RE: [ActiveDir] LDAP filter

2004-05-25 Thread joseph . e . kaplan








He hasn't published them anywhere formally. I bet Carlos would host them on his dirteam site though. I'll send a binary along to him and perhaps he can follow up here with the URL.



Joe











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Monday, May 24, 2004 5:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter





Do you have a URL for Dave Stucki's libraries?







--

Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 



 









[ActiveDir] OT -- to ActiveDir Mailinglist admins

2004-05-25 Thread Baekelant, Erik





Hi,


Is there any chance that I or someone else could change my e-mail address on this list?
We changed our e-mail addresses a few weeks back. I am still able to receive mail on my old address, but my reply address has changed (as a first stage).

This results in being unable to send to the mailing list. I mailed this e-mail after making a change in Exchange ;o)


Thanks,


old e-mail address: [EMAIL PROTECTED]
new e-mail address: [EMAIL PROTECTED]







RE: [ActiveDir] AD and Exchange not sharing.

2004-05-25 Thread Roger Seielstad



That's an issue with your offline address book settings: you're either not generating new ones or your clients are not downloading them.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
From: Steve Shaff [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Problem is with caching on the Outlook client. When caching is turned off, the AD information is displayed. When caching is turned on, the previous (erroneous or blank) information is displayed.
Can you beat that??..:)

S
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Thanks, I will check on that.
S
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Monday, May 24, 2004 2:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and Exchange not sharing.

RUS = Recipient Update Service. It runs on one or more of your Exchange servers and is responsible for updating recipients. Specifically, if you see problems with the GAL, it's often the culprit.

When you checked the logs, did you check them on the Exchange server that has the RUS? You can find it via ESM in the Recipients | Recipient Update Services node. When you click on whichever one is for your domain that has the user accounts, it will give the properties which will tell you which server hosts it.

Al
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

> That couldn't be a RUS problem could it? ;)
Sorry, but I don't know what RUS stands for.

> Have you checked the logs for the past 24-48 hours? What do you see (Check the Exchange server that has the RUS).
Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

> What about topology? Do you have only W2K3 and E2K3 servers?
All of our domain controllers are W2K3, as well as the Exchange servers. File servers are mixed.
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Office 2003 running on Windows XP, some using cache and some not. Domain is running under W2K3 servers, 2k native, with an Exchange 2003 server.
Thanks,
S
  
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Monday, May 24, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Hi Steve

What sort of clients are you experiencing the problem with? If the problem clients are using Outlook 2000 in off-line mode or Outlook 2003 in cached mode then it is conceivable that they are configured with the "no details" mode in the download address book options.

Maybe you could give us a few more details about the environment (versions, whether it is mixed or native mode, etc.).

Tony
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, 24 May 2004 18:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and Exchange not sharing.
Importance: High

It appears that Exchange and AD are not syncing information. We have recently discovered that under the global address list (displayed in Outlook), in the user name properties, the address, phone, etc. are blank, even though in ADUC the address, department and phone are listed. It seems only to be happening for a handful of people. Does anyone know how to fix this, or what the problem may be?

Thanks,
S
  
  


[ActiveDir] go to my pc, revisited

2004-05-25 Thread Kern, Tom
I've posted before about this issue. A recap: my CIO wants to give himself and some managers access to their office PCs via Go To My PC. The attraction is no client to install and configure à la VPN or Terminal Services.
I'm trying to push Remote Desktop Web services but he's not biting. He feels installing IIS and configuring it on the target PC is just as much of a headache (I counter that that's why you have a salaried IT staff and that's the price you pay for complete control). Also, he thinks IIS has had a history of vulnerabilities whereas Go To My PC has had none so far and is reliable.

Also, on my side, don't I then have to set up port address translation on my firewall/router for this to work? The client would have to connect via IP, or I have to make a DNS entry on my public DNS server for everyone who wants to connect to their office? I don't see that as a good idea either.
I guess I'm looking for some more info on Go To My PC and how it really works, and why it's a really bad idea (documentation or technical reasons), and why jumping through hoops to get Remote Desktop Web is really worth it in comparison (disregarding VPN for the moment).
And finally, someone has stated on this list that the target PC can only run on WinXP, but I see the ActiveX control download for Win2K and NT as well.

Thanks, and I apologize for bringing this up again, but I really HATE the idea of Go To My PC and outsourcing my security to some third party. I just need some more ammo for my argument.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] task pads

2004-05-25 Thread Gasper, Rick






Hi all,

I need to give a non-admin IT user access to ADUC. Our plan is to use a GPO to push out Office 2k3. The non-admin IT user is to move the machine to the deployment OU.

Is this possible? I am thinking creating a taskpad will do this, but I have never done that.

Rick Gasper

Manager Network Services

King's College

Wilkes-Barre PA 18711

[EMAIL PROTECTED]

PH: 570-208-5845

Fax: 570-208-6072






RE: [ActiveDir] OT: Runas command not working from command line

2004-05-25 Thread Fugleberg, David A
That was one of the first things I looked for, but no dice: there is only one copy of runas.exe on the machine, in the system32 directory.
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Byron
Fackenthall
Sent: Monday, May 24, 2004 10:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Runas command not working from command line


There is probably a different version of runas that has gotten into an
earlier position in your path.  

FOR %I IN (runas.exe) DO Dir %~$PATH:I

Will tell you what directory the exe is in when running from the command
line. If it is different from your shortcut, check your path statement.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, May 24, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Runas command not working from command line

Sorry for the offtopic post but have not been able to find the answer...
On my workstation, the runas command no longer works from the command
line.  When I try to run anything using runas from the command line, I
get a dialog box titled runas.exe - Application Error, with the text
The exception unknown software exception (0xc0fd) occurred in the
application at location 0x71002399.

If I try to run the same thing by right-clicking its icon in Explorer
and selecting Run As... it works fine.

The exact same command 'used to' work on my workstation, and still does
on other workstations.  The syntax I'm using is:
runas /user:domain\userid command

I have no idea what caused this to stop working.  <User Mode>Of COURSE I haven't changed anything!</User Mode>

Any ideas what to look for ?  I really don't want to rebuild my machine
just for this, but I also really want my runas back !

Dave 


RE: [ActiveDir] go to my pc, revisited

2004-05-25 Thread Ken Cornetet
You don't have to do anything to your firewall for Goto My PC to work.
In fact, that is basically their business model: they let users access
their work PCs without involvement from those pesky IT and security
Nazis. I'd be willing to bet that there are MANY companies out there who
have Goto My PC users and don't even know it!

How is this possible? The trick is that their software opens an HTTP
(HTTPS?) connection to the Goto My PC servers. To your firewall, it just
looks like normal web traffic. 

To their credit, they have a section on their web site on how to block
access to their service (which we have done).

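Since the agent reaches the service over ordinary outbound HTTPS, the proxy log is where use of it shows up, and the proxy is also where the block lands. The Python below is an added example, not code from the thread or from the vendor: it scans proxy log lines for requests to the service's domains and separates tunnels the proxy actually built (a CONNECT answered 200) from requests it refused. The log format and every line of SAMPLE_LOG are constructed, `agent.gotomypc.com` is an invented hostname, and the domain list is seeded only from the two names that appear in this thread; the vendor's own blocking guidance that Ken mentions is the authoritative source for the full list.

```python
"""Spot remote-access-service traffic in a proxy log.

Added example. The domain list is seeded from names in this thread only;
the log format, hosts, users and addresses below are constructed.
"""
import re
from collections import defaultdict

REMOTE_ACCESS_DOMAINS = ("gotomypc.com", "go2mypc.com")

# Constructed records: "timestamp client user method host[:port] status bytes"
SAMPLE_LOG = """\
2004-05-25T08:01:12 10.1.4.22 jdoe CONNECT www.gotomypc.com:443 200 4821
2004-05-25T08:01:13 10.1.4.22 jdoe GET www.microsoft.com:80 200 12044
2004-05-25T08:02:40 10.1.7.9 asmith CONNECT agent.gotomypc.com:443 200 320
2004-05-25T08:02:41 10.1.7.9 asmith CONNECT notgotomypc.com:443 200 55
2004-05-25T08:03:05 10.1.9.14 bjones CONNECT www.go2mypc.com:443 403 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<status>\d+) (?P<bytes>\d+)$"
)


def domain_match(host, domains=REMOTE_ACCESS_DOMAINS):
    """Return the listed domain `host` belongs to, or None.

    Matching happens at a label boundary, so 'notgotomypc.com' does not
    match 'gotomypc.com' while any real subdomain does.
    """
    host = host.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(text, domains=REMOTE_ACCESS_DOMAINS):
    """One record per request to a listed domain.

    A CONNECT answered 200 means the proxy built the TLS tunnel and the agent
    got through; any other outcome means the proxy refused it.
    """
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        domain = domain_match(match["host"], domains)
        if domain is None:
            continue
        hits.append({
            "ts": match["ts"],
            "client": match["client"],
            "user": match["user"],
            "host": match["host"],
            "domain": domain,
            "tunnelled": match["method"].upper() == "CONNECT" and match["status"] == "200",
        })
    return hits


def users_by_outcome(hits):
    """Who reached the service, split by whether the proxy let the tunnel through."""
    groups = defaultdict(set)
    for hit in hits:
        groups["tunnelled" if hit["tunnelled"] else "refused"].add(hit["user"])
    return {outcome: sorted(users) for outcome, users in groups.items()}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        state = "tunnelled" if hit["tunnelled"] else "refused"
        print(hit["ts"], hit["user"], hit["client"], hit["host"], state)
    print(users_by_outcome(found))
```

The `tunnelled` users are the ones who were already using the service before any policy existed; the `refused` set is what a proxy block produces afterwards, and either list is the evidence to bring to the CIO.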


Re: [ActiveDir] go to my pc, revisited

2004-05-25 Thread Brent Westmoreland
Couple of questions Tom.

Where do the managers want to access their PCs from?

What is your operating systems base?  Are all of your managers machines
windows xp?

Do you have vpn enabled at your site?

Is there a requirement that they be able to access the machines via a web
interface?  




RE: [ActiveDir] task pads

2004-05-25 Thread Mulnick, Al



? You want to give some sort of secretary an MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well, for both the current and destination OUs it sounds like.

Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you?

Al


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, 
RickSent: Tuesday, May 25, 2004 9:53 AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] task 
pads

Hi all,
I need to give a non admin IT user access to 
aduc. Our plan is to use gpo to push out office 2k3. The non admin IT user is to 
move the machine to the deployment OU.
Is this possible? I am thinking creating a task 
pad will do this, but I have not ever done that.
Rick Gasper
Manager Network 
Services
King's 
College
Wilkes-Barre PA 
18711
[EMAIL PROTECTED]
PH: 
570-208-5845
Fax: 
570-208-6072



[ActiveDir] Weird AD GPO problem

2004-05-25 Thread Puetz, Christoph




We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software.

However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients.

Any idea what is holding on to the wrong GPO settings and how that can be cleared out?

Windows 2000 AD Domain - mixed mode.

I also refreshed the policy on the DCs:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Christoph





Re: [ActiveDir] OT: Exchange 2003 SP1

2004-05-25 Thread Ken Schaefer
Also continuing the OT note, it seems that the long-awaited server-side spam
filtering system (IMF) is available too:
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1


: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony

~~



RE: [ActiveDir] Weird AD GPO problem

2004-05-25 Thread Darren Mar-Elia



Christoph-
Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring up gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy.

Darren




RE: [ActiveDir] Ad forest migration

2004-05-25 Thread Kern, Tom
Any known gotchas (I know everything has gotchas) with ADMTv2, MIIS, and the Exchange Migration Wizard that I should be aware of from the get-go?

Also, I assume the reason to go this route over Aelita/Quest is the support and nice GUI.

And finally, how would I re-ACL everything on the servers in the new forest? Any tool or script for that?

Thanks (lots of questions, I know, but I'll let you know how it went and if I crashed and burned my enterprise!!).

-Original Message-
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration


The Exchange Migration Wizard.
http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:13 PM
Subject: RE: [ActiveDir] Ad forest migration


 I'm sorry if this is obvious but, what's a good Exchange migration tool that comes with Exchange 2k/2k3?
 And how does it differ from using ExMerge to migrate mailboxes to PSTs and then import them into the new server/forest?
 Thanks

 -Original Message- 
 From: Mulnick, Al [mailto:[EMAIL PROTECTED]
 Sent: Mon 5/24/2004 5:07 PM
 To: '[EMAIL PROTECTED]'
 Cc:
 Subject: RE: [ActiveDir] Ad forest migration



 Probably wouldn't use exmerge in favor of Exchange migration tools
included
 with Exchange.  And it would be worth it to use Exchange 2003 (tools at
 least), but otherwise it can be done.  Aelita is just nicer and easier to
 work with.  Both work.

 al

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Monday, May 24, 2004 4:24 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Ad forest migration

 I'm on a serious budget and my IT dept doesn't have/want the money to spend on Aelita migration tools.
 We are looking to migrate our child domain into our own forest with Exchange 2k and still sync our GALs.

 How much hubris would it be to do most of this with free tools like ADMTv2, MIIS, and ExMerge?
 Am I insane?

 thanks




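On the re-ACL question: whatever tool does the work, the essential operation is security translation. Every ACE granted to a source-domain SID is rewritten (or duplicated) so it names the corresponding target-domain SID, and the mapping comes from the migrated accounts themselves, because a migration that carries sIDHistory leaves each account's old SID in that attribute. The Python below is an added example, not part of the thread and not ADMT code: the ACE representation, the simplified rights labels and the domain SIDs are constructed, and `mode` names the replace-or-add choice rather than any tool's option name. Source-domain SIDs with no mapping are reported as orphans, since they turn into unresolvable SIDs the day the source domain goes away.

```python
"""Model the security-translation step of a forest migration.

Added example. ACEs are simplified and the domain SIDs are constructed;
S-1-5-18 (LocalSystem) is included to show that well-known SIDs pass through.
"""
from dataclasses import dataclass, replace as with_fields


@dataclass(frozen=True)
class Ace:
    sid: str             # trustee, e.g. S-1-5-21-<domain>-<RID>
    access: str          # simplified rights label
    ace_type: str = "Allow"


def domain_of(sid):
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def sid_map_from_sidhistory(target_accounts):
    """Build old-SID -> new-SID from target accounts' sIDHistory.

    target_accounts: iterable of (objectSid, [sIDHistory values]) as read
    from the target domain after the accounts were migrated.
    """
    mapping = {}
    for new_sid, history in target_accounts:
        for old_sid in history:
            mapping[old_sid] = new_sid
    return mapping


def translate_acl(acl, sid_map, source_domain, mode="replace"):
    """Return (new_acl, orphans).

    mode="replace": a source-domain ACE becomes the target-domain ACE.
    mode="add":     the source ACE stays and the target ACE is added, for the
                    coexistence period while both domains are still live.
    orphans: source-domain SIDs with no mapping; they are left in place and
    need a human decision before the source domain is decommissioned.
    """
    if mode not in ("replace", "add"):
        raise ValueError(f"unknown mode {mode!r}")
    new_acl, orphans = [], []
    for ace in acl:
        if domain_of(ace.sid) != source_domain:
            new_acl.append(ace)             # well-known, local or foreign SID: untouched
            continue
        target_sid = sid_map.get(ace.sid)
        if target_sid is None:
            orphans.append(ace.sid)
            new_acl.append(ace)
            continue
        if mode == "add":
            new_acl.append(ace)
        translated = with_fields(ace, sid=target_sid)
        if translated not in new_acl:       # don't duplicate an ACE the target already holds
            new_acl.append(translated)
    return new_acl, orphans


if __name__ == "__main__":
    SOURCE = "S-1-5-21-100-200-300"         # constructed source domain SID
    TARGET = "S-1-5-21-400-500-600"         # constructed target domain SID
    # Constructed target accounts carrying their old SIDs in sIDHistory.
    accounts = [
        (f"{TARGET}-1105", [f"{SOURCE}-1105"]),
        (f"{TARGET}-1107", [f"{SOURCE}-1107"]),
    ]
    acl = [
        Ace(f"{SOURCE}-1105", "FullControl"),
        Ace("S-1-5-18", "FullControl"),
        Ace(f"{SOURCE}-1200", "Read"),      # never migrated: becomes an orphan
    ]
    new_acl, orphans = translate_acl(acl, sid_map_from_sidhistory(accounts), SOURCE)
    for ace in new_acl:
        print(ace)
    print("orphans:", orphans)
```

Running the translation a second time over an already-translated ACL changes nothing and reports the same orphans, which is the property you want from a pass you will inevitably have to re-run on a few servers.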

RE: [ActiveDir] go to my pc, revisited

2004-05-25 Thread Jeff Salisbury
There is a pretty good description of their security if you visit www.go2mypc.com and follow the How it Works links to the Security White Paper. The diagram in the PDF shows use of RSA SecurID as an option you could use in conjunction with what is already in place.

We don't allow users to VPN in to the company from their personal computers. If you do 
support this, then any trojans, viruses, etc. that they have on their personal 
computers are now on your internal network. One advantage of Go2MyPC is that it acts 
more like a pcAnywhere session but you aren't putting the remote computer directly 
onto your internal network. They can still transfer files, good or bad, to their PCs, 
but chances are they could bring in a floppy or CD and do the same when in the office. 
Certainly Expertcity's entire reputation (now owned by Citrix) is based on their 
security model. Whether you choose to trust them or not is a decision you have to 
make, just as you would if you were outsourcing your VPN infrastructure.

If your office PCs use Windows XP and your users are able to connect by VPN, you could 
choose to enable Remote Desktop. This allows you to use your PC like you would 
remotely administer a server with the same RDP client. You don't need to install 
anything additional to use this capability, but it is disabled by default and you 
would need to configure the allowed accounts on each PC.

If you must allow connection from non-company PCs, then Go2MyPC might be worth 
consideration. I would prefer to not allow non-company PCs at all, but you may not 
have that choice.

Jeff Salisbury
Network Infrastructure and Security Manager

Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 8:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] go to my pc, revisited


1. where? mostly from home, though i'm sure some will from hotels as well.

2.win2k/xp.

3.we have a cisco vpn concentrator  

4.there's a desire to have them access their machines without any client software 
install or config.
minimal involvment on their part is the attraction.

thanks



RE: [ActiveDir] go to my pc, revisited

2004-05-25 Thread Kern, Tom
They seem to have a decent security policy:

https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Corporate_Security_FAQs.pdf

So aside from the outsourcing issue and money spent, it seems OK.
I think...



Re: [ActiveDir] go to my pc, revisited

2004-05-25 Thread Brent Westmoreland
If you truly want to block the use of GoToMyPC, I would suggest approaching this from the standpoint of other users. You don't want someone in accounting who just got fired to be able to go home and utilize GoToMyPC. Therefore the GoToMyPC site would need to be blocked at the proxy level to ensure the security of the organization. Perhaps you can also look into some industry regulations about requirements of privacy; I am grasping at straws here, but talk to legal about what your role in HIPAA or Sarbanes-Oxley might be. I haven't read the specifications, but see if there is something in one of the many regulatory compliance laws that you can leverage to your benefit.

Then I would set up a demo of the built-in RDP client on Windows XP. You can access it by typing mstsc at the command line with no additional software if you are running Windows XP. The only software install issue is if you want to use the Cisco IPsec client as opposed to the built-in PPTP client for accessing the network over VPN.

Of course, if your managers are running something other than Windows XP the RDP client will have to be installed. You could build packages for both RDP and Cisco so that a single MSI will install both packages preconfigured to your specifications.

Consider that if your boss really wants this done, all your efforts to buck his decision could be a CLM.

I would recommend against exposing each individual PC to the internet via IIS and the Remote Desktop ActiveX component, but that is just me.


 From: Kern, Tom [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Tue, 25 May 2004 11:01:42 -0400
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] go to my pc, revisted
 
 1. Where? Mostly from home, though I'm sure some will from hotels as well.
 
 2. Win2k/XP.
 
 3. We have a Cisco VPN concentrator.
 
 4. There's a desire to have them access their machines without any client
 software install or config. Minimal involvement on their part is the attraction.
 
 thanks
 
 -Original Message-
 From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 25, 2004 10:10 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] go to my pc, revisted
 
 
 Couple of questions Tom.
 
 Where do the managers want to access their PCs from?
 
 What is your operating systems base?  Are all of your managers machines
 windows xp?
 
 Do you have vpn enabled at your site?
 
 Is there a requirement that they be able to access the machines via a web
 interface?  
 
 
 From: Kern, Tom [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Tue, 25 May 2004 09:16:30 -0400
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] go to my pc, revisted
 
 I've posted before about this issue. A recap: my CIO wants to give himself and
 some managers access to their office PCs via Go To My PC. The attraction is no
 client to install and configure a la VPN or terminal services.
 I'm trying to push remote desktop web services but he's not biting. He feels
 installing IIS and configuring it on the target PC is just as much of a
 headache (I counter that that's why you have a salaried IT staff and that's the
 price you pay for complete control). Also, he thinks IIS has had a history of
 vulnerabilities whereas Go To My PC has had none so far and is reliable.
 
 Also, on my side, don't I have to then set up port address translation on my
 firewall/router for this to work? The client would have to connect via IP or I
 have to make a DNS entry on my public DNS server for everyone who wants to
 connect to their office? I don't see that as a good idea either.
 I guess I'm looking for some more info on Go To My PC and how it really works
 and why it's a really bad idea (documentation or technical reasons) and why
 jumping thru hoops to get remote desktop web is really worth it in
 comparison (disregarding VPN for the moment).
 And finally, someone has stated on this list that the target PC can only run
 on WinXP but I see the ActiveX control download for Win2k and NT as well.
 
 Thanks and I apologize for bringing this up again, but I really HATE the idea
 of Go To My PC and outsourcing my security to some third party. I just need
 some more ammo for my argument.

[ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Lanci, Richard
In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration.

Thanks in advance





RE: [ActiveDir] task pads

2004-05-25 Thread Darren Mar-Elia
Rick-
Another option to consider is to use security group 
filtering on that GPO instead of relying on moving machines around. In other 
words, permission the GPO so that only machines that are part of the "O2K3 
Install" group will process the policy. Then, getting Office installed is simply 
a matter of adding a machine to a group rather than having to move machines back 
and forth between OUs.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads


We want to have the 
first level support person move the machine into an OU so that office 2003 can 
be installed via group policy.


Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads

? You want to give some 
sort of secretary a MMC? Sure, why not? Works out well. 

You'll want to give 
permissions over computer objects as well for both the current and destination 
OU's it sounds like.

Not sure why somebody 
would be moving a computer account though? Is that some sort of tracking 
mechanism for you?

Al




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,

I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out
office 2k3. The non admin IT user is to move the machine to the deployment OU.

Is this possible? I am thinking creating a task pad will do this, but I have not ever
done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072


RE: [ActiveDir] task pads

2004-05-25 Thread Passo, Larry
If you're always going to move the computer accounts to a specific OU, you could
also do a simple script. It would be simple to modify this one to include the
computer name as an argument.



http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx













From: Gasper, Rick
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 25, 2004 9:18
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads





We want to have the first level support
person move the machine into an OU so that office 2003 can be installed via
group policy.





Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30
AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads





? You want to give some sort of secretary
a MMC? Sure, why not? Works out well. 

You'll want to give permissions over
computer objects as well for both the current and destination OU's it sounds
like.



Not sure why somebody would be moving a
computer account though? Is that some sort of tracking mechanism for you?



Al









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi
all,

I need to
give a non admin IT user access to aduc. Our plan is to use gpo to push out
office 2k3. The non admin IT user is to move the machine to the deployment OU.

Is this
possible? I am thinking creating a task pad will do this, but I have not ever
done that.

Rick Gasper

Manager Network Services

King's College

Wilkes-Barre
 PA 18711

[EMAIL PROTECTED]

PH: 570-208-5845

Fax: 570-208-6072
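Both routes proposed in this thread, Darren's security-group filtering on the Office GPO and Larry's script that takes the computer name as an argument, can be done from PowerShell. The block below is an added example written for this edit; it is not code from the list, from the linked TechNet script, or from any poster. It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 and later, so not what was on hand in 2004); the GPO name 'Office 2003 Install', the deployment OU DN and the computer name are placeholders, and 'O2K3 Install' is the group name Darren used.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory and
# GroupPolicy PowerShell modules; the GPO name, OU DN and computer name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- Route 1 (Darren): security-group filtering on the GPO ---------------------
# Scope the GPO to one group so that "install Office" becomes "add the computer
# to a group". Authenticated Users keeps Read (clients must still be able to read
# the GPO to evaluate it) but loses Apply; the install group gets Apply.
function Set-OfficeGpoFiltering {
    param(
        [string]$GpoName   = 'Office 2003 Install',   # placeholder
        [string]$GroupName = 'O2K3 Install'
    )
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply
    Get-GPPermission -Name $GpoName -All      # show the resulting ACL for review
}

# With this model the help desk delegation is narrow: write access to the
# "member" attribute of one group, and no rights on computer objects or OUs.
function Add-ComputerToOfficeGroup {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'O2K3 Install'
    )
    $computer = Get-ADComputer -Identity $ComputerName   # throws if the account does not exist
    Add-ADGroupMember -Identity $GroupName -Members $computer
    # The computer's group SIDs are read at boot/authentication, so the machine
    # needs a reboot before the filtered GPO applies to it.
    "$ComputerName added to $GroupName; reboot the machine to pick up the policy."
}

# --- Route 2 (Larry): move the computer object to the deployment OU -----------
# This is the approach that needs delete rights in the source OU and create
# rights in the target OU for the help desk account, as Al pointed out.
function Move-ComputerToDeploymentOu {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$TargetOu = 'OU=Office2003 Deploy,DC=example,DC=com'   # placeholder
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $null = Get-ADOrganizationalUnit -Identity $TargetOu   # fail early on a bad OU DN
    if ($computer.DistinguishedName -like "*,$TargetOu") {
        return "$ComputerName is already in $TargetOu"
    }
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOu
    "$ComputerName moved to $TargetOu"
}

# Example calls (computer name is a placeholder):
# Set-OfficeGpoFiltering
# Add-ComputerToOfficeGroup -ComputerName 'PC0123'
# Move-ComputerToDeploymentOu -ComputerName 'PC0123'
```

The -Replace switch on the Authenticated Users call matters: without it Set-GPPermission leaves the existing, higher Apply level in place, and setting the level to None instead of GpoRead would remove the read access every client needs to process the GPO. Either function can be handed to first-level support as a one-line wrapper; the group route only requires them to be able to modify membership of a single group, which is a smaller grant than create/delete on computer objects in two OUs.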








RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Salandra, Justin A.
The LDP.exe should do it for the AD side
of the house, not sure about the NT side



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59
AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a
tool that displays SID 



In the middle of a migration from NT4 to AD and am
looking for a tool that will display the SIDs (NT and AD) of migrated
users. We are using the NET IQ product for the user/computer migration.

Thanks in advance 








Re: [ActiveDir] Ad forest migration

2004-05-25 Thread Missy Koslosky
Don't know of any gotchas offhand, but I haven't used it in production.
Google is your friend.

Aleta/Quest costs more, but there's definite value in their tools.

Have you read the documentation?
- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 11:23 AM
Subject: RE: [ActiveDir] Ad forest migration


 any known gotchas (i know everything has gotchas) with admtv2, miis, and
 exchange migration wizard that i should be aware of from the get go?

 also, i assume going this route over Aelita/quest is the support and nice
 gui.

 and finally, how would i re-acl everything on the servers in the new
 forest? any tool or script for that?

 thanks (lot of questions, i know. but i'll let you know how it went and if
 i crashed and burned my enterprise!!).

 -Original Message-
 From: Missy Koslosky [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 24, 2004 10:58 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Ad forest migration


 The Exchange Migration Wizard.
 http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
 - Original Message - 
 From: Kern, Tom [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, May 24, 2004 7:13 PM
 Subject: RE: [ActiveDir] Ad forest migration


  i'm sorry if this is obvious but, whats a good exchange migration tool
 that comes with exchange2k/2k3?
  and how does it differ from using exmerge to migrate mailboxes to pst's
 and then import them into the new server/forest?
  thanks
 
  -Original Message- 
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Mon 5/24/2004 5:07 PM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] Ad forest migration
 
 
 
  Probably wouldn't use exmerge in favor of Exchange migration tools
 included
  with Exchange.  And it would be worth it to use Exchange 2003 (tools at
  least), but otherwise it can be done.  Aelita is just nicer and easier
to
  work with.  Both work.
 
  al
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Monday, May 24, 2004 4:24 PM
  To: ActiveDir (E-mail)
  Subject: [ActiveDir] Ad forest migration
 
  I'm on a serious budget and my IT dept doesn't have/want the money to
 spend
  on Alieta migration tools.
  we are looking to migrate our child domain into our own forest with
 exchange
  2k and still synch our gals.
 
  how much hubris would it be to do most of this with free tools like
  ADMTv2,MIIS, and exmerge?
  am I insane?
 
  thanks


RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Kitchens Arthur E
getsid from nt 4.0 reskit will do that (in the downlevel 
domain), but i expect there is something that would work in both environments. 
(joeware?).


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID


The LDP.exe should do 
it for the AD side of the house, not sure about the NT side

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am 
looking for a tool that will display the SIDs (NT and AD) of migrated 
users. We are using the NET IQ product for the user/computer 
migration.
Thanks in advance 


RE: [ActiveDir] Weird AD GPO problem

2004-05-25 Thread Puetz, Christoph



Yes, that is correct. The Default domain policy still applies - even if I
change the password length setting to non-defined.

Here's what I did now:

New OU - I blocked inheritance. Then applied a new GPO with password specific
settings (Password length = 12, maximum age, minimum age, etc.). The default
domain policy had 8 characters for the password length but now got changed to
non-defined.

I moved a user and a machine into that new, clean OU and logon. The user
receives the 8 character password requirement from the default domain GPO but
all the other settings from the new GPO.

GPResult shows only the new GPO and the local GPO applied - not the default
domain GPO though. The local GPO has never been modified and is clean.

Christoph


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, May 25, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird AD GPO problem

Christoph-
Are you saying that the password policy is still applying 
to domain users or to user accounts on the local SAMs of your workstations? If 
the latter, when you bring the gpedit.msc on a client, what does the local GPO 
show for its password policy and where is it getting its effective policy? You 
might also check the application event logs on your clients to see if you're 
getting any SCECLI errors, which would indicate a problem processing security 
policy. Also, use GPOTool.exe to make sure the Default Domain GPO is 
healthy.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 7:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird AD GPO problem


We're dealing with a 
really weird GPO problem. The password policy got changed in the default domain 
GPO. This was not supposed to happen and the changes have been reversed due to 
problems with some clients and 3rd party 
software.

However - even with 
forcing replication and forcing gpupdate on the clients, numerous reboots - the 
settings still apply to the clients.

Any idea what is 
holding on to the wrong GPO settings and how that can be cleared 
out?

Windows 2000 AD Domain 
- mixed mode.

I also refreshed the policy on the DCs:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Christoph

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__




RE: [ActiveDir] Weird AD GPO problem

2004-05-25 Thread Puetz, Christoph



Forgot to mention: the gptool shows all my GPOs as Ok.

Any idea what might be going on?

Christoph


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 11:32 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Weird AD GPO problem

Yes, that is correct. The Default domain policy still applies - even if I
change the password length setting to non-defined.

Here's what I did now:

New OU - I blocked inheritance. Then applied a new GPO with password specific
settings (Password length = 12, maximum age, minimum age, etc.). The default
domain policy had 8 characters for the password length but now got changed to
non-defined.

I moved a user and a machine into that new, clean OU and logon. The user
receives the 8 character password requirement from the default domain GPO but
all the other settings from the new GPO.

GPResult shows only the new GPO and the local GPO applied - not the default
domain GPO though. The local GPO has never been modified and is clean.

Christoph


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, May 25, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird AD GPO problem

Christoph-
Are you saying that the password policy is still applying 
to domain users or to user accounts on the local SAMs of your workstations? If 
the latter, when you bring the gpedit.msc on a client, what does the local GPO 
show for its password policy and where is it getting its effective policy? You 
might also check the application event logs on your clients to see if you're 
getting any SCECLI errors, which would indicate a problem processing security 
policy. Also, use GPOTool.exe to make sure the Default Domain GPO is 
healthy.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 7:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird AD GPO problem


We're dealing with a 
really weird GPO problem. The password policy got changed in the default domain 
GPO. This was not supposed to happen and the changes have been reversed due to 
problems with some clients and 3rd party 
software.

However - even with 
forcing replication and forcing gpupdate on the clients, numerous reboots - the 
settings still apply to the clients.

Any idea what is 
holding on to the wrong GPO settings and how that can be cleared 
out?

Windows 2000 AD Domain 
- mixed mode.

I also refreshed the policy on the DCs:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Christoph




RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Justin_Leney

There are the Account Lockout and Management
Tools from MS: 

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e

After registering AcctInfo.dll, you
will be able to see the SID and SIDHISTORY of migrated users. If you're
migrating the users' SID, then SIDHISTORY may prove invaluable. 



 






From: Kitchens Arthur E [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 05/25/2004 01:02 PM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

getsid from nt 4.0 reskit will
do that (in the downlevel domain), but i expect there is something that
would work in both environments. (joeware?).


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

The LDP.exe should do it for
the AD side of the house, not sure about the NT side

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID 

In the middle of a migration from
NT4 to AD and am looking for a tool that will display the SIDs (NT and
AD) of migrated users. We are using the NET IQ product for the user/computer
migration.
Thanks in advance



RE: [ActiveDir] Weird AD GPO problem

2004-05-25 Thread Roger Seielstad



That's not weird - that's by design.

Password related policies are domain specific. It's one of the few really good
reasons to have a separate domain.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
  From: Puetz, Christoph [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 25, 2004 1:32 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Weird AD GPO problem
  
  Yes, that is correct. The Default domain policy still applies - even if I
  change the password length setting to non-defined.
  
  Here's what I did now:
  
  New OU - I blocked inheritance. Then applied a new GPO with password specific
  settings (Password length = 12, maximum age, minimum age, etc.). The default
  domain policy had 8 characters for the password length but now got changed to
  non-defined.
  
  I moved a user and a machine into that new, clean OU and logon. The user
  receives the 8 character password requirement from the default domain GPO but
  all the other settings from the new GPO.
  
  GPResult shows only the new GPO and the local GPO applied - not the default
  domain GPO though. The local GPO has never been modified and is clean.
  
  Christoph
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: Tuesday, May 25, 2004 9:11 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Weird AD GPO problem
  
  Christoph-
  Are you saying that the password policy is still applying 
  to domain users or to user accounts on the local SAMs of your workstations? If 
  the latter, when you bring the gpedit.msc on a client, what does the local GPO 
  show for its password policy and where is it getting its effective policy? You 
  might also check the application event logs on your clients to see if you're 
  getting any SCECLI errors, which would indicate a problem processing security 
  policy. Also, use GPOTool.exe to make sure the Default Domain GPO is 
  healthy.
  
  Darren
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
  Sent: Tuesday, May 25, 2004 7:39 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Weird AD GPO problem
  
  
  We're dealing with a 
  really weird GPO problem. The password policy got changed in the default 
  domain GPO. This was not supposed to happen and the changes have been reversed 
  due to problems with some clients and 3rd party 
  software.
  
  However - even with 
  forcing replication and forcing gpupdate on the clients, numerous reboots - 
  the settings still apply to the 
  clients.
  
  Any idea what is 
  holding on to the wrong GPO settings and how that can be cleared 
  out?
  
  Windows 2000 AD 
  Domain - mixed mode.
  
  I also refreshed the policy on the DCs:
  
  secedit /refreshpolicy machine_policy /enforce
  secedit /refreshpolicy user_policy /enforce
  
  Christoph


RE: [ActiveDir] task pads

2004-05-25 Thread Gasper, Rick
Thanks for the ideas. I think I am going
to probably script the move. I was trying to make this as simple for the help desk personnel as possible.





Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, May 25, 2004 12:34
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads





If you're always going to move the computer accounts to a specific OU, you could
also do a simple script. It would be simple to modify this one to include the
computer name as an argument.



http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx













From: Gasper, Rick
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 25, 2004 9:18
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads





We want to have the first level support
person move the machine into an OU so that office 2003 can be installed via
group policy.





Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30
AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads





? You want to give some sort of secretary
a MMC? Sure, why not? Works out well. 

You'll want to give permissions over
computer objects as well for both the current and destination OU's it sounds
like.



Not sure why somebody would be moving a
computer account though? Is that some sort of tracking mechanism for you?



Al









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,

I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out office
2k3. The non admin IT user is to move the machine to the deployment OU.

Is this possible? I am thinking creating a task pad will do this, but I have not ever
done that.

Rick Gasper

Manager Network Services

King's College

Wilkes-Barre PA 18711

[EMAIL PROTECTED]

PH: 570-208-5845

Fax: 570-208-6072








RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread joe
Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory.
You can use adfind (on the website) to easily get sIDHistory and objectSID. So if
you want just the AD SID and the SID migrated from NT4 which should be in the
sIDHistory attribute, adfind will totally handle that...

adfind -gc -b -f name=xxx objectSid sIDHistory

If you need to resolve a sid to a name, the sidtoname tool 
on my site will handle that.


 joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

getsid from nt 4.0 reskit will do that (in the downlevel 
domain), but i expect there is something that would work in both environments. 
(joeware?).


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID


The LDP.exe should do 
it for the AD side of the house, not sure about the NT side

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID

In the middle of a migration from NT4 to AD and am 
looking for a tool that will display the SIDs (NT and AD) of migrated 
users. We are using the NET IQ product for the user/computer 
migration.
Thanks in advance 
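The two answers in this thread, Justin's AcctInfo.dll (which exposes SID and SIDHISTORY in ADUC) and Joe's adfind query plus sidtoname, can be reproduced from PowerShell in a form that also catches the case a migration check really cares about: a migrated user whose old SID never made it into sIDHistory. The block below is an added example written for this edit, not code from the list or from joeware; it assumes the ActiveDirectory PowerShell module (not available in 2004), and the user, OU and server names in it are placeholders.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# PowerShell module; the user, OU and server names are placeholders.
Import-Module ActiveDirectory

# Resolve a SID to DOMAIN\name, which is what the sidtoname tool does. For an
# sIDHistory value this only succeeds while the source (NT4) domain, or a trust
# to it, still exists, so a lookup failure is reported instead of thrown.
function Resolve-SidName {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '(unresolved)'
    }
}

# Report objectSid and every sIDHistory value for users whose name matches the
# filter; roughly what "adfind -gc -b -f name=xxx objectSid sIDHistory" prints.
function Get-MigratedSidReport {
    param(
        [string]$NameFilter = '*',   # e.g. 'jsmith' or 'j*'
        [string]$SearchBase,         # e.g. 'OU=Migrated,DC=example,DC=com' (placeholder)
        [string]$Server              # e.g. 'dc01.example.com:3268' to search the GC like adfind -gc
    )
    $params = @{
        Filter     = "Name -like '$NameFilter'"
        Properties = 'objectSid', 'sIDHistory'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    if ($Server)     { $params.Server     = $Server }

    foreach ($user in Get-ADUser @params) {
        # sIDHistory is multi-valued: one entry per SID the account carried in a
        # source domain. Dropping $null avoids PowerShell's @($null).Count -eq 1 trap.
        $history = @($user.sIDHistory | Where-Object { $_ })
        [pscustomobject]@{
            Name       = $user.SamAccountName
            ObjectSid  = $user.objectSid.Value
            SidHistory = ($history | ForEach-Object { $_.Value }) -join ';'
            OldAccount = ($history | ForEach-Object { Resolve-SidName $_ }) -join ';'
            HasHistory = $history.Count -gt 0
        }
    }
}

# Example calls (placeholder names):
# Get-MigratedSidReport -NameFilter 'jsmith' | Format-List
# Migrated accounts that did NOT get their old SID carried over:
# Get-MigratedSidReport -SearchBase 'OU=Migrated,DC=example,DC=com' |
#     Where-Object { -not $_.HasHistory } | Format-Table Name, ObjectSid
```

Get-ADUser queries one domain by default; pointing -Server at port 3268 searches the global catalog the way adfind -gc does, at the cost of only seeing attributes that are replicated to the GC (objectSid and sIDHistory both are). The OldAccount column is the sidtoname step and goes to '(unresolved)' once the NT4 domain is gone, which is normal; an empty SidHistory column on an account the migration tool was supposed to carry over is the row worth investigating.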


RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Anderson Santos Patricio
Hi Joe,
 
You can use acctinfo.dll found in Resource kit of Windows 2003.
 
regsvr32 acctinfo.dll and this information and more appear in dsa.msc (active 
directory users and computers).
 
Thanks in advance,
 
Anderson Patricio
Microsoft Certified Systems Engineer on 2000/2003
Microsoft Certified Systems Administrator on 2000/2003 + Messaging
Red Hat Certified Technician
Computer Associates Unicenter Administrator
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 25/5/2004 15:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 


Yeah getsid will pull NT4 SID and objectSID from AD. It will not get sIDHistory. You 
can use adfind (on the website) to easily get sIDHistory and objectSID. So if you 
want just the AD SID and the SID migrated from NT4 which should be in the sIDHistory 
attribute, adfind will totally handle that...
 
adfind -gc -b -f name=xxx objectSid sIDHistory
 
If you need to resolve a sid to a name, the sidtoname tool on my site will handle that.
 
 
  joe
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 


getsid from nt 4.0 reskit will do that (in the downlevel domain), but i expect there 
is something that would work in both environments. (joeware?).



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 



The LDP.exe should do it for the AD side of the house, not sure about the NT side

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID 

 

In the middle of a migration from NT4 to AD and am looking for a tool that will 
display the SIDs (NT and AD) of migrated users.  We are using the NET IQ product for 
the user/computer migration.

Thanks in advance 


RE: [ActiveDir] Ad forest migration

2004-05-25 Thread Kern, Tom
For Quest?
yes, they sound great and i'd love to use them but its just not in the budget.

thanks

-Original Message-
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration


Don't know of any gotchas offhand, but I haven't used it in production.
Google is your friend.

Aleta/Quest costs more, but there's definite value in their tools.

Have you read the documentation?
- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 11:23 AM
Subject: RE: [ActiveDir] Ad forest migration


 any known gotchas (i know everything has gotchas) with admtv2, miis, and
 exchange migration wizard that i should be aware of from the get go?

 also, i assume going this route over Aelita/quest is the support and nice
 gui.

 and finally, how would i re-acl everything on the servers in the new
 forest? any tool or script for that?

 thanks (lot of questions, i know. but i'll let you know how it went and if
 i crashed and burned my enterprise!!).

 -Original Message-
 From: Missy Koslosky [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 24, 2004 10:58 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Ad forest migration


 The Exchange Migration Wizard.
 http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
 - Original Message - 
 From: Kern, Tom [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, May 24, 2004 7:13 PM
 Subject: RE: [ActiveDir] Ad forest migration


  I'm sorry if this is obvious but, what's a good Exchange migration tool
  that comes with Exchange 2k/2k3?
  And how does it differ from using exmerge to migrate mailboxes to PSTs
  and then import them into the new server/forest?
  thanks
 
  -Original Message- 
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Mon 5/24/2004 5:07 PM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] Ad forest migration
 
 
 
  Probably wouldn't use exmerge in favor of Exchange migration tools
  included with Exchange.  And it would be worth it to use Exchange 2003
  (tools at least), but otherwise it can be done.  Aelita is just nicer and
  easier to work with.  Both work.
 
  al
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Monday, May 24, 2004 4:24 PM
  To: ActiveDir (E-mail)
  Subject: [ActiveDir] Ad forest migration
 
  I'm on a serious budget and my IT dept doesn't have/want the money to
 spend
  on Aelita migration tools.
  we are looking to migrate our child domain into our own forest with
 exchange
  2k and still synch our gals.
 
  how much hubris would it be to do most of this with free tools like
  ADMTv2,MIIS, and exmerge?
  am I insane?
 
  thanks
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 




Re: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread Brent Westmoreland

I knew it was a job for joeware :o)


From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 25 May 2004 14:26:44 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

Yeah, getsid will pull the NT4 SID and objectSID from AD. It will not get sIDHistory. You can use adfind (on the website) to easily get sIDHistory and objectSID. So if you want just the AD SID and the SID migrated from NT4, which should be in the sIDHistory attribute, adfind will totally handle that...
 
adfind -gc -b -f name=xxx objectSid sIDHistory
 
If you need to resolve a sid to a name, the sidtoname tool on my site will handle that.
 

 joe
-
http://www.joeware.net/ (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

getsid from the NT 4.0 reskit will do that (in the downlevel domain), but I expect there is something that would work in both environments (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

LDP.exe should do it for the AD side of the house; not sure about the NT side.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID 
 
In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration.

Thanks in advance 


Sent using the Microsoft Entourage 2004 for Mac Test Drive.

Re: [ActiveDir] Ad forest migration

2004-05-25 Thread Missy Koslosky
Right.  I was wondering why you'd asked about them - that'd been my
impression.
- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 2:48 PM
Subject: RE: [ActiveDir] Ad forest migration


 For Quest?
 Yes, they sound great and I'd love to use them, but it's just not in the
 budget.

 thanks

 -Original Message-
 From: Missy Koslosky [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 25, 2004 1:11 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Ad forest migration


 Don't know of any gotchas offhand, but I haven't used it in production.
 Google is your friend.

 Aelita/Quest costs more, but there's definite value in their tools.

 Have you read the documentation?
 - Original Message - 
 From: Kern, Tom [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, May 25, 2004 11:23 AM
 Subject: RE: [ActiveDir] Ad forest migration


  any known gotchas (I know everything has gotchas) with ADMTv2, MIIS, and
  Exchange Migration Wizard that I should be aware of from the get-go?
 
  also, I assume going this route over Aelita/Quest is the support and
  nice GUI.
 
  and finally, how would I re-ACL everything on the servers in the new
  forest? any tool or script for that?
 
  thanks (lot of questions, I know. but I'll let you know how it went and
  if I crashed and burned my enterprise!!).
 
  -Original Message-
  From: Missy Koslosky [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 24, 2004 10:58 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Ad forest migration
 
 
  The Exchange Migration Wizard.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
  - Original Message - 
  From: Kern, Tom [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, May 24, 2004 7:13 PM
  Subject: RE: [ActiveDir] Ad forest migration
 
 
   I'm sorry if this is obvious but, what's a good Exchange migration tool
   that comes with Exchange 2k/2k3?
   And how does it differ from using exmerge to migrate mailboxes to PSTs
   and then import them into the new server/forest?
   thanks
  
   -Original Message- 
   From: Mulnick, Al [mailto:[EMAIL PROTECTED]
   Sent: Mon 5/24/2004 5:07 PM
   To: '[EMAIL PROTECTED]'
   Cc:
   Subject: RE: [ActiveDir] Ad forest migration
  
  
  
   Probably wouldn't use exmerge in favor of Exchange migration tools
   included with Exchange.  And it would be worth it to use Exchange 2003
   (tools at least), but otherwise it can be done.  Aelita is just nicer and
   easier to work with.  Both work.
  
   al
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
   Sent: Monday, May 24, 2004 4:24 PM
   To: ActiveDir (E-mail)
   Subject: [ActiveDir] Ad forest migration
  
   I'm on a serious budget and my IT dept doesn't have/want the money to
  spend
   on Aelita migration tools.
   we are looking to migrate our child domain into our own forest with
  exchange
   2k and still synch our gals.
  
   how much hubris would it be to do most of this with free tools like
   ADMTv2,MIIS, and exmerge?
   am I insane?
  
   thanks
  
  
  
 




RE: [ActiveDir] Looking for a tool that displays SID

2004-05-25 Thread joe
Absolutely, however if I need to do this with more than say 3 users or in
any domain that has more than 500 users or users spread across multiple OUs
you won't catch me saying GUI. Heck, you will rarely catch me saying it
anyway. There are some things that are better from the GUI, but not many. 
 
  joe
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anderson Santos
Patricio
Sent: Tuesday, May 25, 2004 2:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID


Hi Joe,
 
You can use acctinfo.dll found in Resource kit of Windows 2003.
 
regsvr32 acctinfo.dll, and this information and more appears in dsa.msc
(Active Directory Users and Computers).
 
Thanks in advance,
 
Anderson Patricio
Microsoft Certified Systems Engineer on 2000/2003
Microsoft Certified Systems Administrator on 2000/2003 + Messaging
Red Hat Certified Technician
Computer Associates Unicenter Administrator
 


From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 25/5/2004 15:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 


Yeah, getsid will pull the NT4 SID and objectSID from AD. It will not get
sIDHistory. You can use adfind (on the website) to easily get sIDHistory
and objectSID. So if you want just the AD SID and the SID migrated from NT4,
which should be in the sIDHistory attribute, adfind will totally handle
that...
 
adfind -gc -b -f name=xxx objectSid sIDHistory
 
If you need to resolve a sid to a name, the sidtoname tool on my site will
handle that.
 
 
  joe
-
http://www.joeware.net/ (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 


getsid from the NT 4.0 reskit will do that (in the downlevel domain), but I
expect there is something that would work in both environments (joeware?).


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 



LDP.exe should do it for the AD side of the house; not sure about the NT
side.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID 

 

In the middle of a migration from NT4 to AD and am looking for a tool that
will display the SIDs (NT and AD) of migrated users.  We are using the NET
IQ product for the user/computer migration.

Thanks in advance 

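Working from joe's description of pulling objectSid and sIDHistory with adfind, here is an added example (not code from the thread, and not joeware's): the raw values LDAP returns are binary SIDs, so this decodes them into S-1-5-... form and checks that each migrated account's sIDHistory actually points back at the expected NT4 domain, flagging any history SID from some other domain for review. The domain SIDs, RIDs and account names are constructed sample data.

```python
import struct

# Added example, not code from the thread or from joeware: decode the binary
# objectSid / sIDHistory values an LDAP query returns and audit the migration trail.

def sid_to_string(blob: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit authority, 32-bit subs) to S-1-5-... form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # identifier authority, big-endian
    subs = struct.unpack("<%dI" % sub_count, blob[8:])   # sub-authorities, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here to build sample LDAP values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def domain_part(sid: str) -> str:
    """Drop the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def migration_report(entries, old_domain_sid):
    """entries: (name, objectSid bytes, [sIDHistory bytes, ...]) as adfind/LDP would return them.
    Reports each account's current SID, its history, whether it carries a SID from the
    expected NT4 domain, and any history SIDs from some other domain (worth reviewing)."""
    report = {}
    for name, object_sid, history in entries:
        old = [sid_to_string(h) for h in history]
        report[name] = {
            "objectSid": sid_to_string(object_sid),
            "sIDHistory": old,
            "migrated_from_nt4": any(domain_part(s) == old_domain_sid for s in old),
            "foreign_history": [s for s in old if domain_part(s) != old_domain_sid],
        }
    return report

# Constructed sample data standing in for a real adfind result set.
NT4_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # old NT4 domain SID (made up)
AD_DOMAIN = "S-1-5-21-1234567890-987654321-192837465"       # new AD domain SID (made up)
SAMPLE_ENTRIES = [
    ("rlanci", string_to_sid(AD_DOMAIN + "-1234"), [string_to_sid(NT4_DOMAIN + "-1105")]),
    ("newhire", string_to_sid(AD_DOMAIN + "-1235"), []),        # created in AD, never migrated
    ("odd", string_to_sid(AD_DOMAIN + "-1236"), [string_to_sid("S-1-5-21-9-8-7-500")]),
]

if __name__ == "__main__":
    for name, info in migration_report(SAMPLE_ENTRIES, NT4_DOMAIN).items():
        print(name, info)
```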

[ActiveDir] Question about federated trusts in 2003

2004-05-25 Thread cflesher

I understand the principle of federated trusts for Windows 2003 forests. However, I have a question that I'm hoping someone can answer for me.

Let's say you have a 2003 forest authenticating to a Unix MIT Kerberos realm. Furthermore, you want to set up a federated trust between that forest and another 2003 forest which uses the native KDC in 2003 for authentication. Is this possible? Would something break?

Any thoughts on this issue would be greatly appreciated.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



RE: [ActiveDir] Anonymous bind

2004-05-25 Thread Guy Teverovsky
LDAP with SSL/TLS is way better than NIS.

As for the environment, it's two W2K3 forests with a Kerberos forest trust.
Forest A has several child domains and holds the user accounts.
Forest B is where my hosts are (we are a relatively small organization in
the enterprise, but we are R&D and want to have control at least over
the hosts).

So users can come from any child domain of forest A and log on to hosts
in forest B. Now Linux does not play well when the host is in one
realm and users are from several other realms... The only workaround is
to map uid to the Kerberos principal in LDAP. Modifying the A forest schema
(user accounts) is not an option, and it's quite reasonable considering
the small size of our division.

So here I am, stuck with LDAP authentication ...
If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
 Just for curiosity...
 
 You don't want to use NIS because it's less secure, yet you are going to use
 LDAP for authentication?  Isn't that a counter?
 
 Can you give an overview of your topology and what you're wanting to
 accomplish in the end?  I think we tried to help with the original post
 without all of the topology information.  
 
 Sounds like an interesting problem though...
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Friday, May 21, 2004 7:01 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous bind
 
 If you excuse me, I will break the inline pattern ;). It got too unreadable.
 
 I have seen the interoperability doc. I have also read the whole doc
 mentioned in the post. It's a very good reference, but is lacking any
 description of Kerberos deployments in multi-realm environments.
 Personally I had to choose LDAP authentication instead of Kerberos because
 my hosts are in one forest, while user accounts are from a child domain of
 another forest. If someone is aware of a workaround for that, monthly beer
 supply is on me ;)
 
 SFU is nice, but it tries to emulate NIS and, with all due respect to NIS,
 its time is gone. There are just too many security issues with NIS.
 
 As for having more than one directory, see my reply to joe. I wish I could
 put it all in one place, but it's not always possible.
 
 Guy
 
 On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
  A few bits more.
  
  [Guy] I know that I am speculating here but all I wanted to do is to 
  point the finger to the interoperability issue. Setting up a 
  heterogeneous environment is a pain. Putting *nix clients (or 
  services) into the AD mix is not easy. One would blame the marketing 
  attitude, the other would blame the maturity level of the other OSes. 
  The truth, I believe, is somewhere in between. So here we go:
  
  [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
  And just about anything around SFU (which might I point out again won best
 app at Linux world)? 
  I think we've done a great job of interop. Can we do better? Always! And
 we continue to work on it. 
  But we're doing a *lot* in this space.
  We have docs out there that go down to even walk you through how to set
 up the pam modules! 
  We have a lot out there. Here's one of my fav docs, but there are
 others
  this is from a post to this very DL: 
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html
  
  
  1) You are right. Nobody mentioned schema extensions, but the truth is 
  that if you are considering the integration of open source services, 
  you probably do have some Linux boxes around. NIS sucks big time. NIS+ 
  is a pain to configure and both do not give you SSO. AD is great, but 
  does not have out-of-the-box capabilities to absorb non-MS clients. So 
  what is left for those that cannot afford VAS? Either tweak the 
  schema (Linux client will have hard time without posixAccount and 
  posixGroup
  objectClasses) or have a cut down functionality (sendmail LDAP mail 
  routing is great, but I would not extend the AD's schema just to make 
  sendmail happy). And if you are still short on the $$$, you are 
  starting to improvise (talking about OpenLDAP...). SMBs are somewhat 
  neglected in this area.
  
  2) Small *heterogeneous* environments. If all you have is Windows, 
  there is no reason to bring in more overhead. Long live and prosper AD !
  
  3) 
  a) Linux clients logons require uid, uidNumber, gidNumber and etc...
  (SFU sounds nice at first, till you hit the non-RFC compliance barrier 
  of the uid attribute in SFU and realize that NIS is by no means a secure
  environment)
  [EFLEIS] - Yup, SFU can do this. Schema extension required of course, but
 painless (if memory serves me correctly, no PAS extensions there).
   
  b) a lot of *nix services can be easily managed through LDAP
 backend, 
  though the interoperability issues with AD force the creation of 
  another directory. I totally agree with you here - it IS overhead, but 
  if I extend the 

[ActiveDir] Really goofy DNS trouble

2004-05-25 Thread Malachi Burke

Hey guys, I inherited a network with a very goofed-up AD/DNS server. The forward lookup zone contains no _msdcs entry, nor does it contain any client entries. We've been limping along with it this way, but now we've got a new DC+DNS in to take over. Trouble is, the new DC can't complete replication, and it seems to be because of a failed DNS resolution. Yuck! I tried ipconfig /registerdns but to no avail. Any ideas?

My hope was to start anew with a fresh DNS server, but it's a little discomforting doing a backup from one Win2K machine and a restore onto the new Win2K3 machine when COM+ registry settings and friends are involved in an AD backup/restore, so I opted for replication, and here we are...

Mal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

getsid from the NT 4.0 reskit will do that (in the downlevel domain), but I expect there is something that would work in both environments (joeware?).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID 

LDP.exe should do it for the AD side of the house; not sure about the NT side.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID 

In the middle of a migration from NT4 to AD and am looking for a tool that will display the SIDs (NT and AD) of migrated users. We are using the NET IQ product for the user/computer migration.

Thanks in advance