Re: [ActiveDir] Redirecting Comps

2004-07-11 Thread Steve Patrick
in 2003 you can use

redircmp.exe
or
redirusr.exe


C:\WINDOWS\system32>redircmp.exe /?
Usage:

redircmp CONTAINER-DN

where CONTAINER-DN is the distinguished name of the container
that will become the default location for newly created computer objects

Note: The domain functional level must be at least Windows Server 2003




----- Original Message -----
From: Brian Desmond [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 10, 2004 10:24 PM
Subject: [ActiveDir] Redirecting Comps


 In pt 8.12 of the AD Cookbook, Robbie talks about modifying the wellknown
value by hand. Does this work in a non 2003 native domain? Same with the
users CN

 --Brian

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
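
An added example, not part of the original thread: redircmp changes the `wellKnownObjects` attribute on the domain object, so an export of that attribute shows whether new computer or user objects still land in the stock containers. The GUID constants are Microsoft's well-known container identifiers, not values from this page; the domain name and attribute values are constructed sample data.

```python
# Well-known container GUIDs defined by Microsoft for wellKnownObjects.
GUID_COMPUTERS = "AA312825768811D1ADED00C04FD8D5CD"
GUID_USERS = "A9D1CA15768811D1ADED00C04FD8D5CD"
STOCK_RDN = {GUID_COMPUTERS: "CN=Computers", GUID_USERS: "CN=Users"}


def parse_wko(value):
    """Split one DN-Binary value 'B:<hex length>:<hex>:<DN>' into (guid, dn)."""
    tag, length, rest = value.split(":", 2)
    if tag != "B" or not length.isdigit():
        raise ValueError("not a DN-Binary value: %r" % value)
    n = int(length)
    # Slice by the declared length; the DN itself may legally contain ':'.
    guid, sep, dn = rest[:n], rest[n:n + 1], rest[n + 1:]
    if len(guid) != n or sep != ":" or not dn:
        raise ValueError("malformed DN-Binary value: %r" % value)
    int(guid, 16)  # raises ValueError if the binary part is not hex
    return guid.upper(), dn


def default_containers(values, domain_dn):
    """Map each default-container GUID to (current DN, redirected?)."""
    result = {}
    for value in values:
        guid, dn = parse_wko(value)
        if guid in STOCK_RDN:
            stock = "%s,%s" % (STOCK_RDN[guid], domain_dn)
            result[guid] = (dn, dn.lower() != stock.lower())
    return result


# Constructed sample: computers redirected to an OU, users left at the default.
SAMPLE_DOMAIN = "DC=example,DC=com"
SAMPLE_VALUES = [
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Staging,DC=example,DC=com",
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=example,DC=com",
    "B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=example,DC=com",
]

if __name__ == "__main__":
    for guid, (dn, moved) in default_containers(SAMPLE_VALUES, SAMPLE_DOMAIN).items():
        print(STOCK_RDN[guid], "->", dn, "(redirected)" if moved else "(default)")
```
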


RE: [ActiveDir] Thought of the Day

2004-07-11 Thread Dean Wells



Never sat down and checked them ... I would guess some of 
them are PAS enabled simply due to the fact that they're used on both common 
domain NC objects and those in the config. (and possibly the 
schema).

Maybe it took so much extra disk space to maintain the 
PAS=1 they decided against it :-) or "since they're already everywhere, 
why bother" may have crossed their minds.

Seriously, the primary reason has to be it serves no 
purpose since the GC maintains only those PAS enabled attributes populated on 
objects within the domain NC. Sure it's got a copy of the config. and 
schema but not because of its GC'ness.
--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, July 10, 2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Thought of the Day

How come all attributes of all objects that live entirely 
in the configuration NC and Schema NC aren't PAS 
enabled?


RE: [ActiveDir] Thought of the Day

2004-07-11 Thread joe



Exactly... all of the info is on every GC already, why not 
let people query it through the GC port which is most controlled by what is 
set as PAS. Instead if you have a bind already to a GC port on a DC you 
have to open another bind to the LDAP port to search for attributes in the 
config. Why? 

Actually I don't think it should be a matter of what is 
marked PAS for the schema and config NCs, they should be fully searchable 
through the GC port, there are a bunch of other special cases so that would 
simply fit in. 

 joe




RE: [ActiveDir] Thought of the Day

2004-07-11 Thread Dean Wells



Yup, can't disagree with that, I would guess it's little 
more than an implementation specific side effect of the way they determine what 
responses a GC should give and those that it shouldn't. 
After all, a GC's response should be (loosely) consistent regardless of which GC 
the query was submitted to. Having said that though, and as you already 
implied, there are indeed cases whereby a response from one GC differs from 
another (unrelated to replication latency which is a given) generally due to the 
domain in which the GC exists ... but that really shouldn't have any bearing on 
the forest wide NCs.
--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com





RE: [ActiveDir] How to Query, identify & delete the mail boxes which are not in use for more than 3 months

2004-07-11 Thread joe



Hmmm...

You would hope you could query the store and get this info, 
BUT, even if someone else looks at your calendar or I think if the system needs 
to look at the mailbox for some reason the store will have last logon updated to 
reflect that so you can't use the last logon time on the store for anything 
authoritative. This means everything falls on the shoulders of AD and you have 
the same normal question, how do I find unused accounts.

The answer to that is a couple:

1. Set up a password expiration policy and pop anyone who 
exceeds it by some value of X that you define.

2. Query every DC for last logon for every user and 
generate a list that way, if you have more than a few DCs or many users at all 
this really falls down quick.

3. With K3 in domain functional mode you have 
lastlogontimestamp which is nice.


However even with all three of those you don't really know 
if they are touching their mailbox, they could just be logging onto their 
account.


 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 10, 2004 1:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to Query, identify & delete the mail boxes which are not in use for more than 3 months

Hello Folks,
I was wondering, if it's possible to Query, identify & 
delete the mail boxes which are not in use for more than 3 months & 
email id which have never been accessed after its 
creation.

Exchange Server 5.5 SP3-BDC, Windows 2000 Domain 
Controller.

Can any one suggest me some scripts or tweaks to achieve this.

Thanks for your time!
Cheers,
Athif
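
An added example, not part of the original thread: options 2 and 3 from the reply above combined, run over attribute values already exported from each DC. It takes the newest non-replicated `lastLogon` across all DCs, falls back to the replicated `lastLogonTimestamp` with extra slack for its periodic update (14-day default interval), and flags accounts idle for more than 90 days; the account names, DC names and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """datetime -> AD timestamp (100-ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def from_filetime(ticks):
    """AD timestamp -> datetime; 0 or missing means 'never logged on'."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None


def stale_accounts(accounts, now, max_age_days=90, sync_slack_days=14):
    """Return [(name, last_seen_or_None)] for accounts idle past the cutoff.

    accounts: {name: {"lastLogon": {dc: ticks}, "lastLogonTimestamp": ticks}}
    lastLogon is not replicated, so the newest value across all DCs counts.
    lastLogonTimestamp is replicated but only refreshed periodically, so an
    account known only by that attribute gets sync_slack_days of extra slack.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, rec in accounts.items():
        per_dc = [t for t in rec.get("lastLogon", {}).values() if t]
        replicated = rec.get("lastLogonTimestamp", 0)
        seen = from_filetime(max(per_dc + [replicated]))
        limit = cutoff if per_dc else cutoff - timedelta(days=sync_slack_days)
        if seen is None or seen < limit:
            stale.append((name, seen))
    return stale


def day(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample data: two DCs, four accounts.
NOW = datetime(2004, 7, 11, tzinfo=timezone.utc)
SAMPLE = {
    "alice": {"lastLogon": {"DC1": day(2004, 7, 1), "DC2": day(2004, 1, 5)}},
    "bob": {"lastLogon": {"DC1": day(2004, 2, 1), "DC2": 0}},
    "carol": {"lastLogon": {}, "lastLogonTimestamp": day(2004, 4, 5)},
    "dave": {"lastLogon": {"DC1": 0, "DC2": 0}},
}

if __name__ == "__main__":
    for name, seen in stale_accounts(SAMPLE, NOW):
        print(name, seen.date() if seen else "never logged on")
```

As the reply notes, a recent logon only shows the account is in use, not that the mailbox is.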




RE: [ActiveDir] Redirecting Comps

2004-07-11 Thread Robbie Allen



I tried this as well a while back and it didn't work for me 
on W2K.

Robbie Allen
http://www.rallenhome.com/

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
  Sent: Sunday, July 11, 2004 5:26 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Redirecting Comps
  
  Only one real way to know for sure. 
  :oP
  
  I think I tried this though once and it wouldn't let me 
  do it... Definitely worth another try though. 
  
   joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Sunday, July 11, 2004 5:08 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Redirecting Comps
  
  I'm aware of this. I'm trying to figure understand if the manual change 
  will work in 2k domains/dcs.
  
  --Brian
  


Re: [ActiveDir] Redirecting Comps

2004-07-11 Thread Steve Patrick
My apologies.. I missed that part.

In Win2k you will fail with a constraint violation, and in Win2k3 the OS
(not the tool) does an explicit check for the domain functional level.

However - if you REALLY wanted to be unsupported for this scenario, you
could use Allow System Only Change and Win2k will then allow you to do
this -- I don't really advise you do this tho, I am not sure of the
consequences.

-steve

----- Original Message -----
From: Brian Desmond [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 11, 2004 2:07 PM
Subject: RE: [ActiveDir] Redirecting Comps


 I'm aware of this. I'm trying to figure understand if the manual change
will work in 2k domains/dcs.

 --Brian
