[ActiveDir] why change password does not work over Internet
Hi,

I have the script to change a password of a user with a LDAP server (AD) on W2000. It works perfectly on the LAN, but when I upload it to my site and connect to Internet and want to change my password, it gives me error Table does not exists. I do not know why. Any suggestion? Does it have to have any certificate on server like SSL certificate? I do not know why, but any clue would be appreciated so I will check it and see all the sides of this problem.

Thanks in advance.
roseta.
RE: [ActiveDir] why change password does not work over Internet
Does the internet server have access to the LDAP server through Firewall rules? I'm sure you looked at this already, but probably worth looking at again.

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union
650-508-0300 X2557
800-632-4600 X2557

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roseta
Sent: Sunday, October 26, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] why change password does not work over Internet

Hi,

I have the script to change a password of a user with a LDAP server (AD) on W2000. It works perfectly on the LAN, but when I upload it to my site and connect to Internet and want to change my password, it gives me error Table does not exists. I do not know why. Any suggestion? Does it have to have any certificate on server like SSL certificate? I do not know why, but any clue would be appreciated so I will check it and see all the sides of this problem.

Thanks in advance.
roseta.
RE: [ActiveDir] why change password does not work over Internet
For making sure that this is not the problem: I have a RAS server which is for test. I set the gateway to the router, so no more behind firewall. And also assigned the LDAP server a valid IP and directed the gateway directly to router. So nobody behind firewall. I connected to Internet through my RAS and tried to connect to LDAP server. But I get the error the table does not exists.

Thanks for your help.
Roseta.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Monday, October 27, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet

Does the internet server have access to the LDAP server through Firewall rules? I'm sure you looked at this already, but probably worth looking at again.

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union
650-508-0300 X2557
800-632-4600 X2557
[ActiveDir] windows 2000 authentication
Was wondering if anyone could give us a heads up on how we prevent a Windows 2000 domain controller from authenticating a user logon request.

By comparison, on an NT4 domain controller, the configuration of pausing the netlogon service would prevent the DC from authenticating a user logon request. I would guess that the same fix may apply to a win2k DC for an NTLM logon request, say from a downlevel (non Kerberos aware client), but am not sure whether this would apply to a Kerberos logon request.

TIA
GT

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Active Directory Cookbook
You been hanging out with Missy Koslosky lately?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Bite me, Joe. :P

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

I thought you would think that was a good thought. But you have a good point to counter that good thought.

I should submit something, I wouldn't mind being in the acknow. err wait a minute. How about this, people who are already in it can submit something and pick one person to be removed from the acknowledgements... Oh Rick :op

Hmmm what could I submit... Oh I know, something I had to do today really quick... Find all OU's with any GPO link whatsoever...

First off I wondered, is gplink in the GC?

    adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

Gets you

    dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
    isMemberOfPartialAttributeSet: TRUE

So it sure is... This is easy!

    adfind -gc -b -f "(&(objectcategory=organizationalunit)(gplink=*))" gplink

On my home domain that rips off in less than a second...

    dn:OU=Domain Controllers,DC=joehome,DC=com
    gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

    dn:OU=Cmps,DC=joehome,DC=com
    gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

Oh ok, you now want to know what the nice name of those are...

    adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

and

    adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

I don't recall those exact examples in the book. :op

Can anyone guess how often I use adfind in the course of a normal workday? Me neither. But I have wrapped it with a couple of batch files. The first is called findthis.cmd. It takes whatever I enter and basically does a

    adfind -gc -b -f name=%1 -dn

I also have a kids.cmd

    adfind -gc -b %1 -s one -f * -dn

and also I have a get

    adfind -b %1 -s base

Ok that is enough, I don't want to hurt anyone. ;o)

Good night!

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Saturday, October 25, 2003 1:40 AM
To: '[EMAIL PROTECTED]'

And what have you been drinking at 1am?? :-)

Good thought, but my guess is that people who offer good suggestions probably already have a copy of the book (since they know what's in there and what isn't). FWIW, I would be happy to mention in the acknowledgements section anyone who suggests a recipe I include in the next edition.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook. Basically the submissions have to follow the format of the book, and have to work. They would be judged based on the following criteria.

- The topic covered in AD. 1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)
- The issues identified within the topic 1-25 points. (Each issue identified gets 2.5 points for existing topics. Max 10)
- The solutions that meet the needs identified for each topic. 1-50 points. (Each need that gets a solution gets 5 points per solutions. Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL
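The gPLink values in the adfind output quoted above pack each linked GPO's DN and a link-options number into one bracketed string. As an added example (not code from the thread or from adfind), this Python parser reads output of that shape and reports which links are enforced or disabled; the function names are illustrative and the third sample entry is constructed.

```python
import re

# Sample in the shape of the adfind output quoted in the thread. The first two
# entries reuse the thread's DNs; the OU=Lab entry is constructed to show a
# value with two links and non-zero options.
SAMPLE = """\
dn:OU=Domain Controllers,DC=joehome,DC=com
gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Cmps,DC=joehome,DC=com
gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Lab,DC=example,DC=test
gPLink: [LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=test;2][LDAP://CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=Policies,CN=System,DC=example,DC=test;1]
"""

# One link looks like [LDAP://<GPO DN>;<options>]; several may be concatenated.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
# The GPO's GUID is the first RDN of its DN.
GUID_RE = re.compile(r"CN=\{([0-9A-Fa-f-]{36})\}", re.IGNORECASE)


def parse_gplink(value):
    """Split one gPLink attribute value into a list of link records."""
    links = []
    for gpo_dn, raw_options in LINK_RE.findall(value):
        options = int(raw_options)
        guid = GUID_RE.match(gpo_dn)
        links.append({
            "gpo_dn": gpo_dn,
            "guid": guid.group(1).upper() if guid else None,
            "disabled": bool(options & 1),   # bit 0: link disabled
            "enforced": bool(options & 2),   # bit 1: link enforced
        })
    return links


def parse_adfind(text):
    """Map each dn: line to the links found on the gPLink: lines after it."""
    containers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # tolerate a leading '>'
        lowered = line.lower()
        if lowered.startswith("dn:"):
            current = line[3:].strip()
            containers[current] = []
        elif current is not None and lowered.startswith("gplink:"):
            containers[current].extend(parse_gplink(line.split(":", 1)[1]))
    return containers


def containers_by_gpo(containers):
    """Invert the mapping: GPO GUID -> containers it is linked to."""
    index = {}
    for dn, links in containers.items():
        for link in links:
            index.setdefault(link["guid"], []).append(dn)
    return index


def links_to_review(containers):
    """Return (container, guid, state) for links that are enforced or disabled."""
    findings = []
    for dn, links in containers.items():
        for link in links:
            if link["disabled"]:
                findings.append((dn, link["guid"], "disabled"))
            elif link["enforced"]:
                findings.append((dn, link["guid"], "enforced"))
    return findings


if __name__ == "__main__":
    parsed = parse_adfind(SAMPLE)
    for guid, dns in containers_by_gpo(parsed).items():
        print(guid, "->", "; ".join(dns))
    for dn, guid, state in links_to_review(parsed):
        print("review:", state, guid, "on", dn)
```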
RE: [ActiveDir] Do you have a development (DEV) forest?
Exactly. Having a test lab is critical for this kind of thing. Worst case, a few copies of VMWare Workstation or GSX Server and some decent desktops would do nicely for a low volume lab environment. In fact, one of the 4 machines in my cube is basically dedicated as a VMWare host.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do you have a development (DEV) forest?

We do not have a DEV forest, per se. We have a TEST Lab in which anything that would affect AD would be tested before it can be put into production.

Our DEV staff does not do any level of programming that would touch AD. They do not do any level of LDAP, GC lookups, ADO connections to the AD, or Schema changes / looks / updates. Given what our DEV staff does, it would be a huge waste of money for us to put them in their own forest.

If they start to develop AD integrated programs, we would likely reconsider as the risk to potential schema problems is still too high, IMHO. Obviously, I'm not going to give access to DEV to make changes to schema anyway, but if the program needs to update schema, it's obviously going to need to be tested (in our current 'waterfall' project management model - ineffective and pointless as it is.) and the test lab is currently where that would happen. If they feel that they require production access to 'eat their own dog food', then we would have to reconsider. Likely, a DEV forest would be implemented if the requirement changed to a 'Production-like' system for DEV.

Hope this helps.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of StickmanRunner87
Sent: Saturday, October 25, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you have a development (DEV) forest?

Hello!

BACKGROUND
Recently, our Active Directory Team was asked by executive management to implement a development forest that very much mimics our production forest in many ways. However, many of us struggle with this request because we're afraid a development forest will incur more work and cost than benefit.

QUESTIONS
Do you have a development (DEV) forest?

If yes,
- How does DEV's size compare to PROD in terms of users, computers, domain controllers, domains, sites, gpo's?
- Do DEV admins support PROD too?
- How does DEV's SLA compare to PROD?
- How has DEV added-value to your company? Any stories to share?
- How current is DEV compared to PROD? Identical, one schema version behind, etc.?
- How does DEV's change control practices compare to PROD?

If no,
- Is there a specific reason why you don't have a DEV forest?
- Did you have a DEV forest previously and tear it down?
- Are you considering a DEV forest at the present time?

I appreciate any feedback you can share with me. If you would prefer to discuss in a telephone call, I'm willing to "phone a friend."

Sincerely,
Stick
RE: [ActiveDir] Active Directory Cookbook
BindView is in for the first month if you guys want to head down this path...this could get interesting.

Chip DiBias

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 7:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

$60.00 is a lot. I would want to review in by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog! http://www.toddm.org/adog

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Rick! Care to address the issue?

Who's this Rick guy everyone keeps talking about? ;-)

I've removed the offending email address corresponding to the auto-responder. The list is once again a safe place to post. Be careful out there.

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Saturday, October 25, 2003 07:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every message we send on the list. He needs a hockey puck; Slapshot style.

Rick! Care to address the issue?

Thanks,
Toddler

-----Original Message-----
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan

Original Message
Subject: RE: [ActiveDir] Active Directory Cookbook
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Date: Fri, October 24, 2003 9:54 pm
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook. Basically the submissions have to follow the format of the book, and have to work. They would be judged based on the following criteria.

- The topic covered in AD. 1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)
- The issues identified within the topic 1-25 points. (Each issue identified gets 2.5 points for existing topics. Max 10)
- The solutions that meet the needs identified for each topic. 1-50 points. (Each need that gets a solution gets 5 points per solutions. Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-)

My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:
http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Lou Vega [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's Tuna book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development
[ActiveDir] Active Directory Cookbook Bake-off
I'm working with O'Reilly to see if they would host something like this. If not, I can put it up on my site.

If any other companies (or individuals) are interested in participating, please email me at [EMAIL PROTECTED] I don't have any details yet; I'm just trying to gauge general interest.

Thanks for the nudge Todd.

Regards,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: DiBias, Chip [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

BindView is in for the first month if you guys want to head down this path...this could get interesting.

Chip DiBias

Lou Vega [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's Tuna book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great resource!

r/
Lou
RE: [ActiveDir] Active Directory Cookbook
33 bux on Amazon. 23 in the new and used.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
Be excellent to each other
---End of Line---

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

$60.00 is a lot. I would want to review in by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog! http://www.toddm.org/adog
RE: [ActiveDir] Active Directory Cookbook
I didn't see the discount for some reason. I apologize.

Toddler

-----Original Message-----
From: John Parker [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

33 bux on Amazon. 23 in the new and used.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
Be excellent to each other
---End of Line---
RE: [ActiveDir] Active Directory Cookbook
Just ordered it. Can't wait to start cooking.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
Be excellent to each other
---End of Line---

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 8:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

I didn't see the discount for some reason. I apologize.

Toddler
[ActiveDir] AD recovery after disaster
Pls point me to info re how to backup AD for restore on a new server after a disaster.

Regards,
Orin Rehorst
Port of Houston Authority
RE: [ActiveDir] AD recovery after disaster
Windows NT4.0 and Windows 2000 Disaster Recovery and Backup and Restore Procedures:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q287061

How to Back Up and Restore the System State in Windows 2000:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240363

Backup of the Active Directory Has 60-Day Useful Life:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216993

Regards,
/Jimmy

Jimmy Andersson, Q Advice AB
CEO Principal Advisor
Microsoft MVP - Active Directory
www.qadvice.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Orin Rehorst
Sent: Monday, October 27, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD recovery after disaster

Pls point me to info re how to backup AD for restore on a new server after a disaster.

Regards,
Orin Rehorst
Port of Houston Authority
RE: [ActiveDir] why change password does not work over Internet
When you say "upload to my site," are you trying to set it up so that you can change a password through a web page? If so, the script is likely executing under the security context of the IUSR account of the web server, and the domain has no idea who that IUSR is. You can embed LDAP authentication into your script, or you can set up your web server so that the script will execute under the user's credentials.

Hunter

From: roseta [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 5:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet

For making sure that this is not the problem. I have a RAS server which is for test. I set the gateway to the router so no more behind firewall. And also assigned the LDAP server a valid IP and directed the gateway directly to router. So nobody behind firewall, I connected to Internet through my RAS. And tried to connect to LDAP server. But I get the error the table does not exists.

Thanks for your help.
Roseta.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Monday, October 27, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet

Does the internet server have access to the LDAP server through Firewall rules? I'm sure you looked at this already, but probably worth looking at again

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union
650-508-0300 X2557
800-632-4600 X2557

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roseta
Sent: Sunday, October 26, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] why change password does not work over Internet

hi,
I have the script to change a password of a user with a LDAP server(AD) on W2000. It works perfectly on the LAN. but when I upload it to my site and connect to Internet and want to change my password. it gives me error "Table does not exists". I do not know why? any suggestion? Does it have to have any certificate on server like SSL certificate? I do not know why but any clue would be appreciated so I will check it and see all the sides of this problem.
thanks in advance.
roseta.
RE: [ActiveDir] GPMC on XP
Mike-

I'm assuming that when you talk about viewing Windows settings, you're doing this against the GPO itself, rather than doing an RSoP logging report? If so, then you might want to verify that you don't have a problem with the permissions on the SYSVOL portion of that GPO, stored under SYSVOL\domain\policies\GUID of GPO.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Kemker
Sent: Friday, October 24, 2003 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPMC on XP

Hello from a long time listener/first time caller. I have a Windows 2000 AD Domain and I am on a call with PSS right now concerning my XP machine running the Windows 2003 AdminPak and the new GPMC utility. My problem is that when I open the Windows Settings under User Configuration I can't see anything but the Remote Installation Service topic. I can't see any other categories such as Internet Explorer Maintenance, Scripts, Security Settings, and Folder Redirection. PSS is struggling with it right now and I wanted to know if any of you have seen this before.

Any help is greatly appreciated!

Thank you!
Mike Kemker MCSE, CNE
Kimball International
RE: [ActiveDir] AD Object Perms
Tried that. I get access denied when joining the domain, even after resetting account in ADUC. I even tried delegating Change Password. Do you know a way to turn on logging or debugging to find out what attempted action (when joining the domain) is failing and causing the access denied?

--- Joe [EMAIL PROTECTED] wrote:

AH... Didn't think someone would try that but it is valid. I don't have a lab to test right this second, but I think I would start with removing the reset password and see if that buys anything.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ama Hanjef
Sent: Thursday, October 23, 2003 11:38 AM
To: [EMAIL PROTECTED]

Joe,

Thanks for the reply. The users are admins on the computer, that's not a problem. The problem we are having with delegating Write Account Restrictions, Write Service Principal Name, Write DNS Host Name and Reset Password perms is that the users/workstation techs can join a computer to the domain with the same name as a computer that already exists, thus disjoining the first computer. We are looking to make it necessary that a Domain Admin reset the computer account before the users/workstation techs can join that computer.

--- Joe [EMAIL PROTECTED] wrote:

The user will need to be an admin on the computer itself. I know of no way around that. In AD if using the GUI, simply specify the person or group that can do the join when creating the object. If creating the machine account via script, delegate the following to the computer:

Write Account Restrictions
Write Service Principal Name
Write DNS Host Name
Reset Password

Here is some perl code for that little piece that I use to write acl's to an OU for that purpose.

    use Win32::OLE;
    # $dACL, $securitygroup and $debug are set up elsewhere in the full script.
    #
    # Write Account Restrictions on computer
    #
    if ($debug) {print "Setting $securitygroup with Write Account Restrictions on Computers...\n"};
    $ace = Win32::OLE->CreateObject("AccessControlEntry");
    $ace->{Trustee}=$securitygroup;
    $ace->{ObjectType}="{4C164200-20C0-11D0-A768-00AA006E0529}"; # Account Restrictions
    $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
    $ace->{AccessMask}=32;  # write property
    $ace->{Flags}=3;        # object type and inherited object type present
    $ace->{AceType}=5;      # access allowed, object ACE
    $ace->{aceflags}=10;    # inherit + inherit only
    $dACL->AddAce($ace);
    undef $ace;

    #
    # Validated Write Service Principal Name on computer
    #
    if ($debug) {print "Setting $securitygroup with Write servicePrincipalName on Computers...\n"};
    $ace = Win32::OLE->CreateObject("AccessControlEntry");
    $ace->{Trustee}=$securitygroup;
    $ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}"; # servicePrincipalName
    $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
    $ace->{AccessMask}=8;   # validated write (self)
    $ace->{Flags}=3;
    $ace->{AceType}=5;
    $ace->{aceflags}=10;
    $dACL->AddAce($ace);
    undef $ace;

    #
    # Validated Write dNSHostName on computer
    #
    if ($debug) {print "Setting $securitygroup with Write dNSHostName on Computers...\n"};
    $ace = Win32::OLE->CreateObject("AccessControlEntry");
    $ace->{Trustee}=$securitygroup;
    $ace->{ObjectType}="{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"; # dNSHostName
    $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
    $ace->{AccessMask}=8;
    $ace->{Flags}=3;
    $ace->{AceType}=5;
    $ace->{aceflags}=10;
    $dACL->AddAce($ace);
    undef $ace;

    #
    # Reset Password on computer
    #
    if ($debug) {print "Setting $securitygroup with Reset Password on Computers...\n"};
    $ace = Win32::OLE->CreateObject("AccessControlEntry");
    $ace->{Trustee}=$securitygroup;
    $ace->{ObjectType}="{00299570-246D-11D0-A768-00AA006E0529}"; # Reset Password
    $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
    $ace->{AccessMask}=256; # control access (extended right)
    $ace->{Flags}=3;
    $ace->{AceType}=5;
    $ace->{aceflags}=10;
    $dACL->AddAce($ace);
    undef $ace;

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of fact hunter
Sent: Wednesday, October 22, 2003 10:39 AM
To: [EMAIL PROTECTED]

I want to allow a low level user to join a computer to the domain only when the computer account has been pre-populated as a new account or the account has been reset in the case of a reimage. However, I do not want them to be able to overwrite computer accounts that are in use. Any help is appreciated.

Ama

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List
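The four rights discussed in the thread above (Write Account Restrictions, validated writes to servicePrincipalName and dNSHostName, Reset Password) can be audited per computer object. The following is an added example, not code from any list member: it parses a computer object's SDDL string and reports non-admin trustees that hold all four rights on it, which is the condition the original poster wants to avoid on in-use accounts. The SIDs and the SDDL string are constructed sample data; deny ACEs and per-attribute grants are ignored as a simplifying assumption.

```python
import re

# The four rights from the thread: GUID -> (name, required access-mask bit).
JOIN_RIGHTS = {
    "4c164200-20c0-11d0-a768-00aa006e0529": ("Write Account Restrictions", 0x20),
    "f3a64788-5306-11d1-a9c5-0000f80367c1": ("Validated write servicePrincipalName", 0x08),
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": ("Validated write dNSHostName", 0x08),
    "00299570-246d-11d0-a768-00aa006e0529": ("Reset Password", 0x100),
}
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
GENERIC_ALL = 0x10000000
# SDDL two-letter rights codes and their access-mask bits.
SDDL_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
             "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
             "WD": 0x40000, "WO": 0x80000, "GA": GENERIC_ALL,
             "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}

def pairs(field):
    """Split an SDDL field of two-letter codes ('CIIOID' -> CI, IO, ID)."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def rights_to_mask(rights):
    """Convert an SDDL rights field ('WPCR' or '0x120') to an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= SDDL_BITS[code]
    return mask

def parse_dacl(sddl):
    """Yield (type, flags, mask, object_guid, inherited_guid, trustee) per DACL ACE."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        f = body.split(";")
        if len(f) >= 6:
            yield f[0], pairs(f[1]), rights_to_mask(f[2]), f[3].lower(), f[4].lower(), f[5]

def join_delegations(sddl):
    """Map trustee -> join-related rights that allow ACEs grant on this object."""
    granted = {}
    for ace_type, flags, mask, obj, inherited, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or "IO" in flags:
            continue  # deny/audit ACE, or inherit-only (affects children only)
        if inherited and inherited != COMPUTER_CLASS:
            continue  # scoped to a different object class
        for guid, (name, bit) in JOIN_RIGHTS.items():
            if mask & GENERIC_ALL or (mask & bit and obj in ("", guid)):
                granted.setdefault(trustee, set()).add(name)
    return granted

def can_take_over(sddl, trusted=("DA", "EA", "BA", "SY")):
    """Untrusted trustees holding all four rights on this computer account."""
    return sorted(t for t, r in join_delegations(sddl).items()
                  if t not in trusted and len(r) == len(JOIN_RIGHTS))

# Constructed sample: the SIDs and the SDDL string are made up for illustration.
TECHS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;GA;;;DA)"
    f"(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;{TECHS})"
    f"(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;{TECHS})"
    f"(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;{TECHS})"
    f"(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;{TECHS})"
    f"(OA;CIID;WP;4c164200-20c0-11d0-a768-00aa006e0529;{COMPUTER_CLASS};{HELPDESK})"
    f"(OA;CIIOID;CR;00299570-246d-11d0-a768-00aa006e0529;{COMPUTER_CLASS};{HELPDESK})"
)

if __name__ == "__main__":
    for trustee in can_take_over(SAMPLE_SDDL):
        print("holds all four join rights:", trustee)
```

Flags are split into two-letter codes before testing for `IO`, because a substring test would misread `CIOI` as inherit-only.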
RE: [ActiveDir] AD recovery after disaster
Return Receipt

Your document: RE: [ActiveDir] AD recovery after disaster
was received by: James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV
at: 10/27/2003 01:28:15 PM

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Object Perms
I want to allow a low level user to join a computer to the domain only when the computer account has been pre-populated as a new account or the account has been reset in the case of a reimage. However, I do not want them to be able to overwrite computer accounts that are in use. Any help is appreciated.

Here is a modified copy of the script I use for this purpose. I have tried to put some intelligent comments in there for understanding. Normally, I'd send this to you directly, but I can't get your email. How it works is that you supply the

If the code wraps or needs some debugging, email me offline. The full code is a more complicated ASP that sets all the required parameters based on authentication. If you need that, I can share it too.

HTH

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

    On Error Resume Next

    Dim strComputer, strComputerUser, strUsername, strPassword
    Dim objRootDSE, objContainer, objComputer, openDS, objDomain
    Dim Connect, myDSN, RS, Query
    Dim strLocation, strDept, strOU
    Dim strSessionDept, strSessionLoc, strSessioncreator, strComputerDescription
    Dim objSecurityDescriptor, objDACL
    Dim objACE1, objACE2, objACE3, objACE4, objACE5
    Dim objACE6, objACE7, objACE8, objACE9

    ' ADS_USER_FLAG_ENUM
    Const ADS_UF_PASSWD_NOTREQD = &h0020
    Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000

    ' ADS_ACETYPE_ENUM
    Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

    ' ADS_FLAGTYPE_ENUM
    Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

    ' ADS_RIGHTS_ENUM
    Const ADS_RIGHT_GENERIC_READ = &h80000000
    Const ADS_RIGHT_DS_SELF = &h8
    Const ADS_RIGHT_DS_WRITE_PROP = &h20
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100

    'controlAccessRight rightsGuid values
    Const ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
    Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
    Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
    Const USER_CHANGE_PASSWORD = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
    Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
    Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
    Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
    Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

    strComputer = "theNameOfTheComputerToCreate or theNameOfTheExistingComputerYouWantToModifyACEOn"
    strComputerUser = "The name of the user who will be joining the computer to the Domain AFTER we have created it in AD"
    strComputerDescription = "Created by blahblah"
    'The path to the OU/Container where we want the Computer Account created in, e.g.:
    objDomain = "LDAP://OU=MyComputers,DC=myChild,DC=myParent,DC=com"

    'The following values are usually stored in a SQL database and read on the fly. They are not hardcoded into the script
    strUserName = "NameOfADomainAdminAccount" 'This is an account that has the ability/rights to modify Properties
    strPassword = "myPass" 'This is the Password of the Domain Admin Account. As Noted above, VERY BAD Idea to hard-code this into the script.
    'Use inputBox to get the values instead of store it in a Database and read it back

    Set openDS = GetObject("LDAP:")
    Set objContainer = openDS.OpenDSObject(objDomain, strUsername, strPassword, 1)

    'This is where you create a NEW computer
    Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
    objComputer.Put "sAMAccountName", strComputer & "$"
    objComputer.Put "Description", strComputerDescription
    objComputer.Put "userAccountControl", _
        ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
    objComputer.SetInfo

    'If we can't create the Computer Account, then error out and stop
    If NOT Err.Number = 0 Then
        Wscript.Echo "Unable to create Computer account, probably because the name already exists"
        '''Comment out the next line so that the script does not stop
        '''You will do this IF you don't intend to create a NEW computer Account, and you only want to give a User the rights to add an EXISTING Computer to the Domain
        Wscript.Quit(0)
    End If

    Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
    Set objDACL = objSecurityDescriptor.DiscretionaryAcl

    Set objACE1 = Server.CreateObject("AccessControlEntry")
    objACE1.Trustee = strComputerUser
    objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
    objACE1.AceFlags = 0
    objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED

    ' objACE2 through objACE6: Extended Rights
    Set objACE2 = Server.CreateObject("AccessControlEntry")
    objACE2.Trustee = strComputerUser
    objACE2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
    objACE2.AceFlags = 0
    objACE2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objACE2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objACE2.ObjectType = ALLOWED_TO_AUTHENTICATE

    Set objACE3 = server.CreateObject("AccessControlEntry")
    objACE3.Trustee = strComputerUser
    objACE3.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
    objACE3.AceFlags = 0
    objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objACE3.Flags =
RE: [ActiveDir] Active Directory Cookbook
LOL! Heh

Yeah, I forgot that you and Missy are acquainted. Too funny.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, October 27, 2003 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

You been hanging out with Missy Koslosky lately?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Bite me, Joe. :P

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

I thought you would think that was a good thought. But you have a good point to counter that good thought. I should submit something, I wouldn't mind being in the acknow. err wait a minute. How about this, people who are already in it can submit something and pick one person to be removed from the acknowledgements... Oh Rick :op

Hmmm what could I submit... Oh I know, something I had to do today really quick... Find all OU's with any GPO link whatsoever...

First off I wondered, is gplink in the GC?

    adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

Gets you

    dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
    isMemberOfPartialAttributeSet: TRUE

So it sure is... This is easy!

    adfind -gc -b "" -f "&(objectcategory=organizationalunit)(gplink=*)" gplink

On my home domain that rips off in less than a second...

    dn:OU=Domain Controllers,DC=joehome,DC=com
    gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

    dn:OU=Cmps,DC=joehome,DC=com
    gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

Oh ok, you now want to know what the nice name of those are...

    adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

and

    adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

I don't recall those exact examples in the book. :op

Can anyone guess how often I use adfind in the course of a normal workday? Me neither. But I have wrapped it with a couple of batch files. The first is called findthis.cmd. It takes whatever I enter and basically does a

    adfind -gc -b "" -f name=%1 -dn

I also have a kids.cmd

    adfind -gc -b %1 -s one -f * -dn

and also I have a get

    adfind -b %1 -s base

Ok that is enough, I don't want to hurt anyone. ;o)

Good night!

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Saturday, October 25, 2003 1:40 AM
To: '[EMAIL PROTECTED]'

And what have you been drinking at 1am?? :-)

Good thought, but my guess is that people who offer good suggestions probably already have a copy of the book (since they know what's in there and what isn't). FWIW, I would be happy to mention in the acknowledgements section anyone who suggests a recipe I include in the next edition.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook. Basically the submissions have to follow the format of the book, and have to work. They would be judged based on the following criteria.

The topic covered in AD. 1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)

The issues identified within the topic 1-25 points. (Each issue identified gets 2.5 points for existing topics. Max 10)

The solutions that meet the needs identified for each topic. 1-50 points. (Each need that gets a solution gets 5 points per solutions. Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting