[ActiveDir] Strange issue with NT4 to W3K AD authentication
Hi all. New to the list. Roger says this is the group that knows their stuff with AD. I've got an oddball one that I can't figure out. Sorry for the long post as a beginning.

Here's the deal. I'm performing a migration from NT 4 domain to W3K AD. New domain, new hdw, migrate only the necessary stuff to the new domain. Need to rebuild xch 5.5 from NT4 to w2k server in new domain, but leave it at 5.5. Just switch domains and OS. Using a swing server for that. Move mailboxes, rebuild current server, then remove xch from swing server. Once AD is spinning normally, migrate users and shut down old domain.

Built test lab. 2 W3K servers, both DCs, both DNS, both GCs. Working fine. Built production domain. 2 W3K servers, both DCs, both DNS, both GCs. Working fine. Same builds on both domains, same security templates, all set up the same. No radical lockdowns. Pretty basic behind-the-firewall builds. Two-way trusts between all 3 domains. No other domains involved.

Installed FastLane Migrator in the test domain to try some migration strategies. Created svc account for that app in the test domain. Built w2k server, joined new production domain, put xch 5.5 on it. SP4 for both OS and xch. Everything tests out fine. Did svc account hack to provide new domain svc account. Went fine, xch services started fine under new account.

That's when things started looking a little strange... I looked at the old xch server to make sure things were still running OK. Spotted something odd. I looked at the members of the local admins group on the NT4 xch server. Saw that the svc account was listed as newdomain\account unknown. Tried adding another account from the new domain to that group. Added OK, but as soon as I view the group again, it reverts to newdomain\account unknown. Funny thing is, though, I can see the accounts from the testlab domain just fine. And, if I look in the perms within Exchange, the accounts enumerate just fine.

Tried doing same test on a w2k wkst in old domain, same issue. Newdomain account reverts to SID immediately after creation, but testlab account looks fine. Hmmm.

OK, so I log in to the NT4 xch box as the new svc account. No prob. Logs in fine. But, I can't do everything. When I set a service to start as the svc account, it chokes and returns the error "Cannot set the startup parameters for the ...service. Error 1057 occurred: the account name is invalid or does not exist." OK, so I try a couple other accounts to test, same issue if they're in the new domain. If I use a testlab account, it works fine.

Then I try to run exAdmin while logged on as the svc account. When I connect to the new server, it works fine. When I connect to the old server, I get an error stating: "Network problems are preventing connection to the MS xch server. MAPI was unable to load the information service emsabp.dll. Be sure the service is correctly installed... Microsoft Address Book ID no. 00040380-000-" I then try as a few different accounts in the new domain. Same issue. Not an Outlook problem; Office/Outlook is not installed on that xch server. If I use an account from the testlab domain, exadmin works as it should.

Netdom, netdiag, dcdiag all run OK. Tried rebooting all involved boxes. No change. DNS resolution/registration appears to be working fine. Using same WINS box as old domain, names registering in db OK. Trusts have been verified with GUI and netdom. Haven't blown away and recreated them; wouldn't I see logon issues if I had a trust failure?

Seems like something about the way I built the new domain is different from the testlab. I checked the security policy template, RSOP, domain controller policy, and made sure all the security options and user rights assignments were the same. I don't know what the issue is. Anyone know where I should start to look? I can't find any Qs or tech articles that accurately address the xch error I'm getting.

My guess is it's one little security setting that I've overlooked. All help will be appreciated, and if I overlooked something obvious, then I deserve whatever I get. :-) Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling
Thanks Tony for the reference, but I wasn't involved in John and Sally's book, which is truly excellent. However, I did inspire John to add some specific details on Object Level recovery to his AD Disaster Recovery session - you can download his slides from his web-page (need to register first) at http://www.kimberry.co.uk/Downloads/Index.aspx

My DEC slides on AD Disaster Recovery / Object Level Restore are available on the NetPro site in the PW protected DEC section - whoever attended DEC can get them here. Others may send me an eMail if they're interested.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, 26 October 2003 20:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling

Yup, this is a good resource. I also think the whole area of LDAP (and specifically using LDP) is very well addressed in John Craddock and Sally Storey's "Active Directory Forestry" book. http://www.amazon.com/exec/obidos/tg/detail/-/0954421809/qid=1053245104/sr=1-6/ref=sr_1_6/103-9641365-7010257?v=glances=books

Unless I'm very much mistaken, I believe Guido Grillenmeier had a hand in it somewhere?

MS also has a pretty good whitepaper. http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, 25 October 2003 21:34
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling

http://www.rallenhome.com/conferences/RAllen_LDAP_Searching.ppt

Hey I didn't previously know it but Robbie posted his DEC presentation on his web site. If this was posted before I apologize. It is a pretty good little doc for those who do anything with LDAP. There are probably a couple of you on this list...

joe
RE: [ActiveDir] Strange issue with NT4 to W3K AD authentication
Welcome to the list Charlie.

You say that you haven't blown away the trust and recreated it. I would strongly recommend that you do this first and then rebuild the two-way trust between your W2K3 production domain and your old NT 4.0 domain. Do this before you go ahead and build the other two-way trust. I realise you've verified the trusts with netdom, but I'm not sure if this always picks up all problems.

http://support.microsoft.com/default.aspx?scid=kb;[LN];112214 (okay, so it's an old article, but the principle may still apply)

If that doesn't work, check out if any SID filtering is in place in the W2K3 domain. Don't think this is the issue, but I don't know what the FastLane Migrator might have done as part of the installation.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, 28 October 2003 08:50
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Strange issue with NT4 to W3K AD authentication
Re: [ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling
Guido, I am definitely interested in this material. I will be a very glad recipient.

GT

- Original Message -
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 7:58 AM
Subject: RE: [ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling
[ActiveDir] delegation cookbook
Don't know if I am jumping the gun once again, but am especially keen to get hold of the documentation from Microsoft on the delegation of administrative tasks within Active Directory. Any news on its availability?

GT
[ActiveDir] [OT] Alert when trying to force replication across sites
I'm trying to fix an error with the pony DHCP server in Windows, but in the section of the detailed instructions from the MS site, I'm getting an odd alert. I am trying to force replication from one branch office to another. The schedule is once every two hours, and I can't be arsed to wait. The error says that:

"One or more of these Active Directory connections are between domain controllers in different sites and cannot be replicated immediately. Active Directory will replicate these connections at the next opportunity."

...which is nice. Now, the chances are that the replication will happen anyway before I can work out the cause of this alert box, but I'm still interested in knowing why I can't force a replication across sites. I tried it between two AD servers within the same site, and it works fine.

Any ideas?

Olly
RE: [ActiveDir] You guys amaze me!
I would build an NT4 BDC on the domain, yank it off the main network and in the lab promote it to PDC, build another NT4 BDC (so you can retry if the process is wrong), upgrade the NT4 PDC to W2K, build and promote a fresh W2K Server. See how the process goes and get familiar with it and run some tests against that little test domain and make sure there really isn't any data that you lose that you aren't comfortable with losing so you can work out processes to not lose it. There are obviously missing details here (like setting up a little DNS and this needs to be off the main network). This will get you the comfort level you want for this and the timing and then you can sell your bosses and then you can schedule the modification in production.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, October 28, 2003 7:35 AM
To: [EMAIL PROTECTED]

Joe,

Thank you for responding to my question, in light of the work you do and the others. I'm sorry I did not respond before, but I've been under attack. Our AD is very unpopulated. It contains nothing more than what migrates over during a Win2K Domain upgrade. We do not run Exchange or any other AD aware application. I'm really not concerned with losing much. I don't know what I would lose but if Users could still log on, access resources and work away, I would consider it a success. What I am concerned with is the potential for a train wreck and getting called on the carpet, the former, more than the latter.

Rocky
___

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Joe
Sent: Saturday, October 25, 2003 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it is there but

Before I answer anything else though, what kind of data do you have in AD? Is it the basic NOS stuff or have you deployed Exchange or other AD aware apps that have populated it?

My guess is you aren't doing a lot with AD yet so most likely following option two doesn't lose much if any information that you can't export off into LDIFs and reimport after you are back to W2K DCs.

Pay isn't bad. However, in relative terms you are probably doing better. 100 users per admin versus our ratio of something like 83000 users per admin and I would be lucky to be making 5x-10x what you make let alone 830x. On the flip side though, you probably haven't put a provisioning system and auto password reset system into place - yet. :op

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious. Here is a question for you. As always, if you could offer any info, I would be very grateful.

We're a small shop with only 2 Admins managing 200 users in 4 states and we don't have the firepower you guys do. Let's say you don't like your AD domain name and you want to change it. You have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed mode. You could move the NT DC to 2K, then move everyone to W2K3, then raise the Forest functionality level and then play Russian Roulette with Rendom. That's one option. Or could it be as simple as DCPromoing all 3 W2K3 servers down to Standalone servers, allowing the NT4 DC which still controls the pre-W2K subdomain name to take full control of the domain again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO and renaming the domain to what you want? I would love to believe I could do it and get away with it.

Thank you people.

PS: I don't envy you Joe. I hope you're being paid well!

RH
-
Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
-
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
In my testing, forcing it still forces it even though that error pops. I have a little tool (adqueueloop) that will display the replication queue in near real time and doing that force always throws something into the replication queue. I was actually quite surprised to see that when working with the Product team on the AD FAQ a while back and I was testing it.

There may be some reason MS put that message up there that I have never configured on my machines, or possibly they want to cover against the possibility that maybe the sites are out of touch except for during the scheduled windows, say you have network windows that open up at certain times. In that case the queued request would sit in the queue until it could be completed.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Tuesday, October 28, 2003 6:10 AM
To: [EMAIL PROTECTED]
RE: [ActiveDir] AD Object Perms
Hey Deji, quick point. You don't need ADS_UF_PASSWD_NOTREQD set on the machine account. I approached MS previously on this. Some of their tools do it, and some of them don't. They are inconsistent but it works fine without it.

joe

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 27, 2003 3:16 PM
To: [EMAIL PROTECTED]

I want to allow a low level user to join a computer to the domain only when the computer account has been pre-populated as a new account or the account has been reset in the case of a reimage. However, I do not want them to be able to overwrite computer accounts that are in use. Any help is appreciated.

Here is a modified copy of the script I use for this purpose. I have tried to put some intelligent comments in there for understanding. Normally, I'd send this to you directly, but I can't get your email. How it works is that you supply the

If the code wraps or needs some debugging, email me offline. The full code is a more complicated ASP that sets all the required parameters based on authentication. If you need that, I can share it too.

HTH

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

_____

On Error Resume Next

Dim strComputer, strComputerUser, strUsername, strPassword
Dim objRootDSE, objContainer, objComputer, openDS, objDomain
Dim Connect, myDSN, RS, Query
Dim strLocation, strDept, strOU
Dim strSessionDept, strSessionLoc, strSessioncreator, strComputerDescription
Dim objSecurityDescriptor, objDACL
Dim objACE1, objACE2, objACE3, objACE4, objACE5
Dim objACE6, objACE7, objACE8, objACE9

' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD = &H0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

' controlAccessRight rightsGuid values
Const ALLOWED_TO_AUTHENTICATE = "{68B1D179-0D15-4d4f-AB71-46152E79A7BC}"
Const RECEIVE_AS = "{AB721A56-1E2f-11D0-9819-00AA0040529B}"
Const SEND_AS = "{AB721A54-1E2f-11D0-9819-00AA0040529B}"
Const USER_CHANGE_PASSWORD = "{AB721A53-1E2f-11D0-9819-00AA0040529b}"
Const USER_FORCE_CHANGE_PASSWORD = "{00299570-246D-11D0-A768-00AA006E0529}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

strComputer = "theNameOfTheComputerToCreate" ' or the name of the existing computer whose ACEs you want to modify
strComputerUser = "The name of the user who will be joining the computer to the Domain AFTER we have created it in AD"
strComputerDescription = "Created by blahblah"
objDomain = "LDAP://OU=MyComputers,DC=myChild,DC=myParent,DC=com" ' The path to the OU/Container where we want the Computer Account created

'The following values are usually stored in a SQL database and read on the fly. They are not hardcoded into the script
strUserName = "NameOfADomainAdminAccount" 'This is an account that has the ability/rights to modify Properties
strPassword = "myPass" 'This is the Password of the Domain Admin Account. As noted above, VERY BAD idea to hard-code this into the script. Use InputBox to get the values instead, or store them in a database and read them back

Set openDS = GetObject("LDAP:")
Set objContainer = openDS.OpenDSObject(objDomain, strUsername, strPassword, 1)

'This is where you create a NEW computer
Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "Description", strComputerDescription
objComputer.Put "userAccountControl", _
    ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

'If we can't create the Computer Account, then error out and stop
If Not Err.Number = 0 Then
    WScript.Echo "Unable to create Computer account, probably because the name already exists"
    '''Comment out the next line so that the script does not stop
    '''You will do this IF you don't intend to create a NEW computer Account, and you only want to give a User the rights to add an EXISTING Computer to the Domain
    WScript.Quit(0)
End If

Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryAcl

' CreateObject under WSH; the full ASP version uses Server.CreateObject
Set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strComputerUser
objACE1.AccessMask = ADS_RIGHT_GENERIC_READ
objACE1.AceFlags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED

' objACE2 through objACE6: Extended Rights
Set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee = strComputerUser
objACE2.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
objACE2.AceFlags = 0
' (the posted script is cut off here in the archive)
RE: [ActiveDir] delegation cookbook
The news is, it's not out yet. The review is over and they've got some work to do now to finish it (e.g. changing the definition of some of the recommended admin roles etc.). As soon as I know it's out, I'll send a quick update - my guess is MS is trying to officially release it at ITforum in Europe, which is taking place Nov 11-14 in Copenhagen, Denmark.

/Guido

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 28 October 2003 11:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] delegation cookbook
RE: [ActiveDir] AD Object Perms
Yeah, after thinking about it more it doesn't surprise me, though without testing I don't want to say any more about my theory and look more silly for saying things off the cuff.

I don't know of any detailed logging like you are talking about. I wouldn't be entirely surprised if it wasn't something you could log and I am sure a netmon trace wouldn't be entirely helpful because it would probably just be a bunch of RPC traffic and I haven't gotten my fingers on any RPC parsers yet. If I get a chance, I will try to play with this. No promises though. Sorry.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ama Hanjef
Sent: Monday, October 27, 2003 12:39 PM
To: [EMAIL PROTECTED]

Tried that. I get access denied when joining the domain, even after resetting account in ADUC. I even tried delegating Change Password. Do you know a way to turn on logging or debugging to find out what attempted action (when joining the domain) is failing and causing the access denied?

--- Joe [EMAIL PROTECTED] wrote:

AH... Didn't think someone would try that but it is valid. I don't have a lab to test right this second, but I think I would start with removing the reset password and see if that buys anything.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ama Hanjef
Sent: Thursday, October 23, 2003 11:38 AM
To: [EMAIL PROTECTED]

Joe,

Thanks for the reply. The users are admins on the computer, that's not a problem. The problem we are having with delegating Write Account Restrictions, Write Service Principal Name, Write DNS Host Name and Reset Password perms is that the users/workstation techs can join a computer to the domain with the same name as a computer that already exists, thus disjoining the first computer. We are looking to make it necessary that a Domain Admin reset the computer account before the users/workstation techs can join that computer.

--- Joe [EMAIL PROTECTED] wrote:

The user will need to be an admin on the computer itself. I know of no way around that. In AD if using the GUI, simply specify the person or group that can do the join when creating the object. If creating the machine account via script, delegate the following to the computer:

Write Account Restrictions
Write Service Principal Name
Write DNS Host Name
Reset Password

Here is some perl code for that little piece that I use to write ACLs to an OU for that purpose.

# Assumed scaffolding, not part of the fragment Joe posted: bind to the target OU
# and fetch its DACL so the ACEs below have something to be added to.
use strict;
use warnings;
use Win32::OLE;

my $debug = 1;
my $securitygroup = 'MYDOMAIN\WorkstationTechs';   # placeholder trustee
my $ou = Win32::OLE->GetObject('LDAP://OU=Workstations,DC=example,DC=com');   # placeholder OU
my $sd = $ou->Get('ntSecurityDescriptor');
my $dACL = $sd->{DiscretionaryAcl};
my $ace;

#
# Write Account Restrictions on computer
#
if ($debug) {print "Setting $securitygroup with Write Account Restrictions on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{4C164200-20C0-11D0-A768-00AA006E0529}"; # Account Restrictions
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=32;   # ADS_RIGHT_DS_WRITE_PROP
$ace->{Flags}=3;         # object type and inherited object type both present
$ace->{AceType}=5;       # ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
$ace->{AceFlags}=10;     # CONTAINER_INHERIT | INHERIT_ONLY: child computer objects only
$dACL->AddAce($ace);
undef $ace;

#
# Validated Write Service Principal Name on computer
#
if ($debug) {print "Setting $securitygroup with Write servicePrincipalName on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}"; # servicePrincipalName (validated write)
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=8;    # ADS_RIGHT_DS_SELF (validated write)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{AceFlags}=10;
$dACL->AddAce($ace);
undef $ace;

#
# Validated Write dNSHostName on computer
#
if ($debug) {print "Setting $securitygroup with Write dNSHostName on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"; # dNSHostName (validated write)
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=8;    # ADS_RIGHT_DS_SELF (validated write)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{AceFlags}=10;
$dACL->AddAce($ace);
undef $ace;

#
# Reset Password on computer
#
if ($debug) {print "Setting $securitygroup with Reset Password on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{00299570-246D-11D0-A768-00AA006E0529}"; # Reset Password
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=256;  # ADS_RIGHT_DS_CONTROL_ACCESS (extended right)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{AceFlags}=10;
$dACL->AddAce($ace);
undef $ace;

# Assumed write-back, not in the posted fragment: store the modified DACL on the OU
$sd->{DiscretionaryAcl} = $dACL;
$ou->Put('ntSecurityDescriptor', $sd);
$ou->SetInfo;

-Original Message-
From:
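As an added example (not code from the thread), in Python rather than the thread's Perl/VBScript: the same four ACEs Joe's fragment builds, rendered as SDDL so they can be compared against a DACL exported in SDDL form, plus a small audit that lists which trustees on an OU hold Reset Password over computer objects, the right Ama's message identifies as what lets a tech re-join an existing computer. The SIDs and the sample DACL are constructed; the GUIDs and mask values are the ones the thread uses.

```python
import re

# rightsGuid / schemaIDGUID values used in the thread (SDDL writes GUIDs lower-case)
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"
VALIDATED_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"
VALIDATED_DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"

# ADS_RIGHTS_ENUM bits -> SDDL right tokens (only the bits the scripts use)
RIGHT_TOKENS = {0x80000000: "GR", 0x100: "CR", 0x20: "WP", 0x10: "RP", 0x8: "SW"}
# AceFlags bits -> SDDL flag tokens, in the order Windows emits them
FLAG_TOKENS = {0x1: "OI", 0x2: "CI", 0x4: "NP", 0x8: "IO", 0x10: "ID"}
ACE_TYPES = {0: "A", 1: "D", 5: "OA", 6: "OD"}


def _tokens(value, table):
    """Expand a bit mask into concatenated SDDL tokens; refuse bits we have no token for."""
    leftover = value & ~sum(table)
    if leftover:
        raise ValueError("unmapped bits 0x%x" % leftover)
    return "".join(tok for bit, tok in table.items() if value & bit)


def ace_to_sddl(ace_type, ace_flags, access_mask, object_type, inherited_object_type, sid):
    """One SDDL ACE from the same fields the Perl/VBScript set on an AccessControlEntry."""
    return "(%s;%s;%s;%s;%s;%s)" % (
        ACE_TYPES[ace_type], _tokens(ace_flags, FLAG_TOKENS), _tokens(access_mask, RIGHT_TOKENS),
        object_type, inherited_object_type, sid)


def join_delegation_sddl(group_sid):
    """The four ACEs Joe's script adds to the OU: AceType 5, AceFlags 10 (CI|IO),
    scoped to child computer objects, for the given trustee SID."""
    parts = [
        (0x20, ACCOUNT_RESTRICTIONS),     # Write Account Restrictions (property set)
        (0x8, VALIDATED_SPN),             # Validated Write to servicePrincipalName
        (0x8, VALIDATED_DNS_HOST_NAME),   # Validated Write to dNSHostName
        (0x100, RESET_PASSWORD),          # Reset Password (control access right)
    ]
    return "".join(ace_to_sddl(5, 0x0A, mask, guid, COMPUTER_CLASS, group_sid)
                   for mask, guid in parts)


def parse_sddl_aces(dacl):
    """Split a DACL string of '(...)' ACEs into dicts; rights become a set of tokens."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")
        if len(f) != 6:
            raise ValueError("malformed ACE: " + body)
        rights = {f[2]} if f[2].startswith("0x") else set(re.findall(r"..", f[2]))
        aces.append({"type": f[0], "flags": f[1], "rights": rights,
                     "object": f[3].lower(), "inherit": f[4].lower(), "sid": f[5]})
    return aces


def reset_password_holders(ou_dacl):
    """SIDs that hold Reset Password on computer objects under an OU, given its DACL.
    Reset Password is the right that lets a delegate re-join, and so take over, an
    existing computer account (the concern in this thread), so it is the one to audit.
    Counts allow ACEs that inherit to containers (CI), are unscoped or scoped to the
    computer class, and grant full control (GA) or the CR right for this GUID or for
    all extended rights (empty object GUID). Hex-form rights are not expanded."""
    holders = set()
    for ace in parse_sddl_aces(ou_dacl):
        if ace["type"] not in ("A", "OA") or "CI" not in ace["flags"]:
            continue
        if ace["inherit"] not in ("", COMPUTER_CLASS):
            continue
        if "GA" in ace["rights"] or (
                "CR" in ace["rights"] and ace["object"] in ("", RESET_PASSWORD)):
            holders.add(ace["sid"])
    return sorted(holders)


# Constructed sample OU DACL (made-up SIDs): Joe's four ACEs for a workstation-techs
# group, full control for an admins group, Reset Password for a helpdesk group on
# USER objects only (must not count), and a deny ACE (must not count).
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_OU_DACL = (
    join_delegation_sddl("S-1-5-21-1000-2000-3000-1105")
    + "(A;CI;GA;;;S-1-5-21-1000-2000-3000-512)"
    + "(OA;CIIO;CR;%s;%s;S-1-5-21-1000-2000-3000-1200)" % (RESET_PASSWORD, USER_CLASS)
    + "(OD;CIIO;CR;%s;%s;S-1-5-21-1000-2000-3000-1300)" % (RESET_PASSWORD, COMPUTER_CLASS)
)

if __name__ == "__main__":
    print(join_delegation_sddl("S-1-5-21-1000-2000-3000-1105"))
    print("Reset Password on computers:", reset_password_holders(SAMPLE_OU_DACL))
```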
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
This error is by design. This is what you get by default when you try to force a replication between two DCs in different sites using ADSitSvcs. However, usually the replication DOES actually occur within the next couple of minutes. You could use replmon to check whether or not the replication has taken place. What the heck ... You could use replmon to force the replication if you don't like errors. Q232072 describes 4 ways to force the replication between DCs ... However, keep in mind ... Active Directory is like a river, it will get there ;-)

--- Gil, does this give you inspiration for a Haiku?

Cheers!
John

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 28 October 2003 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] Alert when trying to force replication across sites

I'm trying to fix an error with the pony DHCP server in Windows, but in the section of the detailed instructions from the MS site, I'm getting an odd alert. I am trying to force replication from one branch office to another. The schedule is once every two hours, and I can't be arsed to wait. The error says that: "one or more of these active directory connections are between domain controllers in different sites and cannot be replicated immediately. Active Directory will replicate these connections at the next opportunity" ...which is nice.

Now, the chances are that the replication will happen anyway before I can work out the cause of this alert box, but I'm still interested in knowing why I can't force a replication across sites. I tried it between two AD servers within the same site, and it works fine. Any ideas?

Olly

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
That's when you use the AD Sites & Services snap-in - it only has the ability to force replication within the same site - I believe this is because it uses the normal DC notification method, which by default is disabled between sites. Just use repadmin or replmon from the Support Tools - this will allow you to force replication across site boundaries.

/Guido

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 October 2003 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] Alert when trying to force replication across sites
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
Thanks Joe. Where do you get this tool from?

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: 28 October 2003 13:54
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Alert when trying to force replication across sites

In my testing, forcing it still forces it even though that error pops. I have a little tool (adqueueloop) that will display the replication queue in near real time, and doing that force always throws something into the replication queue. I was actually quite surprised to see that when working with the Product team on the AD FAQ a while back and I was testing it. There may be some reason MS put that message up there that I have never configured on my machines, or possibly they want to cover against the possibility that maybe the sites are out of touch except for during the scheduled windows, say you have network windows that open up at certain times. In that case the queued request would sit in the queue until it could be completed.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Tuesday, October 28, 2003 6:10 AM
To: [EMAIL PROTECTED]
[ActiveDir] [OT]'ish DHCP authorization error and ADSIEdit
I have the exact issue detailed in this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306925

I have done exactly what it says there, allowing loads of time for replication and rebooting etc. etc., and I still get exactly the same error. Using ADSIEdit removes the entries from the DHCPRoot object, and the changes get replicated. Authorizing the DHCP server adds the server entry to the DHCPRoot object again as it should, though the MMC applet still reports that the server can't be authorised even though it has just added it itself !!! :(

I have a director who will be flying to that office tomorrow with a laptop set to dynamically assign IP addresses, and he will be majorly hacked off if he can't get surfing!

Any ideas what's happening?

Olly
RE: [ActiveDir] OT: enterprise Spam blocking products
We are using Exchange 5.5, and the version of CDO that comes with Exchange 5.5 SP4 has problems. Namely, for us, the Exchange directory name has to match the AD username, Exchange alias, and the SMTP address, which is not true for our environment. So the product did not work for all of my users. Sunbelt did contact me with a possible fix, but I had already moved on to testing another anti-spam package.

jb

From: Lin Lancaster [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

What was it about I hate spam server you were worried about with the CDO? I have a customer that installed it and they're pretty happy with it.

From: [EMAIL PROTECTED] on behalf of Fuller, Stuart
Sent: Tue 10/21/2003 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

Jason,

Two possible solutions to consider:

1. Cloudmark SpamNet - this runs locally on the client and automagically moves spam from the inbox to a "spam" folder. See http://www.cloudmark.com/

2. Hardware based spam appliance - this device sits in front of your mail gateways and filters the mail before it even hits Exchange. Users get a daily email report so that they can see what has been blocked and have an opportunity to request the blocked mail. An example of this is Espion's Interceptor appliance - see http://www.espionintl.com/interceptor.html

-Stuart

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: enterprise Spam blocking products

I started testing different spam products for our company. I'm testing GFI right now. I really like Ihatespam Gateway edition, but it has limitations because of CDO. What I'm looking for is software that will move "spam" into a user's folder other than the inbox without the user having to set up a filter in Outlook. I would also like for the user to have the ability to 'tell' the software when it missed a spam message or incorrectly tags a message as spam. I would prefer a product that does not run directly on the Exchange box. We are currently running Exchange 5.5 in a cluster. I know I'm asking a lot, but I thought with everyone's help I could find a product that is close.

Thank you.

jb
RE: [ActiveDir] You guys amaze me!
Joe,

Thank you for your suggestions. They are very pragmatic and logical and, most importantly to me, understandable. As soon as possible, we will consider their implementation and post our results.

Rocky Habeeb

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Tuesday, October 28, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

I would build an NT4 BDC on the domain, yank it off the main network and in the lab promote it to PDC, build another NT4 BDC (so you can retry if the process is wrong), upgrade the NT4 PDC to W2K, build and promote a fresh W2K Server. See how the process goes and get familiar with it, and run some tests against that little test domain and make sure there really isn't any data that you lose that you aren't comfortable with losing, so you can work out processes to not lose it. There are obviously missing details here (like setting up a little DNS, and this needs to be off the main network). This will get you the comfort level you want for this and the timing, and then you can sell your bosses and then you can schedule the modification in production.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Tuesday, October 28, 2003 7:35 AM
To: [EMAIL PROTECTED]

Joe,

Thank you for responding to my question, in light of the work you do and the others. I'm sorry I did not respond before, but I've been under attack. Our AD is very unpopulated. It contains nothing more than what migrates over during a Win2K domain upgrade. We do not run Exchange or any other AD-aware application. I'm really not concerned with losing much. I don't know what I would lose, but if users could still log on, access resources and work away, I would consider it a success. What I am concerned with is the potential for a train wreck and getting called on the carpet, the former more than the latter.

Rocky

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it is there but

Before I answer anything else though, what kind of data do you have in AD? Is it the basic NOS stuff or have you deployed Exchange or other AD-aware apps that have populated it? My guess is you aren't doing a lot with AD yet, so most likely following option two doesn't lose much if any information that you can't export off into LDIFs and reimport after you are back to W2K DCs.

Pay isn't bad. However, in relative terms you are probably doing better. 100 users per admin versus our ratio of something like 83000 users per admin, and I would be lucky to be making 5x-10x what you make, let alone 830x. On the flip side though, you probably haven't put a provisioning system and auto password reset system into place - yet. :op

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious. Here is a question for you. As always, if you could offer any info, I would be very grateful. We're a small shop with only 2 admins managing 200 users in 4 states, and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it. You have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed mode. You could move the NT DC to 2K, then move everyone to W2K3, then raise the forest functionality level and then play Russian Roulette with Rendom. That's one option.

Or could it be as simple as DCPromoing all 3 W2K3 servers down to standalone servers, allowing the NT4 DC, which still controls the pre-W2K subdomain name, to take full control of the domain again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO and renaming the domain to what you want? I would love to believe I could do it and get away with it.

Thank you people.

PS: I don't envy you Joe. I hope you're being paid well!

RH
-
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
207.827.4456
habr @ jws.com
www.jws.com
-
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
AdQueueLoop is freely available from www.joeware.net on the free Win32 C++ tools page. You can also use repadmin with the /showqueue option, but good luck actually catching the item when it hits the queue... :op That is why I wrote the tool in the first place.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Tuesday, October 28, 2003 9:07 AM
To: [EMAIL PROTECTED]

Thanks Joe. Where do you get this tool from?
Re: [ActiveDir] [OT] Alert when trying to force replication across sites
Check Joe's excellent web site - http://www.joeware.net/. Specifically http://www.joeware.net/win32/ under "Windows 2000/XP/Windows 2003 Only".

al

Oliver Marshall wrote: Thanks Joe. Where do you get this tool from?

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
Nope, it will do it cross site as well, it just throws the stupid error message. I was of the same opinion as you until working on the AD FAQ and actually sat down in a lab environment and tested it. It sticks the replication request right in the queue just like normal.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, October 28, 2003 8:44 AM
To: [EMAIL PROTECTED]
RE: [ActiveDir] OT: enterprise Spam blocking products
Stuart,

Do you have experience with Espion's Interceptor appliance? It sounds like a very nice device, but I haven't been able to find any reviews online.

Thanks,
jb

-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products
RE: [ActiveDir] [OT] Alert when trying to force replication across sites
Thanks Joe and John - good to know!

/Guido

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 October 2003 16:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Alert when trying to force replication across sites
[ActiveDir] Index an attribute
Hello

What is the difference between "Index this attribute for containerized searches in the Active Directory" and "Index this attribute in the Active Directory"?

Thanks.
Raul.
RE: [ActiveDir] Index an attribute
Index for containerized searches permits searching a container rather than the entire directory. This can be used to improve lookup times for container searches. Hope this was what you were looking for?

Cheers!
John

From: Raul Martínez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 28 October 2003 16:47
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Index an attribute
RE: [ActiveDir] Index an attribute
Hello

I created a new class named doc; this class is of type organizationalUnit. I have an OU with about 10 OUs, and each OU has 4 objects. Is it recommended to activate the option "Index this attribute for containerized searches in the Active Directory"?

Thanks
Raul.

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 October 2003 17:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Index an attribute
[ActiveDir] NTDSUTIL and Metadata Cleanup
We had a dirty shutdown on a DC a few days ago, and it would not boot back up successfully. We called MS PSS before we took any recovery measures since this was our first dead DC. After some initial troubleshooting, MS recommended that we manually remove the server from AD with ntdsutil and rebuild. One thing they mentioned is that all DCs need to fully replicate to learn of the DC removal before rebuilding it with the same name and IP. Otherwise, they said, we would have an identity crisis on our hands. Since we have our last seven DCs that we built at corporate en route to remote locations... I guess we'll have to wait.

My question is: have any of you guys had to do this? And have you used the same name and IP for the server? Did you in fact wait for all DCs to be online and fully replicate? And for you real AD gurus out there, what are the details behind the possible identity crisis?

Thanks, guys.

-Rick Dayton
[ActiveDir] Changing Passwords
My company is about to implement a security policy that forces users to change their passwords every 60 days. Problem: some of our user accounts do not have SELF listed under security permissions within ADUC. This user gets "access denied" when trying to change his/her password. This is an upgraded Windows 2000 domain, upgraded from NT 4.0 to Windows 2000. All DCs are currently Windows 2000 SP4 and we are in Native Mode. Note: we have tried to add SELF under security, but once replication occurs it removes SELF. Has anyone ever heard of this?

TIA,
Joshua
RE: [ActiveDir] NTDSUTIL and Metadata Cleanup
For that very reason, I have no inhibitions about using a new name and IP address. Unless you have a process that is hardcoded to use that IP address, I can think of no reason to wait for replication just to get back to operational stability.

Al

-Original Message-
From: FDiskThePC [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 28, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDSUTIL and Metadata Cleanup
RE: [ActiveDir] OT: enterprise Spam blocking products
This is probably drifting off-topic for the list, so if anyone would rather that we take it offline, that's OK. And I'm not Stuart, but enough people in our office mix us up that it shouldn't make a difference for the list :-)

There are some things about the Interceptor that I've been very pleased with, and others that have room for improvement. It runs some ungodly number of tests against each inbound message, and each test gets assigned a point value depending on the results. The total number of points gets calculated, and if it exceeds a certain threshold then the message gets marked as spam. You can configure the points assigned to many of the tests, and you can adjust the threshold as well. So from that standpoint, we've found it very effective in tuning to fit our environment. We expect that to improve over time as we get better at adjusting it and it builds a more comprehensive corpus of our email. After a couple of weeks running it, we're finding about 48% of our inbound mail qualifies as spam. No problems with reliability so far.

Their support folks have been great, which has been a double-edged sword from my perspective. They're quick to answer questions and make configuration changes; that's good. I've had a hard time getting documentation, but that may be because our internal security department is our contact point, so I'm not working directly with the Espion folks. I still get the sense that Espion prefers a more hands-on approach than what I'd like... they're quick to remotely log in to the box (after we open firewall access) and work on it. I'd rather we have sufficient documentation to configure and troubleshoot the device, and only contact them when we can't resolve the issue. Hopefully that will improve over time. Some folks might prefer to offload all of the support and troubleshooting to the vendor.

Let me know if you have other questions.

Hunter

-----Original Message-----
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 28, 2003 8:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

Stuart,

Do you have experience with Espion's Interceptor appliance? It sounds like a very nice device, but I haven't been able to find any reviews online.

Thanks,
jb

-----Original Message-----
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: enterprise Spam blocking products

Jason,

Two possible solutions to consider:

1. Cloudmark SpamNet - this runs locally on the client and automagically moves spam from the inbox to a spam folder. See http://www.cloudmark.com/

2. Hardware-based spam appliance - this device sits in front of your mail gateways and filters the mail before it even hits Exchange. Users get a daily email report so that they can see what has been blocked and have an opportunity to request the blocked mail. An example of this is Espion's Interceptor appliance - see http://www.espionintl.com/interceptor.html

-Stuart

-----Original Message-----
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 21, 2003 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: enterprise Spam blocking products

I started testing different spam products for our company. I'm testing GFI right now. I really like Ihatespam Gateway edition, but it has limitations because of CDO. What I'm looking for is software that will move spam into a user's folder other than the inbox without the user having to set up a filter in Outlook. I would also like for the user to have the ability to 'tell' the software when it missed a spam message or incorrectly tags a message as spam. I would prefer a product that does not run directly on the Exchange box. We are currently running Exchange 5.5 in a cluster.

I know I'm asking a lot, but I thought with everyone's help I could find a product that is close.

Thank you.
jb
[ActiveDir] Publishing Applications
Greetings,

I am experiencing a problem with publishing applications through a GPO policy. We are running Windows 2003, in a Windows 2000 Native environment. SMS 2.0 is able to install the apps from the distribution point, but the policy does not seem to be working. I have created an OU and added the policy to publish an application to this OU. I have placed a security group inside the OU for those who I want to have access. I have done a gpupdate /force to refresh the policy on the DCs, as well as the clients. The application still does not show up in Add New Programs inside the Add/Remove Programs menu. I have done this before when assigning to computers, but never to a user account (group). What am I doing wrong?

Thanks,
Steve
RE: [ActiveDir] Publishing Applications
I don't believe you can publish applications to groups. You'd need to publish it to the OU which houses the user accounts, and then filter it by giving Read access to the GPO to the group of users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] Publishing Applications
Are there any errors getting logged? Are you getting a message saying that group policies are getting applied successfully? I had some issues getting a 2003 server to accept group policies from a 2000 DC. I had to grant some additional domain permissions. Getting error messages will help tremendously in troubleshooting.

Damon Erickson
RE: [ActiveDir] OT: enterprise Spam blocking products
I was Hunter in a past life, or was it yesterday... :)

Jason - to your specific question about an online review, I can't find one on the net either. I asked our security guy about this and where he found out about Espion. He told me that he originally found a review on MSN and other security sites that led him to the company; however, that review has been lost to the gods of the Internet Ether. Sorry... No soup for you... I would suggest contacting Espion directly for references/reviews.

-Stuart (not Hunter)
RE: [ActiveDir] Publishing Applications
Negative. There are no errors, neither on the client nor on the server.

Clarification: we are running Windows 2003 on all DCs, just in AD 2000 Native.
[ActiveDir] DNS WMI Provider
OK, I just gotta share, to vent some of my frustration.

The DNS provider on Windows 2000 (included in the resource kit supplement and available for download from Microsoft) is NOT compatible with the DNS provider on Windows 2003! Dagnabit!

The CreateZone() and the WriteBackZone() routines are different!! And the documentation on MSDN isn't right -- it's somewhere in between the two versions. To figure it out, I eventually had to go into the blasted MOF files. Silly. VERY silly.

And secondly, pass-through authentication does not work with WMI. Whose idea was THAT one? Bah. Humbug.

So, because of these two things, I've gotta have code like this:

    ' Zone type constants differ between the 2000 and 2003 DNS WMI providers
    Const int2000ADZone        = 0
    Const int2000PrimaryZone   = 1
    Const int2000SecondaryZone = 2

    Const int2003PrimaryZone   = 0
    Const int2003SecondaryZone = 1
    Const int2003StubZone      = 2
    Const int2003ForwardZone   = 3

    '
    ' code
    '
    ' intOS is a script-level variable set from OSVersion() before these routines run

    Sub CreateTheZone (objZoneRef, strZoneName)
        ' Create the zone; CreateZone takes a different argument list on each provider
        Dim errResult

        WScript.Echo "Creating zone " & strZoneName
        If intOS = 2000 Then
            errResult = objZoneRef.CreateZone (strZoneName, int2000PrimaryZone)
        Else  ' intOS = 2003
            errResult = objZoneRef.CreateZone (strZoneName, int2003PrimaryZone, False)
        End If
        WScript.Echo "Created zone " & strZoneName & ", will now create resource records"
    End Sub

    Sub SaveTheZone (objWMI, strZoneName)
        ' Write the zone back to disk; the method name differs between the two providers
        Dim objZone, objZones

        WScript.Echo "Updating disk image of zone"
        Set objZones = objWMI.ExecQuery ("Select * from MicrosoftDNS_Zone " & _
                                         "where ContainerName = '" & strZoneName & "'")
        For Each objZone in objZones
            If intOS = 2000 Then
                objZone.WriteBackZoneToFile ()
            Else  ' intOS = 2003
                objZone.WriteBackZone ()
            End If
        Next
        WScript.Echo "Disk image updated"
    End Sub

    Function OSVersion (strUser, strPass, strServer)
        ' Returns 2000 or 2003 based on Win32_OperatingSystem.Caption, or -1 if neither
        Dim colOS, objOS, strCaption, intOSver, objWMI

        intOSver = -1

        If ConnectComputer (strUser, strPass, strServer, "root\cimv2", objWMI) Then
            WScript.Echo "*** Error: Could not connect to CIMv2 namespace on " & strServer
            WScript.Quit 1
        End If

        Set colOS = objWMI.ExecQuery ("Select * from Win32_OperatingSystem")
        For Each objOS in colOS
            'WScript.Echo objOS.Caption & " " & objOS.Version
            strCaption = objOS.Caption
            If Instr (strCaption, "2000") Then
                intOSver = 2000
            Else
                If Instr (strCaption, "2003") Then
                    intOSver = 2003
                End If
            End If
            Exit For
        Next

        Set objWMI = Nothing
        OSVersion = intOSver
    End Function

    Function ConnectComputer (ByVal strUserName, _
                              ByVal strPassword, _
                              ByVal strServer, _
                              ByRef strNameSpace, _
                              ByRef objService)
        ' Returns False on success, True if an error occurred
        On Error Resume Next
        Dim objLocator

        ConnectComputer = False  ' There is no error.

        ' No credentials supplied: bind with the caller's own token
        If IsEmpty (strUserName) Then
            Set objService = GetObject ("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strServer & "\" & strNameSpace)
            If Err.Number Then
                WScript.Echo "Error 0x" & Hex (Err.Number) & " occurred in acquiring a WMI object."
                If Err.Description <> "" Then
                    WScript.Echo "Error description: " & Err.Description & "."
                End If
                Err.Clear
                ConnectComputer = True  ' An error occurred
            End If
            Exit Function
        End If

        ' Explicit credentials: create a Locator object to connect to the remote CIM object manager
        Set objLocator = CreateObject ("WbemScripting.SWbemLocator")
        If Err.Number Then
            WScript.Echo "Error 0x" & Hex (Err.Number) & " occurred in creating a locator object."
            If Err.Description <> "" Then
                WScript.Echo "Error description: " & Err.Description & "."
            End If
            Err.Clear
            ConnectComputer = True  ' An error occurred
            Exit Function
        End If

        ' Connect to the namespace, which is either local or remote
        Set objService = objLocator.ConnectServer (strServer, strNameSpace, strUserName, strPassword)
        objService.Security_.ImpersonationLevel = 3
        If Err.Number Then
            WScript.Echo "Error 0x" & Hex (Err.Number) & _
                         " occurred in connecting to server " & strServer & "."
            If Err.Description <> "" Then
                WScript.Echo "Error description: " & Err.Description & "."
            End If
            Err.Clear
            ConnectComputer = True  ' An error occurred
        End If
    End Function
RE: [ActiveDir] Active Directory Cookbook
Yeah, she and I got to know each other on this list (she's one of the folks that convinced me you were worth putting up with as an MVP - then to nominate you). I know that I've met her in person, but I can't put the name to the face. She is a good one, to be sure.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Tuesday, October 28, 2003 7:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Yup.. Known Missy for quite a few years now. I owe her a scotch or three next time I see her, too.. Funny, I know a lot of the Exchange MVPs...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 27, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

LOL! Heh. Yeah, I forgot that you and Missy are acquainted. Too funny.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Monday, October 27, 2003 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

You been hanging out with Missy Koslosky lately?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 25, 2003 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Bite me, Joe.

:P

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

I thought you would think that was a good thought. But you have a good point to counter that good thought. I should submit something, I wouldn't mind being in the acknow. err wait a minute. How about this, people who are already in it can submit something and pick one person to be removed from the acknowledgements... Oh Rick :op

Hmmm what could I submit... Oh I know, something I had to do today really quick... Find all OUs with any GPO link whatsoever...

First off I wondered, is gplink in the GC?

    adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

Gets you

    dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
    >isMemberOfPartialAttributeSet: TRUE

So it sure is... This is easy!

    adfind -gc -b -f "(&(objectcategory=organizationalunit)(gplink=*))" gplink

On my home domain that rips off in less than a second...

    dn:OU=Domain Controllers,DC=joehome,DC=com
    >gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

    dn:OU=Cmps,DC=joehome,DC=com
    >gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

Oh ok, you now want to know what the nice names of those are...

    adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

and

    adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

I don't recall those exact examples in the book. :op

Can anyone guess how often I use adfind in the course of a normal workday? Me neither. But I have wrapped it with a couple of batch files. The first is called findthis.cmd. It takes whatever I enter and basically does a

    adfind -gc -b -f name=%1 -dn

I also have a kids.cmd

    adfind -gc -b %1 -s one -f * -dn

and also I have a get

    adfind -b %1 -s base

Ok that is enough, I don't want to hurt anyone. ;o)

Good night!

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen
Sent: Saturday, October 25, 2003 1:40 AM
To: '[EMAIL PROTECTED]'

And what have you been drinking at 1am?? :-) Good thought, but my guess is that people who offer good suggestions probably already have a
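Joe's adfind queries above return raw gPLink values, which are concatenated "[LDAP://<GPO DN>;<options>]" entries. As an added example (not code from the thread), here is a Python parser that splits a gPLink into its individual links, decodes the options bit mask (1 = link disabled, 2 = enforced) and flags links to GPOs that are not on an approved list, the kind of check worth running when an OU turns up with a link nobody remembers creating. The sample values are constructed, reusing the two GUIDs from the adfind output; the display names are assumptions apart from the well-known Default Domain Controllers Policy GUID.

```python
"""Parse and audit gPLink attribute values as returned by a GC/adfind query.

Added example, not code from the thread. A gPLink value is one string made of
"[LDAP://<GPO DN>;<options>]" entries; options is a bit mask where
1 = link disabled and 2 = enforced (No Override).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"^CN=\{([0-9A-F-]{36})\}", re.IGNORECASE)


@dataclass
class GpoLink:
    container_dn: str
    gpo_dn: str
    gpo_guid: Optional[str]   # None when the entry does not start with CN={GUID}
    disabled: bool
    enforced: bool


def parse_gplink(container_dn: str, gplink: Optional[str]) -> List[GpoLink]:
    """Split one gPLink attribute value into its individual GPO links."""
    links: List[GpoLink] = []
    for match in _LINK_RE.finditer(gplink or ""):
        gpo_dn, options = match.group(1), int(match.group(2))
        guid = _GUID_RE.match(gpo_dn)
        links.append(GpoLink(
            container_dn=container_dn,
            gpo_dn=gpo_dn,
            gpo_guid=guid.group(1).upper() if guid else None,
            disabled=bool(options & LINK_DISABLED),
            enforced=bool(options & LINK_ENFORCED),
        ))
    return links


def audit_gplinks(gplinks: Dict[str, str],
                  display_names: Dict[str, str],
                  approved_guids: Set[str]) -> List[str]:
    """Report links worth a second look: unknown GPOs, disabled or enforced links.

    gplinks maps container DN -> raw gPLink value (what the GC query returns);
    display_names maps GPO GUID -> displayName (what the -s base query returns).
    """
    findings: List[str] = []
    for container_dn, value in gplinks.items():
        for link in parse_gplink(container_dn, value):
            if link.gpo_guid is None:
                findings.append(f"{container_dn}: malformed link entry {link.gpo_dn!r}")
                continue
            name = display_names.get(link.gpo_guid, "<displayName not found>")
            if link.gpo_guid not in approved_guids:
                findings.append(f"{container_dn}: link to unapproved GPO {name} ({link.gpo_guid})")
            if link.disabled:
                findings.append(f"{container_dn}: link to {name} is disabled")
            if link.enforced:
                findings.append(f"{container_dn}: link to {name} is enforced")
    return findings


# Constructed sample input. The first two GUIDs are the ones quoted in the
# adfind output on this page; the third GUID, the Servers OU and the
# enforced/disabled option values are made up to exercise the flag handling.
SAMPLE_GPLINKS = {
    "OU=Domain Controllers,DC=joehome,DC=com":
        "[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]",
    "OU=Cmps,DC=joehome,DC=com":
        "[LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]"
        "[LDAP://cn={0F0F0F0F-0000-4000-8000-000000000001},cn=policies,cn=system,DC=joehome,DC=com;2]",
    "OU=Servers,DC=joehome,DC=com":
        "[LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;1]",
}
# 6AC1786C-... is the well-known GUID of the Default Domain Controllers Policy;
# the other displayName is an assumed value.
SAMPLE_DISPLAY_NAMES = {
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
    "61CF67FA-41FA-415C-B349-E7D182BDD54F": "Workstation Baseline",
}
APPROVED_GUIDS = set(SAMPLE_DISPLAY_NAMES)

if __name__ == "__main__":
    for finding in audit_gplinks(SAMPLE_GPLINKS, SAMPLE_DISPLAY_NAMES, APPROVED_GUIDS):
        print(finding)
```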
RE: [ActiveDir] DNS WMI Provider
And don't even think about the bugs and memory leaks!

-gil
RE: [ActiveDir] Publishing Applications
Yep - this is correct. Group Policy is somewhat of a misnomer, as it really doesn't have anything to do WITH groups, per se. To publish, it must be done to the containers to which GP can be applied: OU, Domain, Site. And you need Read and Apply Group Policy on the filter for the group.

BTW, what if you Assign? Is the outcome any different? IOW, does this only happen with publish, or with assign as well?

Finally, do you have the Group Policy Management Console? If not, get it. It will assist greatly with these types of issues on who, what, how, where can I do these things with GP. Find it at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=F39E9D60-7E41-4947-82F5-3330F37ADFEB

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
RE: [ActiveDir] DNS WMI Provider
Ahhh yes, the DNS WMI Provider. What a piece of ..., ok I won't go there :-)

What kills me is that the MSDN documentation has NEVER been right. Even after they updated it for 2003 it was still wrong. I've submitted corrections to newsgroups and even to an MS internal docs group, but have not seen any corrections on MSDN. I was really hoping they were going to fix the problems in 2003, but alas I was disappointed.

I find the WMI CIM Studio to be the best resource when you have questions about how a particular class is implemented. It is a little easier than digging through the MOF files.

Robbie Allen
http://www.rallenhome.com/
RE: [ActiveDir] Publishing Applications
Thanks for the info. I assign to computers specifically, which is a total hassle to manage.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, October 28, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Publishing Applications

Yep - this is correct. Group Policy is somewhat of a misnomer, as it really doesn't have anything to do WITH groups, per se. To publish, it must be done to the containers in which GP can be applied: OU, Domain, Site. And, you need Read and Apply Group Policy on the filter for the group.

BTW, what if you Assign? Is the outcome any different? IOW, does this only happen with publish or with assign as well?

Finally, do you have the Group Policy Management Console? If not, get it. It will assist greatly with these types of issues on who, what, how, where can I do these things with GP. Find it at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=F39E9D60-7E41-4947-82F5-3330F37ADFEB

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, October 28, 2003 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Publishing Applications

I don't believe you can publish applications to groups. You'd need to publish it to the OU which houses the user accounts, and then filter it by giving Read access to the GPO to the group of users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Publishing Applications

Greetings,

I am experiencing a problem with publishing applications through a GPO policy. We are running Windows 2003, in a Windows 2000 Native environment. SMS 2.0 is able to install the apps from the distribution point, but the Policy does not seem to be working. I have created an OU and added the policy to publish an application to this OU. I have placed a security group inside the OU for those who I want to have access. I have done a gpupdate /Force to refresh the policy on the DCs, as well as the clients. The application still does not show up in the add new programs inside the add/remove programs menu. I have done this before on the assigning computers, but never to a user account (group). What am I doing wrong?

Thanks,
Steve
[ActiveDir]
I believe a GPO was modified by someone with the appropriate 'rights', but that person did not communicate changes were to be made and now we see some strange issues. Issues are not the point of this question. Does anyone know of a way to determine who modified the GPO?

Thanks in advance,
Shawn

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir]
FullArmor FAZAM GPO Auditor... www.fullarmor.com
RE: [ActiveDir] Publishing Applications
Steve,

Something that has a tendency to escape some folks is that, like users, you can create a group for Computer Objects as well. Just because they are computer objects doesn't mean that they can't be in a group.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
[ActiveDir] Importing a LDIF file
Could anyone tell me how to import an LDIF file, from a LDAP directory, to an AD domain? I really appreciate it.

Juan
RE: [ActiveDir]
Great, but anything built in to the OS? Anyway I can point a finger at a DBA that is poking his hands where they do not belong. Please don't ask why they have rights... aarrgghhh

Shawn
RE: [ActiveDir] Importing a LDIF file
Use LDIFDE...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/sgw_install_ldifde.asp
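An LDIF export taken from another LDAP server is rarely importable into AD as-is: the DN suffix is different, and it carries server-maintained attributes (entryUUID, modifyTimestamp, a hashed userPassword) that AD refuses. The following is an added example of mine, not code from the thread or from the LDIFDE tool: it parses the LDIF (comments, folded lines, base64 values), rewrites the DN suffix on the dn and on DN-valued attributes such as member (the same substitution ldifde's -c switch performs), maps groupOfNames to AD's group class, drops the unsupported attributes and writes an import file with an explicit changetype. The sample export, the attribute deny-list and the class map are my assumptions for the example.

```python
"""Prepare an LDIF export from a non-AD LDAP directory for import with ldifde.

Added example for this thread; not part of LDIFDE or of any post in it. It
assumes an RFC 2849 LDIF export whose DN suffix differs from the target AD
domain and that carries operational attributes AD rejects on import.
"""
import base64

# Server-maintained attributes, or ones AD will not accept in a plain LDIF
# import (AD does not let you set a password this way). Assumed list.
DROP_ATTRIBUTES = {
    "userpassword", "entryuuid", "entrycsn", "creatorsname", "modifiersname",
    "createtimestamp", "modifytimestamp", "structuralobjectclass",
}
# Source object classes that exist in AD under a different name.
OBJECTCLASS_MAP = {"groupofnames": "group", "groupofuniquenames": "group"}


def parse_ldif(text):
    """Parse LDIF into a list of (dn, [(attribute, value), ...]) records.

    Handles comments, folded continuation lines (leading space) and base64
    values ("attr:: ..."), which are decoded to text.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], []
    for line in logical + [""]:                    # sentinel closes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip()
        current.append((name, value))
    out = []
    for rec in records:
        if rec[0][0].lower() != "dn":
            raise ValueError("record does not start with dn: %r" % (rec[0],))
        out.append((rec[0][1], rec[1:]))
    return out


def _replace_suffix(value, old_suffix, new_suffix):
    """Swap the DN suffix when value ends with old_suffix (DNs compare case-insensitively)."""
    if value.lower().endswith(old_suffix.lower()):
        return value[: len(value) - len(old_suffix)] + new_suffix
    return value


def rewrite_for_ad(records, old_suffix, new_suffix):
    """Rewrite DN suffixes (dn and DN-valued attributes such as member),
    map object classes and drop attributes AD will refuse."""
    out = []
    for dn, attrs in records:
        new_attrs = []
        for name, value in attrs:
            key = name.lower()
            if key in DROP_ATTRIBUTES:
                continue
            if key == "objectclass":
                value = OBJECTCLASS_MAP.get(value.lower(), value)
            new_attrs.append((name, _replace_suffix(value, old_suffix, new_suffix)))
        out.append((_replace_suffix(dn, old_suffix, new_suffix), new_attrs))
    return out


def _ldif_line(name, value):
    """Emit one attribute line; base64-encode anything LDIF cannot carry in clear."""
    safe = (value.isascii() and value == value.strip()
            and value[:1] not in (":", "<") and "\n" not in value and "\r" not in value)
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(records):
    """Serialise records as an ldifde import file with an explicit changetype."""
    chunks = []
    for dn, attrs in records:
        lines = [_ldif_line("dn", dn), "changetype: add"] + [_ldif_line(n, v) for n, v in attrs]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


# Constructed sample export (made-up data, OpenLDAP-style operational attributes).
SAMPLE_EXPORT = """\
# export from a non-AD LDAP directory
dn: uid=jibarra,ou=people,dc=example,dc=org
objectClass: top
objectClass: inetOrgPerson
cn: Juan Ibarra
sn: Ibarra
uid: jibarra
description:: SW1wb3J0ZWQgZnJvbSBMREFQ
userPassword: {SSHA}not-a-real-hash
entryUUID: 11111111-2222-3333-4444-555555555555
modifyTimestamp: 20031028120000Z

dn: cn=dba,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupOfNames
cn: dba
member: uid=jibarra,ou=people,dc=example,dc=org
"""


def prepare_sample():
    """Run the pipeline on the constructed sample; returns ldifde-ready text."""
    records = parse_ldif(SAMPLE_EXPORT)
    return to_ldif(rewrite_for_ad(records, "dc=example,dc=org", "DC=ad,DC=example,DC=com"))
```

The output of prepare_sample() is what you hand to ldifde -i -k -f file.ldf -s dc-name (the -k switch keeps going past per-entry errors and -j writes a log you can check afterwards). The parent containers (ou=people, ou=groups) have to exist in AD first, and because the password hashes are dropped, the imported users need passwords set through a separate, properly secured channel.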
RE: [ActiveDir]
File and Object auditing on the Sysvol and Policies directory explicitly should do the trick???... At least this would show who was making changes. At that point I can confront that person.. Sound correct?

Thanks Gil

Shawn

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 5:12 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir]

You can set up auditing in AD on the GPOs themselves by setting the SACLs... The accesses will show up in the security audit log. You can likewise set up auditing on the SYSVOL to track changes on the files. Use your favorite event log collector (e.g., Microsoft's MACS, which is in Beta). But translating the resulting mess of event log entries into something meaningful will be a challenge. And you won't be able to tell specifically what was changed. Just that it was changed.

-gil
[ActiveDir] Setting up Sites
We're going from 2 sites to 3 sites. So far, we've used the DEFAULTSITELINK for simplicity's sake and have the KCC creating replication links. The only thing we changed was the replication interval to every 15 minutes. With the creation of a 3rd site, plus to allow for future expansion, we're going to begin creating site links and such.

Site 1 and 2 are connected via a very high speed network. Site 3 is connected to Sites 1 and 2 via a T3. Connectivity to Site 3 is fast, but we still want to avoid unnecessary WAN authentication and optimize replication as much as possible.

I'm interested in people's opinions on setting up the metrics for the site links or any other suggestions you have for a relatively new AD implementation. I'm pretty familiar with how things work and have read through various whitepapers, but I'd like to hear people's real world experiences.

TTIA.
RE: [ActiveDir]
Shawn,

Separate verification that what Gil is telling you is correct. I've needed to set up just the same to manage some issues with an Admin that had rights that he really shouldn't have, yet was mandated by management that he have them. The only way to convince management was to prove that the problems being caused were coming from the careless actions of the Admin.

On another note, code name for MACS before the name was settled on - DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device was not a real Marketing win. Not that I think Microsoft Audit Collection Server is all that much better...

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
RE: [ActiveDir] Strange issue with NT4 to W3K AD authentication
That was it. I removed the trust, recreated it, and all works perfectly. Summabeech. You'd think there would be a way to verify this with a tool. None of the ones I have picked up on it. I played with security settings till I was blue in the face.

Thank god for security templates. Sure makes configuring all that stuff easy when you start messing with it. All I have to do is re-import my template, configure the computer, and it's done.

Thanks much, Tony.

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

You say that you haven't blown away the trust and recreated it. I would strongly recommend that you do this first and then rebuild the two way trust between your W2K3 production domain and your old NT 4.0 domain. Do this before you go ahead and build the other two-way trust. I realise you've verified the trusts with netdom, but I'm not sure if this always picks up all problems.

Tony
RE: [ActiveDir]
I was waiting for BRO and SIS to come along too after MOM and DAD. Maybe they were too close to BOB and made someone nervous :-)

Diane
RE: [ActiveDir]
Shawn-

You can use AD auditing to see changes to a GPO, since any GPO that is modified touches both the Group Policy Container object in AD as well as SYSVOL. Using the AD auditing event is a quick and dirty way of finding out who changed the GPO, although, as Gil mentioned, you can't really tell what was changed. If you audit SYSVOL as well, then you can at least pinpoint what policy area was modified by seeing which file within SYSVOL was affected.

Darren
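Gil's and Darren's answers describe two audit sources that have to be read together: the SACL on the groupPolicyContainer object tells you who touched a GPO, and the SACL on the matching SYSVOL folder tells you which file, and therefore which policy area, was written. The following is an added example of mine, not code from any post in the thread, that does that correlation over constructed audit records. It assumes the records were exported with the field names of the Windows Server 2008-and-later Security events 5136 (directory service object modified) and 4663 (object access); the Windows 2003-era events the thread had in mind use different IDs and layouts, but the logic is the same. The GUIDs, account names and the file-to-area table are my assumptions for the example.

```python
"""Attribute GPO changes from audit events: who changed which GPO, and which part.

Added example for this thread, not from any post in it. Assumes SACLs on the
groupPolicyContainer objects (CN=Policies,CN=System) and on the SYSVOL Policies
tree, and Security-log records exported with the field names of events 5136
and 4663 (Windows Server 2008+). Sample records below are constructed.
"""
import re
from collections import defaultdict

GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)
SYSVOL_RE = re.compile(r"\\Policies\\(\{[0-9A-F-]{36}\})\\(Machine|User)\\(.*)$", re.I)

# AccessMask bits that mean the file was changed rather than merely read:
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000

# Which policy area a SYSVOL file carries (assumed table for the example).
AREA_BY_FILE = {
    "registry.pol": "Administrative Templates",
    "gpttmpl.inf": "Security Settings",
    "scripts.ini": "Scripts",
    "gpt.ini": "GPO version stamp",
}


def gpo_guid_from_dn(dn):
    """GPO GUID from a groupPolicyContainer DN, or None for any other object."""
    m = GPO_DN_RE.match(dn)
    return m.group(1).upper() if m else None


def gpo_guid_from_path(path):
    """(GUID, 'Machine'|'User', area) from a SYSVOL policy file path, or None."""
    m = SYSVOL_RE.search(path)
    if not m:
        return None
    guid, scope, rest = m.groups()
    filename = rest.rsplit("\\", 1)[-1].lower()
    return guid.upper(), scope.capitalize(), AREA_BY_FILE.get(filename, rest)


def correlate(events):
    """Group 5136/4663 records by GPO GUID -> {actors, attributes, changed_files}."""
    result = defaultdict(lambda: {"actors": set(), "attributes": [], "changed_files": []})
    for ev in events:
        actor = "%s\\%s" % (ev.get("SubjectDomainName", "?"), ev.get("SubjectUserName", "?"))
        if ev.get("EventID") == 5136 and ev.get("ObjectClass", "").lower() == "grouppolicycontainer":
            guid = gpo_guid_from_dn(ev.get("ObjectDN", ""))
            if guid:
                result[guid]["actors"].add(actor)
                result[guid]["attributes"].append(
                    (ev.get("AttributeLDAPDisplayName"), ev.get("AttributeValue")))
        elif ev.get("EventID") == 4663:
            try:
                mask = int(ev.get("AccessMask", "0"), 16)
            except ValueError:
                continue
            parsed = gpo_guid_from_path(ev.get("ObjectName", ""))
            if parsed and mask & WRITE_MASK:       # skip reads and non-policy files
                guid, scope, area = parsed
                result[guid]["actors"].add(actor)
                result[guid]["changed_files"].append((scope, area))
    return dict(result)


def summarize(events):
    """One line per GPO: who changed it and which policy areas were written."""
    lines = []
    for guid, info in sorted(correlate(events).items()):
        areas = ", ".join("%s/%s" % f for f in info["changed_files"]) or "no SYSVOL writes seen"
        lines.append("%s changed by %s: %s" % (guid, ", ".join(sorted(info["actors"])), areas))
    return lines


# Constructed sample records (GUIDs and names made up for the example).
GPO_A = "{A1B2C3D4-0000-4000-8000-000000000001}"
GPO_B = "{A1B2C3D4-0000-4000-8000-000000000002}"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "dba_admin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN=%s,CN=Policies,CN=System,DC=corp,DC=example,DC=com" % GPO_A,
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "65539"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "dba_admin", "AccessMask": "0x2",
     "ObjectName": r"\\?\C:\Windows\SYSVOL\domain\Policies\%s\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" % GPO_A},
    {"EventID": 5136, "SubjectDomainName": "CORP", "SubjectUserName": "gpoadmin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN=%s,CN=Policies,CN=System,DC=corp,DC=example,DC=com" % GPO_B,
     "AttributeLDAPDisplayName": "displayName", "AttributeValue": "Workstation Lockdown"},
    # a workstation reading GPO_B's Registry.pol at policy refresh: not a change
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "WS01$", "AccessMask": "0x1",
     "ObjectName": r"\\?\C:\Windows\SYSVOL\domain\Policies\%s\User\Registry.pol" % GPO_B},
    # a write outside the Policies tree: not a GPO change
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "dba_admin", "AccessMask": "0x2",
     "ObjectName": r"\\?\C:\Windows\SYSVOL\domain\scripts\logon.bat"},
]
```

Two things the sample is built to show: the noise Gil warned about is mostly policy-refresh reads, which the AccessMask filter discards, and a 5136 with no matching SYSVOL write (GPO_B) usually means an AD-only change such as a rename or a link change. The event volume on a busy domain is why a collector (MACS in the thread, a SIEM today) sits in front of logic like this.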