[ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Kenny Lee

Hello,

I have a query here. I would like to track the permissions on a specified
folder for users (Modify, Full Control, etc.) that can be displayed on the
intranet page or in any other way. Are there any tools that can do this? It
would be great too if there is a way to put the data into an Excel file. This
is to know who modified the file/folder permissions, as well as to know the
latest file/folder permissions that the users have.

Thanks.

rgds,
ken

RE: [ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Nicolas Blank
Lots of third party tools to do this.
I did exactly this for a client the other day using Quest Reporter,
published to HTML, Excel, whatever, automatically, and collected into a DB for
auditing; it was an auditing requirement for a health provider.

File/folder mods can be tracked using auditing on object access on the
file/print box. Again I used Reporter for this to store the logs (audit
requirement) and report on them on an exception basis. It's not the only tool
out there, but it fitted the client's requirement to a T: no agents on any
boxes, track file/folder/share ACLs and compare over time what was modified and
by whom.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee
Sent: 27 May 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users file permission display on intranet page or to file

Hello,

I have a query here. I would like to track the permissions on a specified
folder for users (Modify, Full Control, etc.) that can be displayed on the
intranet page or in any other way. Are there any tools that can do this? It
would be great too if there is a way to put the data into an Excel file. This
is to know who modified the file/folder permissions, as well as to know the
latest file/folder permissions that the users have.

Thanks.

rgds,
ken
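Added example, not from the thread and not part of Quest Reporter or any other product named above: a Python script that diffs two ACL snapshots of a folder tree and writes the changes as CSV that Excel opens directly. It assumes the snapshots were taken with `icacls <folder> /save <file> /t`, whose output alternates a relative path line with that path's SDDL descriptor; the two snapshots in the block are constructed sample data and the rights table is my own.

```python
"""Compare two icacls /save snapshots of a folder tree and report ACE changes.

Added example (not the thread's or any product's code). Assumes the
``icacls <folder> /save <file> /t`` format: path line, then SDDL line.
The two snapshots below are constructed sample data.
"""
import csv
import io
import re

# One ACE inside a DACL: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")

# Readable names for the SDDL rights strings and hex masks seen in practice.
RIGHTS = {
    "FA": "Full Control",
    "0x1301bf": "Modify",
    "0x1200a9": "Read & Execute",
    "FR": "Read",
    "FW": "Write",
}


def parse_snapshot(text):
    """Return {path: set of (type, flags, rights, trustee)} for one snapshot.

    Only the DACL (the part of the SDDL string after 'D:') is compared; the
    owner, group and SACL parts are ignored so that an audit-rule change does
    not show up as a permission change.
    """
    lines = [ln.rstrip("\r\n") for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("snapshot must alternate path and SDDL lines")
    acls = {}
    for path, sddl in zip(lines[::2], lines[1::2]):
        dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
        dacl = dacl.split("S:", 1)[0]          # stop at the SACL if present
        aces = set()
        for ace_type, flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
            aces.add((ace_type, flags, rights, trustee))
        acls[path] = aces
    return acls


def diff_snapshots(old, new):
    """List (path, change, trustee, ace_type, rights) for every ACE that differs."""
    changes = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path, set()), new.get(path, set())
        for ace in sorted(before - after):
            changes.append((path, "removed", ace[3], ace[0], RIGHTS.get(ace[2], ace[2])))
        for ace in sorted(after - before):
            changes.append((path, "added", ace[3], ace[0], RIGHTS.get(ace[2], ace[2])))
    return changes


def to_csv(changes):
    """Render the change list as CSV text that Excel can open directly."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "change", "trustee", "ace_type", "rights"])
    writer.writerows(changes)
    return buf.getvalue()


# Constructed snapshots of one share taken a day apart: on Tuesday the
# payroll folder has inheritance broken, Users raised to Modify and an
# explicit Full Control ACE added for one account SID.
SNAPSHOT_MONDAY = """\
finance
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)
finance\\payroll
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
"""
SNAPSHOT_TUESDAY = """\
finance
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)
finance\\payroll
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICI;0x1301bf;;;BU)(A;OICI;FA;;;S-1-5-21-1-2-3-1105)
"""

if __name__ == "__main__":
    report = diff_snapshots(parse_snapshot(SNAPSHOT_MONDAY),
                            parse_snapshot(SNAPSHOT_TUESDAY))
    print(to_csv(report))
```

Run the snapshot on a schedule and keep the CSV with the object-access audit log; the diff tells you what changed, the audit log tells you who changed it.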
RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-27 Thread Canzoneri, Kurt
Check out this MS KB article: 832539.

Thank You,
 
Kurt Canzoneri, MCSE
Infrastructure Architect
EIG
Valassis / Operations
47585 Galleon Drive
Plymouth, MI. 48170
Tel 734-354-2496
Fax 734-354-2694
[EMAIL PROTECTED]
www.valassis.com
 
This message may have included proprietary or protected information.  This
message and the information contained herein are not to be further
communicated without my express written consent.
 
-Original Message-
From: Airhart, Cliff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines at
100% for about 60 seconds then drops to 5% for about 30 seconds. This high
and low cycle continues to repeat. When the CPU is high the lsass.exe
process is the cause of the high CPU. From what I understand that is the
Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Terminal Services for administration????

2004-05-27 Thread Douglas M. Long
Does everyone use terminal services for remote administration of all their
DCs, Fileservers, Exchange Servers, or is there something else you like
better?



RE: [ActiveDir] Password set and enable account

2004-05-27 Thread Douglas M. Long
Guido/Al, thanks for the help. I think I got what I need now. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 24, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

here's a sample batch that should help you get started

/Guido


set inputfile=%1
if '%inputfile%'=='' goto ErrInput
set logfile=.\%inputfile%_log.txt

echo.
echo Updating password settings for user listed in: %inputfile%
echo Logfile: %logfile%
echo.

echo. >> %logfile%
echo. >> %logfile%
echo Inputfile: %inputfile% >> %logfile%
date /T >> %logfile%
time /T >> %logfile%
echo Step 1: setting PW to new value >> %logfile%
echo. >> %logfile%
echo. >> %logfile%

REM Read users from inputfile and execute UpdatePWsetting routine
set /A count=1
FOR /F "tokens=1-2 delims=;" %%i in (%inputfile%) DO set CurUser=%%i && set newPW=%%j && call :Sub_PWchange
start notepad %logfile%

goto END


:Sub_PWchange
echo now updating User%count%: %CurUser% PW:%newPW%
echo User%count%: %CurUser% PW:%newPW% >> %logfile%
dsquery user -samid %curUser% | dsmod user -pwd %newPW% >> %logfile%
REM *** dsmod user -pwd only works on Win2k3 DCs => for Win2k the "net user" cmd must be used ***
REM net user %CurUser% %newPW% >> %logfile%
set /A count=%count%+1
GOTO :EOF


:ErrInput
echo.
echo **
echo ERROR: missing inputfile - script will quit
echo.
echo Syntax: update_pwChange.bat myUser-list.csv
echo Format of input-file: username;newPW
echo **
echo.
pause

:END
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, 24 May 2004 15:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account
  
Oh yeah, I guess I have to read the username from a file and pass it into the
dsmod command also. Do I just want a list of users in a .txt file, .csv??? And
how do I read from that?
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password set and enable account

Ok, so my task is to generate random passwords and enable the accounts for 3200
users. The user accounts and all attributes were first created with ldifde, and
I am now thinking about using the dsmod utility to accomplish the password set
and account enablement. I wish I knew vbs like you guys do, but I don't yet
(this year's resolution). So here is what I have for the password generation
part:


Function Password_GenPass( nNoChars, sValidChars )
    ' nNoChars = length of generated password
    ' sValidChars = valid characters. If zero-length string ( "" ) then
    ' default is used: A-Z AND a-z AND 0-9
    ' (w and W added to the default set so it really covers A-Z and a-z)

    Const szDefault = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    Dim nCount
    Dim sRet
    Dim nNumber
    Dim nLength

    Randomize 'init random

    If sValidChars = "" Then
        sValidChars = szDefault
    End If
    nLength = Len( sValidChars )

    For nCount = 1 To nNoChars
        nNumber = Int((nLength * Rnd) + 1)
        sRet = sRet & Mid( sValidChars, nNumber, 1 )
    Next
    Password_GenPass = sRet
End Function

WScript.Echo "Your password: " & Password_GenPass( 10, "" )

What is my next move? I am guessing I have to pass this password to a variable,
instead of echo, and then somehow pass that into the dsmod command, but as I
already said, I don't know vb script. Any help is highly appreciated.




RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread cflesher
It's convenient to use. There are things you can't do while you have a
session open. Overall, it's adequate for us, all things considered.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Douglas M. Long
 Sent: Thursday, May 27, 2004 8:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Terminal Services for administration
 
 
 Does everyone use terminal services for remote administration 
 of all their DCs, Fileservers, Exchange Servers, or is there 
 something else you like better?
 


RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread Rutherford, Robert
Tend to use TS on an everyday level... and also Dameware for
emergencies.

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: 27 May 2004 14:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration


Does everyone use terminal services for remote administration of all
their DCs, Fileservers, Exchange Servers, or is there something else you
like better?


This e-mail and the information it contains are confidential and may be privileged. If 
you have received this e-mail in error please notify the sender immediately and delete 
the material from any computer. Unless you are the intended recipient, you should not 
copy this e-mail for any purpose, or disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this 
communication as it has been transmitted over a public network. Whilst the MCPS-PRS 
Alliance monitors all communications for potential viruses, we accept no 
responsibility for any loss or damage caused by this e-mail and the information it 
contains.
It is the recipient's responsibility to scan this e-mail and any attachments for 
viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality 
control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England under company 
number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 
3AB.



RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread Charlie Kaiser
I use TS for a lot of admin work, but we also use dameware, since it allows
for a console session on W2K machines (which we have a lot of, as well as a
few remaining NT 4 boxes). It's got some bugs, but it's easy to use and the
dameware utilities allow a lot of centralized remote management. We use it
for client work a lot too...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 27, 2004 6:37 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Terminal Services for administration
 
 Does everyone use terminal services for remote administration 
 of all their
 DCs, Fileservers, Exchange Servers, or is there something 
 else you like
 better?
 


[ActiveDir] Pages Printed

2004-05-27 Thread JCARROS
Hello,
Does everyone use any software to audit pages printed? Another solution?

Thanks.

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance or a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.


RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread joe
I prefer to use remote tools from workstations. When you log directly into
servers there is a higher probability of doing something bad by accident.
There are some things you can't do remotely but they should be things you
don't have to very often at all, like for instance recovery mode on a DC. 

If you have specific tasks you are interested in, you could probably post a
list and people could say what remote tools to use. 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration

Does everyone use terminal services for remote administration of all their
DCs, Fileservers, Exchange Servers, or is there something else you like
better?



RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread Gasper, Rick
I use TS all the time.
There is a console switch in Windows Server 2003, and it "supports the Remote
Desktop Protocol (RDP) 5.1 feature set. It also has the ability to remote the
actual console session of the server." (from the MS web site)

Joe brought up an interesting point: certain things should not be done from an
RDP session. Always run RDP in a window and you should avoid most of the
issues.

There is a version of RDP that runs on Linux as well and that makes it a
convenient tool from anywhere.



Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH:  570-208-5845
Fax: 570-208-6072


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services for administration

I prefer to use remote tools from workstations. When you log directly into
servers there is a higher probability of doing something bad by accident.
There are some things you can't do remotely but they should be things you
don't have to very often at all, like for instance recovery mode on a DC.

If you have specific tasks you are interested in, you could probably post a
list and people could say what remote tools to use.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration

Does everyone use terminal services for remote administration of all
their
DCs, Fileservers, Exchange Servers, or is there something else you like
better?



RE: [ActiveDir] Pages Printed

2004-05-27 Thread Gasper, Rick
Pcounter here: http://www.andtechnologies.com.
It can pull the users from AD and do just about everything you need. The price
was right as well.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH:  570-208-5845
Fax: 570-208-6072

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Pages Printed
Sensitivity: Private

Hello,

Does everyone use any software to audit pages printed? Another solution?

Thanks.

RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread Marcus.Oh
Stay native as much as possible here... TS unless TS is crapped out... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration

Does everyone use terminal services for remote administration of all
their
DCs, Fileservers, Exchange Servers, or is there something else you like
better?



RE: [ActiveDir] Terminal Services for administration????

2004-05-27 Thread rmcdonald
Return Receipt: your "RE: [ActiveDir] Terminal Services for administration"
document was received by Ryan McDonald/bankersbank at 05/27/2004 10:49:52 AM.


[ActiveDir] linked server error in SQL/AD query

2004-05-27 Thread Creamer, Mark
I'm trying to use the OLEDB provider to link AD to SQL Server to run some ad
hoc queries. It's returning an error:

Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'.
OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate
syntax, but I'm using the exact same syntax as the query they say works (as far
as I can tell).

After executing my sp_addlinkedserver statement, which works fine, I run the
following:

SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName
    FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here''
    where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else
has had success with this.
Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation


[ActiveDir] Manual DC removal EventID

2004-05-27 Thread J0mb
Good morning,

Some days ago I had to manually remove a dead Win2000 DC from our network,
according to Q216498 and
http://www.winnetmag.com/Article/ArticleID/13414/13414.html.

Removal seemed ok. Today I got the following event in my log. I believe it's
an expected warning, however I'd just want to make sure that there's nothing
to be concerned about.

Thanks all

Alex


Event Type: Information
Event Source:   NTDS KCC
Event Category: (1)
Event ID:   1272
Date:   27/05/2004
Time:   10.59.52
User:   N/A
Computer:   RMD01
Description:
No nTDSConnection object exists for inbound replication from server
CN=NTDS Settings\0ADEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02\0ADEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local
at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local.
The partition CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.



RE: [ActiveDir] Password set and enable account

2004-05-27 Thread joe
Below is a quick and dirty perl script to do it, to give the perl viewpoint for
anyone wondering, hey, how do I do this in perl. :o)

You will feed it the following command line args:

input file name. This is a file with one id per line like joe\joeuser
output file name. This is where you want details sent
base pwd length. How long is the shortest password? (i.e. min password length)
random pwd length. How many possible random characters to add to base (i.e. max
password length)

You only have to feed it the input file name and it will dump to console and
use defaults of 8 and 6 for the other options.

Note the password character sets are manipulated down in the GeneratePassword
routine.

The default sets are

@sets[0]="abcdefghijkmnpqrstuvwxyz";
@sets[1]="ABCDEFGHJKLMNPQRSTUVWXYZ";
@sets[2]="23456789";
@sets[3]="-+~*%$#!";

The script will build a password (length allowing) of at least one character
from every set. It will then take and randomly pick from the sets and add new
characters until it reaches the specified password length. You can remove sets
if you would like. Say you don't want set 3, you simply delete that line or
comment it. If you don't want set 0, delete or comment it and renumber the
other sets.

Note that I do not use lowercase l (ell) and the number 1 (one). This is
because they can be confused in many fonts.

If you wanted all IDs to have a password length of 6 you would do something
like

bulkpwdrst infile outfile 6 0

Here is an example run

___TEST.TXT___
joe\joeuse
joe\joeuser
joe\joeuser
joe\joeuser
joe\joeuser
joe\joeuser
joe\joeuser
joe\joeuser
joe\joeuser


___SCREEN SHOT___
[Thu 05/27/2004 10:56:55.90]F:\DEV\Perl\PwdRst>bulkpwdrst test.txt test.out

BulkPwdRst V01.00.00pl Joe Richards ([EMAIL PROTECTED]) May 2004

Password BaseLength: 8
Password MaxLength : 14
Processing joe\joeuse...
ERROR: Couldn't translate joe\joeuse
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...
Processing joe\joeuser...

[Thu 05/27/2004 10:57:00.80]F:\DEV\Perl\PwdRst>


___TEST.OUT___
ERROR: Couldn't translate joe\joeuse
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to gA8*8j7-L+E29
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to qL5**2yRa3
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to gR7!2C66N79f
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to rW7%KHfkD!V
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to aZ4~wz7UF6~n3
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to rC5*iuUP
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to bR9+~wL!6*ec
Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to sP2%T!*7*

#*********************************************************************
#* BulkPwdRst
#*===================================================================*
#* Author : Joe Richards ([EMAIL PROTECTED])
#* Version: V01.01.00
#* Modification History:
#*   V01.00.00 2004.05.27 joe Original Version
#*-------------------------------------------------------------------*
#* This file is a PERL script that resets passwords.
#*-------------------------------------------------------------------*
#* Notes:
#*********************************************************************

use Win32::OLE;
use Win32::OLE::Enum;

# command line: infile [outfile [baselength [randomlength]]]
$infile=shift;
$outfile=shift;
$baselength=(shift or 8);
$randlength=(shift or 6);

$quiet=0;
$randinit=0;

print "\nBulkPwdRst V01.00.00pl Joe Richards ([EMAIL PROTECTED]) May 2004\n\n";

if (!$infile) {DisplayUsage()};
open ifh,"$infile" or die("ERROR: Couldn't open input file: $infile - $!\n");

print "Password BaseLength: $baselength\n";
print "Password MaxLength : ",$baselength+$randlength,"\n";
if (!$outfile) {
  print "Writing output to Console...\n";
  $outfile="CON:";
  $quiet=1;
} else {$outfile="$outfile"};

open ofh,">$outfile" or die("Error: Couldn't open output file: $outfile - $!\n");

# one NT4-style id (domain\user) per input line
foreach $thisid (<ifh>) {
  chomp $thisid;
  next unless $thisid;
  if (!$quiet) {print "Processing $thisid...\n"};
  $userdn=TranslateNT4Name($thisid);
  if (!$userdn) {
    if (!$quiet) {print "ERROR: Couldn't translate $thisid\n"};
    print ofh "ERROR: Couldn't translate $thisid\n";
    next;
  }
  $password=GeneratePassword($thisid, $baselength, $randlength);
  print ofh "Resetting $thisid ($userdn) to $password\n";
  # bind to the user object and call IADsUser::SetPassword
  $o=Win32::OLE->GetObject("LDAP://$userdn");
  $lasterror = Win32::OLE->LastError();
  if ($lasterror) {print ofh "$lasterror\n"}
  else {
    $o->SetPassword($password);
    $lasterror = Win32::OLE->LastError();
    if ($lasterror) {print ofh "$lasterror\n"}
  }
}

exit;

sub DisplayUsage {
  print "Usage: BulkPwdRst infile [outfile [baselength [randomlength]]]\n";
  print "
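Added example, not joe's script (his GeneratePassword routine is cut off in the archive above): the set-based scheme he describes, in Python, with his four default sets, drawing from the operating system's CSPRNG through the secrets module rather than a seeded Rnd as in the VBScript earlier in the thread. SETS, generate_password, covers_all_sets and plan_resets are names I chose.

```python
"""Set-based reset-password generation as described for BulkPwdRst.

Added example (not joe's Perl code). SETS copies the four default character
sets from his note; everything else is my own implementation.
"""
import secrets

# joe's default sets: no lowercase l, no digit 1 (and no I, O, 0 either),
# because they are confused in many fonts. Delete a line to drop a set.
SETS = [
    "abcdefghijkmnpqrstuvwxyz",   # set 0: lowercase without l
    "ABCDEFGHJKLMNPQRSTUVWXYZ",   # set 1: uppercase without I and O
    "23456789",                   # set 2: digits without 0 and 1
    "-+~*%$#!",                   # set 3: symbols
]


def generate_password(baselength=8, randlength=6, sets=SETS):
    """Return a password of length baselength .. baselength + randlength.

    First one character from each set (as far as the length allows, in set
    order), then random picks over all sets until the target length is
    reached, then a shuffle so the mandatory characters are not always at
    the front. All randomness comes from the OS CSPRNG.
    """
    if baselength < 1 or randlength < 0 or not sets:
        raise ValueError("need baselength >= 1, randlength >= 0 and at least one set")
    length = baselength + secrets.randbelow(randlength + 1)
    chars = [secrets.choice(s) for s in sets[:length]]
    while len(chars) < length:
        chars.append(secrets.choice(secrets.choice(sets)))
    # secrets has no shuffle; SystemRandom is backed by the same OS source.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_sets(password, sets=SETS):
    """True when the password contains at least one character from every set."""
    return all(any(c in s for c in password) for s in sets)


def plan_resets(ids, baselength=8, randlength=6):
    """Pair each non-blank id (one per input line, e.g. joe\\joeuser) with a
    fresh password, mirroring the script's 'Resetting id to password' lines."""
    return [(i.strip(), generate_password(baselength, randlength))
            for i in ids if i.strip()]


if __name__ == "__main__":
    # constructed input lines in the script's joe\joeuser format
    for user, pwd in plan_resets(["joe\\joeuser", "", "joe\\janeuser"]):
        print(f"Resetting {user} to {pwd}")
```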

RE: [ActiveDir] user script

2004-05-27 Thread joe
Are these different forests?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

would this script let me add users from domain A to a universal group in
domain B?

Const ADS_PROPERTY_APPEND = 3
' placeholder DNs: the group lives in the parent domain, the users in a child domain
Set objGroup = GetObject _
    ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
    Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
          "cn=username2,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
          "cn=username3,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain")
objGroup.SetInfo


I ran this from task scheduler and got an exit code of 0 (success?), however
when I look in the group, these users are not present.
Do I need to specify a GC for universal groups? And how? Should I run the
script on a GC?

thanks


RE: [ActiveDir] AD and Exchange not sharing.

2004-05-27 Thread joe
Sorry on the delay on this...

I just wanted to say that RUS is responsible for pulling things into and out
of the GAL and updating A.L.'s, etc. If the user objects are in the GAL at all,
the RUS has done its job. The client should be calling out to get the rest of
the info. Depending on the client version, it will either go through DSPROXY on
the Exchange Server or go directly to the GCs.

So if you have a user who isn't showing up in the GAL, look at RUS and/or look
at AD replication.

If you have a user who shouldn't be showing up in the GAL, look at the RUS
and/or look at AD replication.

If you have a user who doesn't have all info showing up, chase how it gets that
info. Could be a cache issue, could be a data-not-in-AD issue, could possibly
be (but not sure how) a DSPROXY issue.

If you have an A.L. that isn't displaying users, look at the RUS and/or look at
AD replication.

If you have an A.L. that isn't displaying some users, look at the RUS (and
specifically verify the filter works as expected and no, looking at the ESM
will not tell you if the filter is working as expected) and/or look at AD
replication.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 24, 2004 5:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and Exchange not sharing.

RUS = Recipient Update Service. It runs on one or 
more of your Exchange servers and is responsible for updating recipients. 
Specifically, if you see problems with the GAL, it's often the culprit. 


When you checked the logs, did you check them on the 
Exchange server that has the RUS? You can find it via ESM in the 
Recipients | Recipient Update Services node. When you click on whichever 
one is for your domain that has the user accounts, it will give the properties 
which will tell you which server hosts it.

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.


> That couldn't be a RUS problem could it? ;)
Sorry, but I don't know what RUS stands for.

> Have you checked the logs for the past 24-48 hours? What do you see (Check
> the Exchange server that has the RUS).
Yes, I have checked the logs and there are only errors for disabled accounts
that have not been deleted.

> What about topology? Do you have only W2K3 and E2K3 servers?
All of our domain controllers are W2K3, as well as the Exchange servers. File
servers are mixed.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Office 2003 running on Windows XP, some using cache and some are not. Domain is
running under W2K3 servers, 2k native, with an Exchange 2003 Server.

Thanks,
S





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, May 24, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Hi 
Steve

What sort of clients are you experiencing the problem with? If the problem
clients are using Outlook 2000 in off-line mode or Outlook 2003 in cached mode
then it is conceivable that they are configured with the "no details" mode in
the download address book options.

Maybe you could give us a few more details about the environment (versions,
whether it is mixed or native mode, etc.).

Tony




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Montag, 24. Mai 2004 18:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and Exchange not sharing.
Importance: High
It appears that Exchange and the AD are not syncing information. We have recently discovered that, under the global address list (displayed in Outlook), the user name properties (address, phone, etc.) are blank, even though in ADUC the address, department and phone are listed. It seems only to be happening for a handful of people. Does anyone know how to fix this? Or what the problem may be?

Thanks,
S



RE: [ActiveDir] Manual DC removal EventID

2004-05-27 Thread Rutherford, Robert
Go in sites and services and delete any server objects relating to the
deleted server.

BR

Rob

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED] 
Sent: 27 May 2004 15:53
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual DC removal  EventID


Good morning,

Some days ago I had to manually remove a dead Win2000 DC from our
network, according to Q216498 and
http://www.winnetmag.com/Article/ArticleID/13414/13414.html.

Removal seemed ok. Today I got the following event in my log. I believe
it's an expected warning, however I'd just want to make sure that
there's nothing to be concerned about.

Thanks all

Alex


Event Type: Information
Event Source:   NTDS KCC
Event Category: (1)
Event ID:   1272
Date:   27/05/2004
Time:   10.59.52
User:   N/A
Computer:   RMD01
Description:
No nTDSConnection object exists for inbound replication from server
CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local
at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local.  The partition
CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
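A check that matches the advice above, written for this thread as an added example rather than anything the list posters ran: it searches CN=Sites in the Configuration partition for a live server object still carrying the dead DC's name and for any nTDSConnection whose fromServer still points at it. It assumes the caller can read the Configuration partition; the default server name RMD02 is taken from the event text above.

```powershell
# Added example, not code from the thread: after a manual DC removal, report whether
# any live server object or any connection object referencing the dead DC is still
# in Sites and Services. Assumptions: run as a user who can read the Configuration
# partition; $DeadDc defaults to the server name in the event above (RMD02).
param(
    [string]$DeadDc = 'RMD02'
)

function Search-Sites {
    # Subtree search below CN=Sites in the Configuration partition of the current forest.
    param([string]$Filter, [string[]]$Attributes)
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $sitesDn = 'CN=Sites,' + [string]$rootDse.Properties['configurationNamingContext'][0]
    $root    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$sitesDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.PageSize = 500
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

function Test-DeadDcCleanup {
    param([string]$ServerName)
    $problems = @()

    # 1. A server object with the dead DC's name means the Sites and Services step is incomplete.
    $serverFilter = '(&(objectClass=server)(cn=' + $ServerName + '))'
    foreach ($r in Search-Sites $serverFilter @('distinguishedName')) {
        $problems += 'Server object still present: ' + $r.Properties['distinguishedname'][0]
    }

    # 2. Connection objects on surviving DCs whose fromServer still points at the dead DC.
    #    A DN link to a deleted object renders with a "DEL:<guid>" marker, exactly as the
    #    KCC 1272 event above shows, so match either the plain name or that marker.
    $namePattern = 'CN=' + [regex]::Escape($ServerName) + '(,|$)'
    foreach ($r in Search-Sites '(objectClass=nTDSConnection)' @('distinguishedName', 'fromServer')) {
        $from = [string]$r.Properties['fromserver'][0]
        if ($from -match $namePattern -or $from -match 'DEL:') {
            $problems += ('Connection {0} still replicates from {1}' -f $r.Properties['distinguishedname'][0], $from)
        }
    }
    return $problems
}

$findings = @(Test-DeadDcCleanup -ServerName $DeadDc)
if ($findings.Count -eq 0) {
    "No server or connection objects referencing $DeadDc remain under CN=Sites."
} else {
    $findings
}
```

An empty result is the expected outcome once the KCC has dropped the connection the event describes; anything listed is a leftover to remove by hand.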




RE: [ActiveDir] AD and Exchange not sharing.

2004-05-27 Thread joe
I agree with Deji. These slow your server down considerably every time it is
hit. Personally I think the issue is a stupid one but MS stands behind it.
They assume that if the userid is disabled and the user object has mail
information the only possible reason is that the mailbox is supposed to be
tied to some other userid in some other forest/nt domain. Of course you
could NEVER have just a disabled userid. 

It is fun because you could have normal user admins seriously impacting the
functionality of Exchange.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Yes, I have checked the logs and there are only errors for disabled
accounts that have not been deleted.
 
I know that this is NOT the cause of your current problem, but I strongly
advise you to NOT ignore these errors. The more of them you get, the more
performance impact your Exchange server sees.
 
See http://support.microsoft.com/?id=278966 on how to fix/prevent the
errors.
I got a tool (from PSS, I think) called NoMas.exe that goes through AD and
associate unassociated disabled accounts appropriately. Next time you speak
with PSS, mention your Event ID 9548 problem to them and request that they
give you something like NoMas.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Mon 5/24/2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.



 

> That couldn't be a RUS problem could it? ;)
Sorry, but I don't know what RUS stands for.

> Have you checked the logs for the past 24-48 hours?  What do you see (Check the Exchange server that has the RUS).
Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

> What about topology?  Do you have only W2K3 and E2K3 servers?
All of our domain controllers are W2K3, as well as the Exchange servers. File servers are mixed.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Office 2003 running on Windows XP, some using cache and some are not.
Domain is running under W2K3 servers, 2k native, with an Exchange 2003
Server.

Thanks,
S

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, May 24, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

 

Hi Steve

 

What sort of clients are you experiencing the problem with?  If the problem
clients are using Outlook 2000 in off-line mode or Outlook 2003 in cached
mode then it is conceivable that they are configured with the no details
mode in the download address book options.

 

Maybe you could give us a few more details about the environment (versions,
whether it is mixed or native mode, etc.).

 

Tony

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Montag, 24. Mai 2004 18:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and Exchange not sharing.
Importance: High

It appears that Exchange and the AD are not syncing information.  We have
recently discovered that, under the global address list (displayed in
Outlook), the user name properties (address, phone, etc.) are blank, even
though in ADUC the address, department and phone are listed.  It seems only to
be happening for a handful of people.  Does anyone know how to fix this? Or
what the problem may be?

 

Thanks,
S 

 



RE: [ActiveDir] Imaged Computers

2004-05-27 Thread stefano tufillaro
Exactly, you can. SYSPREP is driven by a configuration file.

From: Chris Blair [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Imaged Computers
Date: Wed, 26 May 2004 09:56:07 -0500

Our testing group is imaging computers for testing. The problem is with
the computer object and the SID. The PC was imaged as a member of our
Domain. So when it is re-imaged the computer passwords are not synced.
The only way I have found to fix this is delete the computer object,
remove the computer from the domain, and add it back again.
So I am trying to figure out a better way to do this. If I use
SYSPREP before the image is created, will I still need to add the PC to
the domain or can the image then be created with the computer as a
domain member?
My other thought is creating an OU and giving them rights to
add/remove computers from there only. Is that a good idea?
I have not had much luck with NETDOM on the computer in
question. But I believe that is due to the mixed up SIDs and computer
passwords. If I use the SYSPREP, should I be able to use NETDOM to add
the computer to the domain without physically being there?



RE: [ActiveDir] linked server error in SQL/AD query

2004-05-27 Thread Mikael Svennungsson



Mark,

I tried your SQL-statement with a linked server and it works perfectly.

What account are you running the linked server as?

Our experience is that if you change the account information used for the linked server, you should delete it, create a new one and set the account info before you hit the OK-button to get the best result.

Hope that this tiny information can help you.

Regards,

/MS

By the way: W2k Sp3, SQL 2000 sp3 was used



From: Creamer, Mark
Sent: Thu 2004-05-27 16:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] linked server error in SQL/AD query


I'm trying to use the OLEDB provider to link AD to SQL server to run some ad hoc queries. It's returning an error:
Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'. 
OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, but I'm using the exact same syntax as the query they say works (as far as I can tell).

After executing my sp_addlinkedserver statement, which works fine, I run the following:

SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation



[ActiveDir] Forest Integrated DNS Question

2004-05-27 Thread James_Day




Hi List

I have been lurking for about a year and have pulled a lot of knowledge and
information from the list - thank you all.  I do have a specific issue I
wanted some opinions on regarding DNS.

Our current configuration is a 10 domain AD 2003 functional forest, with 1
empty root and 9 child domains.  We have about 100 domain controllers
between the domains that are in about 85 sites (in other words, except for
a few hub sites most locations have only 1 DC).  The majority of the sites
have 50 or more users with link speeds below 256kbs.  There are 3 DCs in
the empty root.

Currently we have DNS on every domain controller - partly due to the slow
link speeds and partly due to the unreliability of a lot of the links.
Every server has a primary zone that is AD integrated for its own domain,
and a secondary zone for the root domain.  The zone transfers were left at
the default - every 15 minutes.  This has led to 3 issues that have just
started cropping up.
1) The root DC DNS servers are starting to be overwhelmed with requests,
and some of the zone transfers are failing due to lack of resources.
2) Occasionally we will have a link go down for long enough to make the
secondary zone stale.  The DC then has problems getting a new copy of the
zone, and cannot replicate properly until it gets the updated zone.  This
issue seems to have gone away since we went to 2K3
3) We have a security issue at the root.  Our 3 root DCs are set to allow
transfers to anybody - a relatively insecure setup.  We have looked at only
allowing transfers to specific partners but with over 100 DCs now, and
another 400 to come online in the next 2 years the management of this list
would become a full time position.

The solution we are looking at is a forest integrated root zone.  Microsoft
does suggest making the msdcs zone forest integrated - which would help
some.  We also have a number of users that log in cross domain, and they
need to lookup the delegation records to find the name servers for the
other domains to either authenticate, or to access resources cross domain
(i.e. we have a number of sharepoint sites in different resources that are
accessible by users in all domains).With a full forest integrated root
zone we should be able to solve the zone transfer problem, the unreliable
link problem, and the security issue.  It also should allow users to make a
cross domain request on their local DC without the query going to the root
to find the delegation records - decreasing network traffic.  We have run
our test forest this way (20 DCs in 10 domains with 2 in the root) for 3
months with no problems.

Anybody have any comments?  Is anybody else doing this?  Can anybody see a
potential flaw in the plan?

Thank you in advance;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]
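The "security issue at the root" above (zone transfers allowed to anybody) can be audited across the root DCs before and after the move to a forest-integrated zone. The script below is an added example, not something from the list post; it reads the DNS server's WMI provider (root\MicrosoftDNS) on each server and flags zones whose SecureSecondaries setting is 0. It assumes PowerShell 3.0 or later, WMI access to each DNS server, and constructed server names.

```powershell
# Added example, not code from the thread: list, for each root-domain DNS server, the
# zones that still allow transfers to any host, which is the weak setting described
# above. Assumptions: PowerShell 3.0+, the WMI DNS provider (root\MicrosoftDNS) is
# reachable on each server, and the server names below are constructed placeholders.
param(
    [string[]]$DnsServers = @('rootdc1', 'rootdc2', 'rootdc3')
)

# MicrosoftDNS_Zone.SecureSecondaries: 0 = transfer to any host, 1 = only to the name
# servers in the zone's NS records, 2 = only to the listed IPs, 3 = no transfers.
$transferPolicy = @{ 0 = 'Any host'; 1 = 'NS records only'; 2 = 'Listed IPs only'; 3 = 'Disabled' }
$zoneTypeName   = @{ 0 = 'Cache'; 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }

function Get-ZoneTransferReport {
    param([string[]]$Servers)
    foreach ($srv in $Servers) {
        $zones = Get-WmiObject -ComputerName $srv -Namespace 'root\MicrosoftDNS' `
                     -Class MicrosoftDNS_Zone -ErrorAction SilentlyContinue
        if (-not $zones) { Write-Warning "Could not read zones from $srv"; continue }
        foreach ($z in $zones) {
            # Cache and forwarder entries cannot be transferred; only real zones matter here.
            if ((1, 2, 3) -notcontains [int]$z.ZoneType) { continue }
            [pscustomobject]@{
                Server        = $srv
                Zone          = $z.Name
                Type          = $zoneTypeName[[int]$z.ZoneType]
                ADIntegrated  = [bool]$z.DsIntegrated
                Transfers     = $transferPolicy[[int]$z.SecureSecondaries]
                OpenToAnyHost = ([int]$z.SecureSecondaries -eq 0)
            }
        }
    }
}

$report = @(Get-ZoneTransferReport -Servers $DnsServers)
$report | Sort-Object OpenToAnyHost -Descending, Server, Zone |
    Format-Table Server, Zone, Type, ADIntegrated, Transfers -AutoSize
$open = @($report | Where-Object { $_.OpenToAnyHost })
"$($open.Count) zone(s) still allow transfers to any host."
```

Once the root zone replicates through AD rather than zone transfers, the expected state is every AD-integrated zone reporting 'Disabled' or 'NS records only', and a zero count on the last line.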



RE: [ActiveDir] Manual DC removal EventID

2004-05-27 Thread J0mb
I believe I already did it, I followed the article step-by-step. That's why
I was worried I might have forgotten something.
I'll have another check tomorrow, now I am out of office.

Thank you.



> Go in sites and services and delete any server objects
> relating to the deleted server.
>
> BR
>
> Rob
>
> -Original Message-
> From: J0mb [mailto:[EMAIL PROTECTED]
> Sent: 27 May 2004 15:53
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Manual DC removal  EventID
>
>
> Good morning,
>
> Some days ago I had to manually remove a dead Win2000 DC from our
> network, according to Q216498 and
> http://www.winnetmag.com/Article/ArticleID/13414/13414.html.
>
> Removal seemed ok. Today I got the following event in my log.
> I believe it's an expected warning, however I'd just want to make sure that
> there's nothing to be concerned about.
>
> Thanks all
>
> Alex
>
>
> Event Type:   Information
> Event Source: NTDS KCC
> Event Category:   (1)
> Event ID: 1272
> Date: 27/05/2004
> Time: 10.59.52
> User: N/A
> Computer: RMD01
> Description:
> No nTDSConnection object exists for inbound replication from server
> CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local
> at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local.  The partition
> CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.
 



RE: [ActiveDir] linked server error in SQL/AD query

2004-05-27 Thread Creamer, Mark








Mikael, I wonder if I can get a little clarification. When you say "what account am I running the linked server as", maybe I made an assumption about how it should work. What I did was log in to a test SQL server using the Query Analyzer on my own system. I used Windows Authentication to gain access to that server, then ran the sp_addlinkedserver. So I guess I ran the linked server as me. Is that what you're pointing to? Thanks a lot for your help on this!

mc



-Original Message-
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mark,

I tried your SQL-statement with a linked server and it works perfectly.

What account are you running the linked server as?

Our experience is that if you change the account information used for the linked server, you should delete it, create a new one and set the account info before you hit the OK-button to get the best result.

Hope that this tiny information can help you.

Regards,

/MS

By the way: W2k Sp3, SQL 2000 sp3 was used

From: Creamer, Mark
Sent: Thu 2004-05-27 16:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] linked server error in SQL/AD query

I'm trying to use the OLEDB provider to link AD to SQL server to run some ad hoc queries. It's returning an error:

Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'. 
OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, but I'm using the exact same syntax as the query they say works (as far as I can tell).

After executing my sp_addlinkedserver statement, which works fine, I run the following:

SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation












[ActiveDir] strange error on logon

2004-05-27 Thread Raymond McClinnis








I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file /idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,

Raymond McClinnis










RE: [ActiveDir] user script

2004-05-27 Thread Kern, Tom
No. Same forest, 2 diff. domains, child to root.
I read in Robbie Allen's book (AD Cookbook) that the memberOf attribute will only 
list the user's domain, not other domains. Is this the issue?
Do I need access to a GC to do this? Do I need to use member?
How does one manipulate info on a GC? Do I need to run a script as local system on a 
DC? Is this possible? Are universal groups the problem?
A lot of questions, I know. Sorry.
Thanks


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script


Are these different forests?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

would this script let me add users from domain A to universal group in
domain B?-
 

Const ADS_PROPERTY_APPEND = 3
' Bind to the universal group in the domain that holds it
Set objGroup = GetObject _
  ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
' Append the user DNs to the multi-valued member attribute
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
  Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
        "cn=username2,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
        "cn=username3,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net")
' Write the cached change back to the directory
objGroup.SetInfo


I ran this from task scheduler and got an exit code of 0 (success?), however
when I look in the group, these users are not present.
Do I need to specify a GC for universal groups? And how? Should I run the
script on a GC?

thanks



[ActiveDir] Exchange 2003 SP1

2004-05-27 Thread Steve Shaff










Has anyone installed SP1 for Exchange 2003? Did you have any problems, quirkiness or issues on your exchange server, domain or the Active Directory? I am just looking for some input.

Thanks,
S










[ActiveDir] NTDS perf counters

2004-05-27 Thread Fugleberg, David A
We have some DCs in locations that probably no longer justify a local DC.  I'm trying 
to do some quantitative analysis to see just how busy the DC is in those locations.  
I'd like to dcpromo some of them down if possible so the boxes can be used as member 
servers.  The business wants to install IIS on some of them for some training 
application, and I don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC.  Problem is, I don't 
fully understand what I should be looking for.  These sites should be all Win2K 
workstations, but there may still be some NT4 workstations.  The DC is the only server 
in these sites. 

I thought I'd look at the following:
DS Directory Reads/sec
DS Directory Searches/sec
DS Directory Writes/sec
KDC AS Requests
KDC TGS Requests
NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my purpose is 
basically to find out how heavily the DC is being used in that site.

Any others I should consider ?  Any pointers to good resources on this topic ?  Most 
of what I find just gives a one-line description of the counters, without telling me 
what to look for.

Dave Fugleberg
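One way to turn the counter list above into numbers that can be compared between sites, written as an added example rather than anything from the post: it samples the six NTDS counters on each DC at a fixed interval and reduces each to an average and a peak. It assumes PowerShell 3.0 or later, Get-Counter with remote performance-counter access to every DC, and constructed DC names; the counter paths are the ones named in the post.

```powershell
# Added example, not code from the thread: sample the six NTDS counters listed above
# on each DC and reduce them to average and peak per counter, so per-site DC load
# can be compared over a working day. Assumptions: PowerShell 3.0+, Get-Counter with
# remote performance-counter access to every DC, and constructed DC names.
param(
    [string[]]$DomainControllers = @('dc-site1', 'dc-site2'),
    [int]$IntervalSeconds = 60,
    [int]$Samples = 480,                # 8 hours at one sample per minute
    [string]$OutCsv = 'dc-load.csv'
)

# The counters from the post; all live under the NTDS performance object.
$counters = @(
    '\NTDS\DS Directory Reads/sec',
    '\NTDS\DS Directory Searches/sec',
    '\NTDS\DS Directory Writes/sec',
    '\NTDS\KDC AS Requests',
    '\NTDS\KDC TGS Requests',
    '\NTDS\NTLM Authentications'
)

function Get-DcLoadSummary {
    param([string[]]$Computers, [int]$Interval, [int]$MaxSamples)

    # One collection run covers every DC; each sample set carries all counters for all DCs.
    $sets = Get-Counter -ComputerName $Computers -Counter $counters `
                        -SampleInterval $Interval -MaxSamples $MaxSamples -ErrorAction SilentlyContinue
    if (-not $sets) { Write-Warning 'No counter data collected'; return }

    # Flatten to individual readings and group by full path (\\host\ntds\counter name).
    $sets | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
        if ($_.Name -match '^\\\\([^\\]+)\\(.+)$') {
            $dcName  = $Matches[1]
            $counter = $Matches[2]
            $stats   = $_.Group | Select-Object -ExpandProperty CookedValue |
                           Measure-Object -Average -Maximum
            [pscustomobject]@{
                DC      = $dcName
                Counter = $counter
                Average = [math]::Round($stats.Average, 2)
                Peak    = [math]::Round($stats.Maximum, 2)
                Samples = $stats.Count
            }
        }
    }
}

$rows = @(Get-DcLoadSummary -Computers $DomainControllers -Interval $IntervalSeconds -MaxSamples $Samples)
$rows | Sort-Object DC, Counter | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Sort-Object DC, Counter | Format-Table -AutoSize
```

A DC whose averages stay near zero across a full working day, with peaks that a hub DC could absorb over the WAN link, is a candidate for the dcpromo-down the post is considering.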


RE: [ActiveDir] user script

2004-05-27 Thread joe
OK, the reason I thought that was the way the DNs were specified below. 

Memberof is a funny attribute, first off it is a link to the group attribute
member. Depending on what port and machine you query in a multidomain
environment, you could get different responses as it is based on what group
memberships are kept on that DC, versus anything else. For instance if you
query memberof on a GC of domain1 for user domain2\user you will see user's
group memberships from domain1 and any universal groups he/she is in.

You will want to bind to the universal group in whatever domain it lives in,
you can't write to a GC so don't worry about the GC aspect for the update,
just do your LDAP:// bind to the group object and you are where you need to
be to update. 

Now that that is done, you do the update. Now assuming the DNs you specify
for the user are correct, I would expect this script to work fine. 

Run it from the regular command line and get AT out of it and make sure it
works normally. Depending on where you look, it may take a bit for the
membership to show up. Also if you are looking at the group with ADUC and
this is 2003, watch out, you may be getting bit by a bug (MS feature)
where by default they hide the Uni group membership from other domains to be
consistent in case you look on a NON-GC DC.

Best thing to do to check membership would be to use a good ol command line
tool to look at the group on a DC that hosts the group... Something like
this might work

Adfind -b cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain -s base -f * member


Like for example

[Thu 05/27/2004 13:37:41.19]
F:\DEV\Perl\PwdRst>Adfind -b "cn=schema admins,cn=users,dc=joe,dc=com" -s base -f * member

AdFind V01.15.00cpp Joe Richards ([EMAIL PROTECTED]) April 2004

Using server: 2k3dc01.joe.com

dn:cn=schema admins,cn=users,dc=joe,dc=com
member: CN=$jricha34,CN=Users,DC=joe,DC=com
member: CN=Administrator,CN=Users,DC=joe,DC=com


1 Objects returned

[Thu 05/27/2004 13:44:27.63]
F:\DEV\Perl\PwdRst>





 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script

no. same forest, 2 diff. domains. child to root.
i read in robbie allen's book(ad cookbook) that the member of attribute
will only list the user's domain not other domains. is this the issue?
do i need access to a gc to do this? do i need to use member?
how does one manipulate info on a gc? do i need to run a script as local
system on a dc? is this possible? is universal groups the problem?
a lot of questions, i know. sorry.
thanks


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script


Are these different forests?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

would this script let me add users from domain A to universal group in
domain B?-
 

Const ADS_PROPERTY_APPEND = 3
' Bind to the universal group in the domain that holds it
Set objGroup = GetObject _
  ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
' Append the user DNs to the multi-valued member attribute
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
  Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
        "cn=username2,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
        "cn=username3,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net")
' Write the cached change back to the directory
objGroup.SetInfo


i ran this from task scheduler and got an exit code of 0(sucess?), however
when i look in the group, these users are not present.
do i need to specify a GC for universal groups? and how? should I run the
script on a GC?

thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] user script

2004-05-27 Thread Kern, Tom
no. same forest, 2 diff. domains. child to root.
i read in robbie allen's book(ad cookbook) that the member of attribute will only 
list the user's domain not other domains. is this the issue?
do i need access to a gc to do this? do i need to use member?
how does one manipulate info on a gc? do i need to run a script as local system on a 
dc? is this possible? is universal groups the problem?
a lot of questions, i know. sorry.
thanks


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script


Are these different forests?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

would this script let me add users from domain A to a universal group in domain B?

Const ADS_PROPERTY_APPEND = 3
' Bind to the universal group in the parent domain
Set objGroup = GetObject _
  ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
' Append the child-domain user DNs to the group's multi-valued member attribute
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
  Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain,dc=net", _
        "cn=username2,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain,dc=net", _
        "cn=username3,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain,dc=net")
' Write the cached change back to the directory
objGroup.SetInfo


i ran this from task scheduler and got an exit code of 0 (success?), however
when i look in the group, these users are not present.
do i need to specify a GC for universal groups? and how? should I run the
script on a GC?

thanks

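An added example, not the poster's script, of the same ADSI append written so that a failure cannot be mistaken for success: it checks Err after the bind and after SetInfo, re-reads the group's member attribute, and exits non-zero when a DN is missing, so Task Scheduler records a failure instead of exit code 0. The DC name and every DN below are placeholders, and pinning the bind to a DC of the group's domain is an assumption about the environment.

```vbscript
' Added example, not the poster's script. Appends user DNs from another
' domain in the forest to a universal group and verifies the result.
' The DC name and all DNs are hypothetical placeholders.
Option Explicit
Const ADS_PROPERTY_APPEND = 3

' Naming a DC of the group's own domain in the ADsPath pins the bind to that
' domain instead of leaving the choice to serverless binding (assumption:
' dc1.parentdomain.rootdomain is a DC of the domain that holds the group).
Dim groupPath, members
groupPath = "LDAP://dc1.parentdomain.rootdomain/" & _
            "cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain"
members = Array( _
    "cn=username1,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
    "cn=username2,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain")

' True when dn appears in the group's member attribute (DNs compare
' case-insensitively). Only called once the group is known to have members,
' because IADs.GetEx raises an error on an attribute with no values.
Function IsMember(grp, dn)
    Dim m
    IsMember = False
    For Each m In grp.GetEx("member")
        If StrComp(m, dn, vbTextCompare) = 0 Then IsMember = True
    Next
End Function

Dim objGroup, dn, missing
On Error Resume Next
Set objGroup = GetObject(groupPath)
If Err.Number <> 0 Then
    WScript.Echo "Bind to " & groupPath & " failed: 0x" & Hex(Err.Number) & _
                 " " & Err.Description
    WScript.Quit 1
End If

objGroup.PutEx ADS_PROPERTY_APPEND, "member", members
objGroup.SetInfo
If Err.Number <> 0 Then
    ' Typical causes: a DN that does not exist, or the account the task runs
    ' as lacking write access to the group's member attribute.
    WScript.Echo "SetInfo failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Re-read the object from the directory and confirm each DN is present,
' rather than trusting that SetInfo returning is the same as the users
' being in the group.
objGroup.GetInfo
missing = 0
For Each dn In members
    If Not IsMember(objGroup, dn) Then
        WScript.Echo "Not a member after SetInfo: " & dn
        missing = missing + 1
    End If
Next
If missing > 0 Then WScript.Quit 2
WScript.Echo "All " & (UBound(members) + 1) & " members present in " & groupPath
WScript.Quit 0
```

Run it with cscript so the Echo lines reach the scheduled task's output and the exit code reflects what actually happened in the directory.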

RE: [ActiveDir] NTDS perf counters

2004-05-27 Thread Eric Fleischman
Great question! And your approach is solid.

I'd probably encourage you to take a slightly different direction in
terms of coming to the answer. The answer isn't as much "how busy is
this DC" so much as it probably is "what is the user impact if we remove
this DC". That is, we want to know user impact vs. cost of removing DC,
not so much what is the DC doing (although you do want to have some
understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:
1) Measure what this DC is doing
a) How busy is it and what is it doing (understand what it does
today)
b) Do my DCs elsewhere have the excess capacity to service the
requests they will see if this DC is removed
2) Measure user impact on removing DC
a) If user requires DC/GC connectivity over the wan, is latency
acceptable?
b) Are centralized DCs performant enough to service additional
requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is
from network performance. That is, I perform an action, and the response
is slow as the network has an RTT of X ms and that is unacceptably slow.
That's something I would personally get a handle on before I yank DCs
out of the remote site. That could be ldap performance, authentication,
name resolution, etc.

In terms of specific counters, I think you have some solid metrics
below. I would also encourage you to measure perf on the DCs that would
pick up the load should we remove the DCs in question (in AD speak, you'd
say the DCs that would cover this DC-less site). That is equally
important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD
substantially faster and more scalable and you can truly do more with
less. I hope you don't take this as a sales pitch, I really don't mean
it as such. Rather, I'd just point out that if you have some DCs that
are very busy and you want to get a bit more bang for your buck out of
those same # of servers, the 2k03 upgrade might be helpful there. QP is
faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd
really like to continue should you see value in doing so. I hope this
has added some value in your thinking so far, so let's see where else I
might be able to add some thoughts. :)

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local
DC.  I'm trying to do some quantitative analysis to see just how busy
the DC is in those locations.  I'd like to dcpromo some of them down if
possible so the boxes can be used as member servers.  The business want
to install IIS on some of them for some training application, and I
don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC.  Problem
is, I don't fully understand what I should be looking for.  These sites
should be all Win2K workstations, but there may still be some NT4
workstations.  The DC is the only server in these sites. 

I thought I'd look at the following:
DS Directory Reads/sec
DS Directory Searches/sec
DS Directory Writes/sec
KDC AS Requests
KDC TGS Requests
NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my
purpose is basically to find out how heavily the DC is being used in
that site.

Any others I should consider ?  Any pointers to good resources on this
topic ?  Most of what I find just gives a one-line description of the
counters, without telling me what to look for.

Dave Fugleberg


RE: [ActiveDir] linked server error in SQL/AD query

2004-05-27 Thread Mikael Svennungsson



Anytime ;-)

Glad that I could help you

/MS


From: Creamer, Mark
Sent: Thu 2004-05-27 20:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query


Mikael, that worked perfectly. What a huge help this is going to be. Thanks for your advice!!


mc
-Original Message-
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 2:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query



Mark,



Delete the linked server.

Create a new linked server using the Enterprise Manager.

Name it and choose datasource.

In tab Security, try "Be made using this security context" and enter domain\username and password.



Run your script in Query Analyzer.



Regards,



/MS





From: Creamer, Mark
Sent: Thu 2004-05-27 18:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mikael, I wonder if I can get a little clarification. When you say "what account am I running the linked server as", maybe I made an assumption about how it should work. What I did was log in to a test SQL server using the Query Analyzer on my own system. I used Windows Authentication to gain access to that server, then ran the sp_addlinkedserver. So I guess I ran the linked server as me. Is that what you're pointing to? Thanks a lot for your help on this!


mc
-Original Message-
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query



Mark,



I tried your SQL-statement with a linked server and it works perfectly.



What account are you running the linked server as?



Our experience is that if you change the account information used for the linked server, you should delete it, create a new one and set the account info before you hit the OK button to get the best result.



Hope that this tiny information can help you.



Regards,



/MS



By the way: W2k Sp3, SQL 2000 sp3 was used








From: Creamer, Mark
Sent: Thu 2004-05-27 16:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] linked server error in SQL/AD query

I'm trying to use the OLEDB provider to link AD to SQL server to run some ad hoc queries. It's returning an error:
Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'. 
OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, but I'm using the exact same syntax as the query they say works (as far as I can tell).

After executing my sp_addlinkedserver statement, which works fine, I run the following:

SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation



RE: [ActiveDir] NTDS perf counters

2004-05-27 Thread joe
I knew ~Eric would be all over this thread...

The thing I would add would be: is the DC also a DNS and/or WINS server? If
so, take those things into account for WAN traffic.

What you may want to do is force coverage of the site from the site you
think will pick up the requests once this DC goes away and then do a one or
two day test to see how it goes. Basically you will set up the coverage
(multiple ways to do this, both via modifying registries and making your own
DNS entries) and then shut down the DC so the other DC(s) take the coverage.
You can't just shut off the DC as the site coverage won't automatically
switch to the proper set of DCs, what will happen is any DC in the domain
will be used. And with Murphy running around, it will always be the least
wanted DC that does it.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Great question! And your approach is solid.

I'd probably encourage you to take a slightly different direction in terms
of coming to the answer. The answer isn't as much "how busy is this DC" so
much as it probably is "what is the user impact if we remove this DC". That
is, we want to know user impact vs. cost of removing DC, not so much what is
the DC doing (although you do want to have some understanding of the latter
for sure).

That said, I usually take a two-pronged approach to such tasks:
1) Measure what this DC is doing
a) How busy is it and what is it doing (understand what it does
today)
b) Do my DCs elsewhere have the excess capacity to service the
requests they will see if this DC is removed
2) Measure user impact on removing DC
a) If user requires DC/GC connectivity over the wan, is latency
acceptable?
b) Are centralized DCs performant enough to service additional
requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is
from network performance. That is, I perform an action, and the response is
slow as the network has an RTT of X ms and that is unacceptably slow.
That's something I would personally get a handle on before I yank DCs out of
the remote site. That could be ldap performance, authentication, name
resolution, etc.

In terms of specific counters, I think you have some solid metrics below. I
would also encourage you to measure perf on the DCs that would pick up the
load should we remove the DCs in question (in AD speak, you'd say the DCs that
would cover this DC-less site). That is equally important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD
substantially faster and more scalable and you can truly do more with less.
I hope you don't take this as a sales pitch, I really don't mean it as such.
Rather, I'd just point out that if you have some DCs that are very busy and
you want to get a bit more bang for your buck out of those same # of
servers, the 2k03 upgrade might be helpful there. QP is faster, can service
requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd really
like to continue should you see value in doing so. I hope this has added
some value in your thinking so far, so let's see where else I might be able
to add some thoughts. :)

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local DC.
I'm trying to do some quantitative analysis to see just how busy the DC is
in those locations.  I'd like to dcpromo some of them down if possible so
the boxes can be used as member servers.  The business want to install IIS
on some of them for some training application, and I don't want IIS on my
DCs.

I figured I'd track some perfmon stats over time on each DC.  Problem is, I
don't fully understand what I should be looking for.  These sites should be
all Win2K workstations, but there may still be some NT4 workstations.  The
DC is the only server in these sites. 

I thought I'd look at the following:
DS Directory Reads/sec
DS Directory Searches/sec
DS Directory Writes/sec
KDC AS Requests
KDC TGS Requests
NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my
purpose is basically to find out how heavily the DC is being used in that
site.

Any others I should consider ?  Any pointers to good resources on this topic
?  Most of what I find just gives a one-line description of the counters,
without telling me what to look for.

Dave Fugleberg

RE: [ActiveDir] strange error on logon

2004-05-27 Thread joe



I have never seen an error like that so once you nail down 
what is running that is throwing the error up, then we can go from 
there.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon


I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis


RE: [ActiveDir] Manual DC removal EventID

2004-05-27 Thread joe
I would say the DC is simply telling you it is cleaning up its topology; as
long as you went through and did the proper cleanup procedures I wouldn't be
worried.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Thursday, May 27, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual DC removal  EventID

Good morning,

Some days ago i had to manually remove a dead Win2000 DC from our network,
according to Q216498 and
http://www.winnetmag.com/Article/ArticleID/13414/13414.html.

Removal seemed ok. Today i got the following event in my log. I believe it's
an expected warning, however i'd just want to make sure that there's nothing
to be concerned about.

Thanks all

Alex


Event Type: Information
Event Source:   NTDS KCC
Event Category: (1)
Event ID:   1272
Date:   27/05/2004
Time:   10.59.52
User:   N/A
Computer:   RMD01
Description:
No nTDSConnection object exists for inbound replication from server CN=NTDS
Settings
DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02
DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=C
onfiguration,DC=acs,DC=local at address
b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local.  The partition
CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.



RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

2004-05-27 Thread Noah Eiger
Blush! First, I belong to another list for Mac admins. On that one you are
supposed to post summaries after questions. I obviously posted to the wrong
list. 
 
That said, thank you for further responses. 
 
As for Danny's point about the home directory issue in the demo: during the
web cast on AD integration (at http://www.macoxlabs.org/), I recall that one
of the presenters discusses how to get the AD user account home directory to
appear as the user's Mac OS home directory (rather than a mounted volume on
the desktop).
 
nme
 

From: McCann, Danny [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe
 

 - Can XServe volumes be managed by Active Directory? That is, can you add
 and XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an
active directory domain, and some creative vi'ing on the /etc/smb.conf file
to manage authentication via kerberos.

 - Would love to hear real-world experiences with the new AD Plug-in for
 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4(due to be released the end of
this week) goes a little bit farther.  There is still an issue gaining a
kerberos ticket if you have a particular set of circumstances, but apple has
been notified of the issue and is currently working on the problem.

 - I consider some services like RIS to be pretty essential to speeding
 deployment and recovery in a Windows environment. Are there similar
 applications or services that require OD for Macs?

Check out netboot for this purpose, it doesn't have any direct hooks into OD
and isn't required to do your imaging.

http://docs.info.apple.com/article.html?artnum=107912

And download System Imaging Administration


 
Hi
 
I attended a demo of all of the above today and everything ran very
smoothly.
Only issue was that they claimed to be able to map AD user account home
directories, by mounting them as share points on the desktop, but couldn't
demonstrate this as one of the scripts needed some work. Apparently :)
Apple are also looking into a method of accessing DFS from the Mac.
 
Cheers
 
Danny

RE: [ActiveDir] W2K SP3 Pro can't login

2004-05-27 Thread joe



This may be obvious but I would still be wary of the disk on that machine...
Get the vendor's low-level test tools and run them against the disk to see
if it should be replaced.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, May 24, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

It appears that the ADF.sys got corrupted, I copied over from a similar machine and now they can login.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, May 24, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

There were several errors in the system log saying that the ntfrs and other areas of the disk were corrupted. I am thinking it is a bad drive. I am currently running chkdsk /f /r.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

Cool,
OK, now let them start the Netlogon service and check for the exact error and event id. Maybe he should be a local admin.

Regards,
Mohammed Athif Khaleel
Asst. Network Engineer
AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
  Sent: Monday, 24 May 2004 5:59 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] W2K SP3 Pro can't login

  They are able to login locally.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Monday, May 24, 2004 10:29 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] W2K SP3 Pro can't login

  I am in the midst of having the local person do this. Changing the cable, logging on locally and so forth. I have not heard back yet.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, May 24, 2004 10:24 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] W2K SP3 Pro can't login

  Did you try to logon locally?? If this works, you can troubleshoot NETLOGON too. If you are unable to ping, check the problems from PHYSICAL LAYER

  Regards,
  Mohammed Athif Khaleel
  Asst. Network Engineer
  AlFaisaliah Group Information Technology
  Tel.: +966-1-461-0077 x.209
  Mobile: +966-509774015
  Email: [EMAIL PROTECTED]
  "Save Internet, Keep all the systems patched"
  Web: http://alfaisaliah.com

  -Original Message-
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
  Sent: Monday, 24 May 2004 5:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] W2K SP3 Pro can't login

  One of my machines is getting the following errors

  Unable to log you on because the netlogon service is not running on this machine

  And I am unable to ping the workstation, however the lights are working on the NIC Card and the switches. I am not in the same location as the PC so I can't sit down in front of it and troubleshoot, I have someone doing it for me that I have to talk thru it with.

  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 - office
  917.455.0110 - cell
  [EMAIL PROTECTED]
  

RE: [ActiveDir] strange error on logon

2004-05-27 Thread Mulnick, Al



Just a guess.

Check the registry on the workstation. That file 
error throws some hits on the net referring to shell 
startup.
This may be the key. You can search the registry and find a reference to
the idlist portion of your error. I wouldn't rule out GPO just yet either as
it could be something that got locked down inadvertently. Or maybe folder
redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From 
Here" command = "Explorer.exe /e,/root,/idlist,%I"




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down 
what is running that is throwing the error up, then we can go from 
there.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon


I began receiving calls 
yesterday about a strange looking error that users were getting at logon. 
Here is the message:

Cannot find the file 
'/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its 
components).

I originally thought 
that it may be an issue with a script I was pushing through group policy, but 
that is not the case. I still need to look at the startup on the machines 
in question and see if there is anything there.


Thanks,
Raymond McClinnis


RE: [ActiveDir] strange error on logon

2004-05-27 Thread Mulnick, Al



Oh yeah, one other thing that is *possible* 


http://www.jsiinc.com/SUBP/tip7500/rh7557.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down 
what is running that is throwing the error up, then we can go from 
there.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon


I began receiving calls 
yesterday about a strange looking error that users were getting at logon. 
Here is the message:

Cannot find the file 
'/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its 
components).

I originally thought 
that it may be an issue with a script I was pushing through group policy, but 
that is not the case. I still need to look at the startup on the machines 
in question and see if there is anything there.


Thanks,
Raymond McClinnis


RE: [ActiveDir] NTDS perf counters

2004-05-27 Thread Fugleberg, David A
Thanks for the comments.  You're absolutely correct that we're looking for the user 
impact - knowing the busyness of the DC is just part of the equation.  I'm also 
looking at the number/type of workstations, usage patterns, etc.

I intend to track the metrics I mentioned on all DCs (not just the remote DCs) using 
BMC Patrol.  That will give me a basis of comparison and a better feel for how busy 
the central site DCs are.  If I have to add capacity at the central site, so be it.

As far as site coverage goes, we have a hub/spoke topology, and 'spoke' DCs are 
configured to NOT register domain-wide SRV records, so clients will only find DCs at 
the hub site.  Each spoke site has one site link (to the hub site), and site link 
transitivity is turned off.  Shouldn't that ensure that my DC-less sites are properly 
covered ?

Finally, we're already on the upgrade path to W2K03 - we've added a few 2K03 DCs to 
our 2K native-mode domain.  The remaining DCs will be upgraded over the next several 
months.

One thing I will need to address (thanks for the catch, Joe) is the fact that the DCs 
are also AD-integrated DNS servers, and the clients in those sites are pointed at them 
for DNS.  I could always leave DNS out there sans the AD-integrated zones, or make it 
a secondary for those zones, but I don't think DNS over the WAN will be a big deal 
from these sites.  I guess I could track how many requests those DNS servers are 
taking from clients while I'm at it...

Thanks for the feedback guys !
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters


Great question! And your approach is solid.

I'd probably encourage you to take a slightly different direction in
terms of coming to the answer. The answer isn't as much "how busy is
this DC" so much as it probably is "what is the user impact if we remove
this DC". That is, we want to know user impact vs. cost of removing DC,
not so much what is the DC doing (although you do want to have some
understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:
1) Measure what this DC is doing
a) How busy is it and what is it doing (understand what it does
today)
b) Do my DCs elsewhere have the excess capacity to service the
requests they will see if this DC is removed
2) Measure user impact on removing DC
a) If user requires DC/GC connectivity over the wan, is latency
acceptable?
b) Are centralized DCs performant enough to service additional
requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is
from network performance. That is, I perform an action, and the response
is slow as the network has an RTT of X ms and that is unacceptably slow.
That's something I would personally get a handle on before I yank DCs
out of the remote site. That could be ldap performance, authentication,
name resolution, etc.

In terms of specific counters, I think you have some solid metrics
below. I would also encourage you to measure perf on the DCs that would
pick up the load should we remove the DCs in question (in AD speak, you'd
say the DCs that would cover this DC-less site). That is equally
important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD
substantially faster and more scalable and you can truly do more with
less. I hope you don't take this as a sales pitch, I really don't mean
it as such. Rather, I'd just point out that if you have some DCs that
are very busy and you want to get a bit more bang for your buck out of
those same # of servers, the 2k03 upgrade might be helpful there. QP is
faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd
really like to continue should you see value in doing so. I hope this
has added some value in your thinking so far, so let's see where else I
might be able to add some thoughts. :)

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local
DC.  I'm trying to do some quantitative analysis to see just how busy
the DC is in those locations.  I'd like to dcpromo some of them down if
possible so the boxes can be used as member servers.  The business want
to install IIS on some of them for some training application, and I
don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC.  Problem
is, I don't fully understand what I should be looking for.  These sites
should be all Win2K workstations, but there may still be some NT4
workstations.  The DC 

RE: [ActiveDir] strange error on logon

2004-05-27 Thread Eric Fleischman

Have you seen:

824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess.

Check the registry on the workstation. That file error throws some hits on the net referring to shell startup.

This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
 command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,

Raymond McClinnis

[ActiveDir] OT: Exchange 2003 SP1 documentation

2004-05-27 Thread Michael Wassell

Has anyone managed to find complete documentation of all of the changes made with Exchange 2003 SP1? The release notes fall short of mentioning exactly what updates/changes were made although I have looked briefly and there seems to be more control available to the user through OWA (Options category) and the icons shown in System Manager seem to have been sharpened (:-P). The issue with Exchange services hanging during a shutdown without being stopped beforehand still seems to be a problem so I guess the hopes for a resolve are still "pending".

As far as interface changes I can't imagine much more has been changed, but possibly a list of hot fixes which were previously unpublished except maybe to MVP's? Any idea?

Although, the package is 100mb~ and it did take a few minutes to complete the update procedures which required stopping all Exchange, IIS and related services (including third-party components), all went well.

TIA!


RE: [ActiveDir] strange error on logon

2004-05-27 Thread Raymond McClinnis

AL,

Thank you, Thank you, Thank you!!!

We're in the process of removing a dead SMS 2.0 server and a number of users had smsls.bat as their logon script. I used Hyena to remove the logon, but I must have typed a space into the field instead. I swear though I looked for just /idlist and didn't come up with anything.

Again THANK YOU AL

Thanks,

Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 12:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Oh yeah, one other thing that is *possible*

http://www.jsiinc.com/SUBP/tip7500/rh7557.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,

Raymond McClinnis

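The root cause Raymond found, a logon script field holding nothing but a space, is easy to miss in an export: LDIF has to base64-encode any value that begins with a space, so searching the export for the literal value or for "/idlist" turns up nothing. The script below is an added example and not something posted on the list. It parses a constructed ldifde-style export (the DNs and script names are made up, and the inventory of scripts that actually exist on NETLOGON is a hypothetical input) and flags logon-script values that are whitespace-only, padded with whitespace, or point at a script that is no longer there, such as an smsls.bat left behind by a retired SMS server.

```python
"""Audit scriptPath values in an LDIF export of user accounts.

Added example for the thread above, not code from the list. SAMPLE_LDIF is a
constructed stand-in for an export such as
  ldifde -f users.ldf -r "(objectcategory=person)" -l scriptPath
DNs, script names and the KNOWN_SCRIPTS inventory are all made up.
"""
import base64

# Constructed export. RFC 2849 requires a value that begins with a space to be
# base64-encoded, so Bob's whitespace-only scriptPath shows up as 'scriptPath:: IA=='
# and a plain text search of the file for ' ' or '/idlist' finds nothing useful.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=test
scriptPath: logon.bat

dn: CN=Bob,OU=Staff,DC=example,DC=test
scriptPath:: IA==

dn: CN=Carol,OU=Staff,DC=example,DC=test
scriptPath: smsls.bat

dn: CN=Dave,OU=Staff,DC=example,DC=test
description: no logon script assigned, which is fine
"""

# Hypothetical inventory of what actually exists in \\<dc>\NETLOGON (lowercase names).
KNOWN_SCRIPTS = {"logon.bat"}


def parse_ldif(text):
    """Minimal RFC 2849 reader: list of {attribute_lowercase: [values]} records.
    Handles folded continuation lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                     # 'attr: <value>' (one separating space)
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr.lower(), []).append(value)
    return records


def check_logon_scripts(records, known_scripts):
    """Return (dn, problem, value) for each scriptPath that cannot run as intended."""
    findings = []
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        for value in rec.get("scriptpath", []):
            if value.strip() == "":
                findings.append((dn, "whitespace-only scriptPath", repr(value)))
            elif value != value.strip():
                findings.append((dn, "scriptPath padded with whitespace", repr(value)))
            elif value.lower() not in known_scripts:
                findings.append((dn, "script not found in NETLOGON inventory", value))
    return findings


if __name__ == "__main__":
    for dn, problem, value in check_logon_scripts(parse_ldif(SAMPLE_LDIF), KNOWN_SCRIPTS):
        print("%-45s %-40s %s" % (dn, problem, value))
```

Run directly, it reports Bob's whitespace-only value and Carol's reference to the retired smsls.bat; Alice and Dave produce nothing. The same check can be pointed at a real ldifde export by replacing SAMPLE_LDIF with the file contents and KNOWN_SCRIPTS with a listing of the NETLOGON share.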
RE: [ActiveDir] NTDS perf counters

2004-05-27 Thread Eric Fleischman
Or if 2k03, you could probably do stub zones. I've only done stub zones
out in the field as ad-integrated stub zones, but I would assume that
they can be done as standalone too.

It always comes down to cost benefit... large enough user base in a site
justifies the DC.

As you start to get data feel free to bring it back to the list for
discussion. There are other counters you could watch too (DNS has some
logging, you could watch some of the ese/ntdsa counters for ad perf if
you're interested, etc.) but the ones you have below will probably give
you a good overview as to what is going on today.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, May 27, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Thanks for the comments.  You're absolutely correct that we're looking
for the user impact - knowing the busyness of the DC is just part of
the equation.  I'm also looking at the number/type of workstations,
usage patterns, etc.

I intend to track the metrics I mentioned on all DCs (not just the
remote DCs) using BMC Patrol.  That will give me a basis of comparison
and a better feel for how busy the central site DCs are.  If I have to
add capacity at the central site, so be it.

As far as site coverage goes, we have a hub/spoke topology, and 'spoke'
DCs are configured to NOT register domain-wide SRV records, so clients
will only find DCs at the hub site.  Each spoke site has one site link
(to the hub site), and site link transitivity is turned off.  Shouldn't
that ensure that my DC-less sites are properly covered ?

Finally, we're already on the upgrade path to W2K03 - we've added a few
2K03 DCs to our 2K native-mode domain.  The remaining DCs will be
upgraded over the next several months.

One thing I will need to address (thanks for the catch, Joe) is the fact
that the DCs are also AD-integrated DNS servers, and the clients in
those sites are pointed at them for DNS.  I could always leave DNS out
there sans the AD-integrated zones, or make it a secondary for those
zones, but I don't think DNS over the WAN will be a big deal from these
sites.  I guess I could track how many requests those DNS servers are
taking from clients while I'm at it...

Thanks for the feedback guys !
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters


Great question! And your approach is solid.

I'd probably encourage you to take a slightly different direction in
terms of coming to the answer. The answer isn't as much how busy is
this DC so much as it probably is what is the user impact if we remove
this dc. That is, we want to know user impact vs. cost of removing DC,
not so much what is the DC doing (although you do want to have some
understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:
1) Measure what this DC is doing
a) How busy is it and what is it doing (understand what it does
today)
b) Do my DCs elsewhere have the excess capacity to service the
requests they will see if this DC is removed
2) Measure user impact on removing DC
a) If user requires DC/GC connectivity over the wan, is latency
acceptable?
b) Are centralized DCs performant enough to service additional
requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is
from network performance. That is, I perform an action, and the response
is slow as the network has an RTT of X ms and that is unacceptably slow.
That's something I would personally get a handle on before I yank DCs
out of the remote site. That could be ldap performance, authentication,
name resolution, etc.

In terms of specific counters, I think you have some solid metrics
below. I would also encourage you to measure perf on the DCs that would
pick up the load should we remove the DCs in question (in AD speak, you'd
say the DCs that would cover this DC-less site). That is equally
important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD
substantially faster and more scalable and you can truly do more with
less. I hope you don't take this as a sales pitch, I really don't mean
it as such. Rather, I'd just point out that if you have some DCs that
are very busy and you want to get a bit more bang for your buck out of
those same # of servers, the 2k03 upgrade might be helpful there. QP is
faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd
really like to continue should you see value in doing so. I hope this
has added some value in your thinking so far, so let's see where else I
might be able to add some thoughts. :)

~Eric



Re: [ActiveDir] OT: Exchange 2003 SP1 documentation

2004-05-27 Thread Missy Koslosky

It's my understanding that this information will be released ASAP. I know that it was definitely in the works last night.

Missy Koslosky
Exchange MVP

  - Original Message -
  From: Michael Wassell
  To: [EMAIL PROTECTED]
  Sent: Thursday, May 27, 2004 4:14 PM
  Subject: [ActiveDir] OT: Exchange 2003 SP1 documentation

  Has anyone managed to find complete documentation of all of the changes made with Exchange 2003 SP1? The release notes fall short of mentioning exactly what updates/changes were made although I have looked briefly and there seems to be more control available to the user through OWA (Options category) and the icons shown in System Manager seem to have been sharpened (:-P). The issue with Exchange services hanging during a shutdown without being stopped beforehand still seems to be a problem so I guess the hopes for a resolve are still "pending".

  As far as interface changes I can't imagine much more has been changed, but possibly a list of hot fixes which were previously unpublished except maybe to MVP's? Any idea?

  Although, the package is 100mb~ and it did take a few minutes to complete the update procedures which required stopping all Exchange, IIS and related services (including third-party components), all went well.

  TIA!


RE: [ActiveDir] strange error on logon

2004-05-27 Thread Mulnick, Al

For you? No problem ;)

Glad it worked out (never know when a shot in the dark might be helpful).

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

AL,
Thank you, Thank you, Thank you!!!

We're in the process of removing a dead SMS 2.0 server and a number of users had smsls.bat as their logon script. I used Hyena to remove the logon, but I must have typed a space into the field instead. I swear though I looked for just "/idlist" and didn't come up with anything.

Again THANK YOU AL

Thanks,
Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 12:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Oh yeah, one other thing that is *possible*

http://www.jsiinc.com/SUBP/tip7500/rh7557.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis


RE: [ActiveDir] strange error on logon

2004-05-27 Thread Mulnick, Al

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen:

824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess.

Check the registry on the workstation. That file error throws some hits on the net referring to shell startup.

This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
 command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis


RE: [ActiveDir] strange error on logon

2004-05-27 Thread Eric Fleischman

Searching KB is an art, so you can call me Picasso. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen:

824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess.

Check the registry on the workstation. That file error throws some hits on the net referring to shell startup.

This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
 command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,

Raymond McClinnis


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-27 Thread joe
As I read through this whole thread there was a couple of other things I
noticed if you don't mind if I ramble for a bit...

Objectcategory=user doesn't exist, that will be converted to
objectcategory=person, see below on what that will do for you.

ObjectClass=user is even worse. What happens with that is that it becomes an
object by object comparison through the entire search scope. So for instance
doing this on a small test domain with like 280 users in it and a couple of
machine accounts and a couple of groups the STATS control shows me it had to
chase through 3562 objects to return 280. Your mileage will vary but I don't
expect it would get much better than that. 

There is a way to help with this last issue, index objectclass
(searchFlags=9). Test in your lab but the growth of the DIT shouldn't be
much, I have seen 10% in the past. All of the crappy objectclass queries
only coming through will perform better. I think MS probably made a mistake
in not indexing objectclass out of the box. But that is simply my opinion.
The nice thing in doing that simple thing is that anyone that comes at you
with an app with crappy objectclass based ldap filters cough cough, they
will not impact AD as hard. I just wish there was as simple a solution for
finding all group memberships across a forest. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 26, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

Hi Al. :o)

(objectcategory=person)(objectclass=user) is a good filter though it
wouldn't catch inetorgpersons. Slightly better may be
(objectcategory=person)(samaccountname=*) if you have contact objects or
you have inetorgpersons you want to catch as well as user objects. If you
have no contacts and no inetorgpersons, either of those filters should
perform the same. 

Just doing objectcategory=person will get you objectclasses:

dn:CN=Organizational-Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Contact,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com

So let's put it this way, say you have 100k users and 200k contacts in your
directory. If you just do 

Objectcategory=person

You will get back 300k objects.

If you do

(&(objectcategory=person)(objectclass=user))

You will get back 100k objects though it would have to chase through 300k
objects (assuming objectclass has not been indexed in that forest).

If you do 

(&(objectcategory=person)(samaccountname=*))

You will get back 100k objects and will only chase through 100k objects.

If you add inetorgperson into the mix, you will catch them on the first
filter and the third, but not the second. So if your mix was 100k users,
200k contacts, 50k inetorgpersons you would see

First filter
350k objects returned

Second filter
100k objects returned, 350k objects checked

Third filter
150k objects returned, 150k objects checked.

Now to just get the ones with an email address you add in email=* but note
that that may not necessarily be people with Exchange mailboxes... That you
would need to go after something like home MDB. Note that mail is indexed so
that is a nice attribute to use. Home MDB I don't believe is. 

On the script that was posted (I think by Tom), it would be just as
efficient as you say if there was only a single container BUT ALSO if it
only contained user objects. If there were for instance many computer or
group objects in the same container it would bog down chasing through those.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

The -l params is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script that was posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush 
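joe's three filters differ less in what they return than in how many objects the DC has to read to answer them, and the remedy he suggests is to index objectClass. The script below is an added example, not code from the list: it builds a small constructed directory scaled down from the 100k/200k figures, parses the filters, and reports returned-versus-examined counts under the default index set and again with objectClass indexed. It goes one step beyond the thread by including computer objects, whose objectClass chain also contains user, which is why a bare (objectclass=user) over-returns as well as reading the whole scope. The index set and the cost model are simplifications of the real query processor and are assumptions of this example, not something the thread states.

```python
"""Toy LDAP query planner: how filter choice and indexing change how many objects
a DC must read ("chase through") to answer a search. Added example, not from the
thread. The directory is constructed and scaled down from joe's figures (100k
users / 200k contacts -> 100 / 200); DEFAULT_INDEX mimics the AD defaults the
thread describes (objectCategory, sAMAccountName and mail indexed, objectClass
not) and the cost model is a simplification of the real query processor."""
import re

# objectClass inheritance chain and the objectCategory AD assigns to each kind of
# object (category names shortened from the schema DNs joe lists).
SCHEMA = {
    "user":     (["top", "person", "organizationalPerson", "user"], "person"),
    "contact":  (["top", "person", "organizationalPerson", "contact"], "person"),
    "computer": (["top", "person", "organizationalPerson", "user", "computer"], "computer"),
    "group":    (["top", "group"], "group"),
}


def make_directory(counts):
    """Constructed objects as {attribute_lowercase: set(values)}."""
    objs = []
    for kind, n in counts.items():
        classes, category = SCHEMA[kind]
        for i in range(n):
            o = {"objectclass": set(classes), "objectcategory": {category}}
            if kind != "contact":                      # contacts are not security principals
                o["samaccountname"] = {"%s%d" % (kind, i)}
            if kind in ("user", "contact") and i % 2 == 0:
                o["mail"] = {"%s%d@example.test" % (kind, i)}
            objs.append(o)
    return objs


_ITEM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def parse_filter(s, pos=0):
    """Parse the RFC 4515 subset used here (&, |, !, equality, presence); returns (node, end)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = s[pos + 1]
    if op in "&|!":
        children, pos = [], pos + 2
        while s[pos] != ")":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1
    m = _ITEM.match(s, pos)
    if not m:
        raise ValueError("malformed filter item at offset %d" % pos)
    attr, value = m.group(1).lower(), m.group(2)
    return (("present", attr, None) if value == "*" else ("eq", attr, value.lower())), m.end()


def matches(node, obj):
    kind = node[0]
    if kind == "&":
        return all(matches(c, obj) for c in node[1])
    if kind == "|":
        return any(matches(c, obj) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], obj)
    _, attr, value = node
    values = {v.lower() for v in obj.get(attr, ())}
    return bool(values) if kind == "present" else value in values


def run_query(directory, filter_str, indexed):
    """Return (objects returned, objects examined). Each indexed item of a top-level
    AND (or a lone item) yields a candidate set from its index and the candidate sets
    are intersected; the full filter is evaluated only on the survivors. With no
    indexed item the whole scope is read object by object."""
    root, _ = parse_filter(filter_str)
    items = root[1] if root[0] == "&" else [root]
    candidates = None
    for item in items:
        if item[0] in ("eq", "present") and item[1] in indexed:
            hits = {i for i, o in enumerate(directory) if matches(item, o)}
            candidates = hits if candidates is None else candidates & hits
    examined = range(len(directory)) if candidates is None else sorted(candidates)
    returned = sum(1 for i in examined if matches(root, directory[i]))
    return returned, len(examined)


DEFAULT_INDEX = {"objectcategory", "samaccountname", "mail"}
DIRECTORY = make_directory({"user": 100, "contact": 200, "computer": 20, "group": 10})

if __name__ == "__main__":
    for f, idx in [("(objectcategory=person)", DEFAULT_INDEX),
                   ("(&(objectcategory=person)(objectclass=user))", DEFAULT_INDEX),
                   ("(&(objectcategory=person)(samaccountname=*))", DEFAULT_INDEX),
                   ("(objectclass=user)", DEFAULT_INDEX),              # no index: full scan
                   ("(&(objectcategory=person)(objectclass=user))", DEFAULT_INDEX | {"objectclass"})]:
        r, e = run_query(DIRECTORY, f, idx)
        label = "+objectclass index" if "objectclass" in idx else "default index"
        print("%-48s %-20s returned %3d  examined %3d" % (f, label, r, e))
```

Run directly, it prints the table: with 100 users and 200 contacts the objectCategory-only filter returns 300, the second filter examines 300 to return 100, the sAMAccountName variant examines only 100, a bare (objectclass=user) reads all 330 objects and also returns the 20 computers, and indexing objectClass brings the second filter down to 100 examined as well.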

RE: [ActiveDir] strange error on logon

2004-05-27 Thread joe

Yep, too bad so many Windows folks are pushed to the limit with Spirographs Picasso :o)

Just buy google already... Petty cash, whip it out. Let people beat on MS for a while for using linux machines to find content at MS while it gets assimilated.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Searching KB is an art, so you can call me Picasso. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen:

824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess.

Check the registry on the workstation. That file error throws some hits on the net referring to shell startup.

This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
 command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis


RE: [ActiveDir] Ad forest migration

2004-05-27 Thread joe
I didn't see any responses on re-acling so I would say take a look at subinacl.

  joe
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 25, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Ad forest migration

any known gotchas(i know everything has gotchas) with admtv2,miis,and exchange 
migration wizard that i should be aware of from the get go?

also, i assume going this route over Aleita/quest is the support and nice gui.

and finally, how would i re-acl everyting on the servers in the new forest? any tool 
or script for that?

thanks(lot of questions, i know. but i'll let you know how it went and if i crashed 
and burned my enterprise!!).

-Original Message-
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration


The Exchange Migration Wizard.
http://support.microsoft.com/default.aspx?scid=kb;en-us;328871
- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:13 PM
Subject: RE: [ActiveDir] Ad forest migration


 i'm sorry if this is obvious but, whats a good exchange migration tool
that comes with exchange2k/2k3?
 and how does it differ from using exmerge to migrate mailboxes to pst's
and then import them into the new server/forest?
 thanks

 -Original Message- 
 From: Mulnick, Al [mailto:[EMAIL PROTECTED]
 Sent: Mon 5/24/2004 5:07 PM
 To: '[EMAIL PROTECTED]'
 Cc:
 Subject: RE: [ActiveDir] Ad forest migration



 Probably wouldn't use exmerge in favor of Exchange migration tools
included
 with Exchange.  And it would be worth it to use Exchange 2003 (tools at
 least), but otherwise it can be done.  Aelita is just nicer and easier to
 work with.  Both work.

 al

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Monday, May 24, 2004 4:24 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Ad forest migration

 I'm on a serious budget and my IT dept doesn't have/want the money to
spend
 on Alieta migration tools.
 we are looking to migrate our child domain into our own forest with
exchange
 2k and still synch our gals.

 how much hubris would it be to do most of this with free tools like
 ADMTv2,MIIS, and exmerge?
 am I insane?

 thanks
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] silly question

2004-05-27 Thread Kern, Tom
If you cannot have universal security groups in a mixed mode AD forest, how is the 
Enterprise Admins a universal security group and what functionality does it lose in 
mixed mode as opposed to native mode?



RE: [ActiveDir] adding a group to the RDP permissions

2004-05-27 Thread joe
Hmmm theoretically eg, the permissions are probably stored in the registry. The most likely place would be someplace say like

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

possibly in the Security value.

Now theoretically if you used a domain group or a built-in group with a specific SID that doesn't change machine to machine (like I wouldn't recommend using a local group on a server) you could theoretically take that value from one machine and copy to another and have those permissions applied to that other machine. Theoretically you could make this even part of a server build process or have it in some setup script...

Also theoretically it may or may not require a reboot to make it kick in.

Just chatting theoretically of course.

If I was to chat some more theoretically someone looking to write some code to muck with that may theoretically find that that binary format is a type of standard security definition format.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Thanks Ken! Even if I can't use this on the 2K machines, it'll help a bunch in a couple of months. Many of our TS machines are about to be upgraded and/or installed. I appreciate it

mc

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Here's some Perl WMI code for adding a local group to the RDP security. However, if memory serves, W2K doesn't support WMI TS stuff - only 2k3

Anyway, maybe it will work...

    use strict;
    use warnings;
    use Win32::OLE qw(in);

    sub TerminalServerSecurity {
        my $host        = shift;
        my $RemoteGroup = shift;

        # Connect to WMI on the target host (impersonate so the call runs as the caller)
        my $wmi = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!$host\\root\\cimv2")
            or die "WMI error: $^E";

        # One Win32_TSPermissionsSetting instance per listener (e.g. RDP-Tcp)
        my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting")
            or die "WMI GetObject: " . Win32::OLE->LastError();

        # Add local group giving full control. AddAccount's second argument is the
        # permission preset: 0 = Guest, 1 = User, 2 = Full Control.
        foreach my $a (in $accounts) {
            print "Adding access to ", $a->TerminalName, "\n";
            $a->AddAccount("$host\\$RemoteGroup", 2);
        }
    }

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
  Sent: Wednesday, May 26, 2004 9:20 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] adding a group to the RDP permissions
  Anybody 
  know a good way to add a group programmatically (or GPO, etc.) to the RDP 
  properties visible when you go to Terminal Services 
  Configuration/Connections/RDP-Tcp [Properties]. I have a bunch of Win2K remote 
  administration mode servers that I want to add a group of night operators to. 
  Thanks
  
  Mark Creamer
  Systems Engineer
  Cintas Corporation
  Honesty and 
  Integrity in Everything We Do
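The WMI classes Ken's Perl sub uses (Win32_TSPermissionsSetting for the change, Win32_TSAccount for the current trustees) can be driven from PowerShell as well. The script below is an added example, not code from Ken Cornetet or from this thread: it first records who already holds rights on each listener, then adds the group, then records the result, so the change leaves an audit trail. Assumptions: PowerShell 3.0 or later on the admin workstation, the Windows Server 2003 class location root\cimv2 (later Windows versions moved these classes to root\cimv2\TerminalServices), the parameter names and the log path are mine, and the access-mask bit names are those documented for Win32_TSAccount.PermissionsAllowed.

```powershell
# Added example (not from the list post): audit, then extend, the RDP listener ACL via WMI.
# Assumes the Windows Server 2003-era namespace root\cimv2; run with admin rights on the target.
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,   # target server, e.g. TS01
    [Parameter(Mandatory = $true)] [string] $GroupName,      # local group, or DOMAIN\group
    [string] $LogPath = "$env:TEMP\rdp-perms.log"            # assumed log location
)

$ns = 'root\cimv2'

# Access-mask bits of Win32_TSAccount.PermissionsAllowed (WINSTATION_* rights as documented).
$rights = [ordered]@{
    Query = 1; Set = 2; Reset = 4; Virtual = 8; Shadow = 16
    Logon = 32; Logoff = 64; Message = 128; Connect = 256; Disconnect = 512
}

function Get-TSListenerAccounts {
    # One Win32_TSAccount instance exists per (listener, trustee) pair.
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class Win32_TSAccount |
        ForEach-Object {
            $mask  = [int]$_.PermissionsAllowed
            $names = $rights.Keys | Where-Object { ($mask -band $rights[$_]) -ne 0 }
            [pscustomobject]@{
                Terminal = $_.TerminalName
                Account  = $_.AccountName
                Allowed  = ($names -join ',')
                RawMask  = $mask
            }
        }
}

"=== $(Get-Date -Format o) before change on $ComputerName ===" | Tee-Object -FilePath $LogPath -Append
Get-TSListenerAccounts | Format-Table -AutoSize | Out-String | Tee-Object -FilePath $LogPath -Append

# PermissionPreSet: 0 = Guest, 1 = User, 2 = Full Control. Full Control also grants Reset, Shadow and
# Set on other people's sessions; operators who only need to log on are better served by User (1).
$preset  = 1
$account = if ($GroupName -like '*\*') { $GroupName } else { "$ComputerName\$GroupName" }

Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class Win32_TSPermissionsSetting |
    ForEach-Object {
        $rc = $_.AddAccount($account, $preset)
        "AddAccount $account preset=$preset on $($_.TerminalName) -> ReturnValue $($rc.ReturnValue)" |
            Tee-Object -FilePath $LogPath -Append
    }

"=== after change ===" | Tee-Object -FilePath $LogPath -Append
Get-TSListenerAccounts | Format-Table -AutoSize | Out-String | Tee-Object -FilePath $LogPath -Append
```

The before/after listing is the part worth keeping even if the add is done some other way: comparing the decoded masks over time is how you notice a listener that has quietly picked up Shadow or Reset rights for a group that should only be able to log on.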
  


RE: [ActiveDir] Test Lab Creation

2004-05-27 Thread Santhosh Sivarajan

This article might help!



http://briandesmond.com/blog/archive/2003/11/25/251.aspx


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, May 26, 2004 6:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Test Lab Creation







Hi Guys,


Thinking... any experiences out there on the below?


I'd like to have a test lab to directly match my production AD in terms of OUs, GPOs,
Objects, etc, etc. The thing is that I'd like the test domain to be physically separate
from my production environment.


Any ideas on how or tools that would
enable me 




This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the sender
immediately and delete the material from any computer. Unless you are the
intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst the
MCPS-PRS Alliance monitors all communications for potential viruses, we accept
no responsibility for any loss or damage caused by this e-mail and the
information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England under
company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.








RE: [ActiveDir] Anonymous bind

2004-05-27 Thread joe
Nothing free. :oP

However Vintela and other companies are working on making this A LOT easier
for a price. I expect in another year or so *nix machines will hardly be any
more hassle to manage in an Enterprise than Windows machines. 

I doubt anyone will do something in this arena for free. It isn't exactly
the kind of thing the Open Source people really care do to I don't think.
More of a corporate thing and I don't visualize any company going through
writing this up for themselves and then giving it away. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 25, 2004 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

LDAP with SSL/TLS is way better than NIS.

As for environment, it's two W2K3 forests with Kerberos forest trust.
Forest A has several child domains and holds user accounts.
Forest B is where my hosts are (We are relatively small organization in the
enterprise, but we are R&D and want to have control at least over the
hosts).

So users can come from any child domain of forest A and logon to hosts in
forest B. Now Linux does not play well, when the host is in one realm, and
users are from several other realms... The only workaround is to map uid to
Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is
not an option, and it's quite reasonable considering the small size of our
division.

So here I am, stuck with LDAP authentication ...
If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
 Just for curiosity...
 
 You don't want to use NIS because it's less secure, yet you are going 
 to use LDAP for authentication?  Isn't that a counter?
 
 Can you give an overview of your topology and what you're wanting to 
 accomplish in the end?  I think we tried to help with the original 
 post without all of the topology information.
 
 Sounds like an interesting problem though...
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
 Teverovsky
 Sent: Friday, May 21, 2004 7:01 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous bind
 
 If you excuse me, I will break the inline pattern ;). It got too
unreadable.
 
 I have seen the interoperability doc. I have also read the whole doc 
 mentioned in the post. It's a very good reference, but is lacking any 
 description of Kerberos deployments in multi-realm environments.
 Personally I had to choose LDAP authentication instead of Kerberos 
 because my hosts are in one forest, while user accounts are from a 
 child domain of another forest. If someone is aware of a workaround 
 for that, monthly beer supply is on me ;)
 
 SFU is nice, but it tries to emulate NIS and with all due respect to 
 NIS, its time is gone. There are just too many security issues with NIS.
 
 As for having more than one directory, see my reply to joe. I wish I 
 could put it all in one place, but it's not always possible.
 
 Guy
 
 On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
  A few bits more.
  
  [Guy] I know that I am speculating here but all I wanted to do is to 
  point the finger to the interoperability issue. Setting up a 
  heterogeneous environment is a pain. Putting *nix clients (or
  services) into the AD mix is not easy. One would blame the marketing 
  attitude, the other would blame the maturity level of the other OSes.
  The truth, I believe, is somewhere in between. So here we go:
  
  [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
  And just about anything around SFU (which might I point out again 
  won best
 app at Linux world)? 
  I think we've done a great job of interop. Can we do better? Always! 
  And
 we continue to work on it. 
  But we're doing a *lot* in this space.
  We have doc's out there that go down to even walk you through how to 
  set
 up the pam modules! 
  We have a lot out there. Here's one of my fav docs, but there are
 others
  this is from a post to this very DL: 
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html
  
  
  1) You are right. Nobody mentioned schema extensions, but the truth 
  is that if you are considering the integration of open source 
  services, you probably do have some Linux boxes around. NIS sucks 
  big time. NIS+ is a pain to configure and both do not give you SSO. 
  AD is great, but does not have out-of-the-box capabilities to absorb 
  non-MS clients. So what is left for those that can not afford VAS ? 
  Either tweak the schema (Linux client will have hard time without 
  posixAccount and posixGroup
  objectClasses) or have a cut down functionality (sendmail LDAP mail 
  routing is great, but I would not extend the AD's schema just to 
  make sendmail happy). And if you are still short on the $$$, you are 
  starting to improvise (talking about OpenLDAP...). SMBs are somewhat 
  neglected in this area.
  
  2) Small *heterogeneous* 

RE: [ActiveDir] DC not replicating out

2004-05-27 Thread joe
I doubt the GPO is it, could be wrong, but doubt it. However what did you
change in the GPO?

What does repadmin /showreps say on the DC trying to pull?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, May 26, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC not replicating out

Both come up clean, despite the fact that the A record for the DC initially
didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead
of BAD_DC$. I adjusted that manually and the change replicated to all DCs.
Still the netdiag and dcdiag do not show any DNS related problems - only FRS
and AD outbound replication is failing. All other tests are fine.

Other DCs that participate in the replication with bad DC come up with KCC
errors (eventid 1311: there is insufficient site connectivity,
blabla...) - it's the only DC at site.  

It looks almost like island DNS, but it's W2K3 and that should not happen.

Guy

On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
 Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be 
 two tools to use to check to see that all is well from the bad dc and 
 good dc perspectives. I'd say go the easy part first.
 
 Invalid Checksum?  Hmmm...  Anything in the security logs that gives 
 an indication?
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
 Teverovsky
 Sent: Tuesday, May 25, 2004 6:02 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] DC not replicating out
 
 
 I am banging my head against the wall the whole day.
 
 In pilot environment we applied a GPO to replace the Default DC GPO.
 Apparently one of the DCs had some issues when the GPO was applied.
 The result was: the inbound replication on the DC works, but no other 
 DC can pull from the sick one.
 Closer examination showed total WMI repository corruption. I have 
 rebuilt it and it looks that WMI is back (not sure it's related, but 
 worth mentioning)
 
 Since then, the new GPO has been unlinked and replaced with default 
 (and as the inbound replication on the DC in question is working, it 
 has replicated to it). But that has not resolved the issue.
 
 From faulty DC issued:
 repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com 
 /force
 
 Traced the session with network monitor from the good DC...
 What I see is:
 - LDAP bind
 - some searches performed and answered correctly
 - MSRPC session initiated
 - RPC request from good DC, RPC response from bad DC
 - RPC bind request from good DC and RPC Bind Ack from bad DC
 - again RPC request from good DC, RPC response from bad DC
 - again RPC bind request from good DC and RPC Bind Nack from bad DC 
 with Provider Reject Reason: Invalid checksum
 
 I was about to blame the DNS till I got this Invalid checksum in the 
 trace...
 
 Now the question is: am I complicating the whole thing and should look 
 closer into DNS or this is something else ?
 
 Thanks,
 Guy
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Discontinue Mail Membership

2004-05-27 Thread joe



I love how Tony can kill a thread by contributing. 
:o)

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, May 23, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

In general, yes. Although we do generally have reservations about deleting people (read it 
again). Subscribed addresses maybe, but not people. We reserve that treatment only for 
occasions where people continue dead or off-topic threads longer than is absolutely 
necessary ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sonntag, 23. Mai 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

aren't those the rules that apply to post to this 
list? ;-))


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Freitag, 21. Mai 2004 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I like the etiquette rules, especially useful reminder: 
"We have the right to exploite, humilate, delete, ignore, or coddle any person at anytime for 
no other reason than Our Own amusement."
and what's up with those pink...errmm..stuff, you require to wear while reading FeMail? That's 
mean!
Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 May 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

That is hilarious... go through FAQ on the left if you 
haven't



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Hmmm..googled FeMail and got - "Totally new, cool and fast feMail system utilizes the newest 
technology available!" http://www.femail.sissify.com/
A replacement for ActiveDir? The most important - it promises "No more fretting about system 
administrators at your workplace!"
Lana 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 21 May 2004 11:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


that's spelled FEMAIL ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Donnerstag, 20. Mai 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


Please continue FEMALE membership :) 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you
Michael Welborn



RE: [ActiveDir] hidding users

2004-05-27 Thread joe
Hiding the user from the ADUC and other LDAP based tools would be fairly
trivial, you just have to throw the users into an OU with locked down perms
(like only let the admin groups and system have access) and then strip the
perms on the user objects themselves of everything but administrators.

However, the problem is going to be with anyone using legacy API calls (NET
USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT
Provider). I believe that is all processed by the Domain Controller as
localsystem so it would bypass all of the delegation. I could be wrong on
that assessment but I don't think so. You can't lock the IDs out from
localsystem access. I mean you could try and if it actually let you and
worked I would expect you would have some serious issues. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 20, 2004 2:00 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] hidding users

is there an attribute i can set in adsiedit,ldp,etc to hide a user from
appearing in the usual admin gui utlilties like aduc?
also when you look in group membership, to not have s(he) appear there as
well?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Domain Controller Security...

2004-05-27 Thread Brent Westmoreland
Yeah, I love/hate that guy


 From: joe [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 27 May 2004 19:22:10 -0400
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 Nope but it doesn't matter. If they can install a service (or replace a file
 a service uses) they have too much power, let alone schedule a task. Heck
 when you get down to it, physical access to the box is all that is needed
 but we try to forget that one or else no one would ever put a DC anywhere
 but within their eyesight and then only in a sealed room with 4 locks on
 steel doors. 
 
 The whole thing as we have pointed out time and again is trust and
 compensating controls. You will never be 100% secure, what you do is try to
 make as few concessions as you possibly can. Not allowing people normal
 interactive access or the ability to write to the disk system is one layer
 that I absolutely recommend for Domain Controllers. Also don't recommend
 giving hardly anyone access to AD via builtin groups such as acc op and
 admin and dom admin, etc. Again, this can be compromised but it does require
 even more intent and knowledge to pull off. Also you don't accidentally get
 viruses and other things running on DCs you shouldn't have there.
 
 I am actually waiting for the offline password editor dude who makes the
 bootable floppy/cd to do the next logical step to help get onto 2K+ Domain
 Controllers. That guy is bright, I am actually surprised he hasn't gone
 ahead and done it already.
 
   joe
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Monday, May 24, 2004 6:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 You can restrict access to Task Scheduler using GPO (Admin Templates\Windows
 Components\Task Scheduler) and by changing permissions on %SYSTEMROOT%\Tasks
 folder, but there are other ways around.
 
 BTW, I remember reading somewhere that at command uses old style API which
 is not enforced by GPO, and therefore the only way around is to change the
 ACL on Tasks folder. Anyone remembers the details ?
 
 Guy
 
 On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote:
 The problem, as you're most likely aware, is that server admins have
 access to the Task Scheduler, which means they can kick things off as
 LocalSystem, which means the DC is then 0wn3d.(owned)
 
 Not sure what I'd do in your shoes. I'm fortunate enough to have
 really good IT folk in my remote locations with DCs. I'm also
 fortunate enough to be 6'5 tall, built like an NFL lineman, and have
 an expense account with which I can purchase plane tickets to their
 location to engage in what my ex-Army junior admin refers to as wall to
 wall counseling.
 
 Roger
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
  
 
 -Original Message-
 From: Chris Lynch [mailto:[EMAIL PROTECTED]
 Sent: Friday, May 21, 2004 5:11 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
  
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I know.  I agree that this isn't good security practice.  I wouldn't
 recommend this as well.  But, for the lack of space in most
 locations (and we are only talking about 4 locations), we would just
 like to give the local tech access to that DC only and no other DC
 in the domain.  I can restrict them to log onto that DC local to
 them only (via GPO).  I might just give them Server Operators
 rights, restrict them to log onto that DC only, and call it a day.
 
 Thanks,
 
 Chris
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roger
 Seielstad
 Sent: Friday, May 21, 2004 10:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 True... I musta read half the question (again).
 
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
 Inovis Inc.
  
 
 -Original Message-
 From: joe [mailto:[EMAIL PROTECTED]
 Sent: Friday, May 21, 2004 12:41 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 I am not sure that fits his requirements for this one...
 
 Sounds like he is file sharing from the DC (not something I
 personally
 recommend) and obviously it would be a bit much to dcpromo down
 and  back up to add a new share.
 
   joe
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roger
 Seielstad
 Sent: Friday, May 21, 2004 11:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 I like Joe Richard's option - DCPromo it out, let the tech
 work on it,
 and DCPromo it back in
 
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
 Inovis Inc.
  
 

RE: [ActiveDir] OT, How to change wording on screen when computer is locked

2004-05-27 Thread joe



Yeah deploy this in production and depend on it, then roll 
out a hotfix or SP that overwrites the gina bins and bam, you've lost your 
functionality. 

bginfo is very cool. I've seen something similar that I 
thought was from MS running on Exchange Servers before too... Possibly part of 
some Exchange feature pack or reskit or something.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, May 22, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

it's called Resource Hacker (reshacker.exe) and is 
available at: http://www.users.on.net/johnson/resourcehacker/

Quite nice - I've also used it - but only for lab-purposes 
to easily distinguish machines at logon time. However, we've moved to 
bginfo from sysinternals, which is obviously much simpler to use for this 
purpose...

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sonntag, 23. Mai 2004 00:39
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT, How to change wording on screen when computer is locked

I used a great little program called Hacker.EXE 
(excuse the name) that was great for modifying the Gina to change any of the 
messages, images etc, but can't seem to find a site for it now. Maybe 
someone else has experience.

In the end, we didn't use it 'cos management was a 
little nervous, but it seemed to work well when I played with it on my 
machine.



Alan Cuthbertson

Policy Management Software:-http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml



  - Original Message - 
  From: joe 
  To: [EMAIL PROTECTED] 
  Sent: Saturday, May 22, 2004 1:05 AM
  Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked
  
  Well there are two ways to modify the GINA. 
  
  
  1. Hack it with a binary editor
  2. Replace it with one you write
  
  Obviously #2 is the supported method, you can find sample 
  code at 
  
  http://msdn.microsoft.com/library/default.asp?url="">
  
  You may possibly be able to do something with the GINA 
  stub functionality, see this
  
  http://msdn.microsoft.com/library/default.asp?url="">
  
   joe
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, May 21, 2004 10:43 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

  Do you know of a good software for making modifications to the GINA?

  Ryan McDonald
  Systems Administrator
  


  "joe" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  05/21/2004 09:35 AM
  Please respond to [EMAIL PROTECTED]

  To: [EMAIL PROTECTED]
  cc:
  Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

I don't believe that message is tuneable without modification of the GINA.

 joe 

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, May 20, 2004 5:24 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT, How to change wording on screen when computer is locked

  What I am looking to do is change the wording on the screen when a computer is locked 
  where it says "This computer is in use and has been locked". I have it when the user logs 
  in but I want to change it when it's locked as well but I can not find out where to do 
  this for the life of me. Any help would be great or links or anything.

  Ryan McDonald
  Systems Administrator 



RE: [ActiveDir] OT: Exchange 2003 SP1

2004-05-27 Thread joe
Yep, good thing to publish. Another cool thing, something I actually was
involved in a lot of the testing over the last year or so is 

http://www.microsoft.com/downloads/details.aspx?FamilyId=3D0884E6-C603-491D-BF57-ACF03E046BFE&displaylang=en

This is the autoaccept agent for conference rooms. You give your conference
rooms mailboxes in exchange and then use this tool and it will process the
meeting requests for you. That way you can have automated calendar
management of conference rooms (or other resources say you have a projector
or generic laptop or whatever) without people fighting over the conference
room and deleting each other's entries. This could put some people out of
work as I know there are some folks whose whole job in life is to manage
calendars like that. 

You used to do this with scripts, that of course was on the slow side. I
recall seeing a busy server taking 10-20 minutes to respond when running
with a script but the agent is dot net code that rock and rolls and the
response is in your inbox about as fast as you hit send on the request.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, May 25, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Exchange 2003 SP1

Also continuing the OT note, it seems that the long-awaited server-side spam
filtering system (IMF) is available too:
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1


: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony

~~

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] silly question

2004-05-27 Thread joe
It is a global group until the root domain goes to native mode. Ditto for
the schema admins group.

Functionality lost would be that you couldn't place users from any domain
other than the root into the group until you go native.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 6:10 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] silly question

If you cannot have universal security groups in a mixed mode AD forest, how
is the Enterprise Admins a universal security group and what functionality
does it lose in mixed mode as opposed to native mode?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] task pads

2004-05-27 Thread joe
Title: task pads



Yeah first thing I thought was script the move and have it 
done via a web page... You have full tracking and don't have to delegate 
anything - just let the web site have the perms.


 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads


Thanks for the ideas. I 
think I am going to probably script the move. I was trying to make this as 
simple for the help desk personnel as possible.


Rick Gasper 
Manager Network Services 
King's College 
Wilkes-Barre PA 18711
[EMAIL PROTECTED] 
PH: 570-208-5845 
Fax: 570-208-6072 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, May 25, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

If you're always going to move the computer accounts to a specific OU, you could also do a 
simple script. It would be simple to modify this one to include the computer name as an 
argument.

http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx






From: Gasper, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

We want to have the 
first level support person move the machine into an OU so that office 2003 can 
be installed via group policy.


Rick Gasper 
Manager Network Services 
King's College 
Wilkes-Barre PA 18711
[EMAIL PROTECTED] 
PH: 570-208-5845 
Fax: 570-208-6072 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads

? You want to give some 
sort of secretary a MMC? Sure, why not? Works out well. 

You'll want to give 
permissions over computer objects as well for both the current and destination 
OU's it sounds like.

Not sure why somebody 
would be moving a computer account though? Is that some sort of tracking 
mechanism for you?

Al




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,
I need to give a non admin IT user access to aduc. Our plan is to use gpo to push out 
office 2k3. The non admin IT user is to move the machine to the deployment OU.
Is this possible? I am thinking creating a task pad will do this, but I have not ever 
done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072
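Larry's suggestion (a script that takes the computer name as an argument and moves the account into the deployment OU) and joe's (script the move and keep full tracking, so nothing beyond the script's own identity needs delegating) can be combined in a few lines. The script below is an added example, not the Script Center script Larry links to and not anything from the thread. It assumes the identity running it has been delegated the two rights a move needs (delete computer objects on the source OU, create computer objects on the target OU), and the OU distinguished name, the log path and the function names are mine.

```powershell
# Added example (not from the list post): move one computer account into a deployment OU
# and write a tracking record for each move. Assumed DN and log path below.
param(
    [Parameter(Mandatory = $true)] [string] $ComputerName,               # e.g. PC0123
    [string] $TargetOuDn = 'OU=Office2003Deploy,DC=example,DC=com',     # assumed deployment OU
    [string] $LogPath    = '\\fileserver\logs\computer-moves.log'        # assumed log location
)

function Find-ComputerEntry([string] $name) {
    # A computer's sAMAccountName is the host name followed by '$'; search the whole domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$name`$))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Computer '$name' not found in the domain" }
    return $result.GetDirectoryEntry()
}

function Move-ComputerToOu([string] $name, [string] $ouDn) {
    $targetPath = "LDAP://$ouDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($targetPath)) {
        throw "Target OU '$ouDn' not found"
    }
    $entry  = Find-ComputerEntry $name
    $source = $entry.distinguishedName.Value
    $target = [ADSI]$targetPath

    # DirectoryEntry.MoveTo performs the LDAP modifyDN; it fails if the caller lacks either
    # delete-child on the source OU or create-child on the target OU.
    $entry.psbase.MoveTo($target)

    # Tracking record: when, who ran the move, which computer, from where, to where.
    $line = "{0}`t{1}\{2}`t{3}`t{4}`t{5}" -f (Get-Date -Format o), $env:USERDOMAIN, $env:USERNAME,
                                              $name, $source, $ouDn
    Add-Content -Path $LogPath -Value $line
    return $line
}

Move-ComputerToOu -name $ComputerName -ouDn $TargetOuDn
```

If this is wrapped in a web page as joe describes, the application pool identity is the only account that needs the two delegated rights; the help desk user never touches ADUC, and the log records which help desk user asked for the move rather than which identity performed it.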


Re: [ActiveDir] hitting users

2004-05-27 Thread Brent Westmoreland
Title: Re: [ActiveDir] hitting users



Alternatively, you could just delete all the users. It would have about the same effect as removing localsystem access, but I find it to be a cleaner solution. This would also solve the problem of those nasty little legacy API calls. ; )

But maybe what you really want, Tom, is to provide a view into your directory for your delegated admins? I don't think you ever actually said why you want to do this. If my assumption is correct, there are tons of example web apps that can give those admins a view into the directory to see their users and no one else's. Then you could just set up a group policy to keep the various and sundry admin tools from being executable unless on a pre-designated admin workstation. 


 From: joe [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 27 May 2004 19:32:56 -0400
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] hidding users
 
 Hiding the user from the ADUC and other LDAP based tools would be fairly
 trivial, you just have to throw the users into an OU with locked down perms
 (like only let the admin groups and system have access) and then strip the
 perms on the user objects themselves of everything but administrators.
 
 However, the problem is going to be with anyone using legacy API calls (NET
 USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT
 Provider). I believe that is all processed by the Domain Controller as
 localsystem so it would bypass all of the delegation. I could be wrong on
 that assessment but I don't think so. You can't lock the IDs out from
 localsystem access. I mean you could try and if it actually let you and
 worked I would expect you would have some serious issues. 
 
 joe
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Thursday, May 20, 2004 2:00 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] hidding users
 
 is there an attribute i can set in adsiedit,ldp,etc to hide a user from
 appearing in the usual admin gui utlilties like aduc?
 also when you look in group membership, to not have s(he) appear there as
 well?
 thanks
 List info : http://www.activedir.org/mail_list.htm
 List FAQ : http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 

Sent using the Microsoft Entourage 2004 for Mac Test Drive.

[ActiveDir] OT:EXCHANGE weirdness

2004-05-27 Thread Kern, Tom
i have a user(blackberry service account) who has full exchange admin rights on our 
admin group, now suddenly(i know there is no now suddenly, but nothing changed, 
honest), blackberry service won't start and when i open exchange manager, i can't see 
any admin group logged in as the blackberry account.
when i log in as another account, i can see everything. i put the bb account into 
domain admins, and still same thing.
why?
and more importantly, how do permissions and roles get lost like that?
I'm running a win2k ad mixed mode and exchange 2k native mode.
thanks


RE: [ActiveDir] hitting users

2004-05-27 Thread joe

Hmmm. I hadn't thought of that method. Very easy to 
implement. I like it. Should cut down on password issues as well. "I can't log 
on..." " Of course you can't." :o)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Thursday, May 27, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] hitting users

Alternatively, you could just delete all the users. It would have about the same effect as removing localsystem access, but I find it to be a cleaner solution. This would also solve the problem of those nasty little legacy API calls. ; )

But maybe what you really want, Tom, is to provide a view into your directory for your delegated admins? I don't think you ever actually said why you want to do this. If my assumption is correct, there are tons of example web apps that can give those admins a view into the directory to see their users and no one else's. Then you could just set up a group policy to keep the various and sundry admin tools from being executable unless on a pre-designated admin workstation.

 From: joe [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 27 May 2004 19:32:56 -0400
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] hidding users

 Hiding the user from the ADUC and other LDAP based tools would be fairly trivial, you just have to throw the users into an OU with locked down perms (like only let the admin groups and system have access) and then strip the perms on the user objects themselves of everything but administrators.

 However, the problem is going to be with anyone using legacy API calls (NET USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT Provider). I believe that is all processed by the Domain Controller as localsystem so it would bypass all of the delegation. I could be wrong on that assessment but I don't think so. You can't lock the IDs out from localsystem access. I mean you could try and if it actually let you and worked I would expect you would have some serious issues.

 joe

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Thursday, May 20, 2004 2:00 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] hidding users

 is there an attribute i can set in adsiedit, ldp, etc to hide a user from appearing in the usual admin gui utilities like aduc? also when you look in group membership, to not have s(he) appear there as well?
 thanks

Sent using the Microsoft Entourage 2004 for Mac Test Drive.


RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

2004-05-27 Thread Noah Eiger

That is good news. I see that 10.3.4 is available via Software Update.

So, with the volumes, were the Macs using SMB just for testing (since AFP worked fine)? Or is SMB standard regardless of the server OS and you used AFP just to test?

From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 4:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

Hi Noah,

FYI

1. I just finished up my 10.3.4 testing for the ADPlugin and it appears to resolve all of my previous issues with obtaining a TGT at login. I would say that the ADPlugin is now ready for prime time.

2. Entourage 2004 fixes a lot of the previous issues connecting to an exchange server for mail and shared calendaring. I would say it is ready for primetime too (although a little slow).

3. A newly discovered issue has me scratching my head with Mac Clients connecting to smb: volumes that are larger than X terabytes. Unfortunately, I do not know what X is, but when I RAID 50'd the xserve raid for 2.7tb all the mac clients couldn't handle the volume size via smb:. When I broke it up into the default 1.36tb chunks they were able to read it just fine. The windows clients worked flawlessly no matter what size the volume. It is worth mentioning that AFP worked fine. (yes, I am convinced that all of this happened because I was bitching about afp the other day.)

From: Noah Eiger [EMAIL PROTECTED]
Organization: PRBO Conservation Science
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 15:31:54 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

Blush! First, I belong to another list for Mac admins. On that one you are supposed to post summaries after questions. I obviously posted to the wrong list.

That said, thank you for further responses.

As for Danny's point about the home directory issue in the demo: during the web cast on AD integration (at http://www.macoxlabs.org/ ), I recall that one of the presenters discusses how to get the AD user account home directory to appear as the user's Mac OS home directory (rather than a mounted volume on the desktop).

nme

From: McCann, Danny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

 - Can XServe volumes be managed by Active Directory? That is, can you add
 an XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an
active directory domain, and some creative vi'ing on the /etc/smb.conf file
to manage authentication via kerberos.

 - Would love to hear real-world experiences with the new AD Plug-in for
 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4 (due to be released the end of
this week) goes a little bit farther. There is still an issue gaining a
kerberos ticket if you have a particular set of circumstances, but apple has
been notified of the issue and is currently working on the problem.

 - I consider some services like RIS to be pretty essential to speeding
 deployment and recovery in a Windows environment. Are there similar
 applications or services that require OD for Macs?

Check out netboot for this purpose, it doesn't have any direct hooks into OD
and isn't required to do your imaging.

http://docs.info.apple.com/article.html?artnum=107912

And download System Imaging Administration





Hi



I attended a demo of all of the above today and everything ran very smoothly.

Only issue was that they claimed to be able to map AD user account home directories, by mounting them as share points on the desktop, but couldn't demonstrate this as one of the scripts needed some work. Apparently :)

Apple are also looking into a method of accessing DFS from the Mac.



Cheers

Danny

Sent using the Microsoft Entourage 2004 for Mac Test Drive.

Re: [ActiveDir] Users file permission display on intranet page or to file

2004-05-27 Thread Kenny Lee

Thanks Nicholas. I will try that out.

- Original Message - 
  From: Nicolas Blank
  To: [EMAIL PROTECTED]
  Sent: Thursday, May 27, 2004 4:55 PM
  Subject: RE: [ActiveDir] Users file permission display on intranet page or to file

  Lots of third party tools to do this – I did exactly this for a client the other day using Quest Reporter – published to HTML, excel, whatever automatically collected into a DB for auditing – was an auditing requirement for a health provider.

  File/folder mods can be tracked using auditing on object access on the file/print box. Again used Reporter for this to store the logs – audit requirement – and report on them on an exception basis. It's not the only tool out there, but it fitted the client's requirement to a "T" – no agents on any boxes, track file/foldershare ACLs and compare over time what was modified and by whom.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee
  Sent: 27 May 2004 10:23 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Users file permission display on intranet page or to file

  Hello,

  I have a query here. I would like to track the permissions on a specified folder for users (Modify, Full Control, etc.) that can be displayed on the intranet page or in any other way. Is there any tool that can do this? Would be great too if there is any way to put the data into an Excel file. This is to know the person that modified the file/folder permissions as well as to know the latest file/folder permissions that the users are having.

  Thanks.

  rgds,
  ken
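
Nicolas's approach (snapshot the file/folder ACLs, publish them in an Excel-friendly form, compare snapshots over time) can also be scripted without a reporting product. The PowerShell below is an added example, not code from this thread or from Quest Reporter; the function names and paths are assumptions, and attributing a change to a person still depends on the object-access auditing he mentions.

```powershell
# Added example (not from the list thread or any product it names). Function and
# path names are assumptions. Requires PowerShell 3.0+ (Get-ChildItem -Directory).

function Export-FolderAclSnapshot {
    # Writes one CSV row per (folder, identity, right, allow/deny) so the file
    # opens directly in Excel and can be filtered or pivoted per user.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OutCsv
    )
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    $rows = foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()   # Allow / Deny
                Inherited = $ace.IsInherited
            }
        }
    }
    $rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
}

function Compare-AclSnapshot {
    # Diffs two snapshots and reports ACEs that appeared or disappeared between
    # them. This shows WHAT changed; WHO changed it still needs object-access
    # auditing on the file server, where the Security log records the changer.
    param(
        [Parameter(Mandatory)] [string] $OldCsv,
        [Parameter(Mandatory)] [string] $NewCsv
    )
    $toKey = { "$($_.Folder)|$($_.Identity)|$($_.Rights)|$($_.Type)" }
    $old = @(Import-Csv -LiteralPath $OldCsv | ForEach-Object $toKey)
    $new = @(Import-Csv -LiteralPath $NewCsv | ForEach-Object $toKey)
    # '=>' means the entry exists only in the new snapshot, '<=' only in the old one.
    Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
        [pscustomobject]@{
            Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            Entry  = $_.InputObject
        }
    }
}

# Usage (assumed paths): take today's snapshot, then diff it against the previous one.
Export-FolderAclSnapshot -Path '\\FILESRV01\Projects' -OutCsv 'C:\AclAudit\projects-new.csv'
Compare-AclSnapshot -OldCsv 'C:\AclAudit\projects-old.csv' -NewCsv 'C:\AclAudit\projects-new.csv' |
    Format-Table -AutoSize
```

Scheduling the export and piping the comparison into an HTML page (ConvertTo-Html) gives the intranet view Kenny asked about; inherited entries are kept in the CSV so a broken inheritance chain shows up as a change too.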
  
  
  
  
  
  


Re: [ActiveDir] Users and Computers

2004-05-27 Thread Brent Westmoreland
Install adminpak.msi, available in the C:\windows\system directory of any server; it is also available on the server CD.


On May 27, 2004, at 9:12 PM, Caple, Andrew wrote:

 I'm sure this is an easy one. I'm currently setting up some Support Desk PCs and need to give them access to Users and Computers locally (so that they don't need to RDP into a DC all the time). How do you add the snap-in into a MMC with a computer that doesn't have AD installed on it?

 Andrew Caple
 Infrastructure Engineer
 Phone: +61 3 9861 5425
 Facsimile: +61 3 9861 5510
 [EMAIL PROTECTED]
 105 Camberwell Road, Hawthorn East, Vic 3123


RE: [ActiveDir] Users and Computers

2004-05-27 Thread Passo, Larry

Install Adminpak.msi (you'll find it in the i386 folder on the Windows 200x Server CD). It will install all of the admin snap-ins. Make sure that you use the 2003 version for XP clients.

  -Original Message-
  From: Caple, Andrew [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 27, 2004 6:12 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Users and Computers

  I'm sure this is an easy one. I'm currently setting up some Support Desk PCs and need to give them access to Users and Computers locally (so that they don't need to RDP into a DC all the time). How do you add the snap-in into a MMC with a computer that doesn't have AD installed on it?

  Andrew Caple
  Infrastructure Engineer
  Phone: +61 3 9861 5425
  Facsimile: +61 3 9861 5510
  [EMAIL PROTECTED]
  105 Camberwell Road, Hawthorn East, Vic 3123



RE: [ActiveDir] silly question

2004-05-27 Thread Eric Fleischman
Right, the salient point here is that it is not the forest that has
mixed/native mode associated with it, it is the domain that has a
functionality level tied in.

Until 2k03 there is no concept of forest functional level, and then in
2k03 we don't call it mixed vs. native, it is either 0 (nt4, 2k or
2k03 DCs), 1 (nt4 or 2k03 DCs, aka 2k03 interim mode) or 2 (2k03 DCs
only, aka 2003 forest functional level).

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 6:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] silly question

It is a global group until the root domain goes to native mode. Ditto
for the schema admins group.

Functionality lost would be that you couldn't place users from any
domain other than the root into the group until you go native.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 6:10 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] silly question

If you cannot have universal security groups in a mixed mode AD forest,
how is the Enterprise Admins a universal security group and what
functionality does it lose in mixed mode as opposed to native mode?
