RE: [ActiveDir] ADAM attribute value
Hi,

Thanks a lot to all you guys for helping me out. It has worked by using the attribute supportedCapabilities of RootDSE. This is a wonderful group where almost everyone is eager to help and I hope it continues this spirit...

Cheers,
Harry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 13, 2004 2:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Hi Harry,

To get RootDSE via the LDAP API, you do a base level search with a null search root specified. RootDSE is kind of an ADSI thing to accomplish the same thing. You would need to use a filter such as (subschemaSubentry=*) or something because the RootDSE object doesn't have an objectClass, thus the default objectClass=* filter doesn't work.

HTH,
Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harpreet_Kapoor
Sent: Thursday, August 12, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Hey Eric,

I couldn't locate the file ntldap.h on my machine. So, I wrote the following code:

    nResult = ldap_compare_s(ld, dcRoot, "supportedCapabilities",
                             "1.2.840.113556.1.4.1851;1.2.840.113556.1.4.1791");

This again gives the error code 0x10 or decimal 16 which means that the attribute is not present. Probably, this time it's because of dcRoot, which in my case contains dc=abcd,dc=com. However the RootDSE does not have this distinguished name. Do I need to set the distinguished name of RootDSE first? If yes, how do I do it? If no, how do I circumvent this situation?

Thanks,
Harry

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Creating an OU in ADAM
Hi guys,

I am trying to create an OU named test in ADAM under the root dc=abcd,dc=com. For this, I wrote the following code:

    LDAPMod cnmod, ocmod;
    LDAPMod *mods[3];
    char *cnvals[2], *ocvals[3];

    /* naming attribute of the new entry */
    cnvals[0] = location;
    cnvals[1] = NULL;
    cnmod.mod_op = LDAP_MOD_ADD;
    cnmod.mod_type = "ou";
    cnmod.mod_values = cnvals;

    /* object class of the new entry */
    ocvals[0] = "organizationalUnit";
    ocvals[1] = "top";
    ocvals[2] = NULL;
    ocmod.mod_op = 0;
    ocmod.mod_type = "objectclass";
    ocmod.mod_values = ocvals;

    /* NULL-terminated array of pointers to the modifications */
    mods[0] = &cnmod;
    mods[1] = &ocmod;
    mods[2] = NULL;

    char *entry = "ou=test,dc=abcd,dc=com";
    int error = ldap_add_s(ld, entry, mods);

The error code returned is 34 or 0x22 which means that the distinguished name has an invalid syntax. Do I not need to give in entry the string containing the entry to add? What is wrong with this code?

Thanks,
Harry
Re: [ActiveDir] Creating an OU in ADAM
> cnvals[0] = location;

I think that needs to agree with your ou name, i.e. cnvals[0] = "test";

Lee Flight
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
> WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self-expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X <your distinguished name here>

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 August 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete objects directly, without Tombstonelifetime. How can I do that?

Thanks,
Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
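Dean's foo.ldif creates an object that the directory expires on its own once entryTTL runs out, so an LDIF file handed to ldifde deserves a look before it is imported. The script below is an added example (not Dean's or the list's code): it parses LDIF the way ldifde reads it (blank-line-separated records, "attr: value" and "attr:: base64" lines, continuation lines that start with a space), then reports every record carrying the dynamicObject class together with its entryTTL and the time of death the thread says the directory records in msDS-Entry-Time-To-Die. The 900-second floor is the 15-minute default Dean mentions; SAMPLE_LDIF and SAMPLE_NOW are constructed (Dean's record plus two made-up ones).

```python
"""Audit an LDIF file for dynamicObject records before importing it with ldifde.

Added example, not code from the thread. parse_ldif() handles the LDIF
features ldifde consumes; audit_dynamic_objects() flags self-expiring
records and computes when they would die.
"""
import base64
from datetime import datetime, timedelta, timezone

DEFAULT_MIN_TTL = 900  # seconds: the thread's "default-minimum TTL of 15 minutes"

# Constructed sample: Dean's record, an ordinary contact, and a dynamic
# record whose entryTTL is folded across two lines (the "6" + " 0" -> "60").
SAMPLE_LDIF = """\
# Dean's example record
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901

dn: cn=ordinary,ou=Contacts,dc=X
changetype: add
objectClass: contact

dn: cn=too-short,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
description:: ZHluYW1pYyB0ZXN0
entryTTL: 6
 0
"""

# Constructed "current time" used to make the expiry calculation checkable.
SAMPLE_NOW = datetime(2004, 8, 11, 11, 22, tzinfo=timezone.utc)


def parse_ldif(text):
    """Return a list of records, each a dict of lower-cased attribute -> [values]."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                       # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):                   # comment
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def audit_dynamic_objects(ldif_text, now, min_ttl=DEFAULT_MIN_TTL):
    """List every dynamicObject record with its TTL and computed time to die."""
    findings = []
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "dynamicobject" not in classes:
            continue
        dn = rec.get("dn", ["<no dn>"])[0]
        ttls = rec.get("entryttl", [])
        if not ttls:
            findings.append({"dn": dn, "ttl": None, "time_to_die": None,
                             "note": "dynamicObject without entryTTL"})
            continue
        ttl = int(ttls[0])
        findings.append({
            "dn": dn,
            "ttl": ttl,
            # the expiry the thread says the DS writes to msDS-Entry-Time-To-Die
            "time_to_die": now + timedelta(seconds=ttl),
            "note": "below minimum TTL" if ttl < min_ttl else "ok",
        })
    return findings


def expiry_delay_seconds(finding, now):
    """Seconds between `now` and a finding's time to die (None if it has no TTL)."""
    if finding["time_to_die"] is None:
        return None
    return int((finding["time_to_die"] - now).total_seconds())


if __name__ == "__main__":
    for f in audit_dynamic_objects(SAMPLE_LDIF, datetime.now(timezone.utc)):
        print(f"{f['dn']}: ttl={f['ttl']} dies={f['time_to_die']} ({f['note']})")
```

Run it over the real file before the ldifde -i step; a record with the class but no entryTTL, or a TTL under the configured minimum, is worth a second look because the object will disappear without leaving a tombstone behind.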
RE: [ActiveDir] ADAM attribute value
Ok here it is. You go to an authorized DHCP server and you right click and start to make a new scope. During the wizard for configuring the scope it should have a page that prompts you "Do you want to associate this subnet with a site in the AD for BALBAL domain?". What this would assure is that the DHCP subnets and AD Sites and Services subnets are logically linked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes
Sent: Thursday, August 12, 2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Jon,

Can you explain in a little more detail what you're trying to do.. AD, ADAM or any LDAP programming?

-
http://groups.yahoo.com/group/adsianddirectoryservices
Carlos Magalhaes
Active Directory Programming MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carr, Jonathan (OFT)
Sent: Thursday, August 12, 2004 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Hey Eric;

If you really want to make Windows AD better, make the DHCP scopes tie in to the AD. As follows. If you make a scope on the DHCP server, prompt for "Do you want to define this subnet to a site in the AD". It would save time and help some of us.

Thanks
Jon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Thursday, August 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Even if you create an NC that is of type DomainDNS it doesn't assume that you have the DNS namespace or want to register in it. For example, in my environment here on my machine I have an NC that has the same name as an actual domain on the corporate network. I don't think the IT group would appreciate me registering in to their DNS zone. :)

However that is not to say that you couldn't do something different. You're welcome to register SRV records for whatever you would like. We just don't do that for you today. In the future, who knows. There's always discussion around how to make these things better out of the box.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes
Sent: Thursday, August 12, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

Eric,

> SCPs are a reliable way to detect ADAM instances assuming that ADAM/AD are configured to allow the registration of them. However using SCPs assumes 1) ADAM is running in a domain that is >=2k (not NT4) 2) ADAM service account is successfully registering those SCPs 3) You know what forest an instance is running in (further remember that not all instances have to run in the same forest).

It assumes quite a bit; the main one is that you are connected to the network at installation of ADAM; if you are not then it obviously does not create the SCPs. The assumption that you have permissions to register the SCPs is also quite interesting as - "The application that creates a connection point object, or any object, must have create child permissions for the object class to be created in the container where the object will be created." --- this assuming you are an Administrator or someone with similar power when installing ADAM. I am not saying my two methods are robust at all, I am just saying that the SCPs are not that great either.

> The lack of robust DSA discovery was an intentional tradeoff we made when we allowed you to create NCs that have no alignment with DNS in any way. The fact that domain NCs align with a DNS namespace and we mandate the registration of those records means we can assume that certain records (SRV, A, etc.) are present for DSAs in that domain. Since ADAM has no such mandate to give the administrator flexibility, we lost the ability to make that assumption.

How about the wizard to select NCs and select which type of record to set in the Domain's DNS. -- not that difficult.

Always love these posts :)

C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Thursday, August 12, 2004 3:44 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

I just read what your code is trying to do (should have before I posted, not just replies). An additional point above and beyond discovery is detection of the DSA once connected. For that the most reliable mechanism is looking at supportedCapabilities off of RootDSE. Through that you can figure out if it is AD vs. ADAM, and also what version of each (AD on 2000, 2003, etc.)

~Eric

From: Eric Fleischman
Sent: Thu 8/12/2004 8:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADAM attribute value

It is worth noting that the detection of ADAM, even using mechanisms Carlos outlined, is not nearly as robust as AD. It is a much higher overhead and he is also making
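Two points in this thread are easy to get wrong in code: Joe K.'s note (in the earlier message) that RootDSE is the empty DN read with a base-scope search, and Eric's point that supportedCapabilities is what tells AD from ADAM and which version of each. The block below is an added example, not code from any list post: it models a server offline as a dictionary keyed by DN, reproduces the ldap_compare_s result codes Harry ran into (no such attribute against dc=abcd,dc=com, because the attribute lives only on RootDSE, and compareFalse when two OIDs are passed as one value), and classifies the DSA from the OID list. The OID names are the LDAP_CAP_* constants from ntldap.h; SAMPLE_DIRECTORY is constructed data, not a capture.

```python
"""Detect AD vs. ADAM from RootDSE supportedCapabilities (added example).

Not code from the thread. Models RootDSE as the entry at the empty DN and
ldap_compare_s as a single-value test, then classifies the server.
"""

# LDAP result codes (RFC 4511) relevant to a compare operation.
LDAP_COMPARE_FALSE = 5
LDAP_COMPARE_TRUE = 6
LDAP_NO_SUCH_ATTRIBUTE = 16   # the 0x10 Harry saw
LDAP_NO_SUCH_OBJECT = 32

# Capability OIDs published in RootDSE supportedCapabilities (ntldap.h names).
LDAP_CAP_ACTIVE_DIRECTORY_OID = "1.2.840.113556.1.4.800"             # AD, Windows 2000 and later
LDAP_CAP_ACTIVE_DIRECTORY_V51_OID = "1.2.840.113556.1.4.1670"        # Windows Server 2003 and later
LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID = "1.2.840.113556.1.4.1791" # LDAP signing/sealing
LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"       # ADAM / AD LDS

# Constructed stand-in for a server: lower-cased DN -> attributes.
# "" is RootDSE. It carries no objectClass, which is why Joe K. suggests a
# filter such as (subschemaSubentry=*) when reading it through the C API.
SAMPLE_DIRECTORY = {
    "": {
        "supportedCapabilities": [
            LDAP_CAP_ACTIVE_DIRECTORY_OID,
            LDAP_CAP_ACTIVE_DIRECTORY_V51_OID,
            LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID,
            LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID,
        ],
        "subschemaSubentry": ["CN=Aggregate,CN=Schema,CN=Configuration,CN={PLACEHOLDER-GUID}"],
    },
    "dc=abcd,dc=com": {"objectClass": ["top", "domainDNS"], "dc": ["abcd"]},
}


def ldap_compare(directory, dn, attr, value):
    """Mimic ldap_compare_s: does the entry at `dn` hold exactly `value` for `attr`?"""
    entry = directory.get(dn.strip().lower())
    if entry is None:
        return LDAP_NO_SUCH_OBJECT
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if values is None:
        return LDAP_NO_SUCH_ATTRIBUTE   # what a compare against dc=abcd,dc=com returns
    return LDAP_COMPARE_TRUE if value in values else LDAP_COMPARE_FALSE


def classify_dsa(supported_capabilities):
    """Turn the supportedCapabilities OID list into kind / version / integrity support."""
    oids = set(supported_capabilities)
    if LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID in oids:
        kind = "ADAM"        # an ADAM instance may advertise the base AD OID too, so test ADAM first
    elif LDAP_CAP_ACTIVE_DIRECTORY_OID in oids:
        kind = "AD"
    else:
        kind = "unknown"
    if kind == "unknown":
        version = None
    elif LDAP_CAP_ACTIVE_DIRECTORY_V51_OID in oids:
        version = "2003 or later"
    else:
        version = "2000"
    return {
        "kind": kind,
        "version": version,
        "ldap_signing_sealing": LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID in oids,
    }


def detect_from_rootdse(directory):
    """Base-scope read of the null base (RootDSE), then classify what answered."""
    rootdse = directory[""]
    return classify_dsa(rootdse.get("supportedCapabilities", []))


if __name__ == "__main__":
    print(detect_from_rootdse(SAMPLE_DIRECTORY))
```

Against a live server the same logic applies once the RootDSE attribute has been read: test one OID per compare (or just read the multi-valued attribute and check membership), and do it against the empty DN rather than the domain root.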
RE: [ActiveDir] Creating an OU in ADAM
Thanks Lee, it has worked out.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Flight, L.
Sent: Friday, August 13, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Creating an OU in ADAM

> cnvals[0] = location;

I think that needs to agree with your ou name, i.e. cnvals[0] = "test";

Lee Flight
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
If you would have come to the summit you would have gotten to find out. Dean gave his one man forest destruction show. He hit me with the concept about 15 minutes after I got off the plane which instantly put me into shock (which prepared me for Jimmy's driving actually). Later he showed it to me in action and I said, "Yep, I trusted you in the airport, can't we just forget that and I teach you perl?". Too late for you now. No soup for you.

I 125% agree with Dean on his warning but hope he doesn't explain it on the list. This isn't info that should be readily and openly distributed, just like my forest destruction idea.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen
Sent: Friday, August 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

> WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self-expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X <your distinguished name here>

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 August 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete objects directly, without Tombstonelifetime. How can I do that?

Thanks,
Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
To clarify, I should have said deliberate misuse. Inadvertent misuse would require so many convoluted steps that it would end up being nigh on deliberate.

As I mentioned earlier on, I'd like to know the original poster's reason for doing this (having been prodded by somebody else to find out). With any luck, the nasty scenario has been mitigated by SP1 ... not tried myself as yet.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, August 13, 2004 8:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

If you would have come to the summit you would have gotten to find out. Dean gave his one man forest destruction show. He hit me with the concept about 15 minutes after I got off the plane which instantly put me into shock (which prepared me for Jimmy's driving actually). Later he showed it to me in action and I said, "Yep, I trusted you in the airport, can't we just forget that and I teach you perl?". Too late for you now. No soup for you.

I 125% agree with Dean on his warning but hope he doesn't explain it on the list. This isn't info that should be readily and openly distributed, just like my forest destruction idea.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Allen
Sent: Friday, August 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

> WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self-expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X <your distinguished name here>

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 August 2004 14:41
To: Send - AD mailing list
Subject: RE:
[ActiveDir] ActiveDir.org COM+ Object
Hi everyone,

For information: we posted a new ActiveX COM+ object on the downloads page (http://www.activedir.org/downloads.htm) which you may find useful when administering Active Directory. The object groups many common Active Directory functions together and is ideal for use with Scripting/ASP/VB Apps etc. We tried to cover most of the common functions in this release; more will be added in future updates. Any suggestions for improvement are always welcome.

There are loads of sample scripts included in the package as well as full documentation as we like to make it easy to use ;-). There are also plans to have a .NET component offering the same functionality shortly.

For more details you can download the package "cscActiveDirectory COM Object" from the downloads page and refer to the document "ActiveDir.org cscActiveDirectory v1_0.doc".

Hope it's of some use to you.

Best regards,
Matty
RE: [ActiveDir] Anonymous bind (here we go again)
Personally, I prefer the latter FWIW. Have the workstations update their own data in the BIND zone. It would be no more (or less) secure than if you pulled that data from Active Directory really, just more IP addrs to watch.

Otherwise, I think the certs on the DCs are the wrong path to go down. But if you must, there are some docs out there about putting certs on DCs without installing PKI into the forest. It's not for the faint of heart from what I remember. It's handled for you with certificate services if you install it into the forest. If you don't, why not stand up a standalone CA and generate your certs that way? Not a great long term solution, but that's why I don't favor it.

If you stood a server up in the forest and used it to grab the records and do the conversion, you have no more error probability than if you have the BIND server fetch the data itself that I can see. That's just a customized solution is all.

Just a few thoughts.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, August 12, 2004 11:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I like the idea of having some Windows machine that is part of the domain run a task as the system or network service account and grab the info and jam it into your BIND setup. Do you allow unsecured dynamic updates? If so you should be able to pretty easily do this with perl, adfind, and nsupdate without changing your AD security or trying to cobble certs together on the DC.

Another possible solution is to take the workstations that are the issue themselves and have them run a script to update the foreign DNS. This assumes again open dynamic updates.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Teverovsky
Sent: Thursday, August 12, 2004 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I have thought about that, but if you think about it, it only reverts the problem: now I need to either install some software on the DC to ensure a secure connection/authentication with the BIND box or do it in 3 steps:

- get the data from AD and dump it into a flat file.
- transfer the file to the BIND machine
- parse the file on the BIND box

Both approaches are rather cumbersome and error prone. I tend to prefer installing a third party certificate on the DC.

On this note, can anyone give me a hint how to generate a CSR if I do not have IIS installed? Is there any command line tool for that maybe? I tried scripting it (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp), but it looks like I am doing something wrong: the CA has no problem signing the CSRs generated by IIS, but would not sign mine (script generated).

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:

OK, understood. While the original idea does accomplish the desired outcome, I think there are still other alternatives.

For example, why not create a script that runs based on a schedule on a machine that is a member of the forest, runs in or uses the proper security context to access the desired information in the OUs, writes that information into the zone files on the BIND server, and then completes the appropriate action to ensure that the data is available in BIND DNS (i.e. restarting the DNS daemon)? With this example, you do not need to modify the security around AD. If for some reason you can not perform the desired BIND tasks remotely, you can transfer a file containing the data to an appropriate location and allow a scheduled script on the BIND server to perform the import, etc.

- Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Teverovsky
Sent: Wednesday, August 11, 2004 10:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

Well, I know where the hosts should be in AD, but those hosts can change. The idea is that if a host resides in one of the OUs in question, it gets a CNAME in company.com, but the hosts can come and go, so I do not know what records should get CNAMEs without looking in the OUs.

Guy

On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:

Since you must already know what records you want to transform into CNAME records in the BIND environment, why not build your scripts on the linux system to query the AD hosted DNS servers and then create the CNAME records based on this DNS query instead of an LDAP query?

- Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Teverovsky
Sent: Wednesday, August 11, 2004 2:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anonymous bind (here we go again)

We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com

There is a subset of workstations
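The approach joe and Aric converge on (a scheduled task on a domain member reads the OUs with an ordinary authenticated LDAP query and pushes CNAMEs into the BIND zone) avoids both anonymous bind on the DCs and certificates on the DCs. The block below is an added example of that sync step, not Guy's, joe's or Aric's script. Both inputs are constructed: the computer objects a read-only query of the target OUs would return (dn and dNSHostName) and the CNAMEs the zone currently holds. It produces an nsupdate script that adds, replaces and removes records so the zone matches the OUs; the zone, server name and OU DNs are made-up values. The one deliberate difference from joe's quick version is that the output is meant to be fed to nsupdate -k with a TSIG key rather than relying on unsecured dynamic updates.

```python
"""Sync CNAMEs for workstations in chosen AD OUs into a BIND zone (added example).

Not the thread's code. Reads constructed LDAP results, diffs them against the
zone's current CNAMEs and renders the stdin for `nsupdate -k <tsig-key-file>`.
"""

ZONE = "company.com."
DNS_SERVER = "ns1.company.com"   # hypothetical BIND server name
TARGET_OUS = [                   # hypothetical OUs whose members get a CNAME
    "OU=Lab,DC=ad,DC=company,DC=com",
    "OU=Kiosks,DC=ad,DC=company,DC=com",
]

# Constructed LDAP results: what a query for computer objects under each OU,
# returning dNSHostName, might look like.
AD_COMPUTERS = [
    {"dn": "CN=WS01,OU=Lab,DC=ad,DC=company,DC=com", "dNSHostName": "ws01.ad.company.com"},
    {"dn": "CN=WS02,OU=Lab,DC=ad,DC=company,DC=com", "dNSHostName": "ws02.ad.company.com"},
    {"dn": "CN=KIOSK7,OU=Kiosks,DC=ad,DC=company,DC=com", "dNSHostName": "kiosk7.ad.company.com"},
    {"dn": "CN=SRV01,OU=Servers,DC=ad,DC=company,DC=com", "dNSHostName": "srv01.ad.company.com"},
    {"dn": "CN=STALE,OU=Lab,DC=ad,DC=company,DC=com"},   # no dNSHostName yet: skipped
]

# Constructed view of the CNAMEs the zone holds today (owner -> target).
CURRENT_CNAMES = {
    "ws02.company.com.": "old-ws02.ad.company.com.",   # target changed since last run
    "ws09.company.com.": "ws09.ad.company.com.",       # host has left the OU
}


def in_ou(dn, ou_dn):
    """True if dn sits (at any depth) beneath ou_dn; DNs compare case-insensitively."""
    return dn.lower().endswith("," + ou_dn.lower())


def desired_cnames(computers, ous, zone):
    """owner -> target for every computer with a dNSHostName under one of the OUs."""
    wanted = {}
    for comp in computers:
        host = comp.get("dNSHostName")
        if not host or not any(in_ou(comp["dn"], ou) for ou in ous):
            continue
        short = host.split(".")[0].lower()
        wanted[f"{short}.{zone}"] = host.lower().rstrip(".") + "."
    return wanted


def plan_updates(desired, current):
    """Return (deletes, adds): owners to remove, and (owner, target) pairs to add."""
    deletes = sorted(o for o, t in current.items() if desired.get(o) != t)
    adds = sorted((o, t) for o, t in desired.items() if current.get(o) != t)
    return deletes, adds


def render_nsupdate(desired, current, zone=ZONE, server=DNS_SERVER, ttl=3600):
    """Build the nsupdate input; empty string when the zone already matches."""
    deletes, adds = plan_updates(desired, current)
    if not deletes and not adds:
        return ""
    lines = [f"server {server}", f"zone {zone}"]
    lines += [f"update delete {owner} CNAME" for owner in deletes]
    lines += [f"update add {owner} {ttl} CNAME {target}" for owner, target in adds]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe this into: nsupdate -k /etc/bind/keys/adsync.key   (hypothetical key path)
    print(render_nsupdate(desired_cnames(AD_COMPUTERS, TARGET_OUS, ZONE), CURRENT_CNAMES), end="")
```

On the BIND side the zone's update-policy or allow-update should then name only that TSIG key, and the task account on the Windows side needs nothing beyond read access to the OUs in question.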
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Hmmm ... sorry about that. I would suggest giving the MS definitions of dynamic object and dynamic auxiliary class a read ... they're really pretty good.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 11:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

hahaha crud. I didn't understand one bit of that!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 11, 2004 10:36 AM
To: [EMAIL PROTECTED]; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Ah. Oh yeah. Very good very good. Dean.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 10:32 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable, but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest.

Windows 2003's Active Directory supports two applicable LDAP features: dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (in seconds) can be written to an object, after which time it self-expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances, which serves to provide us the attributes we need, most prominently entryTTL. When entryTTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed, depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE, so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X <your distinguished name here>

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete an object directly, without tombstone lifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
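An added example, not from Dean's post or any Microsoft tool, that reviews an LDIF import file of the shape above before it is handed to ldifde: it mimics the "-c DC=X <real dn>" substitution, lists every added entry that bolts on dynamicObject, computes the expiry the directory would record in msDS-Entry-Time-To-Die, and flags entryTTL values under the 900-second (15-minute) minimum named in the thread. The sample LDIF, the dc=mset,dc=local target and the import time are constructed; the minimum is a parameter, since the real value is a directory setting.

```python
import re
from datetime import datetime, timedelta

DEFAULT_MIN_TTL = 900  # seconds: the 15-minute default minimum named in the thread

# Constructed sample import file, shaped like foo.ldif from the thread.
SAMPLE_LDIF = """\
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901

dn: cn=too-short,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 60

dn: cn=permanent,dc=X
changetype: add
objectClass: contact
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per
    line, repeated attributes collected into lists. Base64 (::) values and
    folded continuation lines are not handled; foo.ldif uses neither."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def review_dynamic_objects(ldif_text, placeholder, real_dn, import_time_iso,
                           min_ttl=DEFAULT_MIN_TTL):
    """One record per 'changetype: add' entry that carries objectClass dynamicObject.
    placeholder/real_dn mimic 'ldifde -c DC=X dc=mset,dc=local' (a case-insensitive
    string replace); expires_at is import time + entryTTL, i.e. the value the DC
    derives for msDS-Entry-Time-To-Die."""
    subst = re.compile(re.escape(placeholder), re.IGNORECASE)
    t0 = datetime.fromisoformat(import_time_iso)
    findings = []
    for entry in parse_ldif(ldif_text):
        if entry.get("changetype", ["add"])[0].lower() != "add":
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "dynamicobject" not in classes:
            continue
        # No entryTTL: the DC applies its own default TTL when the object is created.
        ttl = int(entry["entryttl"][0]) if "entryttl" in entry else None
        findings.append({
            "dn": subst.sub(real_dn, entry["dn"][0]),
            "entry_ttl": ttl,
            "below_minimum": ttl is not None and ttl < min_ttl,
            "expires_at": (t0 + timedelta(seconds=ttl)).isoformat()
                          if ttl is not None else None,
        })
    return findings
```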
RE: [ActiveDir] Creating an OU in ADAM
Couple things I see.

LDAP_ADD_S (all of the LDAP calls) return a ULONG, not an INT (assuming Microsoft header library; other OS/libs, mileage may vary).

What is the value of location? I assume "test"? You shouldn't have different values for the name of the OU and the cn of the OU. This can cause quite a bit of confusion as many equate cn and name in the Microsoft world.

cnmod.mod_type should be set to "cn", not "ou". This is almost certainly generating your x22.

objectclass values should be ok with just organizationalUnit; shouldn't need to specify top as well.

For consistency your ocmod.mod_op should be set to LDAP_MOD_ADD instead of 0.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harpreet_Kapoor
Sent: Friday, August 13, 2004 3:34 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating an OU in ADAM

Hi guys,

I am trying to create an OU named test in ADAM under the root dc=abcd,dc=com. For this, I wrote the following code:

    LDAPMod cnmod, ocmod;
    LDAPMod *mods[3];
    char *cnvals[2], *ocvals[3];

    /* naming attribute of the new entry */
    cnvals[0] = location;
    cnvals[1] = NULL;
    cnmod.mod_op = LDAP_MOD_ADD;
    cnmod.mod_type = "ou";
    cnmod.mod_values = cnvals;

    /* object classes of the new entry */
    ocvals[0] = "organizationalUnit";
    ocvals[1] = "top";
    ocvals[2] = NULL;
    ocmod.mod_op = 0;
    ocmod.mod_type = "objectclass";
    ocmod.mod_values = ocvals;

    /* mods is an array of LDAPMod pointers, so take the address of each struct */
    mods[0] = &cnmod;
    mods[1] = &ocmod;
    mods[2] = NULL;

    char *entry = "ou=test,dc=abcd,dc=com";
    int error = ldap_add_s(ld, entry, mods);

The error code returned is 34 or 0x22, which means that the distinguished name has an invalid syntax. Do I not need to give in entry the string containing the entry to add? What is wrong with this code?

Thanks,
Harry
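An added example, not from joe's reply or Harry's code, that models the add request above as (dn, mods) with the same shape as the LDAPMod array and checks it before the call: the DN is parsed per RFC 4514 (escaped commas and hex pairs), a bad DN is reported as the same 0x22 result ldap_add_s returned, every mod_op is compared against LDAP_MOD_ADD (0 in the Microsoft headers, which is why "ocmod.mod_op = 0" worked), and the leaf RDN is compared with the value supplied for that attribute. build_ou_dn shows the safe way to put Harry's "location" variable into the DN; its parent DN default is the dc=abcd,dc=com from the thread.

```python
import re

LDAP_MOD_ADD = 0x00            # winldap.h value; equals the literal 0 Harry used
LDAP_INVALID_DN_SYNTAX = 0x22  # decimal 34, the result ldap_add_s returned
_SPECIAL = set(',+"\\<>;=')    # RFC 4514: must be backslash-escaped inside an RDN value


def escape_rdn_value(value):
    """Escape a raw name so it can be embedded in 'ou=<value>,...' without changing the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(s, sep):
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v):
    # '\2C' (hex pair) and '\,' (single escaped character) both decode to one character
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1), v)


def parse_dn(dn):
    """[(type, value), ...] leaf first; ValueError on bad syntax. Multi-valued RDNs not handled."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        m = re.fullmatch(r"\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(.*?)\s*", rdn)
        if not m or not m.group(2):
            raise ValueError(f"invalid DN syntax near {rdn!r}")
        rdns.append((m.group(1).lower(), _unescape(m.group(2))))
    return rdns


def check_add(dn, mods):
    """mods = [(mod_op, mod_type, [values])]. Returns problems; empty means consistent."""
    try:
        rdn_type, rdn_value = parse_dn(dn)[0]
    except ValueError as e:
        return [f"{LDAP_INVALID_DN_SYNTAX:#x}: {e}"]
    problems, supplied = [], {}
    for op, mod_type, values in mods:
        if op != LDAP_MOD_ADD:
            problems.append(f"{mod_type}: mod_op {op} is not LDAP_MOD_ADD")
        supplied[mod_type.lower()] = list(values)
    if rdn_type in supplied and rdn_value not in supplied[rdn_type]:
        problems.append(f"RDN {rdn_type}={rdn_value!r} disagrees with "
                        f"supplied {rdn_type} values {supplied[rdn_type]}")
    return problems


def build_ou_dn(location, parent="dc=abcd,dc=com"):
    """Build the entry DN from a user-supplied name by escaping it, not pasting it in."""
    return f"ou={escape_rdn_value(location)},{parent}"
```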
[ActiveDir] (hopefully) quick syntax question
Guys, I'm stuck on something that's probably easy. I'm doing a DC startup script, and it uses the WScript Exec method. The command includes a string with a space, so from a command line, I would normally type:

Command "my string"

Since the syntax of the Exec method is ws.exec(command), I don't know how to deal with the quotes. This doesn't seem to work:

Ws.exec("command "my string"")

How do I build that line properly?

Thanks!
Mark
RE: [ActiveDir] (hopefully) quick syntax question
How about this?

    vbQuote=chr(34)
    str="command " + vbQuote + "something" + vbQuote
    wscript.echo str

    [Fri 08/13/2004 10:21:00.95]
    C:\temp>test
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    command "something"

    [Fri 08/13/2004 10:21:08.35]
    C:\temp>
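An added example, not from joe's reply, showing why the quotes matter and how to produce them: split_cmdline applies the Windows command-line parsing rules (the ones CommandLineToArgvW and the C runtime use) so you can see what the launched program receives from "command my string" versus "command "my string"", quote_arg/build_cmdline are the inverse for building a safe line from a list of arguments, and vbscript_expression renders the finished line as VBScript source using Chr(34) the way joe's vbQuote does. The newer rule that treats "" inside a quoted section as a literal quote is not modelled.

```python
def split_cmdline(cmdline):
    """argv as the Windows rules produce it: whitespace splits outside quotes, '"' toggles
    quoting, 2n backslashes before '"' give n backslashes, 2n+1 give n backslashes plus a
    literal quote, and backslashes not followed by '"' are taken literally."""
    args, buf, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                buf.append("\\" * (count // 2))
                if count % 2:            # odd run: the last backslash escapes the quote
                    buf.append('"')
                    j += 1
            else:
                buf.append("\\" * count)
            i, have_arg = j, True
        elif ch == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(buf))
                buf, have_arg = [], False
            i += 1
        else:
            buf.append(ch)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(buf))
    return args


def quote_arg(arg):
    """Quote one argument so split_cmdline returns it unchanged: quote only when needed,
    escape embedded quotes, and double backslashes that would otherwise eat a quote."""
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    out, pending = ['"'], 0
    for ch in arg:
        if ch == "\\":
            pending += 1
        elif ch == '"':
            out.append("\\" * (2 * pending + 1) + '"')
            pending = 0
        else:
            out.append("\\" * pending + ch)
            pending = 0
    out.append("\\" * (2 * pending) + '"')
    return "".join(out)


def build_cmdline(argv):
    return " ".join(quote_arg(a) for a in argv)


def vbscript_expression(cmdline):
    """Render a finished command line as a VBScript string expression; each embedded
    double quote becomes Chr(34), which is exactly joe's vbQuote trick."""
    tokens = []
    for i, piece in enumerate(cmdline.split('"')):
        if i:
            tokens.append("Chr(34)")
        if piece:
            tokens.append('"' + piece + '"')
    return " & ".join(tokens)
```

VBScript also accepts a doubled quote inside a string literal ("command ""something"""), which is a second way to write the same value.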
RE: [ActiveDir] Creating an OU in ADAM
Thanks Joe, it has worked for me.
RE: [ActiveDir] (hopefully) quick syntax question
Thank you Joe! You're a gentleman and a code-king.

mc
RE: [ActiveDir] Anonymous bind (here we go again)
Thank you all for your replies. Unfortunately our BIND does not accept dynamic updates.

Digging some more I have found the following article about third party certs on DC: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Indeed not for the faint of heart, though doable. I'll catch a chat with our BIND guru and see where we go from here.

Thanks for the ideas.
Guy

On Fri, 2004-08-13 at 16:26, Mulnick, Al wrote:
Personally, I prefer the latter FWIW. Have the workstations update their own data in the BIND zone. It would be no more (or less) secure than if you pulled that data from Active Directory really, just more IP addrs to watch.

Otherwise, I think the certs on the DCs are the wrong path to go down. But if you must, there are some docs out there about putting certs on DCs without installing PKI into the forest. It's not for the faint of heart from what I remember. It's handled for you with certificate services if you install it into the forest. If you don't, why not stand up a standalone CA and generate your certs that way? Not a great long term solution, but that's why I don't favor it.

If you stood a server up in the forest and used it to grab the records and do the conversion, you have no more error probability than if you have the BIND server fetch the data itself that I can see. That's just a customized solution is all.

Just a few thoughts.
Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 12, 2004 11:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I like the idea of having some Windows machine that is part of the domain run a task as the system or network service account and grab the info and jam it into your BIND setup. Do you allow unsecured dynamic updates? If so you should be able to pretty easily do this with perl, adfind, and nsupdate without changing your AD security or trying to cobble certs together on the DC.

Another possible solution is to take the workstations that are the issue themselves and have them run a script to update the foreign DNS. This assumes again open dynamic updates.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, August 12, 2004 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I have thought about that, but if you think about it, it only reverts the problem: now I need to either install some software on the DC to ensure a secure connection/authentication with the BIND box, or do it in 3 steps:
- get the data from AD and dump it into a flat file.
- transfer the file to the BIND machine
- parse the file on the BIND box

Both approaches are rather cumbersome and error prone. I tend to prefer installing a third party certificate on the DC.

On this note, can anyone give me a hint how to generate a CSR if I do not have IIS installed? Is there any command line tool for that maybe? I tried scripting it (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp), but it looks like I am doing something wrong: the CA has no problem signing the CSRs generated by IIS, but would not sign mine (script generated).

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
OK, understood. While the original idea does accomplish the desired outcome, I think there are still other alternatives. For example, why not create a script that runs based on a schedule on a machine that is a member of the forest, runs in or uses the proper security context to access the desired information in the OUs, writes that information into the zone files on the BIND server, and then completes the appropriate action to ensure that the data is available in BIND DNS (i.e. restarting the DNS daemon)? With this example, you do not need to modify the security around AD. If for some reason you can not perform the desired BIND tasks remotely, you can transfer a file containing the data to an appropriate location and allow a scheduled script on the BIND server to perform the import, etc.

- Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, August 11, 2004 10:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

Well, I know where the hosts should be in AD, but those hosts can change. The idea is that if a host resides in one of the OUs in question, it gets a CNAME in company.com, but the hosts can come and go, so I do not know what records should get CNAMEs without looking in the OUs.

Guy

On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:
Since you must already know what records you want to transform into
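An added example, not from the thread, of the scheduled-task approach Aric and joe describe: a domain member queries the OUs, then pushes only the differences to BIND as an nsupdate batch, so hosts that come and go get their CNAMEs added and removed without the BIND box ever binding to AD. The computer list, OU, zone names and current-CNAME snapshot are all constructed stand-ins (what adfind/LDAP and a zone transfer would return); the batch deletes only records that look like ones it created, so hand-maintained CNAMEs such as www survive. Run the output through nsupdate with a TSIG key file (-k) rather than allowing unsigned updates.

```python
# Constructed stand-in for what 'adfind' or an LDAP query of the OUs would return.
AD_COMPUTERS = [
    {"dn": "CN=WEB01,OU=Public,DC=ad,DC=example,DC=local", "dNSHostName": "web01.ad.example.local"},
    {"dn": "CN=WEB02,OU=Public,DC=ad,DC=example,DC=local", "dNSHostName": "web02.ad.example.local"},
    {"dn": "CN=HR01,OU=Internal,DC=ad,DC=example,DC=local", "dNSHostName": "hr01.ad.example.local"},
]
IN_SCOPE_OUS = ["OU=Public,DC=ad,DC=example,DC=local"]
# Constructed snapshot of the CNAMEs already in the public zone; www is hand-maintained.
CURRENT_CNAMES = {
    "web01.example.com.": "web01.ad.example.local.",
    "old01.example.com.": "old01.ad.example.local.",
    "www.example.com.": "web01.ad.example.local.",
}


def in_scope(dn, ous):
    """True when the object sits (directly or below) in one of the OUs."""
    d = dn.lower()
    return any(d.endswith("," + ou.lower()) for ou in ous)


def desired_cnames(computers, ous, public_zone):
    """alias -> target for every in-scope computer that has a dNSHostName."""
    wanted = {}
    for c in computers:
        host = c.get("dNSHostName")
        if host and in_scope(c["dn"], ous):
            short = host.split(".")[0].lower()
            wanted[f"{short}.{public_zone}."] = host.lower().rstrip(".") + "."
    return wanted


def managed(alias, target, public_zone, ad_suffix):
    """A record is ours to delete only if it is shaped like one we generate:
    same first label on both sides and a target inside the AD DNS zone."""
    return (alias.endswith("." + public_zone + ".")
            and target.endswith("." + ad_suffix + ".")
            and alias.split(".")[0] == target.split(".")[0])


def plan_updates(wanted, current, public_zone, ad_suffix, server, ttl=300):
    """nsupdate batch: drop stale managed CNAMEs, add missing ones, flag conflicts."""
    lines = [f"server {server}", f"zone {public_zone}."]
    for alias, target in sorted(current.items()):
        if wanted.get(alias) == target:
            continue                                  # already correct
        if managed(alias, target, public_zone, ad_suffix):
            lines.append(f"update delete {alias} CNAME")   # stale or retargeted
        elif alias in wanted:
            lines.append(f"; conflict: {alias} exists unmanaged -> {target}")
    for alias, target in sorted(wanted.items()):
        cur = current.get(alias)
        if cur != target and (cur is None or managed(alias, cur, public_zone, ad_suffix)):
            lines.append(f"update add {alias} {ttl} CNAME {target}")
    lines.append("send")
    return lines
```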
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
No apologies man. I'm still trying to learn this stuff... :) I'll earmark your post for whenever I read your suggestions.
Re: [ActiveDir]GROUP Policy
Hi,

I am just guessing here really, but it sounds like the user/machine does not have access to the object in Active Directory, not the SysVol. Maybe you need to see how your security is set up on the offending object in Active Directory? Sounds like the error message doesn't tell you what the object is. If you enable GPO logging and look at the UserEnv.log it may give you a hint.

Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Setting: UserenvDebugLevel = 0x10002 (65538)
Log File: %WinDir%\Debug\UserMode\userenv.log

If you post the log we may be able to give you more info.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: Za Vue
To: [EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:11 AM
Subject: RE: [ActiveDir]GROUP Policy

Good morning everyone. I am new here so I am sorry if this question has been asked many times before. My network: three Windows 2000 servers and 200 W2k/XP workstations. Below is the error I am getting with Group Policy. I have looked in many places, but I can't seem to solve this problem. Administrators (full access), USERS, and all computers have at least READ/WRITE access to SYSVOL. Anyone run into this issue before?

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1101
Date: 8/3/2004
Time: 6:37:33 AM
User: NT AUTHORITY\SYSTEM
Computer: BH-005C
Description: Windows cannot access the object DC=%,DC=%,DC=% in Active Directory. The access to the object may be denied. Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thank you,
Z.V.