RE: [ActiveDir] Do I really need to add UPNs?
actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest.

In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixes when added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute.

But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours.

Cheers,
Guido

From: joe [mailto:[EMAIL PROTECTED]
Sent: Samstag, 20. März 2004 03:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Ah, see I may be getting old but I can kind of remember. :o)

Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o)

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "across the trust" for authentication.

This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix.

/Guido

From: joe [mailto:[EMAIL PROTECTED]
Sent: Freitag, 19. März 2004 01:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting...

It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account. I want to say it has something to do with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this.

Maybe Eric or Guido or Dean has something they can think of really quick...

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, March 18, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do I really need to add UPNs?

Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to add it via script, I use Robbie's recipe 6.32.

But I can create all the users I want programmatically with any UPN I want without putting that UPN into the uPNSuffixes attribute.

Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
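The routing behaviour discussed in this thread, as an added example that is not code from any poster or from Microsoft: a simplified Python model that audits which UPN suffixes in use are registered and decides whether a UPN logon would be passed across a forest trust. It assumes routing is a label-boundary suffix match against the enabled top-level names minus exclusions; the function names, the sample users and `thirdcompany.example` are constructed for illustration.

```python
# Added example: simplified model of UPN suffix routing across a forest trust.
# Function names, sample UPNs and the exclusion are constructed, not real data.


def upn_suffix(upn):
    """Return the lower-cased suffix (text after the last '@') of a UPN."""
    name, sep, suffix = upn.rpartition("@")
    if not (sep and name and suffix):
        raise ValueError("not a UPN: %r" % upn)
    return suffix.lower()


def covers(parent, name):
    """True if name equals parent or is a DNS subordinate of it.

    The match is on label boundaries, so 'notmycompany.net' is NOT
    covered by 'mycompany.net'.
    """
    parent, name = parent.lower(), name.lower()
    return name == parent or name.endswith("." + parent)


def top_level_names(domain_names, upn_suffixes):
    """Names the trusted forest can offer for routing (assumed model).

    Domain DNS names (the implicit suffixes) plus the values registered in
    uPNSuffixes, collapsed so that subordinate names fall under their parent.
    """
    names = {n.lower() for n in domain_names} | {n.lower() for n in upn_suffixes}
    return sorted(n for n in names
                  if not any(p != n and covers(p, n) for p in names))


def routed(upn, enabled_tlns, exclusions=()):
    """Would the trusting forest pass this UPN logon across the trust?"""
    suffix = upn_suffix(upn)
    if any(covers(e, suffix) for e in exclusions):
        return False  # the trusting side carved this namespace out
    return any(covers(t, suffix) for t in enabled_tlns)


def audit(upns, domain_names, upn_suffixes):
    """Classify every UPN suffix in use in the trusted forest.

    registered   - a domain name or a uPNSuffixes value
    subordinate  - not registered, but below a published top-level name
    unregistered - set on users only; no routing entry can ever match it
    """
    registered = ({n.lower() for n in domain_names}
                  | {n.lower() for n in upn_suffixes})
    tlns = top_level_names(domain_names, upn_suffixes)
    result = {}
    for upn in upns:
        s = upn_suffix(upn)
        if s in registered:
            result[s] = "registered"
        elif any(covers(t, s) for t in tlns):
            result[s] = "subordinate"
        else:
            result[s] = "unregistered"
    return result


# Constructed sample forest, reusing the suffix names quoted in the thread.
DOMAINS = ["mycompany.net"]            # forest root: implicit UPN suffix
UPN_SUFFIXES = ["othercompany.net"]    # value added to uPNSuffixes
USERS = [
    "alice@mycompany.net",
    "bob@othercompany.net",
    "carol@otherOrg.mycompany.net",    # subordinate, never registered
    "dave@thirdcompany.example",       # set on the user object only
]

if __name__ == "__main__":
    tlns = top_level_names(DOMAINS, UPN_SUFFIXES)
    print("published top-level names:", tlns)
    for suffix, status in sorted(audit(USERS, DOMAINS, UPN_SUFFIXES).items()):
        print("%-28s %s" % (suffix, status))
    for upn in USERS:
        print("%-32s routed=%s" % (upn, routed(upn, tlns)))
```

Suffixes reported as `unregistered` are the ones to review before relying on UPN logon in the trusting forest.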
RE: [ActiveDir] Do I really need to add UPNs?
there'll be quite a few more folks standing at the bar that you'd love to chat with... - really worth it!

From: joe [mailto:[EMAIL PROTECTED]
Sent: Samstag, 20. März 2004 04:44
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Poor excuse, you learn better when people are standing around ripping on you. Sort of like being thrown in the middle of the lake. Anyway, who says I won't be the one doing all the learning?

We will expect to see you at the bar in the Hyatt Sunday, Monday, Tuesday, Wednesday. I'll be the one being propped up Guido, Robbie, and Gil. My boss will be there too and you can ask how in the world he can put up with me.

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 9:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

I'm only an hour and a half away, but I came to the conclusion that I wasn't ready to be in the same place with all you real experts. :-P

Performance anxiety, you know. :-P
RE: [ActiveDir] Changing ACLs via VBscript
Last trip was to Bahamas in December... tough to do that one with just a backpack if you know what I mean. :op

Other than that it was a flight to Redmond Sept 2002 right when new regulations and such were kicking in and everyone seemed rather confused on what you could and couldn't do anymore.

And yes, you should be seeing me in a couple of weeks. :o)

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 20, 2004 2:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

"Anyone know if I can get on a plane with a backpack and a laptop backpack? If so I don't need to check baggage. It is the MVP backpack (smallish) and a Dell laptop backpack."

Yep - you can. Haven't travelled much lately, huh? :o)

Enjoy yourself at DEC, and give my regards to everyone. I'll see you all in a couple of weeks anyway, right?

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 19, 2004 9:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

You will like perl... I am a c guy myself. The first time I picked up K&R I sat there going "of course" "of course" "of course" "of course" through the whole book. I had a precursor to that though that made it work so well for me... DEC Macro Assembler on a DEC PDP11 (34 and 84). Little things like the ++ came right straight from commands built into the Macro Assembler and DEC instructions. Actually if I could find my old Macro Asm stuff you would find macros/functions that I had written that made my ASM code very c-like before I actually saw c.

Think of perl as c with really good string manipulation. It is actually easier than c and you don't tend to get bitten as easily nor as hard. And if you want, it isn't too bad to extend perl with c compiled code so if you have that 'thing' you just have to do in c, you can do it, and call it from perl.

Probably the biggest gripe I have against perl that I liked in c was you ALWAYS have to enclose statement blocks in perl, where in c it was only good form. ;o)

I.E.
In perl if (some condition) {some action};
in c if (some condition) some action;

If you reverse it the biggest gripe I have against c is that perl has AWESOME regular expression functionality. At first REGEX's scare people. Once you get into them you have a hard time doing without. They have some regex libraries for c but I haven't seen one I really liked yet, not as transparent as perl's regex capability. I missed the HASH (Associative Array) as well until I started getting decent with the STL map<string,string>. If you use the STL a lot then you will also like perl.

Give it a try, you will be shocked I think.

Oh btw, if you really start liking perl, check out the whole activestate site because they have res kits and gui dev environments and tools for compiling perl code to executable, etc. They also have fun stuff for obfuscating your scripts so it is tough for people to read them. I have seen packages that turn your script into piglatin, morse code, semi-random gibberish, and the scripts still run fine.

Anyone know if I can get on a plane with a backpack and a laptop backpack? If so I don't need to check baggage. It is the MVP backpack (smallish) and a Dell laptop backpack.

joe

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 9:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Eh, and I wish everything worked with K&R C. :-)

'Twas my primary language for 15 years, and it's still what I "think" in.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 19, 2004 9:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

See now this is why Microsoft should just install AS Perl by default. I don't want them to buy AS, they can fund them all they want though. I do not want Perl being turned into PerlBasic.

I did like Basic at one point... I think that point was 1987 or maybe 1986.

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Yes, it's posted
RE: [ActiveDir] Do I really need to add UPNs?
It will only take three to prop me up though...

See you in Reston Michael. ;o)

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
RE: [ActiveDir] Do I really need to add UPNs?
Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely.

PS - Can't take yer liquor huh Joe? :-)

See you guys at the summit.

--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com
RE: [ActiveDir] Do I really need to add UPNs?
Oh, yeah - I remember the last heated discussion. When you've got Stuart on the run, you don't give up, do you? ;o)

Looking forward to some 'brothers-in-arms' time in Redmond.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
RE: [ActiveDir] Do I really need to add UPNs?
Brothers in arms...??? COME ON RICK! It's Dean. I've got an idea. let's discuss it offline ;)

BTW, Dean I'm just the Indian Swede with a bizarre life according to Rick... :) LOL

Do the word Geotard come to mind ;)

/The Swede

Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --
RE: [ActiveDir] Do I really need to add UPNs?
I just realized, nobody knows me on this list besides Dean, Tony and Rick I hope I'm not beeing flamed because of this. :) Regards, /Jimmy the Swede - Jimmy Andersson, Q Advice AB Principal AdvisorMicrosoft MVP - Directory Services-- www.qadvice.com -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy AnderssonSent: Saturday, March 20, 2004 10:29 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Brothers in arms...??? COME ON RICK! It's Dean. I've go an idea. let's discuss it offline ;) BTW, Dean I'm just the Indian Swede with a bizzare life according to Rick... :) LOLDo the word Geotard come to mind ;) /The Swede - Jimmy Andersson, Q Advice AB Principal AdvisorMicrosoft MVP - Directory Services-- www.qadvice.com -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick KingslanSent: Saturday, March 20, 2004 7:05 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Oh, yeah - I remember the last heated discussion. When you've got Stuart on the run, you don't give up, do you? ;o) Looking forward to some 'brothers-in-arms' time in Redmond. Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft MVP:Windows Server / Directory ServicesWindows Server / Rights ManagementAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzoneWebLog - www.msmvps.com/willhack4food From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing list (Send)Subject: RE: [ActiveDir] Do I really need to add UPNs? Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. 
PS - Can't take yer liquor huh Joe? :-) See you guys at the summit.

--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Saturday, March 20, 2004 4:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you log on to a workstation in the trusting forest with a UPN defined in the trusted forest.

In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixes when added to the upnSuffixes attribute.

So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute.

But I guess I still earned the beer ;-) I won't be on my way for another 6 hours.

Cheers,
Guido

From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, 20 March 2004 03:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o)

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?
Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "across the trust" for authentication.

This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix.

/Guido

From:
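The suffix-routing rule discussed in this thread, as an added example that is not part of the original messages: a simplified Python model that audits which user UPNs a trusting forest could route, given the trusted forest's root name and its uPNSuffixes list. The function names and the sample inventory are constructed, and the model assumes every listed suffix is enabled on the trust (it ignores disabled or conflicting entries).

```python
# Added example, not from the thread: simplified model of forest-trust
# name-suffix routing. All names and sample data below are constructed.

def labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def is_under(name, suffix):
    """True if name equals suffix or is subordinate to it (label boundary)."""
    n, s = labels(name), labels(suffix)
    return len(n) >= len(s) and n[-len(s):] == s

def routable(upn_suffix, tlns, exclusions=()):
    """A suffix is routed if a top-level name (TLN) covers it and no
    exclusion carves it out again."""
    if any(is_under(upn_suffix, e) for e in exclusions):
        return False
    return any(is_under(upn_suffix, t) for t in tlns)

def audit_upns(upns, root_names, upn_suffixes, exclusions=()):
    """Return the UPNs the trusting forest could not route: suffix neither
    implicit (under a forest root name) nor listed in uPNSuffixes."""
    tlns = list(root_names) + list(upn_suffixes)
    return [u for u in upns
            if not routable(u.rpartition("@")[2], tlns, exclusions)]

# Constructed inventory of the trusted forest (suffixes follow the thread's
# examples; thirdcompany.net and notmycompany.net are made up).
ROOT_NAMES = ["mycompany.net"]
UPN_SUFFIXES = ["othercompany.net"]          # contents of uPNSuffixes
USER_UPNS = [
    "alice@mycompany.net",
    "bob@otherOrg.mycompany.net",            # subordinate of the root TLN
    "carol@othercompany.net",                # alternate suffix, registered
    "dave@thirdcompany.net",                 # set on the user only
    "eve@notmycompany.net",                  # not a subordinate: no label match
]

if __name__ == "__main__":
    for upn in audit_upns(USER_UPNS, ROOT_NAMES, UPN_SUFFIXES):
        print("not routable across the trust:", upn)
```

Against a live forest the three inputs would come from the users' userPrincipalName values, the forest's tree root names, and the uPNSuffixes attribute named in the thread.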
RE: [ActiveDir] OT HIPAA Security Risk Analysis
Can you point me to a software package that can conduct this analysis or do you have something that you could send over that would help us develop a methodology in-house?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 20, 2004 2:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT HIPAA Security Risk Analysis

Same Risk Analysis that would be used for Sarb-Ox, GLB - really, it doesn't matter. It's a methodology of determining who owns the data (you're either a data custodian (you properly have data from someone else), you are the data owner (well, you own the data) or a thief (you don't own the data)) and seeing that the data owner understands the classification of the data (Private, sensitive, confidential, etc.) and that it is classified properly.

Once it's classified, then you must have procedures and processes to go with the classifications that match with HIPAA - this will determine how the Data Custodian must deal with the data. The Data Custodian cannot classify your data - it's not his.

Once the classification of the data is done, the Risk Analysis pretty much falls into place with the same quantitative and qualitative methods as any other type of RA. Be sure to consider what methods of transmission, what the likelihood of the data being compromised while it's in your possession, out of your possession, and how you can transfer the risk. Remember, there are lots of ways to transfer the risk, number one being Insurance, number two out-sourcing.

Hope that gives you a start.
Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, March 19, 2004 9:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] OT HIPAA Security Risk Analysis

Is anyone here in the Healthcare field? If you are, what Risk Analysis methodology are you using to move forward with the HIPAA Security Rule?
RE: [ActiveDir] password gpo for a special group
Joe - thanks for the note of confidence. :-)

It's true - we put the actual complexity code on a separate server, which does provide lots of other functions: synchronization, self-service reset, user enrollment, etc. etc. We can enforce all sorts of password policy rules, and it is possible to enforce different rules for different user populations (though that isn't the default behaviour).

Most of that functionality is probably beyond the scope of this list, so perhaps we should move this discussion off-line?

On Fri, 19 Mar 2004, joe wrote:

There are several companies that put out password filters. I can't say that PSYNCH is the best as I never did a comprehensive study on who is doing what in that area; however, we do use PSYNCH for a fairly large corporation and it works well. Nota Bene: we mostly use the product for syncing passwords across multiple platforms, we do not use any special complexity filtering. However I do have confidence in their ability to do so. PSYNCH does use an extra server to do the work though, it isn't completely enclosed functionality in a single DLL that goes on your Domain Controllers unless they have made changes that I am unaware of (quite possible).

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sieber R., DP ITS, FII, DD
Sent: Friday, March 19, 2004 12:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] password gpo for a special group

Hi Idan,

does psynch really do what we are looking for? Does anybody have experience with such software? Is there other software out there?

Robert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 5:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] password gpo for a special group

Robert,

This can be done with the password filter DLL installed on DCs. It requires either programming (be very very careful! mistakes in this DLL will crash your DC's operating system), or a product that looks after password management in general, and password policy enforcement in particular (same technology, somebody else has already done the QA).

If you are interested in pursuing the product route, please visit http://psynch.com/.

Good luck!

-- Idan

On Thu, 18 Mar 2004, Sieber R., DP ITS, FII, DD wrote:

Hello all,

I've a little problem :-) I want to realize a different password policy for one group of users. The password settings are computer settings, so I'm a little bit confused about how to realize this. Does anyone have an idea?

sincerely yours
Robert Sieber
--
Deutsche Post ITSolutions GmbH
it-systems / infrastructur
Gerokstr. 18-20
D-01307 Dresden
Phone:+49 (351) 4567 762
Fax: +49 (351) 4567 709
eMail:mailto:[EMAIL PROTECTED]
web: http://dp-itsolutions.de

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/