Re: [ActiveDir] Admin Account Trouble
Ok, so this is an old thread - sorry to raise the dead. :-)

I had an idea about this. Could it be that the Administrator account has been renamed and a new account created using the name Administrator? Why anyone would want to do this I don't know, but it can be done (just tested it). If this is the case in your environment, it should be possible to locate the original Administrator account. The RID is always 500 (or 1F4 if you look at the string representation of objectSid using e.g. LDP.EXE).

Just a thought...

Tony

-Original Message-
From: Craig Cerino [mailto:Craig_Cerino;Tiel.com]
Sent: Monday, 23 September 2002 15:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble

Dave,

Anything is possible --- but I am the only one that has authority to make any registry changes (and haven't). Also, it doesn't matter where you are - console or TS session. If it's locked out --- I have to use one of the back door accounts I created to unlock it.

Cooky.

-Original Message-
From: Thornley, Dave H [mailto:D.H.Thornley;shu.ac.uk]
Sent: Monday, September 23, 2002 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Admin Account Trouble

Craig,

I have a very vague recollection of a utility or a Registry setting or something that would allow the administrator account to be locked out via the network, but you could always log in at the console (or something like that...!) Is it possible that's what's causing your problems?

dave

-Original Message-
From: Craig Cerino [mailto:Craig_Cerino;Tiel.com]
Sent: 23 September 2002 13:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble

Rick -- that's what I thought, but I am here to tell you the built-in administrator account can ABSOLUTELY become locked out. I see it all the time. One of our smaller separate networks' (built-in) Administrator account gets locked out all the time. It's actually pretty weird and I've been working for a while now trying to figure out WHY this is happening.

Craig

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Friday, September 20, 2002 8:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble

Craig,

Can't happen - the Administrator account can't be locked out. Which, if you think about it, is the reason that it's attacked over any other potential admin-equivalent account. If the account 'Rick' is an admin equiv but has a lockout of 3 attempts, I may as well go after the Administrator who won't lock out even though I'm going after it with a full onslaught brute force dictionary attack with my mongo dictionary with all possible replacement text. By open of business Monday the administrator account has taken on millions of password attempts.

Yeah, it's kind of a small problem.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Craig Cerino
Sent: Friday, September 20, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble

I REALLY don't mean to be insulting -- but is it locked out?

-Original Message-
From: Michael Payne [mailto:mpayne;amocofcu.org]
Sent: Friday, September 20, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Admin Account Trouble

Hello Everyone,

My administrator account (Windows 2000 server) can not access the group policies for the Domain\Domain Controller. I can not install software nor does the hardware wizard respond. Any ideas or suggestions? I would appreciate any advice.

Thanks in advance,
Mike

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 98 user account lockouts
Are you using IPX by any chance? We had a problem like this too. Q260399

-Original Message-
From: [EMAIL PROTECTED] [mailto:rrutherford;dek.com]
Sent: Tuesday, October 22, 2002 4:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 98 user account lockouts

Hi All,

We have just performed an acquisition of a company with many 98 clients; the software they used will only run on 98. The problem I am getting is that their domain accounts seem to be locking out every couple of hours. This problem did not occur with NT DCs. This is happening on 'all' the machines - any ideas why?

Robert Rutherford

This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK Printing Machines Ltd., or its affiliates. This footnote signifies that this message has been checked for viruses using Norton and McAfee.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Admin Account Trouble
Tony said: Could it be that the Administrator account has been renamed and a new account created using the name Administrator? Why anyone would want to do this I don't know, but it can be done (just tested it).
---
I have been known to do this on some DMZ or Internet-facing systems - more to foil the common 'after school' scripters, rather than the more seasoned who will look for SIDs rather than just by name. It's a security practice that is really not that uncommon, and you may have hit the nail on the head, Tony.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Tony Murray
Sent: Wednesday, October 23, 2002 7:49 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Admin Account Trouble

Ok, so this is an old thread - sorry to raise the dead. :-) I had an idea about this. Could it be that the Administrator account has been renamed and a new account created using the name Administrator? Why anyone would want to do this I don't know, but it can be done (just tested it). If this is the case in your environment, it should be possible to locate the original Administrator account. The RID is always 500 (or 1F4 if you look at the string representation of objectSid using e.g. LDP.EXE). Just a thought...

Tony
RE: [ActiveDir] ADMT v2
Diane,

Glad to hear that everything is working. I was a bit concerned that your password migration scenario was not working. It's been flawless for us.

Now, as to "the migration can _only_ be done on the computer that generated the key" - Yep. Did you miss that in the notes that I posted on the 16th? The more likely cause was that I made it so unintelligible that no one could understand it. Sorry about that!

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Ayers, Diane
Sent: Tuesday, October 22, 2002 9:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Yea, it meets all those. It's actually an AD to AD migration. We re-ran some tests today and the accounts came across with passwords intact and SIDhistory. Way cool. Go figure why the other tests didn't work. I guess we were too impatient when we tried the accounts after migration.

One key point that I found is that the PES key is computer specific. The migration can _only_ be done on the computer that generated the key.

Now if I can just figure out the best way to do an E2K to E2K migration...

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Tony Murray
Sent: Tuesday, October 22, 2002 8:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Yes. It's been a while since I've done a migration, but does your PES meet the following criteria?

* Must be installed on a Domain Controller (PDC or BDC)
* The Domain Controller must run Windows NT 4.0 Service Pack 5 (or higher)
* The 128-bit high encryption pack must be installed on the Server
* At least one PES is required per NT Account Domain

Tony

-- Original Message --
From: Ayers, Diane [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 22 Oct 2002 07:49:17 -0700

Has anyone gotten the PES (password export server) portion to work? I was pulling my hair out yesterday getting the thing to recognize the keys correctly. Once it did, still no password migration. I had the same success with third party migration tools that use the PES server. Q322981 was not much help although I did make sure everything was according to Hoyle.

Diane

-Original Message-
From: Tony Murray [mailto:tony;mail.activedir.org]
Sent: Monday, October 21, 2002 11:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

...and the really good news about ADMT 2.0 is that the version on the .NET RC1 CD is fully supported by Microsoft.

Tony

-- Original Message --
From: Ayers, Diane [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 21 Oct 2002 12:33:44 -0700

As Homer Sez: DOh! Thanks...

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Monday, October 21, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Diane,

Look under the ADMT folder in the I386 directory.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Ayers, Diane
Sent: Monday, October 21, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADMT v2

All:

I'm looking for ADMT version 2. I've dug around my .NET CDs and can't find it. Can someone point me in the right direction...

Diane

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Admin Account Trouble
I'd consider that a false sense of security, for the exact reason Tony mentioned - Administrator has the same RID regardless of name - any half-intelligent script kiddie would hack using the RID rather than the username anyway.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-Original Message-
From: Burns, Clyde [mailto:Clyde.Burns;nortonhealthcare.org]
Sent: Wednesday, October 23, 2002 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble

I have done just that for security reasons. (Rename the administrator account and create a dummy Administrator account with no real privileges.) It's been for situations where someone is trying to 'guess' what the administrator account is and let them spin their wheels harmlessly. And in one case where someone who I could not say 'No' to wanted to know the administrator's account password. The guy was known as 'the tweaker' because he couldn't leave things alone and would never admit to changing things, despite being slapped with audit logs showing otherwise.

-Original Message-
From: Tony Murray [mailto:tony;mail.activedir.org]
Sent: Wednesday, October 23, 2002 8:49 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Admin Account Trouble
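Tony's point that the built-in Administrator always carries RID 500, and Roger's that the RID is what a knowledgeable party keys on, cut the same way for a defender: the RID is how you find the real account whatever it has been renamed to. The following is an added example, not code from the list or from Microsoft; the parser reads the binary objectSid as AD stores it, and the domain SID, account names and RIDs are constructed sample values.

```python
"""Locate the built-in Administrator by RID rather than by name.

Added example: parses the binary objectSid attribute and checks the final
sub-authority (the RID), which is 500 (0x1F4) for the built-in Administrator
regardless of what sAMAccountName it currently carries.
"""
import struct

ADMINISTRATOR_RID = 500  # 0x1F4, the well-known RID of the built-in Administrator


def parse_sid(raw: bytes) -> str:
    """Convert a binary SID (objectSid value) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    # The 48-bit identifier authority is stored big-endian ...
    authority = int.from_bytes(raw[2:8], "big")
    # ... while each 32-bit sub-authority is stored little-endian.
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority, of a string SID."""
    return int(sid.rsplit("-", 1)[1])


def build_sid(domain_sid: str, rid: int) -> bytes:
    """Constructed helper: assemble a binary SID so the example runs offline."""
    parts = domain_sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]] + [rid]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def find_builtin_administrator(accounts):
    """accounts: iterable of (sAMAccountName, objectSid bytes).

    Returns the names whose RID is 500, which is the real built-in account
    no matter what it is called and no matter what other account is named
    'Administrator'.
    """
    return [name for name, sid in accounts
            if rid_of(parse_sid(sid)) == ADMINISTRATOR_RID]


# Constructed sample domain: the account called "Administrator" is a decoy
# with an ordinary RID; the real built-in account was renamed to "svc-maint".
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = [
    ("Administrator", build_sid(DOMAIN_SID, 1105)),
    ("svc-maint", build_sid(DOMAIN_SID, ADMINISTRATOR_RID)),
    ("jsmith", build_sid(DOMAIN_SID, 1106)),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(f"{name:15s} {parse_sid(sid)}")
    print("built-in Administrator:", find_builtin_administrator(SAMPLE_ACCOUNTS))
```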
RE: [ActiveDir] LDAP referral during subtree search
I'm curious too. The app server is WebLogic 7.0, configured to use AD/LDAP as the authentication provider. When the search base is the Users container, it binds to AD (using an account created for that purpose), searches for the user, and binds as that user with the credentials the user supplied. If the bind is successful, it then rebinds with its own account and searches for groups which contain the user in the members attribute. It then recursively searches to find any groups that group might be nested under. WebLogic can then use that information to make access control decisions (i.e., only members of groupABC can access a particular URL). The group info is also mapped to 'roles' which can be referenced within applications for finer-grained control (i.e., if user is in RoleA, enable this option programmatically).

When the search base is DC=xyz,DC=com, the network trace shows that it does all the same queries, and gets all the expected results, but it denies access to the URL even though the user is part of the requisite group. The only difference I see is that referral, so I surmise that's what is confusing WebLogic. I don't see WebLogic attempting to chase the referral, nor does it seem to have any option to turn referral chasing on or off. I suspect that its LDAP client implementation is simply not very robust and is not equipped to handle exceptions gracefully. We've been using their LDAP support since version 6.1, and it has been steadily improving, but it has room to grow.

Everything works OK if I do the same thing on port 3268, though, so I think that's where we'll go, at least for now.

Thanks for your insight - very helpful, as always :)

Dave

-Original Message-
From: Gil Kirkpatrick [mailto:gilk;netpro.com]
Sent: Tuesday, October 22, 2002 6:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP referral during subtree search

David,

Yeah, if the app servers are just searching for a CN that might be anywhere in the forest, searching the GC is the better strategy. I'm curious as to why the app was choking on the referral...

-g

-Original Message-
From: Fugleberg, David A [mailto:david.fugleberg;nwa.com]
Sent: Tuesday, October 22, 2002 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP referral during subtree search

Thanks Gil - I knew you would know <g>

Am I correct in assuming that it's an all-around better practice to point those app servers at the GC (port 3268) anyhow? Right now, the only issue is that the app server seems to choke on the referral, but in the future if I should add a domain to the forest, I imagine I'd want to go to the GC anyhow so I wouldn't need to be concerned about which domain the user was in. I should point out that we use a unique ID for user CNs, so there's no issue of duplicate RDNs to be concerned with...

Dave

-Original Message-
From: Gil Kirkpatrick [mailto:gilk;netpro.com]
Sent: Tuesday, October 22, 2002 5:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP referral during subtree search

David,

Not quite correct... From a logical perspective, your tree has a root NC (DC=XYZ,DC=com) and that NC contains a subordinate config NC (CN=Configuration,DC=XYZ,DC=com), which itself contains a subordinate schema NC (CN=Schema,CN=Configuration,DC=XYZ,DC=com). When you search the root domain, and you don't use the LDAP_SERVER_DOMAIN_SCOPE_OID (1.2.840.113556.1.4.1339) control, AD generates referrals to the subordinate NCs that were included in the scope of your search so that you can chase the referrals appropriately *even though there is a replica of that NC on the DC you are searching*. In your case, you get the referral to the only NC subordinate to the root: CN=Configuration. The GC is effectively a separate NC that includes the entire scope of the forest, so there are no subordinate referrals to be had.

-gil

-Original Message-
From: Fugleberg, David A [mailto:david.fugleberg;nwa.com]
Sent: Tuesday, October 22, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP referral during subtree search

I noticed something while doing LDAP searches against AD that I'd like to understand. Take the example of a single-domain forest called xyz.com. User objects are stored in various OUs, and the OUs exist directly under the domain (OU=orgunit1,DC=xyz,DC=com, OU=orgunit2,DC=xyz,DC=com, etc.) Let's say you want to look for a user object with CN=joeuser, and it might be anywhere in the OU structure. You try two different methods:

1. Bind to a Domain Controller on port 389. Issue a subtree search with a base DN of DC=xyz,DC=com and a filter of (&(cn=joeuser)(objectclass=user)).
2. Bind to a Global Catalog server on port 3268. Issue a subtree search with a base DN of DC=xyz,DC=com and a filter of (&(cn=joeuser)(objectclass=user)).

If you do option 1, joeuser is found, and his full DN is returned. The DC also returns an LDAP referral to
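Gil's explanation above, modelled as an added example (not code from the thread, from WebLogic or from Microsoft): which naming contexts a DC would refer a subtree search to, and why the domain-scope control or the GC port makes the referral disappear. The naming-context list for xyz.com is constructed, and the function is a model of the rule rather than an LDAP client; a real client would send the control OID shown in the search request.

```python
"""Model of the subordinate-NC referrals a DC returns for a subtree search.

Added example. Rule as described in the thread: a subtree search whose base
sits above another naming context gets a referral for each NC directly
beneath the base (the NC being replicated locally makes no difference),
unless the client sends LDAP_SERVER_DOMAIN_SCOPE_OID or searches the GC,
which is one forest-wide NC with nothing subordinate to it.
"""

DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"  # LDAP_SERVER_DOMAIN_SCOPE_OID

# Naming contexts held by a DC of the single-domain forest xyz.com (constructed).
HOSTED_NCS = [
    "DC=xyz,DC=com",
    "CN=Configuration,DC=xyz,DC=com",
    "CN=Schema,CN=Configuration,DC=xyz,DC=com",
]


def _rdns(dn: str):
    """Split a DN into normalised RDNs (case-insensitive, whitespace-trimmed)."""
    return [r.strip().lower() for r in dn.split(",")]


def is_subordinate(dn: str, base: str) -> bool:
    """True if dn lies strictly below base in the tree (RDN suffix match)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) > len(b) and d[-len(b):] == b


def subordinate_referrals(base, hosted_ncs, controls=(), global_catalog=False):
    """Return the NC DNs a subtree search from `base` would be referred to.

    Only NCs directly under the base are referred; an NC nested under another
    referred NC (Schema under Configuration) is reached by chasing that one.
    The GC never issues subordinate referrals, and the domain-scope control
    suppresses them on port 389 as well.
    """
    if global_catalog or DOMAIN_SCOPE_OID in controls:
        return []
    below = [nc for nc in hosted_ncs if is_subordinate(nc, base)]
    return [nc for nc in below
            if not any(is_subordinate(nc, other) for other in below)]


if __name__ == "__main__":
    # The three situations from the thread, all with base DC=xyz,DC=com.
    cases = [
        ("port 389, no control", {}),
        ("port 389, domain-scope control", {"controls": (DOMAIN_SCOPE_OID,)}),
        ("port 3268 (GC)", {"global_catalog": True}),
    ]
    for label, kw in cases:
        print(f"{label:32s} -> {subordinate_referrals('DC=xyz,DC=com', HOSTED_NCS, **kw)}")
    # Searching the Users container, which WebLogic handled fine.
    print("CN=Users,DC=xyz,DC=com          ->",
          subordinate_referrals("CN=Users,DC=xyz,DC=com", HOSTED_NCS))
```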
RE: [ActiveDir] ADMT v2
What is the difference between ADMT v2 and v1? Can you use ADMT v2 in a Windows 2000 Active Directory Environment?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Monday, October 21, 2002 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Diane,

Look under the ADMT folder in the I386 directory.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] RAID configuration on DC's
Oh yeah, I realized that after I sent it.

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Friday, October 18, 2002 2:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RAID configuration on DC's

Justin,

Check that - NTDS.DIT resides in the %systemroot%\NTDS folder, not SYSVOL. You can, however, put the .DIT file on the same volume/drive with the SYSVOL, if you desire. DS doesn't replicate with the SYSVOL.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Salandra, Justin A.
Sent: Friday, October 18, 2002 11:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] RAID configuration on DC's

The SYSVOL is the folder that contains the NTDS.DIT so they would end up on the same ARRAY. I would do:

ARRAY 1 OS and Page File
ARRAY 2 Transaction Logs
ARRAY 3 SYSVOL and NTDS.DIT

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Devan Pala [mailto:dpala;hotmail.com]
Sent: Friday, October 18, 2002 12:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RAID configuration on DC's

Hello all,

I have the option to either build our site domain controllers/global catalog servers with the following configurations:

Array 1 (RAID 1): OS, SYSVOL, Page File
Array 2 (RAID 1): Transaction Logs
Array 3 (RAID 1): Database (NTDS.DIT)

OR

Array 1 (RAID 1): OS, SYSVOL, Page File
Array 2 (RAID 5): Transaction Logs, Database (NTDS.DIT)
Either on-line spare or nothing

Currently, I'm more swayed towards the first configuration only to see the benefits of segregating the Logs from the Database. I will be interested in viewing some of your comments. BTW, the server will have 2GB of RAM and a high-end array controller. There is only one SCSI channel on this particular server though.

Rgds,

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP referral during subtree search
David,

Glad to help... Is the app server running on W2K or some Unix variant? If it's running on W2K, I'd be amazed if they were using their own LDAP client instead of the MSFT-supplied client. You could check to see if the server loads the WLDAP32.DLL.

-g

-Original Message-
From: Fugleberg, David A [mailto:david.fugleberg;nwa.com]
Sent: Wednesday, October 23, 2002 7:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP referral during subtree search
[ActiveDir] File Server
Good Morning,

We are in the process of changing over a file server from one server to another. The new server will be in our new AD and we use roaming profiles. I very much value this group's opinion and was therefore looking to see if I am missing anything or could do the job better. Here are the steps that I am planning to take.

* all users logged off
* copy files from ServerA to ServerB (9GB) using xcopy with the /o /x /e switches.
* confirm copy and permissions on ServerB
* disconnect ServerA from the network
* rename ServerB to ServerA and connect to the new AD structure
* run a rmtshare script to add share permissions to the user folders.

Does this sound feasible? In the past we have relied on scopy for most of our network copying but the new version of xcopy seems to do the job. Is there another file copy utility that might offer our network more? Thanks for listening, any advice is welcome, and I guess I'm just a bit nervous and wanted to outline the plan.

Thank you
Patrick Jackson
Technical Analyst
Information Systems
Whitehorse General Hospital
E-mail: [EMAIL PROTECTED]
Phone: 867.393.8729
Fax: 867.393.8707

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Folder Redirection using .NET AD Tools
Hi, Has anyone tried setting up Folder Redirection Group Policies with the .NET version of the AD Users and Computers Tool? Normally, Folder Redirection is located under: User Configuration--Windows Settings--Folder Redirection. However, w/ the .NET version of the tools, there are no Folder Redirection policies listed. Even the help page within the Group Policy MMC tells you the path. Any help would be appreciated, Thanks, jbl

Justin Leney
NIST/Systems Plus
Windows Server Team
301-975-4903 (Desk)
301-664-0106 (Pager)
RE: [ActiveDir] File Server
I have used a tool from www.smallwonders.com called secure copy. I don't know what it can offer you moving files between domains but I use it to move files around within a domain all the time. It moves files, ntfs perms, shares and perms, and will even recreate local groups on the destination server. It has a command line version with it that's great for scripting.

I had to do something very similar to what you plan (moving home directories). Here's how mine worked out.

* Used Secure copy to make the initial copy of everyone's home drive.
* Had a scheduled task setup to run a 'synchronise files' every night.

The night we were going to cut over some users I did this.

* Warned user that they had to log out / reboot to get their home drive back in the morning. (and warned the help desk who I was touching that night)
* Used setacl to correctly order inherited permissions on files in new share. I was copying from NT to 2000 and wanted to set inheritance up.
* Used chown to set ownership of files to the user (for 2000 quotas)
* Used rmtshare to document users old home drive share permissions to text file
* Used rmtshare to remove old home drive share. (left files there just in case)
* Used home grown adsi script to update users home drive settings in AD.

Worked out quite well as I was able to do all this with scheduled scripts in the middle of the night so I could be there first AM to take care of any users that things didn't work out on.

Clyde Burns

-Original Message-
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Wednesday, October 23, 2002 1:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] File Server

What is a rmtshare script?

-Original Message-
From: Patrick.Jackson [mailto:Patrick.Jackson;gov.yk.ca]
Sent: Wednesday, October 23, 2002 12:45 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] File Server
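Patrick's "copy, then confirm copy and permissions" steps and the rmtshare-to-text step Clyde describes, written out as an added example; this is not code from the thread or from any of the tools it names. It assumes it is run on ServerB as a local administrator, that the source tree is reachable as \\ServerA\D$\Users and the destination is D:\Users (both made up), and that the SmbShare cmdlets (Windows Server 2012 or later) are available for the share step; the function names are the example's own.

```powershell
# Added example (not from the thread). Copies a user-folder tree with its NTFS
# security descriptors, verifies the copy file by file, and records share
# permissions before the cutover. Assumptions: run on ServerB as a member of
# its Administrators group; source \\ServerA\D$\Users and destination D:\Users
# are made up; the SmbShare module (Windows Server 2012 or later) is present.

function Copy-TreeWithSecurity {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$LogPath
    )
    # /E        subdirectories, including empty ones
    # /COPYALL  data, attributes, timestamps, NTFS DACL, owner and SACL
    #           (the robocopy counterpart of xcopy /o /x)
    # /B        backup mode: uses SeBackupPrivilege/SeRestorePrivilege so files the
    #           admin has no ACE on are still read, and owners are restored verbatim
    # /R:1 /W:1 retry once instead of hanging on a locked file
    & robocopy.exe $Source $Destination /E /COPYALL /B /R:1 /W:1 /NP "/LOG+:$LogPath" | Out-Null
    # robocopy exit codes are a bit mask; 8 and above mean at least one failure
    return ($LASTEXITCODE -lt 8)
}

function Compare-TreeSecurity {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $dst = (Resolve-Path -LiteralPath $Destination).ProviderPath.TrimEnd('\')
    $problems = New-Object System.Collections.Generic.List[object]
    Get-ChildItem -LiteralPath $src -Recurse -Force | ForEach-Object {
        $rel    = $_.FullName.Substring($src.Length)
        $target = $dst + $rel
        if (-not (Test-Path -LiteralPath $target)) {
            $problems.Add([pscustomobject]@{ Path = $rel; Issue = 'missing on destination' })
            return
        }
        # Sddl covers owner, primary group and DACL. An ACE for a local group of
        # ServerA shows up as an unresolvable S-1-5-21-... SID on ServerB: those
        # are the entries Clyde's tool recreates and that a plain file copy leaves
        # orphaned.
        $srcSddl = (Get-Acl -LiteralPath $_.FullName).Sddl
        $dstSddl = (Get-Acl -LiteralPath $target).Sddl
        if ($srcSddl -ne $dstSddl) {
            $problems.Add([pscustomobject]@{ Path = $rel; Issue = 'security descriptor differs'; Source = $srcSddl; Destination = $dstSddl })
        }
        if (-not $_.PSIsContainer) {
            $dstLen = (Get-Item -LiteralPath $target -Force).Length
            if ($_.Length -ne $dstLen) {
                $problems.Add([pscustomobject]@{ Path = $rel; Issue = "size differs ($($_.Length) vs $dstLen)" })
            }
        }
    }
    return $problems
}

function Export-ShareAccess {
    # The equivalent of Clyde's "rmtshare to a text file": share-level permissions
    # live in the registry, not in the file system, so no file copy carries them.
    param([Parameter(Mandatory)][string]$CsvPath)
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name
    } | Select-Object Name, AccountName, AccessControlType, AccessRight |
        Export-Csv -Path $CsvPath -NoTypeInformation
}

$from = '\\ServerA\D$\Users'
$to   = 'D:\Users'
if (Copy-TreeWithSecurity -Source $from -Destination $to -LogPath 'C:\migrate\users-copy.log') {
    # an empty result means every file is present with an identical descriptor
    Compare-TreeSecurity -Source $from -Destination $to | Format-Table -AutoSize
}
# Run this one on ServerA before it is disconnected, so the share ACLs can be
# re-applied on the renamed server with Grant-SmbShareAccess.
Export-ShareAccess -CsvPath 'C:\migrate\ServerA-shares.csv'
```

The SDDL comparison is the "confirm permissions" step done mechanically: descriptors copied by robocopy /COPYALL should match byte for byte, and the rows it reports are exactly the ACEs that reference ServerA-local groups or accounts that do not exist in the new domain.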
RE: [ActiveDir] LDAP referral during subtree search
It's running on Solaris. I don't know what LDAP libraries they use. Dave

-Original Message-
From: Gil Kirkpatrick [mailto:gilk;netpro.com]
Sent: Wednesday, October 23, 2002 11:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP referral during subtree search

David, Glad to help... Is the app server running on W2K or some Unix variant? If it's running on W2K, I'd be amazed if they were using their own LDAP client instead of the MSFT-supplied client. You could check to see if the server loads the WLDAP32.DLL. -g
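The referral Gil explains, and the two ways of avoiding it (the LDAP_SERVER_DOMAIN_SCOPE_OID control, and searching the GC on 3268), reproduced as an added example; this is not code from the thread, from WebLogic or from Microsoft. It uses the System.DirectoryServices.Protocols classes and assumes a DC named dc1.xyz.com holding the forest root DC=xyz,DC=com with a user CN=joeuser somewhere under it (the DC name is made up; the DN and user come from the thread); the function name is the example's own.

```powershell
# Added example (not from the thread). Runs the same subtree search three ways
# and reports the SearchResultReference entries (referrals) that come back.
# Assumptions: dc1.xyz.com is a DC for DC=xyz,DC=com; run as a domain user.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Search-WithReferralReport {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$BaseDn,
        [Parameter(Mandatory)][string]$Filter,
        [switch]$DomainScope
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Chasing a referral means the library opens a new connection, with the same
    # credentials, to whatever host the referral names. Turn it off so the
    # references the DC sends are visible in the response instead of being
    # followed silently.
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDn
    $req.Filter = $Filter
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    [void]$req.Attributes.Add('distinguishedName')
    if ($DomainScope) {
        # LDAP_SERVER_DOMAIN_SCOPE_OID carries no value; sent non-critical so a
        # server that does not support it still answers the search.
        $ctl = New-Object System.DirectoryServices.Protocols.DirectoryControl('1.2.840.113556.1.4.1339', $null, $false, $true)
        [void]$req.Controls.Add($ctl)
    }

    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
    $conn.Dispose()

    [pscustomobject]@{
        Target      = '{0}:{1}' -f $Server, $Port
        DomainScope = [bool]$DomainScope
        Entries     = $resp.Entries.Count
        # each SearchResultReference carries one or more ldap:// URIs
        Referrals   = @($resp.References | ForEach-Object { $_.Reference } | ForEach-Object { $_.AbsoluteUri })
    }
}

$dc = 'dc1.xyz.com'; $base = 'DC=xyz,DC=com'; $filter = '(cn=joeuser)'
# 1. plain subtree search of the domain NC: the user entry plus a referral to
#    CN=Configuration,DC=xyz,DC=com, even though dc1 holds a replica of that NC
Search-WithReferralReport -Server $dc -Port 389  -BaseDn $base -Filter $filter
# 2. the same search with the domain-scope control: no referral is generated
Search-WithReferralReport -Server $dc -Port 389  -BaseDn $base -Filter $filter -DomainScope
# 3. the GC: no subordinate NCs, so no referrals
Search-WithReferralReport -Server $dc -Port 3268 -BaseDn $base -Filter $filter
```

Two caveats for an authentication component like the one Dave describes: on 3268 only attributes in the partial attribute set are returned (member is in it), and in a multi-domain forest the GC carries membership of universal groups from other domains but not of their global or domain local groups, so the group walk is complete there only for a single-domain forest or for universal groups. The control is the cleaner fix when the client must talk to 389.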
[ActiveDir] Sites with no DC
We have subnets without dc's, do you need to create a site and subnet in Sites and Services anyway for those sites? Don L Murawski
RE: [ActiveDir] Sites with no DC
Hey Don, Is this your first post to the list? If so, welcome. To answer your question, no you don't have to create a site for each subnet. You can associate multiple subnets with a single site. Or you can leave the subnets unassigned, and the DC locator will do its best to find a DC "close" to the authenticating PC. -gil

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 23, 2002 1:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sites with no DC
RE: [ActiveDir] Sites with no DC
How much overhead does leaving it up to the locator incur? Ken

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 23, 2002 4:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sites with no DC
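A way to measure what Ken is asking about, as an added example that is not from the thread: a DC that answers a locator request from a client whose address falls in no defined subnet writes a NO_CLIENT_SITE line to %SystemRoot%\debug\netlogon.log, and it does so at the default logging level, without full Netlogon debug logging turned on. Parsing those lines shows which networks are "left to the locator" and how often. The log lines below are constructed for the example (hosts, addresses and the domain name are made up), the function name is the example's own, and the /24 summarisation is an assumption about the addressing. PowerShell 3 or later.

```powershell
# Added example (not from the thread). Parses NO_CLIENT_SITE entries from a
# DC's netlogon.log and summarises the networks that have no site defined.
# The sample log is constructed for the example; nothing here is real data.
$sampleLog = @'
10/23 13:02:11 XYZ: NO_CLIENT_SITE: WS0412 10.30.7.41
10/23 13:02:15 XYZ: NO_CLIENT_SITE: WS0415 10.30.7.88
10/23 13:05:02 XYZ: DSGETDC: some other locator entry that must be ignored
10/23 13:06:40 XYZ: NO_CLIENT_SITE: LT0099 172.16.44.12
10/23 13:07:01 XYZ: NO_CLIENT_SITE: WS0412 10.30.7.41
'@

function Get-UnmappedClientSubnets {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # The line prefix (date, time, and on newer DCs a [MISC] [pid] tag) varies
    # by Windows version, so match only on the NO_CLIENT_SITE token itself.
    $pattern = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<Ip>\d{1,3}(?:\.\d{1,3}){3})\b'
    $hits = foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                Client = $m.Groups['Client'].Value
                Ip     = $m.Groups['Ip'].Value
            }
        }
    }
    if (-not $hits) { return @() }
    # Summarise as /24s (an assumption; widen or narrow to match the real
    # subnets before creating them in Sites and Services).
    $hits |
        Group-Object { ($_.Ip.Split('.')[0..2] -join '.') + '.0/24' } |
        ForEach-Object {
            [pscustomobject]@{
                Subnet     = $_.Name
                Clients    = @($_.Group.Client | Sort-Object -Unique).Count
                Requests   = $_.Count
                SampleHost = $_.Group[0].Client
            }
        } |
        Sort-Object Requests -Descending
}

# Constructed input: 10.30.7.0/24 (2 clients, 3 requests) and 172.16.44.0/24 (1, 1)
Get-UnmappedClientSubnets -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# On a DC:
#   Get-UnmappedClientSubnets -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log")
# Then map the network to its site (ActiveDirectory module, Windows Server 2012 or later):
#   New-ADReplicationSubnet -Name '10.30.7.0/24' -Site 'Branch7'
```

The cost of leaving a subnet unmapped is not on the DC but on the client: with no site to match, it can be handed any DC in the domain, including one across a WAN link, for every logon and Group Policy refresh. Running this on each DC and defining the subnets it reports keeps authentication traffic inside the site it belongs to.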
RE: [ActiveDir] ADMT v2
Version 1 was/is usable in Win2k environments as well - typically cross forest.

From the ADMT v 2.0 README:
* Scripting and command-line interface
* Password migration
* Migration log files
* Credentials needed for migration operators
* SID Mapping Files for security translation
* Windows 2000 attribute exclusion
* Agent credentials no longer required
* Fix membership is optional

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Salandra, Justin A.
Sent: Wednesday, October 23, 2002 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2

What is the difference between ADMT v2 and v1? Can you use the ADMT v2 in a Windows 2000 Active Directory Environment?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]

-Original Message-
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Monday, October 21, 2002 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2

Diane, Look under the ADMT folder in the I386 directory.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Ayers, Diane
Sent: Monday, October 21, 2002 12:29 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADMT v2

All: I'm looking for ADMT version 2. I've dug around my .NET CDs and can't find it. Can someone point me in the right direction...
Diane
[ActiveDir] Opposite of GETSID.EXE (OT?)
All- I am looking for a utility (or script) that will translate an account's SID into an account name. I want to feed the utility (or script) the SID and have the account name returned via the command prompt. Basically, the tool would do the opposite of getsid.exe (from Win2k Resource Kit). getsid.exe will give me the SID if I supply the account name. I've looked around but can't find anything. Any ideas? Thanks. Brian
RE: [ActiveDir] Opposite of GETSID.EXE (OT?)
Brian, There's probably a couple of tools/scripts out there, but here's one using WMI and VBS. Hope this helps, Richard

option explicit
' declares
dim strUsrPDC, strUsrDom, strUsrAct, strUsrPwd, strUsrSid, strUsrName

' - target userid information -
' string sid to search for
strUsrSid = "S-1-5-21-xx-x-x-500"
' domain userid (blank for impersonation, i.e. run the query as the user
' executing the script instead of embedding a password in it)
strUsrAct = "DOMAIN\userid"
' domain password (blank for impersonation)
strUsrPwd = "password_here"
' domain controller name
strUsrPDC = "domain_controller_or_server_name"
' domain name
strUsrDom = "domain_name_here"

strUsrName = get_name(strUsrSid, _
                      strUsrAct, _
                      strUsrPwd, _
                      strUsrDom, _
                      strUsrPDC)
wscript.echo "the name associated with " & strUsrSid & " is: " & strUsrName
wscript.quit

' Retrieve the name associated with a SID using a WQL Query with Win32_Account
'______________________________________________________________________________
function get_name (strSid, strUsr, strPwd, strDom, strDC)
'______________________________________________________________________________
    dim objWbemLocator, objWmiCon, objQuery, objName, strQry
    set objWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    strQry = "SELECT Name FROM Win32_Account WHERE SID = '" & strSid & _
             "' AND Domain = '" & strDom & "'"
    if len(strUsr) = 0 then
        ' no explicit credentials: connect as the user running the script
        set objWmiCon = objWbemLocator.ConnectServer(strDC, "root\cimv2")
    else
        set objWmiCon = objWbemLocator.ConnectServer(strDC, "root\cimv2", strUsr, strPwd)
        ' 2 = wbemAuthenticationLevelConnect
        objWmiCon.Security_.AuthenticationLevel = 2
    end if
    ' 3 = wbemImpersonationLevelImpersonate
    objWmiCon.Security_.ImpersonationLevel = 3
    set objQuery = objWmiCon.ExecQuery(strQry, "WQL")
    ' empty string if no account known to strDC carries that SID
    get_name = ""
    for each objName in objQuery
        get_name = objName.Name
    next
    set objWbemLocator = Nothing
    set objWmiCon = Nothing
    set objQuery = Nothing
    set objName = Nothing
end function

-Original Message-
From: Brian Svidergol [mailto:bsvidergol;sitelite.com]
Sent: Wednesday, October 23, 2002 7:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Opposite of GETSID.EXE (OT?)
RE: [ActiveDir] Opposite of GETSID.EXE (OT?)
Brian, I like Richard's script. Great stuff to learn from. BUT - just in case you want a compiled tool, check out a fellow MVP's site for tools that will do what you need. Joe even bills it as the complement to getsid.exe. Find Joe Richard's site and collection of tools at: www.joeware.net

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Svidergol
Sent: Wednesday, October 23, 2002 6:38 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Opposite of GETSID.EXE (OT?)
RE: [ActiveDir] Opposite of GETSID.EXE (OT?)
ahh, compiled... right... where's the fun in that? :-p

To augment Rick's suggestion, you might also try Richard MacDonald's SID Checker v1.0. It converts both ways sid - username / username - sid
http://www.richmac.org/tools/sidchk/sidchk2.html

Regards,
Richard

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 23, 2002 8:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Opposite of GETSID.EXE (OT?)
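The lookup Brian asked for (SID to account), the reverse that getsid.exe does, and the check of which well-known account a SID belongs to, as an added example that is not from the thread or from any of the tools named in it. It uses the .NET SecurityIdentifier class, which asks LSA on the local machine (and through it the domain) rather than querying WMI on a named server as Richard's script does, so it works for domain SIDs on any domain-joined host. The domain SID in the usage lines is made up, and the function names are the example's own.

```powershell
# Added example (not from the thread). SID <-> account translation through LSA,
# plus a breakdown of the SID: the last sub-authority is the RID, and RID 500 is
# the built-in Administrator no matter what the account has been renamed to.

function Convert-SidToAccount {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # deleted account, or a domain this host cannot resolve: the SID is all
        # there is, which is exactly what an orphaned ACE looks like
        $null
    }
}

function Convert-AccountToSid {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\name, BUILTIN\name or a bare name
    $acct = New-Object System.Security.Principal.NTAccount($Account)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-SidInfo {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rid = [uint32]($Sid.Split('-')[-1])
    $domainSid = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
    # Binary form: what objectSid looks like when an LDAP client returns it raw,
    # with the RID as the last four bytes, little-endian (500 = F4 01 00 00)
    $bytes = New-Object byte[] ($sidObj.BinaryLength)
    $sidObj.GetBinaryForm($bytes, 0)
    [pscustomobject]@{
        Sid            = $sidObj.Value
        DomainSid      = $domainSid
        Rid            = $rid
        RidHex         = '0x{0:X}' -f $rid
        IsBuiltinAdmin = $sidObj.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)
        ObjectSidHex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
        Account        = Convert-SidToAccount -Sid $sidObj.Value
    }
}

# Well-known SIDs resolve on any Windows host, so these two work offline:
Convert-SidToAccount -Sid 'S-1-5-32-544'                  # BUILTIN\Administrators
Convert-AccountToSid -Account 'BUILTIN\Administrators'    # S-1-5-32-544
# A domain account (SID made up); Account is $null unless that domain is reachable,
# IsBuiltinAdmin is $true because the RID is 500 (0x1F4):
Get-SidInfo -Sid 'S-1-5-21-1004336348-1177238915-682003330-500' | Format-List
```

The RID check is the part worth keeping in an audit script: comparing names tells you nothing if the built-in account has been renamed or a decoy named Administrator has been created, whereas IsWellKnown(AccountAdministratorSid) identifies the real one from the SID alone.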