[ActiveDir] Joeware Perl Script for showing AD ACL's

2003-06-12 Thread Joe



I was tech reviewing a book chapter and realized I had a perl script that
others may find useful in the AD world, especially if they are doing ACE/ACL
coding via scripts. I wrote this like a year ago so be gentle as I may have
done silly things or may not even recall why I did certain things.

It uses ADFIND because I hate using ADO for searching and I don't like burying
passwords in scripts or having to ask for them. ADFIND is a free download from
www.joeware.net and is harmless except that it gets your mind wondering what
else you can do which some people find dangerous enough by itself. You will
note that any perl script I do AD searches from I always fall back to adfind.
I may use adsi to open up a specific object sometimes, but it is always search
via adfind.

Anyway, I use this script when I am really looking close at AD ACL's and when
I have to whip up a quick script to do something. I set the perms manually
through the GUI and then see what it produced with this. If you use the
/verbose switch it will show you GUIDs and such that you need to insert into
your script for control access rights and property sets, etc. The debug switch
isn't fleshed out at all.

I guess I should work on getting this up on the website. :op

I had started writing it in vbscript but vbscript pisses me off more times
than not, I wish MS would just get it over with and buy ActiveState and have
perl be default on all of its OS's. MS has nothing else that touches it and I
won't argue this point. You can do simple things simply and bigger things with
a little more work and you don't have to keep going back to a book for
objectclass references. One simple web reference page will generally do the
trick.

Hope it is helpful.

 
joe



Usage is 


#**
# AccessMask constants
#**
# Generic and standard rights (upper bits of the mask)
$ADS_RIGHT_GENERIC_READ = 0x80000000;
$ADS_RIGHT_GENERIC_WRITE = 0x40000000;
$ADS_RIGHT_GENERIC_EXECUTE = 0x20000000;
$ADS_RIGHT_GENERIC_ALL = 0x10000000;
$ADS_RIGHT_SYSTEM_SECURITY = 0x1000000;
$ADS_RIGHT_SYNCHRONIZE = 0x100000;
$ADS_RIGHT_WRITE_OWNER = 0x80000;
$ADS_RIGHT_WRITE_DAC = 0x40000;
$ADS_RIGHT_READ_CONTROL = 0x20000;
$ADS_RIGHT_DELETE = 0x10000;
# Directory-service specific rights (lower bits of the mask)
$ADS_RIGHT_DS_CONTROL_ACCESS = 0x100;
$ADS_RIGHT_DS_LIST_OBJECT = 0x80;
$ADS_RIGHT_DS_DELETE_TREE = 0x40;
$ADS_RIGHT_DS_WRITE_PROP = 0x20;
$ADS_RIGHT_DS_READ_PROP = 0x10;
$ADS_RIGHT_DS_SELF = 0x8;
$ADS_RIGHT_ACTRL_DS_LIST = 0x4;
$ADS_RIGHT_DS_DELETE_CHILD = 0x2;
$ADS_RIGHT_DS_CREATE_CHILD = 0x1;
$FULL_CONTROL = -1; # This isn't right...

#**
# AceType constants
#**
$ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8;
$ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7;
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6;
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5;
$ADS_ACETYPE_SYSTEM_AUDIT = 0x2;
$ADS_ACETYPE_ACCESS_DENIED = 0x1;
$ADS_ACETYPE_ACCESS_ALLOWED = 0x0;

#**
# AceFlags constants
#**
$ADS_ACEFLAG_FAILED_ACCESS = 0x80;
$ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40;
$ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1F;
$ADS_ACEFLAG_INHERITED_ACE = 0x10;
$ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8;
$ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4;
$ADS_ACEFLAG_INHERIT_ACE = 0x2;

#**
# Security Descriptor constants
#**
$ADS_SD_CONTROL_SE_OWNER_DEFAULTED = 0x1;
$ADS_SD_CONTROL_SE_GROUP_DEFAULTED = 0x2;
$ADS_SD_CONTROL_SE_DACL_PRESENT = 0x4;
$ADS_SD_CONTROL_SE_DACL_DEFAULTED = 0x8;
$ADS_SD_CONTROL_SE_SACL_PRESENT = 0x10;
$ADS_SD_CONTROL_SE_SACL_DEFAULTED = 0x20;
$ADS_SD_CONTROL_SE_DACL_AUTO_INHERIT_REQ = 0x100;
$ADS_SD_CONTROL_SE_SACL_AUTO_INHERIT_REQ = 0x200;
$ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED = 0x400;
$ADS_SD_CONTROL_SE_SACL_AUTO_INHERITED = 0x800;
$ADS_SD_CONTROL_SE_DACL_PROTECTED = 0x1000;
$ADS_SD_CONTROL_SE_SACL_PROTECTED = 0x2000;

#**
# Flags constants
#**
$ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2;
$ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1;





#**
# MAIN
#**
use Win32::OLE;
use Win32::OLE::Enum;

%schemaids=();
%propertysetids=();
$debug=0;
$verbose=0;

print "\nPerlChkSec V01.00.00pl Joe Richards ([EMAIL PROTECTED]) June 2002\n\n";

$obj=shift;

if (grep(/\/debug/i,@ARGV)){ $debug=1;}

if (grep(/\/verbose/i,@ARGV)){ $verbose=1;}

if ($debug) {print "Debugging enabled...\n"};

if (!$obj){ print 

[ActiveDir] Connection speed

2003-06-12 Thread Jochen Andries








Not really on topic, but hmmm, I would love to have this connection speed :-)





http://www.pcpro.co.uk/?news/news_story.php?id=42921





Jochen

ICT  Department

Mercatorpress

Jabbeke

Belgium








RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

2003-06-12 Thread Jeffrey Dubyn



Rick - 

Thanks for the info. I've found VSS to be quite useful in our lab, but don't
think it will work well for Disaster Recovery. What bad experience did you
have with DFS?

Jeff

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 8:09 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

  Jeffrey,

  I personally am not a big fan of Dfs - mainly due to a very bad experience
  in the early days of Windows 2000 (April 2000). It has gotten better, but
  is not really a great solution to bank your DR process on. IMHO, depending
  on what your bandwidth is like, the move with Windows Server 2003 might
  justify itself with Volume Shadow Services. I've been working closely with
  VSS and primarily, Volume Shadow Copy, and IMHO, it Rocks!

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
  Sent: Wednesday, June 11, 2003 6:31 PM
  To: [EMAIL PROTECTED]

  I have a customer looking for a disaster recovery solution for their Active
  Directory domain. They have one site on each coast and want to replicate
  the data. A VPN is available to each location. I was looking at either
  DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator)
  but am having a hard time justifying using this over the built-in DFS.
  Anyone with any thoughts on this?


RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

2003-06-12 Thread Jeffrey Dubyn



Rick -

Did PSS give you any documentation about what files could and could not be
copied using DFS? Was there a size limitation on the actual file (not the DFS
database which is documented as 5MB)?

Thanks!

Jeff

  
  -Original Message-
  From: Jeffrey Dubyn [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 6:28 AM
  To: '[EMAIL PROTECTED]'
  Cc: 'Rick Kingslan'
  Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

  Rick -

  Thanks for the info. I've found VSS to be quite useful in our lab, but
  don't think it will work well for Disaster Recovery. What bad experience
  did you have with DFS?

  Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 8:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

Jeffrey,

I personally am not a big fan of Dfs - mainly due to a very bad experience in
the early days of Windows 2000 (April 2000). It has gotten better, but is not
really a great solution to bank your DR process on. IMHO, depending on what
your bandwidth is like, the move with Windows Server 2003 might justify itself
with Volume Shadow Services. I've been working closely with VSS and primarily,
Volume Shadow Copy, and IMHO, it Rocks!

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Wednesday, June 11, 2003 6:31 PM
To: [EMAIL PROTECTED]

I have a customer looking for a disaster recovery solution for their Active
Directory domain. They have one site on each coast and want to replicate the
data. A VPN is available to each location. I was looking at either DoubleTake
or a Veritas solution (Volume Replicator or Storage Replicator) but am having
a hard time justifying using this over the built-in DFS. Anyone with any
thoughts on this?


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Gil Kirkpatrick



Been here. Busy. Vacation. Back soon.

-gil

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 8:05 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

  Sadly, Gil has not been spending as much time here as he has in the past.
  Not sure why. He does post now and then - especially when the replication
  or lower level programming talk gets deep.

  Robbie Allen and Richard Puckett have been fairly visible - Richard, I
  can't say why he hasn't been here. Robbie, though - I can speak for. I
  KNOW what he's doing :-) He'll be free(er) shortly..

  -rtk

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:59 PM
  To: [EMAIL PROTECTED]

  It will definitely be fun. I personally am waiting for a Gil Kirkpatrick
  sighting, I hear he wanders these halls. ADFIND (and every other LDAP
  joeware tool) wouldn't exist except for Gil and his book and that would be
  a sad thing for me because I love those tools.

   joe
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

Yeah! LOL! That's waay too good.

Glad you could make it. You will certainly be a worthy addition to the
characters that wander in here.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so I stumbled in
fashionably late and three sheets to the wind... The only way to make an
entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and
OpenLDAP on a Linux box and calling it OverActive Directory?




  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

  Mr. Richards. welcome to the party. ;-)

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large organization and
  policy is policy. Not only will we not let you put them into our Active
  Directory, I have a script that will find them and throw the machine
  objects into an Enterprise Admin Access only OU and disable and smack the
  ACL of the offending object if you someone sneak one in. So not only do
  they not get to use the server anymore, they can't even use that server
  name again. We catch more than a couple of occurrences of this and we take
  away their ability to add anything and let their managers know that we did
  it and why.

  While I understand why people want to put them in (I in fact want to as
  well), we want a centralized controlled IT structure and the best way to
  maintain or reduce costs is to have a handle on what is in production. We
  do not have an official company load for W2K3 yet with all of the
  certified drivers and antivirus software so we don't want anyone deploying
  anything on it because anything they deploy we know will have to be
  revisited and is a possible breeding ground of viri, worms, and support
  issues with no escalation paths.

  Tough love I guess.

   joe
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Justifying it technically is going to be a problem, as there are no real
'downfalls'.

However - if they don't want them - stick to your guns. Policy says NO. If
there are any questions, refer to latter statement.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] OU and GPO Design Comments

2003-06-12 Thread Steve Rochford
I understand this, but I wonder if someone could suggest a better way of
achieving what I currently do with a deny ACE.

I work in a college and there is a security group for each course we run
(about 4000). Each student is in the security group for their course(s).
Most students are not allowed to access the control panel, desktop etc
and this is controlled by a group policy. A small number of students
need this access so we deny their groups access to the policy which
would otherwise enforce the desktop restrictions. This works but, from
the stuff below and elsewhere, is obviously a bad idea.

The obvious solution is to remove the allow ACE for authenticated users
and explicitly allow access for all the groups that do need to be
restricted. This would be a lot of groups (but I'd guess they could all
be added to a single group for tidiness) but could cause conflicts - a
student might take course ABCD1234 which doesn't allow desktop access
but also DEFG5678 which does need desktop access. The fact that the
first group is allowed to apply the policy means that this student won't
get to control panel etc and I can't see any way round this.

Help!

Steve

-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED] 
Sent: 10 June 2003 19:58
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and GPO Design Comments


 Note: Use the Deny ACE with caution. A Deny ACE setting for any group
has precedence over any Allow ACE given 
 to a user or computer because of membership in another group.

 I liked the way one of the MS guys put it in the GP newsgroup a while
back-

 I would discourage you from using Deny ACEs - they tend to
over-complicate your security group model and make
 things difficult to troubleshoot. You can also get into trouble if you
accidentally set a deny permission for the 
 wrong group and end up denying them from having access to the GPO to
fix it.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
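
The conflict described in the message above, worked through as an added example that is not part of the original thread. It models a simplified access check for a GPO (explicit deny ACEs evaluated before allow ACEs) and compares the current deny-based filtering with the allow-only alternative; the bit values, the student tokens and the `gpo_applies` helper are assumptions made for illustration.

```python
"""Simplified model of GPO security filtering (added example).

A GPO is applied to a user only when the access check on the GPO grants
both Read and Apply Group Policy. Group names and tokens are constructed.
"""
from dataclasses import dataclass

READ, APPLY = 0x1, 0x2      # illustrative bits, not the real Windows values
NEEDED = READ | APPLY


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # group the ACE names
    mask: int


def canonical(dacl):
    """Explicit deny ACEs are ordered ahead of allow ACEs."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")


def gpo_applies(dacl, token_groups):
    """Walk the DACL in order and report whether NEEDED is fully granted."""
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny":
            if ace.mask & NEEDED & ~granted:
                return False            # a required right is denied first
        else:
            granted |= ace.mask & NEEDED
            if granted == NEEDED:
                return True
    return False                        # never fully granted: implicit deny


# Design 1 (what the post does today): everyone gets the policy, and the
# course groups that need the desktop are denied Apply Group Policy.
DENY_DESIGN = [
    Ace("allow", "Authenticated Users", READ | APPLY),
    Ace("deny", "DEFG5678", APPLY),
]

# Design 2 (the alternative considered): no Authenticated Users ACE, only
# the restricted course groups are allowed to apply the policy.
ALLOW_ONLY_DESIGN = [
    Ace("allow", "ABCD1234", READ | APPLY),
]

# Constructed tokens: group memberships of three students.
STUDENTS = {
    "restricted_only": {"Authenticated Users", "ABCD1234"},
    "exempt_only": {"Authenticated Users", "DEFG5678"},
    "both_courses": {"Authenticated Users", "ABCD1234", "DEFG5678"},
}


def compare_designs():
    """Return {student: (restricted in design 1, restricted in design 2)}."""
    return {
        name: (gpo_applies(DENY_DESIGN, groups),
               gpo_applies(ALLOW_ONLY_DESIGN, groups))
        for name, groups in STUDENTS.items()
    }


if __name__ == "__main__":
    for student, (deny_d, allow_d) in compare_designs().items():
        print(f"{student:16} deny-design={deny_d!s:5} allow-only={allow_d}")
```

Only the student enrolled in both courses is treated differently by the two designs: the deny ACE exempts them, while the allow-only DACL still applies the restrictions through the ABCD1234 membership.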


RE: [ActiveDir] Joeware Perl Script for showing AD ACL's

2003-06-12 Thread Joe



Oh yeah I should have shown a sample output. Here is what it looks like with
verbose option:

F:\LAPTOP\F\Work\Office\pc\Dev\CMPACCperlchksec.pl dc=joehome,dc=com /verbose

PerlChkSec V01.00.00pl Joe Richards ([EMAIL PROTECTED]) June 2002

Control        : 33796
                 ADS_SD_CONTROL_SE_DACL_PRESENT
                 ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED
Group          : BUILTIN\Administrators
Owner          : BUILTIN\Administrators
Default Owner  : 0
Revision       : 1

ACE
Trustee        : BUILTIN\Administrators
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 2
                 ADS_ACEFLAG_VALID_INHERIT_FLAGS
                 ADS_ACEFLAG_INHERIT_ACE
Access Mask    : 983485
                 ADS_RIGHT_WRITE_OWNER
                 ADS_RIGHT_WRITE_DAC
                 ADS_RIGHT_READ_CONTROL
                 ADS_RIGHT_DELETE
                 ADS_RIGHT_DS_CONTROL_ACCESS
                 ADS_RIGHT_DS_LIST_OBJECT
                 ADS_RIGHT_DS_WRITE_PROP
                 ADS_RIGHT_DS_READ_PROP
                 ADS_RIGHT_DS_SELF
                 ADS_RIGHT_ACTRL_DS_LIST
                 ADS_RIGHT_DS_CREATE_CHILD

ACE
Trustee        : NT AUTHORITY\Authenticated Users
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 0
Access Mask    : 131220
                 ADS_RIGHT_READ_CONTROL
                 ADS_RIGHT_DS_LIST_OBJECT
                 ADS_RIGHT_DS_READ_PROP
                 ADS_RIGHT_ACTRL_DS_LIST

ACE
Trustee        : JOEHOME\Domain Admins
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 0
Access Mask    : 917949
                 ADS_RIGHT_WRITE_OWNER
                 ADS_RIGHT_WRITE_DAC
                 ADS_RIGHT_READ_CONTROL
                 ADS_RIGHT_DS_CONTROL_ACCESS
                 ADS_RIGHT_DS_LIST_OBJECT
                 ADS_RIGHT_DS_WRITE_PROP
                 ADS_RIGHT_DS_READ_PROP
                 ADS_RIGHT_DS_SELF
                 ADS_RIGHT_ACTRL_DS_LIST
                 ADS_RIGHT_DS_CREATE_CHILD

ACE
Trustee        : JOEHOME\Enterprise Admins
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 2
                 ADS_ACEFLAG_VALID_INHERIT_FLAGS
                 ADS_ACEFLAG_INHERIT_ACE
Access Mask    : 983551
                 ADS_RIGHT_WRITE_OWNER
                 ADS_RIGHT_WRITE_DAC
                 ADS_RIGHT_READ_CONTROL
                 ADS_RIGHT_DELETE
                 ADS_RIGHT_DS_CONTROL_ACCESS
                 ADS_RIGHT_DS_LIST_OBJECT
                 ADS_RIGHT_DS_DELETE_TREE
                 ADS_RIGHT_DS_WRITE_PROP
                 ADS_RIGHT_DS_READ_PROP
                 ADS_RIGHT_DS_SELF
                 ADS_RIGHT_ACTRL_DS_LIST
                 ADS_RIGHT_DS_DELETE_CHILD
                 ADS_RIGHT_DS_CREATE_CHILD

ACE
Trustee        : BUILTIN\Pre-Windows 2000 Compatible Access
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 2
                 ADS_ACEFLAG_VALID_INHERIT_FLAGS
                 ADS_ACEFLAG_INHERIT_ACE
Access Mask    : 4
                 ADS_RIGHT_ACTRL_DS_LIST

ACE
Trustee        : BUILTIN\Pre-Windows 2000 Compatible Access
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 0
Access Mask    : 131072
                 ADS_RIGHT_READ_CONTROL

ACE
Trustee        : NT AUTHORITY\SYSTEM
Ace Type       : (0) - ADS_ACETYPE_ACCESS_ALLOWED
Ace Flag       : 0
Access Mask    : 983551
                 ADS_RIGHT_WRITE_OWNER
                 ADS_RIGHT_WRITE_DAC
                 ADS_RIGHT_READ_CONTROL
                 ADS_RIGHT_DELETE
                 ADS_RIGHT_DS_CONTROL_ACCESS
                 ADS_RIGHT_DS_LIST_OBJECT
                 ADS_RIGHT_DS_DELETE_TREE
                 ADS_RIGHT_DS_WRITE_PROP
                 ADS_RIGHT_DS_READ_PROP
                 ADS_RIGHT_DS_SELF
                 ADS_RIGHT_ACTRL_DS_LIST
                 ADS_RIGHT_DS_DELETE_CHILD
                 ADS_RIGHT_DS_CREATE_CHILD

ACE
Trustee        : BUILTIN\Administrators
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}) - Replicating Directory Changes
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : BUILTIN\Administrators
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AB-9C07-11D1-F79F-00C04FC2DCD2}) - Replication Synchronization
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : BUILTIN\Administrators
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AC-9C07-11D1-F79F-00C04FC2DCD2}) - Manage Replication Topology
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}) - Replicating Directory Changes
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AB-9C07-11D1-F79F-00C04FC2DCD2}) - Replication Synchronization
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType     : ({1131F6AC-9C07-11D1-F79F-00C04FC2DCD2}) - Manage Replication Topology
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 0
Access Mask    : 256
                 ADS_RIGHT_DS_CONTROL_ACCESS

ACE
Trustee        : BUILTIN\Pre-Windows 2000 Compatible Access
Ace Type Flags : ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
ObjectType     : ({BF967ABA-0DE6-11D0-A285-00AA003049E2}) - user
Ace Type       : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag       : 10
                 ADS_ACEFLAG_VALID_INHERIT_FLAGS
                 ADS_ACEFLAG_INHERIT_ONLY_ACE
                 ADS_ACEFLAG_INHERIT_ACE
Access Mask    : 131220
                 ADS_RIGHT_READ_CONTROL
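
The numeric fields in the output above can be decoded by hand when reviewing an ACL. The following is an added example, not Joe's script: a Python decoder that uses the ADS_RIGHTS_ENUM, ACE flag and SD control bit values under the names the script prints, run over trustee/mask pairs copied from the output. The helper names `decode` and `security_editors` are assumptions, and `ADS_ACEFLAG_VALID_INHERIT_FLAGS` (0x1F) is left out of the flag table because it is a mask over the inheritance bits rather than a single flag.

```python
"""Decode ADSI security-descriptor bit fields into flag names (added example)."""

# Access mask bits (ADS_RIGHTS_ENUM), under the names the script prints.
ACCESS_MASK = {
    0x80000000: "ADS_RIGHT_GENERIC_READ",
    0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x20000000: "ADS_RIGHT_GENERIC_EXECUTE",
    0x10000000: "ADS_RIGHT_GENERIC_ALL",
    0x01000000: "ADS_RIGHT_SYSTEM_SECURITY",
    0x00100000: "ADS_RIGHT_SYNCHRONIZE",
    0x00080000: "ADS_RIGHT_WRITE_OWNER",
    0x00040000: "ADS_RIGHT_WRITE_DAC",
    0x00020000: "ADS_RIGHT_READ_CONTROL",
    0x00010000: "ADS_RIGHT_DELETE",
    0x100: "ADS_RIGHT_DS_CONTROL_ACCESS",
    0x80: "ADS_RIGHT_DS_LIST_OBJECT",
    0x40: "ADS_RIGHT_DS_DELETE_TREE",
    0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x10: "ADS_RIGHT_DS_READ_PROP",
    0x8: "ADS_RIGHT_DS_SELF",
    0x4: "ADS_RIGHT_ACTRL_DS_LIST",
    0x2: "ADS_RIGHT_DS_DELETE_CHILD",
    0x1: "ADS_RIGHT_DS_CREATE_CHILD",
}

ACE_FLAGS = {
    0x80: "ADS_ACEFLAG_FAILED_ACCESS",
    0x40: "ADS_ACEFLAG_SUCCESSFUL_ACCESS",
    0x10: "ADS_ACEFLAG_INHERITED_ACE",
    0x8: "ADS_ACEFLAG_INHERIT_ONLY_ACE",
    0x4: "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE",
    0x2: "ADS_ACEFLAG_INHERIT_ACE",
}

# Only the control bits the script defines; anything else shows up as residual.
SD_CONTROL = {
    0x2000: "ADS_SD_CONTROL_SE_SACL_PROTECTED",
    0x1000: "ADS_SD_CONTROL_SE_DACL_PROTECTED",
    0x800: "ADS_SD_CONTROL_SE_SACL_AUTO_INHERITED",
    0x400: "ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED",
    0x200: "ADS_SD_CONTROL_SE_SACL_AUTO_INHERIT_REQ",
    0x100: "ADS_SD_CONTROL_SE_DACL_AUTO_INHERIT_REQ",
    0x20: "ADS_SD_CONTROL_SE_SACL_DEFAULTED",
    0x10: "ADS_SD_CONTROL_SE_SACL_PRESENT",
    0x8: "ADS_SD_CONTROL_SE_DACL_DEFAULTED",
    0x4: "ADS_SD_CONTROL_SE_DACL_PRESENT",
    0x2: "ADS_SD_CONTROL_SE_GROUP_DEFAULTED",
    0x1: "ADS_SD_CONTROL_SE_OWNER_DEFAULTED",
}


def decode(value, table):
    """Return (names, residual): set bits named highest first, plus any
    bits the table has no name for, so unknown bits are never dropped."""
    names = []
    residual = value & 0xFFFFFFFF
    for bit in sorted(table, reverse=True):
        if (residual & bit) == bit:
            names.append(table[bit])
            residual &= ~bit
    return names, residual


# Trustee / access mask pairs copied from the plain allow ACEs in the output.
SAMPLE_ACES = [
    ("BUILTIN\\Administrators", 983485),
    ("NT AUTHORITY\\Authenticated Users", 131220),
    ("JOEHOME\\Domain Admins", 917949),
    ("JOEHOME\\Enterprise Admins", 983551),
    ("BUILTIN\\Pre-Windows 2000 Compatible Access", 4),
    ("BUILTIN\\Pre-Windows 2000 Compatible Access", 131072),
    ("NT AUTHORITY\\SYSTEM", 983551),
]


def security_editors(aces):
    """Trustees whose mask lets them rewrite the DACL or take ownership."""
    wanted = 0x00040000 | 0x00080000      # WRITE_DAC | WRITE_OWNER
    return [trustee for trustee, mask in aces if mask & wanted]


if __name__ == "__main__":
    for trustee, mask in SAMPLE_ACES:
        names, residual = decode(mask, ACCESS_MASK)
        print(f"{trustee}: {mask:#x} residual={residual:#x}")
        for name in names:
            print("   ", name)
    print("Control 33796:", decode(33796, SD_CONTROL))
    print("Can edit security:", security_editors(SAMPLE_ACES))
```

Decoding the Control value 33796 leaves a residual of 0x8000, which is the self-relative bit that the script's constant list does not include.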

[ActiveDir] restoring files

2003-06-12 Thread bobo



I am trying to restore files from my Travan cartridge on Win2k, but every time
I get the message: "Pls check the Removable Storage Management MMC", which I
don't understand. Can somebody help? Very urgent. Thks.


[ActiveDir] Adding Employee ID to Actiive Directory

2003-06-12 Thread Pennell, Ronald B.








Windows 2000 advance server, SP3.
If I assign an attribute to the employee ID field, will it add another
block in the Users and Computer when adding a new user? That way
the employee id number can be assigned when user is added to the domain.

Someone out there has to have had this field added. What is the easiest way
to do this? If using the AD Schema in the MMC, how can the attributes be
changed?



Ron Pennell

[EMAIL PROTECTED]












Re: [ActiveDir] Adding Employee ID to Actiive Directory

2003-06-12 Thread Jerry Welch



Ron,

If you get an answer to this outside the list I would appreciate what you
find out. We would also like to configure the employeeId attribute to be
searchable (indexed) to use as a key for flowing other attributes.

Jerry

Jerry Welch
CPS Systems
US/Canada: 1 888 666 0277
International: +1 703 827 0919 (-5 GMT)
www.cps-systems.com

  - Original Message -
  From: Pennell, Ronald B.
  To: [EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 8:51 AM
  Subject: [ActiveDir] Adding Employee ID to Actiive Directory

  Windows 2000 advance server, SP3. If I assign an attribute to the employee
  ID field, will it add another block in the “Users and Computer” when adding
  a new user? That way the employee id number can be assigned when user is
  added to the domain.

  Someone out there has to have had this field added. What is the easiest way
  to do this? If using the AD Schema in the MMC, how can the attributes be
  changed?

  Ron Pennell
  [EMAIL PROTECTED]
  
  


RE: [ActiveDir] Adding Employee ID to Actiive Directory

2003-06-12 Thread Pennell, Ronald B.









As soon as I get an answer and see if it works I'll pass it on.



Ron



-Original Message-
From: Jerry Welch [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 9:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Adding Employee ID to Actiive Directory

Ron,

If you get an answer to this outside the list I would appreciate what you
find out. We would also like to configure the employeeId attribute to be
searchable (indexed) to use as a key for flowing other attributes.

Jerry

Jerry Welch
CPS Systems
US/Canada: 1 888 666 0277
International: +1 703 827 0919 (-5 GMT)
www.cps-systems.com

- Original Message -
From: Pennell, Ronald B.
To: [EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 8:51 AM
Subject: [ActiveDir] Adding Employee ID to Actiive Directory

Windows 2000 advance server, SP3. If I assign an attribute to the employee ID
field, will it add another block in the Users and Computer when adding a new
user? That way the employee id number can be assigned when user is added to
the domain.

Someone out there has to have had this field added. What is the easiest way to
do this? If using the AD Schema in the MMC, how can the attributes be changed?

Ron Pennell

[EMAIL PROTECTED]














RE: [ActiveDir] Active Directory Tools on XP Clients

2003-06-12 Thread Raymond McClinnis



Rick,

That's the reason I asked since it sounded like BS to me, so I installed it
anyways. I too have had no problems and like the fact that all the tools are
in one console that I didn't have to customize. Oddly, my version of Hyena is
acting really weird since I switched it over to a W2K domain.

I don't believe the person was familiar with the 2K3 tools, so it was probably
an uninformed statement. Nothing against the guy, he was VERY knowledgeable
otherwise.

Thanks,

Raymond McClinnis

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 4:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

  Raymond,

  I'd be interested in hearing what justification someone might have used,
  but I have used the tools pretty much since they were available to us in
  the Windows Server 2003 beta - which I suspect was better than a year ago.
  I've had absolutely NO problem with the tools in a pure Windows 2000
  environment, or my mixed 2k /2k3 environment at home.

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
  Sent: Wednesday, June 11, 2003 12:22 PM
  To: [EMAIL PROTECTED]

  Just a question regarding this

  I had someone tell me that it was not safe to run the 2k3 tools against a
  2k domain, is this true or is it just a matter of opinion? Sorry if this
  has been brought up before

  Thanks,

  Raymond McClinnis
  Network Administrator
  Provident Credit Union

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Schlegel
  Sent: Wednesday, June 11, 2003 9:34 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

  http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Tools on XP Clients

I think if you have a beta or full release of 2003 server you can install
adminpak.msi on XP and have your tools there.

"Salandra, Justin A." [EMAIL PROTECTED] wrote:

I know this might have been a topic before, but I am unable to find the
e-mails on this topic. Where do I get the AD tools to run on a XP Workstation?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
917.455.0110 cell
[EMAIL PROTECTED]


RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Roger Seielstad



It monitors the services, yes. It doesn't monitor Exchange or AD, however.

Nothing in WUG will monitor replication delay, message queues, etc.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Ferrara, Sandra SYNETICS (PKI) [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 6:41 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Active Directory Monitoring with MOM

  Monitors the services I am most interested in.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 5:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Monitoring with MOM

NetIQ is more expensive than MOM, and What's Up Gold doesn't actually monitor
anything.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: Ferrara, Sandra SYNETICS (PKI) [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 3:47 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Active Directory Monitoring with MOM

  Net IQ, What's Up Gold. MOM is extremely expensive. I don't know anyone
  using it.

-Original Message-
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 1:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Monitoring with MOM

I'm wondering if anyone uses Microsoft Operations Manager to monitor their AD
infrastructure? If not, what other product(s) are used, and how do you feel
about them? What are the relative costs for the product?

Chris Flesher



RE: [ActiveDir] Looking up all email addresses

2003-06-12 Thread Roger Seielstad



I've never gotten the ADO/LDAP search process to work consistently when I've
tried it in the past.

Then again, I cribbed the script I posted originally from a larger script I
wrote to deal with multiple Exchange organization merges and divestitures,
where iteration is necessary.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 10:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Looking up all email addresses

  I would just say that iteration through the users in this way has two
  failings

  1. If you have users in some other container or OU, you ain't seeing them
  here.

  2. Iteration is kind of slow compared to doing an LDAP search and
  displaying the specific fields you asked to have returned, even if you use
  vbscript and ado. Basically as your directory grew this script would really
  slow down.

  If I understand what you are trying to get here (white space management is
  throwing me), to display the users that have mailboxes userprincipalname,
  samaccountname, homemdb and proxyaddresses info I think I would simply do
  something like:

  adfind -default -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses

  I don't have the exchange attributes handy to see if homemdb is indexed, if
  it isn't I would use some other exchange attribute that is indexed instead.
  The beauty of that query is that it will do the entire domain, if you just
  wanted the users container you could do

  adfind -b cn=users,dc=domain,dc=com -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses

  or if you wanted the whole forest you could do

  adfind -gc -b "" -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses

  It will have a count of how many matching objects at the very end of the
  run.

  Sorry I didn't post script code, shouldn't be hard to put it together
  though if you understand the concepts I am trying to propose. Should be a
  ton of stuff you can leverage at the script center or in
  microsoft.public.adsi.general that you can convert.

   joe

  --
  www.joeware.net
  
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, June 11, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking up all email addresses

Thanks. I just figured it out a couple of minutes ago. This works:

 Set objContainer = GetObject("LDAP://" + DomainName)

 objContainer.Filter = Array("User")
 i = 0

 For Each objUser In objContainer
     name = objUser.name
     wscript.echo "name: " & name & " upn: " & objUser.UserPrincipalName & " sam: " & objUser.samAccountName
     name = Right(name, Len(name) - 3)
     Set objMailbox = objUser
     If objMailbox.HomeMDB = "" Then
         'Wscript.echo name + " (no mailbox)"
     Else
         'Wscript.echo name + " (has mailbox)"
         'Wscript.echo objMailbox.HomeMDB
         ' email addresses
         Set objR = objUser
         AddressList = objR.ProxyAddresses
         for each Address in AddressList
             if lcase (left (Address, 5)) = "smtp:" Then
                 Wscript.echo Address
             end if
         next
     End If
     i = i + 1
 Next

 'Wscript.echo "Number of users found in " & DomainName & ": " & i

  
  -----Original Message-----
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 5:03 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Looking up all email addresses

  I wrote the code below a while ago to do something similar, and should work for you.
  http://www.wiredeuclid.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=2&page=1
  
  It's written for an Exchange 5.5 server, but the logic is pretty similar for AD/E2k as well.
  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 3:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Looking up all email addresses

I need a piece of code that, given a user object, returns me an object or collection to all of the email addresses for that user. I can't find the object.

Help!

Set objContainer = GetObject("LDAP://CN=Users," + 

[ActiveDir] DDNS Host registering without a host name

2003-06-12 Thread David Rudolph




Windows 2000 Servers running SP3. Client machines running XP. We have encountered several client machines dynamically registering "A" records without a host name. The records show up as:

name: same as parent folder
type: A
address: correct IP address

"Same as parent folder" is equal to the name of the domain. Domain controllers dynamically register these domain "A" records. If you create a DNS record manually and neglect to type in a host name the record is created using "same as parent folder". In our case however, these records were created dynamically. Does anyone have any idea how this could happen?

Thanks in advance.

David Rudolph







RE: [ActiveDir] Looking up all email addresses

2003-06-12 Thread Michael B. Smith



Dude, you rock. It took me a little while to get the LDAP search string to be exactly what I wanted (a plus for iteration!), but after that it worked great!

Thanks so much for the pointer.

I do have one question - I was somehow under the impression that LDAP queries via ADODB were limited to returning about 1,000 records. Am I wrong?

1 -- yeah, I had a recursive subroutine that actually was calling another subroutine for each OU of interest. A PITA.

2 -- even on my test domain it was slow. On my test domain, the LDAP search seems to be about 10 times faster. On a larger domain, I'm sure it would ramp up quickly.

Thanks again,
Michael

  
  -----Original Message-----
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 10:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Looking up all email addresses

  I would just say that iteration through the users in this way has two failings
  
  1. If you have users in some other container or OU, you ain't seeing them here.
  
  2. Iteration is kind of slow compared to doing an LDAP search and displaying the specific fields you asked to have returned, even if you use vbscript and ado. Basically as your directory grew this script would really slow down.
  
  If I understand what you are trying to get here (white space management is throwing me), to display the user's that have mailboxes userprincipalname, samaccountname, homemdb and proxyaddresses info I think I would simply do something like:
  
  adfind -default -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses
  
  I don't have the exchange attributes handy to see if homemdb is indexed, if it isn't I would use some other exchange attribute that is indexed instead. The beauty of that query is that it will do the entire domain, if you just wanted the users container you could do
  
  adfind -b cn=users,dc=domain,dc=com -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses
  
  or if you wanted the whole forest you could do
  
  adfind -gc -b "" -f "(&(objectcategory=person)(samaccountname=*)(homemdb=*))" userprincipalname samaccountname homemdb proxyaddresses
  
  It will have a count of how many matching objects at the very end of the run.
  
  Sorry I didn't post script code, shouldn't be hard to put it together though if you understand the concepts I am trying to propose. Should be a ton of stuff you can leverage at the script center or in microsoft.public.adsi.general that you can convert.
  
   joe
  
  --
  www.joeware.net
  
  
  
  


RE: [ActiveDir] Looking up all email addresses

2003-06-12 Thread Coleman, Hunter



1,000 records sounds right for the default ADODB limit. However, you can specify a Page Size on the ADODB command which will allow you to return more than 1,000 records.

set adoRecordset = CreateObject("ADODB.Recordset")

set Com = CreateObject("ADODB.Command")
set Com.ActiveConnection = adoConnection

Com.Properties("Page Size") = 100
Com.Properties("Timeout") = 30 'seconds
Com.Properties("Searchscope") = 2 'ADS_Scope_subtree

strQuery = "..." ' your query here
Com.CommandText = strQuery

Set adoRecordset = Com.Execute



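
The paged LDAP search discussed in this thread, written out as a complete script. This is an added example, not code posted by anyone on the list: it combines the filter from Joe's adfind command with the Page Size setting from Hunter Coleman's reply, and assumes a domain-joined machine and the caller's own logon credentials (no password in the script). Variable names and output layout are illustrative.

```vbscript
Option Explicit

Const ADS_SCOPE_SUBTREE = 2

Dim objRootDSE, strBase, adoConnection, Com, adoRecordset
Dim strFilter, strAttrs, addrs, addr, count

' Serverless bind: find the default naming context of the current domain
' so the search covers every container and OU, not just CN=Users.
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"

' ADSI OLE DB provider; runs as the logged-on user.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"

Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = adoConnection

' Without a Page Size the result set stops at the server's default
' limit (about 1,000 records); with it, ADSI fetches page after page.
Com.Properties("Page Size") = 100
Com.Properties("Timeout") = 30                       ' seconds
Com.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Mailbox-enabled users only; ask for just the attributes we print.
strFilter = "(&(objectCategory=person)(sAMAccountName=*)(homeMDB=*))"
strAttrs = "userPrincipalName,sAMAccountName,homeMDB,proxyAddresses"
Com.CommandText = strBase & ";" & strFilter & ";" & strAttrs & ";subtree"

Set adoRecordset = Com.Execute

count = 0
Do Until adoRecordset.EOF
    WScript.Echo "sam: " & adoRecordset.Fields("sAMAccountName").Value & _
                 " upn: " & adoRecordset.Fields("userPrincipalName").Value

    ' proxyAddresses is multi-valued: an array when present, Null when not.
    addrs = adoRecordset.Fields("proxyAddresses").Value
    If IsArray(addrs) Then
        For Each addr In addrs
            If LCase(Left(addr, 5)) = "smtp:" Then
                WScript.Echo "  " & addr
            End If
        Next
    End If

    count = count + 1
    adoRecordset.MoveNext
Loop

WScript.Echo "Mailbox users found: " & count

adoRecordset.Close
adoConnection.Close
```

Run it with cscript so each address prints to the console instead of a message box.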
  

[ActiveDir] GPO to deny changes

2003-06-12 Thread Daniel Chaveco
Hi everyone,

Is there a GPO I can apply against my users so that they cannot manually change the proxy settings I have defined in another GPO?

Thanks
-Daniel

RE: [ActiveDir] Looking up all email addresses

2003-06-12 Thread Michael B. Smith



Outstanding. Thank you.

  
  

RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Myrick, Todd (NIH/CIT)



Well there are two schools of thought. Tell me what it looks like and how to respond or Tell me when something is wrong and automatically respond. I prefer a more focused view of my Active Directory, that I can delegate out to other Domain Administrators and give them a view of the Entire Directories Health. The only product I have seen that can do that is NETPRO's Directory Analyzer. I personally think that combining DA with MOM offers the best combination of synthesis of information, and automated response and warning. Although it is expensive to offer two solutions, NETPRO offers a suite of utilities to complement DA, including proactive DNS monitoring, Schema and Configuration container monitoring, change log reporting, and Troubleshooting Tools. So my preference is to use NETPRO combined with NETIQ to do Directory and System monitoring. In the future we plan to remove NETIQ Appmanager and replace it with MOM.

Todd

  
  -----Original Message-----
  From: Chris Flesher [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 1:14 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Active Directory Monitoring with MOM

  I'm wondering if anyone uses Microsoft Operations Manager to monitor their AD infrastructure? If not, what other product(s) are used, and how do you feel about them? What are the relative costs for the product?
  
  Chris Flesher
  


RE: [ActiveDir] Active Directory Tools on XP Clients

2003-06-12 Thread Myrick, Todd (NIH/CIT)



There is now a 5.0 version of Hyena out. See if it fixes the problem.

Todd

  
  -----Original Message-----
  From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 9:49 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

  Rick,
  
  That's the reason I asked since it sounded like BS to me, so I installed it anyways. I too have had no problems and like the fact that all the tools are in one console that I didn't have to customize. Oddly, my version of Hyena is acting really weird since I switched it over to a W2K domain.
  
  I don't believe the person was familiar with the 2K3 tools, so it was probably an uninformed statement. Nothing against the guy, he was VERY knowledgeable otherwise.
  
  Thanks,
  
  Raymond McClinnis
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

Raymond,

I'd be interested in hearing what justification someone might have used, but I have used the tools pretty much since they were available to us in the Windows Server 2003 beta - which I suspect was better than a year ago. I've had absolutely NO problem with the tools in a pure Windows 2000 environment, or my mixed 2k /2k3 environment at home.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Wednesday, June 11, 2003 12:22 PM
To: [EMAIL PROTECTED]

Just a question regarding this...

I had someone tell me that it was not "safe" to run the 2k3 tools against a 2k domain, is this true or is it just a matter of opinion? Sorry if this has been brought up before...

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Schlegel
Sent: Wednesday, June 11, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

  -----Original Message-----
  From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 12:29 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Active Directory Tools on XP Clients
  
  I think if you have a beta or full release of 2003 server you can install adminpak.msi on XP and have your tools there.

  "Salandra, Justin A." [EMAIL PROTECTED] wrote:
  
  I know this might have been a topic before, but I am unable to find the e-mails on this topic. Where do I get the AD tools to run on a XP Workstation?

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 primary office
  917.455.0110 cell
  [EMAIL PROTECTED]

  List info   : http://www.activedir.org/mail_list.htm
  List FAQ    : http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  
  
  


[ActiveDir] OT:(maybe) Distribution list problems

2003-06-12 Thread Garello, Kenneth
I have an active directory forest with 1 parent domain and two child domains
which I upgraded from Winnt 4.0.

The parent and one of the child domains are running in native mode.
I have an exchange2000/exchange5.5 mixed mode environment in which some 5.5
distribution lists were upgraded into the parent domain (native AD) as
universal distribution lists.

I have had no issues with maintenance of the distribution lists until
recently.  If I try to add a name from any of the domains to the Accept
Message Only from list and click apply, I receive a constraint
violation 8007202F. The box is titled Active Directory - Exchange
extension.

Does anyone have any idea how to troubleshoot this error?

There are no event messages that give me any insight.

Thanks,

Ken


[ActiveDir] Forest Migration and consolidation

2003-06-12 Thread Jeffrey Dubyn



Ran into a customer today who wants to consolidate 8 Windows 2000 Forests into 1 new Forest w/8 domains. The Resource kit explicitly says that you cannot move a domain between forests. The ADMT seems to be more of an Intra-Forest Domain tool also. Anyone with any experience or suggestions? Thanks!


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Robbie Allen



Yeah, I like those joeware tools too :-) He even does Perl!

Robbie Allen
http://www.rallenhome.com/


  
  -----Original Message-----
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 1:30 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

  LOL, no problem, glad you like the tools, that is why I put them out there.
  
  So many things lacking that need to be done... so little time, especially when it is for free. ;oP~ I really have some serious updates coming for ADFIND or at least I want them to be coming, I want to restructure and go to V2 and add Security Descriptor stuff and decoding of more values like useraccountcontrols, et al and also allowing reencoding of nice names into blobs for searching if possible. However I expect that I will be gearing a little towards E2K right now as that is what my paying job is throwing me into now.
  
  Note that if you hadn't heard joeware has been getting shut down at the end of the month or so every month lately so I moved it to a new provider so that shouldn't happen for a bit now. Man I got some serious flames when that would happen too, made me laugh pretty hard. I also finally killed the midi's that everyone bitched about. I started seeing how much bandwidth those little things were taking up and decided I didn't like them that much either. eg
  
  Anyway, thanks for the welcome. Hopefully I can contribute my share. :o)
  
   joe
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 12, 2003 12:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

glad you are here, joeware rocks!

Don't think I have ever taken the time to thank you for the tools you make available, not because I'm not appreciative, just fundamentally lazy.

So, thanks for all past joeware and looking forward to more :-]

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so I stumbled in fashionably late and three sheets to the wind... The only way to make an entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and OpenLDAP on a Linux box and calling it OverActive Directory?




  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

  Mr. Richards. welcome to the party. ;-)
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]
  
  I agree with Rick completely. I work for a very large organization and policy is policy. Not only will we not let you put them into our Active Directory, I have a script that will find them and throw the machine objects into an Enterprise Admin Access only OU and disable and smack the ACL of the offending object if you somehow sneak one in. So not only do they not get to use the server anymore, they can't even use that server name again. We catch more than a couple of occurrences of this and we take away their ability to add anything and let their managers know that we did it and why.
  
  While I understand why people want to put them in (I in fact want to as well), we want a centralized controlled IT structure and the best way to maintain or reduce costs is to have a handle on what is in production. We do not have an official company load for W2K3 yet with all of the certified drivers and antivirus software so we don't want anyone deploying anything on it because anything they deploy we know will have to be revisited and is a possible breeding ground of viri, worms, and support issues with no escalation paths.
  
  Tough love I guess.
  
   joe
  
  
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Justifying it technically is going to be a problem, as there are 

RE: [ActiveDir] A plea to stay on-topic

2003-06-12 Thread Robbie Allen



While we are on the off-topic topic, is there a similar alias to activedir.org, except for Win Server 2003 sys admin stuff (besides the microsoft newslists)?

Robbie Allen
http://www.rallenhome.com/

  
  -----Original Message-----
  From: Charles Oppermann [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 16, 2003 1:48 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] A plea to stay on-topic
  
  I have no idea if you're right or wrong. I thought this was an Active Directory mailing list.
  
  Guys, can we at least attempt to stay on topic?
  
  -Charles
  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
  Sent: Friday, May 16, 2003 8:14 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Am I right or am I right ?
  
  there is no product available that will resize a BASIC volume that has been set up on a Windows 2000 server ? I have just installed Veritas Volume Manager 3.1 Enterprise Edition and it seems it will only resize DYNAMIC volumes. I need to resize (make smaller) a BASIC volume so how can I do it !?!?!?
  
  Many thanks
  Mark Abbiss
  EADS Headquarters
  81663 Muenchen
  Deutschland
  Phone : +49 (0)89 607-34776
  Email: [EMAIL PROTECTED]
  
-----Original Message-----
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2003 21:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cisco router and IAS server

Hi all,

We have a Cisco 2600 router with analog port to allow user to dial into the router. The authentication is passed by the Cisco device to an internal IAS server which is running RADIUS. Now my problem is that if the user dials in using a normal windows client (tested windows xp and 2000) they are able to authenticate and log in BUT if the user has a call back option on their user profile the Cisco device does not ask the user for the number to call the user back even though they have this option enabled. We also have a Windows 2000 RRAS server installed the authentication setting is also to that IAS server with RADIUS but in this case the call back option works?

I know about Cisco VSA's but have tried a lot of different ones but no luck, I was wondering if anyone here knew about anything else be it VSA's or settings on the IAS or Cisco router to check for?

I would love to know cause this is driving me insane!

ADSI and DirectoryServices advice : http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
ASPELITE member: www.aspelite.com
Carlos Magalhaes




RE: [ActiveDir] Active Directory Tools on XP Clients

2003-06-12 Thread Robbie Allen



Agreed, I've never had any problems using the W2K3 tools against W2K AD.

Robbie Allen
http://www.rallenhome.com/

  
  -----Original Message-----
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 7:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

  Raymond,
  
  I'd be interested in hearing what justification someone might have used, but I have used the tools pretty much since they were available to us in the Windows Server 2003 beta - which I suspect was better than a year ago. I've had absolutely NO problem with the tools in a pure Windows 2000 environment, or my mixed 2k /2k3 environment at home.
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Raymond 
  McClinnisSent: Wednesday, June 11, 2003 12:22 PMTo: 
  [EMAIL PROTECTED]
  
  
  Just a question 
  regarding this...
  
  I had someone tell me 
  that it was not "safe" to run the 2k3 tools against a 2k domain, is this true 
  or is it just a matter of opinion? 
  Sorry if this has been brought up before...
  
  
  Thanks,
  
  
  Raymond 
  McClinnis 
  Network 
  Administrator
  Provident 
  Credit Union
  
  -Original 
  Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Bryan 
  SchlegelSent: 
  Wednesday, June 11, 
  2003 9:34 
  AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Active Directory 
  Tools on XP Clients
  
  
  http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3DisplayLang=en
  
-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Tools on XP Clients

I think if you have a beta or full release of 2003 server you can install
adminpak.msi on XP and have your tools there.

"Salandra, Justin A." [EMAIL PROTECTED] wrote:

I know this might have been a topic before, but I am unable to find the
e-mails on this topic. Where do I get the AD tools to run on a XP
Workstation?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
917.455.0110 cell
[EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Windows Server 2003: Groups type

2003-06-12 Thread Robbie Allen
Well there are the Authorization Manager groups, but they are only for
role-based applications.  I got excited when I first heard references to
LDAP query groups, which define membership based on an LDAP search filter,
but unfortunately that is only available with Authz Mgr (stored in AD), not
for native access control in AD.

Here is more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManRoles.asp


Robbie Allen
http://www.rallenhome.com/

 -Original Message-
 From: Jimmy Andersson [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 27, 2003 9:52 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Windows Server 2003: Groups type
 
 
 Same in W2K3.
 
 Regards,
 /Jimmy 
 
 
 -
 Jimmy Andersson, Q Advice AB   
   CEO  Principal Advisor   
 Microsoft MVP - Active Directory
 -- www.qadvice.com --
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Vincent Faraut
 Sent: den 27 maj 2003 15:16
 To: [EMAIL PROTECTED]
 
 Hi,
 
 Under Windows 2000, a group scope (or type) can be Local, Global, or
 Universal.
 Does anybody know if there is a new type for group objects in Active
 Directory under Windows Server 2003?
 
 Thanks in advance
 
 Vince
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Puckett, Richard



*ding!* *ding!* *ding!*...

my 'joeware' filter alarm just went off (it's set to alert me when it detects
+1.0 blood/alcohol level on a thread). :-)

Sorry folks, I've been super busy answering to "the master... yes preciou..."
and haven't had lots of time to participate (though I've been enjoying some of
the threads). I'll try to be a more responsible netizen and chime in when and
where I can with code and what not. As for Robbie - well *hmpfh* - he's moved
into a cushy architecture job where he gets caviar and champagne all the time
(or so I hear). :-p



  
  
  
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 11:46 PM
  To: [EMAIL PROTECTED]

  Well that sucks about Gil, I'll have to see if I can start some down and
  dirty threads to pull him out of the corner.

  I owe Richard a note, don't let him know I am here... s... peers about

  I read like 6 last night, 2 more tonight and my part will be done and Robbie
  should be cool. Now I get to focus full time on trying to dress that E2K pig
  up and making it dance and pretend to be a scaleable properly manageable mail
  system. I just learned the dirty secret about msExchSecurityDescriptor this
  afternoon and stomped out of the lab in disgust, not even sure why they used
  the attribute at all. Either do it in the store or do it in the directory,
  one or the other, JUMP! Reminds me of the parable of the grape who couldn't
  figure out which side of the road was better and squish. Because of that and
  I think for fun and to egg on the Premier guys this week I am going to turn
  on inefficient query logging on the Exchange lab DC's to see how funny it is.
  ;oP

  We have indexed objectclass now so that should help it out quite a bit.
  Definitely helped out with some of the other poorly written apps running
  around that were experiencing time outs. We were told we could probably
  expect a 25-30%+ DIT size growth doing that, it was a tiny growth, indexed a
  whole bunch of other attributes as well and our GC DIT only grew by like
  100-150MB which is a drop in the bucket to the 6GB GC DIT.

  Ah, I need to get back into Word. Though before I go does Laura hang out
  here as well? How about Dean/Roger/Ace/Jimmy/Thomas and the rest of the
  troublemakers?
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 11:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

Sadly, Gil has not been spending as much time here as he has in the past. Not
sure why. He does post now and then - especially when the replication or lower
level programming talk gets deep.

Robbie Allen and Richard Puckett have been fairly visible - Richard, I can't
say why he hasn't been here. Robbie, though - I can speak for. I KNOW what
he's doing :-) He'll be free(er) shortly..

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:59 PM
To: [EMAIL PROTECTED]

It will definitely be fun. I personally am waiting for a Gil Kirkpatrick
sighting, I hear he wanders these halls. ADFIND (and every other LDAP joeware
tool) wouldn't exist except for Gil and his book and that would be a sad thing
for me because I love those tools.

 joe


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:41 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

  Yeah! LOL! That's waay too good.

  Glad you could make it. You will certainly be a worthy addition to the
  characters that wander in here.
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:37 PM
  To: [EMAIL PROTECTED]

  Everyone kept saying, join activedir join activedir, so I stumbled in
  fashionably late and three sheets to the wind... The only way to make an
  entrance. ;o)

  So where were we, I believe we were discussing slapping MIT Kerberos and
  OpenLDAP on a Linux box and calling it OverActive Directory?
  
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Mr. Richards. welcome to the party. ;-)


Rick 

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2 000 Domain

2003-06-12 Thread deji
Welcome, Joe. I am one of the biggest joeware leeches. On top of that, I get
to brag that I know you personally :)

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, June 12, 2003 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2
000 Domain

Perl rocks and thanks Robbie. :o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Thursday, June 12, 2003 5:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2
000 Domain


Yeah, I like those joeware tools too :-)  He even does Perl!


Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 1:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to 
Windows
2000 Domain


LOL, no problem, glad you like the tools, that is why I put them out
there.

So many things lacking that need to be done... so little time, 
especially
when it is for free. ;oP~  I really have some serious updates coming for
ADFIND or at least I want them to be coming, I want to restructure and go to
V2 and add Security Descriptor stuff and decoding of more values like
useraccountcontrols, et al and also allowing reencoding of nice names into
blobs for searching if possible. However I expect that I will be gearing a
little towards E2K right now as that is what my paying job is throwing me
into now.

Note that if you hadn't heard joeware has been getting shut down at the
end of the month or so every month lately so I moved it to a new provider so
that shouldn't happen for  a bit now. Man I got some serious flames when
that would happen too, made me laugh pretty hard. I also finally killed the
midi's that everyone bitched about. I started seeing how much bandwidth
those little things were taking up and decided I didn't like them that much
either. eg

Anyway, thanks for the welcome. Hopefully I can contribute my share. 
:o)

  joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 12, 2003 12:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers 
to Windows
2000 Domain


glad you are here, joeware rocks!

Don't think I have ever taken the time to thank you for the 
tools you
make available, not because I'm not appreciative, just fundamentally lazy.

So, thanks for all past joeware and looking forward to more :-]



  _

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]


Everyone kept saying, join activedir join activedir, so I 
stumbled in
fashionably late and three sheets to the wind... The only way to make an
entrance. ;o)

So where were we, I believe we were discussing slapping MIT 
Kerberos and
OpenLDAP on a Linux box and calling it OverActive Directory?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 
servers to Windows 2000
Domain


Mr. Richards.  welcome to the party.  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 8:54 PM
To: [EMAIL PROTECTED]


I agree with Rick completely. I work for a very large 
organization and
policy is policy. Not only will we not let you put them into our Active
Directory, I have a script that will find them and throw the machine objects
into an Enterprise Admin Access only OU and disable and 

RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Marcus Oh

We've just started down the MOM path. I agree with some of your statements
regarding MOM's clunky interface and AppManager's more intuitive interface.
There's a lot to be said about what NetIQ has done in terms of making script
deployment relatively easy.

That's about where it ends, however. Speaking outside of functionality, in
terms of a support organization, NetIQ consistently fails to make good grades.
We have had outages of our monitoring product for 4-5 days at greatest length.
With Microsoft, we at least know what we're in for in terms of support. There
were times that we had 15-20 outstanding issues open with NetIQ - some going
on for months!

We have some issues with some of the NetIQ reporting functionality (charting
on the other hand is awesome). For example, it seems to be a very common
occurrence that data points are simply missing. There doesn't seem to be any
agent intelligence in knowing that it delivered the data to the database
correctly, even though it stores its information in a local Access db. Also,
in order to do any long term trending, you have to use the Analysis Center
product - which keeps driving up the price of ownership. An excellent example
is the System Uptime report. We could NEVER rely on that report being accurate
enough to use for publishing.

As far as AD monitoring, we weren't very impressed w/ what it offered out of
the box. Without buying yet another add-on (Active Directory Response Time),
there didn't seem to be any end-to-end type of checks for user experience or
synthetic transactions to verify replication.

Database grooming also has issues. There's a table called Aggregate data where
data does NOT seem to go away (had to get them to write a sql script to handle
this function). Since there's no standard DTS packages or anything like that
to setup a reporting database, if you decide to keep any amount of data for a
reasonable length of time, the console takes a cups of coffee until it opens
up.

We've used NetIQ for 2-3 years. In the last 2-3 years, the product has not had
many significant changes. We've gone through 2 full version number changes and
it seems to be the same thing. I like AppManager for its vast functionality
and ease of use but am wholly displeased by their poor support, poor
infrastructure, poor reporting and did I mention poor support? :)



-m



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Wednesday, June 11, 2003 7:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Monitoring with MOM





yep, use MOM here for our AD infrastructure (2 Forests, 4 domains total). I've
deployed both NetIQ and MOM.

A repost of something similar asked on the exchange lists:

Essentially both products can perform the same levels of monitoring and
reporting, however MOM requires a LOT more legwork to get the same result.
The NetIQ interface as you said is more logical and easier to navigate, and
it seems a lot more thought has been given to providing a clean interface
for administrators.

Setting up alerts etc for MOM for say a single server is MUCH more tedious
than for NetIQ. MOM's grouping of monitoring into a hierarchical structure
based on attributes creates more confusion IMHO. We have required some
scripting to create custom attributes on servers just to enable some groups
to be created (by pulling back these custom attributes), not necessary on
NetIQ as it allows arbitrary grouping of servers (MOM does allow this as
well, but it's not as intuitive or efficient). With NetIQ a simple
drag/drop of a task or monitoring job onto the device in question is much
easier and allows more targeted monitoring to occur. Currently with MOM if I
really want to perform specific monitoring of a server, I jump into perfmon
and set up custom monitoring, rather than try and make MOM do it.

Arbitrary grouping / monitoring of different core servers in a different way
is where MOM really falls down IMHO. With NetIQ, I can simply change the
monitored jobs on each specific server, changing thresholds for each one,
and even disabling some jobs if I feel like. Attempting to do this with MOM
is an exercise in frustration, since most settings are based on the
monitoring groups which are attached to a group of servers based on a
specific attribute (registry setting, name etc), not the server itself. For
example, we have 6 exchange servers. If I want to monitor the gateway
server differently, or set different thresholds (eg I'm not concerned if the
outgoing SMTP queue length on the gateway gets about 50, but on a mailbox
server I am), this is MUCH more difficult on MOM than it should be.
Currently, I set the threshold lower for all exchange servers, and simply
ignore the ones from the gateway where they are under *my* determined
threshold. Not pretty, and makes it more difficult for me to set up paging
/ sms interfaces for our after-hours support team, as they get a 

RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

2003-06-12 Thread Rick Kingslan



Hmmm... I guess we can agree to disagree on the VSS. I can't think of a better
solution than to have a fat pipe between two remote data centers with SANs of
critical data being replicated in real time. Having data separated by 1500
miles and being up-to-the-second replicated - what more would one need? We're
doing this at present with Cisco FC switches for the SAN, ATM for the fat
pipe. Intent is to get Win2k3 involved as the method for user managed restore
of deleted files.

My experiences with Dfs have more to do with FRS and general issues that are
about 3 years old. FRS is better - not great, and had to do with just a lot of
limitation that was in Dfs 3 years ago that likely may no longer exist. We're
quite successful without it - and the last I need to do is to create more
headaches. The client departments do enough of that for me. ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Thursday, June 12, 2003 5:27 AM
To: [EMAIL PROTECTED]
Cc: 'Rick Kingslan'

Rick -
Thanks for the info. I've found VSS to be quite useful in our lab, but don't
think it will work well for Disaster Recovery. What bad experience did you
have with DFS?

Jeff

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 8:09 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Possibly OT - DFS vs 3rd party DR

  Jeffrey,

  I personally am not a big fan of Dfs - mainly due to a very bad experience
  in the early days of Windows 2000 (April 2000). It has gotten better, but is
  not really a great solution to bank your DR process on. IMHO, depending on
  what your bandwidth is like, the move with Windows Server 2003 might justify
  itself with Volume Shadow Services. I've been working closely with VSS and
  primarily, Volume Shadow Copy, and IMHO, it Rocks!

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
  Sent: Wednesday, June 11, 2003 6:31 PM
  To: [EMAIL PROTECTED]

  I have a customer looking for a disaster recovery solution for their Active
  Directory domain. They have one site on each coast and want to replicate the
  data. A VPN is available to each location. I was looking at either
  DoubleTake or a Veritas solution (Volume Replicator or Storage Replicator)
  but am having a hard time justifying using this over the built-in DFS.
  Anyone with any thoughts on this?


RE: [ActiveDir] Active Directory Tools on XP Clients

2003-06-12 Thread Rick Kingslan



Cool - no worries.

Have you upgraded to Hyena 5.0? That's working like a charm for me

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, June 12, 2003 8:49 AM
To: [EMAIL PROTECTED]

Rick,

That's the reason I asked since it sounded like BS to me, so I installed it
anyways. I too have had no problems and like the fact that all the tools are
in one console that I didn't have to customize. Oddly, my version of Hyena is
acting really weird since I switched it over to a W2K domain.

I don't believe the person was familiar with the 2K3 tools, so it was probably
an uninformed statement. Nothing against the guy, he was VERY knowledgeable
otherwise.

Thanks,

Raymond McClinnis

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 4:17 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

  Raymond,

  I'd be interested in hearing what justification someone might have used, but
  I have used the tools pretty much since they were available to us in the
  Windows Server 2003 beta - which I suspect was better than a year ago. I've
  had absolutely NO problem with the tools in a pure Windows 2000 environment,
  or my mixed 2k /2k3 environment at home.

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
  Sent: Wednesday, June 11, 2003 12:22 PM
  To: [EMAIL PROTECTED]

  Just a question regarding this

  I had someone tell me that it was not safe to run the 2k3 tools against a 2k
  domain, is this true or is it just a matter of opinion?
  Sorry if this has been brought up before

  Thanks,

  Raymond McClinnis
  Network Administrator
  Provident Credit Union

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Schlegel
  Sent: Wednesday, June 11, 2003 9:34 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Tools on XP Clients
  
  
  http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3DisplayLang=en
  
-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Tools on XP Clients

I think if you have a beta or full release of 2003 server you can install
adminpak.msi on XP and have your tools there.

"Salandra, Justin A." [EMAIL PROTECTED] wrote:

I know this might have been a topic before, but I am unable to find the
e-mails on this topic. Where do I get the AD tools to run on a XP
Workstation?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
917.455.0110 cell
[EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Rick Kingslan



Todd,

Are you aware that NetPro has now introduced what I would call a Management
Pack for AD for MOM? I haven't had time to look at it in depth yet, but am
looking forward to it possibly this weekend.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, June 12, 2003 1:19 PM
To: '[EMAIL PROTECTED]'

Well there are two schools of thought. Tell me what it looks like and how to
respond or Tell me when something is wrong and automatically respond. I prefer
a more focused view of my Active Directory, that I can delegate out to other
Domain Administrators and give them a view of the Entire Directories Health.
The only product I have seen that can do that is NETPRO's Directory Analyzer.
I personally think that combining DA with MOM offers the best combination of
synthesis of information, and automated response and warning. Although it is
expensive to offer two solutions, NETPRO offers a suite of utilities to
complement DA, including proactive DNS monitoring, Schema and Configuration
container monitoring, change log reporting, and Troubleshooting Tools. So my
preference is to use NETPRO combined with NETIQ to do Directory and System
monitoring. In the future we plan to remove NETIQ Appmanager and replace it
with MOM.

Todd

  
  -Original Message-
  From: Chris Flesher [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 1:14 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Active Directory Monitoring with MOM

  I'm wondering if anyone uses Microsoft Operations Manager to monitor their
  AD infrastructure? If not, what other product(s) are used, and how do you
  feel about them? What are the relative costs for the product?

  Chris Flesher
  


Re: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Jan Wilson



Tech Ed had a few sessions on MOM. It might be worth checking the site
http://www.mymsevents.com/MyMSEvents/Search.aspx
Many of them have the PowerPoint slides available for downloading.


RE: [ActiveDir] Active Directory Monitoring with MOM

2003-06-12 Thread Rick Kingslan



Jan,

I suspect that the average person is not going to be able to get the slides
for anything other than specific public sessions - keynotes, etc. Typically,
the site (as it is this year as well) is username and password protected.

If I'm missing something, let me know. All I see here is the Global Mobility.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Friday, June 13, 2003 12:09 AM
To: [EMAIL PROTECTED]

Tech Ed had a few sessions on MOM. It might be worth checking the site
http://www.mymsevents.com/MyMSEvents/Search.aspx
Many of them have the PowerPoint slides available for downloading.


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2 000 Domain

2003-06-12 Thread Rick Kingslan
Deji,

You've got that over a lot of MVPs.  I've been waiting two years to meet Joe
face to face - and the one function that I can't go to, he goes.  Can he go
to Summit?  No  Can he go to Win2k3 Server Launch?  No

I'm beginning to get a complex.  Well, OK - I've been in therapy for years
for that, but, well...  Damn.  Nevermind.

;P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji
Sent: Thursday, June 12, 2003 10:03 PM
To: [EMAIL PROTECTED]

Welcome, Joe. I am one of the biggest joeware leeches. On top of that, I get
to brag that I know you personally :)

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, June 12, 2003 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2
000 Domain

Perl rocks and thanks Robbie. :o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Thursday, June 12, 2003 5:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to
Windows 2 000 Domain


Yeah, I like those joeware tools too :-)  He even does Perl!


Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 1:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003
servers to Windows 2000 Domain


LOL, no problem, glad you like the tools, that is why I put
them out there.

So many things lacking that need to be done... so little
time, especially when it is for free. ;oP~  I really have some serious
updates coming for ADFIND or at least I want them to be coming, I want to
restructure and go to
V2 and add Security Descriptor stuff and decoding of more values like
useraccountcontrols, et al and also allowing reencoding of nice names into
blobs for searching if possible. However I expect that I will be gearing a
little towards E2K right now as that is what my paying job is throwing me
into now.

Note that if you hadn't heard joeware has been getting shut
down at the end of the month or so every month lately so I moved it to a new
provider so that shouldn't happen for  a bit now. Man I got some serious
flames when that would happen too, made me laugh pretty hard. I also finally
killed the midi's that everyone bitched about. I started seeing how much
bandwidth those little things were taking up and decided I didn't like them
that much either. eg

Anyway, thanks for the welcome. Hopefully I can contribute
my share. :o)

  joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 12, 2003 12:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows
2003 servers to Windows 2000 Domain


glad you are here, joeware rocks!

Don't think I have ever taken the time to thank you
for the tools you make available, not because I'm not appreciative, just
fundamentally lazy.

So, thanks for all past joeware and looking forward
to more :-]



  _

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]


Everyone kept saying, join activedir join activedir,
so I stumbled in fashionably late and three sheets to the wind... The only
way to make an entrance. ;o)

So where were we, I believe we were discussing
slapping MIT Kerberos and OpenLDAP on a Linux box and calling it OverActive
Directory?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows
2003 servers to Windows 2000 Domain


Mr. Richards.  welcome to the party.
;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert