Role‐Based ManagementDan Holme – [email protected] April 2011
© 2011 Intelliem, Inc. All rights reserved. DO NOT REPRODUCE OR DISTRIBUTE WITHOUT THE EXPRESS WRITTEN PERMISSION OF INTELLIEM, INC.
Microsoft, Windows, Office, SharePoint, and other product names are or may be registered trademarks and/or trademarks of Microsoft Corporation in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Intelliem, Inc. as of the date of this presentation. Because Intelliem must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Intelliem, and Intelliem cannot guarantee the accuracy of any information provided after the date of this presentation. INTELLIEM MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 1
Role‐Based Management: Extreme Makeover for Active Directory
Dan Holme, MVP, SharePoint
Author, Windows Administration Resource Kit (Microsoft Press)
Trainer & Consultant, Microsoft Technologies
Consultant, NBC Olympics
Contributing Editor, Windows IT Pro magazine (www.windowsitpro.com)
Chief SharePoint Evangelist, AvePoint
Founding Partner, Aptillon (www.aptillon.com)
@[email protected]: http://bit.ly/gPH8hn (Case Sensitive)
ROLE‐BASED MANAGEMENT
Questions: “What can Joe get to?” and “Who has access to the budget?”
Answers: “Umm….”
The Role‐based Lifecycle Of Penny Xavier
Role‐based Management
Categorize a user (define its “roles”)
Automatically enable management of the user:
Resource access
Logon rights & system privileges
Software distribution
User experience (e.g. mapped drives)
User data & settings (redirected folders, profiles)
Email distribution lists
Security & update configuration
Role‐based Management
Who can do what and where?
Role group
Resource access rule group
A discrete access level (e.g. permission)
For a scope of management (e.g. collection of resources)
The Grand Assumption Of RBM
Organizational roles drive the requirements for what it takes to achieve the goals of the role
Roles are more persistent than assets (human or device)
Today Employee A performs Job A. Tomorrow Employee B performs Job A.
Today Employee A performs Roles A & B. Tomorrow those roles are performed by two employees.
Today: Employee A = Role A, Employee B = Role B. Tomorrow Employee A performs Roles A and B.
Even in small organizations!
The Payoff Of RBM
Dynamic, agile service
Facilitate management:
Manual
Automated & provisioned
Increase consistency and security
Simplify reporting, auditing, and compliance:
“What can James get to?”
“Who can edit the Budget files?”
The Doubts About RBM
OK, this sounds great, but how do you do it?
Details later in this presentation
My enterprise is more complicated than…
It’s not. This works. This is a simple demo but it scales
If this is all about groups, won’t you end up with a lot of groups?
Yes, but after analysis, you’ll be glad you did
How many roles should a user belong to?
It depends: typically a handful to a dozen or more direct roles
Other roles inherited
What's Necessary
Data
Active Directory: first‐class enterprise database
Business Logic
Implementation & technology is easy:
Nest users & computers into role groups
Nest role groups into rule groups
Implement access, privilege, configuration
Business is not: lots of business requirements & process analysis
Presentation
Very weak native toolset (e.g. ADUC)
Need custom scripts, tools and applications
WINDOWS AND GROUPS
Access Management Without Groups
(Diagram: Identity → Access Management → Resource)
Groups Add Manageability
(Diagram: Identity → Group → Access Management → Resource)
Groups Add Scalability
(Diagram: Identity → Group → Access Management → Resource)
One Type of Group Is Not Enough
(Diagram: Identity → Group → Access Management → Resource)
Can You Tell Me Who Can Do What?
Role Groups and Rule Groups
(Diagram: Identity → Role Group → Rule Group → Access Management → Resource)
Windows Group Scopes
(Diagram: Identity → Role Group (Global) → Rule Group (Domain Local) → Access Management → Resource)
Role And Rule‐based Management
Nest user role management groups
e.g. “Sales”
Into resource access rule groups
that define “who has capability for folder(s)”
ACL_Resource_Capability
e.g. ACL_Sales Folders_Read
Resource = one or more folders on one or more servers
Assign permissions to implement access level
Based on business logic
(Diagram: Users → Role → Rule → Resource)
Nesting In An RBM Enterprise
Roles into rule group
Users into rule group
Barometer: too many individual users in a rule group? Perhaps they share a common role that needs to be defined.
Roles into role group
Accounting + Treasury + … = Finance
Finance Managers + Sales Managers + … = Departmental Managers
Computers into role (or management) group
Type, location, function
ROLE GROUPS
Role Groups
Define users / computers
Business‐driven criteria:
Job / role in company
Business unit / function / department / team
Location (site)
Seniority
Will typically be very clear
e.g. you are an IT Manager, in Orlando, etc.
Role Groups
Roles’ membership should be highly trusted
Role groups will be assigned resources, etc. by resource owners
Roles should be driven by authoritative sources
When possible
Dynamic role maintenance
HR database designation of certain user roles
Computer inventory designation of roles for workstations
Role Groups
Implement as global security groups
Can contain users & computers from same domain
Use universal groups to create role groups containing users & computers from more than one domain in the same forest
Use domain local groups for role groups only as a rare exception (e.g. role needs to include users from a trusted external domain). You can use that role group in scoping management of anything except GPOs, which wouldn’t apply to users from an external domain anyway.
Membership
Users & computers
Typically a role will have users or computers
Some roles have both users and computers (“location”)
Other roles
Role group nesting will reflect your organization chart
Groups OU Example
User
Computer
Location Users & Computers
Sub‐OUs
Automatically defined roles
Scripts/tools populate these groups’ memberships
Normal administrators can’t modify member property
Manually defined roles
Delegated to a limited number of trained, trusted individuals to administer roles
Provisioning workflows & tools in place
If enforcing provisioned management, delegate provisioning service account Allow:Write:Members
Role Groups Naming Conventions
Use prefixes for specific types of roles
COMP_descriptor defines roles of computers
e.g. COMP_Conference Room Systems
ADM_descriptor defines roles of administrative users
Should contain only administrative secondary logon identities
e.g. ADM_Help Desk
LOC_descriptor defines location‐based groups
Use no prefix for “normal user roles”
Because these will be the most visible groups to non‐technical users
Role Groups Summary
Foundation of RBM
Highly trusted
Membership driven by authoritative sources
Separate and delegate in Active Directory
Global security groups
Contain users, computers, other roles
Strict naming convention
Components separated by a delimiter
Normal human user role groups: simple
RULE GROUPS
Terminology
Management group
Capability management group
Task group
Rule group
Naming Conventions
Insanely absolutely critically important
e.g. ACL_Resource_AccessLevel: ACL_Sales Folders_Read
Components and delimiters
e.g. GroupTypePrefix_GroupName_Modifier
Delimiter
Underscore (“_”)
Do not use _ elsewhere
Facilitates automation, provisioning & presentation
Naming Conventions
Prefix
Defines group’s function/purpose/type
ACL = “resource access”
Facilitates discoverability & use of groups
Sorting & grouping “lists” of groups
Rule Groups
Naming convention
ACL_ResourceCollection_AccessLevel (or RES_ or PERM_)
e.g. ACL_Sales Folders_Edit
ACL_Sales Folders_Read
SYS_scope_capability
e.g. SYS_LON Clients_Admins
SYS_FileServer_Backup
APP_application
UPD_descriptor
e.g. UPD_Pilot (updated as part of update testing)
UPD_Manual (do not get updates automatically)
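An added example (not from the deck) of enforcing this naming convention in PowerShell. It splits a group name on the underscore delimiter, maps the prefix to the group type using the prefixes listed on these slides (ACL_/RES_/PERM_, SYS_, APP_, UPD_, GPO_, CCM_ for rules; COMP_, ADM_, LOC_ for roles; no prefix for normal user roles) and flags names that use the delimiter anywhere else. The function name, the rule that ACL_/RES_/PERM_ and SYS_ names need all three components, and the sample names are assumptions; in production the names would come from Get-ADGroup.

```powershell
# Added example, not the deck's own code: validate group names against the
# Prefix_Name_Modifier convention. Prefixes are the ones on the slides; the
# sample names at the bottom are constructed.

# Prefix -> kind of group it denotes.
$script:KnownPrefixes = @{
    'ACL'  = 'rule: resource access'
    'RES'  = 'rule: resource access'
    'PERM' = 'rule: resource access'
    'SYS'  = 'rule: system capability'
    'APP'  = 'rule: application deployment'
    'UPD'  = 'rule: update management'
    'GPO'  = 'rule: Group Policy filtering'
    'CCM'  = 'rule: change management umbrella'
    'COMP' = 'role: computers'
    'ADM'  = 'role: administrative identities'
    'LOC'  = 'role: location'
}

# Assumption: these prefixes require Prefix_Resource_Modifier (three components).
$script:ThreePartPrefixes = @('ACL', 'RES', 'PERM', 'SYS')

function Test-RbmGroupName {
    param([Parameter(Mandatory)][string]$Name)

    $parts  = $Name -split '_'
    $result = [pscustomobject]@{
        Name     = $Name
        Kind     = 'role: normal user role (no prefix)'
        Prefix   = $null
        Resource = $null
        Modifier = $null
        Valid    = $true
        Problems = @()
    }

    # No delimiter at all: a normal user role such as "Sales".
    if ($parts.Count -eq 1) { return $result }

    $prefix = $parts[0]
    if (-not $script:KnownPrefixes.ContainsKey($prefix)) {
        # Underscore is reserved as the delimiter, so an unknown first component is a violation.
        $result.Valid     = $false
        $result.Problems += "unknown prefix '$prefix'; underscore is reserved as the delimiter"
        return $result
    }
    $result.Prefix = $prefix
    $result.Kind   = $script:KnownPrefixes[$prefix]

    $needed = if ($script:ThreePartPrefixes -contains $prefix) { 3 } else { 2 }
    if ($parts.Count -ne $needed) {
        $result.Valid     = $false
        $result.Problems += "expected $needed underscore-delimited components, found $($parts.Count)"
    }
    if ($parts.Count -ge 2) { $result.Resource = $parts[1] }
    if ($parts.Count -ge 3) { $result.Modifier = $parts[2] }

    # A doubled, leading or trailing underscore produces an empty component.
    if (@($parts | Where-Object { $_ -eq '' }).Count -gt 0) {
        $result.Valid     = $false
        $result.Problems += 'empty component (doubled, leading or trailing underscore)'
    }
    return $result
}

# Constructed sample: a mix of conforming and non-conforming names.
$sampleNames = @(
    'ACL_Sales Folders_Read',
    'ACL_Sales Folders_Edit',
    'SYS_LON Clients_Admins',
    'GPO_Conference Room Lockdown',
    'COMP_Conference Room Systems',
    'Sales',
    'Sales_Managers',   # delimiter used inside a role name
    'ACL_Budget',       # access-level modifier missing
    'ACL__Read'         # empty resource component
)

$sampleNames | ForEach-Object { Test-RbmGroupName -Name $_ } |
    Format-Table Name, Kind, Valid, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

Run against the directory with `Get-ADGroup -Filter * | Select-Object -ExpandProperty Name | ForEach-Object { Test-RbmGroupName -Name $_ } | Where-Object { -not $_.Valid }` to list only the offenders; because the delimiter is reserved, the same parser is what a provisioning tool or report can use to recover the resource and access level from a name.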
Rule Groups
Naming convention
GPO_ (GPO filtering)
Used to filter GPO application
CCM_ (multiple change management tools)
“Broad” or “umbrella” CCM group
Achieves its ‘effect’ using one or more CCM paths, e.g. “conference room computers” may have apps deployed, lockdowns applied through GPOs, etc.
Rule Groups
Implement as domain local security groups
Best practice for long‐term flexibility of RBM
Use to scope management within same domain
Use universal groups to scope management in multiple domains within the same forest
Use global groups in very rare situations where you need to implement scope of management in a trusting domain
e.g. add group directly to an ACL in a trusting domain
Switch to global/universal groups as token size solution
Use global security groups when the rule is implemented using Group Policy security group filtering (GPO_ groups)
Membership
Typically: user role groups and computer roles
Exceptions: individual users and/or computers
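An added example (not from the deck) that checks a set of groups against the scope rules on these slides and the "barometer" from the nesting slide: role groups Global (Universal for multi-domain roles), rule groups Domain Local (Universal for multi-domain scope), GPO_ filtering groups Global, and rule groups carrying many individual members flagged as a role that still needs defining. The group objects are constructed with the property names Get-ADGroup uses (Name, GroupScope); the Members lists, the threshold and the function names are assumptions.

```powershell
# Added example, not the deck's own code. Input is a list of objects with
# Name, GroupScope and Members; constructed here, in production built from
# Get-ADGroup / Get-ADGroupMember.

function Get-RbmGroupKind {
    # Classify a group by its name prefix (prefixes from the slides).
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '^(ACL|RES|PERM|SYS|APP|UPD|CCM)_') { return 'Rule' }
    if ($Name -match '^GPO_')                             { return 'RuleGpo' }
    return 'Role'   # COMP_, ADM_, LOC_ and unprefixed user roles
}

function Test-RbmGroupScope {
    param(
        [Parameter(Mandatory)][object[]]$Groups,
        [int]$MaxDirectMembersInRule = 3   # assumed barometer threshold
    )
    $byName = @{}
    foreach ($g in $Groups) { $byName[$g.Name] = $g }

    foreach ($g in $Groups) {
        $kind     = Get-RbmGroupKind -Name $g.Name
        $findings = @()

        switch ($kind) {
            'Role' {
                if ($g.GroupScope -notin 'Global', 'Universal') {
                    $findings += "role group should be Global (Universal only for multi-domain roles), is $($g.GroupScope)"
                }
            }
            'Rule' {
                if ($g.GroupScope -notin 'DomainLocal', 'Universal') {
                    $findings += "rule group should be Domain Local (Universal for multi-domain scope), is $($g.GroupScope)"
                }
            }
            'RuleGpo' {
                if ($g.GroupScope -ne 'Global') {
                    $findings += "GPO filtering group should be Global, is $($g.GroupScope)"
                }
            }
        }

        if ($kind -ne 'Role') {
            # Members that are not known groups are individual users/computers (the exception case).
            $direct = @($g.Members | Where-Object { -not $byName.ContainsKey($_) })
            if ($direct.Count -gt $MaxDirectMembersInRule) {
                $findings += "$($direct.Count) individual members; they may share a role that needs defining"
            }
        }

        [pscustomobject]@{ Name = $g.Name; Kind = $kind; Scope = $g.GroupScope; Findings = $findings }
    }
}

# Constructed sample groups; computer accounts end in "$" as in AD.
$groups = @(
    [pscustomobject]@{ Name = 'Sales';                        GroupScope = 'Global';      Members = @('pxavier', 'jdoe') },
    [pscustomobject]@{ Name = 'Accounting';                   GroupScope = 'Global';      Members = @('amiller') },
    [pscustomobject]@{ Name = 'Treasury';                     GroupScope = 'Global';      Members = @('tlee') },
    [pscustomobject]@{ Name = 'Finance';                      GroupScope = 'Global';      Members = @('Accounting', 'Treasury') },
    [pscustomobject]@{ Name = 'COMP_Conference Room Systems'; GroupScope = 'Global';      Members = @('CONF01$', 'CONF02$') },
    [pscustomobject]@{ Name = 'ACL_Sales Folders_Read';       GroupScope = 'DomainLocal'; Members = @('Sales', 'Finance') },
    # Wrong scope and five individuals instead of a role:
    [pscustomobject]@{ Name = 'ACL_Budget_Edit';              GroupScope = 'Global';      Members = @('u1', 'u2', 'u3', 'u4', 'u5') },
    # GPO filtering group must be Global:
    [pscustomobject]@{ Name = 'GPO_Kiosk Lockdown';           GroupScope = 'DomainLocal'; Members = @('COMP_Conference Room Systems') }
)

Test-RbmGroupScope -Groups $groups |
    Format-Table Name, Kind, Scope, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
```

The check only looks at a group's direct members, which is all the barometer needs; the slide's other exceptions (global rule groups for a trusting domain, or for token-size reasons) are judgment calls, so when you adopt one, record it and exclude that group rather than loosening the rule for everyone.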
Windows Group Scopes
(Diagram: Identity → Role Group (Global) → Rule Group (Domain Local) → Access Management → Resource)
Rule Groups OU
OU structure example
Delegation
Delegate to business owners of the ‘rule’
Delegate Allow:Write:Members
Where group managers manage few groups
Delegate group directly to resource owner (break the rule of scoping delegation by OU)
Can use the ManagedBy property and select “allow manager to change group membership”
Provision group management!
Rule Groups Summary
Domain local security groups
Except Group Policy rule groups
Dedicated OU(s)
Delegate membership to those responsible for defining the rules/business logic
Contain roles, individual users or computers
Strict naming convention
Prefix indicating group purpose (e.g. ACL_)
BUSINESS LOGIC: RULES
Represent Business Requirements
Role groups are “nested” into capability groups
Or, said in reverse:
Rules are assigned to roles
“Owner” maintains Members property of group
This “layer” should be 100% aligned with business requirements
Automate, provision, and proxy
ROLE‐BASED MANAGEMENT OUTCOMES
Visibility And Auditing
“Who has the capability to do x?”
ADUC: traverse group Members
dsget group <GroupDN> -members -expand
Shows members of group (GroupDN), optionally including nested members (-expand)
Get-ADGroupMember <GroupDN> -Recursive | Select sAMAccountName
MEMBERS REPORT tool
MMC extension
Web application
Visibility And Auditing
“What can x do?”
ADUC: traverse Member Of tab
dsget user|computer <ObjectDN> -memberof -expand
Shows membership of user or computer (ObjectDN), optionally including nested group memberships (-expand)
Web application
MMC extension
MEMBER OF REPORT tool
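An added example (not from the deck) that answers both questions on these two slides offline, over a constructed nesting table, the way Get-ADGroupMember -Recursive and dsget -expand do against the directory. Both walks keep a visited set because circular nesting (Group A in Group B, Group B in Group A) can exist in AD; the sample table contains one such loop deliberately, so the "what can x do?" walk shows a user picking up a rule group through it. Group and account names are constructed.

```powershell
# Added example, not the deck's own code. Constructed table:
# group name -> direct members (user, computer or group names).
$script:Membership = @{
    'Sales'                        = @('pxavier', 'jdoe')
    'Sales Managers'               = @('mrivera', 'Sales')
    'Finance Managers'             = @('amiller', 'Departmental Managers')   # loop: Finance Managers <-> Departmental Managers
    'Departmental Managers'        = @('Sales Managers', 'Finance Managers')
    'ACL_Sales Folders_Read'       = @('Sales', 'Finance Managers')
    'ACL_Sales Folders_Edit'       = @('Sales Managers')
    'COMP_Conference Room Systems' = @('CONF01$')
    'GPO_Kiosk Lockdown'           = @('COMP_Conference Room Systems')
}

function Get-RbmEffectiveMembers {
    # "Who has the capability to do x?": every non-group member reachable from the group.
    param([Parameter(Mandatory)][string]$Group)
    $expanded = New-Object 'System.Collections.Generic.HashSet[string]'
    $found    = New-Object 'System.Collections.Generic.HashSet[string]'
    $stack    = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Group)
    while ($stack.Count -gt 0) {
        $g = $stack.Pop()
        if (-not $expanded.Add($g)) { continue }     # seen before: nesting loop or diamond
        foreach ($m in $script:Membership[$g]) {
            if ($script:Membership.ContainsKey($m)) { $stack.Push($m) }
            else                                    { [void]$found.Add($m) }
        }
    }
    return (@($found) | Sort-Object)
}

function Get-RbmEffectiveMemberOf {
    # "What can x do?": every group the principal belongs to, directly or by nesting.
    param([Parameter(Mandatory)][string]$Principal)
    # Invert the table once: member -> groups that list it directly.
    $parents = @{}
    foreach ($g in $script:Membership.Keys) {
        foreach ($m in $script:Membership[$g]) {
            if (-not $parents.ContainsKey($m)) { $parents[$m] = @() }
            $parents[$m] += $g
        }
    }
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Principal)
    while ($stack.Count -gt 0) {
        $p = $stack.Pop()
        foreach ($g in $parents[$p]) {               # $null for a principal nobody lists: loop body skipped
            if ($seen.Add($g)) { $stack.Push($g) }
        }
    }
    return (@($seen) | Sort-Object)
}

'Who can read the Sales folders:'
Get-RbmEffectiveMembers -Group 'ACL_Sales Folders_Read'
''
'What jdoe can do (all groups, direct and nested):'
Get-RbmEffectiveMemberOf -Principal 'jdoe'
```

The second report is the one that makes the loop visible: jdoe is only a member of Sales, but Sales sits inside Sales Managers, which the loop connects back to the managers' groups and to ACL_Sales Folders_Edit. A nesting loop like that is exactly what the deck's "who can do what" question is meant to surface, and it is why a periodic recursive report is worth more than a look at the Members tab.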
Auditing And Maintaining RBAC
Scan the ACLs
Look for any security principal (user/group/computer)
that does not begin with ACL_
and is not System | Administrators | Creator Owner
and you’ve ensured that RBM is being implemented
Folder ACL Report.vbs
Create “event sinks” to report ACL changes
Audit use of Change Permissions permission
Proxy all tasks related to folder security
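An added example (not from the deck) of the ACL scan described on this slide, in PowerShell rather than the deck's VBScript: Test-RbmAce is the slide's rule (the principal begins with ACL_, or is System, Administrators or Creator Owner), exercised here over constructed principal strings; Get-RbmAclExceptions applies the same rule to the explicit (non-inherited) entries that Get-Acl returns for every folder under a path. Function names, the exact account strings as they appear in an ACE's IdentityReference, and the sample values are assumptions.

```powershell
# Added example, not the deck's own code (the deck's tool is Folder ACL Report.vbs).

# Principals permitted on a folder ACL besides ACL_ rule groups.
# Assumption: these are the strings IdentityReference.Value shows for them.
$script:AllowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER'
)

function Test-RbmAce {
    # $true when the principal conforms to the RBM convention.
    param([Parameter(Mandatory)][string]$IdentityReference)
    if ($script:AllowedPrincipals -contains $IdentityReference) { return $true }
    # Drop a DOMAIN\ prefix, then require the ACL_ rule-group prefix.
    # An unresolved SID (S-1-5-...) has no such prefix and fails, which is what we want reported.
    $account = ($IdentityReference -split '\\')[-1]
    return ($account -like 'ACL_*')
}

function Get-RbmAclExceptions {
    # Report explicit (non-inherited) ACEs on every folder under $Path that break the rule.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            (Get-Acl -Path $folder).Access |
                Where-Object { -not $_.IsInherited -and -not (Test-RbmAce -IdentityReference $_.IdentityReference.Value) } |
                ForEach-Object {
                    [pscustomobject]@{
                        Folder    = $folder
                        Principal = $_.IdentityReference.Value
                        Rights    = $_.FileSystemRights
                        Type      = $_.AccessControlType
                    }
                }
        }
}

# Constructed principal strings, as IdentityReference.Value would show them.
$samplePrincipals = @(
    'CONTOSO\ACL_Sales Folders_Read',
    'CONTOSO\ACL_Sales Folders_Edit',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    'CONTOSO\Sales',          # role group placed directly on the ACL: the rule layer was bypassed
    'CONTOSO\pxavier',        # individual user: neither role nor rule
    'CONTOSO\Domain Users',
    'S-1-5-21-1111-2222-3333-1105'   # orphaned/unresolved SID
)

$samplePrincipals | ForEach-Object {
    [pscustomobject]@{ Principal = $_; Conforms = (Test-RbmAce -IdentityReference $_) }
} | Format-Table -AutoSize

# Against a real share root (runs only where the path exists):
# Get-RbmAclExceptions -Path '\\fileserver\Sales' | Format-Table -AutoSize
```

Only explicit entries are examined because an inherited entry repeats whatever its parent carries; the parent folder is where the exception will be reported. The slide's companion controls, reporting ACL changes as they happen and auditing use of the Change Permissions right, tell you when to re-run this scan rather than replacing it.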
Folder ACL Report.vbs
Auditing
CONSIDERING RBM
Won’t There Be A Lot Of Groups?
Yes! If implemented fully, RBAC alone will have several resource groups for each resource collection: one for each access level
What’s the alternative?
What’s the problem?
What’s The Alternative?
Multiple ACEs on multiple ACLs on multiple folders on multiple servers
Managing ACEs on ACLs is complex
Scanning, analyzing, reporting ACEs: how often do you do this? How stale are your ACLs?
Interpreting An ACL
What’s The Alternative?
RBM: significant reduction in "points of management"
Significant reduction in complexity of management: group membership management is easy
We’ve grown numb to the pain of managing ACLs, or we’ve stopped doing parts of it (cleaning, reporting, analyzing) altogether
Tip: ACLs should be the focus of your security effort, not the latest “fad” hack
What’s The Problem?
1) Tools for managing groups in AD are lousy: not administrator friendly
Not available to non‐technical users (e.g. resource owners)
Solve it! How easy was our tool to provision the groups?
Provide easy tools to manage the groups!
2) Token size
Token Size: Two Problems
Bytes-per-group in token: has gotten better over OS updates and service packs
1200 (overhead) + 40 x [# domain local group memberships] + 8 x [# global & universal group memberships]
Calculate token size with tokensz.exe
Default size of the token itself: Windows 2000 RTM/SP1: 8KB, 100-200 groups
Windows 2000 SP2/XP/2003: 12KB, 200-300 groups
Problems And Solutions
Errors: Windows, Windows apps, web apps… you name it
All over the map! Access, logon, out of memory…
Registry modification to solve the problem: HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
MaxTokenSize
REG_DWORD, Decimal: 65536 (Hex: 0xFFFF)
1600 domain local or 8000 global/universal groups
Deploy forest‐wide to all systems
Kerberos limit 1024 groups
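The formula and the registry setting from the two slides above, as an added PowerShell example (not from the deck, and not a replacement for tokensz.exe). It estimates a user's token size from transitive group memberships, reads the MaxTokenSize in effect on the local machine, and shows how many groups a given MaxTokenSize can carry. It assumes the ActiveDirectory module (RSAT) is installed; the account name is a placeholder. One detail to note: the slide's decimal and hex values differ by one, since 0xFFFF is 65535, which is the value KB 327825 uses, and the example caps the setting there.

```powershell
# Added example, not from the deck: token size estimate using the slide's formula,
# 1200 + 40 x (domain local groups) + 8 x (global + universal groups), compared with
# the MaxTokenSize registry value. Memberships are gathered transitively with an
# LDAP_MATCHING_RULE_IN_CHAIN filter; the primary group is added separately because it
# is not held in the member attribute; sIDHistory is not counted, so this is an estimate.
Import-Module ActiveDirectory

$KerberosParameters = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TokenSizeEstimate {
    param([int]$DomainLocalGroups, [int]$GlobalAndUniversalGroups)
    # Formula from the slide: 1200 bytes of fixed overhead plus the per-group costs.
    return 1200 + (40 * $DomainLocalGroups) + (8 * $GlobalAndUniversalGroups)
}

function Get-GroupCapacity {
    # How many groups of each kind fit in a token of $MaxTokenSize bytes
    # (65535 gives roughly the 1600 domain local / 8000 global-universal figures on the slide).
    param([int]$MaxTokenSize)
    [pscustomobject]@{
        DomainLocalOnly     = [math]::Floor(($MaxTokenSize - 1200) / 40)
        GlobalUniversalOnly = [math]::Floor(($MaxTokenSize - 1200) / 8)
    }
}

function Get-MaxTokenSize {
    # Configured MaxTokenSize, or the 12000-byte default the deck lists when the value
    # is absent (Windows 8 / Windows Server 2012 and later ship a 48000-byte default).
    $item = Get-ItemProperty -Path $KerberosParameters -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 12000 }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    # Writes the value the slide describes. Run elevated; the deck's advice is to deploy
    # it forest-wide (e.g. through Group Policy) rather than by hand on each system.
    param([int]$Bytes = 65535)
    if ($Bytes -gt 65535) { throw 'MaxTokenSize above 65535 (0xFFFF) is outside what KB 327825 documents' }
    if (-not (Test-Path $KerberosParameters)) { New-Item -Path $KerberosParameters -Force | Out-Null }
    Set-ItemProperty -Path $KerberosParameters -Name MaxTokenSize -Value $Bytes -Type DWord
}

function Get-UserTokenReport {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $chain  = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = @(Get-ADGroup -LDAPFilter $chain) + @(Get-ADGroup -Identity $user.PrimaryGroup)

    $domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $globalUniv  = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' }).Count
    $estimate    = Get-TokenSizeEstimate -DomainLocalGroups $domainLocal -GlobalAndUniversalGroups $globalUniv
    $limit       = Get-MaxTokenSize

    [pscustomobject]@{
        User                = $SamAccountName
        DomainLocalGroups   = $domainLocal
        GlobalUniversal     = $globalUniv
        TotalGroups         = $groups.Count
        EstimatedTokenBytes = $estimate
        MaxTokenSize        = $limit
        OverMaxTokenSize    = ($estimate -gt $limit)
        # 1024 is the Kerberos group limit the slide quotes; raising MaxTokenSize does not lift it.
        OverKerberosLimit   = ($groups.Count -gt 1024)
    }
}

# Usage (placeholder account name):
Get-UserTokenReport -SamAccountName 'jdoe' | Format-List
Get-GroupCapacity -MaxTokenSize (Get-MaxTokenSize)
```

Running the report for the most heavily nested accounts (auditors, help desk, senior admins) before a large RBM rollout tells you whether MaxTokenSize has to be raised first, and the OverKerberosLimit column separates the two problems the slide lists: a token that is too large for the default buffer, and a group count that no registry change can fix.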
Token Size Solutions
Deploy MaxTokenSize
Monitor auth problems for intranet web apps
Clean up sIDHistory attribute
Bottom line: the problem is less likely than it was before
With large, complex RBM environments, you will need to change MaxTokenSize
Critical reading: KB 263693 & 327825. Also read the “Related Articles” in those KBs
Global Groups Solution
Global groups take 1/5 the space in your token
Assumes you have a single domain, or an “empty forest root / child domain”, or completely decentralized domains within a forest
Implement all (or most) groups as global groups
When you trust another domain, some groups will have to convert to domain local (very easy to do)
Trusted domains are so 1990s. Federation is so today.
Don’t tell me I ever told you to do this
“Double Rule” Solution
ACL_Sales Folders_Read has Read permission: the rule for “normal” read access
ACL_All Folders_Read has Read permission: auditors get read permission from this rule instead of being nested into every _Read rule group
This is important for high-level admins and users: it prevents over-nesting
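The double rule applied to a resource collection, as an added PowerShell example (not from the deck). Each share root receives two Read ACEs, one for the resource-specific rule group and one for the collection-wide rule group, so auditors are placed in the collection-wide group rather than nested into every _Read group; a second function finds folders that are missing the collection-wide ACE. The CONTOSO domain, group names and paths are placeholders.

```powershell
# Added example, not from the deck: grant Read through both rule groups of the "double rule"
# and check a share root for folders where the collection-wide group is missing.
# Domain, group names and paths are placeholders.
function Grant-DoubleRuleRead {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ResourceRuleGroup,                   # e.g. 'CONTOSO\ACL_Sales Folders_Read'
        [string]$CollectionRuleGroup = 'CONTOSO\ACL_All Folders_Read'        # the "all folders" rule for auditors
    )
    $acl = Get-Acl -Path $Path
    foreach ($group in @($ResourceRuleGroup, $CollectionRuleGroup)) {
        # Allow ReadAndExecute, inherited by subfolders and files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $group,
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DoubleRule {
    # Returns the top-level folders under $Root whose explicit ACEs lack the collection-wide
    # rule group, i.e. where auditors could only get access through nesting.
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$CollectionRuleGroup = 'CONTOSO\ACL_All Folders_Read'
    )
    Get-ChildItem -Path $Root -Directory | Where-Object {
        $explicit = (Get-Acl -Path $_.FullName).Access | Where-Object { -not $_.IsInherited }
        -not ($explicit.IdentityReference.Value -contains $CollectionRuleGroup)
    } | Select-Object -ExpandProperty FullName
}

# Usage (placeholders):
# Grant-DoubleRuleRead -Path 'D:\Shares\Sales' -ResourceRuleGroup 'CONTOSO\ACL_Sales Folders_Read'
# Test-DoubleRule -Root 'D:\Shares'
```

Because both ACEs sit on the same root and inherit downward, the collection-wide group costs one ACE per resource collection rather than one nesting per _Read group, which is exactly the token-size saving the slide is after.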
TRANSITIONING TO ROLE‐BASED MANAGEMENT
Selling RBM In Your Organization
Get there, yourself, first: you must be the expert
Fully understand RBM Concepts & terms
Data, business & presentation “layers”
Understand the reliance on groups. Benefit: groups can be used to scope many management technologies
Get past “scars” from group management days of yore
Active Directory ain’t your grandfather’s SAM
Selling RBM In Your Organization
Highlight the pain points: What can <name a user> do?
If <name a user> loses his or her computer, what applications need to be installed on a new computer?
Who can make changes to <name a sensitive resource>?
A new user is hired who needs the same access as <name a user>. What access is that, exactly?
Chances are, your environment cannot answer all these questions
Selling RBM In Your Organization
Demonstrate the solutions: My Memberships
Access Report
Then start discussing how it is achieved: discuss IT as roles and rule-based management
Focus on aligning IT so that there are “collections” and workflows that align with and support the requirements of the business
Don’t talk “group scope” (domain local/global) or “OU vs. group” (difficult to avoid, but avoid it)
Getting There
Analyze: identify the capabilities you are trying to manage (resource collections, apps, updates, etc.)
Identify the roles associated with those capabilities
Identify the exceptions you need to manage
Identify data sources (e.g. HR)
Design: establish consistent naming conventions
Establish consistent process (workflow)
Getting There
Encourage or mandate discipline: utilize the description field for groups
Optionally: Provision
Automate
Enforce
Separate credentials for provisioned management
Create a transition plan: you do not have to get there overnight
Role‐Based Management
MaxTokenSize, long story short: >200-300 groups and you’re in trouble
You can work around it: deploy a larger MaxTokenSize throughout the forest
1024 is the hard limit (Kerberos)
Double‐rule your resources
Migration to RBM: design your managed framework
Draw a line in the sand: From now on, managed
Back‐fill the management over time
GROUP MANAGEMENT
Best Practices for Group Documentation
Why document groups? Easier to find them when you need them
Easier to understand how and when to use a group
Establish and adhere to a strict naming convention
A prefix, for example, helps distinguish APP_Budget from ACL_Budget_Edit
A prefix helps you find the group in the Select dialog box
Summarize a group's purpose with its description
Appears in the Active Directory Users and Computers details pane
Detail a group's purpose in its Notes field
Contact information on the Managed By tab
Copy Group Membership
Copy members from one group to another:
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr
Copy memberships of one user to another:
dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"
Protect Groups from Accidental Deletion
1. In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected.
2. Open the Properties dialog box for a group.
3. On the Object tab, select the Protect Object From Accidental Deletion check box.
4. Click OK.
Delegate Membership Management with Managed By
The Managed By tab serves two purposes:
Provide contact information for who manages the group
Allow the specified user (or group) to modify group membership if Manager Can Update Membership List is selected
Tips: you must click OK (not just Apply) to change the ACL on the group
To set a group in the Name box, click Change, then click Object Types, and then click Groups
Shadow groups
Membership based on an LDAP query: Group_Shadow.vbs
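The group-management practices from the last four slides (documentation conventions, copying membership, protection from accidental deletion, and Managed By delegation) carried out with the ActiveDirectory module, as an added PowerShell example that is not the deck's own tooling. The delegation step does in code what the Manager Can Update Membership List check box does in the dialog: it grants the manager WriteProperty on the group's member attribute. Group names, the OU path, the contoso.com domain and the sample accounts are placeholders.

```powershell
# Added example, not from the deck: create a documented rule group, delegate its
# membership via Managed By, protect it from accidental deletion, and copy memberships.
# Names, OU paths, the contoso.com domain and the sample accounts are placeholders.
Import-Module ActiveDirectory

function New-RbmGroup {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'ACL_Budget_Edit' (prefix states the purpose)
        [Parameter(Mandatory)][string]$Description,   # one-line purpose, shown in the ADUC details pane
        [Parameter(Mandatory)][string]$Notes,         # detailed purpose, the Notes field (LDAP attribute 'info')
        [Parameter(Mandatory)][string]$ManagerSam,    # user or group to name on the Managed By tab
        [string]$Path = 'OU=Rule,OU=Groups,DC=contoso,DC=com',
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope = 'DomainLocal'
    )
    $manager = Get-ADObject -LDAPFilter "(sAMAccountName=$ManagerSam)" -Properties objectSid
    $group = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path `
        -Description $Description -ManagedBy $manager.DistinguishedName `
        -OtherAttributes @{ info = $Notes } -PassThru

    # "Manager Can Update Membership List": WriteProperty on the 'member' attribute for the manager.
    # The GUID is the schema ID of the 'member' attribute.
    $memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $groupPath = "AD:\$($group.DistinguishedName)"
    $acl = Get-Acl -Path $groupPath
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $manager.objectSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $groupPath -AclObject $acl

    # Equivalent of the "Protect Object From Accidental Deletion" check box.
    Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true
    return $group
}

function Copy-GroupMembers {
    # Same effect as the dsget group | dsmod group pipeline on the earlier slide.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Target)
    $members = @(Get-ADGroupMember -Identity $Source)
    if ($members.Count -gt 0) { Add-ADGroupMember -Identity $Target -Members $members }
}

function Copy-UserMemberships {
    # Give $TargetUser every direct group membership $SourceUser has, skipping groups
    # the target is already in (including the primary group) so no add fails.
    param([Parameter(Mandatory)][string]$SourceUser, [Parameter(Mandatory)][string]$TargetUser)
    $existing = @(Get-ADPrincipalGroupMembership -Identity $TargetUser | Select-Object -ExpandProperty DistinguishedName)
    Get-ADPrincipalGroupMembership -Identity $SourceUser |
        Where-Object { $_.DistinguishedName -notin $existing } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $TargetUser }
}

# Usage (placeholders):
# New-RbmGroup -Name 'ACL_Budget_Edit' -Description 'Edit access to the Budget share' `
#   -Notes 'Rule group: grants Modify on \\fs01\Budget. Request access via the Finance owner.' `
#   -ManagerSam 'finance.owners'
# Copy-GroupMembers -Source 'ACL_Sales Folders_Read' -Target 'ACL_Marketing Folders_Read'
# Copy-UserMemberships -SourceUser 'jdoe' -TargetUser 'asmith'
```

Putting the description, Notes and Managed By data on the group at creation time is what makes the deck's later questions (“who owns this group, and what is it for?”) answerable from the directory itself rather than from someone's memory.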
Shadow groups
Define group membership based on a query of Active Directory attributes
Group_Shadow.vbs
Challenges: optimize accuracy vs. impact on replication
Requires logoff/logon (user) or restart (computer)
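A shadow group synchronized from an LDAP query, as an added PowerShell example (it is not the deck's Group_Shadow.vbs). It computes the desired membership from the query, compares it with the group's current member attribute and writes only the delta, which is the accuracy-versus-replication trade-off the slide raises: a run that finds nothing changed causes no replication at all. The group name, search base and filter are placeholders, and it assumes the ActiveDirectory module.

```powershell
# Added example, not the deck's Group_Shadow.vbs: keep a group's membership equal to
# the result of an LDAP query, writing only additions and removals.
# Group name, search base and filter are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$Group,        # e.g. 'ROLE_Sales_Chicago'
        [Parameter(Mandatory)][string]$LdapFilter,   # e.g. '(&(objectCategory=person)(department=Sales)(l=Chicago))'
        [string]$SearchBase = 'OU=People,DC=contoso,DC=com',
        [switch]$ReportOnly                          # compute the delta without writing it
    )
    # Desired membership: everything the query returns, minus disabled accounts
    # (userAccountControl bit 2), so a departed user drops out of the role automatically.
    $disabledBit = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $desired = @(Get-ADObject -LDAPFilter "(&$LdapFilter$disabledBit)" -SearchBase $SearchBase |
        Select-Object -ExpandProperty DistinguishedName)

    # Current membership: the group's member attribute (direct members only).
    $current = @(Get-ADGroup -Identity $Group -Properties member | Select-Object -ExpandProperty member)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if (-not $ReportOnly) {
        # Only the delta touches the directory; an unchanged group generates no replication.
        if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
        if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
    }

    [pscustomobject]@{
        Group   = $Group
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Total   = $desired.Count
    }
}

# Usage (placeholder filter). Run on a schedule; as the slide notes, users see the
# change at their next logon and computers after a restart.
Sync-ShadowGroup -Group 'ROLE_Sales_Chicago' `
    -LdapFilter '(&(objectCategory=person)(department=Sales)(l=Chicago))' -ReportOnly
```

The Added and Removed counts are worth logging on every run: a sudden large number in either column usually means the source attributes (department, office) were changed in bulk, which is the kind of upstream data problem the deck's “identify data sources (e.g. HR)” step is meant to surface before it reaches the ACLs.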
Resources
Windows Administration Resource Kit: Productivity Solutions for IT Professionals
Solutions Collection 3: Managing User Data and Settings
Windows IT Pro magazine: February & March 2008 issues
@danholme
Questions & Answers
Please fill in your feedback forms!
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date: http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook
http://www.facebook.com/technetbe
http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget
TechDays 2011 On‐Demand
• Watch this session on‐demand via TechNet Edge http://technet.microsoft.com/fr‐be/edge/
http://technet.microsoft.com/nl‐be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
THANK YOU
Dan Holme, MVP, SharePoint
Chief SharePoint Evangelist, AvePoint
Author, SharePoint 2010 Training Kit (Microsoft Press)
Trainer & Consultant, Microsoft Technologies
Consultant, NBC Olympics
Community Lead, www.sharepointpromag.com
Founding Partner, Aptillon (www.aptillon.com)
@[email protected]: http://bit.ly/gPH8hn (Case Sensitive)