RE: [ActiveDir] LDAP filter
He hasn't published them anywhere formally. I bet Carlos would host them on his dirteam site though. I'll send a binary along to him and perhaps he can follow up here with the URL.

Joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, May 24, 2004 5:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Do you have a URL for Dave Stucki's libraries?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
[ActiveDir] OT -- to ActiveDir Mailinglist admins
Hi,

Is there any chance that I or someone else could change my e-mail address on this list? We've changed our e-mail addresses a few weeks back. I am still able to receive mails on my old address, but my reply address has changed (as a first stage). This results in being unable to send to the mailing list. Mailed this e-mail after making a change in Exchange ;o)

Thanks,

old e-mail address: [EMAIL PROTECTED]
new e-mail address: [EMAIL PROTECTED]

Confidentiality note: This e-mail and any files attached to it may be privileged and/or confidential. The information transmitted may also be protected by intellectual property rights. It is for the intended addressee only. The unauthorized use, disclosure or copying of this e-mail, or any information it contains, is strictly prohibited. If you are not the intended addressee, please notify the sender immediately and delete the material from any computer.
RE: [ActiveDir] AD and Exchange not sharing.
That's an issue with your offline address book settings - you're either not generating new ones or your clients are not downloading them.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Steve Shaff [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Problem is with caching on the Outlook client. When caching is turned off the AD information is displayed. When caching is turned on, the previous (erroneous or blank) information is displayed. Can you beat that.??..:)

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Thanks, I will check on that.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 24, 2004 2:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and Exchange not sharing.

RUS = Recipient Update Service. It runs on one or more of your Exchange servers and is responsible for updating recipients. Specifically, if you see problems with the GAL, it's often the culprit. When you checked the logs, did you check them on the Exchange server that has the RUS? You can find it via ESM in the Recipients | Recipient Update Services node. When you click on whichever one is for your domain that has the user accounts, it will give the properties which will tell you which server hosts it.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

That couldn't be a RUS problem could it? ;)

Sorry, but I don't know what RUS stands for.

Have you checked the logs for the past 24-48 hours? What do you see (Check the Exchange server that has the RUS).

Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

What about topology? Do you have only W2K3 and E2K3 servers?

All of our domain controllers are W2K3, as well as the Exchange servers. File servers are mixed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Office 2003 running on Windows XP, some using cache and some are not. Domain is running under W2K3 servers, 2k native, with an Exchange 2003 Server.

Thanks,
S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Monday, May 24, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Hi Steve

What sort of clients are you experiencing the problem with? If the problem clients are using Outlook 2000 in off-line mode or Outlook 2003 in cached mode then it is conceivable that they are configured with the "no details" mode in the download address book options. Maybe you could give us a few more details about the environment (versions, whether it is mixed or native mode, etc.).

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, 24 May 2004 18:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and Exchange not sharing.
Importance: High

It appears that Exchange and the AD are not syncing information. We have recently discovered that, under the global address list (displayed in Outlook), user name properties, the address, phone, etc. are blank, even though in ADUC the address, department, phone are listed. It seems only to be happening for a handful of people. Does anyone know how to fix this? Or what the problem may be?

Thanks,
S
[ActiveDir] go to my pc, revisted
i've posted before about this issue. a recap- my cio wants to give himself and some managers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services.

i'm trying to push remote desktop web services but he's not biting. he feels installing IIS and configuring it on the target pc is just as much of a headache (i counter that that's why you have a salaried IT staff and that's the price you pay for complete control). also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea either.

i guess i'm looking for some more info on go to my pc and how it really works and why it's a really bad idea (documentation or technical reasons) and why jumping thru hoops to get remote desktop web is really worth it in comparison (disregarding vpn for the moment).

and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well.

Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] task pads
Hi all,

I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? I am thinking creating a task pad will do this, but I have not ever done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072
RE: [ActiveDir] OT: Runas command not working from command line
That was one of the first things I looked for, but no dice - There is only 1 copy of runas.exe on the machine, in the system32 directory.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Byron Fackenthall
Sent: Monday, May 24, 2004 10:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Runas command not working from command line

There is probably a different version of runas that has gotten into an earlier position in your path.

    FOR %I IN (runas.exe) DO Dir %~$PATH:I

Will tell you what directory the exe is in when running from the command line. If it is different from your shortcut, check your path statement.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Monday, May 24, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Runas command not working from command line

Sorry for the offtopic post but have not been able to find the answer...

On my workstation, the runas command no longer works from the command line. When I try to run anything using runas from the command line, I get a dialog box titled "runas.exe - Application Error", with the text "The exception unknown software exception (0xc0fd) occurred in the application at location 0x71002399."

If I try to run the same thing by right-clicking its icon in Explorer and selecting Run As... it works fine. The exact same command 'used to' work on my workstation, and still does on other workstations. The syntax I'm using is:

    runas /user:domain\userid command

I have no idea what caused this to stop working. <User Mode> Of COURSE I haven't changed anything ! </User Mode>

Any ideas what to look for ? I really don't want to rebuild my machine just for this, but I also really want my runas back !

Dave
RE: [ActiveDir] go to my pc, revisted
You don't have to do anything to your firewall for Goto My PC to work. In fact, that is basically their business model: they let users access their work PCs without involvement from those pesky IT and security Nazis. I'd be willing to bet that there are MANY companies out there who have Goto My PC users and don't even know it!

How is this possible? The trick is that their software opens an HTTP (HTTPS?) connection to the Goto My PC servers. To your firewall, it just looks like normal web traffic. To their credit, they have a section on their web site on how to block access to their service (which we have done).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 25, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] go to my pc, revisted

i've posted before about this issue. a recap- my cio wants to give himself and some managers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services.

i'm trying to push remote desktop web services but he's not biting. he feels installing IIS and configuring it on the target pc is just as much of a headache (i counter that that's why you have a salaried IT staff and that's the price you pay for complete control). also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea either.

i guess i'm looking for some more info on go to my pc and how it really works and why it's a really bad idea (documentation or technical reasons) and why jumping thru hoops to get remote desktop web is really worth it in comparison (disregarding vpn for the moment).

and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well.

Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument.
Re: [ActiveDir] go to my pc, revisted
Couple of questions Tom. Where do the managers want to access their PCs from? What is your operating systems base? Are all of your managers' machines windows xp? Do you have vpn enabled at your site? Is there a requirement that they be able to access the machines via a web interface?

From: Kern, Tom [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 25 May 2004 09:16:30 -0400
To: [EMAIL PROTECTED]
Subject: [ActiveDir] go to my pc, revisted

i've posted before about this issue. a recap- my cio wants to give himself and some managers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services.

i'm trying to push remote desktop web services but he's not biting. he feels installing IIS and configuring it on the target pc is just as much of a headache (i counter that that's why you have a salaried IT staff and that's the price you pay for complete control). also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea either.

i guess i'm looking for some more info on go to my pc and how it really works and why it's a really bad idea (documentation or technical reasons) and why jumping thru hoops to get remote desktop web is really worth it in comparison (disregarding vpn for the moment).

and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well.

Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument.

Sent using the Microsoft Entourage 2004 for Mac Test Drive.
RE: [ActiveDir] task pads
? You want to give some sort of secretary a MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well for both the current and destination OU's it sounds like.

Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,

I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? I am thinking creating a task pad will do this, but I have not ever done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072
[ActiveDir] Weird AD GPO problem
We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software.

However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients. Any idea what is holding on to the wrong GPO settings and how that can be cleared out?

Windows 2000 AD Domain - mixed mode.

I also refreshed the policy on the DCs:

    secedit /refreshpolicy machine_policy /enforce
    secedit /refreshpolicy user_policy /enforce

Christoph

__
This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
__
Re: [ActiveDir] OT: Exchange 2003 SP1
Also continuing the OT note, it seems that the long-awaited server-side spam filtering system (IMF) is available too:

http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1

: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony
~~
RE: [ActiveDir] Weird AD GPO problem
Christoph-

Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring up gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 7:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird AD GPO problem

We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software.

However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients. Any idea what is holding on to the wrong GPO settings and how that can be cleared out?

Windows 2000 AD Domain - mixed mode.

I also refreshed the policy on the DCs:

    secedit /refreshpolicy machine_policy /enforce
    secedit /refreshpolicy user_policy /enforce

Christoph
RE: [ActiveDir] Ad forest migration
any known gotchas (i know everything has gotchas) with admtv2, miis, and exchange migration wizard that i should be aware of from the get go?

also, i assume going this route over Aelita/quest is the support and nice gui.

and finally, how would i re-acl everything on the servers in the new forest? any tool or script for that?

thanks (lot of questions, i know. but i'll let you know how it went and if i crashed and burned my enterprise!!).

-----Original Message-----
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration

The Exchange Migration Wizard.

http://support.microsoft.com/default.aspx?scid=kb;en-us;328871

----- Original Message -----
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:13 PM
Subject: RE: [ActiveDir] Ad forest migration

i'm sorry if this is obvious but, what's a good exchange migration tool that comes with exchange2k/2k3? and how does it differ from using exmerge to migrate mailboxes to pst's and then import them into the new server/forest?

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mon 5/24/2004 5:07 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Ad forest migration

Probably wouldn't use exmerge in favor of Exchange migration tools included with Exchange. And it would be worth it to use Exchange 2003 (tools at least), but otherwise it can be done. Aelita is just nicer and easier to work with. Both work.

al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, May 24, 2004 4:24 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Ad forest migration

I'm on a serious budget and my IT dept doesn't have/want the money to spend on Aelita migration tools. we are looking to migrate our child domain into our own forest with exchange 2k and still synch our gals. how much hubris would it be to do most of this with free tools like ADMTv2, MIIS, and exmerge?

am I insane?

thanks
RE: [ActiveDir] go to my pc, revisited
There is a pretty good description of their security if you visit www.go2mypc.com and follow the How it Works links to the Security White Paper. The diagram in the PDF shows use of RSA SecurID as an option you could use in conjunction with what is already in place.

We don't allow users to VPN in to the company from their personal computers. If you do support this, then any trojans, viruses, etc. that they have on their personal computers are now on your internal network. One advantage of Go2MyPC is that it acts more like a pcAnywhere session but you aren't putting the remote computer directly onto your internal network. They can still transfer files, good or bad, to their PCs, but chances are they could bring in a floppy or CD and do the same when in the office.

Certainly Expertcity's entire reputation (now owned by Citrix) is based on their security model. Whether you choose to trust them or not is a decision you have to make, just as you would if you were outsourcing your VPN infrastructure.

If your office PCs use Windows XP and your users are able to connect by VPN, you could choose to enable Remote Desktop. This allows you to use your PC like you would remotely administer a server with the same RDP client. You don't need to install anything additional to use this capability, but it is disabled by default and you would need to configure the allowed accounts on each PC.

If you must allow connection from non-company PCs, then Go2MyPC might be worth consideration. I would prefer to not allow non-company PCs at all, but you may not have that choice.

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 8:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] go to my pc, revisted

1. where? mostly from home, though i'm sure some will from hotels as well.
2. win2k/xp.
3. we have a cisco vpn concentrator
4. there's a desire to have them access their machines without any client software install or config. minimal involvement on their part is the attraction.

thanks

-----Original Message-----
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] go to my pc, revisted

Couple of questions Tom. Where do the managers want to access their PCs from? What is your operating systems base? Are all of your managers' machines windows xp? Do you have vpn enabled at your site? Is there a requirement that they be able to access the machines via a web interface?

From: Kern, Tom [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 25 May 2004 09:16:30 -0400
To: [EMAIL PROTECTED]
Subject: [ActiveDir] go to my pc, revisted

i've posted before about this issue. a recap- my cio wants to give himself and some managers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services.

i'm trying to push remote desktop web services but he's not biting. he feels installing IIS and configuring it on the target pc is just as much of a headache (i counter that that's why you have a salaried IT staff and that's the price you pay for complete control). also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea either.

i guess i'm looking for some more info on go to my pc and how it really works and why it's a really bad idea (documentation or technical reasons) and why jumping thru hoops to get remote desktop web is really worth it in comparison (disregarding vpn for the moment).

and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well.

Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument.
RE: [ActiveDir] go to my pc, revisted
they seem to have a decent security policy-

https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Corporate_Security_FAQs.pdf

so outside from the outsourcing issue and money spent, it seems ok. i think..

-----Original Message-----
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] go to my pc, revisted

Couple of questions Tom. Where do the managers want to access their PCs from? What is your operating systems base? Are all of your managers' machines windows xp? Do you have vpn enabled at your site? Is there a requirement that they be able to access the machines via a web interface?

From: Kern, Tom [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 25 May 2004 09:16:30 -0400
To: [EMAIL PROTECTED]
Subject: [ActiveDir] go to my pc, revisted

i've posted before about this issue. a recap- my cio wants to give himself and some managers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services.

i'm trying to push remote desktop web services but he's not biting. he feels installing IIS and configuring it on the target pc is just as much of a headache (i counter that that's why you have a salaried IT staff and that's the price you pay for complete control). also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea either.

i guess i'm looking for some more info on go to my pc and how it really works and why it's a really bad idea (documentation or technical reasons) and why jumping thru hoops to get remote desktop web is really worth it in comparison (disregarding vpn for the moment).

and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well.

Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument.
Re: [ActiveDir] go to my pc, revisted
If you truly want to block the use of go to my pc, I would suggest approaching this from the standpoint of other users. You don't want someone in accounting who just got fired to be able to go home and utilize gotomypc. Therefore the gotomypc site would need to be blocked at the proxy level to ensure the security of the organization. Perhaps you can also look into some industry regulations about requirements of privacy, I am grasping at straws here, but talk to legal about what your role in HIPAA or Sarbanes Oxley might be. I haven't read the specifications, but see if there is something in one of the many regulatory compliance laws that you can leverage to your benefit. Then I would setup a demo of the builtin rdp client on windows xp. You can access it by typing mstsc at the command line with no additional software if you are running windows xp. The only software install issue is if you want to use the cisco ipsec client as opposed to the builtin pptp client for accessing the network over vpn. Of course, if your managers are running something other than windows xp the rdp client will have to be installed. You could build packages for both rdp and cisco so that a single msi will install both packages preconfigured to your specifications. Consider that if your boss really wants this done, all your efforts to buck his decision could be a CLM. I would recommend against exposing each individual pc to the internet via iis and the remotedesktop activex component, but that is just me. From: Kern, Tom [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 25 May 2004 11:01:42 -0400 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] go to my pc, revisted 1. where? mostly from home, though i'm sure some will from hotels as well. 2.win2k/xp. 3.we have a cisco vpn concentrator 4.there's a desire to have them access their machines without any client software install or config. minimal involvment on their part is the attraction. 
thanks -Original Message- From: Brent Westmoreland [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 10:10 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] go to my pc, revisted Couple of questions Tom. Where do the managers want to access their PCs from? What is your operating systems base? Are all of your managers machines windows xp? Do you have vpn enabled at your site? Is there a requirement that they be able to access the machines via a web interface? From: Kern, Tom [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 25 May 2004 09:16:30 -0400 To: [EMAIL PROTECTED] Subject: [ActiveDir] go to my pc, revisted i've posted before about this issue. a recap- my cio wants to give himself and some mangers access to their office pc's via Go To My PC. the attraction is no client to install and configure ala vpn or terminal services. i'm trying to push remote desktop web services but he's not bitting. he feels installing IIS and configuring it on the target pc is just as much of a headache( i counter that thats why you have a salaried IT staff and thats the price you pay for complete control). also, he thinks IIS has had a history of vulnerablities whereas Go To My PC has had none so far and is relaible. also, on my side, don't i have to then set up Port address translation on my firewall/router for this to work? the client would have to connect via ip or i have to make a dns entry on my public dns server for everyone who wants to connect to their office? i don't see that as a good idea ethier. i guess i'm looking for some more info on go to my pc and how it really works and why its a really bad idea(documentation or techincal reasons) and why jumping thru hoops to get remote desktop web is really worht it in comparison(disregarding vpn for the moment). and finally, someone has stated on this list that the target pc can only run on winxp but i see the activex control download for win2k and nt as well. 
Thanks and i apologize for bringing this up again, but i really HATE the idea of Go To My Pc and outsourcing my security to some third party. I just need some more ammo for my argument. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Looking for a tool that displays SID
In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
RE: [ActiveDir] task pads
Title: task pads Rick- Another option to consider is to use security group filtering on that GPO instead of relying on moving machines around. In other words, permission the GPO so that only machines that are part of the "O2K3 Install" group will process the policy. Then, getting Office installed is simply a matter of adding a machine to a group rather than having to move machines back and forth between OUs. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Tuesday, May 25, 2004 9:18 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] task pads We want to have the first level support person move the machine into an OU so that office 2003 can be installed via group policy. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Tuesday, May 25, 2004 10:30 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] task pads ? You want to give some sort of secretary a MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well for both the current and destination OU's it sounds like. Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Tuesday, May 25, 2004 9:53 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] task pads Hi all, I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? I am thinking creating a task pad will do this, but I have not ever done that. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072
RE: [ActiveDir] task pads
Title: task pads If youre always going to move the computer accounts to a specific OU, you could also do a simple script. It would be simple to modify this one to include the computer name as an argument. http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx From: Gasper, Rick [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 9:18 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] task pads We want to have the first level support person move the machine into an OU so that office 2003 can be installed via group policy. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, May 25, 2004 10:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] task pads ? You want to give some sort of secretary a MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well for both the current and destination OU's it sounds like. Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Tuesday, May 25, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] task pads Hi all, I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? I am thinking creating a task pad will do this, but I have not ever done that. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072
RE: [ActiveDir] Looking for a tool that displays SID
The LDP.exe should do it for the AD side of the house, not sure about the NT side -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
Re: [ActiveDir] Ad forest migration
Don't know of any gotchas offhand, but I haven't used it in production. Google is your friend. Aleta/Quest costs more, but there's definite value in their tools. Have you read the documentation? - Original Message - From: Kern, Tom [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 11:23 AM Subject: RE: [ActiveDir] Ad forest migration any known gotchas(i know everything has gotchas) with admtv2,miis,and exchange migration wizard that i should be aware of from the get go? also, i assume going this route over Aleita/quest is the support and nice gui. and finally, how would i re-acl everyting on the servers in the new forest? any tool or script for that? thanks(lot of questions, i know. but i'll let you know how it went and if i crashed and burned my enterprise!!). -Original Message- From: Missy Koslosky [mailto:[EMAIL PROTECTED] Sent: Monday, May 24, 2004 10:58 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Ad forest migration The Exchange Migration Wizard. http://support.microsoft.com/default.aspx?scid=kb;en-us;328871 - Original Message - From: Kern, Tom [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, May 24, 2004 7:13 PM Subject: RE: [ActiveDir] Ad forest migration i'm sorry if this is obvious but, whats a good exchange migration tool that comes with exchange2k/2k3? and how does it differ from using exmerge to migrate mailboxes to pst's and then import them into the new server/forest? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Mon 5/24/2004 5:07 PM To: '[EMAIL PROTECTED]' Cc: Subject: RE: [ActiveDir] Ad forest migration Probably wouldn't use exmerge in favor of Exchange migration tools included with Exchange. And it would be worth it to use Exchange 2003 (tools at least), but otherwise it can be done. Aelita is just nicer and easier to work with. Both work. 
al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Monday, May 24, 2004 4:24 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Ad forest migration I'm on a serious budget and my IT dept doesn't have/want the money to spend on Alieta migration tools. we are looking to migrate our child domain into our own forest with exchange 2k and still synch our gals. how much hubris would it be to do most of this with free tools like ADMTv2,MIIS, and exmerge? am I insane? thanks
RE: [ActiveDir] Looking for a tool that displays SID
getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, May 25, 2004 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
RE: [ActiveDir] Weird AD GPO problem
Yes, that is correct. The Default domain policy still applies - even if I change the password length setting to non-defined. Here is what I did now: New OU - I blocked inheritance. Then applied a new GPO with password specific settings (Password length = 12, maximum age, minimum age, etc.). The default domain policy had 8 characters for the password length but now got changed to non-defined. I moved a user and a machine into that new, clean OU and logon. The user receives the 8 character password requirement from the default domain GPO but all the other settings from the new GPO. A GPResult shows only the new GPO and the local GPO applied - not the default domain GPO though. The local GPO has never been modified and is clean. Christoph

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, May 25, 2004 9:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Weird AD GPO problem

Christoph- Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring the gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy. Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph Sent: Tuesday, May 25, 2004 7:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Weird AD GPO problem

We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software.
However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients. Any idea what is holding on to the wrong GPO settings and how that can be cleared out? Windows 2000 AD Domain - mixed mode. I also refreshed the policy on the DCs:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
Christoph

This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
RE: [ActiveDir] Weird AD GPO problem
Forgot to mention: the gptool shows all my GPOs as Ok. Any idea what might be going on? Christoph From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, ChristophSent: Tuesday, May 25, 2004 11:32 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Weird AD GPO problem Yes, that is correct. The Default domain policy still applies - even if I change the password length setting to non-defined. Here's is what I did now: New OU - I blocked inheritance. The applied a new GPO with password specific settings (Password length = 12, maximum age, minimum age, etc.). The default domain policy had 8 characters for the password length but now got changed to non-defined. I moved a user and a machine into that new, clean OU and logon. The user receives the 8 character password requirement from the default domain GPObut all the other settings from the new GPO. AGPResult shows only the new GPO and the local GPO applied - not the default domain GPO though. The local GPO has never been modified and is clean. Christoph From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Tuesday, May 25, 2004 9:11 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Weird AD GPO problem Christoph- Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring the gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, ChristophSent: Tuesday, May 25, 2004 7:39 AMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Weird AD GPO problem We're dealing with a really weird GPO problem. 
The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software. However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients. Any idea what is holding on to the wrong GPO settings and how that can be cleared out? Windows 2000 AD Domain - mixed mode. I also refreshed the policy on the DCs:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
Christoph
RE: [ActiveDir] Looking for a tool that displays SID
There are the Account Lockout and Management Tools from MS: http://www.microsoft.com/downloads/details.aspx?displaylang=enfamilyid=7af2e69c-91f3-4e63-8629-b999adde0b9e After registering AcctInfo.dll, you will be able to see the SID and SIDHISTORY of migrated users. If you're migrating the users' SID, then SIDHISTORY may prove invaluable. Kitchens Arthur E [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 05/25/2004 01:02 PM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject RE: [ActiveDir] Looking for a tool that displays SID getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, May 25, 2004 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID The LDP.exe should do it for the AD side of the house, not sure about the NT side -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
RE: [ActiveDir] Weird AD GPO problem
That's not weird - that's by design. Password related policies are domain specific. It's one of the few really good reasons to have a separate domain. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

From: Puetz, Christoph [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 1:32 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Weird AD GPO problem

Yes, that is correct. The Default domain policy still applies - even if I change the password length setting to non-defined. Here is what I did now: New OU - I blocked inheritance. Then applied a new GPO with password specific settings (Password length = 12, maximum age, minimum age, etc.). The default domain policy had 8 characters for the password length but now got changed to non-defined. I moved a user and a machine into that new, clean OU and logon. The user receives the 8 character password requirement from the default domain GPO but all the other settings from the new GPO. A GPResult shows only the new GPO and the local GPO applied - not the default domain GPO though. The local GPO has never been modified and is clean. Christoph

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, May 25, 2004 9:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Weird AD GPO problem

Christoph- Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring the gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy.
Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph Sent: Tuesday, May 25, 2004 7:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Weird AD GPO problem

We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software. However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients. Any idea what is holding on to the wrong GPO settings and how that can be cleared out? Windows 2000 AD Domain - mixed mode. I also refreshed the policy on the DCs:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
Christoph
RE: [ActiveDir] task pads
Title: task pads Thanks for the ideas. I think I am going to probably script the move. I was trying to make this as simple for the help desk personnel as possible. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: Tuesday, May 25, 2004 12:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] task pads If youre always going to move the computer accounts to a specific OU, you could also do a simple script. It would be simple to modify this one to include the computer name as an argument. http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx From: Gasper, Rick [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 9:18 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] task pads We want to have the first level support person move the machine into an OU so that office 2003 can be installed via group policy. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, May 25, 2004 10:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] task pads ? You want to give some sort of secretary a MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well for both the current and destination OU's it sounds like. Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Tuesday, May 25, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] task pads Hi all, I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? 
I am thinking creating a task pad will do this, but I have not ever done that. Rick Gasper Manager Network Services King's College Wilkes-Barre PA 18711 [EMAIL PROTECTED] PH: 570-208-5845 Fax: 570-208-6072
RE: [ActiveDir] Looking for a tool that displays SID
Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory. You can use adfind (on the website) to easily get sIDHistory and objectSID. So if you want just the AD SID and the SID migrated from NT4 which should be in the sIDHistory attribute, adfind will totally handle that...

adfind -gc -b -f name=xxx objectSid sIDHistory

If you need to resolve a sid to a name, the sidtoname tool on my site will handle that. joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E Sent: Tuesday, May 25, 2004 1:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID

getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, May 25, 2004 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
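An added example, not part of the thread and not joeware code: objectSid and sIDHistory come back from LDAP as binary values, and this sketch decodes them to S-1-5-21-... strings and reviews the sIDHistory of migrated accounts. The domain SIDs, account names and the choice of review checks are constructed assumptions.

```python
import struct

# Well-known RIDs of privileged domain principals.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def sid_to_string(raw):
    """Decode a binary SID (objectSid / sIDHistory value) to its string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def string_to_sid(text):
    """Encode a string SID to binary; used here to build the sample values."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    subs = [int(p) for p in parts[3:]]
    header = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def split_domain_rid(sid):
    """Return (domain SID, RID) for an S-1-5-21-a-b-c-RID SID, else (None, None)."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None


def review_migrated_account(name, object_sid, sid_history):
    """Decode one account's SIDs and list sIDHistory entries worth a second look."""
    current = sid_to_string(object_sid)
    current_domain, _ = split_domain_rid(current)
    history, findings = [], []
    for raw in sid_history:
        old = sid_to_string(raw)
        history.append(old)
        old_domain, rid = split_domain_rid(old)
        if old_domain is None:
            findings.append("%s: not a domain account SID" % old)
            continue
        if old_domain == current_domain:
            findings.append("%s: same domain as objectSid" % old)
        if rid in PRIVILEGED_RIDS:
            findings.append("%s: RID %d (%s) carried in sIDHistory"
                            % (old, rid, PRIVILEGED_RIDS[rid]))
    return {"name": name, "objectSid": current,
            "sIDHistory": history, "findings": findings}


# Constructed sample data: an NT4 source domain and an AD target domain.
SOURCE = "S-1-5-21-1004336348-1177238915-682003330"
TARGET = "S-1-5-21-3623811015-3361044348-30300820"


def demo():
    accounts = [
        ("jsmith", TARGET + "-1105", [SOURCE + "-1013"]),   # ordinary migration
        ("svc_old", TARGET + "-1106", [SOURCE + "-512"]),   # old Domain Admins SID
        ("tmp1", TARGET + "-1107", [TARGET + "-1108"]),     # history from same domain
    ]
    return [review_migrated_account(n, string_to_sid(o),
                                    [string_to_sid(h) for h in hist])
            for n, o, hist in accounts]


if __name__ == "__main__":
    for report in demo():
        print(report["name"], report["objectSid"], report["sIDHistory"])
        for finding in report["findings"]:
            print("   !", finding)
```
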
RE: [ActiveDir] Looking for a tool that displays SID
Hi Joe, You can use acctinfo.dll found in Resource kit of Windows 2003. regsvr32 acctinfo.dll and this information and more appear in dsa.msc (active directory users and computers). Thanks for advanced, Anderson Patricio Microsoft Certified Systems Engineer on 2000/2003 Microsoft Certified Systems Administrator on 2000/2003 + Messaging Red Hat Certified Technician Computer Associates Unicenter Administrator From: [EMAIL PROTECTED] on behalf of joe Sent: Tue 25/5/2004 15:26 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory. You can use adfind (on the website) to get easily get sIDHistory and objectSID. So if you want just the AD SID and the SID migrated from NT4 which should be in the sIDHistory attribute, adfind will totally handle that... adfind -gc -b -f name=xxx objectSid sIDHistory If you need to resolve a sid to a name, the sidtoname tool on my site will handle that. joe - http://www.joeware.net http://www.joeware.net/(download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E Sent: Tuesday, May 25, 2004 1:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. 
Sent: Tuesday, May 25, 2004 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID The LDP.exe should do it for the AD side of the house, not sure about the NT side -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
RE: [ActiveDir] Ad forest migration
For Quest? yes, they sound great and i'd love to use them but its just not in the budget. thanks -Original Message- From: Missy Koslosky [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 1:11 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Ad forest migration Don't know of any gotchas offhand, but I haven't used it in production. Google is your friend. Aleta/Quest costs more, but there's definite value in their tools. Have you read the documentation? - Original Message - From: Kern, Tom [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 25, 2004 11:23 AM Subject: RE: [ActiveDir] Ad forest migration any known gotchas(i know everything has gotchas) with admtv2,miis,and exchange migration wizard that i should be aware of from the get go? also, i assume going this route over Aleita/quest is the support and nice gui. and finally, how would i re-acl everyting on the servers in the new forest? any tool or script for that? thanks(lot of questions, i know. but i'll let you know how it went and if i crashed and burned my enterprise!!). -Original Message- From: Missy Koslosky [mailto:[EMAIL PROTECTED] Sent: Monday, May 24, 2004 10:58 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Ad forest migration The Exchange Migration Wizard. http://support.microsoft.com/default.aspx?scid=kb;en-us;328871 - Original Message - From: Kern, Tom [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, May 24, 2004 7:13 PM Subject: RE: [ActiveDir] Ad forest migration i'm sorry if this is obvious but, whats a good exchange migration tool that comes with exchange2k/2k3? and how does it differ from using exmerge to migrate mailboxes to pst's and then import them into the new server/forest? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Mon 5/24/2004 5:07 PM To: '[EMAIL PROTECTED]' Cc: Subject: RE: [ActiveDir] Ad forest migration Probably wouldn't use exmerge in favor of Exchange migration tools included with Exchange. 
And it would be worth it to use Exchange 2003 (tools at least), but otherwise it can be done. Aelita is just nicer and easier to work with. Both work. al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Monday, May 24, 2004 4:24 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Ad forest migration I'm on a serious budget and my IT dept doesn't have/want the money to spend on Alieta migration tools. we are looking to migrate our child domain into our own forest with exchange 2k and still synch our gals. how much hubris would it be to do most of this with free tools like ADMTv2,MIIS, and exmerge? am I insane? thanks
Re: [ActiveDir] Looking for a tool that displays SID
I knew it was a job for joeware :o) From: joe [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 25 May 2004 14:26:44 -0400 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory. You can use adfind (on the website) to get easily get sIDHistory and objectSID. So if you want just the AD SID and the SID migrated from NT4 which should be in the sIDHistory attribute, adfind will totally handle that... adfind -gc -b -f name=xxx objectSid sIDHistory If you need to resolve a sid to a name, the sidtoname tool on my site will handle that. joe - http://www.joeware.net http://www.joeware.net/ (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E Sent: Tuesday, May 25, 2004 1:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, May 25, 2004 12:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Looking for a tool that displays SID The LDP.exe should do it for the AD side of the house, not sure about the NT side -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard Sent: Tuesday, May 25, 2004 11:59 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Looking for a tool that displays SID In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
Re: [ActiveDir] Ad forest migration
Right. I was wondering why you'd asked about them - that'd been my impression.

- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 2:48 PM
Subject: RE: [ActiveDir] Ad forest migration

For Quest? yes, they sound great and i'd love to use them but it's just not in the budget. thanks

-Original Message-
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration

Don't know of any gotchas offhand, but I haven't used it in production. Google is your friend. Aelita/Quest costs more, but there's definite value in their tools. Have you read the documentation?

- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 11:23 AM
Subject: RE: [ActiveDir] Ad forest migration

any known gotchas(i know everything has gotchas) with admtv2,miis,and exchange migration wizard that i should be aware of from the get go? also, i assume going this route over Aelita/quest is the support and nice gui. and finally, how would i re-acl everything on the servers in the new forest? any tool or script for that? thanks(lot of questions, i know. but i'll let you know how it went and if i crashed and burned my enterprise!!).

-Original Message-
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration

The Exchange Migration Wizard. http://support.microsoft.com/default.aspx?scid=kb;en-us;328871

- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:13 PM
Subject: RE: [ActiveDir] Ad forest migration

i'm sorry if this is obvious but, what's a good exchange migration tool that comes with exchange2k/2k3? and how does it differ from using exmerge to migrate mailboxes to pst's and then import them into the new server/forest? thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mon 5/24/2004 5:07 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Ad forest migration

Probably wouldn't use exmerge in favor of Exchange migration tools included with Exchange. And it would be worth it to use Exchange 2003 (tools at least), but otherwise it can be done. Aelita is just nicer and easier to work with. Both work. al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, May 24, 2004 4:24 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Ad forest migration

I'm on a serious budget and my IT dept doesn't have/want the money to spend on Aelita migration tools. we are looking to migrate our child domain into our own forest with exchange 2k and still synch our gals. how much hubris would it be to do most of this with free tools like ADMTv2,MIIS, and exmerge? am I insane? thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Looking for a tool that displays SID
Absolutely, however if I need to do this with more than say 3 users or in any domain that has more than 500 users or users spread across multiple OUs you won't catch me saying GUI. Heck, you will rarely catch me saying it anyway. There are some things that are better from the GUI, but not many.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anderson Santos Patricio
Sent: Tuesday, May 25, 2004 2:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

Hi Joe, You can use acctinfo.dll found in Resource kit of Windows 2003. regsvr32 acctinfo.dll and this information and more appear in dsa.msc (active directory users and computers).

Thanks in advance,
Anderson Patricio
Microsoft Certified Systems Engineer on 2000/2003
Microsoft Certified Systems Administrator on 2000/2003 + Messaging
Red Hat Certified Technician
Computer Associates Unicenter Administrator

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 25/5/2004 15:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory. You can use adfind (on the website) to easily get sIDHistory and objectSID. So if you want just the AD SID and the SID migrated from NT4 which should be in the sIDHistory attribute, adfind will totally handle that...

adfind -gc -b -f name=xxx objectSid sIDHistory

If you need to resolve a sid to a name, the sidtoname tool on my site will handle that.

joe - http://www.joeware.net http://www.joeware.net/ (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance
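The thread above separates objectSid (the account's SID in AD) from sIDHistory (the SID carried over from the NT4 domain). As an added illustration, not code from any poster or from joeware, this Python example decodes the binary form in which those attributes are stored and sorts each account's sIDHistory values by whether they come from the expected source domain; the domain SIDs, account names and function names are constructed for the example.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (the form objectSid and sIDHistory are stored in)."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", "1", str(authority), *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample."""
    _, rev, authority, *subs = text.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(rev), len(subs)]) + int(authority).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def domain_of(sid: str) -> str:
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def audit_entry(entry: dict, source_domain: str) -> dict:
    """Split one account's sIDHistory into source-domain SIDs and anything else."""
    history = [sid_to_string(v) for v in entry.get("sIDHistory", [])]
    return {
        "name": entry["name"],
        "objectSid": sid_to_string(entry["objectSid"]),
        "from_source": [s for s in history if domain_of(s) == source_domain],
        "other": [s for s in history if domain_of(s) != source_domain],
    }

# Constructed sample: domain SIDs and accounts are made up for illustration.
NT4_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
AD_DOMAIN = "S-1-5-21-4000000001-4000000002-4000000003"
OTHER_DOMAIN = "S-1-5-21-555555555-666666666-777777777"
SAMPLE = [
    {"name": "alice", "objectSid": string_to_sid(AD_DOMAIN + "-1104"),
     "sIDHistory": [string_to_sid(NT4_DOMAIN + "-1005")]},
    {"name": "bob", "objectSid": string_to_sid(AD_DOMAIN + "-1105")},
    {"name": "carol", "objectSid": string_to_sid(AD_DOMAIN + "-1106"),
     "sIDHistory": [string_to_sid(NT4_DOMAIN + "-1007"),
                    string_to_sid(OTHER_DOMAIN + "-1200")]},
]

if __name__ == "__main__":
    for row in (audit_entry(e, NT4_DOMAIN) for e in SAMPLE):
        print(row)
```

An empty `from_source` list marks an account whose NT4 SID was not carried over, and a non-empty `other` list marks a sIDHistory value from a domain that was not part of the migration.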
[ActiveDir] Question about federated trusts in 2003
I understand the principle of federated trusts for Windows 2003 forests. However, I have a question that I'm hoping someone can answer for me. Let's say you have a 2003 forest authenticating to a Unix MIT Kerberos realm. Furthermore, you want to set up a federated trust between that forest and another 2003 forest which uses the native KDC in 2003 for authentication. Is this possible? Would something break? Any thoughts on this issue would be greatly appreciated.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
RE: [ActiveDir] Anonymous bind
LDAP with SSL/TLS is way better than NIS. As for environment, it's two W2K3 forests with Kerberos forest trust. Forest A has several child domains and holds user accounts. Forest B is where my hosts are (We are relatively small organization in the enterprise, but we are RD and want to have control at least over the hosts). So users can come from any child domain of forest A and logon to hosts in forest B. Now Linux does not play well, when the host is in one realm, and users are from several other realms... The only workaround is to map uid to Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is not an option, and it's quite reasonable considering the small size of our division. So here I am, stuck with LDAP authentication ... If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:

Just for curiosity... You don't want to use NIS because it's less secure, yet you are going to use LDAP for authentication? Isn't that a counter? Can you give an overview of your topology and what you're wanting to accomplish in the end? I think we tried to help with the original post without all of the topology information. Sounds like an interesting problem though...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 21, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

If you excuse me, I will break the inline pattern ;). It got too unreadable. I have seen the interoperability doc. I have also read the whole doc mentioned in the post. It's a very good reference, but is lacking any description of Kerberos deployments in multi-realm environments. Personally I had to choose LDAP authentication instead of Kerberos because my hosts are in one forest, while user accounts are from a child domain of another forest. If someone is aware of a workaround for that, monthly beer supply is on me ;) SFU is nice, but it tries to emulate NIS and with all due respect to NIS, its time is gone. There are just too many security issues with NIS. As for having more than one directory, see my reply to joe. I wish I could put it all in one place, but it's not always possible.

Guy

On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:

A few bits more.

[Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go:

[EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)? I think we've done a great job of interop. Can we do better? Always! And we continue to work on it. But we're doing a *lot* in this space. We have doc's out there that go down to even walk you through how to set up the pam modules! We have a lot out there. Here's one of my fav docs, but there are others this is from a post to this very DL: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html

1) You are right. Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS ? Either tweak the schema (Linux client will have hard time without posixAccount and posixGroup objectClasses) or have a cut down functionality (sendmail LDAP mail routing is great, but I would not extend the AD's schema just to make sendmail happy). And if you are still short on the $$$, you are starting to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in this area.

2) Small *heterogeneous* environments. If all you have is Windows, there is no reason to bring in more overhead. Long live and prosper AD !

3) a) Linux clients logons require uid, uidNumber, gidNumber and etc... (SFU sounds nice at first, till you hit the non-RFC compliance barrier of uid attribute in SFU and realize that NIS is by no means not a secure environment)

[EFLEIS] - Yup, SFU can do this. Schema extension required of course, but painless (if memory serves me correctly, no PAS extensions there).

b) a lot of *nix services can be easily managed through LDAP backend, though the interoperability issues with AD force the creation of another directory. I totally agree with you here - it IS overhead, but if I extend the
[ActiveDir] Really goofy DNS trouble
Hey guys, I inherited a network with a very goofed up AD/DNS server. The forward lookup zone contains no msdcs entry, nor does it contain any client entries. We've been limping along with it this way, but now we've got a new DC+DNS in to take over. Trouble is, new DC can't complete replication, and it seems to be because of a failed DNS resolution. Yuck! I tried ipconfig /registerdns but to no avail. Any ideas? My hope was to start anew with a fresh DNS server, but it's a little discomforting doing a backup from one Win2K machine and a restore onto the new Win2K3 machine when COM+ registry settings and friends are involved in an AD backup/restore so I opted for replication, and here we are

Mal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there is something that would work in both environments. (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration. Thanks in advance