RE: [ActiveDir] which attribute to use for disabled account
Or if you're just looking for the LDAP search filter syntax, try:

    (&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=2))

This uses a bitwise filter. For further details have a look at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q269181;

Tony

-- Original Message --
From: Sullivan, Kevin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Nov 2002 21:08:06 -0500

How about this...

    Option Explicit
    Dim objUser
    Dim objAccountDisabled
    ' Bind to the user object by its distinguished name
    Set objUser = GetObject("LDAP://CN=User,DC=Domain,DC=MSFT")
    ' AccountDisabled is the IADsUser property for the disabled state
    If objUser.AccountDisabled = True Then
        objAccountDisabled = "Yes"
    Else
        objAccountDisabled = "No"
    End If
    WScript.Echo objAccountDisabled

-----Original Message-----
From: pio eqbal [mailto:eqbalpio;yahoo.com]
Sent: Wednesday, November 06, 2002 12:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] which attribute to use for disabled account

Hi, is there an attribute in the user class, that I can use in the LDAP query to find if the user account is disabled? If so what is the name of the attribute?

Thanks
Eqbal

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
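How the bitwise matching rule in that filter selects entries, as an added example that is not code from the thread: a small Python evaluator run over constructed directory entries. The entry names, the sample userAccountControl values and the helper functions are assumptions made for illustration; real objectCategory values are DNs and are stored here as short names.

```python
import re

# Microsoft matching-rule OIDs for bitwise LDAP comparisons.
BIT_AND = "1.2.840.113556.1.4.803"  # all bits of the operand must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the operand must be set

# Subset of the userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# One clause: (attr=value) or (attr:matchingRuleOID:=value)
_CLAUSE = re.compile(r"\(([A-Za-z][\w-]*)(?::([\d.]+):)?=([^()]*)\)")


def parse_and_filter(text):
    """Parse '(&(clause)(clause)...)' into (attr, rule_oid_or_None, value) tuples."""
    text = text.strip()
    # A filter without the leading & operator is not a valid conjunction.
    if not (text.startswith("(&") and text.endswith(")")):
        raise ValueError("expected a single (&...) conjunction")
    inner, pos, clauses = text[2:-1], 0, []
    while pos < len(inner):
        m = _CLAUSE.match(inner, pos)
        if not m:
            raise ValueError(f"unparsable clause at offset {pos}")
        clauses.append(m.groups())
        pos = m.end()
    if not clauses:
        raise ValueError("empty conjunction")
    return clauses


def matches(entry, clauses):
    """Apply every clause to one entry (dict with lower-case attribute names)."""
    for attr, rule, value in clauses:
        have = entry.get(attr.lower())
        if have is None:
            return False
        if rule is None:                      # plain equality, case-insensitive
            ok = str(have).lower() == value.lower()
        elif rule == BIT_AND:
            ok = (int(have) & int(value)) == int(value)
        elif rule == BIT_OR:
            ok = (int(have) & int(value)) != 0
        else:
            raise ValueError(f"unsupported matching rule {rule}")
        if not ok:
            return False
    return True


def search(entries, filter_text):
    """Return the sAMAccountName of every entry the filter selects."""
    clauses = parse_and_filter(filter_text)
    return [e["samaccountname"] for e in entries if matches(e, clauses)]


def decode_uac(value):
    """List the known flag names set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"samaccountname": "alice", "objectcategory": "Person", "useraccountcontrol": 512},
    {"samaccountname": "bob", "objectcategory": "Person", "useraccountcontrol": 514},
    {"samaccountname": "carol", "objectcategory": "Person", "useraccountcontrol": 66050},
    {"samaccountname": "dave", "objectcategory": "Person", "useraccountcontrol": 544},
    {"samaccountname": "ws01$", "objectcategory": "Computer", "useraccountcontrol": 4098},
]

DISABLED_USERS = "(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=2))"

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["samaccountname"], decode_uac(entry["useraccountcontrol"]))
    print("disabled users:", search(SAMPLE_ENTRIES, DISABLED_USERS))
```

The disabled computer account `ws01$` has the same bit set but is excluded by the objectCategory clause, which is why the filter pairs the two conditions.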
RE: [ActiveDir] IIS behind firewall
Actually, there are a lot of secure ways to do this - none of them, however, involve putting IIS outside your firewall. There's no reason that it can't be behind the firewall, with just ports 443 and 80 open from the outside world.

The flip side to that is putting it outside your firewall, you need all the NT or AD authentication ports open, plus you have to do a lot of hacking your Exchange servers to set static ports for the services (by default they are dynamically assigned ports).

We happen to use a proxy server in our DMZ that functions as both a reverse proxy (many clients to one server) and an SSL accelerator, with the OWA server inside the firewall, and limited to just the proxy box for connections.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Garello, Kenneth [mailto:KGarello;worcester.edu]
Sent: Wednesday, November 06, 2002 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

Rick,

Thank you very much for your thoughts. My task at hand is to provide Outlook Web Access to our internal mail system. From your discussion, I take it that there really is no secure way to do this. Are there options that I am not aware of?

Ken

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

Documents of interest:

http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, but IIS hardening is worthless unless the base OS is hardened as well)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp (get the templates!)

http://www.sans.org (their guides are not free, but are quite worth the money)

I'd also look at various places like @Stake, Church of the Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks that do this daily.
Now, that the documents are cleared up, let's discuss IIS - AD authentication across the DMZ.

First - your IIS servers should be on the outside. At the very least, they should be in a hard DMZ (behind a bastion or the first firewall, but in front of a soft DMZ). This is an untrusted zone. It's considered untrusted because the Internet data is not 'clean' or secure. Putting things out here is, in effect, putting systems that must be accessed by the public in harm's way. There really is no other way. We need to allow users to access them - but we can't lock them down as much as we'd like.

The separation that is intrinsic with trusted and untrusted (your IIS Server in the hard DMZ is in the Internet zone) allows for the IIS server to access data in the untrusted DMZ. In no way should the IIS server in the Internet zone be allowed to access anything in the trusted zone.

What this means is that it is not really considered a 'safe practice' to allow IIS (or, any system directly) to authenticate to internal DCs. This is the reason for RADIUS - the authentication request comes from a trusted third party system (at least as far as your network is concerned - the RADIUS server is still on your network, but the number of ports open and the compromise risk are both low).

Microsoft authentication requires a slew of ports to be open. Steve Riley of Microsoft has a good article: http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp on how to do replication and authentication over and across firewalls, but it is still considered a risky practice.

It is typically not considered a 'good thing' to allow outside entities or untrusted systems to access trusted systems. In this case, the IIS server is untrusted because it is designed for direct access by outside entities that you have no control over. In many ways, you EXPECT it to be compromised - hence you cannot trust it.
On the other hand, you need to be able to trust that a DC is not compromised and that it is who it says it is and that the network is secure. This would be a trusted system - you trust the data, the authentication, the server.

The only way that I would do any type of authentication across a DMZ is to have a forest or an AD authentication mechanism (an AD proxy, if you will) in the DMZ (not trusted) with IPSec channels to a trusted DC or set of DCs that would actually validate the request.

Right now, it's a bit messy. But, be looking for a couple of things from MS and third parties (Aelita, Cisco) to pony up, too. I know that Cisco has ACS, but I'm not quite as up on that as I should be to know if it would help in this scenario.

Hope this helps. Any questions, please ask!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
RE: [ActiveDir] IIS behind firewall
Thanks for everyone's input. I've got a lot of planning to do!

Ken

-----Original Message-----
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, November 07, 2002 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

Actually, there are a lot of secure ways to do this - none of them, however, involve putting IIS outside your firewall. There's no reason that it can't be behind the firewall, with just ports 443 and 80 open from the outside world.

The flip side to that is putting it outside your firewall, you need all the NT or AD authentication ports open, plus you have to do a lot of hacking your Exchange servers to set static ports for the services (by default they are dynamically assigned ports).

We happen to use a proxy server in our DMZ that functions as both a reverse proxy (many clients to one server) and an SSL accelerator, with the OWA server inside the firewall, and limited to just the proxy box for connections.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Garello, Kenneth [mailto:KGarello;worcester.edu]
Sent: Wednesday, November 06, 2002 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

Rick,

Thank you very much for your thoughts. My task at hand is to provide Outlook Web Access to our internal mail system. From your discussion, I take it that there really is no secure way to do this. Are there options that I am not aware of?
Ken

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

Documents of interest:

http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, but IIS hardening is worthless unless the base OS is hardened as well)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp (get the templates!)

http://www.sans.org (their guides are not free, but are quite worth the money)

I'd also look at various places like @Stake, Church of the Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks that do this daily.

Now, that the documents are cleared up, let's discuss IIS - AD authentication across the DMZ.

First - your IIS servers should be on the outside. At the very least, they should be in a hard DMZ (behind a bastion or the first firewall, but in front of a soft DMZ). This is an untrusted zone. It's considered untrusted because the Internet data is not 'clean' or secure. Putting things out here is, in effect, putting systems that must be accessed by the public in harm's way. There really is no other way. We need to allow users to access them - but we can't lock them down as much as we'd like.

The separation that is intrinsic with trusted and untrusted (your IIS Server in the hard DMZ is in the Internet zone) allows for the IIS server to access data in the untrusted DMZ. In no way should the IIS server in the Internet zone be allowed to access anything in the trusted zone.

What this means is that it is not really considered a 'safe practice' to allow IIS (or, any system directly) to authenticate to internal DCs.
This is the reason for RADIUS - the authentication request comes from a trusted third party system (at least as far as your network is concerned - the RADIUS server is still on your network, but the number of ports open and the compromise risk are both low).

Microsoft authentication requires a slew of ports to be open. Steve Riley of Microsoft has a good article: http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp on how to do replication and authentication over and across firewalls, but it is still considered a risky practice.

It is typically not considered a 'good thing' to allow outside entities or untrusted systems to access trusted systems. In this case, the IIS server is untrusted because it is designed for direct access by outside entities that you have no control over. In many ways, you EXPECT it to be compromised - hence you cannot trust it.

On the other hand, you need to be able to trust that a DC is not compromised and that it is who it says it is and that the network is secure. This would be a trusted system - you trust the data, the authentication, the server.

The only way that I would do any type of authentication across a DMZ is to have a forest or an AD authentication mechanism (an AD proxy, if you will) in the DMZ (not trusted) with IPSec channels to a trusted DC or set of DCs that would actually validate the request.

Right now, it's a bit messy. But, be looking for a couple of things from MS and third parties (Aelita, Cisco) to pony up,
RE: [ActiveDir] IIS Question on DC
I'm not sure what type of load you have or want to put on your DC but the only reason I can see that it (IIS) HAS TO or SHOULD be on a DC is if you are going to either:

Use it as an FTP server
Host a site on the DC

-----Original Message-----
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 11:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] IIS Question on DC

Is there a reason why IIS should be on a DC?

Don L Murawski
Sr. Network Administrator - MCSE 4.0, 2000
WorldTravel BTI
1055 Lenox Park Blvd Suite 420
Atlanta, GA 30319
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
RE: [ActiveDir] IIS Question on DC
No.

Regards,
/Jimmy

--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Murawski (Lenox)
Sent: 7 November 2002 17:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] IIS Question on DC

Is there a reason why IIS should be on a DC?

Don L Murawski
Sr. Network Administrator - MCSE 4.0, 2000
WorldTravel BTI
1055 Lenox Park Blvd Suite 420
Atlanta, GA 30319
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
[ActiveDir] Domain Controllers per users...
Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users. The old rule for NT4 was 1 BDC for every 2000 active users. I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,
Todd Myrick
RE: [ActiveDir] Active Directory Log
Well. Not so good, this only holds the info since the last sync, after 90 minutes, it's a goner. About the only resolve given by Microsoft was to restore a DC backup and run a script to retrieve the machine's location before the move was done.

Rick

-----Original Message-----
From: Jones, Rick J.(Desktop Engineering) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 06, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Log

Every System has a log within the registry! http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q201453

Rick Jones

-----Original Message-----
From: David N. Precht [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 06, 2002 5:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Log

http://www.sunbelt-software.com/product.cfm?id=871 could be part of the solution

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jones, Rick J.(Desktop Engineering)
Sent: Tuesday, November 05, 2002 22:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Log

We had a list of computers that got moved to an incorrect OU.

Is there a way of looking on the Computer account to see what NT ID was used to move that computer?
Is there a way of looking on the Computer account to see what OU it was moved from?
Is there a way of looking in a log file somewhere in AD to tell this information if none of the above is available?

Would appreciate anyone's input, I am dying here to fix a booboo (HUGE ONE)

Thanks;
Rick
RE: [ActiveDir] Domain Controllers per users...
It's no longer a question of a hard number of users per DC, but an overall forest question because of the DC to DC and GC replication and replicas that must be maintained. Though there are many 3rd party tools (NetPro DirectorySim, others, to be sure) Microsoft has the ADSizer.exe tool that will help you with some of the nuances of the process.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274305

Hope this helps!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, November 07, 2002 12:11 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Controllers per users...

Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users. The old rule for NT4 was 1 BDC for every 2000 active users. I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,
Todd Myrick
RE: [ActiveDir] Domain Controllers per users...
Todd - there's not really an IN STONE amount with AD - I believe the suggested limit is somewhere in the 26,000 range, but you really take the forest as a whole into consideration with AD unlike NT.

Craig

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 1:11 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Controllers per users...

Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users. The old rule for NT4 was 1 BDC for every 2000 active users. I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,
Todd Myrick
RE: [ActiveDir] Domain Controllers per users...
I do not believe it is judged that way anymore, it truly depends on physical topology, Sites, Subnets, Domain Services. All these things will determine how many DC are needed. You could have 2000 users in 5 different locations and need to have a DC in each location based on the info above.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 1:11 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Controllers per users...

Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users. The old rule for NT4 was 1 BDC for every 2000 active users. I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,
Todd Myrick
[ActiveDir] OT: Public Folders Replication
If you have multiple domains and only one exchange forest, how many Public Folder Replication Connection Agreements do you need?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:jasalandra;chcsnet.org
[ActiveDir] Re-installing DC?
I reformatted a second DC (name - jax1) and brought it up again, ran dcpromo and it says this:

The operation failed because: The attempt to join this computer to the targettire.com domain failed. The credentials supplied conflict with an existing set of credentials.

WTF? I've done this a few times already without any problems, now all of a sudden it's doing it. I ran ntdsutil par of Q216498 and deleted all the junk.. Also I've tried renaming it to jax2, to no avail.

Thanks,
--
Wes
RE: [ActiveDir] Re-installing DC?
I could be wrong - but it sounds to me like the SID for that box is still in AD

-----Original Message-----
From: Weston Rogers [mailto:wrogers;targettire.com]
Sent: Thursday, November 07, 2002 2:58 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Re-installing DC?

I reformatted a second DC (name - jax1) and brought it up again, ran dcpromo and it says this:

The operation failed because: The attempt to join this computer to the targettire.com domain failed. The credentials supplied conflict with an existing set of credentials.

WTF? I've done this a few times already without any problems, now all of a sudden it's doing it. I ran ntdsutil par of Q216498 and deleted all the junk.. Also I've tried renaming it to jax2, to no avail.

Thanks,
--
Wes
Re: [ActiveDir] IIS Question on DC
It's pretty much a requirement if you want to use MS's Webadmin 1.0 [or components thereof] which afaik has to reside on a DC. Apart from that and other services which depend on its presence... nope.

All the best,
Andy

----- Original Message -----
From: Don Murawski (Lenox)
To: [EMAIL PROTECTED]
Sent: Thursday, November 07, 2002 5:43 PM
Subject: [ActiveDir] IIS Question on DC

Is there a reason why IIS should be on a DC?

Don L Murawski
Sr. Network Administrator - MCSE 4.0, 2000
WorldTravel BTI
1055 Lenox Park Blvd Suite 420
Atlanta, GA 30319
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
RE: [ActiveDir] Psched error?
http://www.eventid.net/display.asp?eventid=1008source=

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Chris J. Popp
Sent: Thursday, November 07, 2002 15:58
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Psched error?

I am constantly getting the following in Win2K SP3's App Log. Time and date changes (of course) when it occurs:

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1008
Date: 11/7/2002
Time: 11:32:18 AM
User: N/A
Computer: PACKERS
Description: The Open Procedure for service PSched in DLL C:\WINNT\system32\pschdprf.dll failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Data: : 02 00 00 00

Any ideas? MS's site came up blank on this.

Thanks,
Chris
RE: [ActiveDir] Psched error?
What counter?

-----Original Message-----
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Thursday, November 07, 2002 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Psched error?

Try unloading the counter and then reloading it and restarting the machine

-----Original Message-----
From: Chris J. Popp [mailto:chris.popp;sharpeengineering.com]
Sent: Thursday, November 07, 2002 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Psched error?

I am constantly getting the following in Win2K SP3's App Log. Time and date changes (of course) when it occurs:

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1008
Date: 11/7/2002
Time: 11:32:18 AM
User: N/A
Computer: PACKERS
Description: The Open Procedure for service PSched in DLL C:\WINNT\system32\pschdprf.dll failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Data: : 02 00 00 00

Any ideas? MS's site came up blank on this.

Thanks,
Chris
RE: [ActiveDir] Domain Controllers per users...
I can't imagine how one could make such a recommendation without at least taking into account the DC h/w characteristics and the network characteristics.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 11:11 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Domain Controllers per users...

Greetings all,

Quick question, has anyone seen a KB or White paper that outlines the guideline of how many DC's you need per number of users. The old rule for NT4 was 1 BDC for every 2000 active users. I have read all the AD sizing papers etc, but just wanted to know if anyone remembered coming across this little tidbit.

Thanks,
Todd Myrick
RE: [ActiveDir] Psched error?
I've seen this problem when the reg entry for the perf counter DLL points to a DLL that doesn't exist or is somehow broken.

-----Original Message-----
From: Salandra, Justin A. [mailto:jasalandra;chcsnet.org]
Sent: Thursday, November 07, 2002 2:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Psched error?

Try unloading the counter and then reloading it and restarting the machine

-----Original Message-----
From: Chris J. Popp [mailto:chris.popp;sharpeengineering.com]
Sent: Thursday, November 07, 2002 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Psched error?

I am constantly getting the following in Win2K SP3's App Log. Time and date changes (of course) when it occurs:

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1008
Date: 11/7/2002
Time: 11:32:18 AM
User: N/A
Computer: PACKERS
Description: The Open Procedure for service PSched in DLL C:\WINNT\system32\pschdprf.dll failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Data: : 02 00 00 00

Any ideas? MS's site came up blank on this.

Thanks,
Chris
[ActiveDir] LDAP Display Name for User logged into computer
What is the LDAP display name on a computer account for the user that logged into the system from that computer?

What I am trying to do is poll Active Directory with a vbscript I have to find out the UserID of the user that last logged into the domain from that computer.

Any thoughts?

Rick