[ActiveDir] Users file permission display on intranet page or to file
Hello, I have a query here. I would like to track the permissions on a specified folder for users (Modify, Full Control, etc.) and display them on an intranet page or in some other way. Are there any tools that can do this? It would be great too if there were a way to put the data into an Excel file. This is to know the person that modified the file/folder permissions, as well as to know the latest file/folder permissions that the users have. Thanks. rgds, ken
RE: [ActiveDir] Users file permission display on intranet page or to file
Lots of third party tools to do this. I did exactly this for a client the other day using Quest Reporter: published to HTML, Excel, whatever, automatically collected into a DB for auditing; it was an auditing requirement for a health provider. File/folder mods can be tracked using auditing on object access on the file/print box. Again, I used Reporter for this to store the logs (audit requirement) and report on them on an exception basis. It's not the only tool out there, but it fitted the client's requirement to a T: no agents on any boxes, track file/folder/share ACLs and compare over time what was modified and by whom.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee
Sent: 27 May 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users file permission display on intranet page or to file
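The same snapshot-and-compare result with built-in tools, added here as an example; it is not part of the reply above and has nothing to do with Quest Reporter. It writes one row per ACE of a folder tree to CSV (for Excel) and HTML (for an intranet page), diffs the dump against an earlier one so that added or removed ACEs stand out, and puts a SACL on the tree so that every permission change is logged with the name of the account that made it. The share path and output folder are assumptions, and auditpol's "File System" subcategory with event 4670 is the Vista/2008-and-later form of the Windows 2000/2003 "Audit object access" policy the reply refers to; the script must run elevated because reading and writing SACLs needs SeSecurityPrivilege.

```powershell
# Added example, not from the original thread. Assumed inputs: a share root and an
# output folder; run elevated so Get-Acl -Audit / Set-Acl can read and write SACLs.
param(
    [string]$Root        = 'D:\Shares\Finance',   # assumed folder to track
    [string]$OutDir      = 'C:\AclAudit',         # assumed output folder
    [string]$Previous    = '',                    # earlier CSV snapshot to compare against
    [switch]$EnableAudit                          # also add the SACL and turn the audit policy on
)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-AclSnapshot {
    # One row per ACE on the root and every subfolder, so the CSV pivots cleanly in Excel.
    param([string]$Path)
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path      = $d.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Compare-AclSnapshot {
    # ACEs present in only one of two snapshots. Only explicit ACEs are compared;
    # inherited ones just mirror their parent. Works on rows read back from CSV,
    # where Inherited is the string 'True'/'False'.
    param([object[]]$Old, [object[]]$New)
    $key = { "$($_.Path) | $($_.Identity) | $($_.Rights) | $($_.Type)" }
    $oldKeys = @($Old | Where-Object { "$($_.Inherited)" -eq 'False' } | ForEach-Object $key)
    $newKeys = @($New | Where-Object { "$($_.Inherited)" -eq 'False' } | ForEach-Object $key)
    $oldSet = New-Object 'System.Collections.Generic.HashSet[string]'
    $newSet = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($k in $oldKeys) { [void]$oldSet.Add($k) }
    foreach ($k in $newKeys) { [void]$newSet.Add($k) }
    foreach ($k in $newKeys) { if (-not $oldSet.Contains($k)) { [pscustomobject]@{ Change = 'Added';   Ace = $k } } }
    foreach ($k in $oldKeys) { if (-not $newSet.Contains($k)) { [pscustomobject]@{ Change = 'Removed'; Ace = $k } } }
}

function Enable-PermissionChangeAudit {
    # SACL entry: audit successful ChangePermissions/TakeOwnership by anyone on the
    # whole tree. With the "File System" audit subcategory enabled, every ACL change
    # then produces Security event 4670 naming the account that changed the permissions.
    param([string]$Path)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    & auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
}

$snapshot = @(Get-AclSnapshot -Path $Root)
$csv  = Join-Path $OutDir "acl-$stamp.csv"
$html = Join-Path $OutDir "acl-$stamp.html"
$snapshot | Export-Csv -Path $csv -NoTypeInformation                                   # open in Excel
$snapshot | ConvertTo-Html -Title "ACLs under $Root ($stamp)" | Out-File -FilePath $html  # publish on the intranet

if ($Previous -and (Test-Path -Path $Previous)) {
    Compare-AclSnapshot -Old @(Import-Csv -Path $Previous) -New $snapshot | Format-Table -AutoSize
}
if ($EnableAudit) { Enable-PermissionChangeAudit -Path $Root }
```

Run it from a scheduled task and keep the CSVs: the diff answers "what changed since last week", and the 4670 events answer "who changed it". The SACL is only useful if the Security log is collected off the file server, because whoever can change permissions can usually also clear a local log.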
RE: [ActiveDir] lsass.exe process causing high CPU on DCs
Check out this MS KB article: 832539.

Thank You,
Kurt Canzoneri, MCSE
Infrastructure Architect
EIG Valassis / Operations
47585 Galleon Drive
Plymouth, MI. 48170
Tel 734-354-2496
Fax 734-354-2694
[EMAIL PROTECTED]
www.valassis.com

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.

-----Original Message-----
From: Airhart, Cliff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone, We have 2 Domain controllers running Windows 2000 Server with Active Directory that are showing a high and low CPU pattern. The CPU flatlines at 100% for about 60 seconds, then drops to 5% for about 30 seconds. This high and low cycle continues to repeat. When the CPU is high, the lsass.exe process is the cause of the high CPU. From what I understand that is the Active Directory process. What Active Directory activity would cause this type of behavior? Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Terminal Services for administration????
Does everyone use terminal services for remote administration of all their DCs, Fileservers, Exchange Servers, or is there something else you like better?
RE: [ActiveDir] Password set and enable account
Guido/Al, thanks for the help. I think I got what I need now.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 24, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

here's a sample batch that should help you get started

/Guido

    set inputfile=%1
    if '%inputfile%'=='' goto ErrInput
    set logfile=.\%inputfile%_log.txt

    echo.
    echo Updating password settings for users listed in: %inputfile%
    echo Logfile: %logfile%
    echo.

    echo. > %logfile%
    echo. >> %logfile%
    echo Inputfile: %inputfile% >> %logfile%
    date /T >> %logfile%
    time /T >> %logfile%
    echo Step 1: setting PW to new value >> %logfile%
    echo. >> %logfile%
    echo. >> %logfile%

    REM Read users from inputfile and execute UpdatePWsetting routine
    set /A count=1
    FOR /F "tokens=1-2 delims=;" %%i in (%inputfile%) DO (
        set CurUser=%%i
        set newPW=%%j
        call :Sub_PWchange
    )
    start notepad %logfile%
    goto END

    :Sub_PWchange
    echo now updating User%count%: %CurUser% PW:%newPW%
    echo User%count%: %CurUser% PW:%newPW% >> %logfile%
    dsquery user -samid %CurUser% | dsmod user -pwd %newPW% >> %logfile%
    REM *** dsmod user -pwd only works on Win2k3 DCs = for Win2k the "net user" cmd must be used ***
    REM net user %CurUser% %newPW% >> %logfile%
    set /A count=%count%+1
    GOTO :EOF

    :ErrInput
    echo.
    echo **
    echo ERROR: missing inputfile - script will quit
    echo.
    echo Syntax: update_pwChange.bat myUser-list.csv
    echo Format of input-file: username;newPW
    echo **
    echo.
    pause

    :END

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, 24 May 2004 15:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

Oh yeah, I guess I have to read the username from a file and pass it into the dsmod command also. Do I just want a list of users in a .txt file, .csv??? And how do I read from that?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password set and enable account

Ok, so my task is to generate random passwords and enable the accounts for 3200 users. The user accounts and all attributes were first created with ldifde, and I am now thinking about using the dsmod utility to accomplish the password set and account enablement. I wish I knew VBS like you guys do, but I don't yet (this year's resolution). So here is what I have for the password generation part:

    Function Password_GenPass( nNoChars, sValidChars )
        ' nNoChars    = length of generated password
        ' sValidChars = valid characters. If zero-length string ( "" ) then
        '               default is used: A-Z AND a-z AND 0-9
        Const szDefault = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        Dim nCount
        Dim sRet
        Dim nNumber
        Dim nLength

        Randomize 'init random

        If sValidChars = "" Then
            sValidChars = szDefault
        End If
        nLength = Len( sValidChars )

        For nCount = 1 To nNoChars
            nNumber = Int((nLength * Rnd) + 1)
            sRet = sRet & Mid( sValidChars, nNumber, 1 )
        Next
        Password_GenPass = sRet
    End Function

    WScript.Echo "Your password: " & Password_GenPass( 10, "" )

What is my next move? I am guessing I have to pass this password to a variable, instead of echo, and then somehow pass that into the dsmod command, but as I already said, I don't know VB Script. Any help is highly appreciated.
RE: [ActiveDir] Terminal Services for administration????
It's convenient to use. There are things you can't do while you have a session open. Overall, it's adequate for us, all things considered.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration
RE: [ActiveDir] Terminal Services for administration????
Tend to use TS on an everyday level... and also Dameware for emergencies.

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: 27 May 2004 14:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
RE: [ActiveDir] Terminal Services for administration????
I use TS for a lot of admin work, but we also use Dameware, since it allows for a console session on W2K machines (which we have a lot of, as well as a few remaining NT 4 boxes). It's got some bugs, but it's easy to use and the Dameware utilities allow a lot of centralized remote management. We use it for client work a lot too...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 6:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration
[ActiveDir] Pages Printed
Hello, Does anyone use any software to audit pages printed? Any other solution? Thanks.

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
RE: [ActiveDir] Terminal Services for administration????
I prefer to use remote tools from workstations. When you log directly into servers there is a higher probability of doing something bad by accident. There are some things you can't do remotely but they should be things you don't have to do very often at all, like for instance recovery mode on a DC. If you have specific tasks you are interested in, you could probably post a list and people could say what remote tools to use.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration
RE: [ActiveDir] Terminal Services for administration????
I use TS all the time. There is a console switch in Windows Server 2003; it supports the Remote Desktop Protocol (RDP) 5.1 feature set and also has the ability to remote the actual console session of the server (from the MS web site). Joe brought up an interesting point: certain things should not be done from an RDP session. Always run RDP in a window and you should avoid most of the issues. There is a version of RDP that runs on Linux as well, and that makes it a convenient tool from anywhere.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services for administration
RE: [ActiveDir] Pages Printed
Pcounter here: http://www.andtechnologies.com. It can pull the users from AD and do just about everything you need. The price was right as well.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Pages Printed
Sensitivity: Private
RE: [ActiveDir] Terminal Services for administration????
Stay native as much as possible here... TS unless TS is crapped out...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 27, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Terminal Services for administration
RE: [ActiveDir] Terminal Services for administration????
Return Receipt: Your document "RE: [ActiveDir] Terminal Services for administration" was received by Ryan McDonald/bankersbank at 05/27/2004 10:49:52 AM.
[ActiveDir] linked server error in SQL/AD query
I'm trying to use the OLE DB provider to link AD to SQL Server to run some ad hoc queries. It's returning an error:

    Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
    An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'.
    OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, and I'm using the exact same syntax as the query they say works (as far as I can tell). After executing my sp_addlinkedserver statement, which works fine, I run the following:

    SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
[ActiveDir] Manual DC removal EventID
Good morning, Some days ago I had to manually remove a dead Win2000 DC from our network, according to Q216498 and http://www.winnetmag.com/Article/ArticleID/13414/13414.html. Removal seemed OK. Today I got the following event in my log. I believe it's an expected warning; however, I'd just want to make sure that there's nothing to be concerned about. Thanks all, Alex

    Event Type: Information
    Event Source: NTDS KCC
    Event Category: (1)
    Event ID: 1272
    Date: 27/05/2004
    Time: 10.59.52
    User: N/A
    Computer: RMD01
    Description:
    No nTDSConnection object exists for inbound replication from server CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local. The partition CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.
RE: [ActiveDir] Password set and enable account
Below is a quick and dirty perl script to do it, to give the perl viewpoint for anyone wondering, hey, how do I do this in perl. :o)

You will feed it the following command line args:

    input file name.    This is a file which has one id per line like joe\joeuser
    output file name.   This is where you want details sent
    base pwd length.    How long is the shortest password? (i.e. min password length)
    random pwd length.  How many possible random characters to add to base (i.e. max password length)

You only have to feed it the input file name and it will dump to console and use defaults of 8 and 6 for the other options.

Note the password character sets are manipulated down in the GeneratePassword routine. The default sets are

    @sets[0]="abcdefghijkmnpqrstuvwxyz";
    @sets[1]="ABCDEFGHJKLMNPQRSTUVWXYZ";
    @sets[2]="23456789";
    @sets[3]="-+~*%$#!";

The script will build a password (length allowing) of at least one character from every set. It will then randomly pick from the sets and add new characters until it reaches the specified password length. You can remove sets if you would like. Say you don't want set 3, you simply delete that line or comment it. If you don't want set 0, delete or comment it and renumber the other sets. Note that I do not use lowercase l (ell) and the number 1 (one). This is because they can be confused in many fonts.

If you wanted all IDs to have a password length of 6 you would do something like

    bulkpwdrst infile outfile 6 0

Here is an example run

    ___TEST.TXT___
    joe\joeuse
    joe\joeuser
    joe\joeuser
    joe\joeuser
    joe\joeuser
    joe\joeuser
    joe\joeuser
    joe\joeuser
    joe\joeuser

    ___SCREEN SHOT___
    [Thu 05/27/2004 10:56:55.90]F:\DEV\Perl\PwdRst>bulkpwdrst test.txt test.out

    BulkPwdRst V01.00.00pl Joe Richards ([EMAIL PROTECTED]) May 2004

    Password BaseLength: 8
    Password MaxLength : 14
    Processing joe\joeuse...
    ERROR: Couldn't translate joe\joeuse
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...
    Processing joe\joeuser...

    [Thu 05/27/2004 10:57:00.80]F:\DEV\Perl\PwdRst>

    ___TEST.OUT___
    ERROR: Couldn't translate joe\joeuse
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to gA8*8j7-L+E29
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to qL5**2yRa3
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to gR7!2C66N79f
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to rW7%KHfkD!V
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to aZ4~wz7UF6~n3
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to rC5*iuUP
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to bR9+~wL!6*ec
    Resetting joe\joeuser (CN=joeuser,CN=Users,DC=joe,DC=com) to sP2%T!*7*

    #*                                                        *#
    #* BulkPwdRst                                             *#
    #*========================================================*#
    #* Author : Joe Richards ([EMAIL PROTECTED])              *#
    #* Version: V01.01.00                                     *#
    #* Modification History:                                  *#
    #*   V01.00.00 2004.05.27 joe Original Version            *#
    #*--------------------------------------------------------*#
    #* This file is a PERL script that resets passwords.      *#
    #*--------------------------------------------------------*#
    #* Notes:                                                 *#
    #*                                                        *#

    use Win32::OLE;
    use Win32::OLE::Enum;

    $infile     = shift;
    $outfile    = shift;
    $baselength = (shift or 8);
    $randlength = (shift or 6);

    $quiet    = 0;
    $randinit = 0;

    print "\nBulkPwdRst V01.00.00pl Joe Richards ([EMAIL PROTECTED]) May 2004\n\n";

    if (!$infile) { DisplayUsage() };
    open ifh, "$infile" or die("ERROR: Couldn't open input file: $infile - $!\n");

    print "Password BaseLength: $baselength\n";
    print "Password MaxLength : ", $baselength + $randlength, "\n";
    if (!$outfile) {
        print "Writing output to Console...\n";
        $outfile = "CON:";
        $quiet   = 1;
    } else {
        $outfile = "$outfile";
    };
    open ofh, ">$outfile" or die("Error: Couldn't open output file: $outfile - $!\n");

    foreach $thisid (<ifh>) {
        chomp $thisid;
        next unless $thisid;
        if (!$quiet) { print "Processing $thisid...\n" };
        $userdn = TranslateNT4Name($thisid);
        if (!$userdn) {
            if (!$quiet) { print "ERROR: Couldn't translate $thisid\n" };
            print ofh "ERROR: Couldn't translate $thisid\n";
            next;
        }
        $password = GeneratePassword($thisid, $baselength, $randlength);
        print ofh "Resetting $thisid ($userdn) to $password\n";
        $o = Win32::OLE->GetObject("LDAP://$userdn");
        $lasterror = Win32::OLE->LastError();
        if ($lasterror) {
            print ofh "$lasterror\n";
        } else {
            $o->SetPassword($password);
            $lasterror = Win32::OLE->LastError();
            if ($lasterror) { print ofh "$lasterror\n" }
        }
    }
    exit;

    sub DisplayUsage {
        print "Usage: BulkPwdRst infile [outfile [baselength [randomlength]]]\n";
        print "
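The bulk reset done with the ActiveDirectory cmdlets, added as an example to go with Douglas's VBScript and joe's Perl above; it is not code from either of them. It keeps joe's four character sets and his "at least one from every set, then fill up" rule, but draws every character from the Windows CSPRNG rather than from Rnd/rand() (both are seeded from the clock and are predictable, which matters when 3200 passwords are generated in one run), shuffles the result so the first characters do not betray the set order, forces a change at next logon so the generated value is only ever a one-time password, and passes the password to AD as a SecureString rather than on a command line where dsmod -pwd would expose it to anyone who can list processes. The input format (one sAMAccountName per line), the output path and the defaults are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and an
# input file with one sAMAccountName per line; output path and defaults are assumed.
param(
    [Parameter(Mandatory = $true)][string]$InputFile,
    [string]$OutFile   = '.\pwreset.csv',
    [int]$BaseLength   = 8,        # minimum length, as in joe's script
    [int]$RandLength   = 6         # up to this many extra random characters
)
Import-Module ActiveDirectory

# Same sets as joe's defaults: no l/1/O/0, which are easy to misread when printed.
$Sets = @('abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '-+~*%$#!')
$Rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomInt {
    # Uniform integer in 0..($Max-1) from the CSPRNG. Rejection sampling keeps the
    # final modulo from biasing the low values (Rnd / rand() are not suitable here).
    param([int]$Max)
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-Password {
    param([int]$Base, [int]$Rand)
    $length = $Base + (Get-SecureRandomInt -Max ($Rand + 1))
    $chars  = New-Object 'System.Collections.Generic.List[char]'
    # At least one character from every set, length allowing...
    foreach ($set in $Sets) {
        if ($chars.Count -ge $length) { break }
        $chars.Add($set[(Get-SecureRandomInt -Max $set.Length)])
    }
    # ...then fill up from randomly chosen sets.
    while ($chars.Count -lt $length) {
        $set = $Sets[(Get-SecureRandomInt -Max $Sets.Count)]
        $chars.Add($set[(Get-SecureRandomInt -Max $set.Length)])
    }
    # Fisher-Yates shuffle so positions 1-4 are not always lower/upper/digit/symbol.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomInt -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

$results = foreach ($line in Get-Content -Path $InputFile) {
    $sam = $line.Trim()
    if (-not $sam) { continue }
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        $pw   = New-Password -Base $BaseLength -Rand $RandLength
        Set-ADAccountPassword -Identity $user -Reset `
            -NewPassword (ConvertTo-SecureString -String $pw -AsPlainText -Force)
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # one-time password
        Enable-ADAccount -Identity $user
        [pscustomobject]@{ User = $sam; DN = $user.DistinguishedName; Password = $pw; Status = 'OK' }
    } catch {
        [pscustomobject]@{ User = $sam; DN = ''; Password = ''; Status = "ERROR: $($_.Exception.Message)" }
    }
}
$results | Export-Csv -Path $OutFile -NoTypeInformation
Write-Warning "$OutFile holds one-time passwords in clear text: distribute them, then delete it."
```

Set-ADAccountPassword fails (and the row is logged as ERROR) when the generated value does not meet the domain password policy, so a BaseLength below the policy minimum shows up in the output file rather than as a half-enabled account; the same try/catch also catches a sAMAccountName that does not resolve, which is joe's "Couldn't translate" case.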
RE: [ActiveDir] user script
Are these different forests?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

would this script let me add users from domain A to a universal group in domain B?

    Const ADS_PROPERTY_APPEND = 3
    Set objGroup = GetObject _
        ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
              "cn=username2,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
              "cn=username3,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain")
    objGroup.SetInfo

i ran this from task scheduler and got an exit code of 0 (success?), however when i look in the group, these users are not present. do i need to specify a GC for universal groups? and how? should I run the script on a GC? thanks
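The cross-domain membership change done in a way that can be verified, added as an example and not part of Tom's or joe's messages. The point it demonstrates: the member attribute of a group is written on a DC of the domain that holds the group, not on a GC (port 3268 is read-only) and not on whatever DC a serverless LDAP:// bind happens to pick in the script's own domain, so the example resolves the users against a DC of their domain, writes to a writable DC of the group's domain, and then reads the membership back from that same DC instead of trusting the scheduler's exit code. Domain, group and user names are placeholders standing in for the ones in Tom's script, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the thread. Domain, group and user names are placeholders;
# requires the RSAT ActiveDirectory module and runs inside a single forest.
Import-Module ActiveDirectory

$GroupDomain = 'parentdomain.rootdomain'                 # assumed DNS name of the domain holding the group
$UserDomain  = 'childdomain.parentdomain.rootdomain'     # assumed DNS name of the domain holding the users
$GroupName   = 'Universalgroup'
$UserNames   = 'username1', 'username2', 'username3'

# Pick a writable DC in each domain explicitly. Universal group membership is
# replicated to every GC for reading, but the write has to land on a DC that
# holds a writable copy of the group's domain partition.
$groupDC = (Get-ADDomainController -DomainName $GroupDomain -Discover -Writable).HostName[0]
$userDC  = (Get-ADDomainController -DomainName $UserDomain  -Discover -Writable).HostName[0]

$group = Get-ADGroup -Identity $GroupName -Server $groupDC
if ($group.GroupScope -eq 'Global') {
    # Global groups hold principals from their own domain only; universal and
    # domain local groups can hold users from other domains in the forest.
    throw "$GroupName is a global group and cannot hold users from $UserDomain"
}

# Resolve the users in their own domain so the DNs are exact, instead of typing DNs by hand.
$users = @(foreach ($n in $UserNames) { Get-ADUser -Identity $n -Server $userDC })
$dns   = @($users | ForEach-Object { $_.DistinguishedName })

# Same operation as PutEx ADS_PROPERTY_APPEND on "member", sent to the group's own domain.
Set-ADGroup -Identity $group -Add @{ member = $dns } -Server $groupDC

function Test-GroupMembership {
    # Read the member attribute back from the DC the write went to; an exit code of 0
    # from the script host says nothing about whether AD accepted the change.
    param([string]$GroupDn, [string[]]$ExpectedDns, [string]$Server)
    $member = @((Get-ADGroup -Identity $GroupDn -Server $Server -Properties member).member)
    foreach ($dn in $ExpectedDns) {
        [pscustomobject]@{ User = $dn; IsMember = ($member -contains $dn) }
    }
}

Test-GroupMembership -GroupDn $group.DistinguishedName -ExpectedDns $dns -Server $groupDC |
    Format-Table -AutoSize
```

If the users come from a different forest rather than a different domain, the same Set-ADGroup call still works but AD stores each member as a foreignSecurityPrincipal in the group's domain, so the read-back compares against those DNs, not the users' own; that is the case joe's "Are these different forests?" is asking about.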
RE: [ActiveDir] AD and Exchange not sharing.
Sorry on the delay on this... I just wanted to say that RUS is responsible for pulling things into and out of the GAL and updating A.L.'s, etc. If the user objects are in the GAL at all, the RUS has done its job. The client should be calling out to get the rest of the info. Depending on the client version, it will either go through DSPROXY on the Exchange Server or go directly to the GCs.

So if you have a user who isn't showing up in the GAL, look at RUS and/or look at AD replication. If you have a user who shouldn't be showing up in the GAL, look at the RUS and/or look at AD replication. If you have a user who doesn't have all info showing up, chase how it gets that info. Could be a cache issue, could be a data-not-in-AD issue, could possibly be (but not sure how) a DSPROXY issue. If you have an A.L. that isn't displaying users, look at the RUS and/or look at AD replication. If you have an A.L. that isn't displaying some users, look at the RUS (and specifically verify the filter works as expected; and no, looking at the ESM will not tell you if the filter is working as expected) and/or look at AD replication.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 24, 2004 5:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD and Exchange not sharing.

RUS = Recipient Update Service. It runs on one or more of your Exchange servers and is responsible for updating recipients. Specifically, if you see problems with the GAL, it's often the culprit. When you checked the logs, did you check them on the Exchange server that has the RUS? You can find it via ESM in the Recipients | Recipient Update Services node. When you click on whichever one is for your domain that has the user accounts, it will give the properties which will tell you which server hosts it.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

That couldn't be a RUS problem could it? ;)
Sorry, but I don't know what RUS stands for.

Have you checked the logs for the past 24-48 hours? What do you see (Check the Exchange server that has the RUS).
Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

What about topology? Do you have only W2K3 and E2K3 servers?
All of our domain controllers are W2K3, as well as the Exchange servers. File servers are mixed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, May 24, 2004 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Office 2003 running on Windows XP, some using cache and some are not. Domain is running under W2K3 servers, 2k native, with an Exchange 2003 Server. Thanks, S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, May 24, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Hi Steve, What sort of clients are you experiencing the problem with? If the problem clients are using Outlook 2000 in off-line mode or Outlook 2003 in cached mode then it is conceivable that they are configured with the "no details" mode in the download address book options. Maybe you could give us a few more details about the environment (versions, whether it is mixed or native mode, etc.). Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, 24 May 2004 18:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD and Exchange not sharing.
Importance: High

It appears that Exchange and the AD are not syncing information. We have recently discovered that, under the global address list (displayed in Outlook), user name properties, the address, phone, etc. are blank, even though in ADUC the address, department, phone are listed. It seems only to be happening for a handful of people. Does anyone know how to fix this? Or what the problem may be? Thanks, S
RE: [ActiveDir] Manual DC removal EventID
Go in sites and services and delete any server objects relating to the deleted server.

BR
Rob

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]
Sent: 27 May 2004 15:53
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual DC removal EventID

Good morning,

Some days ago I had to manually remove a dead Win2000 DC from our network, according to Q216498 and http://www.winnetmag.com/Article/ArticleID/13414/13414.html. Removal seemed ok. Today I got the following event in my log. I believe it's an expected warning, however I'd just want to make sure that there's nothing to be concerned about.

Thanks all
Alex

Event Type: Information
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1272
Date: 27/05/2004
Time: 10.59.52
User: N/A
Computer: RMD01
Description:
No nTDSConnection object exists for inbound replication from server CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local. The partition CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
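An added check, written here in Python and not part of the thread, that parses the Event 1272 description Alex posted and decides whether it is the expected residue of a DC removed on purpose: the event counts as expected only when the server named in the deleted RDNs is on the list of DCs you removed, both its NTDS Settings and server objects carry a DEL: tombstone marker, and the NTDS Settings GUID matches the _msdcs CNAME label the KCC tried to use. A live NTDS Settings object with no inbound connection would instead be a real topology gap. The event text is copied from the post; the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Description text of the NTDS KCC Event ID 1272 as quoted in the thread
# (constructed copy; the DNs and GUIDs are the ones Alex posted).
EVENT_1272 = (
    "No nTDSConnection object exists for inbound replication from server "
    "CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,"
    "CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,"
    "CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local "
    "at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local. "
    "The partition CN=Schema,CN=Configuration,DC=acs,DC=local "
    "is no longer replicated from it."
)

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# A deleted object's RDN keeps its old name followed by "DEL:<objectGUID>";
# the archive renders the separator as a space, which this pattern accepts.
DELETED_RDN = re.compile(r"CN=(?P<name>.*?)\s*DEL:(?P<guid>" + GUID + ")")
SERVER_DN = re.compile(r"from server (?P<dn>CN=.*?) at address ")
ADDRESS = re.compile(r"at address (?P<guid>" + GUID + r")\._msdcs\.(?P<forest>[\w-]+(?:\.[\w-]+)*)")
PARTITION = re.compile(r"The partition (?P<dn>CN=.*?) is no longer replicated")


@dataclass
class Kcc1272:
    source_dn: str                 # DN of the NTDS Settings object named as the source
    server_name: str               # server object RDN, e.g. "RMD02"
    dsa_guid: Optional[str]        # objectGUID from the deleted NTDS Settings RDN, if deleted
    server_guid: Optional[str]     # objectGUID from the deleted server RDN, if deleted
    address_guid: str              # GUID label of the _msdcs CNAME the KCC tried to use
    forest_dns: str
    partition: str


def split_rdn(rdn):
    """Return (name, deleted_guid_or_None) for one RDN such as 'CN=RMD02 DEL:<guid>'."""
    rdn = rdn.strip()
    m = DELETED_RDN.fullmatch(rdn)
    if m:
        return m["name"], m["guid"].lower()
    return rdn.split("=", 1)[1], None


def parse_event_1272(description):
    """Pull the source DSA, its server, the CNAME label and the partition out of the text."""
    src = SERVER_DN.search(description)
    addr = ADDRESS.search(description)
    part = PARTITION.search(description)
    if not (src and addr and part):
        raise ValueError("not a recognisable KCC event 1272 description")
    rdns = [split_rdn(r) for r in src["dn"].split(",")]   # no escaped commas expected here
    (dsa_name, dsa_guid), (server_name, server_guid) = rdns[0], rdns[1]
    if dsa_name.lower() != "ntds settings":
        raise ValueError("unexpected leading RDN %r" % dsa_name)
    return Kcc1272(src["dn"], server_name, dsa_guid, server_guid,
                   addr["guid"].lower(), addr["forest"], part["dn"])


def assess_event_1272(description, removed_dcs):
    """Classify the event. It is the expected residue of a manual metadata cleanup
    only when the named server is one we removed on purpose and both its NTDS
    Settings and server objects are tombstoned; anything else deserves a look."""
    ev = parse_event_1272(description)
    findings = []
    if ev.server_name.upper() not in {d.upper() for d in removed_dcs}:
        findings.append("names server %s, which is not on the removed-DC list" % ev.server_name)
    if ev.dsa_guid is None:
        findings.append("NTDS Settings object is still live: a working DC has no inbound connection")
    elif ev.dsa_guid != ev.address_guid:
        findings.append("deleted NTDS Settings GUID differs from the _msdcs CNAME label")
    if ev.server_guid is None:
        findings.append("server object %s was not deleted with its NTDS Settings" % ev.server_name)
    verdict = "expected" if not findings else "investigate"
    return verdict, ev, findings


if __name__ == "__main__":
    verdict, ev, findings = assess_event_1272(EVENT_1272, ["RMD02"])
    print(verdict, ev.server_name, ev.partition, findings)
```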
RE: [ActiveDir] AD and Exchange not sharing.
I agree with Deji. These slow your server down considerably every time it is hit. Personally I think the issue is a stupid one but MS stands behind it. They assume that if the userid is disabled and the user object has mail information the only possible reason is that the mailbox is supposed to be tied to some other userid in some other forest/NT domain. Of course you could NEVER have just a disabled userid. It is fun because you could have normal user admins seriously impacting the functionality of Exchange.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

I know that this is NOT the cause of your current problem, but I strongly advise you to NOT ignore these errors. The more of them you get, the more performance impact your Exchange server sees. See http://support.microsoft.com/?id=278966 on how to fix/prevent the errors. I got a tool (from PSS, I think) called NoMas.exe that goes through AD and associates unassociated disabled accounts appropriately. Next time you speak with PSS, mention your Event ID 9548 problem to them and request that they give you something like NoMas.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Mon 5/24/2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and Exchange not sharing.

That couldn't be a RUS problem could it? ;)

Sorry, but I don't know what RUS stands for.

Have you checked the logs for the past 24-48 hours? What do you see (Check the Exchange server that has the RUS).

Yes, I have checked the logs and there are only errors for disabled accounts that have not been deleted.

What about topology? Do you have only W2K3 and E2K3 servers?

All of our domain controllers are W2K3, as well as the Exchange servers. File servers are mixed.
RE: [ActiveDir] Imaged Computers
Exactly, you can. SYSPREP is driven by a configuration file.

From: Chris Blair [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Imaged Computers
Date: Wed, 26 May 2004 09:56:07 -0500

Our testing group is imaging computers for testing. The problem is with the computer object and the SID. The PC was imaged as a member of our Domain. So when it is re-imaged the computer passwords are not synced. The only way I have found to fix this is delete the computer object, remove the computer from the domain, and add it back again. So I am trying to figure out a better way to do this.

If I use SYSPREP before the image is created, will I still need to add the PC to the domain or can the image then be created with the computer as a domain member? My other thought is creating an OU and giving them rights to add/remove computers from there only. Is that a good idea? I have not had much luck with NETDOM on the computer in question. But I believe that is due to the mixed up SIDs and computer passwords. If I use the SYSPREP, should I be able to use NETDOM to add the computer to the domain without physically being there?
RE: [ActiveDir] linked server error in SQL/AD query
Mark,

I tried your SQL statement with a linked server and it works perfectly. What account are you running the linked server as? Our experience is that if you change the account information used for the linked server, you should delete it, create a new one and set the account info before you hit the OK button to get the best result.

Hope that this tiny information can help you.

Regards,
/MS

By the way: W2k SP3, SQL 2000 SP3 was used

From: Creamer, Mark
Sent: Thu 2004-05-27 16:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] linked server error in SQL/AD query

I'm trying to use the OLEDB provider to link AD to SQL server to run some ad hoc queries. It's returning an error:

Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'.
OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, but I'm using the exact same syntax as the query they say works (as far as I can tell). After executing my sp_addlinkedserver statement, which works fine, I run the following:

SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
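To show where the doubled quotes in Mark's statement come from, here is an added Python helper (mine, not code from the thread) that generates the T-SQL for both syntaxes the ADSDSOObject provider accepts: the SQL dialect Mark used, where the whole ADSI query is itself a string literal inside the T-SQL literal, and the LDAP dialect, where a search filter value is escaped per RFC 4515 before the command is quoted for T-SQL, so a value taken from a user can never change the filter's structure. The linked server name ADSI and the LDAP path are the ones from the post; the function names are mine.

```python
def tsql_literal(text):
    """Quote text as a T-SQL string literal: every embedded ' is doubled."""
    return "'" + text.replace("'", "''") + "'"


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter, so a
    supplied name such as "*)(objectClass=*" cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def openquery_sql_dialect(linked_server, ldap_path, where_attr, where_value, attributes):
    """The form used in the thread. The ADSI query is a string inside the T-SQL
    string, which is why every quote around the ADsPath and the WHERE value
    appears doubled in the final statement. Values containing a quote are
    refused rather than escaped; use the LDAP dialect for those."""
    if "'" in where_value or "'" in ldap_path:
        raise ValueError("quote characters are not supported in the SQL dialect here")
    inner = "SELECT %s FROM '%s' where %s = '%s'" % (
        ", ".join(attributes), ldap_path, where_attr, where_value)
    return "SELECT * FROM OpenQuery(%s, %s)" % (linked_server, tsql_literal(inner))


def openquery_ldap_dialect(linked_server, ldap_path, filter_terms, attributes, scope="subtree"):
    """The provider's other syntax: '<ADsPath>;(filter);attr,attr;scope'.
    filter_terms is a list of (attribute, raw_value) pairs ANDed together."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError("scope must be base, onelevel or subtree")
    terms = "".join("(%s=%s)" % (a, ldap_filter_escape(v)) for a, v in filter_terms)
    ldap_filter = "(&%s)" % terms if len(filter_terms) > 1 else terms
    command = "<%s>;%s;%s;%s" % (ldap_path, ldap_filter, ",".join(attributes), scope)
    return "SELECT * FROM OPENQUERY(%s, %s)" % (linked_server, tsql_literal(command))


if __name__ == "__main__":
    attrs = ["sAMAccountName", "givenName", "sn", "physicalDeliveryOfficeName"]
    path = "LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here"
    print(openquery_sql_dialect("ADSI", path, "objectClass", "User", attrs))
    print(openquery_ldap_dialect("ADSI", path,
                                 [("objectCategory", "person"), ("sAMAccountName", "o'brien")],
                                 ["sAMAccountName", "sn"]))
```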
[ActiveDir] Forest Integrated DNS Question
Hi List

I have been lurking for about a year and have pulled a lot of knowledge and information from the list - thank you all. I do have a specific issue I wanted some opinions on regarding DNS.

Our current configuration is a 10 domain AD 2003 functional forest, with 1 empty root and 9 child domains. We have about 100 domain controllers between the domains that are in about 85 sites (in other words, except for a few hub sites most locations have only 1 DC). The majority of the sites have 50 or more users with link speeds below 256kbs. There are 3 DCs in the empty root.

Currently we have DNS on every domain controller - partly due to the slow link speeds and partly due to the unreliability of a lot of the links. Every server has a primary zone that is AD integrated for its own domain, and a secondary zone for the root domain. The zone transfers were left at the default - every 15 minutes. This has led to 3 issues that have just started cropping up.

1) The root DC DNS servers are starting to be overwhelmed with requests, and some of the zone transfers are failing due to lack of resources.

2) Occasionally we will have a link go down for long enough to make the secondary zone stale. The DC then has problems getting a new copy of the zone, and cannot replicate properly until it gets the updated zone. This issue seems to have gone away since we went to 2K3.

3) We have a security issue at the root. Our 3 root DCs are set to allow transfers to anybody - a relatively insecure setup. We have looked at only allowing transfers to specific partners but with over 100 DCs now, and another 400 to come online in the next 2 years, the management of this list would become a full time position.

The solution we are looking at is a forest integrated root zone. Microsoft does suggest making the msdcs zone forest integrated - which would help some. We also have a number of users that log in cross domain, and they need to look up the delegation records to find the name servers for the other domains to either authenticate, or to access resources cross domain (i.e. we have a number of sharepoint sites in different resources that are accessible by users in all domains). With a full forest integrated root zone we should be able to solve the zone transfer problem, the unreliable link problem, and the security issue. It also should allow users to make a cross domain request on their local DC without the query going to the root to find the delegation records - decreasing network traffic.

We have run our test forest this way (20 DCs in 10 domains with 2 in the root) for 3 months with no problems. Anybody have any comments? Is anybody else doing this? Can anybody see a potential flaw in the plan?

Thank you in advance;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]
RE: [ActiveDir] Manual DC removal EventID
I believe I already did it, I followed the article step-by-step. That's why I was worried I might have forgotten something. I'll have another check tomorrow, now I am out of office.

Thank you.

Go in sites and services and delete any server objects relating to the deleted server.

BR
Rob
RE: [ActiveDir] linked server error in SQL/AD query
Mikael,

I wonder if I can get a little clarification. When you say what account am I running the linked server as, maybe I made an assumption about how it should work. What I did was log in to a test SQL server using the Query Analyzer on my own system. I used Windows Authentication to gain access to that server, then ran the sp_addlinkedserver. So I guess I ran the linked server as me. Is that what you're pointing to?

Thanks a lot for your help on this!

mc

-Original Message-
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query
[ActiveDir] strange error on logon
I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file /idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] user script
No. Same forest, 2 diff. domains, child to root.

I read in Robbie Allen's book (AD Cookbook) that the memberOf attribute will only list the user's domain, not other domains. Is this the issue? Do I need access to a GC to do this? Do I need to use member? How does one manipulate info on a GC? Do I need to run a script as local system on a DC? Is this possible? Is universal groups the problem?

A lot of questions, I know. Sorry.

thanks

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script

Are these different forests?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 4:44 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user script

Would this script let me add users from domain A to a universal group in domain B?

    Const ADS_PROPERTY_APPEND = 3
    Set objGroup = GetObject _
        ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
              "cn=username2,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net", _
              "cn=username3,ou=ouname,dc=childdomain,dc=parentdomaint,rootdomain=net")
    objGroup.SetInfo

I ran this from task scheduler and got an exit code of 0 (success?), however when I look in the group, these users are not present. Do I need to specify a GC for universal groups? And how? Should I run the script on a GC?

thanks
[ActiveDir] Exchange 2003 SP1
Has anyone installed SP1 for Exchange 2003? Did you have any problems, quirkiness or issues on your Exchange server, domain or the Active Directory? I am just looking for some input.

Thanks,
S
[ActiveDir] NTDS perf counters
We have some DCs in locations that probably no longer justify a local DC. I'm trying to do some quantitative analysis to see just how busy the DC is in those locations. I'd like to dcpromo some of them down if possible so the boxes can be used as member servers. The business wants to install IIS on some of them for some training application, and I don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC. Problem is, I don't fully understand what I should be looking for. These sites should be all Win2K workstations, but there may still be some NT4 workstations. The DC is the only server in these sites. I thought I'd look at the following:

DS Directory Reads/sec
DS Directory Searches/sec
DS Directory Writes/sec
KDC AS Requests
KDC TGS Requests
NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my purpose is basically to find out how heavily the DC is being used in that site. Any others I should consider? Any pointers to good resources on this topic? Most of what I find just gives a one-line description of the counters, without telling me what to look for.

Dave Fugleberg
RE: [ActiveDir] user script
OK, the reason I thought that was the way the DNs were specified below.

memberOf is a funny attribute; first off it is a link to the group attribute member. Depending on what port and machine you query in a multidomain environment, you could get different responses as it is based on what group memberships are kept on that DC, versus anything else. For instance if you query memberOf on a GC of domain1 for user domain2\user you will see the user's group memberships from domain1 and any universal groups he/she is in.

You will want to bind to the universal group in whatever domain it lives in. You can't write to a GC so don't worry about the GC aspect for the update, just do your LDAP:// bind to the group object and you are where you need to be to update. Now that that is done, you do the update. Now assuming the DNs you specify for the user are correct, I would expect this script to work fine. Run it from the regular command line and get AT out of it and make sure it works normally. Depending on where you look, it may take a bit for the membership to show up. Also if you are looking at the group with ADUC and this is 2003, watch out, you may be getting bit by a bug (MS feature) where by default they hide the Uni group membership from other domains to be consistent in case you look on a NON-GC DC. Best thing to do to check membership would be to use a good ol' command line tool to look at the group on a DC that hosts the group... Something like this might work:

    adfind -b cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain -s base -f * member

Like for example:

    [Thu 05/27/2004 13:37:41.19] F:\DEV\Perl\PwdRst>adfind -b "cn=schema admins,cn=users,dc=joe,dc=com" -s base -f * member

    AdFind V01.15.00cpp Joe Richards ([EMAIL PROTECTED]) April 2004

    Using server: 2k3dc01.joe.com

    dn:cn=schema admins,cn=users,dc=joe,dc=com
    member: CN=$jricha34,CN=Users,DC=joe,DC=com
    member: CN=Administrator,CN=Users,DC=joe,DC=com

    1 Objects returned

    [Thu 05/27/2004 13:44:27.63] F:\DEV\Perl\PwdRst>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] user script
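To make joe's explanation concrete, here is an added Python model (mine, not code from joe or Tom) of which memberships a given DC can report for Tom's child-domain user: a DC holds the member attribute of every group in its own domain, and a GC additionally holds it for universal groups from every domain, so memberOf read on a GC in the parent shows the parent-domain groups plus universal groups but never the child domain's global groups, and a non-GC DC of the parent does not hold the user object at all. The model also encodes that membership changes go over an LDAP (port 389) bind to a DC of the group's own domain, never to the read-only GC port. The two domains and Universalgroup come from Tom's script; the other group names are constructed.

```python
from dataclasses import dataclass

LDAP_PORT, GC_PORT = 389, 3268


@dataclass(frozen=True)
class Group:
    dn: str
    scope: str            # "universal", "global" or "domainlocal"
    members: frozenset    # forward link: DNs stored in the group's member attribute


def domain_of(dn):
    """Naming context a DN belongs to: everything from the first dc= component."""
    return dn[dn.lower().index("dc="):]


# Constructed forest: the two domains from Tom's script, one user, four groups.
PARENT = "dc=parentdomain,dc=rootdomain"
CHILD = "dc=childdomain," + PARENT
USER1 = "cn=username1,ou=ouname," + CHILD
FOREST = [
    Group("cn=Universalgroup,cn=Users," + PARENT, "universal", frozenset({USER1})),
    Group("cn=ParentLocal,cn=Users," + PARENT, "domainlocal", frozenset({USER1})),
    Group("cn=ChildGlobal,cn=Users," + CHILD, "global", frozenset({USER1})),
    Group("cn=ChildUniversal,cn=Users," + CHILD, "universal", frozenset({USER1})),
]


def holds_member_attribute(group, dc_domain, is_gc):
    """A DC stores member for every group of its own domain (full replica); a GC
    also stores it for universal groups of other domains (partial replica).
    Global and domain-local membership of other domains is not in the GC."""
    return domain_of(group.dn) == dc_domain or (is_gc and group.scope == "universal")


def member_of(user_dn, dc_domain, is_gc, groups=FOREST):
    """What memberOf (the back-link of member) looks like when read on a DC of
    dc_domain. None means the DC does not hold the user object at all, which
    an LDAP client sees as a referral rather than an attribute."""
    if domain_of(user_dn) != dc_domain and not is_gc:
        return None
    return sorted(g.dn for g in groups
                  if holds_member_attribute(g, dc_domain, is_gc) and user_dn in g.members)


def can_update_membership(group, dc_domain, port):
    """Membership changes must go over LDAP (389) to a writable DC of the group's
    own domain; the GC port is read-only, and another domain's DC has no
    writable copy of the group."""
    return port == LDAP_PORT and domain_of(group.dn) == dc_domain


if __name__ == "__main__":
    print("child DC, not GC :", member_of(USER1, CHILD, is_gc=False))
    print("parent DC, not GC:", member_of(USER1, PARENT, is_gc=False))
    print("parent GC        :", member_of(USER1, PARENT, is_gc=True))
    print("write via GC port:", can_update_membership(FOREST[0], PARENT, GC_PORT))
```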
RE: [ActiveDir] NTDS perf counters
Great question! And your approach is solid. I'd probably encourage you to take a slightly different direction in terms of coming to the answer. The answer isn't as much how busy is this DC so much as it probably is what is the user impact if we remove this dc. That is, we want to know user impact vs. cost of removing DC, not so much what is the DC doing (although you do want to have some understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:

1) Measure what this DC is doing
   a) How busy is it and what is it doing (understand what it does today)
   b) Do my DCs elsewhere have the excess capacity to service the requests they will see if this DC is removed
2) Measure user impact on removing DC
   a) If user requires DC/GC connectivity over the wan, is latency acceptable?
   b) Are centralized DCs performant enough to service additional requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is from network performance. That is, I perform an action, and the response is slow as the network has an RTT of X ms and that is unacceptably slow. That's something I would personally get a handle on before I yank DCs out of the remote site. That could be ldap performance, authentication, name resolution, etc.

In terms of specific counters, I think you have some solid metrics below. I would also encourage you to measure perf on the DCs that would pick up the load should you remove the DCs in question (in AD speak, you'd say the DCs that would cover this DC-less site). That is equally important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD substantially faster and more scalable and you can truly do more with less. I hope you don't take this as a sales pitch, I really don't mean it as such. Rather, I'd just point out that if you have some DCs that are very busy and you want to get a bit more bang for your buck out of those same # of servers, the 2k03 upgrade might be helpful there. QP is faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd really like to continue should you see value in doing so. I hope this has added some value in your thinking so far, so let's see where else I might be able to add some thoughts. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local DC. I'm trying to do some quantitative analysis to see just how busy the DC is in those locations. I'd like to dcpromo some of them down if possible so the boxes can be used as member servers. The business want to install IIS on some of them for some training application, and I don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC. Problem is, I don't fully understand what I should be looking for. These sites should be all Win2K workstations, but there may still be some NT4 workstations. The DC is the only server in these sites. I thought I'd look at the following:

   DS Directory Reads/sec
   DS Directory Searches/sec
   DS Directory Writes/sec
   KDC AS Requests
   KDC TGS Requests
   NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my purpose is basically to find out how heavily the DC is being used in that site. Any others I should consider ? Any pointers to good resources on this topic ? Most of what I find just gives a one-line description of the counters, without telling me what to look for.

Dave Fugleberg
RE: [ActiveDir] linked server error in SQL/AD query
Anytime ;-) Glad that I could help you

/MS

From: Creamer, Mark
Sent: Thu 2004-05-27 20:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mikael, that worked perfectly. What a huge help this is going to be. Thanks for your advice!!

mc

-----Original Message-----
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 2:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mark,

Delete the linked server. Create a new linked server using the Enterprise Manager. Name it and choose datasource. In tab Security, try "Be made using this security context" and enter domain\username and password. Run your script in Query Analyzer.

Regards,
/MS

From: Creamer, Mark
Sent: Thu 2004-05-27 18:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mikael, I wonder if I can get a little clarification. When you say what account am I running the linked server as maybe I made an assumption about how it should work. What I did was log in to a test SQL server using the Query Analyzer on my own system. I used Windows Authentication to gain access to that server, then ran the sp_addlinkedserver. So I guess I ran the linked server as me. Is that what you're pointing to? Thanks a lot for your help on this!

mc

-----Original Message-----
From: Mikael Svennungsson [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] linked server error in SQL/AD query

Mark,

I tried your SQL-statement with a linked server and it works perfectly. What account are you running the linked server as? Our experience is that if you change the account information used for the linked server, you should delete it, create a new one and set the account info before you hit the OK-button to get best result. Hope that this tiny information can help you.

Regards,
/MS

By the way: W2k Sp3, SQL 2000 sp3 was used

From: Creamer, Mark
Sent: Thu 2004-05-27 16:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] linked server error in SQL/AD query

I'm trying to use the OLEDB provider to link AD to SQL server to run some ad hoc queries. It's returning an error:

   Server: Msg 7321, Level 16, State 2, Procedure vw_AD_USER_INFO, Line 4
   An error occurred while preparing a query for execution against OLE DB provider 'ADSDSOObject'.
   OLE DB error trace [OLE/DB Provider 'ADSDSOObject' ICommandPrepare::Prepare returned 0x80040e14].

There are numerous articles on this error, but they all seem to indicate syntax, but I'm using the exact same syntax as the query they say works (as far as I can tell). After executing my sp_addlinkedserver statement, which works fine, I run the following:

   SELECT * FROM OpenQuery(ADSI, 'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName FROM ''LDAP://cn=users,dc=iput,dc=myrealdomain,dc=here'' where objectClass = ''User''')

That's when I get the above error. Just thought I'd check to see if anyone else has had success with this. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
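The recreate-with-an-explicit-context fix Mikael describes, scripted instead of clicked through Enterprise Manager, as an added example that is not from the thread or from any of its posters. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a SQL instance that has sys.servers (2005 or later; the thread's SQL 2000 used sysservers), a sysadmin login for the person running it, and a dedicated read-only AD account for the linked server; the instance name and the account are placeholders, the LDAP base DN is the one Mark posted.

```powershell
# Added example (not from the thread): rebuild the ADSI linked server so it
# authenticates with a fixed, least-privilege AD account rather than with
# whatever Windows token the caller happens to hold in Query Analyzer.
Import-Module SqlServer

$instance = 'SQLTEST01'                                   # assumed placeholder
$cred     = Get-Credential -Message 'Read-only AD account for the linked server'
$user     = $cred.UserName                                # e.g. CORP\svc-adread (placeholder)
$pass     = $cred.GetNetworkCredential().Password
$baseDn   = 'cn=users,dc=iput,dc=myrealdomain,dc=here'   # base DN from Mark's query

# The password ends up inside a T-SQL string literal, so double any quote in it.
$passSql = $pass.Replace("'", "''")

$setup = @"
-- Drop the old definition first, as Mikael advised: changing the login on an
-- existing linked server does not reliably take effect.
IF EXISTS (SELECT 1 FROM sys.servers WHERE name = N'ADSI')
    EXEC sp_dropserver @server = N'ADSI', @droplogins = 'droplogins';

EXEC sp_addlinkedserver
    @server     = N'ADSI',
    @srvproduct = N'Active Directory Service Interfaces',
    @provider   = N'ADSDSOObject',
    @datasrc    = N'adsdatasource';

-- @useself = 'false' is the "Be made using this security context" option
-- in the Security tab; @locallogin = NULL applies it to every local login.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'ADSI',
    @useself     = 'false',
    @locallogin  = NULL,
    @rmtuser     = N'$user',
    @rmtpassword = N'$passSql';
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $setup

# Mark's original query, now running under the fixed security context.
$query = @"
SELECT * FROM OPENQUERY(ADSI,
  'SELECT sAMAccountName, givenName, sn, physicalDeliveryOfficeName
   FROM ''LDAP://$baseDn'' WHERE objectClass = ''User''')
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $query | Format-Table -AutoSize
```

Using a dedicated account with read-only rights on the users container keeps the linked server from inheriting whatever each SQL login could otherwise do in the directory, and it makes the AD access auditable under one identity.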
RE: [ActiveDir] NTDS perf counters
I knew ~Eric would be all over this thread...

The thing I would add would be is the DC also a DNS and/or WINS Server. If so, take those things into account for WAN traffic.

What you may want to do is force coverage of the site from the site you think will pick up the requests once this DC goes away and then do a one or two day test to see how it goes. Basically you will set up the coverage (multiple ways to do this, both via modifying registries and making your own DNS entries) and then shut down the DC so the other DC(s) take the coverage. You can't just shut off the DC as the site coverage won't automatically switch to the proper set of DCs, what will happen is any DC in the domain will be used. And with Murphy running around, it will always be the least wanted DC that does it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Great question! And your approach is solid. I'd probably encourage you to take a slightly different direction in terms of coming to the answer. The answer isn't as much how busy is this DC so much as it probably is what is the user impact if we remove this dc. That is, we want to know user impact vs. cost of removing DC, not so much what is the DC doing (although you do want to have some understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:

1) Measure what this DC is doing
   a) How busy is it and what is it doing (understand what it does today)
   b) Do my DCs elsewhere have the excess capacity to service the requests they will see if this DC is removed
2) Measure user impact on removing DC
   a) If user requires DC/GC connectivity over the wan, is latency acceptable?
   b) Are centralized DCs performant enough to service additional requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is from network performance. That is, I perform an action, and the response is slow as the network has an RTT of X ms and that is unacceptably slow. That's something I would personally get a handle on before I yank DCs out of the remote site. That could be ldap performance, authentication, name resolution, etc.

In terms of specific counters, I think you have some solid metrics below. I would also encourage you to measure perf on the DCs that would pick up the load should you remove the DCs in question (in AD speak, you'd say the DCs that would cover this DC-less site). That is equally important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD substantially faster and more scalable and you can truly do more with less. I hope you don't take this as a sales pitch, I really don't mean it as such. Rather, I'd just point out that if you have some DCs that are very busy and you want to get a bit more bang for your buck out of those same # of servers, the 2k03 upgrade might be helpful there. QP is faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd really like to continue should you see value in doing so. I hope this has added some value in your thinking so far, so let's see where else I might be able to add some thoughts. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local DC. I'm trying to do some quantitative analysis to see just how busy the DC is in those locations. I'd like to dcpromo some of them down if possible so the boxes can be used as member servers. The business want to install IIS on some of them for some training application, and I don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC. Problem is, I don't fully understand what I should be looking for. These sites should be all Win2K workstations, but there may still be some NT4 workstations. The DC is the only server in these sites. I thought I'd look at the following:

   DS Directory Reads/sec
   DS Directory Searches/sec
   DS Directory Writes/sec
   KDC AS Requests
   KDC TGS Requests
   NTLM Authentications

I purposely left out the DSA counters regarding replication, etc., as my purpose is basically to find out how heavily the DC is being used in that site. Any others I should consider ? Any pointers to good resources on this topic ? Most of what I find just gives a one-line description of the counters, without telling me what to look for.

Dave Fugleberg
RE: [ActiveDir] strange error on logon
I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

   Cannot find the file /idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] Manual DC removal EventID
I would say the DC is simply telling you it is cleaning up its topology, as long as you went through and did the proper cleanup procedures I wouldn't be worried.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Thursday, May 27, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual DC removal EventID

Good morning,

Some days ago I had to manually remove a dead Win2000 DC from our network, according to Q216498 and http://www.winnetmag.com/Article/ArticleID/13414/13414.html. Removal seemed ok. Today I got the following event in my log. I believe it's an expected warning, however I'd just want to make sure that there's nothing to be concerned about.

Thanks all
Alex

   Event Type: Information
   Event Source: NTDS KCC
   Event Category: (1)
   Event ID: 1272
   Date: 27/05/2004
   Time: 10.59.52
   User: N/A
   Computer: RMD01
   Description: No nTDSConnection object exists for inbound replication from server CN=NTDS Settings DEL:b02867ed-f892-474b-b7bc-a1c15399333b,CN=RMD02 DEL:b0c96017-b5ab-4145-84e8-f6c7d2970db5,CN=Servers,CN=Acs-SG,CN=Sites,CN=Configuration,DC=acs,DC=local at address b02867ed-f892-474b-b7bc-a1c15399333b._msdcs.acs.local. The partition CN=Schema,CN=Configuration,DC=acs,DC=local is no longer replicated from it.
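A way to confirm joe's condition ("as long as you did the proper cleanup") rather than assume it, as an added example that is not from the thread: the DEL: objects in Alex's event are tombstones and are expected, so the check looks only for live objects and connections that still name the removed DC. It is written for the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later for Get-ADReplicationConnection); the DC name RMD02 is taken from the event text and the surviving DC's name is a placeholder.

```powershell
# Added example (not from the thread): after metadata cleanup of a dead DC,
# list anything live that still refers to it. Empty results mean the KCC
# 1272 warning is just the topology settling; non-empty results mean the
# cleanup (ntdsutil metadata cleanup, stale server/connection objects) is
# incomplete and replication will keep trying to reach a DC that is gone.
Import-Module ActiveDirectory

$deadDc = 'RMD02'                                  # name from the 1272 event
$server = 'RMD01'                                  # assumed placeholder: a surviving DC
$cfgNc  = (Get-ADRootDSE -Server $server).configurationNamingContext
$sites  = "CN=Sites,$cfgNc"

# 1. Live server and NTDS Settings objects under CN=Sites that still carry the name
#    (tombstoned copies with DEL:<guid> in the DN are excluded automatically,
#    because deleted objects are not returned without -IncludeDeletedObjects).
$serverObjs = Get-ADObject -Server $server -SearchBase $sites `
    -Filter 'objectClass -eq "server"' |
    Where-Object { $_.Name -ieq $deadDc }
$ntdsObjs = Get-ADObject -Server $server -SearchBase $sites `
    -Filter 'objectClass -eq "nTDSDSA"' |
    Where-Object { $_.DistinguishedName -match "CN=$deadDc," }

# 2. Inbound connection objects on surviving DCs that still pull from it.
$staleConns = Get-ADReplicationConnection -Server $server -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -match "CN=$deadDc," }

# 3. The computer account in the Domain Controllers OU, which metadata
#    cleanup does not remove and which should be deleted by hand.
$computer = Get-ADComputer -Server $server -Filter "Name -eq '$deadDc'"

[pscustomobject]@{
    DeadDC                 = $deadDc
    LeftoverServerObjects  = @($serverObjs).Count
    LeftoverNtdsSettings   = @($ntdsObjs).Count
    StaleInboundConns      = @($staleConns).Count
    ComputerAccountExists  = [bool]$computer
}

# Anything non-zero is worth listing in full so it can be cleaned up.
$serverObjs, $ntdsObjs, $staleConns | Where-Object { $_ } | Format-List DistinguishedName
```

Run it from a workstation or DC that can reach the surviving DC; if the summary is all zeros and false, the warning can be left to age out, otherwise the listed DNs are the objects that still need removing.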
RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe
Blush! First, I belong to another list for Mac admins. On that one you are supposed to post summaries after questions. I obviously posted to the wrong list. That said, thank you for further responses.

As for Danny's point about the home directory issue in the demo: during the web cast on AD integration (at www.macoxlabs.org http://www.macoxlabs.org/ ), I recall that one of the presenters discusses how to get the AD user account home directory to appear as the user's Mac OS home directory (rather than a mounted volume on the desktop).

nme

From: McCann, Danny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

- Can XServe volumes be managed by Active Directory? That is, can you add and XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an active directory domain, and some creative vi'ing on the /etc/smb.conf file to manage authentication via kerberos.

- Would love to hear real-world experiences with the new AD Plug-in for 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4 (due to be released the end of this week) goes a little bit farther. There is still an issue gaining a kerberos ticket if you have a particular set of circumstances, but apple has been notified of the issue and is currently working on the problem.

- I consider some services like RIS to be pretty essential to speeding deployment and recovery in a Windows environment. Are there similar applications or services that require OD for Macs?

Check out netboot for this purpose, it doesn't have any direct hooks into OD and isn't required to do your imaging. http://docs.info.apple.com/article.html?artnum=107912 And download System Imaging Administration

Hi

I attended a demo of all of the above today and everything ran very smoothly. Only issue was that they claimed to be able to map AD user account home directories, by mounting them as share points on the desktop, but couldn't demonstrate this as one of the scripts needed some work. Apparently :) Apple are also looking into a method of accessing DFS from the Mac.

Cheers
Danny
RE: [ActiveDir] W2K SP3 Pro can't login
This may be obvious but I would still be wary of the disk on that machine... Get the vendors low level test tools and run it against the disk to see if it should be replaced.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, May 24, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

It appears that the ADF.sys got corrupted, I copied over from a similar machine and now they can login.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, May 24, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

There were several errors in the system log saying that the ntfrs and other areas of the disk were corrupted. I am thinking it is a bad drive. I am currently running chkdsk /f /r.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

Cool, OK now let them start the Netlogon service and check for exact error and event id. May be he should be a local admin.

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, 24 May 2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

They are able to login locally.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, May 24, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

I am in the midst of having the local person do this. Changing the cable, logging on locally and so forth. I have not heard back yet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K SP3 Pro can't login

Did you try to logon locally?? If this works, you can troubleshoot NETLOGON too. If you are unable to ping, check the problems from PHYSICAL LAYER

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 May 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K SP3 Pro can't login

One of my machines is getting the following errors

   Unable to log you on because the netlogon service is not running on this machine

And I am unable to ping the workstation, however the lights are working on the NIC Card and the switches. I am not in the same location as the PC so I can't sit down in front of it and troubleshoot, I have someone doing it for me that I have to talk thru it with.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission. Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email.
RE: [ActiveDir] strange error on logon
Just a guess. Check the registry on the workstation. That file error throws some hits on the net referring to shell startup. This maybe the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

   HKCR\Folder\shell\rootexplore = "Explore From Here"
   command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

   Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] strange error on logon
Oh yeah, one other thing that is *possible* http://www.jsiinc.com/SUBP/tip7500/rh7557.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

   Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] NTDS perf counters
Thanks for the comments. You're absolutely correct that we're looking for the user impact - knowing the busyness of the DC is just part of the equation. I'm also looking at the number/type of workstations, usage patterns, etc. I intend to track the metrics I mentioned on all DCs (not just the remote DCs) using BMC Patrol. That will give me a basis of comparison and a better feel for how busy the central site DCs are. If I have to add capacity at the central site, so be it.

As far as site coverage goes, we have a hub/spoke topology, and 'spoke' DCs are configured to NOT register domain-wide SRV records, so clients will only find DCs at the hub site. Each spoke site has one site link (to the hub site), and site link transitivity is turned off. Shouldn't that ensure that my DC-less sites are properly covered ?

Finally, we're already on the upgrade path to W2K03 - we've added a few 2K03 DCs to our 2K native-mode domain. The remaining DCs will be upgraded over the next several months.

One thing I will need to address (thanks for the catch, Joe) is the fact that the DCs are also AD-integrated DNS servers, and the clients in those sites are pointed at them for DNS. I could always leave DNS out there sans the AD-integrated zones, or make it a secondary for those zones, but I don't think DNS over the WAN will be a big deal from these sites. I guess I could track how many requests those DNS servers are tackling from clients while I'm at it...

Thanks for the feedback guys !

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Great question! And your approach is solid. I'd probably encourage you to take a slightly different direction in terms of coming to the answer. The answer isn't as much how busy is this DC so much as it probably is what is the user impact if we remove this dc. That is, we want to know user impact vs. cost of removing DC, not so much what is the DC doing (although you do want to have some understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:

1) Measure what this DC is doing
   a) How busy is it and what is it doing (understand what it does today)
   b) Do my DCs elsewhere have the excess capacity to service the requests they will see if this DC is removed
2) Measure user impact on removing DC
   a) If user requires DC/GC connectivity over the wan, is latency acceptable?
   b) Are centralized DCs performant enough to service additional requests while keeping user SLA under control?

With that you can start to make some really solid conclusions.

The largest complaint I've heard from end users in sites without a DC is from network performance. That is, I perform an action, and the response is slow as the network has an RTT of X ms and that is unacceptably slow. That's something I would personally get a handle on before I yank DCs out of the remote site. That could be ldap performance, authentication, name resolution, etc.

In terms of specific counters, I think you have some solid metrics below. I would also encourage you to measure perf on the DCs that would pick up the load should you remove the DCs in question (in AD speak, you'd say the DCs that would cover this DC-less site). That is equally important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD substantially faster and more scalable and you can truly do more with less. I hope you don't take this as a sales pitch, I really don't mean it as such. Rather, I'd just point out that if you have some DCs that are very busy and you want to get a bit more bang for your buck out of those same # of servers, the 2k03 upgrade might be helpful there. QP is faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd really like to continue should you see value in doing so. I hope this has added some value in your thinking so far, so let's see where else I might be able to add some thoughts. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters

We have some DCs in locations that probably no longer justify a local DC. I'm trying to do some quantitative analysis to see just how busy the DC is in those locations. I'd like to dcpromo some of them down if possible so the boxes can be used as member servers. The business want to install IIS on some of them for some training application, and I don't want IIS on my DCs.

I figured I'd track some perfmon stats over time on each DC. Problem is, I don't fully understand what I should be looking for. These sites should be all Win2K workstations, but there may still be some NT4 workstations. The DC
RE: [ActiveDir] strange error on logon
Have you seen:

   824204 You receive an "Error at logon: Cannot find the file..." error message
   http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess. Check the registry on the workstation. That file error throws some hits on the net referring to shell startup. This maybe the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

   HKCR\Folder\shell\rootexplore = Explore From Here
   command = Explorer.exe /e,/root,/idlist,%I

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

   Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
[ActiveDir] OT: Exchange 2003 SP1 documentation
Has anyone managed to find complete documentation of all of the changes made with Exchange 2003 SP1? The release notes fall short of mentioning exactly what updates/changes were made although I have looked briefly and there seems to be more control available to the user through OWA (Options category) and the icons shown in System Manager seem to have been sharpened (:-P). The issue with Exchange services hanging during a shutdown without being stopped beforehand still seems to be a problem so I guess the hopes for a resolve are still "pending". As far as interface changes I can't imagine much more has been changed, but possibly a list of hot fixes which were previously unpublished except maybe to MVP's? Any idea?

Although the package is ~100mb and it did take a few minutes to complete the update procedures which required stopping all Exchange, IIS and related services (including third-party components), all went well.

TIA!
RE: [ActiveDir] strange error on logon
AL, Thank you, Thank you, Thank you!!!

We're in the process of removing a dead SMS 2.0 server and a number of users had smsls.bat as their logon script. I used Hyena to remove the logon, but I must have typed a space into the field instead. I swear though I looked for just /idlist and didn't come up with anything.

Again THANK YOU AL

Thanks,
Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 12:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Oh yeah, one other thing that is *possible* http://www.jsiinc.com/SUBP/tip7500/rh7557.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

   Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
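A check that would have surfaced Raymond's root cause (a logon-script field holding a stray space, left behind when the dead SMS server's smsls.bat was removed) before users started calling, as an added example that is not from the thread or any of its posters. It is written for the ActiveDirectory PowerShell module rather than Hyena; the retired server name is a placeholder, and it assumes the account running it can read every user's scriptPath and list the domain's NETLOGON share.

```powershell
# Added example (not from the thread): audit every user's scriptPath for
# values that will produce "Cannot find the file ..." at logon: whitespace-only
# fields, scripts pointing at a server that no longer exists, and scripts that
# are simply missing from NETLOGON. Orphaned logon scripts are also a
# hygiene issue, since a path nobody owns is a path somebody else can fill.
Import-Module ActiveDirectory

$retiredServers = @('OLD-SMS-SERVER')                        # assumed placeholder
$netlogon = "\\$((Get-ADDomain).DNSRoot)\NETLOGON"           # domain-wide scripts share

# Only users that have the attribute set at all; a lone space still counts as set.
$users = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath

$findings = foreach ($u in $users) {
    $sp = [string]$u.scriptPath
    $issue = $null

    if ($sp.Trim().Length -eq 0 -or $sp -ne $sp.Trim()) {
        # The thread's root cause: a field that holds only whitespace, or a
        # real name with stray padding the client will pass through verbatim.
        $issue = 'blank, whitespace-only or padded scriptPath'
    }
    elseif ($retiredServers | Where-Object { $sp -match [regex]::Escape($_) }) {
        $issue = 'references a retired server'
    }
    elseif ($sp -match '^\\\\') {
        # Fully qualified UNC path: check it as given.
        if (-not (Test-Path -LiteralPath $sp)) { $issue = 'UNC script path not reachable' }
    }
    else {
        # Relative names resolve under the NETLOGON share of the authenticating DC.
        if (-not (Test-Path -LiteralPath (Join-Path $netlogon $sp))) {
            $issue = 'script missing from NETLOGON'
        }
    }

    if ($issue) {
        [pscustomobject]@{
            User       = $u.SamAccountName
            ScriptPath = "[$sp]"            # brackets make stray spaces visible
            Issue      = $issue
        }
    }
}

$findings | Sort-Object Issue, User | Format-Table -AutoSize
```

Clearing a flagged value is `Set-ADUser <sam> -Clear scriptPath`; doing it with the cmdlet rather than a free-text field avoids the "typed a space instead" outcome in the first place.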
RE: [ActiveDir] NTDS perf counters
Or if 2k03, you could probably do stub zones. I've only done stub zones out in the field as AD-integrated stub zones, but I would assume that they can be done as standalone too. It always comes down to cost benefit; a large enough user base in a site justifies the DC. As you start to get data feel free to bring it back to the list for discussion. There are other counters you could watch too (DNS has some logging, you could watch some of the ese/ntdsa counters for AD perf if you're interested, etc.) but the ones you have below will probably give you a good overview as to what is going on today.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 27, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Thanks for the comments. You're absolutely correct that we're looking for the user impact - knowing the busyness of the DC is just part of the equation. I'm also looking at the number/type of workstations, usage patterns, etc. I intend to track the metrics I mentioned on all DCs (not just the remote DCs) using BMC Patrol. That will give me a basis of comparison and a better feel for how busy the central site DCs are. If I have to add capacity at the central site, so be it.

As far as site coverage goes, we have a hub/spoke topology, and 'spoke' DCs are configured to NOT register domain-wide SRV records, so clients will only find DCs at the hub site. Each spoke site has one site link (to the hub site), and site link transitivity is turned off. Shouldn't that ensure that my DC-less sites are properly covered?

Finally, we're already on the upgrade path to W2K03 - we've added a few 2K03 DCs to our 2K native-mode domain. The remaining DCs will be upgraded over the next several months. One thing I will need to address (thanks for the catch, Joe) is the fact that the DCs are also AD-integrated DNS servers, and the clients in those sites are pointed at them for DNS. I could always leave DNS out there sans the AD-integrated zones, or make it a secondary for those zones, but I don't think DNS over the WAN will be a big deal from these sites. I guess I could track how many requests those DNS servers are taking from clients while I'm at it...

Thanks for the feedback guys!
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTDS perf counters

Great question! And your approach is solid. I'd probably encourage you to take a slightly different direction in terms of coming to the answer. The answer isn't as much "how busy is this DC" so much as it probably is "what is the user impact if we remove this DC". That is, we want to know user impact vs. cost of removing DC, not so much what is the DC doing (although you do want to have some understanding of the latter for sure).

That said, I usually take a two-pronged approach to such tasks:
1) Measure what this DC is doing
   a) How busy is it and what is it doing (understand what it does today)
   b) Do my DCs elsewhere have the excess capacity to service the requests they will see if this DC is removed
2) Measure user impact on removing DC
   a) If user requires DC/GC connectivity over the WAN, is latency acceptable?
   b) Are centralized DCs performant enough to service additional requests while keeping user SLA under control?

With that you can start to make some really solid conclusions. The largest complaint I've heard from end users in sites without a DC is from network performance. That is, I perform an action, and the response is slow as the network has an RTT of X ms and that is unacceptably slow. That's something I would personally get a handle on before I yank DCs out of the remote site. That could be LDAP performance, authentication, name resolution, etc.

In terms of specific counters, I think you have some solid metrics below. I would also encourage you to measure perf on the DCs that would pick up the load should we remove the DCs in question (in AD speak, you'd say the DCs that would cover this DC-less site). That is equally important really.

In terms of DC consolidation, 2003 is your friend. We generally made AD substantially faster and more scalable and you can truly do more with less. I hope you don't take this as a sales pitch, I really don't mean it as such. Rather, I'd just point out that if you have some DCs that are very busy and you want to get a bit more bang for your buck out of those same # of servers, the 2k03 upgrade might be helpful there. QP is faster, can service requests faster, caches better, etc.

Feel free to come back with more questions, this is a discussion I'd really like to continue should you see value in doing so. I hope this has added some value in your thinking so far, so let's see where else I might be able to add some thoughts. :)

~Eric
Re: [ActiveDir] OT: Exchange 2003 SP1 documentation
It's my understanding that this information will be released ASAP. I know that it was definitely in the works last night.

Missy Koslosky
Exchange MVP

----- Original Message -----
From: Michael Wassell
To: [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 4:14 PM
Subject: [ActiveDir] OT: Exchange 2003 SP1 documentation

Has anyone managed to find complete documentation of all of the changes made with Exchange 2003 SP1? The release notes fall short of mentioning exactly what updates/changes were made although I have looked briefly and there seems to be more control available to the user through OWA (Options category) and the icons shown in System Manager seem to have been sharpened (:-P). The issue with Exchange services hanging during a shutdown without being stopped beforehand still seems to be a problem so I guess the hopes for a resolve are still "pending". As far as interface changes I can't imagine much more has been changed, but possibly a list of hot fixes which were previously unpublished except maybe to MVPs? Any idea?

Although the package is ~100MB and it did take a few minutes to complete the update procedures which required stopping all Exchange, IIS and related services (including third-party components), all went well.

TIA!
RE: [ActiveDir] strange error on logon
For you? No problem ;) Glad it worked out (never know when a shot in the dark might be helpful).

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

AL, Thank you, Thank you, Thank you!!! We're in the process of removing a dead SMS 2.0 server and a number of users had smsls.bat as their logon script. I used Hyena to remove the logon, but I must have typed a space into the field instead. I swear though I looked for just "/idlist" and didn't come up with anything. Again THANK YOU AL

Thanks,
Raymond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 12:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Oh yeah, one other thing that is *possible* http://www.jsiinc.com/SUBP/tip7500/rh7557.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] strange error on logon
That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen: 824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess. Check the registry on the workstation. That file error throws some hits on the net referring to shell startup. This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] strange error on logon
Searching KB is an art, so you can call me Picasso. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen: 824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess. Check the registry on the workstation. That file error throws some hits on the net referring to shell startup. This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?
As I read through this whole thread there were a couple of other things I noticed, if you don't mind if I ramble for a bit...

Objectcategory=user doesn't exist, that will be converted to objectcategory=person, see below on what that will do for you.

ObjectClass=user is even worse. What happens with that is that it becomes an object by object comparison through the entire search scope. So for instance doing this on a small test domain with like 280 users in it and a couple of machine accounts and a couple of groups the STATS control shows me it had to chase through 3562 objects to return 280. Your mileage will vary but I don't expect it would get much better than that.

There is a way to help with this last issue, index objectclass (searchFlags=9). Test in your lab but the growth of the DIT shouldn't be much, I have seen 10% in the past. All of the crappy objectclass queries only coming through will perform better. I think MS probably made a mistake in not indexing objectclass out of the box. But that is simply my opinion. The nice thing in doing that simple thing is that anyone that comes at you with an app with crappy objectclass based ldap filters cough cough, they will not impact AD as hard.

I just wish there was as simple a solution for finding all group memberships across a forest.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 26, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

Hi Al. :o)

(&(objectcategory=person)(objectclass=user)) is a good filter though it wouldn't catch inetorgpersons. Slightly better may be (&(objectcategory=person)(samaccountname=*)) if you have contact objects or you have inetorgpersons you want to catch as well as user objects. If you have no contacts and no inetorgpersons, either of those filters should perform the same.

Just doing objectcategory=person will get you objectclasses:
dn:CN=Organizational-Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Contact,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com

So let's put it this way, say you have 100k users and 200k contacts in your directory.

If you just do objectcategory=person you will get back 300k objects.

If you do (&(objectcategory=person)(objectclass=user)) you will get back 100k objects though it would have to chase through 300k objects (assuming objectclass has not been indexed in that forest).

If you do (&(objectcategory=person)(samaccountname=*)) you will get back 100k objects and will only chase through 100k objects.

If you add inetorgperson into the mix, you will catch them on the first filter and the third, but not the second. So if your mix was 100k users, 200k contacts, 50k inetorgpersons you would see:
First filter: 350k objects returned
Second filter: 100k objects returned, 350k objects checked
Third filter: 150k objects returned, 150k objects checked.

Now to just get the ones with an email address you add in email=* but note that that may not necessarily be people with Exchange mailboxes... That you would need to go after something like homeMDB. Note that mail is indexed so that is a nice attribute to use. homeMDB I don't believe is.

On the script that was posted (I think by Tom), it would be just as efficient as you say if there was only a single container BUT ALSO if it only contained user objects. If there were for instance many computer or group objects in the same container it would bog down chasing through those.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

The -l params is a nice touch but curious why you want to find objectClass objects. That's an inefficient query IIRC. Plus, if you return each person in the directory (you should start at a higher node to supply an answer to his request which is to find ALL users in the domain; if he had them in one OU or container, he could use that script as posted quite easily without much mod.) you're potentially bringing back way more than he wanted, which again is inefficient right? It's a best practice to narrow the search as much as possible prior to execution to prevent overloading the dc with query traffic. ObjectClass is not usually recommended nor is both user and person (they're redundant mostly) in the same query. Correct me if I'm wrong though. I hate to be wrong thinking I'm right ;) Narrow it down to just users in the domain that have mail attributes and return the mail and proxyaddresses attributes (forgot about the list of attributes to post before in my haste to rush
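joe's "objects returned vs. objects chased" argument above, worked through as an added Python cost model (not code from the post or from Microsoft). It assumes objectCategory and sAMAccountName are indexed by default and objectClass is not until searchFlags is set on it, and that an AND filter is seeded from the most selective indexed term with every other term checked object by object; the counts are constructed to match joe's 100k-user/200k-contact scenario.

```python
"""Cost model for the LDAP filters joe compares above (added example).

Assumptions, labelled: objectCategory and sAMAccountName are indexed by
default and objectClass is not (until searchFlags is set on it); an AND
filter is seeded from the most selective indexed term and every remaining
term is then tested object by object against those candidates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kind:
    """Template for one structural object class (counts stand in for objects)."""
    category: str      # objectCategory the class resolves to
    classes: tuple     # objectClass chain stored on the object
    has_sam: bool      # sAMAccountName populated?


# Class chains follow the AD schema (computer derives from user); the set of
# kinds is constructed for the demo and deliberately leaves out inetOrgPerson.
KINDS = {
    "user":     Kind("person",   ("top", "person", "organizationalPerson", "user"), True),
    "contact":  Kind("person",   ("top", "person", "organizationalPerson", "contact"), False),
    "computer": Kind("computer", ("top", "person", "organizationalPerson", "user", "computer"), True),
    "group":    Kind("group",    ("top", "group"), True),
}
DEFAULT_INDEXED = frozenset({"objectcategory", "samaccountname", "mail"})  # assumption


def parse_filter(text):
    """Reduce '(a=b)' or '(&(a=b)(c=d))' to a list of (attr, value) AND terms."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if not body.startswith("&"):
        attr, sep, value = body.partition("=")
        if not sep:
            raise ValueError("unsupported term: %r" % body)
        return [(attr.lower(), value)]
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.extend(parse_filter(body[start:i + 1]))
    return terms


def term_matches(kind, attr, value):
    """Evaluate one equality/presence term against an object template."""
    value = value.lower()
    if attr == "objectcategory":
        # AD resolves a class name here to that class's default category,
        # which is why objectCategory=user silently becomes person (joe's point).
        wanted = KINDS[value].category if value in KINDS else value
        return kind.category == wanted
    if attr == "objectclass":
        return value in (c.lower() for c in kind.classes)
    if attr == "samaccountname":
        return value == "*" and kind.has_sam
    raise ValueError("attribute not modelled: %s" % attr)


def query_cost(directory, ldap_filter, indexed=DEFAULT_INDEXED):
    """Return (objects_returned, objects_checked) for a filter over a
    directory given as {kind_name: object_count}."""
    terms = parse_filter(ldap_filter)

    def hits(term):
        return sum(n for k, n in directory.items() if term_matches(KINDS[k], *term))

    seeds = [t for t in terms if t[0] in indexed]
    if seeds:
        best = min(seeds, key=hits)            # most selective index wins
        candidates = [k for k in directory if term_matches(KINDS[k], *best)]
    else:
        candidates = list(directory)           # no usable index: full scan
    checked = sum(directory[k] for k in candidates)
    returned = sum(directory[k] for k in candidates
                   if all(term_matches(KINDS[k], *t) for t in terms))
    return returned, checked


if __name__ == "__main__":
    # joe's 100k users / 200k contacts scenario (constructed counts)
    d = {"user": 100_000, "contact": 200_000}
    for f in ("(objectcategory=person)",
              "(&(objectcategory=person)(objectclass=user))",
              "(&(objectcategory=person)(samaccountname=*))",
              "(objectclass=user)"):
        print("%-48s returned=%7d checked=%7d" % ((f,) + query_cost(d, f)))
    # the same AND filter once objectClass is indexed (searchFlags bit 1 set)
    print(query_cost(d, "(&(objectcategory=person)(objectclass=user))",
                     DEFAULT_INDEXED | {"objectclass"}))
```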
RE: [ActiveDir] strange error on logon
Yep, too bad so many Windows folks are pushed to the limit with Spirographs Picasso :o)

Just buy google already... Petty cash, whip it out. Let people beat on MS for a while for using linux machines to find content at MS while it gets assimilated.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Searching KB is an art, so you can call me Picasso. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen: 824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess. Check the registry on the workstation. That file error throws some hits on the net referring to shell startup. This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection? Seen some reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is throwing the error up, then we can go from there.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its components).

I originally thought that it may be an issue with a script I was pushing through group policy, but that is not the case. I still need to look at the startup on the machines in question and see if there is anything there.

Thanks,
Raymond McClinnis
RE: [ActiveDir] Ad forest migration
I didn't see any responses on re-acling so I would say take a look at subinacl.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 25, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Ad forest migration

any known gotchas (i know everything has gotchas) with admtv2, miis, and exchange migration wizard that i should be aware of from the get go? also, i assume going this route over Aelita/Quest is the support and nice gui. and finally, how would i re-acl everything on the servers in the new forest? any tool or script for that? thanks (lot of questions, i know. but i'll let you know how it went and if i crashed and burned my enterprise!!).

-----Original Message-----
From: Missy Koslosky [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Ad forest migration

The Exchange Migration Wizard. http://support.microsoft.com/default.aspx?scid=kb;en-us;328871

----- Original Message -----
From: Kern, Tom <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 7:13 PM
Subject: RE: [ActiveDir] Ad forest migration

i'm sorry if this is obvious but, what's a good exchange migration tool that comes with exchange2k/2k3? and how does it differ from using exmerge to migrate mailboxes to pst's and then import them into the new server/forest? thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mon 5/24/2004 5:07 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Ad forest migration

Probably wouldn't use exmerge in favor of Exchange migration tools included with Exchange. And it would be worth it to use Exchange 2003 (tools at least), but otherwise it can be done. Aelita is just nicer and easier to work with. Both work.

al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, May 24, 2004 4:24 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Ad forest migration

I'm on a serious budget and my IT dept doesn't have/want the money to spend on Aelita migration tools. we are looking to migrate our child domain into our own forest with exchange 2k and still synch our gals. how much hubris would it be to do most of this with free tools like ADMTv2, MIIS, and exmerge? am I insane? thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] silly question
If you cannot have universal security groups in a mixed mode AD forest, how is the Enterprise Admins a universal security group and what functionality does it lose in mixed mode as opposed to native mode?
RE: [ActiveDir] adding a group to the RDP permissions
Hmmm, theoretically, e.g., the permissions are probably stored in the registry. The most likely place would be someplace say like HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, possibly in the Security value. Now theoretically if you used a domain group or a built-in group with a specific SID that doesn't change machine to machine (like I wouldn't recommend using a local group on a server) you could theoretically take that value from one machine and copy to another and have those permissions applied to that other machine. Theoretically you could make this even part of a server build process or have it in some setup script... Also theoretically it may or may not require a reboot to make it kick in. Just chatting theoretically of course. If I was to chat some more theoretically someone looking to write some code to muck with that may theoretically find that that binary format is a type of standard security definition format.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Thanks Ken! Even if I can't use this on the 2K machines, it'll help a bunch in a couple of months. Many of our TS machines are about to be upgraded and/or installed. I appreciate it

mc

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Here's some Perl WMI code for adding a local group to the RDP security. However, if memory serves, W2K doesn't support WMI TS stuff - only 2k3. Anyway, maybe it will work...

    use Win32::OLE qw(in);

    sub TerminalServerSecurity {
        my $host = shift;
        my $RemoteGroup = shift;
        # Connect to the WMI namespace on the target host
        my $wmi = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\$host\\root\\cimv2")
            or die "WMI error: $^E";
        # One Win32_TSPermissionsSetting instance per listener (e.g. RDP-Tcp)
        my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting")
            or die "WMI ExecQuery: " . Win32::OLE->LastError();
        # Add local group giving full control (PermissionPreSet 2 = Full Control)
        foreach my $a (in $accounts) {
            print "Adding access to ", $a->TerminalName, "\n";
            $a->AddAccount("$host\\$RemoteGroup", 2);
        }
    }

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adding a group to the RDP permissions

Anybody know a good way to add a group programmatically (or GPO, etc.) to the RDP properties visible when you go to Terminal Services Configuration/Connections/RDP-Tcp [Properties]. I have a bunch of Win2K remote administration mode servers that I want to add a group of night operators to. Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
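The "standard security definition format" joe hints at, handled in an added Python example (not code from the thread or from Microsoft). It assumes the RDP-Tcp Security value is a self-relative SECURITY_DESCRIPTOR laid out per the public Windows structures; the descriptor it parses is constructed in the block with placeholder SIDs, and the last function applies joe's caveat by flagging entries that carry the source machine's own SID and so would not mean the same thing after being copied to another box.

```python
"""Parse the binary security descriptor joe hints at above (added example).

Assumes, as the post suggests, that the RDP-Tcp 'Security' value holds a
self-relative SECURITY_DESCRIPTOR. The byte layout below follows the public
Windows structures; the sample descriptor is constructed here, not read from
any machine, and every SID in it is a placeholder.
"""
import struct

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
FULL = 0x10000000   # GENERIC_ALL, standing in for the WinStation-specific rights


def sid_to_bytes(sid):
    """Encode 'S-1-5-32-544' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID %r" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Decode a SID at buf[off:]; return (sid_string, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_ace(ace_type, mask, sid, flags=0):
    """ACE header (type, flags, size) + access mask + trustee SID."""
    sid_bytes = sid_to_bytes(sid)
    return (struct.pack("<BBH", ace_type, flags, 8 + len(sid_bytes))
            + struct.pack("<I", mask) + sid_bytes)


def build_self_relative_sd(aces):
    """Header (20 bytes) followed by a DACL; owner/group/SACL offsets stay 0."""
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         0, 0, 0, 20)
    return header + acl


def parse_dacl(sd):
    """Return [(ace_type, flags, mask, sid)] from a self-relative descriptor."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                       # NULL DACL: no restriction at all
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, flags, size = struct.unpack_from("<BBH", sd, off)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            sid, _ = sid_from_bytes(sd, off + 8)
            aces.append((ace_type, flags, mask, sid))
        off += size                     # other ACE kinds are skipped by size
    return aces


def non_portable_sids(aces, source_machine_sid):
    """SIDs that only mean something on the machine the value came from:
    local users/groups carry the machine SID as prefix. Domain and well-known
    SIDs (S-1-5-32-*, S-1-1-0, ...) copy safely, which is joe's point."""
    prefix = source_machine_sid + "-"
    return sorted({sid for _, _, _, sid in aces if sid.startswith(prefix)})


# Constructed sample: Administrators, a domain group, and one machine-local group.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"          # placeholder
DOMAIN_GROUP = "S-1-5-21-987654321-123456789-111222333-1105"       # placeholder
SAMPLE_SD = build_self_relative_sd([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FULL, "S-1-5-32-544"),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FULL, DOMAIN_GROUP),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FULL, MACHINE_SID + "-1001"),
])

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SD)
    for ace in aces:
        print("type=%d flags=0x%02x mask=0x%08x sid=%s" % ace)
    print("will not travel to another machine:", non_portable_sids(aces, MACHINE_SID))
```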
RE: [ActiveDir] Test Lab Creation
This article might help! http://briandesmond.com/blog/archive/2003/11/25/251.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, May 26, 2004 6:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Test Lab Creation

Hi Guys, Thinking... any experiences out there on the below? I'd like to have a test lab to directly match my production AD in terms of OUs, GPOs, Objects, etc, etc. The thing is that I'd like the test domain to be physically separate from my production environment. Any ideas on how or tools that would enable me
RE: [ActiveDir] Anonymous bind
Nothing free. :oP However Vintela and other companies are working on making this A LOT easier for a price. I expect in another year or so *nix machines will hardly be any more hassle to manage in an Enterprise than Windows machines. I doubt anyone will do something in this arena for free. It isn't exactly the kind of thing the Open Source people really care to do I don't think. More of a corporate thing and I don't visualize any company going through writing this up for themselves and then giving it away.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 25, 2004 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

LDAP with SSL/TLS is way better than NIS. As for environment, it's two W2K3 forests with Kerberos forest trust. Forest A has several child domains and holds user accounts. Forest B is where my hosts are (We are a relatively small organization in the enterprise, but we are R&D and want to have control at least over the hosts). So users can come from any child domain of forest A and logon to hosts in forest B. Now Linux does not play well, when the host is in one realm, and users are from several other realms... The only workaround is to map uid to Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is not an option, and it's quite reasonable considering the small size of our division. So here I am, stuck with LDAP authentication ... If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:

Just for curiosity... You don't want to use NIS because it's less secure, yet you are going to use LDAP for authentication? Isn't that a counter? Can you give an overview of your topology and what you're wanting to accomplish in the end? I think we tried to help with the original post without all of the topology information. Sounds like an interesting problem though...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 21, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

If you excuse me, I will break the inline pattern ;). It got too unreadable.

I have seen the interoperability doc. I have also read the whole doc mentioned in the post. It's a very good reference, but is lacking any description of Kerberos deployments in multi-realm environments. Personally I had to choose LDAP authentication instead of Kerberos because my hosts are in one forest, while user accounts are from a child domain of another forest. If someone is aware of a workaround for that, monthly beer supply is on me ;)

SFU is nice, but it tries to emulate NIS and with all due respect to NIS, its time is gone. There are just too many security issues with NIS.

As for having more than one directory, see my reply to joe. I wish I could put it all in one place, but it's not always possible.

Guy

On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:

A few bits more.

[Guy] I know that I am speculating here but all I wanted to do is to point the finger to the interoperability issue. Setting up a heterogeneous environment is a pain. Putting *nix clients (or services) into the AD mix is not easy. One would blame the marketing attitude, the other would blame the maturity level of the other OSes. The truth, I believe, is somewhere in between. So here we go:

[EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)? I think we've done a great job of interop. Can we do better? Always! And we continue to work on it. But we're doing a *lot* in this space. We have docs out there that go down to even walk you through how to set up the pam modules! We have a lot out there. Here's one of my fav docs, but there are others; this is from a post to this very DL: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html

1) You are right. Nobody mentioned schema extensions, but the truth is that if you are considering the integration of open source services, you probably do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to configure and both do not give you SSO. AD is great, but does not have out-of-the-box capabilities to absorb non-MS clients. So what is left for those that can not afford VAS? Either tweak the schema (Linux client will have a hard time without posixAccount and posixGroup objectClasses) or have a cut down functionality (sendmail LDAP mail routing is great, but I would not extend the AD's schema just to make sendmail happy). And if you are still short on the $$$, you are starting to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in this area.

2) Small *heterogeneous*
RE: [ActiveDir] DC not replicating out
I doubt the GPO is it, could be wrong, but doubt it. However what did you change in the GPO? What does repadmin /showreps say on the DC trying to pull?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, May 26, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC not replicating out

Both come up clean, despite the fact that the A record for the DC initially didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead of BAD_DC$. I adjusted that manually and the change replicated to all DCs. Still the netdiag and dcdiag do not show any DNS related problems - only FRS and AD outbound replication is failing. All other tests are fine. Other DCs that participate in the replication with bad DC come up with KCC errors (eventid 1311: there is insufficient site connectivity, blabla...) - it's the only DC at site. It looks almost like island DNS, but it's W2K3 and that should not happen.

Guy

On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:

Would be relatively easy to check DNS. DCDIAG and NETDIAG would be two tools to use to check to see that all is well from the bad dc and good dc perspectives. I'd say go the easy part first. Invalid Checksum? Hmmm... Anything in the security logs that gives an indication?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 25, 2004 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DC not replicating out

I am banging my head against the wall the whole day. In pilot environment we applied a GPO to replace the Default DC GPO. Apparently one of the DCs had some issues when the GPO was applied. The result was: the inbound replication on the DC works, but no other DC can pull from the sick one. Closer examination showed total WMI repository corruption. I have rebuilt it and it looks that WMI is back (not sure it's related, but worth mentioning). Since then, the new GPO has been unlinked and replaced with default (and as the inbound replication on the DC in question is working, it has replicated to it). But that has not resolved the issue.

From faulty DC issued:
repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com /force

Traced the session with network monitor from the good DC... What I see is:
- LDAP bind
- some searches performed and answered correctly
- MSRPC session initiated
- RPC request from good DC, RPC response from bad DC
- RPC bind request from good DC and RPC Bind Ack from bad DC
- again RPC request from good DC, RPC response from bad DC
- again RPC bind request from good DC and RPC Bind Nack from bad DC with Provider Reject Reason: Invalid checksum

I was about to blame the DNS till I got this Invalid checksum in the trace... Now the question is: am I complicating the whole thing and should look closer into DNS or this is something else?

Thanks,
Guy
RE: [ActiveDir] Discontinue Mail Membership
I love how Tony can kill a thread by contributing. :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, May 23, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

In general, yes. Although we do generally have reservations about deleting people (read it again). Subscribed addresses maybe, but not people. We reserve that treatment only for occasions where people continue dead or off-topic threads longer than is absolutely necessary ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, 23 May 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

aren't those the rules that apply to posts to this list? ;-))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, 21 May 2004 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I like the etiquette rules, especially the useful reminder: "We have the right to exploite, humilate, delete, ignore, or coddle any person at anytime for no other reason than Our Own amusement." And what's up with those pink...errmm..stuff you require to wear while reading FeMail? That's mean!

Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 May 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

That is hilarious... go through the FAQ on the left if you haven't

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Hmmm.. googled FeMail and got - "Totally new, cool and fast feMail system utilizes the newest technology available!" http://www.femail.sissify.com/ A replacement for ActiveDir? The most important - it promises "No more fretting about system administrators at your workplace!"

Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 21 May 2004 11:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

that's spelled FEMAIL ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, 20 May 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Please continue FEMALE membership

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you,
Michael Welborn
RE: [ActiveDir] hiding users
Hiding the user from the ADUC and other LDAP based tools would be fairly trivial; you just have to throw the users into an OU with locked down perms (like only let the admin groups and system have access) and then strip the perms on the user objects themselves of everything but administrators. However, the problem is going to be with anyone using legacy API calls (NET USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT Provider). I believe that is all processed by the Domain Controller as localsystem, so it would bypass all of the delegation. I could be wrong on that assessment but I don't think so. You can't lock the IDs out from localsystem access. I mean you could try, and if it actually let you and worked I would expect you would have some serious issues.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 20, 2004 2:00 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] hiding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from appearing in the usual admin GUI utilities like ADUC? Also, when you look in group membership, to not have s(he) appear there as well?

thanks
Re: [ActiveDir] Domain Controller Security...
Yeah, I love/hate that guy

From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 19:22:10 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

Nope, but it doesn't matter. If they can install a service (or replace a file a service uses) they have too much power, let alone schedule a task. Heck, when you get down to it, physical access to the box is all that is needed, but we try to forget that one or else no one would ever put a DC anywhere but within their eyesight, and then only in a sealed room with 4 locks on steel doors. The whole thing, as we have pointed out time and again, is trust and compensating controls. You will never be 100% secure; what you do is try to make as few concessions as you possibly can. Not allowing people normal interactive access or the ability to write to the disk system is one layer that I absolutely recommend for Domain Controllers. Also I don't recommend giving hardly anyone access to AD via builtin groups such as acc op and admin and dom admin, etc. Again, this can be compromised, but it does require even more intent and knowledge to pull off. Also you don't accidentally get viruses and other things running on DCs you shouldn't have there. I am actually waiting for the offline password editor dude who makes the bootable floppy/cd to do the next logical step to help get onto 2K+ Domain Controllers. That guy is bright; I am actually surprised he hasn't gone ahead and done it already.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, May 24, 2004 6:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

You can restrict access to Task Scheduler using GPO (Admin Templates\Windows Components\Task Scheduler) and by changing permissions on the %SYSTEMROOT%\Tasks folder, but there are other ways around. BTW, I remember reading somewhere that the at command uses an old style API which is not enforced by GPO, and therefore the only way around is to change the ACL on the Tasks folder. Anyone remember the details?

Guy

On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote:
The problem, as you're most likely aware, is that server admins have access to the Task Scheduler, which means they can kick things off as LocalSystem, which means the DC is then 0wn3d (owned). Not sure what I'd do in your shoes. I'm fortunate enough to have really good IT folk in my remote locations with DCs. I'm also fortunate enough to be 6'5" tall, built like an NFL lineman, and have an expense account with which I can purchase plane tickets to their location to engage in what my ex-Army junior admin refers to as "wall to wall counseling".

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Chris Lynch [mailto:[EMAIL PROTECTED]
Sent: Friday, May 21, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

I know. I agree that this isn't good security practice. I wouldn't recommend this as well. But, for the lack of space in most locations (and we are only talking about 4 locations), we would just like to give the local tech access to that DC only and no other DC in the domain. I can restrict them to log onto that DC local to them only (via GPO). I might just give them Server Operators rights, restrict them to log onto that DC only, and call it a day.

Thanks,
Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, May 21, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

True... I musta read half the question (again).

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 21, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

I am not sure that fits his requirements for this one... Sounds like he is file sharing from the DC (not something I personally recommend), and obviously it would be a bit much to dcpromo down and back up to add a new share.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, May 21, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

I like Joe Richard's option - DCPromo it out, let the tech work on it, and DCPromo it back in

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] OT, How to change wording on screen when computer is locked
Yeah, deploy this in production and depend on it, then roll out a hotfix or SP that overwrites the gina bins and bam, you've lost your functionality. bginfo is very cool. I've seen something similar that I thought was from MS running on Exchange Servers before too... Possibly part of some Exchange feature pack or reskit or something.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, May 22, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

it's called Resource Hacker (reshacker.exe) and is available at: http://www.users.on.net/johnson/resourcehacker/ Quite nice - I've also used it - but only for lab purposes to easily distinguish machines at logon time. However, we've moved to bginfo from sysinternals, which is obviously much simpler to use for this purpose...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, 23 May 2004 00:39
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT, How to change wording on screen when computer is locked

I used a great little program called Hacker.EXE (excuse the name) that was great for modifying the Gina to change any of the messages, images etc, but can't seem to find a site for it now. Maybe someone else has experience. In the end, we didn't use it 'cos management was a little nervous, but it seemed to work well when I played with it on my machine.

Alan Cuthbertson
Policy Management Software: http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor: http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: joe
To: [EMAIL PROTECTED]
Sent: Saturday, May 22, 2004 1:05 AM
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

Well there are two ways to modify the GINA.
1. Hack it with a binary editor
2. Replace it with one you write

Obviously #2 is the supported method; you can find sample code at http://msdn.microsoft.com/library/default.asp?url= You may possibly be able to do something with the GINA stub functionality, see this http://msdn.microsoft.com/library/default.asp?url=

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 21, 2004 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

Do you know of a good software for making modifications to the GINA?

Ryan McDonald, Systems Administrator

"joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/21/2004 09:35 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

I don't believe that message is tuneable without modification of the GINA.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 20, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT, How to change wording on screen when computer is locked

What I am looking to do is change the wording on the screen when a computer is locked where it says "This computer is in use and has been locked". I have it when the user logs in, but I want to change it when it's locked as well and I cannot find out where to do this for the life of me. Any help would be great, or links or anything.

Ryan McDonald, Systems Administrator
RE: [ActiveDir] OT: Exchange 2003 SP1
Yep, good thing to publish. Another cool thing, something I actually was involved in a lot of the testing of over the last year or so, is http://www.microsoft.com/downloads/details.aspx?FamilyId=3D0884E6-C603-491D-BF57-ACF03E046BFE&displaylang=en

This is the autoaccept agent for conference rooms. You give your conference rooms mailboxes in Exchange and then use this tool and it will process the meeting requests for you. That way you can have automated calendar management of conference rooms (or other resources, say you have a projector or generic laptop or whatever) without people fighting over the conference room and deleting each other's entries. This could put some people out of work, as I know there are some folks whose whole job in life is to manage calendars like that. You used to do this with scripts; that of course was on the slow side. I recall seeing a busy server taking 10-20 minutes to respond when running with a script, but the agent is dot net code that rocks and rolls and the response is in your inbox about as fast as you hit send on the request.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, May 25, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Exchange 2003 SP1

Also continuing the OT note, it seems that the long-awaited server-side spam filtering system (IMF) is available too: http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1

: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony
~~
RE: [ActiveDir] silly question
It is a global group until the root domain goes to native mode. Ditto for the schema admins group. Functionality lost would be that you couldn't place users from any domain other than the root into the group until you go native.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 6:10 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] silly question

If you cannot have universal security groups in a mixed mode AD forest, how is the Enterprise Admins a universal security group and what functionality does it lose in mixed mode as opposed to native mode?
RE: [ActiveDir] task pads
Yeah, first thing I thought was script the move and have it done via a web page... You have full tracking and don't have to delegate anything - just let the web site have the perms.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

Thanks for the ideas. I think I am going to probably script the move. I was trying to make this as simple for the help desk personnel as possible.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Tuesday, May 25, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

If you're always going to move the computer accounts to a specific OU, you could also do a simple script. It would be simple to modify this one to include the computer name as an argument. http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm33.mspx

From: Gasper, Rick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] task pads

We want to have the first level support person move the machine into an OU so that Office 2003 can be installed via group policy.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 25, 2004 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] task pads

? You want to give some sort of secretary a MMC? Sure, why not? Works out well. You'll want to give permissions over computer objects as well for both the current and destination OUs, it sounds like. Not sure why somebody would be moving a computer account though? Is that some sort of tracking mechanism for you?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Tuesday, May 25, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] task pads

Hi all,

I need to give a non admin IT user access to ADUC. Our plan is to use GPO to push out Office 2k3. The non admin IT user is to move the machine to the deployment OU. Is this possible? I am thinking creating a task pad will do this, but I have not ever done that.

Rick Gasper
Manager Network Services
King's College
Wilkes-Barre PA 18711
[EMAIL PROTECTED]
PH: 570-208-5845
Fax: 570-208-6072
Re: [ActiveDir] hitting users
Alternatively, you could just delete all the users. It would have about the same effect as removing localsystem access, but I find it to be a cleaner solution. This would also solve the problem of those nasty little legacy API calls. ; )

But maybe what you really want, Tom, is to provide a view into your directory for your delegated admins? I don't think you ever actually said why you want to do this. If my assumption is correct, there are tons of example web apps that can give those admins a view into the directory to see their users and no one else's. Then you could just set up a group policy to keep the various and sundry admin tools from being executable unless on a pre-designated admin workstation.

From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 19:32:56 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding users

Hiding the user from the ADUC and other LDAP based tools would be fairly trivial; you just have to throw the users into an OU with locked down perms (like only let the admin groups and system have access) and then strip the perms on the user objects themselves of everything but administrators. However, the problem is going to be with anyone using legacy API calls (NET USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT Provider). I believe that is all processed by the Domain Controller as localsystem, so it would bypass all of the delegation. I could be wrong on that assessment but I don't think so. You can't lock the IDs out from localsystem access. I mean you could try, and if it actually let you and worked I would expect you would have some serious issues.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 20, 2004 2:00 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] hiding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from appearing in the usual admin GUI utilities like ADUC? Also, when you look in group membership, to not have s(he) appear there as well?

thanks
[ActiveDir] OT:EXCHANGE weirdness
I have a user (blackberry service account) who has full exchange admin rights on our admin group. Now suddenly (I know there is no "now suddenly", but nothing changed, honest), the blackberry service won't start, and when I open exchange manager logged in as the blackberry account I can't see any admin group. When I log in as another account, I can see everything. I put the bb account into domain admins, and still the same thing. Why? And more importantly, how do permissions and roles get lost like that? I'm running a win2k AD mixed mode and exchange 2k native mode.

thanks
RE: [ActiveDir] hitting users
Hmmm. I hadn't thought of that method. Very easy to implement. I like it. Should cut down on password issues as well. "I can't log on..." "Of course you can't." :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Thursday, May 27, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] hitting users

Alternatively, you could just delete all the users. It would have about the same effect as removing localsystem access, but I find it to be a cleaner solution. This would also solve the problem of those nasty little legacy API calls. ; )

But maybe what you really want, Tom, is to provide a view into your directory for your delegated admins? I don't think you ever actually said why you want to do this. If my assumption is correct, there are tons of example web apps that can give those admins a view into the directory to see their users and no one else's. Then you could just set up a group policy to keep the various and sundry admin tools from being executable unless on a pre-designated admin workstation.

From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 19:32:56 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hiding users

Hiding the user from the ADUC and other LDAP based tools would be fairly trivial; you just have to throw the users into an OU with locked down perms (like only let the admin groups and system have access) and then strip the perms on the user objects themselves of everything but administrators. However, the problem is going to be with anyone using legacy API calls (NET USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT Provider). I believe that is all processed by the Domain Controller as localsystem, so it would bypass all of the delegation. I could be wrong on that assessment but I don't think so. You can't lock the IDs out from localsystem access. I mean you could try, and if it actually let you and worked I would expect you would have some serious issues.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 20, 2004 2:00 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] hiding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from appearing in the usual admin GUI utilities like ADUC? Also, when you look in group membership, to not have s(he) appear there as well?

thanks
RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe
That is good news. I see that 10.3.4 is available via Software Update. So, with the volumes, were the Macs using SMB just for testing (since AFP worked fine)? Or is SMB standard regardless of the server OS and you used AFP just to test?

From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 4:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

Hi Noah,

FYI

1. I just finished up my 10.3.4 testing for the ADPlugin and it appears to resolve all of my previous issues with obtaining a TGT at login. I would say that the ADPlug is now ready for prime time.

2. Entourage 2004 fixes a lot of the previous issues connecting to an exchange server for mail and shared calendaring. I would say it is ready for primetime too (although a little slow).

3. A newly discovered issue has me scratching my head with Mac clients connecting to smb: volumes that are larger than X terabytes. Unfortunately, I do not know what X is, but when I raid 50'd the xserve raid for 2.7tb all the mac clients couldn't handle the volume size via smb: When I broke it up into the default 1.36tb chunks they were able to read it just fine. The windows clients worked flawlessly no matter what size the volume. It is worth mentioning that AFP worked fine. (yes, I am convinced that all of this happened because I was bitching about afp the other day.)

From: Noah Eiger [EMAIL PROTECTED]
Organization: PRBO Conservation Science
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 15:31:54 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

Blush! First, I belong to another list for Mac admins. On that one you are supposed to post summaries after questions. I obviously posted to the wrong list. That said, thank you for further responses.

As for Danny's point about the home directory issue in the demo: during the web cast on AD integration (at www.macoxlabs.org http://www.macoxlabs.org/ ), I recall that one of the presenters discusses how to get the AD user account home directory to appear as the user's Mac OS home directory (rather than a mounted volume on the desktop).

nme

From: McCann, Danny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

- Can XServe volumes be managed by Active Directory? That is, can you add an XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an active directory domain, and some creative vi'ing on the /etc/smb.conf file to manage authentication via kerberos.

- Would love to hear real-world experiences with the new AD Plug-in for 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4 (due to be released the end of this week) goes a little bit farther. There is still an issue gaining a kerberos ticket if you have a particular set of circumstances, but apple has been notified of the issue and is currently working on the problem.

- I consider some services like RIS to be pretty essential to speeding deployment and recovery in a Windows environment. Are there similar applications or services that require OD for Macs?

Check out netboot for this purpose; it doesn't have any direct hooks into OD and isn't required to do your imaging. http://docs.info.apple.com/article.html?artnum=107912 And download System Imaging Administration

Hi

I attended a demo of all of the above today and everything ran very smoothly. Only issue was that they claimed to be able to map AD user account home directories, by mounting them as share points on the desktop, but couldn't demonstrate this as one of the scripts needed some work. Apparently :) Apple are also looking into a method of accessing DFS from the Mac.

Cheers
Danny
Re: [ActiveDir] Users file permission display on intranet page or to file
Thanks Nicholas. I will try that out.

- Original Message -
From: Nicolas Blank
To: [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 4:55 PM
Subject: RE: [ActiveDir] Users file permission display on intranet page or to file

Lots of third party tools to do this. I did exactly this for a client the other day using Quest Reporter: published to HTML, excel, whatever, automatically collected into a DB for auditing; was an auditing requirement for a health provider. File/folder mods can be tracked using auditing on object access on the file/print box. Again used Reporter for this to store the logs (audit requirement) and report on them on an exception basis. It's not the only tool out there, but it fitted the client's requirement to a T: no agents on any boxes, track file/folder/share ACLs and compare over time what was modified and by whom.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Lee
Sent: 27 May 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users file permission display on intranet page or to file

Hello, I have a query here. I would like to track the permission on a specified folder for users (Modify, Full Control, etc etc...) that can display on the intranet page or any other ways. Is there any tool that can do this? Would be great too if there is any way that can put the data into an excel file. This is to know the person that modifies the file/folder permissions as well as to know the latest file/folder permission that the users are having.

Thanks.

rgds,
ken
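An added example of doing the same job without a third-party product (this is not Quest Reporter and not code from anyone in the thread): a PowerShell script that snapshots a folder tree's NTFS ACLs to CSV for Excel, diffs two snapshots to show which ACEs were added or removed, and reads the Security-log events that object-access auditing writes when permissions change. It assumes it runs on the file server, that Enable-FolderAudit is run elevated, and that event ID 4670 ("Permissions on an object were changed", Windows Server 2008 and later) is the event of interest; the demo at the end uses a constructed scratch folder.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 3.0+ on the
# file server; Enable-FolderAudit needs an elevated session (SACLs require SeSecurityPrivilege).

function Export-FolderAclReport {
    # Snapshot the DACL of every folder under $Path into a CSV that opens directly in Excel.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OutCsv,
        [switch] $IncludeInherited     # default: explicit ACEs only, which is what usually changes
    )
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    $rows = foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()    # e.g. Modify, FullControl
                Type      = $ace.AccessControlType.ToString()   # Allow or Deny
                Inherited = $ace.IsInherited
                AppliesTo = '{0} / {1}' -f $ace.InheritanceFlags, $ace.PropagationFlags
                Collected = (Get-Date).ToString('s')
            }
        }
    }
    $rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
    return $rows
}

function Get-AceKey ([object] $Row) {
    # Identity of one ACE for diffing; the Collected timestamp is deliberately left out.
    return '{0}|{1}|{2}|{3}|{4}' -f $Row.Path, $Row.Identity, $Row.Rights, $Row.Type, $Row.AppliesTo
}

function Compare-AclReport {
    # Report ACEs present in only one of two snapshots written by Export-FolderAclReport.
    param([Parameter(Mandatory)] [string] $OldCsv, [Parameter(Mandatory)] [string] $NewCsv)
    $old = @{}; foreach ($r in Import-Csv -LiteralPath $OldCsv) { $old[(Get-AceKey $r)] = $r }
    $new = @{}; foreach ($r in Import-Csv -LiteralPath $NewCsv) { $new[(Get-AceKey $r)] = $r }
    $changes = @()
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $changes += $old[$k] | Select-Object @{ n = 'Change'; e = { 'Removed' } }, Path, Identity, Rights, Type
        }
    }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $changes += $new[$k] | Select-Object @{ n = 'Change'; e = { 'Added' } }, Path, Identity, Rights, Type
        }
    }
    return $changes
}

function Enable-FolderAudit {
    # The "who changed it" half: turn on the File System audit subcategory and put a SACL on the
    # tree so successful permission/ownership changes are logged. Both pieces are required.
    param([Parameter(Mandatory)] [string] $Path)
    & auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ChangePermissions,TakeOwnership', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-PermissionChangeEvents {
    # Pull 4670 events (permissions changed) and flatten who / what / old and new SDDL.
    param([string] $Computer = $env:COMPUTERNAME, [int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4670; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Who    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Object = $d.ObjectName
                OldSd  = $d.OldSd      # SDDL before the change
                NewSd  = $d.NewSd      # SDDL after the change
            }
        }
}

# Constructed demo on a scratch folder: snapshot, grant Modify to Users, snapshot again, diff.
$demo = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$before = Join-Path $env:TEMP 'acl-before.csv'; $after = Join-Path $env:TEMP 'acl-after.csv'
Export-FolderAclReport -Path $demo -OutCsv $before -IncludeInherited | Out-Null
$acl = Get-Acl -LiteralPath $demo
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -LiteralPath $demo -AclObject $acl
Export-FolderAclReport -Path $demo -OutCsv $after -IncludeInherited | Out-Null
Compare-AclReport -OldCsv $before -NewCsv $after | Format-Table -AutoSize
```

Schedule the export and diff against the previous CSV, and pair each reported change with the matching 4670 event, to get the "what changed and by whom" view the thread describes; the CSVs can be published to the intranet as-is.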
Re: [ActiveDir] Users and Computers
Install adminpak.msi, available in the C:\windows\system directory of any server; it is also available on the server CD.

On May 27, 2004, at 9:12 PM, Caple, Andrew wrote:

I'm sure this is an easy one. I'm currently setting up some Support Desk PCs and need to give them access to Users and Computers locally (so that they don't need to RDP into a DC all the time). How do you add the snap-in into an MMC on a computer that doesn't have AD installed on it?

Andrew Caple
Infrastructure Engineer
Phone: +61 3 9861 5425
Facsimile: +61 3 9861 5510
[EMAIL PROTECTED]
105 Camberwell Road, Hawthorn East, Vic 3123
RE: [ActiveDir] Users and Computers
Install Adminpak.msi (you'll find it in the i386 folder on the Windows 200x Server CD). It will install all of the admin snap-ins. Make sure that you use the 2003 version for XP clients.

-Original Message-
From: Caple, Andrew [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 6:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users and Computers

I'm sure this is an easy one. I'm currently setting up some Support Desk PCs and need to give them access to Users and Computers locally (so that they don't need to RDP into a DC all the time). How do you add the snap-in into an MMC on a computer that doesn't have AD installed on it?

Andrew Caple
Infrastructure Engineer
Phone: +61 3 9861 5425
Facsimile: +61 3 9861 5510
[EMAIL PROTECTED]
105 Camberwell Road, Hawthorn East, Vic 3123
RE: [ActiveDir] silly question
Right, the salient point here is that it is not the forest that has mixed/native mode associated with it; it is the domain that has a functionality level tied in. Until 2k03 there is no concept of forest functional level, and then in 2k03 we don't call it mixed vs. native; it is either 0 (nt4, 2k or 2k03 DCs), 1 (nt4 or 2k03 DCs, aka 2k03 interim mode) or 2 (2k03 DCs only, aka 2003 forest functional level).

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 6:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] silly question

It is a global group until the root domain goes to native mode. Ditto for the Schema Admins group. The functionality lost would be that you couldn't place users from any domain other than the root into the group until you go native.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 6:10 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] silly question

If you cannot have universal security groups in a mixed mode AD forest, how is the Enterprise Admins a universal security group, and what functionality does it lose in mixed mode as opposed to native mode?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
