[ActiveDir] why change password does not work over Internet

2003-10-27 Thread roseta








hi,


I have a script to change the password of a user on an LDAP server (AD)
on W2000. It works perfectly on the LAN, but when I upload it to my site,
connect to the Internet and want to change my password, it gives me the
error "Table does not exists". I do not know why. Any suggestions? Does it
have to have a certificate on the server, like an SSL certificate? I do not
know why, but any clue would be appreciated so I will check it and see all
the sides of this problem.



thanks in advance.
roseta.








RE: [ActiveDir] why change password does not work over Internet

2003-10-27 Thread Raymond McClinnis








Does the Internet server have access to the LDAP server through firewall
rules? I'm sure you looked at this already, but probably worth looking at
again.





Thanks,



Raymond McClinnis

Network Administrator

Provident Credit Union

650-508-0300 X2557

800-632-4600 X2557













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roseta
Sent: Sunday, October 26, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] why change password does not work over Internet





hi,


I have a script to change the password of a user on an LDAP server (AD)
on W2000. It works perfectly on the LAN, but when I upload it to my site,
connect to the Internet and want to change my password, it gives me the
error "Table does not exists". I do not know why. Any suggestions? Does it
have to have a certificate on the server, like an SSL certificate? I do not
know why, but any clue would be appreciated so I will check it and see all
the sides of this problem.



thanks in advance.
roseta.








RE: [ActiveDir] why change password does not work over Internet

2003-10-27 Thread roseta








To make sure that this is not the problem: I have a RAS server which is for
testing. I set the gateway to the router, so it is no longer behind the
firewall. I also assigned the LDAP server a valid IP and directed the gateway
directly to the router. So nobody is behind the firewall. I connected to the
Internet through my RAS and tried to connect to the LDAP server, but I get
the error "the table does not exists".



Thanks for your help.

Roseta.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Monday, October 27, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet



Does the Internet server have access to the LDAP server through firewall
rules? I'm sure you looked at this already, but probably worth looking at
again.





Thanks,



Raymond McClinnis

Network Administrator

Provident Credit Union

650-508-0300 X2557

800-632-4600 X2557













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roseta
Sent: Sunday, October 26, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] why change password does not work over Internet





hi,


I have a script to change the password of a user on an LDAP server (AD)
on W2000. It works perfectly on the LAN, but when I upload it to my site,
connect to the Internet and want to change my password, it gives me the
error "Table does not exists". I do not know why. Any suggestions? Does it
have to have a certificate on the server, like an SSL certificate? I do not
know why, but any clue would be appreciated so I will check it and see all
the sides of this problem.



thanks in advance.
roseta.








[ActiveDir] windows 2000 authentication

2003-10-27 Thread Graham Turner
was wondering if anyone could give us a heads up on how we prevent a
windows 2000 domain controller from authenticating a user logon request.

by comparison on an NT4 domain controller, the configuration of pausing
the netlogon service would prevent the DC from authenticating a user logon
request

i would guess that the same fix may apply to a win2k DC for an NTLM logon
request say from a downlevel (non Kerberos aware client) but am not sure
whether this would apply to a Kerberos logon request.

TIA

GT


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread Roger Seielstad



You been hanging out with Missy Koslosky lately?


-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Saturday, October 25, 2003 10:48 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Cookbook

  Bite me, Joe.

  :P

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Saturday, October 25, 2003 1:17 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Cookbook
  
  I thought you would think that was a good thought. But you have a good
  point to counter that good thought. I should submit something, I wouldn't
  mind being in the acknow. err wait a minute. How about this, people who
  are already in it can submit something and pick one person to be removed
  from the acknowledgements... Oh Rick :op

  Hmmm what could I submit... Oh I know, something I had to do today really
  quick... Find all OU's with any GPO link whatsoever...

  First off I wondered, is gplink in the GC?

      adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

  Gets you

      dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
      isMemberOfPartialAttributeSet: TRUE

  So it sure is... This is easy!

      adfind -gc -b -f "(&(objectcategory=organizationalunit)(gplink=*))" gplink

  On my home domain that rips off in less than a second...

      dn:OU=Domain Controllers,DC=joehome,DC=com
      gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

      dn:OU=Cmps,DC=joehome,DC=com
      gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

  Oh ok, you now want to know what the nice name of those are...

      adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

  and

      adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

  I don't recall those exact examples in the book. :op

  Can anyone guess how often I use adfind in the course of a normal workday?

  Me neither. But I have wrapped it with a couple of batch files.

  The first is called findthis.cmd

  It takes whatever I enter and basically does a

      adfind -gc -b -f name=%1 -dn

  I also have a kids.cmd

      adfind -gc -b %1 -s one -f * -dn

  and also I have a get

      adfind -b %1 -s base

  Ok that is enough, I don't want to hurt anyone. ;o)

  Good night!

    joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
  Sent: Saturday, October 25, 2003 1:40 AM
  To: '[EMAIL PROTECTED]'

  And what have you been drinking at 1am?? :-) Good thought, but my guess is
  that people who offer good suggestions probably already have a copy of the
  book (since they know what's in there and what isn't). FWIW, I would be
  happy to mention in the acknowledgements section anyone who suggests a
  recipe I include in the next edition.
  
  Robbie Allen
  http://www.rallenhome.com/
  

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this donate a cookbook a month for someone who comes up with a
great idea for additions to the next version of the cookbook.

Basically the submissions have to follow the format of the book, and have
to work.

They would be judged based on the following criteria.

The topic covered in AD. 1-25 points (Existing topics with a spin get up to
12.5 points; new topics getting up to 25 if worthy.)

The issues identified within the topic 1-25 points. (Each issue identified
gets 2.5 points for existing topics. Max 10)

The solutions that meet the needs identified for each topic. 1-50 points.
(Each need that gets a solution gets 5 points per solutions. Solutions
should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, If one of the vendors
(CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to
support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler



-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To:
'[EMAIL 
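
An added example, not written by any poster in this thread: Python that parses `dn:` / `gPLink:` output like the adfind results Joe quotes above, decodes each link's option bits (1 = link disabled, 2 = enforced), and indexes which containers each GPO is linked to. The `OU=Lab` entry and the all-1s GUID in the sample are constructed, and accepting a leading `>` on attribute lines is an assumption about adfind's raw output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# gPLink option bits: bit 0 = link disabled, bit 1 = link enforced ("No Override").
GPLINK_DISABLED = 0x1
GPLINK_ENFORCED = 0x2

# One "[LDAP://<GPO DN>;<options>]" entry; a container's gPLink can hold several back to back.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(
    r"CN=(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})", re.IGNORECASE
)


@dataclass(frozen=True)
class GpoLink:
    container_dn: str   # OU (or domain/site) that carries the gPLink attribute
    gpo_dn: str         # DN of the linked groupPolicyContainer
    gpo_guid: str       # GUID taken from the GPO DN, upper-cased for comparison
    disabled: bool
    enforced: bool


def parse_gplink(container_dn, value):
    """Split one gPLink attribute value into its individual GPO links."""
    links = []
    for gpo_dn, opts in LINK_RE.findall(value):
        guid = GUID_RE.search(gpo_dn)
        flags = int(opts)
        links.append(GpoLink(
            container_dn=container_dn,
            gpo_dn=gpo_dn,
            gpo_guid=guid.group(1).upper() if guid else "",
            disabled=bool(flags & GPLINK_DISABLED),
            enforced=bool(flags & GPLINK_ENFORCED),
        ))
    return links


def parse_adfind_output(text):
    """Walk 'dn:' / 'gPLink:' lines and return every link found."""
    links, current_dn = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">")      # tolerate ">gPLink:" and "gPLink:"
        lowered = line.lower()
        if lowered.startswith("dn:"):
            current_dn = line[3:].strip()
        elif lowered.startswith("gplink:") and current_dn:
            links.extend(parse_gplink(current_dn, line[7:].strip()))
    return links


def containers_by_gpo(links):
    """Map GPO GUID -> containers it is linked to (where does this policy apply?)."""
    index = defaultdict(list)
    for link in links:
        index[link.gpo_guid].append(link.container_dn)
    return dict(index)


def review_items(links):
    """Links worth a second look in an audit: disabled or enforced ones."""
    return [link for link in links if link.disabled or link.enforced]


# Constructed sample: the first two entries mirror the output quoted in the
# thread; OU=Lab and its first GUID are made up to exercise the option bits.
SAMPLE = """\
dn:OU=Domain Controllers,DC=joehome,DC=com
>gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Cmps,DC=joehome,DC=com
>gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Lab,DC=joehome,DC=com
>gPLink: [LDAP://CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=joehome,DC=com;1][LDAP://cn={61CF67FA-41FA-415C-B349-E7D182BDD54F},cn=policies,cn=system,DC=joehome,DC=com;2]
"""

if __name__ == "__main__":
    found = parse_adfind_output(SAMPLE)
    for guid, containers in containers_by_gpo(found).items():
        print(guid, "->", "; ".join(containers))
    for link in review_items(found):
        state = "disabled" if link.disabled else "enforced"
        print("review:", link.container_dn, link.gpo_guid, state)
```
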

RE: [ActiveDir] Do you have a development (DEV) forest?

2003-10-27 Thread Roger Seielstad



Exactly. Having a test lab is critical for this kind of thing.

Worst case, a few copies of VMWare Workstation or GSX Server and some decent
desktops would do nicely for a low volume lab environment. In fact, one of
the 4 machines in my cube is basically dedicated as a VMWare host.

Roger
-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Saturday, October 25, 2003 2:50 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Do you have a development (DEV) forest?

  We do not have a DEV forest, per se. We have a TEST Lab in which anything
  that would affect AD would be tested before it can be put into production.
  Our DEV staff does not do any level of programming that would touch AD.
  They do not do any level of LDAP, GC lookups, ADO connections to the AD, or
  Schema changes / looks / updates.

  Given what our DEV staff does, it would be a huge waste of money for us to
  put them in their own forest. If they start to develop AD integrated
  programs, we would likely reconsider as the risk to potential schema
  problems is still too high, IMHO. Obviously, I'm not going to give access
  to DEV to make changes to schema anyway, but if the program needs to update
  schema, it's obviously going to need to be tested (in our current
  'waterfall' project management model - ineffective and pointless as it is.)
  and the test lab is currently where that would happen.

  If they feel that they require production access to 'eat their own dog
  food', then we would have to reconsider. Likely, a DEV forest would be
  implemented if the requirement changed to a 'Production-like' system for
  DEV.

  Hope this helps.

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of StickmanRunner87
  Sent: Saturday, October 25, 2003 1:18 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Do you have a development (DEV) forest?

  Hello!

  BACKGROUND
  Recently, our Active Directory Team was asked by executive management to
  implement a development forest that very much mimics our production forest
  in many ways. However, many of us struggle with this request because we're
  afraid a development forest will incur more work and cost than benefit.

  QUESTIONS
  Do you have a development (DEV) forest?

  If yes,

    How does DEV's size compare to PROD in terms of users, computers, domain
    controllers, domains, sites, gpo's?
    Do DEV admins support PROD too?
    How does DEV's SLA compare to PROD?
    How has DEV added-value to your company?
    Any stories to share?
    How current is DEV compared to PROD?
    Identical, one schema version behind, etc.?
    How does DEV's change control practices compare to PROD?

  If no,

    Is there a specific reason why you don't have a DEV forest?
    Did you have a DEV forest previously and tear it down?
    Are you considering a DEV forest at the present time?

  I appreciate any feedback you can share with me. If you would prefer to
  discuss in a telephone call, I'm willing to "phone a friend."

  Sincerely,
  Stick
  



RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread DiBias, Chip
BindView is in for the first month if you guys want to head down this
path...this could get interesting.

Chip DiBias

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2003 7:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

$60.00 is a lot.  I would want to review it by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog!
http://www.toddm.org/adog

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

 Rick!  Care to address the issue?

Who's this Rick guy everyone keeps talking about?  ;-) 

I've removed the offending email address corresponding to the
auto-responder.  The list is once again a safe place to post.  Be careful
out there.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Saturday, 25 October 2003 07:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every
message we send on the list.  He needs a hockey puck; Slapshot style.

Rick!  Care to address the issue?

Thanks,

Toddler  

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan
  Original Message 
 Subject: RE: [ActiveDir] Active Directory Cookbook
 From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
 Date: Fri, October 24, 2003 9:54 pm
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 
 Hey Rob,
 
  
 
 What about this donate a cookbook a month for someone who comes up

 with a great idea for additions to the next version of the cookbook.
 
  
 
 Basically the submissions have to follow the format of the book, and 
 have to work.
 
  
 
 They would be judged based on the following criteria.
 
  
 
 The topic covered in AD.  1-25 points (Existing topics with a spin get

 up to
 12.5 points; new topics getting up to 25 if worthy.)
 
 The issues identified within the topic 1-25 points.  (Each issue 
 identified gets 2.5 points for existing topics. Max 10)
 
 The solutions that meet the needs identified for each topic. 1-50 
 points.
 (Each need that gets a solution gets 5 points per solutions. 
 Solutions
 should identify any GUI, CLI, and VB methods for automation.)
 
  
 
 To make things interesting if it takes off,  If one of the vendors 
 (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was

 willing to support this contest, it would be really interesting.
 
  
 
 Just an Idea at 1AM...
 
  
 
 Toddler
 
  
 
  
 
  
 
 -Original Message-
 From: Robbie Allen [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 12:43 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
  
 
 Thanks for all of the positive feedback about the book.  I give the 
 credit to my all-star cast of reviewers :-)
 
  
 
 My main goal was to produce a reference that would help AD admins get 
 their job done quicker and easier.  There is just too much stuff AD 
 admins have to remember and that's why I thought the O'Reilly cookbook

 format would work especially well in this case.
 
  
 
 If you have the book (or even if you don't), be sure to check out the 
 following web site, which has all of the code in the book and any
 corrections: http://www.rallenhome.com/books/adcookbook/code.html
 
  
 
 Keep the feedback coming
 
  
 
 Regards,
 
 Robbie Allen
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 
 Sent: Friday, October 24, 2003 11:51 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Active Directory Cookbook
 
 
 Agreed - I got mine yesterday from Amazon and I must say that this 
 should be on the shelf of every AD administrator. Period.
 
 Michael Parent MCSE MCT
 Analyst I - Web Services
 ITOS - Systems Enablement
 Maritime Life Assurance Company
 (902) 453-7300 x3456
 
 
 
 
  
 
 Lou Vega [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 
 10/24/2003 10:37 AM
 Please respond to ActiveDir
 
 
 To:[EMAIL PROTECTED] 
 cc: 
 Subject:[ActiveDir] Active Directory Cookbook
 
 
 
 
 Received my very own copy of Mr. Robbie Allen's Tuna book last night

 from Amazon.com - in the first night's reading the book is already 
 proving its worth as I see how to do certain things much simpler than

 I had done them before (with regards to the VBScripts included), as 
 well as learn new things I didn't realize could be done (in both AD2K 
 and AD2K3). The book will be very handy as I continue to stand up my 
 development 

[ActiveDir] Active Directory Cookbook Bake-off

2003-10-27 Thread Robbie Allen
I'm working with O'Reilly to see if they would host something like this.  If
not, I can put it up on my site.

If any other companies (or individuals) are interested in participating,
please email me at [EMAIL PROTECTED]  I don't have any details yet; I'm
just trying to gauge general interest.  Thanks for the nudge Todd.

Regards,
Robbie Allen
http://www.rallenhome.com/


 -Original Message-
 From: DiBias, Chip [mailto:[EMAIL PROTECTED] 
 Sent: Monday, October 27, 2003 9:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
 
 BindView is in for the first month if you guys want to head down this
 path...this could get interesting.
 
 Chip DiBias
 

   Original Message 
  Subject: RE: [ActiveDir] Active Directory Cookbook
  From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
  Date: Fri, October 24, 2003 9:54 pm
  To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
  
  Hey Rob,
  
   
  
  What about this donate a cookbook a month for someone 
 who comes up
 
  with a great idea for additions to the next version of the cookbook.
  
   
  
  Basically the submissions have to follow the format of the 
 book, and 
  have to work.
  
   
  
  They would be judged based on the following criteria.
  
   
  
  The topic covered in AD.  1-25 points (Existing topics with 
 a spin get
 
  up to
  12.5 points; new topics getting up to 25 if worthy.)
  
  The issues identified within the topic 1-25 points.  (Each issue 
  identified gets 2.5 points for existing topics. Max 10)
  
  The solutions that meet the needs identified for each topic. 1-50 
  points.
  (Each need that gets a solution gets 5 points per solutions. 
  Solutions
  should identify any GUI, CLI, and VB methods for automation.)
  
   
  
  To make things interesting if it takes off,  If one of the vendors 
  (CoughNETPRO, CoughAELITA, Cough.Quest, 
 Cough..BV) was
 
  willing to support this contest, it would be really interesting.
  
   
  
  Just an Idea at 1AM...
  
   
  
  Toddler
  
   
  
   
  
   
  
  -Original Message-
  From: Robbie Allen [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 24, 2003 12:43 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Active Directory Cookbook
  
   
  
  Thanks for all of the positive feedback about the book.  I give the 
  credit to my all-star cast of reviewers :-)
  
   
  
  My main goal was to produce a reference that would help AD 
 admins get 
  their job done quicker and easier.  There is just too much stuff AD 
  admins have to remember and that's why I thought the 
 O'Reilly cookbook
 
  format would work especially well in this case.
  
   
  
  If you have the book (or even if you don't), be sure to 
 check out the 
  following web site, which has all of the code in the book and any
  corrections: http://www.rallenhome.com/books/adcookbook/code.html
  
   
  
  Keep the feedback coming
  
   
  
  Regards,
  
  Robbie Allen
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  
  Sent: Friday, October 24, 2003 11:51 AM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Active Directory Cookbook
  
  
  Agreed - I got mine yesterday from Amazon and I must say that this 
  should be on the shelf of every AD administrator. Period.
  
  Michael Parent MCSE MCT
  Analyst I - Web Services
  ITOS - Systems Enablement
  Maritime Life Assurance Company
  (902) 453-7300 x3456
  
  
  
  
   
  
  Lou Vega [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  
  10/24/2003 10:37 AM
  Please respond to ActiveDir
  
  
  To:[EMAIL PROTECTED] 
  cc: 
  Subject:[ActiveDir] Active Directory Cookbook
  
  
  
  
  Received my very own copy of Mr. Robbie Allen's Tuna book 
 last night
 
  from Amazon.com - in the first night's reading the book is already 
  proving its worth as I see how to do certain things much 
 simpler than
 
  I had done them before (with regards to the VBScripts included), as 
  well as learn new things I didn't realize could be done (in 
 both AD2K 
  and AD2K3). The book will be very handy as I continue to 
 stand up my 
  development Windows 2003 domain.

  To anyone else on this list who hasn't gotten it yet...it's a 
  worthwhile addition to your Active Directory library.

  To Robbie (and all the others who assisted him!) - thanks 
 for a great 
  resource!

  r/
  Lou

RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread John Parker
33 bux on Amazon.
23 in the new and used.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.

Alpha Video
7711 Computer Ave.
Edina, MN. 55435
 
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct

[EMAIL PROTECTED]
Be excellent to each other
---End of Line---


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


$60.00 is a lot.  I would want to review it by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog!
http://www.toddm.org/adog

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

 Rick!  Care to address the issue?

Who's this Rick guy everyone keeps talking about?  ;-) 

I've removed the offending email address corresponding to the
auto-responder.  The list is once again a safe place to post.  Be careful
out there.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Saturday, 25 October 2003 07:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every
message we send on the list.  He needs a hockey puck; Slapshot style.

Rick!  Care to address the issue?

Thanks,

Toddler  

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan
  Original Message 
 Subject: RE: [ActiveDir] Active Directory Cookbook
 From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
 Date: Fri, October 24, 2003 9:54 pm
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 
 Hey Rob,
 
  
 
 What about this donate a cookbook a month for someone who comes up 
 with a great idea for additions to the next version of the cookbook.
 
  
 
 Basically the submissions have to follow the format of the book, and 
 have to work.
 
  
 
 They would be judged based on the following criteria.
 
  
 
 The topic covered in AD.  1-25 points (Existing topics with a spin get 
 up to
 12.5 points; new topics getting up to 25 if worthy.)
 
 The issues identified within the topic 1-25 points.  (Each issue 
 identified gets 2.5 points for existing topics. Max 10)
 
 The solutions that meet the needs identified for each topic. 1-50 
 points.
 (Each need that gets a solution gets 5 points per solutions. 
 Solutions
 should identify any GUI, CLI, and VB methods for automation.)
 
  
 
 To make things interesting if it takes off,  If one of the vendors 
 (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was 
 willing to support this contest, it would be really interesting.
 
  
 
 Just an Idea at 1AM...
 
  
 
 Toddler
 
  
 
  
 
  
 
 -Original Message-
 From: Robbie Allen [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 12:43 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
  
 
 Thanks for all of the positive feedback about the book.  I give the 
 credit to my all-star cast of reviewers :-)
 
  
 
 My main goal was to produce a reference that would help AD admins get 
 their job done quicker and easier.  There is just too much stuff AD 
 admins have to remember and that's why I thought the O'Reilly cookbook 
 format would work especially well in this case.
 
  
 
 If you have the book (or even if you don't), be sure to check out the 
 following web site, which has all of the code in the book and any
 corrections: http://www.rallenhome.com/books/adcookbook/code.html
 
  
 
 Keep the feedback coming
 
  
 
 Regards,
 
 Robbie Allen
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 
 Sent: Friday, October 24, 2003 11:51 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Active Directory Cookbook
 
 
 Agreed - I got mine yesterday from Amazon and I must say that this 
 should be on the shelf of every AD administrator. Period.
 
 Michael Parent MCSE MCT
 Analyst I - Web Services
 ITOS - Systems Enablement
 Maritime Life Assurance Company
 (902) 453-7300 x3456
 
 
 
 
  
 
 Lou Vega [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 
 10/24/2003 10:37 AM
 Please respond to ActiveDir
 
 
 To:[EMAIL PROTECTED] 
 cc: 
 Subject:[ActiveDir] Active Directory Cookbook
 
 
 
 
 Received my very own copy of Mr. Robbie Allen's Tuna book last night 
 from Amazon.com - in the first night's reading the book is already 
 proving its worth as I see how to do certain things much simpler than 
 I had done them 

RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread Myrick, Todd (NIH/CIT)
I didn't see the discount for some reason.  I apologize.

Toddler

-Original Message-
From: John Parker [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 27, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


33 bux on Amazon.
23 in the new and used.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.

Alpha Video
7711 Computer Ave.
Edina, MN. 55435
 
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct

[EMAIL PROTECTED]
Be excellent to each other
---End of Line---


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


$60.00 is a lot.  I would want to review it by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog!
http://www.toddm.org/adog

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

 Rick!  Care to address the issue?

Who's this Rick guy everyone keeps talking about?  ;-) 

I've removed the offending email address corresponding to the
auto-responder.  The list is once again a safe place to post.  Be careful
out there.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Saturday, 25 October 2003 07:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every
message we send on the list.  He needs a hockey puck; Slapshot style.

Rick!  Care to address the issue?

Thanks,

Toddler  

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan
  Original Message 
 Subject: RE: [ActiveDir] Active Directory Cookbook
 From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
 Date: Fri, October 24, 2003 9:54 pm
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 
 Hey Rob,
 
  
 
 What about this donate a cookbook a month for someone who comes up
 with a great idea for additions to the next version of the cookbook.
 
  
 
 Basically the submissions have to follow the format of the book, and
 have to work.
 
  
 
 They would be judged based on the following criteria.
 
  
 
 The topic covered in AD.  1-25 points (Existing topics with a spin get
 up to
 12.5 points; new topics getting up to 25 if worthy.)
 
 The issues identified within the topic 1-25 points.  (Each issue
 identified gets 2.5 points for existing topics. Max 10)
 
 The solutions that meet the needs identified for each topic. 1-50
 points.
 (Each need that gets a solution gets 5 points per solutions. 
 Solutions
 should identify any GUI, CLI, and VB methods for automation.)
 
  
 
 To make things interesting if it takes off,  If one of the vendors
 (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was 
 willing to support this contest, it would be really interesting.
 
  
 
 Just an Idea at 1AM...
 
  
 
 Toddler
 
  
 
  
 
  
 
 -Original Message-
 From: Robbie Allen [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 12:43 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
  
 
 Thanks for all of the positive feedback about the book.  I give the
 credit to my all-star cast of reviewers :-)
 
  
 
 My main goal was to produce a reference that would help AD admins get
 their job done quicker and easier.  There is just too much stuff AD 
 admins have to remember and that's why I thought the O'Reilly cookbook 
 format would work especially well in this case.
 
  
 
 If you have the book (or even if you don't), be sure to check out the
 following web site, which has all of the code in the book and any
 corrections: http://www.rallenhome.com/books/adcookbook/code.html
 
  
 
 Keep the feedback coming
 
  
 
 Regards,
 
 Robbie Allen
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 
 Sent: Friday, October 24, 2003 11:51 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Active Directory Cookbook
 
 
 Agreed - I got mine yesterday from Amazon and I must say that this
 should be on the shelf of every AD administrator. Period.
 
 Michael Parent MCSE MCT
 Analyst I - Web Services
 ITOS - Systems Enablement
 Maritime Life Assurance Company
 (902) 453-7300 x3456
 
 
 
 
  
 
 Lou Vega [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 
 10/24/2003 10:37 AM
 Please respond to ActiveDir
 
 
 To:[EMAIL PROTECTED] 
 cc: 
 Subject:[ActiveDir] Active Directory 

RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread John Parker
Just ordered it.

Can't wait to start cooking.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.

Alpha Video
7711 Computer Ave.
Edina, MN. 55435
 
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct

[EMAIL PROTECTED]
Be excellent to each other
---End of Line---


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 8:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook


I didn't see the discount for some reason.  I apologize.

Toddler

-Original Message-
From: John Parker [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 27, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


33 bux on Amazon.
23 in the new and used.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.

Alpha Video
7711 Computer Ave.
Edina, MN. 55435
 
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct

[EMAIL PROTECTED]
Be excellent to each other
---End of Line---


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 26, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook


$60.00 is a lot.  I would want to review it by hand first.

Todd.

BTW I meant Tony, not Rick.

Toddler

New Post on the ADOG Blog!
http://www.toddm.org/adog

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 26, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

 Rick!  Care to address the issue?

Who's this Rick guy everyone keeps talking about?  ;-) 

I've removed the offending email address corresponding to the
auto-responder.  The list is once again a safe place to post.  Be careful
out there.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Samstag, 25. Oktober 2003 07:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every
message we send on the list.  He needs a hockey puck; Slapshot style.

Rick!  Care to address the issue?

Thanks,

Toddler  

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan
  Original Message 
 Subject: RE: [ActiveDir] Active Directory Cookbook
 From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
 Date: Fri, October 24, 2003 9:54 pm
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 
 Hey Rob,
 
  
 
 What about this donate a cookbook a month for someone who comes up
 with a great idea for additions to the next version of the cookbook.
 
  
 
 Basically the submissions have to follow the format of the book, and
 have to work.
 
  
 
 They would be judged based on the following criteria.
 
  
 
 The topic covered in AD.  1-25 points (Existing topics with a spin get
 up to
 12.5 points; new topics getting up to 25 if worthy.)
 
 The issues identified within the topic 1-25 points.  (Each issue
 identified gets 2.5 points for existing topics. Max 10)
 
 The solutions that meet the needs identified for each topic. 1-50
 points.
 (Each need that gets a solution gets 5 points per solution.
 Solutions
 should identify any GUI, CLI, and VB methods for automation.)
 
  
 
 To make things interesting if it takes off,  If one of the vendors
 (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was 
 willing to support this contest, it would be really interesting.
 
  
 
 Just an Idea at 1AM...
 
  
 
 Toddler
 
  
 
  
 
  
 
 -Original Message-
 From: Robbie Allen [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 24, 2003 12:43 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
  
 
 Thanks for all of the positive feedback about the book.  I give the
 credit to my all-star cast of reviewers :-)
 
  
 
 My main goal was to produce a reference that would help AD admins get
 their job done quicker and easier.  There is just too much stuff AD 
 admins have to remember and that's why I thought the O'Reilly cookbook 
 format would work especially well in this case.
 
  
 
 If you have the book (or even if you don't), be sure to check out the
 following web site, which has all of the code in the book and any
 corrections: http://www.rallenhome.com/books/adcookbook/code.html
 
  
 
 Keep the feedback coming
 
  
 
 Regards,
 
 Robbie Allen
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 
 Sent: Friday, October 24, 2003 11:51 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Active 

[ActiveDir] AD recovery after disaster

2003-10-27 Thread Orin Rehorst









Pls point me to info re how to backup AD for restore on a new server after a
disaster.

Regards,

Orin Rehorst

Port of Houston Authority












RE: [ActiveDir] AD recovery after disaster

2003-10-27 Thread Jimmy Andersson



Windows NT4.0 and Windows 2000 Disaster Recovery and Backup and Restore
Procedures:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q287061

How to Back Up and Restore the System State in Windows 2000:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240363

Backup of the Active Directory Has 60-Day Useful Life:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216993

Regards,
/Jimmy

Jimmy Andersson, Q Advice AB
CEO  Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Orin Rehorst
Sent: Monday, October 27, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD recovery after disaster

Pls point me to info re how to backup AD for restore on a new server after a
disaster.

Regards,
Orin Rehorst
Port of Houston Authority




RE: [ActiveDir] why change password does not work over Internet

2003-10-27 Thread Coleman, Hunter



When you say "upload to my site," are you trying to set 
it up so that you can change a password through a web page? If so, the script is 
likely executing under the security context of the IUSR account of the web 
server, and the domain has no idea who that IUSR is. You can embed LDAP 
authentication into your script, or you can set up your web server so that the 
script will execute under the user's credentials.

Hunter


From: roseta [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 5:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet

For making sure that this is not the problem. I have a RAS server which is
for test. I set the gateway to the router so no more behind firewall. And
also assigned the LDAP server a valid IP and directed the gateway directly to
router. So nobody behind firewall, I connected to Internet through my RAS.
And tried to connect to LDAP server. But I get the error the table does not
exists.

Thanks for your help.
Roseta.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Monday, October 27, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] why change password does not work over Internet

Does the internet server have access to the LDAP server through Firewall
rules? I'm sure you looked at this already, but probably worth looking at
again

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union
650-508-0300 X2557
800-632-4600 X2557

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of roseta
Sent: Sunday, October 26, 2003 11:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] why change password does not work over Internet

hi,

I have the script to change a password of a user with a LDAP server(AD) on
W2000. It works perfectly on the LAN. but when I upload it to my site and
connect to Internet and want to change my password. it gives me error "Table
does not exists". I do not know why? any suggestion? Does it have to have any
certificate on server like SSL certificate? I do not know why but any clue
would be appreciated so I will check it and see all the sides of this
problem.

thanks in advance.
roseta.


RE: [ActiveDir] GPMC on XP

2003-10-27 Thread Darren Mar-Elia



Mike-
I'm assuming that when you talk about viewing Windows settings, you're doing
this against the GPO itself, rather than doing an RSoP logging report? If so,
then you might want to verify that you don't have a problem with the
permissions on the SYSVOL portion of that GPO, stored under
SYSVOL\domain\policies\GUID of GPO.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Kemker
Sent: Friday, October 24, 2003 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPMC on XP

Hello from a long time listener/first time caller.

I have a Windows 2000 AD Domain and I am on a call with PSS right now
concerning my XP machine running the Windows 2003 AdminPak and the new GPMC
utility. My problem is that when I open the Windows Settings under User
Configuration I can't see anything but the Remote Installation Service topic.
I can't see any other categories such as Internet Explorer Maintenance,
Scripts, Security Settings, and Folder Redirection.

PSS is struggling with it right now and I wanted to know if any of you have
seen this before.

Any help is greatly appreciated!

Thank you!

Mike Kemker
MCSE, CNE
Kimball International


RE: [ActiveDir] AD Object Perms

2003-10-27 Thread Ama Hanjef
Tried that. I get access denied when joining the
domain, even after resetting account in ADUC.
I even tried delegating, Change Password. 

Do you know a way to turn on logging or debugging to
find out what attempted action (when joining the
domain) is failing and causing the access denied?



--- Joe [EMAIL PROTECTED] wrote:
 AH... Didn't think someone would try that but it is
 valid. I don't have a
 lab to test right this second, but I think I would
 start with removing the
 reset password and see if that buys anything.
 
joe 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Ama Hanjef
 Sent: Thursday, October 23, 2003 11:38 AM
 To: [EMAIL PROTECTED]
 
 Joe,
 Thanks for the reply.
 The users are admins on the computer, that's not a
 problem.
 
 The problem we are having with delegating Write
 Account Restrictions, Write
 Service Principal Name, Write DNS Host Name and
 Reset Password perms is that
 the users/workstation techs can join a computer to
 the domain with the same
 name as a computer that already exists, thus
 disjoining the first computer. 
 We are looking to make it necessary that a Domain
 Admin reset the computer
 account before the users/workstation techs can join
 that computer.
 
 
 
 
 
 
 --- Joe [EMAIL PROTECTED] wrote:
  The user will need to be an admin on the computer
 itself. I know of no 
  way around that.
  
  In AD if using the GUI, simply specify the person
 or group that can 
  do the join when creating the object.
  
  If creating the machine account via script,
 delegate the following to 
  the
  computer:
  
  Write Account Restrictions
  Write Service Principal Name
  Write DNS Host Name
  Reset Password
  
  
  Here is some perl code for that little piece that
 I use to write acl's 
  to an OU for that purpose.
  
  # Fragment: $debug, $securitygroup and $dACL are set up elsewhere in the
  # full script. $dACL is the DiscretionaryAcl of the OU being delegated.
  use Win32::OLE;

  #
  # Write Account Restrictions on computer
  #
  if ($debug) {print "  Setting $securitygroup with Write Account Restrictions on Computers...\n"};
  $ace = Win32::OLE->CreateObject("AccessControlEntry");
  $ace->{Trustee}=$securitygroup;
  $ace->{ObjectType}="{4C164200-20C0-11D0-A768-00AA006E0529}";  # Account Restrictions
  $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer
  $ace->{AccessMask}=32;   # write property
  $ace->{Flags}=3;         # ObjectType and InheritedObjectType are both present
  $ace->{AceType}=5;       # access allowed, object ACE
  $ace->{aceflags}=10;     # inherited by child objects, inherit-only
  $dACL->AddAce($ace);
  undef $ace;


  #
  # Validated Write Service Principal Name on computer
  #
  if ($debug) {print "  Setting $securitygroup with Write servicePrincipalName on Computers...\n"};
  $ace = Win32::OLE->CreateObject("AccessControlEntry");
  $ace->{Trustee}=$securitygroup;
  $ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}";  # servicePrincipalName
  $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer
  $ace->{AccessMask}=8;    # validated write (self)
  $ace->{Flags}=3;
  $ace->{AceType}=5;
  $ace->{aceflags}=10;
  $dACL->AddAce($ace);
  undef $ace;


  #
  # Validated Write dNSHostName on computer
  #
  if ($debug) {print "  Setting $securitygroup with Write dNSHostName on Computers...\n"};
  $ace = Win32::OLE->CreateObject("AccessControlEntry");
  $ace->{Trustee}=$securitygroup;
  $ace->{ObjectType}="{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}";  # dNSHostName
  $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer
  $ace->{AccessMask}=8;    # validated write (self)
  $ace->{Flags}=3;
  $ace->{AceType}=5;
  $ace->{aceflags}=10;
  $dACL->AddAce($ace);
  undef $ace;


  #
  # Reset Password on computer
  #
  if ($debug) {print "  Setting $securitygroup with Reset Password on Computers...\n"};
  $ace = Win32::OLE->CreateObject("AccessControlEntry");
  $ace->{Trustee}=$securitygroup;
  $ace->{ObjectType}="{00299570-246D-11D0-A768-00AA006E0529}";  # Reset Password
  $ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}";  # computer
  $ace->{AccessMask}=256;  # control access (extended right)
  $ace->{Flags}=3;
  $ace->{AceType}=5;
  $ace->{aceflags}=10;
  $dACL->AddAce($ace);
  undef $ace;
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On
 Behalf Of fact hunter
  Sent: Wednesday, October 22, 2003 10:39 AM
  To: [EMAIL PROTECTED]
  
  I want to allow a low level user to join a
 computer to the domain only 
  when the computer account has been pre-populated
 as a new account or 
  the account has been reset in the case of a
 reimage. However, I do not 
  want them to be able to overwrite computer
 accounts that are in use.
  
  Any help is appreciated.
  
  Ama
  
  __
  Do you Yahoo!?
  The New Yahoo! Shopping - with improved product
 search 
  http://shopping.yahoo.com
  List info   :
 http://www.activedir.org/mail_list.htm
  List FAQ:
 http://www.activedir.org/list_faq.htm
  List 
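
The delegation discussed in this thread, as an added audit example that is not part of any poster's message: it parses an OU's security descriptor in SDDL form and lists which trustees hold the four computer-object rights set by Joe's Perl fragment, so that holders of Reset Password can be reviewed. The sample SDDL string, its SIDs and the function names are constructed for this example.

```python
import re

# Object GUIDs for the four rights delegated in the thread, with the
# access-mask bit each is granted under (32, 8, 8, 256 in the Perl).
JOIN_RIGHTS = {
    "4c164200-20c0-11d0-a768-00aa006e0529": ("Write Account Restrictions", 0x20),
    "f3a64788-5306-11d1-a9c5-0000f80367c1": ("Validated write servicePrincipalName", 0x08),
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": ("Validated write dNSHostName", 0x08),
    "00299570-246d-11d0-a768-00aa006e0529": ("Reset Password", 0x100),
}
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
GENERIC_ALL = 0x10000000

# SDDL two-letter access-right tokens used on directory objects.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": GENERIC_ALL, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
ACE_RE = re.compile(r"\(([^()]*)\)")


def decode_mask(rights):
    """Turn an SDDL rights field ('WP', 'RPWP', '0x100') into an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def parse_aces(sddl):
    """Return the allow ACEs (types A and OA) found in an SDDL string."""
    aces = []
    for body in ACE_RE.findall(sddl):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA"):
            continue  # deny, audit and malformed entries are not evaluated
        aces.append({
            "flags": [f[1][i:i + 2] for i in range(0, len(f[1]), 2)],
            "mask": decode_mask(f[2]),
            "object": f[3].lower(),
            "inherit_object": f[4].lower(),
            "trustee": f[5],
        })
    return aces


def join_rights_by_trustee(ou_sddl):
    """Map trustee -> join-related rights that child computer objects inherit."""
    result = {}
    for ace in parse_aces(ou_sddl):
        if "CI" not in ace["flags"]:
            continue  # not inherited by child objects
        if ace["inherit_object"] not in ("", COMPUTER_CLASS):
            continue  # inherited only by some other object class
        covers_all = ace["object"] == ""  # no GUID: every property / right
        for guid, (name, bit) in JOIN_RIGHTS.items():
            if (covers_all and ace["mask"] & GENERIC_ALL) or (
                    ace["mask"] & bit and (covers_all or ace["object"] == guid)):
                result.setdefault(ace["trustee"], set()).add(name)
    return result


def reset_password_holders(ou_sddl):
    """Trustees whose inherited rights on computer objects include Reset Password."""
    rights = join_rights_by_trustee(ou_sddl)
    return sorted(t for t, names in rights.items() if "Reset Password" in names)


# Constructed sample: SIDs ending 1105-1108 are made up for the example.
_C = ";" + COMPUTER_CLASS + ";S-1-5-21-1-2-3-"
SAMPLE_OU_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;CIIO;WP;4c164200-20c0-11d0-a768-00aa006e0529" + _C + "1105)"
    "(OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1" + _C + "1105)"
    "(OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd" + _C + "1105)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529" + _C + "1105)"
    "(OA;CIIO;CR;" + _C + "1106)"  # all extended rights on computers
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;"
    "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1107)"  # user class
    "(OD;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529" + _C + "1108)"
    "(A;;RPLCLORC;;;AU)"  # read-only, not inherited
)

if __name__ == "__main__":
    for trustee, names in sorted(join_rights_by_trustee(SAMPLE_OU_SDDL).items()):
        print(trustee, sorted(names))
```

Deny ACEs are skipped rather than evaluated, so the output lists what is granted, not the effective access after deny entries are applied.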

RE: [ActiveDir] AD recovery after disaster

2003-10-27 Thread james . cate

Return Receipt

Your document: RE: [ActiveDir] AD recovery after disaster
was received by: James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV
at: 10/27/2003 01:28:15 PM



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Object Perms

2003-10-27 Thread deji
  I want to allow a low level user to join a
 computer to the domain only
  when the computer account has been pre-populated
 as a new account or
  the account has been reset in the case of a
 reimage. However, I do not
  want them to be able to overwrite computer
 accounts that are in use.
 
  Any help is appreciated.

 
Here is a modified copy of the script I use for this purpose. I have tried to
put some intelligent comments in there for understanding. Normally, I'd send
this to you directly, but I can't get your email. How it works is that you
supply the 
 
If the code wraps or needs some debugging, email me offline.
 
The full code is a more complicated ASP that sets all the required parameters
based on authentication. If you need that, I can share it too.
 
HTH


Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



 
On Error Resume Next
Dim strComputer, strComputerUser, strUsername, strPassword
Dim objRootDSE, objContainer, objComputer, openDS, objDomain
Dim Connect, myDSN, RS, Query
Dim strLocation, strDept, strOU
Dim strSessionDept, strSessionLoc, strSessioncreator, strComputerDescription
Dim objSecurityDescriptor, objDACL
Dim objACE1, objACE2, objACE3, objACE4, objACE5
Dim objACE6, objACE7, objACE8, objACE9
' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
'controlAccessRight rightsGuid values
Const ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

strComputer = "theNameOfTheComputerToCreate or theNameOfTheExistingComputerYouWantToModifyACEOn"
strComputerUser = "The name of the user who will be joining the computer to the Domain AFTER we have created it in AD"
strComputerDescription = "Created by blahblah"
'The path to the OU/Container where we want the Computer Account created in, e.g.:
objDomain = "LDAP://OU=MyComputers,DC=myChild,DC=myParent,DC=com"

'The following values are usually stored in a SQL database and read on the
'fly. They are not hardcoded into the script
'This is an account that has the ability/rights to modify Properties
strUserName = "NameOfADomainAdminAccount"
'This is the Password of the Domain Admin Account. As Noted above, VERY BAD
'Idea to hard-code this into the script. Use inputBox to get the values
'instead of store it in a Database and read it back
strPassword = "myPass"

Set openDS = GetObject("LDAP:")
Set objContainer = openDS.OpenDSObject(objDomain, strUsername, strPassword, 1)

'This is where you create a NEW computer
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", strComputerDescription
objComputer.Put "userAccountControl", _
    ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo
'If we can't create the Computer Account, then error out and stop
If NOT Err.Number = 0 Then
    Wscript.Echo "Unable to create Computer account, probably because the name already exists"
    '''Comment out the next line so that the script does not stop
    '''You will do this IF you don't intend to create a NEW computer Account, and
    '''you only want to give a User the rights to add an EXISTING Computer to the
    '''Domain
    Wscript.Quit(0)
End If
Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl
Set objACE1 = Server.CreateObject("AccessControlEntry")
objACE1.Trustee = strComputerUser
objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
' objACE2 through objACE6: Extended Rights
Set objACE2 = Server.CreateObject("AccessControlEntry")
objACE2.Trustee = strComputerUser
objACE2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE2.AceFlags = 0
objACE2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.ObjectType = ALLOWED_TO_AUTHENTICATE
Set objACE3 = Server.CreateObject("AccessControlEntry")
objACE3.Trustee = strComputerUser
objACE3.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE3.AceFlags = 0
objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.Flags = 

RE: [ActiveDir] Active Directory Cookbook

2003-10-27 Thread Rick Kingslan



LOL!

Heh Yeah, I forgot that you and Missy are acquainted. Too funny.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, October 27, 2003 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

You been hanging out with Missy Koslosky lately?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Saturday, October 25, 2003 10:48 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Cookbook

  Bite me, Joe.

  :P

  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Saturday, October 25, 2003 1:17 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Cookbook
  
  I thought you would think that was a good thought. But you have a good
  point to counter that good thought. I should submit something, I wouldn't
  mind being in the acknow. err wait a minute. How about this, people who
  are already in it can submit something and pick one person to be removed
  from the acknowledgements... Oh Rick :op

  Hmmm what could I submit... Oh I know, something I had to do today really
  quick... Find all OU's with any GPO link whatsoever...

  First off I wondered, is gplink in the GC?

  adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

  Gets you

  dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
  isMemberOfPartialAttributeSet: TRUE

  So it sure is... This is easy!

  adfind -gc -b -f "(objectcategory=organizationalunit)(gplink=*)" gplink

  On my home domain that rips off in less than a second...

  dn:OU=Domain Controllers,DC=joehome,DC=com
  gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

  dn:OU=Cmps,DC=joehome,DC=com
  gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

  Oh ok, you now want to know what the nice name of those are...

  adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

  and

  adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

  I don't recall those exact examples in the book. :op

  Can anyone guess how often I use adfind in the course of a normal workday?

  Me neither. But I have wrapped it with a couple of batch files.

  The first is called findthis.cmd

  It takes whatever I enter and basically does a

  adfind -gc -b -f name=%1 -dn

  I also have a kids.cmd

  adfind -gc -b %1 -s one -f * -dn

  and also I have a get

  adfind -b %1 -s base

  Ok that is enough, I don't want to hurt anyone. ;o)

  Good night!

   joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
  Sent: Saturday, October 25, 2003 1:40 AM
  To: '[EMAIL PROTECTED]'

  And what have you been drinking at 1am?? :-) Good thought, but my guess is
  that people who offer good suggestions probably already have a copy of the
  book (since they know what's in there and what isn't). FWIW, I would be
  happy to mention in the acknowledgements section anyone who suggests a
  recipe I include in the next edition.

  Robbie Allen
  http://www.rallenhome.com/
  

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this donate a cookbook a month for someone who comes up with a
great idea for additions to the next version of the cookbook.

Basically the submissions have to follow the format of the book, and have to
work.

They would be judged based on the following criteria.

The topic covered in AD. 1-25 points (Existing topics with a spin get up to
12.5 points; new topics getting up to 25 if worthy.)

The issues identified within the topic 1-25 points. (Each issue identified
gets 2.5 points for existing topics. Max 10)

The solutions that meet the needs identified for each topic. 1-50 points.
(Each need that gets a solution gets 5 points per solution. Solutions should
identify any GUI, CLI, and VB methods for automation.)

To make things interesting