RE: [ActiveDir] Error with group policy

2004-10-28 Thread Lucia Washaya

Return Receipt

Your "RE: [ActiveDir] Error with group policy" document was received by Lucia Washaya/UNAMSIL at 28/10/2004 08:23:06 GMT.





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Lucia Washaya

Return Receipt

Your "RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide" document was received by Lucia Washaya/UNAMSIL at 28/10/2004 08:23:10 GMT.







[ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Jorge de Almeida Pinto





Hi Everyone,


Our situation:


OU Groups with all security groups
OU Users with users
OU Tasks with a taskgroup named TK_ChangeGroupMembership
Helpdesk accounts are member of the group TK_ChangeGroupMembership


The group TK_ChangeGroupMembership has been delegated the control to change group memberships of groups in the OU Groups. With this solution the helpdesk has the possibility to add a user to a group. OK..., but the helpdesk also has the possibility to add a group to another group (group nesting) AND WE DO NOT WANT THAT! So we created a taskpad view so that the helpdesk only sees the USERS OU. With the last solution the problem still exists because when the helpdesk guys open the properties of a user in the USERS OU they still have the possibility to request the properties of the groups the users are a member of, and therefore they still can add a group to another group.

I think I've tried everything, but no solution until now...


Does any of you know how I could solve this?
Thanx!


Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto
Infrastructure Consultant
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -




This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



[ActiveDir] test

2004-10-28 Thread DOUG E. HALE - 5594



test


Re: [ActiveDir] test

2004-10-28 Thread Tony Murray
Doug

Please see the FAQ #5 regarding test messages.

http://www.activedir.org/List_FAQ.htm

Tony
-- Original Message --
From: DOUG E. HALE - 5594 [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 28 Oct 2004 08:08:12 -0400

test


 





Sent via the WebMail system at mail.activedir.org


 
   


RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Nicolas Blank








a) third party provisioning tools, Quest/Aelita/Similar

b) run a scheduled script to strip out groups within groups every fifteen minutes

c) publicly beat a helpdesk employee to make an example of them - oops, don't we do that anymore? ;)











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and not to add other groups


Hi Everyone,


Our situation:


OU Groups with all security groups
OU Users with users
OU Tasks with a taskgroup named TK_ChangeGroupMembership
Helpdesk accounts are member of the group TK_ChangeGroupMembership

The group TK_ChangeGroupMembership has been delegated the control to change group memberships of groups in the OU Groups. With this solution the helpdesk has the possibility to add a user to a group. OK..., but the helpdesk also has the possibility to add a group to another group (group nesting) AND WE DO NOT WANT THAT! So we created a taskpad view so that the helpdesk only sees the USERS OU. With the last solution the problem still exists because when the helpdesk guys open the properties of a user in the USERS OU they still have the possibility to request the properties of the groups the users are a member of, and therefore they still can add a group to another group.

I think I've tried everything, but no solution until now...

Does any of you know how I could solve this?
Thanx!

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.








RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Jorge de Almeida Pinto



thanx..
We also thought about option C, but we would then run out of helpdesk employees and have to change the group memberships ourselves. ;-) (very big smile!) just kidding..


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Thursday 28 October 2004 14:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups


a) third party provisioning tools, Quest/Aelita/Similar
b) run a scheduled script to strip out groups within groups every fifteen minutes
c) publicly beat a helpdesk employee to make an example of them - oops, don't we do that anymore? ;)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

Hi Everyone,
Our situation:
OU "Groups" with all security groups
OU "Users" with users
OU "Tasks" with a taskgroup named "TK_ChangeGroupMembership"
Helpdesk accounts are member of the group "TK_ChangeGroupMembership"

The group "TK_ChangeGroupMembership" has been delegated the control to change group memberships of groups in the OU "Groups". With this solution the helpdesk has the possibility to add a user to a group. OK..., but the helpdesk also has the possibility to add a group to another group (group nesting) AND WE DO NOT WANT THAT! So we created a taskpad view so that the helpdesk only sees the USERS OU. With the last solution the problem still exists because when the helpdesk guys open the properties of a user in the USERS OU they still have the possibility to request the properties of the groups the users are a member of, and therefore they still can add a group to another group.
I think I've tried everything, but no solution until now...

Does any of you know how I could solve this? Thanx!

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Lucia Washaya

Return Receipt

Your "RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide" document was received by Lucia Washaya/UNAMSIL at 28/10/2004 12:41:30 GMT.







RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Justin_Leney

Return Receipt

Your "RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide" document was received by Justin Leney/US/DCI at 10/28/2004 09:17:01 AM.






OT: RE: [ActiveDir] What attribute determines the Schema Master Role?

2004-10-28 Thread Mulnick, Al
That would make a great slogan right now in the US, wouldn't it?  

Buy our product and there'll be a rubber chicken in every data center. or
something like that. 

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 27, 2004 7:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What attribute determines the Schema Master Role?

A rubber chicken with long, nasty iron spikes sticking out of it!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Wednesday, October 27, 2004 12:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What attribute determines the Schema Master Role?

You forgot, comes with rubber chicken to beat Admins who change FSMO roles
without telling AD Admin...

Hehe

Todd

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What attribute determines the Schema Master Role?

product plug
NetPro's ChangeAuditor for AD monitors all changes to AD configuration and
produces a real-time change log detailing what the change was, the old and
new value, who made the change, and when and where the change was made. You
can define the types of changes that you should be alerted about. 

Changes to FSMO role owners are one of the 100s of types of changes CAAD
keeps track of.

You can find out more at http://www.netpro.com/products/changeauditor
/product plug 

-gil

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Wednesday, October 27, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What attribute determines the Schema Master Role?

Further roles can be found on the fSMORoleOwner attribute on the following
partitions:

Primary Domain Controller (PDC) FSMO:
LDAP://DC=MICROSOFT,DC=COM

RID Master FSMO:
LDAP://CN=Rid Manager$,CN=System,DC=Domain,DC=COM

Schema Master FSMO:
LDAP://CN=Schema,CN=Configuration,DC=Domain,DC=Com

Infrastructure Master FSMO:
LDAP://CN=Infrastructure,DC=Domain,DC=Com

Domain Naming Master FSMO:
LDAP://CN=Partitions,CN=Configuration,DC=Domain,DC=Com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 27 October 2004 01:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] What attribute determines the Schema Master Role?


Look for the fSMORoleOwner attribute (DN format) on the object in question,
e.g.

CN=Schema,CN=Configuration,DC=myco,DC=com

fSMORoleOwner: CN=NTDS Settings,CN=Server1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=myco,DC=com;

I don't know of an LDAP monitor as such, but you can set logging in such a
way that it shows all searches.  Have a look at Robbie Allen's AD Cookbook.
Also, this presentation provides some good info.

http://www.rallenhome.com/conferences/RAllen_LDAP_Searching.ppt

Tony
-- Original Message --
From: Sanz de Leon, Juan Carlos [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 27 Oct 2004 13:43:17 +0200

 

Dear gurus,
 
We recently had a problem where the Schema Master ROLE was not
recognized in the forest.  Whenever we queried the DCs in our forest to
indicate the Schema Master, the answer gave an error.  To solve the issue we
had to Seize the Schema Master role using ntdsutil.
 
Now the question.  What attribute in AD is the one that establishes who has
the different roles of the forest or domain?  I know it is in the
configuration partition, probably under NTDS settings... What I don't know
is the attribute in AD that decides who has which role.
 
Anyone know of an LDAP monitor?  Similar to regmon from sysinternals.
 
 
Thanks in advance,
Juan Carlos Sanz de León

 





Sent via the WebMail system at mail.activedir.org


 
   


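Reading the five fSMORoleOwner values named in the thread above and keeping a baseline, so that a transfer or seize of a role shows up on the next run, as an added PowerShell example that is not code from the thread or from any product mentioned in it. It assumes the RSAT ActiveDirectory module on a domain-joined host; the baseline file path is an assumption. It also handles the case Juan Carlos hit, where the attribute still points at a deleted NTDS Settings object after the role holder has gone.

```powershell
# Added example: read fSMORoleOwner from the five objects the thread lists,
# resolve each to the DC that holds the role, and diff against a saved baseline.
#Requires -Modules ActiveDirectory

$BaselinePath = 'C:\Audit\fsmo-baseline.json'   # assumed location

$root   = Get-ADRootDSE
$domain = Get-ADDomain
$dnc    = $domain.DistinguishedName

# The object that carries fSMORoleOwner for each role (same five as in the thread).
$roleObjects = @{
    'PDC Emulator'         = $dnc
    'RID Master'           = 'CN=RID Manager$,CN=System,' + $dnc
    'Infrastructure'       = 'CN=Infrastructure,' + $dnc
    'Schema Master'        = $root.schemaNamingContext
    'Domain Naming Master' = 'CN=Partitions,' + $root.configurationNamingContext
}

function Get-FsmoOwner {
    $owners = @{}
    foreach ($role in $roleObjects.Keys) {
        $obj = Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner
        $ownerDn = $obj.fSMORoleOwner
        if ($ownerDn -match '0ADEL:') {
            # The attribute points at a deleted object: the old holder is gone
            # and nothing has been transferred or seized yet.
            $owners[$role] = "ORPHANED ($ownerDn)"
            continue
        }
        # fSMORoleOwner is the DN of an NTDS Settings object; its parent is the
        # server object, which carries the DC's DNS name.
        $serverDn = $ownerDn -replace '^CN=NTDS Settings,', ''
        $owners[$role] = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
    }
    return $owners
}

$current = Get-FsmoOwner
if (Test-Path -Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($role in $current.Keys) {
        if ($baseline.$role -ne $current[$role]) {
            Write-Warning ('{0} changed: baseline {1}, now {2}' -f $role, $baseline.$role, $current[$role])
        }
    }
} else {
    Write-Host "No baseline at $BaselinePath; recording the current owners."
}
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run it from a scheduled task and route the warnings wherever alerts go; a role that moves without a change ticket is exactly the case the rubber chicken was for. `Get-ADForest` and `Get-ADDomain` also expose the role holders as properties, but this version reads the attribute the thread names, which is what you see in an LDAP trace or in ADSI Edit.
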
RE: [ActiveDir] Little OT: AD and exchange.

2004-10-28 Thread Mulnick, Al



Dual hatting?

Pay particular attention to the way permissions are handled 
on folders. Should work, but that will be the one to watch most 
likely.

Good luck,

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, October 27, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Little OT: AD and exchange.


Well I basically got a task for someone that is currently dual hatting and needs their office staff from one office to be able to edit their calendar that is on a different domain using their current accounts. Right now just gathering information.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Little OT: AD and exchange.

Check out the docs on www.microsoft.com/exchange/library especially the ones about multi-domain, multi-forest deployments (I think it's in the planning and deployment doc but it's been a while since I read them).

Are you 
seeing any issues that you want to resolve or just fishing?

Al




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, October 27, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Little OT: AD and exchange.


Anyone have information about considerations that may or may not be needed to allow a user from a different site/domain to have edit access on another site/domain user's Exchange calendar? Both domains are in the same forest.



RE: [ActiveDir] Odd trust behavior

2004-10-28 Thread joe
I would start with 

nltest /sc_query:nt4domainname

Run on various 2k3 DCs.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Odd trust behavior

We've begun adding our first servers, all 2003, into our first AD domain
(running in 2003 mode).  This domain has a two-way trust with one of our
NT4.0 domains.  We need to add a global group from the NT4.0 domain into the
Administrators group on the server.  We're able to do this.  However, when
we go back into the Administrators group all we get is the SID and a
question mark.  This also results in the members of that group being unable
to access the server.  We can remove the group and re-add the group but it
still converts to just the SID and the question mark.  We've also removed
one of the servers with this problem from the domain, re-added it, and re-added
the group to Administrators, but no luck.

I believe that there's something simple and obvious that we're missing.
WINS checks out fine.  We're able to map drives manually to each other from
both the PDC of the trusted domain and from the server in question.

Any ideas?


RE: [ActiveDir] Delegates

2004-10-28 Thread joe



They could also have FC over the user object directly or 
through a group... 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 28, 2004 9:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

Sounds like the user has too many rights for example the 
'Send As' rights along with the send on behalf of. 


Can you verify the behavior with some test accounts and 
just follow this to grant send on behalf of rights and nothing else? http://support.microsoft.com/?kbid=327000

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates


I would have to ask, 
which permissions? (Since there are several places where the permissions 
are specified.)

In ADUC
Under mailbox rights (Exchange Advanced 
tab) - this person has full access.
Under Delivery Options (Exchange General 
tab) - this person is specified in the grant this permission to: send on behalf 
of
Under Security - this person has full 
control






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

That header change 
occurs on the server and is displayed by clients that understand it 
properly. 

What type of permission 
does the originator have and where is it granted?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegates

Hey Group,

One of our "users" 
reports that when they send a message on behalf of another person, it no longer 
states that in the header. I have checked both the outlook client, Office 
2003 and the Exchange tabs within ADUC. Oh. It is on an Exchange 
2003 server. Anyone have any ideas of what the problem may 
be?

Thanks,
S


RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread joe



A is definitely the best answer in terms of a guarantee. C is the most fun. :o)

For a quick workaround I would combine B with C. A script that checks groups for nested groups and then if it finds them cleans them up, then sends a note to everyone who can change the membership of the group that had the problem and what group had been nested in it. Basically give enough info so someone could chase help desk tickets and embarrass someone. Make sure you catch the managers of the help desk staff as well as possibly the security group.

Note that even with custom taskpads and such, people can 
manipulate groups with scripts and command line tools...

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, October 28, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

thanx..
We also thought about option C, but we would then run out of helpdesk employees and have to change the group memberships ourselves. ;-) (very big smile!) just kidding..


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Thursday 28 October 2004 14:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups


a) third party provisioning tools, Quest/Aelita/Similar
b) run a scheduled script to strip out groups within groups every fifteen minutes
c) publicly beat a helpdesk employee to make an example of them - oops, don't we do that anymore? ;)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

Hi Everyone,
Our situation:
OU "Groups" with all security groups
OU "Users" with users
OU "Tasks" with a taskgroup named "TK_ChangeGroupMembership"
Helpdesk accounts are member of the group "TK_ChangeGroupMembership"

The group "TK_ChangeGroupMembership" has been delegated the control to change group memberships of groups in the OU "Groups". With this solution the helpdesk has the possibility to add a user to a group. OK..., but the helpdesk also has the possibility to add a group to another group (group nesting) AND WE DO NOT WANT THAT! So we created a taskpad view so that the helpdesk only sees the USERS OU. With the last solution the problem still exists because when the helpdesk guys open the properties of a user in the USERS OU they still have the possibility to request the properties of the groups the users are a member of, and therefore they still can add a group to another group.
I think I've tried everything, but no solution until now...

Does any of you know how I could solve this? Thanx!

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel    : +31-(0)40-29.57.777
Fax    : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

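Option B as joe describes it in the post above (check the groups in the delegated OU for nested groups, clean them up, and tell the people who can change that group which group had been nested in it), as an added PowerShell example that is not from the thread. It assumes the RSAT ActiveDirectory module and the OU name from Jorge's post; the OU's distinguished name, the SMTP host, the recipients and the log path are assumptions.

```powershell
# Added example: detective control for group-in-group nesting under OU Groups.
# Runs in report-only mode until $ReportOnly is set to $false.
#Requires -Modules ActiveDirectory

$GroupsOU   = 'OU=Groups,DC=example,DC=com'    # assumed DN of the delegated OU
$SmtpServer = 'smtp.example.com'                # assumed
$From       = 'ad-audit@example.com'            # assumed
$To         = 'helpdesk-managers@example.com'   # assumed: helpdesk managers and the security group
$LogPath    = 'C:\Logs\nested-groups.log'       # assumed
$ReportOnly = $true   # first runs only report; set to $false to remove nested groups

$findings = @()

foreach ($group in Get-ADGroup -Filter * -SearchBase $GroupsOU) {
    # Direct members only: the point is to see which group was nested where,
    # not to expand the membership tree.
    $nested = Get-ADGroupMember -Identity $group |
              Where-Object { $_.objectClass -eq 'group' }

    foreach ($member in $nested) {
        $line = '{0} group "{1}" found nested in "{2}"' -f (Get-Date -Format u),
                $member.SamAccountName, $group.SamAccountName
        if (-not $ReportOnly) {
            Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false
            $line += ' (removed)'
        }
        $findings += $line
    }
}

if ($findings.Count -gt 0) {
    # Keep a local record as well as the mail, so the history survives the inbox.
    Add-Content -Path $LogPath -Value $findings
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Nested groups found under $GroupsOU" -Body ($findings -join "`n")
}
```

Schedule it under an account that has write access to the member attribute on the groups in that OU, on whatever interval the fifteen-minute suggestion above turns into. The script tells you what was nested, not who did it; for that, correlate the timestamp with the "member added" security events on the domain controllers (632/636/660 on Windows 2000/2003, 4728/4732/4756 from Windows Server 2008 on), which record the account that made the change.
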

RE: [ActiveDir] Delegates

2004-10-28 Thread joe



Ok under the category of duh, sorry. I didn't read the full 
post...


Under Security - this person has full 
control
Full Control means a user has all permissions over an object. For some reason MS did the Send As functionality as a permission (instead of an attribute, say like public delegates) so it isn't possible to query for who can do what, but also you can have side effects. That is... if you have full control over some user object, you have every permission on that user object unless something otherwise denies it. Now I haven't specifically tested if Exchange will treat a FC granted Send As like a normal granted Send As, but I would be willing to bet that it does work that way.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates

They could also have FC over the user object directly or 
through a group... 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 28, 2004 9:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

Sounds like the user has too many rights for example the 
'Send As' rights along with the send on behalf of. 


Can you verify the behavior with some test accounts and 
just follow this to grant send on behalf of rights and nothing else? http://support.microsoft.com/?kbid=327000

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates


I would have to ask, 
which permissions? (Since there are several places where the permissions 
are specified.)

In ADUC
Under mailbox rights (Exchange Advanced 
tab) - this person has full access.
Under Delivery Options (Exchange General 
tab) - this person is specified in the grant this permission to: send on behalf 
of
Under Security - this person has full 
control






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

That header change 
occurs on the server and is displayed by clients that understand it 
properly. 

What type of permission 
does the originator have and where is it granted?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegates

Hey Group,

One of our "users" 
reports that when they send a message on behalf of another person, it no longer 
states that in the header. I have checked both the outlook client, Office 
2003 and the Exchange tabs within ADUC. Oh. It is on an Exchange 
2003 server. Anyone have any ideas of what the problem may 
be?

Thanks,
S
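Listing every ACE on a user object that would give a trustee Send As, counting the Full Control case joe describes above as well as the explicit extended right, as an added PowerShell example that is not from the thread. It assumes the RSAT ActiveDirectory module and the AD: drive it provides; the account name is a placeholder. The Send-As right is identified by its well-known GUID ab721a54-1e2f-11d0-9819-00aa0040529b.

```powershell
# Added example: find out who can Send As a given user, including trustees
# who get it as a side effect of Full Control rather than an explicit grant.
#Requires -Modules ActiveDirectory

$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # Send-As extended right (well-known GUID)
$AllGuid    = [guid]'00000000-0000-0000-0000-000000000000'  # ACE applies to all rights, not one object type
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ('AD:\' + $user.DistinguishedName)   # AD: drive comes with the module

    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $how = $null
        # GenericAll is a mask that contains the ExtendedRight bit, so compare the
        # whole mask rather than testing for any overlapping bit.
        if (($rights -band $GenericAll) -eq $GenericAll) {
            $how = 'Full Control (GenericAll)'          # the side effect joe describes
        } elseif ($rights -band $ExtRight) {
            if ($ace.ObjectType -eq $SendAsGuid)  { $how = 'Send-As extended right' }
            elseif ($ace.ObjectType -eq $AllGuid) { $how = 'All extended rights' }
        }
        if ($how) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Access    = $ace.AccessControlType       # a Deny here overrides an Allow
                GrantedBy = $how
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-SendAsAce -SamAccountName 'jdoe' | Format-Table -AutoSize   # 'jdoe' is a placeholder
```

This covers only the Security tab that Steve lists last; the mailbox rights on the Exchange Advanced tab and the send-on-behalf list under Delivery Options are stored elsewhere and need their own check. Inherited Full Control from an OU shows up here with Inherited set, which is usually the grant nobody remembers making.
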


RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Tony Murray
Another option would be to provide a web tool that proxies the group membership 
management.  The account that the tool runs under would have the necessary delegated 
permissions to manage the group membership, but the members of the 
TK_ChangeGroupMembership group would not.  The tool could authenticate the logged in 
user against AD and determine whether the account has membership of the 
TK_ChangeGroupMembership group.  This way you still have the required delegation in 
place, but no danger that nested groups will be created.

Tony
-- Original Message --
From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 28 Oct 2004 10:02:07 -0400

A is definitely the best answer in terms of a guarantee. C is the most fun.
:o)
 
For a quick workaround I would combine B with C. A script that checks groups
for nested groups and then if it finds them cleans them up, then sends a
note to everyone who can change the membership of the group that had the
problem and what group had been nested in it. Basically give enough info so
someone could chase help desk tickets and embarrass someone. Make sure you
catch the managers of the help desk staff as well as possibly the security
group.
 
Note that even with custom taskpads and such, people can manipulate groups
with scripts and command line tools...
 
  joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, October 28, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add use
rs and not to ad d other groups


thanx..
We also thought about option C, but we would than ran out of helpdesk
employees and have to change the group memberships our selves.  ;- (very
bli smile!)  just kidding..

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: donderdag 28 oktober 2004 14:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add users
and not to ad d other groups


a)   third party provisioning tools, Quest/Aelita/Similar
b)   run a scheduled script to strip out groups within groups every
fifteen minutes
c)   publicly beat a helpdesk employee to make an example of them -
oops, don't we do that anymore ? ;)
 
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and
not to ad d other groups
 
Hi Everyone, 
Our situation: 
OU Groups with all security groups 
OU Users with users 
OU Tasks with a taskgroup named TK_ChangeGroupMembership 
Helpdesk accounts are member of the group TK_ChangeGroupMembership 
The group TK_ChangeGroupMembership has been delegated the control to
change group memberships of groups in the OU Groups. With this solution
the helpdesk has the possibility to add a user to a group. OK..., but the
helpdesk also has the possibility to add a group to another group (group
nesting) AND WE DON NOT WANT THAT! So we created a taskpath view so that the
helpdesk only sees the USERS OU. With the last solution the problem still
exists because the helpdesk guys open the properties of a user in the USERS
OU they still have the possibility to resquest the properties of the groups
the users are a member of, and therefore they still can add a group to
another group.
I think I've tried everything, but no solution until now... 
Does any of you know how I could solve this? 
Thanx! 
Met vriendelijke groet / Kind regards, 
Jorge de Almeida Pinto 
Infrastructure Consultant 
__ 
...OLE_Obj... 
LogicaCMG Nederland B.V. (BU SD/AT) 
Division Industry, Distribution and Transport (IDT) 
Kennedyplein 248, 5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED] 
http://www.logicacmg.com/ - Solutions that matter - 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.

RE: [ActiveDir] Delegation of group membership changes to add use rs and not to ad d other groups

2004-10-28 Thread joe
Yep. I considered that as A. I guess it should have been said as Third Party
/ Internally developed provisioning tool. Any time I think of a third party
tool I figure I will see what I could write myself first. Usually you can
write something that is more specific to your environment faster than you
can configure a third party tool with lots of options. But sometimes those
third party people pull off amazing things that just would take too long to
duplicate. :o)  

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 28, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add use
rs and not to ad d other groups

Another option would be to provide a web tool that proxies the group
membership management.  The account that the tool runs under would have the
necessary delegated permissions to manage the group membership, but the
members of the TK_ChangeGroupMembership group would not.  The tool could
authenticate the logged in user against AD and determine whether the account
has membership of the TK_ChangeGroupMembership group.  This way you still
have the required delegation in place, but no danger that nested groups will
be created.

Tony
-- Original Message --
From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 28 Oct 2004 10:02:07 -0400

A is definitely the best answer in terms of a guarantee. C is the most fun.
:o)
 
For a quick workaround I would combine B with C. A script that checks groups
for nested groups and then if it finds them cleans them up, then sends a
note to everyone who can change the membership of the group that had the
problem and what group had been nested in it. Basically give enough info so
someone could chase help desk tickets and embarrass someone. Make sure you
catch the managers of the help desk staff as well as possibly the security
group.
 
Note that even with custom taskpads and such, people can manipulate groups
with scripts and command line tools...
 
  joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, October 28, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add use
rs and not to ad d other groups


thanx..
We also thought about option C, but we would then run out of helpdesk
employees and have to change the group memberships ourselves. ;-) (very
big smile!)  just kidding..

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: donderdag 28 oktober 2004 14:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegation of group membership changes to add users
and not to ad d other groups


a)   third party provisioning tools, Quest/Aelita/Similar
b)   run a scheduled script to strip out groups within groups every
fifteen minutes
c)   publicly beat a helpdesk employee to make an example of them -
oops, don't we do that anymore ? ;)
 
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 28 October 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation of group membership changes to add users and
not to ad d other groups
 
Hi Everyone,
Our situation: 
OU Groups with all security groups
OU Users with users
OU Tasks with a taskgroup named TK_ChangeGroupMembership 
Helpdesk accounts are member of the group TK_ChangeGroupMembership 
The group TK_ChangeGroupMembership has been delegated the control to
change group memberships of groups in the OU Groups. With this solution
the helpdesk has the possibility to add a user to a group. OK..., but the
helpdesk also has the possibility to add a group to another group (group
nesting) AND WE DO NOT WANT THAT! So we created a taskpad view so that the
helpdesk only sees the USERS OU. With the last solution the problem still
exists because when the helpdesk guys open the properties of a user in the USERS
OU they still have the possibility to request the properties of the groups
the users are a member of, and therefore they still can add a group to
another group.
I think I've tried everything, but no solution until now... 
Does any of you know how I could solve this? 
Thanx! 
Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
__
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED] 
http://www.logicacmg.com/ - Solutions that matter - 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may 
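An added example, not code from the thread: the policy gate a proxy tool of the kind Tony describes would apply before using its own delegated right (the helpdesk account itself holds no right on the groups), together with the scheduled nested-group sweep joe describes. It runs against a constructed in-memory directory; a real tool would replace DIRECTORY with LDAP reads and writes made under the tool's service account. OU and group names follow Jorge's post; the domain, user names and DNs are invented.

```python
"""Added example, not from the thread: a membership-change broker plus a
nested-group sweep, run against a constructed in-memory directory."""

from typing import Dict, List, Optional, Tuple

BASE = "DC=example,DC=test"                 # constructed domain
GROUPS_OU = f"OU=Groups,{BASE}"
TASK_GROUP = f"CN=TK_ChangeGroupMembership,OU=Tasks,{BASE}"

# DN -> [objectClass, list of member DNs]; stands in for LDAP search results.
DIRECTORY: Dict[str, list] = {
    TASK_GROUP: ["group", [f"CN=helpdesk1,OU=Users,{BASE}"]],
    f"CN=Finance,OU=Groups,{BASE}": ["group", [f"CN=alice,OU=Users,{BASE}"]],
    f"CN=Printers,OU=Groups,{BASE}": ["group", []],
    f"CN=alice,OU=Users,{BASE}": ["user", []],
    f"CN=bob,OU=Users,{BASE}": ["user", []],
    f"CN=helpdesk1,OU=Users,{BASE}": ["user", []],
}


def _same_dn(a: str, b: str) -> bool:
    """DNs compare case-insensitively (no RFC 4514 unescaping here)."""
    return a.lower() == b.lower()


def _entry(directory: dict, dn: str) -> Optional[list]:
    for key, value in directory.items():
        if _same_dn(key, dn):
            return value
    return None


def in_ou(dn: str, ou: str) -> bool:
    """True when dn's parent container is exactly ou. Real DNs may contain
    escaped commas; a production tool should use a proper DN parser here."""
    rdn, _, parent = dn.partition(",")
    return bool(rdn) and _same_dn(parent, ou)


def request_add_member(directory, requester_dn, group_dn, member_dn) -> Tuple[bool, str]:
    """Broker check: returns (allowed, reason); mutates the directory only on success."""
    task = _entry(directory, TASK_GROUP)
    if task is None or not any(_same_dn(m, requester_dn) for m in task[1]):
        return False, "requester is not in TK_ChangeGroupMembership"
    group = _entry(directory, group_dn)
    if group is None or group[0] != "group" or not in_ou(group_dn, GROUPS_OU):
        return False, "target is not a group in the Groups OU"
    member = _entry(directory, member_dn)
    if member is None:
        return False, "member object does not exist"
    if member[0] != "user":
        # The check native delegation cannot express: the Write Members right
        # lets any object class be added, so the broker refuses all but users.
        return False, f"refusing to nest a {member[0]} object; only users may be added"
    if any(_same_dn(m, member_dn) for m in group[1]):
        return True, "already a member"
    group[1].append(member_dn)
    return True, "added"


def find_nested_groups(directory, ou: str = GROUPS_OU) -> Dict[str, List[str]]:
    """Groups directly under ou that have another group as a direct member."""
    nested = {}
    for dn, (cls, members) in directory.items():
        if cls != "group" or not in_ou(dn, ou):
            continue
        bad = [m for m in members
               if (_entry(directory, m) or ["missing"])[0] == "group"]
        if bad:
            nested[dn] = bad
    return nested


def sweep_nested_groups(directory, ou: str = GROUPS_OU) -> List[str]:
    """Scheduled clean-up: strip nested groups and return one report line per
    removal, naming the container group and what had been nested in it, for
    the notice sent to whoever can change that group's membership."""
    report = []
    for group_dn, bad in find_nested_groups(directory, ou).items():
        entry = _entry(directory, group_dn)
        entry[1] = [m for m in entry[1] if not any(_same_dn(m, b) for b in bad)]
        for b in bad:
            report.append(f"removed nested group {b} from {group_dn}")
    return report


if __name__ == "__main__":
    helpdesk = f"CN=helpdesk1,OU=Users,{BASE}"
    finance = f"CN=Finance,OU=Groups,{BASE}"
    print(request_add_member(DIRECTORY, helpdesk, finance, f"CN=bob,OU=Users,{BASE}"))
    print(request_add_member(DIRECTORY, helpdesk, finance, f"CN=Printers,OU=Groups,{BASE}"))
    # joe's caveat: a script or command-line tool can still nest a group behind
    # the broker's back, which is what the scheduled sweep is for.
    DIRECTORY[finance][1].append(f"CN=Printers,OU=Groups,{BASE}")
    print(sweep_nested_groups(DIRECTORY))
```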

RE: [ActiveDir] Delegates

2004-10-28 Thread Steve Shaff

That would make sense. I thought the permissions may have been the issue. Thanks for confirming that.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates

Ok under the category of duh, sorry. I didn't read the full post...

Under Security - this person has full control

Full Control means a user has all permissions over an object. For some reason MS did the Send As functionality as a permission (instead of an attribute, say, like public delegates), so it isn't possible to query for who can do what, but also you can have side effects. That is... if you have full control over some user object, you have every permission on that user object unless something otherwise denies it. Now I haven't specifically tested if Exchange will treat a FC granted Send As like a normal granted Send As, but I would be willing to bet that it does work that way. 

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates

They could also have FC over the user object directly or through a group... 

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 28, 2004 9:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

Sounds like the user has too many rights, for example the 'Send As' rights along with the send on behalf of. 

Can you verify the behavior with some test accounts and just follow this to grant send on behalf of rights and nothing else? http://support.microsoft.com/?kbid=327000

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delegates

I would have to ask, which permissions? (Since there are several places where the permissions are specified.)

In ADUC

Under mailbox rights (Exchange Advanced tab) - this person has full access.

Under Delivery Options (Exchange General tab) - this person is specified in the grant this permission to: send on behalf of

Under Security - this person has full control

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delegates

That header change occurs on the server and is displayed by clients that understand it properly. 

What type of permission does the originator have and where is it granted?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, October 27, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegates

Hey Group,

One of our users reports that when they send a message on behalf of another person, it no longer states that in the header. I have checked both the outlook client, Office 2003 and the Exchange tabs within ADUC. Oh. It is on an Exchange 2003 server. Anyone have any ideas of what the problem may be?

Thanks,
S
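An added example, not code from the thread: a walk over a user object's DACL in the order Windows evaluates it, to illustrate joe's point that Full Control on a user object carries the Send As extended right (directly or through a group) unless an explicit deny sits in front of it. It simplifies the real access check (no inheritance flags or ownership rules; the trustee's token is passed in as a set of SIDs); the SIDs are constructed and the Send-As GUID is a placeholder, not the schema value.

```python
"""Added example, not from the thread: simplified AD DACL evaluation showing
why Full Control implies the Send As extended right."""

from dataclasses import dataclass
from typing import List, Optional, Set

# Access mask bits as in the .NET ActiveDirectoryRights enumeration.
EXTENDED_RIGHT = 0x100      # ADS_RIGHT_DS_CONTROL_ACCESS ("control access" rights)
GENERIC_ALL = 0xF01FF       # what ADUC shows as Full Control; includes 0x100
SEND_AS = "placeholder-send-as-guid"   # constructed; the real GUID lives in the schema


@dataclass
class Ace:
    trustee: str                        # SID the ACE applies to (constructed here)
    allow: bool                         # False means a deny ACE
    mask: int
    object_type: Optional[str] = None   # None: the ACE covers every right
    inherited: bool = False


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Windows expects: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def has_extended_right(dacl: List[Ace], token: Set[str], right_guid: str) -> bool:
    """The first ACE in canonical order that names one of the token's SIDs and
    speaks to the requested extended right decides; no match means denied."""
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.object_type not in (None, right_guid):
            continue                      # ACE is about some other right
        if not ace.mask & EXTENDED_RIGHT:
            continue                      # ACE says nothing about extended rights
        return ace.allow
    return False


def build_scenario() -> List[Ace]:
    """Constructed DACL for one mailbox user, mirroring Steve's description:
    the delegate is granted Full Control under the Security tab."""
    return [Ace("S-1-5-21-EXAMPLE-delegate", allow=True, mask=GENERIC_ALL)]


if __name__ == "__main__":
    dacl = build_scenario()
    print(has_extended_right(dacl, {"S-1-5-21-EXAMPLE-delegate"}, SEND_AS))   # True
    # One explicit deny of just Send As is enough to take it away again.
    dacl.append(Ace("S-1-5-21-EXAMPLE-delegate", False, EXTENDED_RIGHT, SEND_AS))
    print(has_extended_right(dacl, {"S-1-5-21-EXAMPLE-delegate"}, SEND_AS))   # False
```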








RE: [ActiveDir] Delegation of group membership changes to add use rs and not to ad d other groups

2004-10-28 Thread Lucia Washaya

Return Receipt: your "RE: [ActiveDir] Delegation of group membership changes to add use rs and not to ad d other groups" document was received by Lucia Washaya/UNAMSIL at 28/10/2004 14:28:18 GMT.





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Thanks, but nothing there really seems to help.  It's strange.  When we look 
at the computer account in the domain, it also ends up disabling it.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Check these two sources and see if they answer your questions.
http://www.chicagotech.net/neterrors.htm
http://hidev.com/Technical/neterrors.asp
Todd Myrick
-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD
We've delegated the permission to add computer accounts to our AD environment
to some admins.  They can go into ADUC and add the computer account without 
problem.  However, when they go to the PC to change its domain membership, 
on some PC's they get an error about not enough storage space.  But, some 
PC's work fine.  We cannot determine why this is happening.  Any ideas?


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Suggestions on group deployment

2004-10-28 Thread joe



This is an old post but I didn't see any responses

o I wouldn't recommend ACLing the share, ACL the folder under the share. Just leave the share open for everyone FC and lock down at the folder/file level for less issues in troubleshooting.

o Don't do FC, do CHANGE and READ perms. FC grants people the ability to modify permissions so Admins can't easily see them when they need to. 

o Try to have as few shares shared for multiple users as possible. I.E. Have a home share unique to everyone, but for data that is shared to groups (a project share) consider having one share per server and then the project info is in folders under that share. What that does is reduce the number of drive letters people have to have and remember. 

For instance you could have the following layout

Server
  Share1
    folder
  Share2
    folder
  Share3
    folder
  Share4
    folder

And if someone needed access to folders in Share1,2,3, and 4, they have burned up 4 drive letters. 

I think a better solution is

Server
  Share
    folder1
    folder2
    folder3
    folder4

And then you would have DLGs specific to each folder. SRV-Folder1-R, SRV-Folder1-C, etc 

The biggest downside I can think of here is that if you have access to only folder2, you still see 1,3,4. You don't have that issue in Novell but MS has the issue. That sucks but I have found the benefits outweigh that problem. 

o Try to determine a group strategy and stick to it. Try to stay with as few scopes as possible because group scoping confused the crap out of people. If you pick one or maybe two groups to work with and say this is the way it is people can work within it though it may not be completely flexible it is generally more supportable. I personally like Domain Local Groups because when someone says where does this group have access, it tends to be considerably easier than it is for a universal or global group. It is still a pain, but at least you have a tighter scope of where to look in a multiple domain forest or if you have trusts. At the very least try to keep DLGs focused on resources. I.E. Resource based groups. Role based groups are fun and all but tend to grow in use outside of what they were intended for so when you want to clean up later, it is tougher. If you know a group is specific to a certain folder in a certain share, you know you can clean that up much easier because you simply ask, who needs access to that folder. Though if you do role groups, those will tend to be Uni's or globals. If you use UNIs, understand the limitations and that you have to have GCs available. Some large companies have implemented IgnoreGCFailure because they can't have GCs everywhere and can't have logons failing when a GC can't be found. This means Uni groups may not be in your token. Group caching is sort of an answer but I'll let Dean speak to issues with it if he feels like it. I don't ever recommend using UNI's for denies. It is possible that you not get a Uni in your token. It may not be likely if you get one DC that has IgnoreGCFailures set and you hit it, you may not get it. I actually don't recommend denies at all because they suck and are confusing to the troubleshooting process but definitely don't do uni denies.

o I am not a big fan of nesting groups into resource groups. Why? Because the person who controls access to the resource probably controls the membership of the resource group. If they add another group to that resource group, they may not control membership of that other group and someone could get added that shouldn't have access. 

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, September 07, 2004 7:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Suggestions on group deployment

In an effort to improve file server security and group management as a whole I find myself curious about what other folks do in similar situations.

The environment: 1 File Server, 1 Win2k3 Forest, 3 domains, Exchange 2k

Current config: A bunch of global security groups that are pretty much useless and many, many Universal Distribution Lists. How are permissions assigned to our shares you ask? Domain Users - Full Control, except in those instances where someone said, "hey, that's private, make me a group and remove everyone else's permissions!"

So my current thought is the following:

- Create Domain Local groups on a "per share/per perm" basis, i.e.: sales-share_FC, for the share called "Sales Share" and the access of Full Control, and give that group the proper perms on the share. Those groups would be populated with either users or mail-enabled Universal Security Groups (all UDGs would need to be converted to USGs). The result: The ACLs on all shares will only ever have groups, not users.
- All mail-enabled groups will be mail-enabled Universal Security Groups
- Global groups will be used if (1.) there's no need for this group to contain users from other domains, or 

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
I have seen that with Windows Server 2003 AD if there aren't enough
permissions delegated to the person/group actually doing the join in a
disjointed namespace environment. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Thanks, but nothing there really seems to help.  It's strange.  When we look
at the computer account in the domain, it also ends up disabling it.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Check these two sources and see if they answer your questions.

http://www.chicagotech.net/neterrors.htm

http://hidev.com/Technical/neterrors.asp

Todd Myrick


-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD

We've delegated the permission to add computer accounts to our AD environment
to some admins.  They can go into ADUC and add the computer account without
problem.  However, when they go to the PC to change its domain membership,
on some PC's they get an error about not enough storage space.  But, some
PC's work fine.  We cannot determine why this is happening.  Any ideas?


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Password policies

2004-10-28 Thread joe



Another possible alternative is PSYNCH from MTEC.

http://www.psynch.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 27, 2004 6:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password policies

We had the same needs and went with Passfilt Pro. It is managed via Group Policy and they are coming out with a client side app that will inform the user of the exact policy, not just the generic one MS provides.

http://www.altusnet.com/passfilt/

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

NOTICE: This e-mail is from a law firm, Holland & Knight LLP ("H&K"), and is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else. If you are not an existing client of H&K, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to H&K in reply that you expect it to hold in confidence. If you properly received this e-mail as a client, co-counsel or retained expert of H&K, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Baird
Sent: Wednesday, October 27, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password policies

Does anyone have experience with a password policy product named Password Policy Enforcer made by Anixis? http://www.anixis.com/default.htm

If not, does anyone have a recommendation? We want to enforce complex passwords, but we only want the users to have to meet two of the four complexity requirements. 

Joe
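An added example, not from the thread or from any of the products named in it: the "k of n character classes" rule Joe asks about, written as policy logic so the wanted 2-of-4 variant can be compared with a stricter setting, together with the account-name check Windows also performs. A real enforcement point would be a password filter DLL on the domain controllers; the minimum length of 8 is this example's own choice and the sample passwords are constructed.

```python
"""Added example, not from the thread: a configurable "k of n classes"
password complexity rule with the Windows-style account-name check."""

import re
from typing import List, Tuple

# The four classes Joe refers to. Windows' built-in rule additionally counts
# other Unicode letters as a fifth class and requires three of the five.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def classes_present(password: str) -> List[str]:
    """Names of the character classes the password draws from."""
    return [name for name, rx in CLASSES.items() if rx.search(password)]


def contains_account_name(password: str, sam_account: str, display_name: str) -> bool:
    """Windows rejects a password containing the sAMAccountName or any token of
    the display name longer than two characters (case-insensitive). Tokens are
    split on the delimiters Windows uses: space , . - _ # and tab."""
    hay = password.lower()
    if len(sam_account) > 2 and sam_account.lower() in hay:
        return True
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) > 2 and token.lower() in hay:
            return True
    return False


def meets_policy(password: str, sam_account: str, display_name: str,
                 required: int = 2, min_length: int = 8) -> Tuple[bool, str]:
    """required=2 is the relaxed rule Joe wants; required=3 approximates the
    default Windows rule over these four classes. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if contains_account_name(password, sam_account, display_name):
        return False, "contains the account name or part of the display name"
    found = classes_present(password)
    if len(found) < required:
        return False, f"only {len(found)} of {len(CLASSES)} classes present, need {required}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: passes 2-of-4, fails 3-of-4.
    print(meets_policy("summer2004", "jbaird", "Joe Baird", required=2))
    print(meets_policy("summer2004", "jbaird", "Joe Baird", required=3))
```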


Re: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Mark Orlando
Figures.
On Oct 27, 2004, at 7:57 PM, Za Vue wrote:
Just wanted to mention that someone has already found a way to get 
around
Microsoft's pop-up blockers.

-Z.V.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
Contr InDyne/Enterprise IT
Sent: Wednesday, October 27, 2004 6:48 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide
The pop-up blocker in WinXP SP2 works like a champ for me.
It blocks the automated pop-ups, but will still open a new window if I
click on a link.

David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: Wednesday, October 27, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide
But does it really work?
On Oct 27, 2004, at 3:08 PM, Salandra, Justin A. wrote:
Windows XP SP 2 installs in IE 6 a pop-up blocker.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: Wednesday, October 27, 2004 2:59 PM
To: Active Directory Mailing List
Subject: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide
What are all of the hard core administrators out there doing about
the pop-ups and spyware?  I need a good enterprise wide solution.
Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/


Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Changing domain case?

2004-10-28 Thread joe



I doubt anyone has really played with it. I expect from the 
example below it would possibly be dnsRoot that would be the culprit. I just 
changed the case of it on one of my test domains and it allowed it. Don't know 
if I broke anything, but ADUC still shows the old version of the name. Could be 
I need to reboot my DCs as that info may be cached which I don't have time for 
at the moment. I wouldn't worry about the dNSHostName on the server objects. 


I would say no matter what anyone says here, go into your 
lab and do it once and see if it works. If it does, do it again 2 more times to 
make sure. 

I had this same issue at one company. It was caused by the person doing the initial DCPROMO to upgrade the domain typing the name in in CAPS. I did the initial promo for all domains except this one and his last name interestingly enough was Capps. :o) It was annoying to look at but certainly didn't cause issues. Nothing was case sensitive concerning it except people looking at it.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?





I've found a few places in adsiedit where CHILD4 domain name is in caps, where it wasn't in the others:

CN=Configuration,DC=domain,DC=com
  CN=Partitions
    (right-click domain name + properties)
      dnsRoot
      nCName

  CN=Sites
    CN=Site Name
      CN=Server Name
        (right-click server name + properties)
          dnsHostName

What are the repercussions in changing it here?

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing domain case?

I honestly don't know of a way to change that safely. My understanding is that the display you see is the DN of that domain which is owned by the system. 

I'd be interested to hear if you find a way outside of domain rename though.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?
Mainly just the look. I'm trying to maintain structure here. Right now, my AD structure looks like this:

- domain.com
  + child1.domain.com
  + child2.domain.com
  + child3.domain.com
  + CHILD4.DOMAIN.COM
  + child5.domain.com
  + child6.domain.com

I need CHILD4.DOMAIN.COM to be child4.domain.com

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 1:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing domain case?

Devon, can you help me understand what the reasoning is for doing this? Are you just wanting to make it look a certain way to the admins? Or are there technical issues that this causes? 

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?
Isn't there some sort of vb script that could do this just as the fixdomainsuffix.vbs script?
http://support.microsoft.com/kb/257623/EN-US/ 

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, October 27, 2004 10:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

As far as I can remember This isn't possible under 2000 as it's basically the same as a domain name change.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: 27 October 2004 15:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

Anyone?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, October 26, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing domain case?

For some reason, someone in our org. 
upgraded an NT4 domain to a Windows 2000 child domain and used Capital Letters 
in the fully qualified domain name. All our other domain names are lower 
case. How can I change this domain to lower case to match the 
others?

-Devon

__
This 
message and any attachments are solely for the intended recipient and may 
contain confidential or privileged information. If you are not the intended 
recipient, any disclosure, copying, use or distribution of the information 
included in the message and any attachments is prohibited. If you have received 
this communication in error, please notify us by reply e-mail and immediately 
and permanently delete this message and any attachments. Thank You. 

RE: [ActiveDir] Contract rates

2004-10-28 Thread joe



I would say it depends on what you can get out of the 
customer that you are willing to do the work for. 

More importantly, do they have a complete AD design and you 
are just pointing and clicking? Do you have to come up with the whole design? Do 
you have to come up with the requirements? DR planning? Delegation planning? etc 
etc etc If you think you don't need any of those, you probably shouldn't be 
doing it.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Lee
Sent: Wednesday, October 27, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Contract rates

This may be an odd question, but here goes. What is the current hourly contract rate to install a 3 DC active directory domain for approx 300 users across 3 different T1 subnets. There is no domain in place as yet, all client machines are in Workgroup. Thanks

David D. Lee
Computer Resource Specialist II
Office of Undergraduate Admissions
[EMAIL PROTECTED]
2-6417 


[ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They are all 
windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and Outlook 
for email.

Is this an ok config for ADSL? Or in general?
can they just use the XP vpn client to hit the RRAS server and then log into the 
domain?
Should I get a faster link?


thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Robert Rutherford
The MS popup blocker is not a bad free tool for the smaller guy, but as
Z.V. says it's a big target and they will always find ways around it.

If you are an Enterprise and cash is not too much of an issue then you
could look at something like WebSense Enterprise. This works on a number
of fronts - popup blocking client, blocking the dodgy websites, etc.

BR

Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: 28 October 2004 17:02
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

Figures.

On Oct 27, 2004, at 7:57 PM, Za Vue wrote:

 Just wanted to mention that someone has already found a way to get 
 around
 Microsoft's pop-up blockers.

 -Z.V.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
 Contr InDyne/Enterprise IT
 Sent: Wednesday, October 27, 2004 6:48 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

 The pop-up blocker in WinXP SP2 works like a champ for me.
 It blocks the automated pop-ups, but will still open a new window if I
 click on a link.

 
 David J. Perdue
 MCSE 2000, MCSE NT, MCSA, MCP+I
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
 Sent: Wednesday, October 27, 2004 12:59 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

 But does it really work?

 On Oct 27, 2004, at 3:08 PM, Salandra, Justin A. wrote:

 Windows XP SP 2 installs in IE 6 a pop-up blocker.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
 Sent: Wednesday, October 27, 2004 2:59 PM
 To: Active Directory Mailing List
 Subject: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

 What are all of the hard core administrators out there doing about
 the pop-ups and spyware?  I need a good enterprise wide solution.

 Mark Orlando
 Systems Administrator
 I.T. Department
 Linden Public Schools



 Mark Orlando
 Systems Administrator
 I.T. Department
 Linden Public Schools





Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here are the 
permissions we have assigned.  Any clue as to what critical permission could 
be missing?

This object and all child objects:
Create Computer Objects
Computer Objects:
List Contents
Read All Properties
Write All Properties
Read Permissions
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
I have seen that with Windows Server 2003 AD if there aren't enough 
permissions delegated to the person/group actually doing the join in a 
disjointed namespace environment.

 joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Thanks, but nothing there really seems to help.  It's strange.  When we look 
at the computer account in the domain, it also ends up disabling it.

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD
We've delegated the permission to add computer accounts to our AD environment
to some admins.  They can go into ADUC and add the computer account without 
problem.  However, when they go to the PC to change its domain membership, 
on some PCs they get an error about not enough storage space.  But, some 
PCs work fine.  We cannot determine why this is happening.  Any ideas?


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Changing domain case?

2004-10-28 Thread Harding, Devon

This is EXACTLY what happened. Someone did a dcpromo and typed the domain in all CAPS.

I'm gonna try this on a test domain and see what happens.

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 12:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

I doubt anyone has really played with it. I expect from the example below it would possibly be dnsRoot that would be the culprit. I just changed the case of it on one of my test domains and it allowed it. Don't know if I broke anything, but ADUC still shows the old version of the name. Could be I need to reboot my DCs as that info may be cached which I don't have time for at the moment. I wouldn't worry about the dNSHostName on the server objects.

I would say no matter what anyone says here, go into your lab and do it once and see if it works. If it does, do it again 2 more times to make sure.

I had this same issue at one company. It was caused by the person doing the initial DCPROMO to upgrade the domain typing the name in CAPS. I did the initial promo for all domains except this one and his last name interestingly enough was Capps. :o) It was annoying to look at but certainly didn't cause issues. Nothing was case sensitive concerning it except people looking at it.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

I've found a few places in adsiedit where CHILD4 domain name is in caps, where it wasn't in the others:

CN=Configuration,DC=domain,DC=com
  CN=Partitions
    (right-click domain name + properties)
      dnsRoot & nCName

  CN=Sites
    CN=Site Name
      CN=Server Name
        (right-click server name + properties)
          dnsHostName

What are the repercussions in changing it here?

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing domain case?

I honestly don't know of a way to change that safely. My understanding is that the display you see is the DN of that domain which is owned by the system.

I'd be interested to hear if you find a way outside of domain rename though.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

Mainly just the look. I'm trying to maintain structure here. Right now, my AD structure looks like this:

- domain.com
  + child1.domain.com
  + child2.domain.com
  + child3.domain.com
  + CHILD4.DOMAIN.COM
  + child5.domain.com
  + child6.domain.com

I need CHILD4.DOMAIN.COM to be child4.domain.com

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 27, 2004 1:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing domain case?

Devon, can you help me understand what the reasoning is for doing this? Are you just wanting to make it look a certain way to the admins? Or are there technical issues that this causes?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 27, 2004 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

Isn't there some sort of vb script that could do this just as the fixdomainsuffix.vbs script?

http://support.microsoft.com/kb/257623/EN-US/

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, October 27, 2004 10:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

As far as I can remember this isn't possible under 2000 as it's basically the same as a domain name change.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: 27 October 2004 15:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing domain case?

Anyone?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, October 26, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing domain case?

For some reason, someone in our org. upgraded an NT4 domain to a Windows 2000 child domain and used Capital Letters in the fully qualified domain name. All our other 


[ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Digitally sign communications

Or

Digitally encrypt secure channel data

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Which is better

2004-10-28 Thread Joe Pochedley
Depends on what your objective is?

Digital signing ensures that the hosts who are communicating are really
who they claim to be.  It doesn't keep anyone in the middle from
intercepting and reading the communications however.

Encryption makes it much more difficult to decipher the packets as they
fly around the network...  Encryption doesn't keep a malicious host from
spoofing a known good host though...

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 28, 2004 2:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Which is better

Digitally sign communications

Or

Digitally encrypt secure channel data

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Which is better

2004-10-28 Thread Brian Desmond
Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been 
tampered with. Digitally encrypt ensures that nobody in between can read the contents 
of the packet. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
Hi, I tried googling and posting this error on the exchange mailing list, but no luck, 
so I'm posting here. My apologies in advance.

I'm running win2ksp4 AD in mixed mode with Exchange2k sp3.
Lately I've been getting event id 1033 logged constantly on my exchange server from 
metabase update. It goes like this:

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot be found. 
SMTP virtual servers and HTTP-DAV virtual servers and virtual directories will not 
work properly. 
I'm also experiencing an email latency of about 2-3hrs.

I have a default policy and I ran a rebuild on it and still I get this error.

Any insight would be great.
Thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
Do you have a disjoint namespace?

When they create the objects, what do they specify for who can join?  



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here are the
permissions we have assigned.  Any clue as to what critical permission could
be missing?

This object and all child objects:
Create Computer Objects

Computer Objects:
List Contents
Read All Properties
Write All Properties
Read Permissions

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

I have seen that with Windows Server 2003 AD if there aren't enough
permissions delegated to the person/group actually doing the join in a
disjointed namespace environment.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Thanks, but nothing there really seems to help.  It's strange.  When we look
at the computer account in the domain, it also ends up disabling it.

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD

We've delegated the permission to add computer accounts to our AD environment
to some admins.  They can go into ADUC and add the computer account without
problem.  However, when they go to the PC to change its domain membership,
on some PCs they get an error about not enough storage space.  But, some
PCs work fine.  We cannot determine why this is happening.  Any ideas?


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ad partition rights

2004-10-28 Thread joe

Another old post with no response.

Permissions in AD are a great big "it depends". It depends on schema mods. It depends on what has been applied. It depends on what DCs you work against. For instance... Anything that leverages a built in account will find different Admins of different domains having different rights on different DCs of different domains. Confused? Say you have an ACE that says BUILTIN\Administrators has DELETE CHILD (any) at the root of the config container. This would mean a domain admin of domainA could go to any domainA DC and attach to the config container and delete any object. However if they attached to a domainB DC they wouldn't be able to unless there was an ACE for DomainA\Domain Admins or DomainA\Domain Admins has been added to DomainB\Administrators. I know there are some fun examples of this in DNS partitions. 

For your specific question on deleting DCs server objects 
from sites and services... You should find any DCs Server objects defined will 
have the Domain they are a member of Domain Admins Group has FC on the object 
and subobjects. 

Basically yes you need to look at the various containers 
and OUs and see what is there. Looking at the perms on the schema objects will 
show you what they will have by default when instantiated which is handy to know 
as well since it overrides anything inherited.

Don't apologize for this question. Permissions are not so much as basic but CORE. The sad thing is I haven't met a lot of people who are really good with them. They are relatively complex and otherwise very bright admins will open glaring holes in AD because of not truly understanding permissioning and what they have delegated. The best practices with any ACLs (whether on AD, files, or any securable object) are to keep a minimal set of ACEs in them, keep them simple, don't use DENY, properly order ACEs and don't do funny things with ordering, etc. Of course some of us use Exchange and that is just one best practice that tends to go down the drain to make that a go... 

Microsoft had a great chance of making ACLing in AD really 
cool with property sets but they stopped a bit short of the goal. I'm sure there 
are some technical difficulties in there but if there weren't technical 
difficulties everywhere around what they do everyone would be doing it and they 
wouldn't be so special. :o)


 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ad partition rights


Ok, I've always been confused on this issue-
It is my understanding that a domain admin only has rights on the domain naming context of his/her domain in AD and not the config or schema contexts.

If this is so, how can I delete a dc thru AD sites and Services or ntdsutil?
Isn't this in the config partition?

Is there a good document that specifies all the rights a domain admin has to ad as opposed to say, an enterprise admin? Or do I need to parse thru the SDDL in the Schema to find this?

Thanks. I know this is basic, so my apologies to the group.
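
To make joe's two points above concrete (the same ACE resolving differently depending on which DC you bind to, and why ACE ordering matters), here is an added Python model of the Windows access check. It is written for this page and is not code from the list, from joe, or from Microsoft. The DC-to-local-group mapping, the ACL on the config container, and the account and group names are all constructed for the demonstration; the evaluation order itself (walk ACEs in order, a matching deny on a still-outstanding right fails the check, allows strip rights until none remain) is the standard one.

```python
from dataclasses import dataclass

DELETE_CHILD = "DELETE_CHILD"  # the right joe uses in his example


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # group or user the ACE applies to
    rights: frozenset  # rights granted or denied


# Constructed: which domain groups each DC has nested into its local
# BUILTIN\Administrators. This is the per-DC part of joe's example: the
# same ACE resolves differently depending on which DC you bind to.
DC_BUILTIN_ADMINS = {
    "dc1.domainA": frozenset({"DomainA\\Domain Admins"}),
    "dc1.domainB": frozenset({"DomainB\\Domain Admins"}),
}

# Constructed ACL on the root of the config container: a single ACE
# granting DELETE CHILD to BUILTIN\Administrators, as in joe's example.
CONFIG_ACL = [Ace("allow", "BUILTIN\\Administrators", frozenset({DELETE_CHILD}))]


def build_token(user, groups, dc, builtin_admins=DC_BUILTIN_ADMINS):
    """Access token for `user` when bound to `dc`: the user, its domain groups,
    and BUILTIN\\Administrators only if one of those groups is nested into
    that DC's local Administrators group."""
    token = {user} | set(groups)
    if token & builtin_admins[dc]:
        token.add("BUILTIN\\Administrators")
    return frozenset(token)


def access_check(acl, token, requested):
    """Windows-style ACL walk: ACEs are evaluated in order. A deny ACE that
    matches the token and any still-outstanding right fails the check; an
    allow ACE removes the rights it grants; the check succeeds as soon as
    nothing is outstanding."""
    outstanding = set(requested)
    for ace in acl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & outstanding:
            return False
        if ace.kind == "allow":
            outstanding -= ace.rights
            if not outstanding:
                return True
    return not outstanding


def can_delete_config_child(user, groups, dc, builtin_admins=DC_BUILTIN_ADMINS):
    token = build_token(user, groups, dc, builtin_admins)
    return access_check(CONFIG_ACL, token, {DELETE_CHILD})


def nest_into_local_admins(builtin_admins, dc, group):
    """Return a new mapping in which `group` has been added to `dc`'s local
    Administrators (joe's fix: DomainA\\Domain Admins into DomainB\\Administrators)."""
    updated = dict(builtin_admins)
    updated[dc] = builtin_admins[dc] | {group}
    return updated


def ordering_demo(user="DomainA\\bob",
                  groups=frozenset({"DomainA\\Domain Admins", "DomainA\\Helpdesk"})):
    """Same two ACEs, two orders. Canonical order (deny before allow) blocks
    bob; the non-canonical order lets the allow satisfy the request before
    the deny is ever looked at."""
    deny = Ace("deny", "DomainA\\Helpdesk", frozenset({DELETE_CHILD}))
    allow = Ace("allow", "DomainA\\Domain Admins", frozenset({DELETE_CHILD}))
    token = build_token(user, groups, "dc1.domainA")
    canonical = access_check([deny, allow], token, {DELETE_CHILD})
    misordered = access_check([allow, deny], token, {DELETE_CHILD})
    return canonical, misordered


if __name__ == "__main__":
    alice, alice_groups = "DomainA\\alice", {"DomainA\\Domain Admins"}
    print("alice on domainA DC:", can_delete_config_child(alice, alice_groups, "dc1.domainA"))
    print("alice on domainB DC:", can_delete_config_child(alice, alice_groups, "dc1.domainB"))
    fixed = nest_into_local_admins(DC_BUILTIN_ADMINS, "dc1.domainB", "DomainA\\Domain Admins")
    print("alice on domainB DC after nesting:",
          can_delete_config_child(alice, alice_groups, "dc1.domainB", fixed))
    print("deny-first vs allow-first:", ordering_demo())
```

Running it shows alice (a DomainA domain admin) passing the check on the domainA DC and failing on the domainB DC until her group is nested into that DC's local Administrators, and `ordering_demo()` returning `(False, True)`: the deny only wins when it sits ahead of the allow, which is why joe warns against doing funny things with ordering.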


RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
No. That's why I emailed here.
Thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the exchange mailing
list, but no luck, so I'm posting here. My apologies in advance.

I'm running win2ksp4 AD in mixed mode with Exchange2k sp3.
Lately I've been getting event id 1033 logged constantly on my exchange
server from metabase update. It goes like this:

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing an email latency of about 2-3hrs.

I have a default policy and I ran a rebuild on it and still I get this
error.

Any insight would be great.
Thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
So at this point your permissions are properly set and the DC is responding
as quickly as it needs to for the requests.  

Are you getting any entries on the DC's during the MU attempt? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No. That's why I emailed here.
Thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the exchange mailing
list, but no luck, so I'm posting here. My apologies in advance.

I'm running win2ksp4 AD in mixed mode with Exchange2k sp3.
Lately I've been getting event id 1033 logged constantly on my exchange
server from metabase update. It goes like this:

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing an email latency of about 2-3hrs.

I have a default policy and I ran a rebuild on it and still I get this
error.

Any insight would be great.
Thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Running DCs in Virtual Server 2005 - whitepaper

2004-10-28 Thread Grillenmeier, Guido

FYI - interesting Whitepaper:
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

this is the first step to "branch office DC" running on a multi-purpose 
server: "With strict adherence to requirements described in this paper, 
domain controller virtual machines can also be used in production."

so now it will be supported even prior to Longhorn ;-)

/Guido


RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Actually, we don't have a disjointed namespace.  They are specifying a group 
to which their userid is a member.  Then, they go to the PC to change its 
domain.

From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Date: Thu, 28 Oct 2004 15:15:07 -0400
Do you have a disjoint namespace?
When they create the objects, what do they specify for who can join?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here are the
permissions we have assigned.  Any clue as to what critical permission could
be missing?

This object and all child objects:
Create Computer Objects
Computer Objects:
List Contents
Read All Properties
Write All Properties
Read Permissions
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
I have seen that with Windows Server 2003 AD if there aren't enough
permissions delegated to the person/group actually doing the join in a
disjointed namespace environment.
  joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Thanks, but nothing there really seems to help.  It's strange.  When we look
at the computer account in the domain, it also ends up disabling it.

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD
We've delegated the permission to add computer accounts to our AD environment
to some admins.  They can go into ADUC and add the computer account without
problem.  However, when they go to the PC to change its domain membership,
on some PCs they get an error about not enough storage space.  But, some
PCs work fine.  We cannot determine why this is happening.  Any ideas?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
An ADSL line should easily cover this amount of users. I have run remote sites of 15 
odd users on ADSL running in a normal WAN capacity (without TS). I have also run ADSL 
with 10+ users and TS with no real problems.
 
You must of course take into account that ADSL lines don't typically come with any sort 
of SLA. I would advise backup lines of some sort, either DSL from another provider or 
ISDN backups. I've used it without but just be prepared.
 
I personally wouldn't use Windows VPN for such an exercise. It will however work. I 
would use some sort of VPN device. I have used Draytek boxes which are a good choice 
for such a setup. They only cost a couple of hundred dollars a piece and will plug 
straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.
 
BR
 
Rob



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link



I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They are all 
windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and Outlook 
for email.

Is this an ok config for ADSL? Or in general?
Can they just use the XP vpn client to hit the RRAS server and then log into the 
domain?
Should I get a faster link?


thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Running DCs in Virtual Server 2005 - whitepaper

2004-10-28 Thread joe

I was chatting with ~Eric about this doc last night, if anyone finds any issues with it, pop them on the list here so we can get it all fed back up the chain.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, October 28, 2004 3:55 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Running DCs in Virtual Server 2005 - whitepaper


FYI - interesting Whitepaper:
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

this is the first step to "branch office DC" running on a multi-purpose 
server: "With strict adherence to requirements described in this paper, 
domain controller virtual machines can also be used in production."

so now it will be supported even prior to Longhorn ;-)

/Guido


RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
You also have to look at what each method doesn't do.

1. Digital signature
Proves the message was sent by you
Allows anyone to read the message

2. Digital envelope
Only the desired recipient can read the message
Doesn't prove the message was from you

A truly secure transfer requires both techniques to be used but sometimes one step is 
all you need.

A digital signature is similar to having your signature notarized on a loan 
application. Also, when you download a new device driver it could be digitally signed 
so you can be sure that you are actually getting a driver from your hardware vendor, 
not a hacker. However the message is now the equivalent of a postcard or a billboard 
by the side of the road.

If you are placing a message into a portable storage media (floppy, usb key, portable 
hard disk, etc) that a courier is going to hand carry to the recipient then the 
digital envelope would keep the courier from looking at the contents of the message. 
If the courier switched your message with another one, you couldn't know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been 
tampered with. Digitally encrypt ensures that nobody in between can read the contents 
of the packet. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
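
The three replies above (Joe Pochedley, Brian Desmond, Larry Passo) describe the same split between signing and encrypting in words; here is an added Python example that puts the three cases side by side so the difference can be seen on actual bytes. It is my illustration, not code from any of the posters or from Windows: a keyed MAC (HMAC-SHA256) stands in for the signing, and a toy SHA-256 keystream XOR stands in for whatever cipher the real secure channel uses, chosen so the block runs on the standard library alone. The keys, nonce and message are constructed for the demo.

```python
import hashlib
import hmac

# Constructed keys and payload for the demo (assumption: stand-ins for the
# session keys a real secure channel derives; not taken from any real system).
SIGN_KEY = b"constructed-signing-key"
ENC_KEY = b"constructed-encryption-key"
MESSAGE = b"password reset for alice"   # constructed sample payload
NONCE = b"\x00" * 8                     # fixed nonce, fine for a one-shot demo


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter), concatenated.
    A stand-in for a real stream/CTR-mode cipher. It has the property that
    matters here: plaintext is XORed with it, so flipping one ciphertext bit
    flips exactly that plaintext bit and nothing else."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def sign(key, data):
    """Digital signing modelled as a keyed MAC over the bytes sent."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key, data, tag):
    return hmac.compare_digest(sign(key, data), tag)


def tamper(data, index=0):
    """Model an on-path change: flip the low bit of one byte."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def sign_only(message=MESSAGE):
    """Signing: the receiver detects any change and knows who sent it, but the
    payload travels in the clear (Larry's postcard)."""
    wire, tag = message, sign(SIGN_KEY, message)
    return {
        "readable_on_wire": message in wire,
        "genuine_accepted": verify(SIGN_KEY, wire, tag),
        "tamper_detected": not verify(SIGN_KEY, tamper(wire), tag),
    }


def encrypt_only(message=MESSAGE, nonce=NONCE):
    """Encryption: payload hidden, but the receiver cannot tell a modified
    ciphertext from a genuine one; it simply decrypts to different bytes
    (Larry's courier swapping the message)."""
    wire = encrypt(ENC_KEY, nonce, message)
    received = decrypt(ENC_KEY, nonce, tamper(wire))
    return {
        "readable_on_wire": message in wire,
        "altered_plaintext_undetected": received != message,
    }


def sign_and_encrypt(message=MESSAGE, nonce=NONCE):
    """Both: encrypt, then MAC over nonce and ciphertext (encrypt-then-MAC,
    my choice of composition), so the receiver verifies before decrypting."""
    wire = encrypt(ENC_KEY, nonce, message)
    tag = sign(SIGN_KEY, nonce + wire)
    genuine = verify(SIGN_KEY, nonce + wire, tag) and decrypt(ENC_KEY, nonce, wire) == message
    return {
        "readable_on_wire": message in wire,
        "genuine_accepted": genuine,
        "tamper_detected": not verify(SIGN_KEY, nonce + tamper(wire), tag),
    }


if __name__ == "__main__":
    print("sign only:       ", sign_only())
    print("encrypt only:    ", encrypt_only())
    print("sign and encrypt:", sign_and_encrypt())
```

The three result dictionaries are the point: signing alone reports the payload readable on the wire but every change detected; encryption alone hides the payload yet hands the receiver an altered plaintext with nothing to flag it; only the combination reports both hidden and tamper-detected, which is Larry's "a truly secure transfer requires both".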


RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.

Take a look at Fortinet's device called Fortigate. I use it and it is great for a VPN connection over DSL lines!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

An ADSL line should easily cover this amount of users. I have run remote sites of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run ADSL with 10+ users and TS with no real problems.

You must of course take into account that ADSL lines don't typically come with any sort of SLA. I would advise backup lines of some sort, either DSL from another provider or ISDN backups. I've used it without but just be prepared.

I personally wouldn't use Windows VPN for such an exercise. It will however work. I would use some sort of VPN device. I have used Draytek boxes which are a good choice for such a setup. They only cost a couple of hundred dollars a piece and will plug straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.

BR

Rob

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link

I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They are
all windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and
Outlook for email.

Is this an ok config for ADSL? Or in general?
can they just use the XP vpn client to hit the RRAS server and then log into
the domain?
Should i get a faster link?


thanks
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===

Scanned for virus infection by Messagelabs
===










RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
No entries on any DC.
That's why this error is driving me nuts.
Every DC is fine with no errors. On Exchange, that is the only error logged.
But it's gotta be affecting mail. It doesn't sound good.

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


So at this point your permissions are properly set and the DC is responding
as quickly as it needs to for the requests.  

Are you getting any entries on the DC's during the MU attempt? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No. That's why I emailed here.
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the Exchange mailing list, but no luck, so I'm posting here. My apologies in advance.

I'm running Win2K SP4 AD in mixed mode with Exchange 2000 SP3.
Lately I've been getting event ID 1033 logged constantly on my Exchange server from metabase update. It goes like this:

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing an email latency of about 2-3 hrs.

I have a default policy and I ran a rebuild on it and still I get this error.

Any insight would be great.
thanks



[ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Digitally sign communications

Or

Digitally encrypt secure channel data

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
Title: [ActiveDir] Remote DSL link



the 
site doesn't want to spend any money and they have no local IT support. we are 
in NYC and they are in Folrida.we use a cisco vpn concentrator but that 
would involve installing client sw and since XP already has it built in, I 
figured this would be the easiest route for the price and end user involvement 
and it intergrates with AD logons(I know the cisco does as well, but 
again,i gotta give and install the sw remotely).

Thanks

  -Original Message-From: Robert Rutherford 
  [mailto:[EMAIL PROTECTED]On Behalf Of Robert 
  RutherfordSent: Thursday, October 28, 2004 3:57 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote DSL 
  link
  
  An ADSL line should easily 
  cover this amount of users. I have run remote sites of 15 odd users on ADSL 
  running in a normal WAN capacity (without TS). I have also run ADSL with 10+ 
  users and TS with no real problems.
  
  You must of course take into account that 
  ADSL lines dont typically come with any sort of SLA. I would advise backup 
  lines of some sort, either DSL from another provider or ISDN backups. Ive used 
  it without but just be prepared
  
  I personally wouldnt use Windows VPN for 
  such an exercise. It willhowever work.I would use some sort of VPN 
  device. I have used Draytek boxes which are good choice for such a 
  setup. They only cost a couple of hundred dollars a piece and will plug 
  straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN 
  clients.
  
  BR
  
  Rob
  
  
  From: [EMAIL PROTECTED] on 
  behalf of Kern, TomSent: Thu 28/10/2004 17:31To: 
  ActiveDir (E-mail)Subject: [ActiveDir] Remote DSL 
  link
  
  I have 10 users in a remote site.We want to connect them 
  to our domain via a dsl link and Windows RRAS. They are all windows XP sp1 
  clients.Typically they use Termservices in APP mode to access Quick 
  Books server and Outlook for email.Is this an ok config for ADSL? Or 
  in general?can they just use the XP vpn client to hit the RRAS server and 
  then log into the domain?Should i get a faster 
  link?thanksList info : http://www.activedir.org/mail_list.htmList 
  FAQ : http://www.activedir.org/list_faq.htmList 
  archive: http://www.mail-archive.com/activedir%40mail.activedir.org/=== 
  Scanned for virus infection by 
  Messagelabs===


[ActiveDir] Only show policy settings that can be fully managed

2004-10-28 Thread support
Hi All,

Since moving to XP I get really peeved that whenever I edit a Policy that has non-Policy settings in the Administrative Template area I must go to View/Filtering and unclick "Only show policy settings that can be fully managed".

I found a Policy under System/Group Policy to "Enforce show Policies Only", but that is the opposite of what I want.

Is there a registry setting to make it behave like Windows 2000 so that it remembers the setting between sessions?

Alternatively a policy which says "Enforce show All Policies"?

Alan Cuthbertson






RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
The indication is that it's either a permissions or performance error.  I
don't know your environment, so I have to ask.  Is audit logging enabled for
the security events?

Also, any particular reason you're running in mixed mode AD vs. Native for
the Exchange domain?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No entries on any DC.
That's why this error is driving me nuts.
Every DC is fine with no errors. On Exchange, that is the only error logged.
But it's gotta be affecting mail. It doesn't sound good.

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


So at this point your permissions are properly set and the DC is responding
as quickly as it needs to for the requests.  

Are you getting any entries on the DC's during the MU attempt? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No. That's why I emailed here.
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the Exchange mailing list, but no luck, so I'm posting here. My apologies in advance.

I'm running Win2K SP4 AD in mixed mode with Exchange 2000 SP3.
Lately I've been getting event ID 1033 logged constantly on my Exchange server from metabase update. It goes like this:

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing an email latency of about 2-3 hrs.

I have a default policy and I ran a rebuild on it and still I get this error.

Any insight would be great.
thanks




RE: [ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Ok, and from what I can figure, both utilize AD Kerberos to sign or encrypt the data 
right?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, October 28, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

You also have to look at what each method doesn't do.

1. Digital signature
Proves the message was sent by you
Allows anyone to read the message

2. Digital envelope
Only the desired recipient can read the message
Doesn't prove the message was from you

A truly secure transfer requires both techniques to be used but sometimes one step is 
all you need.

A digital signature is similar to having your signature notarized on a loan 
application. Also, when you download a new device driver it could be digitally signed 
so you can be sure that you are actually getting a driver from your hardware vendor, 
not a hacker. However the message is now the equivalent of a postcard or a billboard 
by the side of the road.

If you are placing a message into a portable storage media (floppy, usb key, portable 
hard disk, etc) that a courier is going to hand carry to the recipient then the 
digital envelope would keep the courier from looking at the contents of the message. 
If the courier switched your message with another one, you couldn't know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been 
tampered with. Digitally encrypt ensures that nobody in between can read the contents 
of the packet. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 


RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joe
> Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules engine for trying different things (like 16 byte binary is probably a guid, etc.).

Hmm, which class is that - domainTrust? Not familiar with it. Does adfind work correctly with it?

I used to hard code it but maintaining the table was a pain in the arse, I fixed that in December 2002 (V1.09.00). Now I pull part of the schema up front when adfind runs and pull out GUIDs, SIDs, SDs, and other binary data so I can figure out how I want it displayed. You should notice anything it can identify as a GUID displayed in the pretty {xxx-xxx-xxx-xxx-xxx} format, SIDs should be displayed in their format S-1-5-xx--xx-xxx, SDs will get displayed as {Security Descriptor} unless the option to display the SDDL is turned on, and binary should be displayed as a hex dump broken up into 4 bytes (if I recall correctly) a chunk.

Anyway, I look at the attribute syntax first. If it is 2.5.5.17, it is a SID. If it is 2.5.5.15 it is an SD. If it is 2.5.5.10 and range upper and lower are 16 it is probably a GUID.

Don't tell anyone how I do it. It is an ancient joeware trick that I busted my bum trying to figure out because it was not well documented... We'll just keep it a secret between all of us. I figured I would put it in a book some day. So consider this email copyrighted. :)

Oh yeah, I realized that sometimes I wouldn't want that overhead so the -dloid option is available that tells it not to load the schema first and then it falls back to a small hardcoded list.

  joe

Copyright 2004 joeware.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 1:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

No reference yet really, but here are a couple of pointers:

With S.DS, anything stored as octet string in AD/ADAM is marshaled to .NET as a byte[]. This means, to get the binary data, you would just do something like (from the results of a search with DirectorySearcher):

byte[] binarySid = (byte[]) result.Properties["securityIdentifier"][0];

I'm assuming you already know how to use the DirectorySearcher to search for the trusts as I'm pretty sure I remember you talking about doing some of this stuff before. If you need more details, please respond.

To convert to string SID, you basically have to do a p/invoke to the API function (which is quite easy) unless you are already on 2.0, which has a managed SID class (which I haven't used yet, but assume works fine).

The p/invoke wiki has a nice ConvertSidToStringSid sample (www.pinvoke.net) or you can get a nice managed library for all Win32 security functions and such here at GotDotNet:

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

I'm not sure which method is going to get you there faster, especially if you are already done using the adfind method :), but I do agree with Joe that script simply isn't suitable for dealing with binary data in AD (or 8 byte integers for that matter).

Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules engine for trying different things (like 16 byte binary is probably a guid, etc.).

Just curious

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 24, 2004 9:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

I'm up for that ... I've never dealt with this stuff in S.DS before. Do you have any pointers on SIDs w/ .net? I actually got the info I needed with adfind, but I still want to be able to
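The attribute-syntax check joe describes above, together with the binary-to-string SID conversion Joe K. points at (what ConvertSidToStringSid does), as an added example in Python. This is not adfind's or the pinvoke.net sample's code; the schema slice, the -dloid fallback list and every sample SID/GUID value are constructed for the example.

```python
import struct
import uuid

# Attribute syntax OIDs joe names; these are the real AD attributeSyntax values.
SYNTAX_SID = "2.5.5.17"     # String(Sid)
SYNTAX_SD = "2.5.5.15"      # String(NT-Sec-Desc)
SYNTAX_OCTET = "2.5.5.10"   # String(Octet)

# Constructed stand-in for the schema slice adfind reads up front:
# lDAPDisplayName -> (attributeSyntax, rangeLower, rangeUpper)
SCHEMA = {
    "objectSid": (SYNTAX_SID, None, None),
    "securityIdentifier": (SYNTAX_SID, None, None),
    "nTSecurityDescriptor": (SYNTAX_SD, None, None),
    "objectGUID": (SYNTAX_OCTET, 16, 16),
    "userCertificate": (SYNTAX_OCTET, None, None),
}

# The "small hardcoded list" used when the schema is not loaded (the -dloid
# path); its contents here are a constructed guess, not adfind's real list.
FALLBACK = {"objectSid": "sid", "objectGUID": "guid", "nTSecurityDescriptor": "sd"}


def classify(attr, schema=SCHEMA, load_schema=True):
    """Decide how a binary value should be displayed, as joe describes:
    syntax 2.5.5.17 -> SID, 2.5.5.15 -> SD, 2.5.5.10 with range 16/16 -> GUID,
    anything else -> plain hex dump. Without the schema, fall back to the list."""
    if not load_schema:
        return FALLBACK.get(attr, "binary")
    syntax, lo, hi = schema.get(attr, (None, None, None))
    if syntax == SYNTAX_SID:
        return "sid"
    if syntax == SYNTAX_SD:
        return "sd"
    if syntax == SYNTAX_OCTET and lo == 16 and hi == 16:
        return "guid"
    return "binary"


def looks_like_sid(data):
    """Structural sanity check on a binary SID: revision 1, at most 15
    sub-authorities, and a length that matches the sub-authority count."""
    if len(data) < 8 or data[0] != 1 or data[1] > 15:
        return False
    return len(data) == 8 + 4 * data[1]


def sid_to_string(data):
    """Binary SID -> 'S-1-5-...'. Wire layout: revision (1 byte), sub-authority
    count (1), identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities."""
    if not looks_like_sid(data):
        raise ValueError("not a well-formed SID")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_to_string(data):
    """16-byte objectGUID (mixed-endian on the wire) -> {xxxxxxxx-xxxx-...} form."""
    if len(data) != 16:
        raise ValueError("GUID must be 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=data)


def hex_dump(data, chunk=4):
    """Unknown binary: hex, broken into 4-byte chunks as the post describes."""
    return " ".join(data[i:i + chunk].hex() for i in range(0, len(data), chunk))


def render(attr, data, schema=SCHEMA, load_schema=True):
    """Dispatch on the classification and produce the display string."""
    kind = classify(attr, schema, load_schema)
    if kind == "sid":
        return sid_to_string(data)
    if kind == "guid":
        return guid_to_string(data)
    if kind == "sd":
        # SDDL rendering is out of scope here; mirror the default placeholder.
        return "{Security Descriptor}"
    return hex_dump(data)


# Constructed sample values (not taken from any real directory).
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 500)
BUILTIN_ADMINS_SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<2I", 32, 544)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le
SAMPLE_BLOB = bytes(range(1, 7))

if __name__ == "__main__":
    for attr, value in [("objectSid", SAMPLE_SID), ("objectGUID", SAMPLE_GUID),
                        ("nTSecurityDescriptor", b"\x01\x00\x04\x80"),
                        ("userCertificate", SAMPLE_BLOB)]:
        print("%-22s %s" % (attr, render(attr, value)))
```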

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
What's good about the Fortigate? I haven't heard of them. I'm asking because I'm genuinely interested.

The beauty of the Draytek Vigor boxes is that they have ISDN backup built in on a few of the boxes. Which is very useful when using ADSL.

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 28/10/2004 21:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

Take a look at Fortinet's device called Fortigate. I use it and it is great for a VPN connection over DSL lines!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

An ADSL line should easily cover this amount of users. I have run remote sites of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run ADSL with 10+ users and TS with no real problems.

You must of course take into account that ADSL lines don't typically come with any sort of SLA. I would advise backup lines of some sort, either DSL from another provider or ISDN backups. I've used it without, but just be prepared.

I personally wouldn't use Windows VPN for such an exercise. It will however work. I would use some sort of VPN device. I have used Draytek boxes which are a good choice for such a setup. They only cost a couple of hundred dollars a piece and will plug straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.

BR

Rob

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link

I have 10 users in a remote site.
We want to connect them to our domain via a DSL link and Windows RRAS. They are all Windows XP SP1 clients.

Typically they use Termservices in APP mode to access QuickBooks server and Outlook for email.

Is this an OK config for ADSL? Or in general?
Can they just use the XP VPN client to hit the RRAS server and then log into the domain?
Should I get a faster link?

thanks

RE: [ActiveDir] ad partition rights

2004-10-28 Thread Kern, Tom



thanks.
I almost lost hope on this one...

So far the best thing I've read about AD security/rights was Inside Active Directory, 2nd ed.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ad partition rights

Another old post with no response.

Permissions in AD are a great big it depends. It depends on schema mods. It depends on what has been applied. It depends on what DCs you work against. For instance... Anything that leverages a built in account will find different Admins of different domains having different rights on different DCs of different domains. Confused? Say you have an ACE that says BUILTIN\Administrators has DELETE CHILD (any) at the root of the config container. This would mean a domain admin of domainA could go to any domainA DC and attach to the config container and delete any object. However if they attached to a domainB DC they wouldn't be able to unless there was an ACE for DomainA\Domain Admins or DomainA\Domain Admins has been added to DomainB\Administrators. I know there are some fun examples of this in DNS partitions.

For your specific question on deleting DCs server objects from sites and services... You should find any DCs Server objects defined will have the Domain they are a member of Domain Admins Group has FC on the object and subobjects.

Basically yes you need to look at the various containers and OUs and see what is there. Looking at the perms on the schema objects will show you what they will have by default when instantiated which is handy to know as well since it overrides anything inherited.

Don't apologize for this question. Permissions are not so much as basic but CORE. The sad thing is I haven't met a lot of people who are really good with them. They are relatively complex and otherwise very bright admins will open glaring holes in AD because of not truly understanding permissioning and what they have delegated. The best practices with any ACLs (whether on AD, files, or any securable object) are to keep a minimal set of ACEs in them, keep them simple, don't use DENY, properly order ACEs and don't do funny things with ordering, etc. Of course some of us use Exchange and that is just one best practice that tends to go down the drain to make that a go...

Microsoft had a great chance of making ACLing in AD really cool with property sets but they stopped a bit short of the goal. I'm sure there are some technical difficulties in there but if there weren't technical difficulties everywhere around what they do everyone would be doing it and they wouldn't be so special. :o)

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ad partition rights

Ok, I've always been confused on this issue-
It is my understanding that a domain admin only has rights on the domain naming context of his/her domain in AD and not the config or schema contexts.

If this is so, how can I delete a DC thru AD Sites and Services or ntdsutil?
Isn't this in the config partition?

Is there a good document that specifies all the rights a domain admin has to AD as opposed to, say, an enterprise admin? Or do I need to parse thru the SDDL in the Schema to find this?

Thanks. I know this is basic, so my apologies to the group.
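joe's point above, that an ACE for BUILTIN\Administrators on the config container yields different effective rights depending on which domain's DC you bind to, modelled as an added example that is not from the thread. The domain names, accounts and memberships are constructed, and ACL evaluation is simplified to one requested right at a time.

```python
# Constructed directory state; every name here is made up for the example.
# Global group memberships, identical no matter which DC you bind to.
GROUPS = {
    "domainA\\alice": {"domainA\\Domain Admins"},
    "domainB\\bob": {"domainB\\Domain Admins"},
}
# BUILTIN\Administrators is a local group on each domain's DCs; by default it
# holds only that domain's own Domain Admins.
DEFAULT_BUILTIN_ADMINS = {
    "domainA": {"domainA\\Domain Admins"},
    "domainB": {"domainB\\Domain Admins"},
}
# The ACE joe describes on the root of the Configuration container. The
# container is forest-wide, so every DC evaluates this same ACL.
CONFIG_ROOT_ACL = [
    {"type": "ALLOW", "trustee": "BUILTIN\\Administrators", "rights": {"DELETE_CHILD"}},
]
# One fix joe mentions: an explicit ACE for DomainA\Domain Admins as well.
EXPLICIT_ACL = CONFIG_ROOT_ACL + [
    {"type": "ALLOW", "trustee": "domainA\\Domain Admins", "rights": {"DELETE_CHILD"}},
]


def build_token(user, dc_domain, builtin_admins=DEFAULT_BUILTIN_ADMINS):
    """Groups the DC in dc_domain puts in the caller's token. BUILTIN\\Administrators
    is added only if the caller already holds a member of *this* DC's local group,
    which is why the same user gets different tokens on DCs of different domains."""
    token = {user} | GROUPS.get(user, set())
    if token & builtin_admins[dc_domain]:
        token.add("BUILTIN\\Administrators")
    return token


def is_allowed(user, dc_domain, acl, right, builtin_admins=DEFAULT_BUILTIN_ADMINS):
    """Evaluate one right the way the DC in dc_domain would: the first ACE whose
    trustee is in the token and that names the right decides; no match means
    denied (the implicit deny of an ACL with no applicable ACE)."""
    token = build_token(user, dc_domain, builtin_admins)
    for ace in acl:
        if ace["trustee"] in token and right in ace["rights"]:
            return ace["type"] == "ALLOW"
    return False


def add_to_builtin_admins(builtin_admins, target_domain, group):
    """The other fix joe mentions: add DomainA\\Domain Admins to DomainB\\Administrators.
    Returns a new mapping so the default state is left untouched."""
    updated = {domain: set(members) for domain, members in builtin_admins.items()}
    updated[target_domain].add(group)
    return updated


if __name__ == "__main__":
    for dc in ("domainA", "domainB"):
        print("alice on a %s DC: %s" % (dc, is_allowed(
            "domainA\\alice", dc, CONFIG_ROOT_ACL, "DELETE_CHILD")))
```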


RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
Yeah the issue I saw was specific to disjoint namespaces and the new
functionality in K3 AD that was verifying the domain names of the hosts. 

I would be curious though, just for test, not for final solution if you went
back to the created object and gave the group you mention FC of the computer
object and see if it allows the join ok.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 3:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Actually, we don't have a disjointed namespace.  They are specifying a group
to which their userid is a member.  Then, they go to the PC to change its
domain.

From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Date: Thu, 28 Oct 2004 15:15:07 -0400

Do you have a disjoint namespace?

When they create the objects, what do they specify for who can join?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here are 
the permissions we have assigned.  Any clue as to what critical 
permission could be missing?

This object and all child objects:
Create Computer Objects

Computer Objects:
List Contents
Read All Properties
Write All Properties
Read Permissions

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

I have seen that with Windows Server 2003 AD if there aren't enough 
permissions delegated to the person/group actually doing the join in a 
disjointed namespace environment.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Thursday, October 28, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD

Thanks, but nothing there really seems to help.  It's strange.  When we 
look at the computer account in the domain, it also ends up disabling 
it.

-Original Message-
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problems Adding Computers to AD

We've delegated the permission to add computer accounts to our AD 
environment to some admins.  They can go into ADUC and add the computer account 
without problem.  However, when they go to the PC to change its domain 
membership, on some PCs they get an error about not enough storage 
space.  But, some PCs work fine.  We cannot determine why this is
happening.  Any ideas?


[ActiveDir] Application Partition Replication

2004-10-28 Thread Myrick, Todd (NIH/CIT)
We started seeing strange problems with our Directory replication recently when bringing up new Windows 2003 DC in our Hub and Spoke Site design. Our network has a lot of firewalls, domains, and business units, and we have managed to coordinate most of the firewalls in the business units to allow full communications to the central site.

The tech working on the problem says that MSFT says Application Partitions replicate differently than GCs and Domains. Adding further Application Partitions can sometimes choose different connections to replicate their data across. I don't necessarily believe the tech at this point, so I ask you all. Do application partitions replicate differently? Is there a way to force them to use hub and spoke topology, and not try to replicate outside the site links? Also do they use Preferred Bridge Head Servers as other partitions do?

Thanks,

Todd

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 10/28/2004
Time: 4:18:45 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer:
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
DC=ForestDnsZones,DC=DHHSSECURITY,DC=LOCAL

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.


RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
Well you will have to protect the RRAS box with a firewall? Do you have one?
 
The Drayteks are also firewalls... you could build a tunnel between a cisco and the 
Draytek very easily.



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 21:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link


the site doesn't want to spend any money and they have no local IT support. We are in 
NYC and they are in Florida. We use a cisco vpn concentrator but that would involve 
installing client sw and since XP already has it built in, I figured this would be the 
easiest route for the price and end user involvement and it integrates with AD 
logons (I know the cisco does as well, but again, I gotta give and install the sw 
remotely).
 
Thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link


An ADSL line should easily cover this amount of users. I have run remote sites 
of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run 
ADSL with 10+ users and TS with no real problems.
 
You must of course take into account that ADSL lines don't typically come with 
any sort of SLA. I would advise backup lines of some sort, either DSL from another 
provider or ISDN backups. I've used it without but just be prepared.
 
I personally wouldn't use Windows VPN for such an exercise. It will however 
work. I would use some sort of VPN device. I have used Draytek boxes which are a good 
choice for such a setup. They only cost a couple of hundred dollars a piece and will 
plug straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.
 
BR
 
Rob



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link



I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They 
are all windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and 
Outlook for email.

Is this an ok config for ADSL? Or in general?
can they just use the XP vpn client to hit the RRAS server and then log into 
the domain?
Should i get a faster link?


thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===




RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
I'm running Exchange in native mode, AD in mixed.
I still have an NT DC laying around and haven't gotten around to testing all apps in 
native mode.

What should I audit?
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 4:23 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


The indication is that it's either a permissions or performance error.  I
don't know your environment, so I have to ask.  Is audit logging enabled for
the security events?

Also, any particular reason you're running in mixed mode AD vs. Native for
the Exchange domain?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

no entries on any dc.
that's why this error is driving me nuts.
every dc is fine with no errors. on exchange, that is the only error logged.
but, it's gotta be affecting mail. it doesn't sound good

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


So at this point your permissions are properly set and the DC is responding
as quickly as it needs to for the requests.  

Are you getting any entries on the DC's during the MU attempt? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No. Thats why i emailed here.
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the exchange mailing
list, but no luck, so I'm posting here. My apologies in advance.

I'm running win2ksp4 AD in mixed mode with Exchange2k sp3.
Lately i've been getting event id 1033 logged constantly on my exchange
server from metabase update. It goes like this-

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing a email latency of about 2-3hrs.

I have a default policy and I ran a rebuild on it and still i get this
error.

any insight would be great.
thanks




RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe




Don't install Exchange on a Domain Controller, even you Michael B. Smith

Article ID: 994678345
Last Review: October 28, 2004
Revision: 1.0
This article was previously published under Q994678345
SYMPTOMS

In a Windows 2000 
domain some people like to install Exchange on a 
Domain Controller. They also like to use them for file and print as well or for 
other not authentication/authorization services. They sometimes find they run 
into security and/or stability issues.

CAUSE
This behavior typically occurs because they installed products 
on a domain controller, which is supposed to be the bastion of your enterprise 
security, not handling menial services such as Exchange and file sharing et 
alii. 
RESOLUTION
To resolve this problem, remove the non 
authentication/authorization related services from the domain 
controller.
STATUS
Microsoft has confirmed that this is a problem in the real world. 
This problem was first corrected when people 
started treating the DCs like a KDC and not a regular 
server.





APPLIES TO
All versions 
of Windows that run as Domain Controllers



 :o)

 joe






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC

I've run across a couple of KB articles regarding the issues of promoting/demoting a DC under 
Exchange 2003 (on the same box). Shame on me, I didn't bookmark them.

Does anyone have those handy? My google-fu is not up-to-par today apparently...the ones I've 
found (plus summary) are:

822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is installed

The only one I've found that directly affects the search I'm on is the last (822575).

Thanks,
M



RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.

Fortinet and Fortigate is the way to go

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link
RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.

These devices don't have an ISDN backup built in, but offer a VPN solution that also scans at the gateway for viruses, allows you to put into place NIDS and NIPS and also acts as a firewall. All this for $1,500. Not bad

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

What's good about the Fortigate? I haven't heard of them. I'm asking because I'm genuinely interested.

The beauty of the Draytek Vigor boxes is that they have ISDN backup built in on a few of the boxes. Which is very useful when using ADSL.

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 28/10/2004 21:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

Take a look at Fortinet's device called Fortigate. I use it and it is great for a VPN connection over DSL lines!
RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom

how much does it go for?

  -Original Message-
  From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Thursday, October 28, 2004 4:25 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Remote DSL link


RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread joe



Did you get an answer on this one Michael? We can hunt 
Robbie down for an answer if not.

joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, September 07, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] install on logon, uninstall on logoff

In Robbie Allen's 
book (Active Directory Second Edition) he mentions installing a new package on 
logon and then uninstalling that package on logoff using GP. (Chapter 7, page 
96, top paragraph on the page.)

Installing on logon 
is easy. Uninstalling on logoff - how? A logoff script is the only way I see. 
But the book implies another solution...

What am I 
missing?

Thanks,
M



RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.

How much does the Draytek Vigor2600i cost?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link


RE: [ActiveDir] FW: KDC Errors--Help

2004-10-28 Thread joe



ldp is a pain... Too easy to blow the various options as 
they are in all sorts of different places.

Try this

adfind -gc -b "" -f "(&(objectcategory=computer)(servicePrincipalName=MSSQLSvc/ourserver.ourdomain.org:1523))" servicePrincipalName

That will dump all objects (and SPNs) with that 
specific SPN. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, October 19, 2004 4:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] FW: KDC Errors--Help

I believe I did it correct, but those are famous last words.

Once I connect using LDP I choose browse/search. For my search entry I choose:

Base DN: dc=mydomain,dc=com
Filter: serviceprincipalname=MSSQLSvc/server.mydomain.org:1523
Scope: Subtree
under options I had to add the "serviceprincipalname" under attributes.

For the Matched DNs I get 0 entries.

Can you see what I'm doing wrong?? Thanks so much for your help!

-Christine
Christine N. Allen
Citrix/Windows 2000 Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA 02210
Work: 617-748-6034
Cell: 617-290-4407

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 19, 2004 1:54 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] FW: KDC Errors--Help

  Yep. Seen it. If you're not finding it with LDP, you may just have the search criteria wrong. 

  When you search, it should be starting from the root of the domain and should have a filter of something like:

  (serviceprincipalname=MSSQLSvc/ourserver.ourdomain.org:1523)

  That should return all accounts that have this entered.

  Do you still get different results?


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
  Sent: Tuesday, October 19, 2004 1:47 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] FW: KDC Errors--Help
  
  
  Running Windows 2000 AD with SP 3. Since October 9th we have been getting event errors 

  Source: KDC
  Event 11

  There are multiple accounts with name MSSQLSvc/ourserver.ourdomain.org:1523 of type 10. 
  This error has been happening on just one of our domain controllers. I installed setspn.exe 
  on the problem server and it lists only one account. 
  I also used LDP.exe which displayed 0 results. I tried all the resolutions on 321044, but I got nada.
  Has anyone else had this issue? If anyone can explain why this would happen all of a sudden 
  I would really appreciate it. Thanks!

  -Christine
  Christine N. Allen
  Citrix/Windows 2000 Engineer
  BMC Healthnet Plan
  One Design Center Place
  Boston, MA 02210
  Work: 617-748-6034
  Cell: 617-290-4407
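The searches in this thread differ in scope, and that matters for KDC Event 11: setspn on one server and an LDP search rooted at one domain's DN only see that domain, and a filter restricted to objectcategory=computer misses a user or service account that holds the same SPN. The KDC complains about the whole forest, so the global catalog is the right place to look. The PowerShell below is an added example, not from the thread and not a Microsoft tool: it escapes the SPN per RFC 4515 so it cannot alter the filter, looks up the owners of one SPN across the forest, and separately lists every SPN registered on more than one object. It assumes a domain-joined host; the SPN value passed at the bottom is the placeholder from the thread. On current Windows, `setspn -X -F` performs the same forest-wide duplicate check.

```powershell
# Added example (not from the thread): forest-wide duplicate-SPN search over the
# global catalog, the condition KDC Event 11 reports. Assumes a domain-joined
# host; the SPN used at the bottom is a placeholder taken from the thread.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a caller-supplied SPN cannot inject filter syntax.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { $null = $sb.Append('\5c') }
            '*'     { $null = $sb.Append('\2a') }
            '('     { $null = $sb.Append('\28') }
            ')'     { $null = $sb.Append('\29') }
            "`0"    { $null = $sb.Append('\00') }
            default { $null = $sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function New-GcSearcher {
    param([string]$Filter)
    $forestRoot = ([ADSI]"LDAP://RootDSE").Get("rootDomainNamingContext")
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"GC://$forestRoot"   # GC: every domain in the forest
    $s.Filter      = $Filter
    $s.SearchScope = "Subtree"
    $s.PageSize    = 1000                        # paged results past the server size limit
    foreach ($p in "distinguishedName", "servicePrincipalName", "objectClass") {
        $null = $s.PropertiesToLoad.Add($p)
    }
    $s
}

# Who holds one specific SPN? No objectcategory restriction, so user/service
# accounts holding a stray SQL SPN show up as well as computers.
function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    $f = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    foreach ($r in (New-GcSearcher $f).FindAll()) {
        [pscustomobject]@{
            DistinguishedName = $r.Properties["distinguishedname"][0]
            ObjectClass       = ($r.Properties["objectclass"] | Select-Object -Last 1)
        }
    }
}

# Every SPN registered on more than one object anywhere in the forest.
function Find-DuplicateSpn {
    $owners = @{}   # hashtable keys are case-insensitive, matching SPN comparison
    foreach ($r in (New-GcSearcher "(servicePrincipalName=*)").FindAll()) {
        $dn = $r.Properties["distinguishedname"][0]
        foreach ($spn in $r.Properties["serviceprincipalname"]) {
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = New-Object System.Collections.ArrayList }
            $null = $owners[$spn].Add($dn)
        }
    }
    foreach ($k in $owners.Keys) {
        if ($owners[$k].Count -gt 1) {
            [pscustomobject]@{ SPN = $k; Owners = @($owners[$k]) }
        }
    }
}

Find-SpnOwner -Spn "MSSQLSvc/ourserver.ourdomain.org:1523"   # placeholder SPN from the thread
Find-DuplicateSpn | Format-List
```

Two owners for one SPN means the KDC cannot pick a key to encrypt the service ticket with, which is the failure Event 11 describes; remove the SPN from the object that does not run the service. Keep in mind that a duplicate only exists per exact string: HOST/ and MSSQLSvc/ entries for the same box do not collide, and an alias hostname is a different SPN.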
  


RE: [ActiveDir] ad partition rights

2004-10-28 Thread joe



Yep. Sakari and Mika did a good job with that book and the 
first version. I think permissions are chapter 4... I recall reading the first 
edition and stopping cold on that chapter for a good month or two and then 
started telling everyone they needed to read that book. 

Don't feel bad for not knowing perms though. I expect 
that most people don't really understand them and this includes MS as well. It 
can be a complicated subject.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ad partition rights

thanks.
i 
almost lost hope on this one...

So far 
the best thing i've read about AD security/rights was Inside Active 
Directory,2nd ed.

  -Original Message-
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 28, 2004 3:37 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ad partition rights
  Another old post with no response.
  
  Permissions in AD are a great big it depends. It depends 
  on schema mods. It depends on what has been applied. It depends on what DCs 
  you work against. For instance... Anything that leverages a built in account 
  will find different Admins of different domains having different rights on 
  different DCs of different domains. Confused? Say you have an ACE that says 
  BUILTIN\Administrators has DELETE CHILD (any) at the root of the config 
  container. This would mean a domain admin of domainA could go to any domainA 
  DC and attach to the config container and delete any object. However if they 
  attached to a domainB DC they wouldn't be able to unless there was an ACE for 
  DomainA\Domain Admins or DomainA\Domain Admins has been added to 
  DomainB\Administrators. I know there are some fun examples of this in DNS 
  partitions. 
  
  For your specific question on deleting DCs server objects 
  from sites and services... You should find any DCs Server objects defined will 
  have the Domain they are a member of Domain Admins Group has FC on the object 
  and subobjects. 
  
  Basically yes you need to look at the various containers 
  and OUs and see what is there. Looking at the perms on the schema objects will 
  show you what they will have by default when instantiated which is handy to 
  know as well since it overrides anything inherited.
  
  Don't apologize for this question. Permissions are not so 
  much as basic but CORE. The sad thing is I haven't met a lot of people who are 
  really good with them. They are relatively complex and otherwise very bright 
  admins will open glaring holes in AD because of not truly understanding 
  permissioning and what they have delegated. The best practices with any ACLs 
  (whether on AD, files, or any securable object) are to keep a 
  minimal set of ACEs in them, keep them simple, don't use DENY, properly 
  order ACEs and don't do funny things with ordering, etc. Of course some of us 
  use Exchange and that is just one best practice that tends to go down the 
  drain to make that a go... 
  
  Microsoft had a great chance of making ACLing in AD 
  really cool with property sets but they stopped a bit short of the goal. I'm 
  sure there are some technical difficulties in there but if there weren't 
  technical difficulties everywhere around what they do everyone would be doing 
  it and they wouldn't be so special. :o)
  
  
   joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Wednesday, September 29, 2004 4:00 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] ad partition rights


  Ok, I've always been confused on this issue-
  It is my understanding that a domain admin only has rights on the domain naming context 
  of his/her domain in AD and not the config or schema contexts.

  If this is so, how can I delete a DC through AD Sites and Services or ntdsutil?
  Isn't this in the config partition?

  Is there a good document that specifies all the rights a domain admin has to AD 
  as opposed to say, an enterprise admin? Or do I need to parse through the SDDL in 
  the Schema to find this?

  Thanks. I know this is basic, so my apologies to the group.
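joe's BUILTIN\Administrators example is the trap: an ACE that names a BUILTIN group (SID S-1-5-32-*) means whatever that group contains on the DC you happen to be bound to, so the same ACL on the Configuration container grants different people different rights depending on which domain's DC answers. The PowerShell below is an added example, not from the thread: it dumps the ACEs of a Configuration-partition object as seen through a specific DC, flags BUILTIN trustees, and reads the rules by SID so a deleted trustee does not abort the whole dump. It assumes read access to the objects; the two DC names and the CN=DC1 server DN are placeholders.

```powershell
# Added example, not from the thread: show who an ACE on a Configuration-partition
# object really grants rights to, as seen from a particular DC. Assumes read access
# to the object; the -Server names and the CN=DC1 DN are placeholders.
function Get-AdObjectAces {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server = ""      # bind to this DC; empty means a serverless bind
    )
    $path = if ($Server) { "LDAP://$Server/$DistinguishedName" } else { "LDAP://$DistinguishedName" }
    $obj  = [ADSI]$path

    # Ask for SIDs rather than names: a name-based GetAccessRules throws
    # IdentityNotMappedException as soon as one trustee has been deleted.
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $sid = $r.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }        # orphaned SID: keep the raw value rather than drop the ACE
        [pscustomobject]@{
            Identity            = $name
            Sid                 = $sid.Value
            # S-1-5-32-* is BUILTIN: the group lives on the DC you bound to, so the same
            # ACE means DomainA\Administrators on a DomainA DC and DomainB's on a DomainB DC.
            BuiltinLocal        = ($sid.Value -like 'S-1-5-32-*')
            Rights              = $r.ActiveDirectoryRights
            Type                = $r.AccessControlType
            Inherited           = $r.IsInherited
            ObjectType          = $r.ObjectType            # all-zero GUID = applies to the whole object
            InheritedObjectType = $r.InheritedObjectType
        }
    }
}

$configNc = ([ADSI]"LDAP://RootDSE").Get("configurationNamingContext")

# 1. BUILTIN ACEs at the root of the Configuration container that allow deleting
#    child objects, read through a DC of each domain (placeholder host names).
foreach ($dc in "dc1.domaina.example", "dc1.domainb.example") {
    Get-AdObjectAces -DistinguishedName $configNc -Server $dc |
        Where-Object { $_.BuiltinLocal -and $_.Type -eq 'Allow' -and
                       $_.Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) } |
        Select-Object @{n = 'DC'; e = { $dc }}, Identity, Rights, Inherited
}

# 2. A DC's Server object under Sites (placeholder DN). Expect the owning domain's
#    Domain Admins with GenericAll, which is what lets them remove it.
$serverDn = "CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNc"
Get-AdObjectAces -DistinguishedName $serverDn | Format-Table Identity, Rights, Type, Inherited -AutoSize
```

The Identity column is resolved by the machine running the script, so a BUILTIN name there tells you only that the ACE is DC-relative; compare the rows produced for the two DCs to see the point joe makes. When reviewing a delegation, treat any Allow ACE for a BUILTIN group on a forest-wide partition as a finding to explain, not as a known quantity.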


RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom

I have a Watchguard firebox X

  -Original Message-
  From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Thursday, October 28, 2004 4:40 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Remote DSL link


[ActiveDir] Auto LinkIDs - Bad vendors stop making up your own linkids...

2004-10-28 Thread joe
Hey, I wanted to post a link to this great blog by ~Eric concerning
Auto-LinkIDs.

VENDORS [1] TAKE NOTE OF THIS BLOG ENTRY


http://blogs.msdn.com/efleis/archive/2004/10/12/241219.aspx


Basically ~Eric is the first on the block to document functionality built
into Windows AD 2003 and AD/AM to allow you to link attributes without
specifying LinkIDs. This is huge especially for the people who are making up
their own linkids on the fly and causing issues for everyone else.


  joe



In case the blog gets blown up or MS decides that info shouldn't be out on
the net, I will also copy it to here so it lands in everyone's inbox. 


==


Uniqueness in the schema: what a pain!  (By little ~Eric Fleischman)

For a variety of reasons, several elements of the schema in AD and ADAM must
be defined as globally unique. For example, Object Identifiers (OIDs) are
assigned by a central authority, and everyone needs to have a unique OID for
every element in their schema. When you purchase applications that extend
the schema, the application vendor has (hopefully! :)) obtained their OIDs
properly such that you will never overlap with another application. We
(Microsoft) hand out OIDs to anyone that might need them over the web.

 

One of the AD/ADAM-specific schema elements which must be unique are link
IDs. Link IDs are defined at creation of a schema element, and are used in
link valued attributes, aka link value pairs. When one creates a link
valued attribute they typically create them in pairs: one is the forward
link and one is the backlink. You (the user/administrator) create and delete
forward links and AD maintains the backlinks for you. It's magic. :)

(As time goes on we'll definitely spend a lot more time talking about the
schema)

 

Just like OIDs, one can obtain link IDs from Microsoft. Obtaining your own
link IDs for custom schema extensions ensures that you never overlap with
anyone else. Of course, everyone and anyone can get all of the link IDs they
might want here.

 

That said, it would be nice if this concern were not at all something that
application developers needed to think about. That is, wouldn't it be nice
if AD auto-generated your link IDs for you, and you could then read them out
of the schema if you would like (it is worth noting that most applications
never need to know their own link IDs..therefore even though we might
generate them for you, your application probably does not even care what
they are, so long as they are unique and work!).

 

Well, we heard you. :) As of the release of Server 2003, AD can generate
link IDs for you without a problem. It's actually pretty easy, and requires
a minor modification to your existing schema extensions.

 

So when we create the attributes, here's the general flow of what we'll do:

- create forward link

- Update schema cache

- Create back link

- Update schema cache

 

Now the trick, of course, is how to create the forward and back links
properly. Let's say you want to create an attribute ericIsVeryCoolForward
and -Back. Here is what your ldif might look like (partial of course):

 

# Forward link (partial, as the post says). The linkID value
# 1.2.840.113556.1.2.50 tells AD to generate the link ID itself.
# DC=X is a placeholder for your forest root DN.
dn: CN=ericIsVeryCoolForward,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ericIsVeryCoolForward
attributeID: <your forward link OID here>
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE
linkID: 1.2.840.113556.1.2.50

# Refresh the schema cache so the back link can find the forward link
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Back link: its linkID names the forward link (lDAPDisplayName or OID)
dn: CN=ericIsVeryCoolBack,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: ericIsVeryCoolBack
attributeID: <your back link OID here>
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE
linkID: ericIsVeryCoolForward

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

 

 

Note that the back link attribute has the link ID of ericIsVeryCoolForward.
In place of that you could also use the OID of the forward (the OID you use
where I placed your forward link OID here).

 

Of course, use OIDs of your own or that were properly given to you by a
proper authority.

 

Also, note that I did a schemaUpdateNow in the middle of the. That is also
required as otherwise the second element may be unable to find the first
when it goes to use it during extension as the first element is not yet in
the schema cache.

 

Happy extending!

===



[1] Or anyone else out there writing schema mods with linking...





schema extension attributes linking linkid backlink forwardlink


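A small checker for the rules in the post above, added here as an example (it is not ~Eric's code and not from the list post); the LDIF it scans is constructed for the demo and its OIDs are made up:

```python
"""Lint a schema-extension LDIF for linkID hygiene (added example, not code
from the post or ~Eric's blog). Rules from the post: a forward link sets
linkID to 1.2.840.113556.1.2.50 to have AD generate it (a hard-coded even
number is flagged for review); a back link names its forward link by
lDAPDisplayName or attributeID; a schemaUpdateNow must come between them.
SAMPLE_LDIF below is constructed; its OIDs are made up."""

AUTO_LINKID = "1.2.840.113556.1.2.50"


def parse_ldif(text):
    """LDIF -> list of {lowercased attr: [values]}; '#' and '-' lines skipped."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw.strip() == "-":
            continue
        if not raw.strip():                   # blank line ends a record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:  # folded continuation line
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        records.append(current)
    return records


def check_linkids(text):
    """Return [(lDAPDisplayName, finding), ...] in LDIF order."""
    findings, forwards, unflushed = [], set(), set()
    for rec in parse_ldif(text):
        if "schemaupdatenow" in rec:
            unflushed.clear()                 # schema cache refreshed
            continue
        if "linkid" not in rec:
            continue
        name = rec.get("ldapdisplayname", ["?"])[0]
        keys = {name.lower(), rec.get("attributeid", [""])[0]}
        link = rec["linkid"][0]
        if link == AUTO_LINKID or (link.isdigit() and int(link) % 2 == 0):
            forwards |= keys                  # even linkIDs are forward links
            unflushed |= keys
            if link != AUTO_LINKID:
                findings.append((name, "hard-coded forward linkID %s; confirm "
                                 "Microsoft assigned it, else use %s" % (link, AUTO_LINKID)))
        elif link.isdigit():
            findings.append((name, "hard-coded back linkID %s; reference the "
                             "forward link by name or OID instead" % link))
        elif not {link.lower(), link} & forwards:
            findings.append((name, "back link refers to unknown forward link %s" % link))
        elif {link.lower(), link} & unflushed:
            findings.append((name, "no schemaUpdateNow between forward link %s "
                             "and this back link" % link))
    return findings


# constructed sample: a correct pair (as in the post), then a vendor pair
# that hard-codes its linkID and skips the schemaUpdateNow step
SAMPLE_LDIF = """\
dn: CN=ericIsVeryCoolForward,CN=Schema,CN=Configuration,DC=X
changetype: add
lDAPDisplayName: ericIsVeryCoolForward
attributeID: 1.2.3.4.5.6.1
linkID: 1.2.840.113556.1.2.50

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ericIsVeryCoolBack,CN=Schema,CN=Configuration,DC=X
changetype: add
lDAPDisplayName: ericIsVeryCoolBack
attributeID: 1.2.3.4.5.6.2
linkID: 1.2.3.4.5.6.1

dn: CN=vendorMadeUpForward,CN=Schema,CN=Configuration,DC=X
changetype: add
lDAPDisplayName: vendorMadeUpForward
attributeID: 1.2.3.4.5.6.3
linkID: 1000

dn: CN=vendorMadeUpBack,CN=Schema,CN=Configuration,DC=X
changetype: add
lDAPDisplayName: vendorMadeUpBack
attributeID: 1.2.3.4.5.6.4
linkID: vendorMadeUpForward
"""

if __name__ == "__main__":
    for name, finding in check_linkids(SAMPLE_LDIF):
        print("%s: %s" % (name, finding))
```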

RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
Not actually, 

Digital Signatures, Digital Envelopes, and Kerberos all use Asymmetric 
Cryptography (aka Public/Private Keys). But the techniques are used for different 
purposes.

The term AD Kerberos is meaningless. AD is the database that contains the actual 
usernames and passwords (among other data). Kerberos is the primary authentication 
protocol used by Windows 200x. Kerberos uses digital signatures to verify that both 
ends of the process are properly identified.

IPSEC can be used to set up encrypted paths for data transfer.


More on Kerberos: 
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

http://www.windowsitlibrary.com/Content/617/06/6.html


More on IPSEC:

http://www.techonline.com/community/tech_topic/21194


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, October 28, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Ok, and from what I can figure, both utilize AD Kerberos to sign or encrypt the data 
right?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, October 28, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

You also have to look at what each method doesn't do.

1. Digital signature
Proves the message was sent by you
Allows anyone to read the message

2. Digital envelope
Only the desired recipient can read the message
Doesn't prove the message was from you

A truly secure transfer requires both techniques to be used but sometimes one step is 
all you need.

A digital signature is similar to having your signature notarized on a loan 
application. Also, when you download a new device driver it could be digitally signed 
so you can be sure that you are actually getting a driver from your hardware vendor, 
not a hacker. However the message is now the equivalent of a postcard or a billboard 
by the side of the road.

If you are placing a message into a portable storage media (floppy, usb key, portable 
hard disk, etc) that a courier is going to hand carry to the recipient then the 
digital envelope would keep the courier from looking at the contents of the message. 
If the courier switched your message with another one, you couldn't know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Which is better

Well what are you trying to achieve?

Digitally sign just ensures to the receiving party that the packet has not been 
tampered with. Digitally encrypt ensures that nobody in between can read the contents 
of the packet. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
 Sent: Thursday, October 28, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Which is better
 
 Digitally sign communications
 
 Or
 
 Digitally encrypt secure channel data
 
 Justin A. Salandra, MCSE
 Senior Network Engineer
 Catholic Healthcare System
 212.752.7300 - office
 917.455.0110 - cell
 [EMAIL PROTECTED]
 
 


RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Ken Cornetet



Um, 
SBS users don't have a choice...

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, October 28, 2004 3:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] FW: Exchange 2003 on DC
  
  Don't install Exchange on a Domain Controller, even you Michael 
  B. Smith
  
  


  Article ID: 994678345
  Last Review: October 28, 2004
  Revision: 1.0
  This article was previously published under Q994678345
  
  SYMPTOMS
  
  In a Windows 2000 
  domain some people like to install Exchange on 
  a Domain Controller. They also like to use them for file and print as well or 
  for other not authentication/authorization services. They sometimes find they 
  run into security and/or stability issues.
  
  CAUSE
  This behavior typically occurs because they installed products on a domain 
  controller which is supposed to be the bastion of your enterprise security, 
  not handling menial services such as exchange and file sharing et alii. 
  RESOLUTION
  To resolve this problem, remove the non authentication/authorization related 
  services from the domain controller.
  STATUS
  Microsoft has confirmed that this is a problem in the real world. This problem 
  was first corrected when people started treating the DCs like a KDC and not a 
  regular server.
  
  
  
  
  
  APPLIES TO
  All versions of Windows that run as Domain Controllers
  
  
  
   :o)
  
   joe
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Wednesday, October 20, 2004 7:53 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Exchange 2003 on DC
  
  I've run across a 
  couple of KB articles regarding the issues of promoting/demoting a DC under 
  Exchange 2003 (on the same box). Shame on me, I didn't bookmark 
  them.
  
  Does anyone have 
  those handy? My google-fu is not up-to-par today apparently...the ones I've 
  found (plus summary) are:
  
  822179 - don't 
  change DC status after Exchange is installed
  305504 - impact of 
  making DC a GC with Exchange installed
  305065 - impact of 
  removing a GC from a DC with Exchange installed
  829361 - long shut 
  down time on a DC when Exchange is installed
  822575 - DS2MB 
  stops running when DC status is removed and Exchange is 
  installed
  
  The only one I've 
  found that directly affects the search I'm on is the last 
  (822575).
  
  Thanks,
  M
  


RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
Fortigate goes for $1500, how much does the Draytek Vigor 2600i go for?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

how much does it go for?

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

What's good about the Fortigate? I haven't heard of them. I'm asking because I'm genuinely interested.

The beauty of the Draytek Vigor boxes is that they have ISDN backup built in on a few of the boxes. Which is very useful when using ADSL.

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 28/10/2004 21:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

Take a look at Fortinet's device called Fortigate. I use it and it is great for a VPN connection over DSL lines!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

An ADSL line should easily cover this amount of users. I have run remote sites of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run ADSL with 10+ users and TS with no real problems.

You must of course take into account that ADSL lines don't typically come with any sort of SLA. I would advise backup lines of some sort, either DSL from another provider or ISDN backups. I've used it without but just be prepared.

I personally wouldn't use Windows VPN for such an exercise. It will however work. I would use some sort of VPN device. I have used Draytek boxes which are a good choice for such a setup. They only cost a couple of hundred dollars a piece and will plug straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.

BR

Rob

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link

I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They are all windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and Outlook for email.

Is this an ok config for ADSL? Or in general?
can they just use the XP vpn client to hit the RRAS server and then log into the domain?
Should I get a faster link?

thanks

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
I'd say in this case, at least failures (logon events) but success would be
handy as well I'm guessing.  

Be sure you leave enough room for the event log and you set it to wrap vs.
shutting down etc.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

i'm running exchange in native mode. AD in mixed.
i still have an NT dc laying around and haven't gotten around to testing all
apps in native mode.

what should i audit?
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 4:23 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


The indication is that it's either a permissions or performance error.  I
don't know your environment, so I have to ask.  Is audit logging enabled for
the security events?

Also, any particular reason you're running in mixed mode AD vs. Native for
the Exchange domain?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

no entries on any dc.
that's why this error is driving me nuts.
every dc is fine with no errors. on exchange, that is the only error logged.
but, it's gotta be affecting mail. it doesn't sound good

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


So at this point your permissions are properly set and the DC is responding
as quickly as it needs to for the requests.  

Are you getting any entries on the DC's during the MU attempt? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:Exchange MU

No. That's why i emailed here.
thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:Exchange MU


And neither of these applied?

http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 28, 2004 3:12 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:Exchange MU

Hi, I tried googling and posting this error on the exchange mailing
list, but no luck, so I'm posting here. My apologies in advance.

I'm running win2ksp4 AD in mixed mode with Exchange2k sp3.
Lately i've been getting event id 1033 logged constantly on my exchange
server from metabase update. It goes like this-

Event ID: 1033, Source ExchangeMU, Text: The default recipient policy cannot
be found. SMTP virtual servers and HTTP-DAV virtual servers and virtual
directories will not work properly. 
I'm also experiencing a email latency of about 2-3hrs.

I have a default policy and I ran a rebuild on it and still i get this
error.

any insight would be great.
thanks




RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Michael B. Smith



Robbie and I chat just about every day. 
:-P

Robbie said that that was a section that Alistair 
wrote, but that as far as he knew, a logoff script was the only way to do it. I 
messed around with it a little bit and found that it's non-obvious, and somewhat 
slow, but it surely can be done.

Thanks for following up,
M


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] install on logon, uninstall on logoff

Did you get an answer on this one Michael? We can hunt 
Robbie down for an answer if not.

joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, September 07, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] install on logon, uninstall on logoff

In Robbie Allen's 
book (Active Directory Second Edition) he mentions installing a new package on 
logon and then uninstalling that package on logoff using GP. (Chapter 7, page 
96, top paragraph on the page.)

Installing on logon 
is easy. Uninstalling on logoff - how? A logoff script is the only way I see. 
But the book implies another solution...

What am I 
missing?

Thanks,
M



RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith



MeOW!

I was asking for documentation for my customer file, thank 
you! :-)

M


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC


Don't install Exchange on a Domain Controller, even you Michael B. 
Smith


  
  
Article ID: 994678345
Last Review: October 28, 2004
Revision: 1.0
This article was previously published under Q994678345

SYMPTOMS

In a Windows 2000 
domain some people like to install Exchange on a 
Domain Controller. They also like to use them for file and print as well or for 
other not authentication/authorization services. They sometimes find they run 
into security and/or stability issues.

CAUSE
This behavior typically occurs because they installed products on a domain 
controller which is supposed to be the bastion of your enterprise security, 
not handling menial services such as exchange and file sharing et alii. 
RESOLUTION
To resolve this problem, remove the non authentication/authorization related 
services from the domain controller.
STATUS
Microsoft has confirmed that this is a problem in the real world. This problem 
was first corrected when people started treating the DCs like a KDC and not a 
regular server.





APPLIES TO
All versions of Windows that run as Domain Controllers



 :o)

 joe






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC

I've run across a 
couple of KB articles regarding the issues of promoting/demoting a DC under 
Exchange 2003 (on the same box). Shame on me, I didn't bookmark 
them.

Does anyone have 
those handy? My google-fu is not up-to-par today apparently...the ones I've 
found (plus summary) are:

822179 - don't 
change DC status after Exchange is installed
305504 - impact of 
making DC a GC with Exchange installed
305065 - impact of 
removing a GC from a DC with Exchange installed
829361 - long shut 
down time on a DC when Exchange is installed
822575 - DS2MB stops 
running when DC status is removed and Exchange is installed

The only one I've 
found that directly affects the search I'm on is the last 
(822575).

Thanks,
M



RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
I can buy a 2900i (with ISDN backup) for £155, so say $90 or so. An absolute bargain. 
I have used them and know of many others who have used them for years. Check the 
draytek website.
 
I'm not completely biased as I'm big into Checkpoint and also know Watchguard and 
Sonicwall. The Drayteks are just great for the money.



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 21:54
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link


how much does it go for?

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link


What's good about the Fortigate? I haven't heard of them. I'm asking because I'm 
genuinely interested.
 
 
The beauty of the Draytek Vigor boxes is that they have ISDN backup built in on 
a few of the boxes. Which is very useful when using ADSL.




From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 28/10/2004 21:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link



Take a look at Fortinet's device called Fortigate.  I use it and it is great 
for a VPN connection over DSL lines!

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
Rutherford
Sent: Thursday, October 28, 2004 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote DSL link

 

An ADSL line should easily cover this amount of users. I have run remote sites 
of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run 
ADSL with 10+ users and TS with no real problems.

 

You must of course take into account that ADSL lines don't typically come with 
any sort of SLA. I would advise backup lines of some sort, either DSL from another 
provider or ISDN backups. I've used it without but just be prepared.

 

I personally wouldn't use Windows VPN for such an exercise. It will however 
work. I would use some sort of VPN device. I have used Draytek boxes which are a good 
choice for such a setup. They only cost a couple of hundred dollars a piece and will 
plug straight in the wall. A LAN-LAN VPN would be a cleaner alternative to VPN clients.

 

BR

 

Rob

 





From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Thu 28/10/2004 17:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Remote DSL link

I have 10 users in a remote site.
We want to connect them to our domain via a dsl link and Windows RRAS. They 
are all windows XP sp1 clients.

Typically they use Termservices in APP mode to access Quick Books server and 
Outlook for email.

Is this an ok config for ADSL? Or in general?
can they just use the XP vpn client to hit the RRAS server and then log into 
the domain?
Should i get a faster link?


thanks

RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Dean Wells



As with the well-known 3 partitions, app. partitions, their connection objects and 
the resulting replica links are handled by the KCC, ISTG and DRA. Site 
structure is taken into account, in short they're 
treated the same as the domain NC with the possible noteworthy exception that 
their content is ignored by GCs when sourcing partial replicas. 


As for the bridgeheading aspect; yes, preferred b'heads will be used if they hold a 
replica of the partition in question. If the list of preferred b'heads for 
a particular site does not include a DC in possession of an app. partition then 
the ISTG will bark, tell you you're a fool and assign one for you (a behavior 
new to 2003). It is also worth mentioning that the ISTG must be running on 
a 2003 DC within a particular site in order for app. partitions to get a 
topology built for them but since 2003 DCs steal the ISTG role when added to a 
site containing no other 2003 DCs that isn't really a problem (especially since 
you have to have at least one 2003 DC within a site in order for an app. 
partition to be present there in the first place).

There 
are, of course, other behavioral differences 'tween app. partitions and their 
domain counterparts but I can't think of any that warrant mentioning in this 
context.

Specific to your error, have you disabled site link bridging? A 
description of your site topology, the DCs within those sites and which of those 
DCs are or were running 2003's DNS service would be most 
useful?
-- 
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 28, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Application Partition Replication



We started seeing 
strange problems with our Directory replication recently when bringing up new 
Windows 2003 DC in our Hub and Spoke Site design. Our network has a lot of 
firewalls, domains, and business units, and we have managed to coordinate most 
of the firewalls in the business units to allow full communications to the 
central site. 

The tech working on the 
problem says that MSFT says Application Partitions replicate differently than 
GCs and Domains. Adding further Application Partitions can sometimes 
choose different connections to replicate their data across. I don't 
necessarily believe the tech at this point, so I ask you all. Do 
application partitions replicate differently? Is there a way to force them 
to use hub and spoke topology, and not try to replicate outside the site 
links? Also do they use Preferred Bridge Head Servers as other partitions 
do?

Thanks,

Todd


Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker 
Event ID: 1311
Date: 10/28/2004
Time: 4:18:45 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: 
Description:
The Knowledge 
Consistency Checker (KCC) has detected problems with the following directory 
partition. 

Directory 
partition:
DC=ForestDnsZones,DC=DHHSSECURITY,DC=LOCAL 

There is insufficient 
site connectivity information in Active Directory Sites and Services for the KCC 
to create a spanning tree replication topology. Or, one or more domain 
controllers with this directory partition are unable to replicate the directory 
partition information. This is probably due to inaccessible domain controllers. 


User Action 

Use Active Directory 
Sites and Services to perform one of the following actions: 

- Publish sufficient 
site connectivity information so that the KCC can determine a route by which 
this directory partition can reach this site. This is the preferred option. 

- Add a Connection 
object to a domain controller that contains the directory partition in this site 
from a domain controller that contains the same directory partition in another 
site. 

If neither of the 
Active Directory Sites and Services tasks correct this condition, see previous 
events logged by the KCC that identify the inaccessible domain 
controllers.



RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe



I just wanted to point out on this post that user isn't an 
objectcategory, this would get changed to be objectcategory=person. For all 
intents and purposes for this specific filter, it would be just as efficient but 
could hurt you in other queries.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Tuesday, October 19, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes


I may be missing something in the reading, but why not just query AD based on the 
username and determine if that user object is a member of the group in question 
instead of returning a list of all users for a given group? Another possibility 
(one you may well have thought of already but didn't mention) is that you can 
filter your search [searcher.Filter = 
"(&(objectCategory=user)(sAMAccountName=" & Trim(userName) & "))"]

r/
Lou


RE: [ActiveDir] script logic question

2004-10-28 Thread Creamer, Mark
Thanks Joe...that's surprisingly clear to me. Scary...I must be finally absorbing some 
wisdom. No more
deer-in-the-headlights for me (well, maybe not as much) Thanks also to the other folks 
who commented
on this issue, as always. Y'all are awesome

Now on to the script editor.

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] script logic question

I would

Generate a list of all users in the list. Depending on how you do this it
could be a map, a hash, a dictionary, blah blah woof woof. Whatever... It is
an associative array that has for its key, the userid. This list should be
generated by recursing up through any nesting as well assuming you allow
this via nesting. This would be done with an LDAP call to the group for the
member attribute and chase recursively as needed.

Now that you have that I would then do a query against all users for the
employeetype=s. i.e.
(&(objectcategory=person)(samaccountname=*)(employeetype=s))


Now that you have the S employees and the membership you can loop through
the S employees and looking them up in the hash. If only S employees are
supposed to be in the group then when you look people up in the hash, you
mark the value as OK. If they aren't in that group, you flag them as
missing. Then you loop through the hash and look at all of the values and
any that don't have OK shouldn't be in the group and you flag them.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 26, 2004 1:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] script logic question

I need to make sure all users where the value of attribute employeeType is
S are members of a given group. Right now I only want to report on it, not
actually change the group membership. Logically, what is the most efficient
way to achieve this?

1. do I place the membership of the group into an array and then loop
through all the users to see if they are in the array

2. do I loop through all the users and check each one's memberOf for the
existence of the group?

I think option 1 seems better than 2, but I'm willing to bet someone has a
much better idea. Thanks!

Mark


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

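The approach joe sketches above (expand the group's member attribute recursively into a hash keyed by account name, then walk the employeeType=S users against it and flag both directions), as an added example that is not code from the thread. It is written in Python against a constructed in-memory directory so it runs offline; the DNs, accounts and group name are hypothetical, and in a real script the two lookups would be LDAP searches (a base-scope read of the group's member attribute, and the subtree search with the filter joe gives).

```python
"""Report-only reconciliation of employeeType=S users against a group.

Added example; DIRECTORY is a constructed stand-in for LDAP (hypothetical
DNs and accounts), keyed by DN.  Nothing here modifies membership.
"""

GROUP_DN = "CN=App-Users,OU=Groups,DC=example,DC=com"   # hypothetical

# Constructed sample data.  'Contractors' is nested in 'App-Users' and nests
# 'App-Users' back; AD permits such loops, so expansion must tolerate them.
DIRECTORY = {
    GROUP_DN: {
        "objectClass": "group",
        "member": [
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=Contractors,OU=Groups,DC=example,DC=com",
            "CN=dave,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Contractors,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=bob,OU=Users,DC=example,DC=com", GROUP_DN],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice", "employeeType": "S"},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "Bob", "employeeType": "S"},
    "CN=carol,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "carol", "employeeType": "S"},
    "CN=dave,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "dave", "employeeType": "C"},
}


def expand_group(group_dn, directory, seen=None):
    """Return {samaccountname (lower-cased): member DN} for every user
    reachable through the group's member attribute, chasing nested groups.
    'seen' stops infinite recursion on circular nesting."""
    if seen is None:
        seen = set()
    members = {}
    if group_dn in seen:
        return members
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    for member_dn in entry.get("member", []):
        child = directory.get(member_dn)
        if child is None:            # unresolvable link (stale/foreign): skip
            continue
        if child.get("objectClass") == "group":
            members.update(expand_group(member_dn, directory, seen))
        else:
            # sAMAccountName matching in AD is case-insensitive, hence lower()
            members[child["sAMAccountName"].lower()] = member_dn
    return members


def s_employees(directory):
    """Stand-in for (&(objectCategory=person)(sAMAccountName=*)(employeeType=S));
    the employeeType match is case-insensitive, as it is in AD."""
    return {
        e["sAMAccountName"].lower()
        for e in directory.values()
        if e.get("objectClass") == "user"
        and e.get("sAMAccountName")
        and (e.get("employeeType") or "").upper() == "S"
    }


def reconcile(group_dn, directory):
    """Return (missing, extra): S employees absent from the group, and
    effective members who are not S employees."""
    members = expand_group(group_dn, directory)
    wanted = s_employees(directory)
    missing = sorted(wanted - members.keys())
    extra = sorted(members.keys() - wanted)
    return missing, extra


if __name__ == "__main__":
    missing, extra = reconcile(GROUP_DN, DIRECTORY)
    print("S employees not in the group:", missing)
    print("Members who are not S employees:", extra)
```

The recursion in expand_group is the client-side version of what the thread describes; on Windows Server 2003 SP2 and later the DC can do it for you with the LDAP_MATCHING_RULE_IN_CHAIN rule, e.g. a user filter of (memberOf:1.2.840.113556.1.4.1941:=<group DN>), which also returns members reached through nesting.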

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith
Just because there is a passing similarity to Windows Server, SBS is really another product entirely. :-) :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Um, SBS users don't have a choice...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC
  
Don't install Exchange on a Domain Controller, even you Michael B. Smith

Article ID: 994678345
Last Review: October 28, 2004
Revision: 1.0
This article was previously published under Q994678345

SYMPTOMS

In a Windows 2000 domain some people like to install Exchange on a Domain Controller. They also like to use them for file and print as well or for other not authentication/authorization services. They sometimes find they run into security and/or stability issues.

CAUSE

This behavior typically occurs because they installed products on a domain controller which is supposed to be the bastion of your enterprise security, not handling menial services such as Exchange and file sharing et alii.

RESOLUTION

To resolve this problem, remove the non authentication/authorization related services from the domain controller.

STATUS

Microsoft has confirmed that this is a problem in the real world. This problem was first corrected when people started treating the DCs like a KDC and not a regular server.

APPLIES TO

All versions of Windows that run as Domain Controllers

 :o)

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC
  
I've run across a couple of KB articles regarding the issues of promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me, I didn't bookmark them.

Does anyone have those handy? My google-fu is not up-to-par today apparently...the ones I've found (plus summary) are:

822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is installed

The only one I've found that directly affects the search I'm on is the last (822575).

Thanks,
M



RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe
This thread went all over the place so I came back to the original post. Right off I am assuming LDAP based apps not running on MS Platform. If they are running on MS, have them look at the azman stuff.

I would ask the developers specifically what are they doing. Most likely they aren't doing it correctly. I hit this on a near-weekly basis at one of my previous gigs. You have had several answers along this line already and they are right. Make the developers show you specifically how they are doing what they are doing and you will probably see why it is slower. For the specific purpose you outline below, to verify if a specific user can access an app, querying the group membership for the user should be trivial unless you allow nesting at which point it could get painful. It could also be painful if you have to check various DLGs in different domains. If they are gathering a list of all users who have access to an app, make sure they are querying the group's member attribute instead of the memberof of the users. I had some websphere folks do that once and their app was pretty slow from it as you can imagine.

I can see the advantage of having your own attrib for app. However as others have mentioned, this will get out of control. If they truly need this, push it to an entry linked in an AD/AM or possibly have a single indexed MV attribute and have each app have a unique value they can have in that attribute. Of course security on that is fun because you can have someone who can manipulate it or not manipulate it, they can't just add one value. That is when provisioning systems come into play.


 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, October 19, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] groups vs attributes

As our developers (as well as our 3rd party vendors) continue to create apps that leverage AD, the question comes up frequently: which is a better solution, to search AD for a group membership, or for the value of a given attribute, when validating a user's access to a custom application?

Our standard has been to use universal groups for this sort of thing, that is, UserA can access the application if he is a member of the appropriate universal group. However, our developers have discovered in their ad hoc queries that returning a list of users that have a given value assigned to a custom attribute is much faster than returning a list of users that are members of a universal group. So they are asking, shouldn't we be adding a custom attribute when an application requires a validation that a user can access the application, rather than using a group membership?

Any notes from the field would be much appreciated!

Mark Creamer
Systems Engineer
Cintas Corporation
The Service Professionals



RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe
I don't know if I like this as a generic solution Gil. 
 
o Most people have issue enumerating/understanding ACLs to start with. 
o You can't really query it. 
o Only viable from Windows. 
o Resolving SIDS to names for all of the ACEs would be on the slow side. 
o No auto cleanup if someone were deleted. 
o If you have an app with a lot of users (thousands or tens of thousands) I
would expect you could run into the ceiling on the size of the SD which
means you start using groups which is the current solution anyway, why not
use it directly?
 
That is off the top of my head. 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, October 19, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes


A very clean way to manage access rights for apps is to create new extended
access rights objects in the Extended-Rights container that represent the
different categories of access to your app, then create an object that
represents the application in the CN=Services container, and create
object-ACEs in the SD for the application object for each security principal
that is allowed to access the application. Its clean, flexible, extensible,
provides any level of granularity you might want, and you can use the
Windows access control APIs to determine access level. We've used this
strategy in a couple of our applications and are very happy with it.
 
That's what the extended rights objects are there for anyway :)
 
-gil
 
Gil Kirkpatrick
CTO, NetPro
 
Got DEC?


From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Tue 10/19/2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes



I guess they've indexed their attribute?  Either way, it shouldn't be any
faster than querying group membership.

The only danger I see with the custom attribute approach is that it could be
the thin end of the wedge.  The more applications that use this approach the
more custom attributes you will have.  You could end up with a messy schema.
Unless of course you use a single attribute and make it multi-valued.  But
then you're still no different to using group membership.

If the developers think the group membership lookup is slow they could
include a cache mechanism in the application and set a cache refresh
interval for the queries against AD.

Tony
-- Original Message --
From: Creamer, Mark [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 19 Oct 2004 10:44:36 -0400

Sorry, I didn't word that very well. You're right, Lou, that is what they
do. I guess their main point
is that querying an attribute that we create for the purpose seems faster
than when they check the
group membership. I don't know how valid that is...



mc


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou
Vega
Sent: Tuesday, October 19, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] groups vs attributes



I may be missing something in the reading, but why not just query AD based
on the username and
determine if that user object is a member of the group in question instead
of returning a list of all
users for a given group? Another possibility (one you may well have thought
of already but didn't
mention) is that you can filter your search [searcher.Filter =
"(&(objectCategory=user)(sAMAccountName=" & Trim(userName) & "))"]



r/

Lou


Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

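Lou's per-user check above builds the filter by concatenating the raw user name into the string. That is the one detail a practitioner should not carry into an application: any value that comes from the caller has to be escaped per RFC 4515 before it goes into the filter, or a "user name" such as *)(objectClass=* rewrites the query. Added example, not code from the thread, in Python with only the standard library: it escapes the assertion value, builds the memberOf-based per-user filter Lou proposes, and describes the group-side read joe recommends when listing everyone with access. The group DN and account names are hypothetical.

```python
"""Build LDAP search filters for an access check without filter injection.

Added example (not from the thread).  Group DN and account names are
hypothetical; the functions only produce filter strings and search
parameters, which you would hand to whatever LDAP client the app uses.
"""

APP_GROUP_DN = "CN=App-Users,OU=Groups,DC=example,DC=com"   # hypothetical


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: '*', '(', ')', '\\' and NUL
    become \\XX, as do control and non-ASCII characters (as their UTF-8
    bytes).  The result cannot close or open a filter component."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in "*()\\" or code < 0x20 or code > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_can_access_filter(sam_account_name, group_dn):
    """Per-user check (Lou's approach): does this one account carry the
    group in memberOf?  One entry back means yes.  memberOf is a back-link,
    so it does not reflect nested membership or the user's primary group."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(sAMAccountName=%s)(memberOf=%s))"
        % (escape_filter_value(sam_account_name), escape_filter_value(group_dn))
    )


def group_members_query(group_dn):
    """Listing everyone with access (joe's advice): read the group's member
    attribute with a base-scope search on the group itself instead of
    scanning every user for memberOf.  Returns (base, scope, filter, attrs)."""
    return (group_dn, "base", "(objectClass=group)", ["member"])


def demo():
    """Return the filter for a normal name and for an injection attempt."""
    safe = user_can_access_filter("jsmith", APP_GROUP_DN)
    hostile = user_can_access_filter("*)(objectClass=*", APP_GROUP_DN)
    return safe, hostile


if __name__ == "__main__":
    for f in demo():
        print(f)
```

With escaping in place the hostile name becomes sAMAccountName=\2a\29\28objectClass=\2a, a literal that matches nothing, instead of a wildcard clause that matches everyone. When nesting matters, pair this with an expansion of the group's member attribute on the group side, or on Windows Server 2003 SP2 and later let the DC chase nesting with the LDAP_MATCHING_RULE_IN_CHAIN matching rule on memberOf.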
RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe



Humour!

I wonder if I could slip that by as an MVP Community 
KB...

Do we need a passport to submit? Michael, what's your 
password ID and password... 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, October 28, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

MeOW!

I was asking for documentation for my customer file, thank you! :-)

M




RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Ack, you said SBS... as joe scurries back to the light...


I await the day that someone writes a bad virus that 
targets Domain Controllers. I figure that the SBS machines will be the first to 
get hit with something like that since there are so many vectors to the 
security bastion on that product. 

 joe





RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Eric Fleischman

I usually tackle such issues by first turning up KCC logging to 4 or 5 and seeing if that clues me in.

If you don't see it from that, send me the DS event log after turning KCC logging to 5 and running KCC once + ldif dump of your config NC. With those two I can probably take a good swing at what the issue is.

(send me config offline as I'm sure it is a large attachment)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, October 28, 2004 4:50 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Application Partition Replication

As with the well-known 3 partitions, app. partitions, their connection objects and the resulting replica links are handled by the KCC, ISTG and DRA. Site structure is taken into account, in short they're treated the same as the domain NC with the possible noteworthy exception that their content is ignored by GCs when sourcing partial replicas.

As for the bridgeheading aspect; yes, preferred b'heads will be used if they hold a replica of the partition in question. If the list of preferred b'heads for a particular site does not include a DC in possession of an app. partition then the ISTG will bark, tell you you're a fool and assign one for you (a behavior new to 2003). It is also worth mentioning that the ISTG must be running on a 2003 DC within a particular site in order for app. partitions to get a topology built for them but since 2003 DCs steal the ISTG role when added to a site containing no other 2003 DCs that isn't really a problem (especially since you have to have at least one 2003 DC within a site in order for an app. partition to be present there in the first place).

There are, of course, other behavioral differences 'tween app. partitions and their domain counterparts but I can't think of any that warrant mentioning in this context.

Specific to your error, have you disabled site link bridging? A description of your site topology, the DCs within those sites and which of those DCs are or were running 2003's DNS service would be most useful.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 28, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Application Partition Replication

We started seeing strange problems with our Directory replication recently when bringing up new Windows 2003 DC in our Hub and Spoke Site design. Our network has a lot of firewalls, domains, and business units, and we have managed to coordinate most of the firewalls in the business units to allow full communications to the central site.

The tech working on the problem says that MSFT says Application Partitions replicate differently than GCs and Domains. Adding further Application Partitions can sometimes choose different connections to replicate their data across. I don't necessarily believe the tech at this point, so I ask you all. Do application partitions replicate differently? Is there a way to force them to use hub and spoke topology, and not try to replicate outside the site links? Also do they use Preferred Bridge Head Servers as other partitions do?

Thanks,

Todd


Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 10/28/2004
Time: 4:18:45 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer:
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
DC=ForestDnsZones,DC=DHHSSECURITY,DC=LOCAL

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

User Action

Use Active Directory Sites and Services to perform one of the following actions:

- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.

- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.


RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread joe

Yeah so basically for replication[1]...

App partitions are different because they don't replicate into "the GC".

Another arguable difference is that you explicitly pick which machines have the partition. I say that is arguable because you do pick which domain controllers get which domain partitions, you promote them into the specific domain you want the partition of... It is a bit of a stronger pick, but you are picking.

Other than that, it is the same. For replication you want to think of each partition all on its own. An App partition is just another partition. If you have a connection between a couple of sites and the servers involved (current BH's for the sites) don't have the partition that needs to replicate between the sites, another connection will be made. It is the whole you can have multiple bridgeheads for a site thing based on the partitions that has always been there. Think about if you had two sites with 2 DCs in each site (each from a different domain). One BH DC in each site can not service both domains so new connections will be made.

 joe

[1] Only responding because Dean used ISTG more than 3 times in a single email.


RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joseph.e.kaplan

That's a good approach, especially for those particular types. The problem is basically impossible to solve in general, but you can make some good guesses in some cases.

Do you try to parse the abstract schema (CN=Aggregate,CN=Schema...) or read the individual attribute entries?

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs





> Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules engine for trying different things (like 16 byte binary is probably a guid, etc.).



Hmm which class is that - domainTrust? Not familiar with it. Does adfind work correctly with it?

I used to hard code it but maintaining the table was a pain in the arse, I fixed that in December 2002 (V1.09.00). Now I pull part of the schema up front when adfind runs and pull out GUIDs, SIDs, SDs, and other binary data so I can figure out how I want it displayed. You should notice anything it can identify as a GUID displayed in the pretty {xxx-xxx-xxx-xxx-xxx} format, SIDs should be displayed in their format S-1-5-xx--xx-xxx, SDs will get displayed as {Security Descriptor} unless the option to display the SDDL is turned on, and binary should be displayed as a hex dump broken up into 4 bytes (if I recall correctly) a chunk.

Anyway, I look at the attribute syntax first. If it is 2.5.5.17, it is a SID. If it is 2.5.5.15 it is an SD. If it is 2.5.5.10 and range upper and lower are 16 it is probably a GUID.

Don't tell anyone how I do it. It is an ancient joeware trick that I busted my bum trying to figure out because it was not well documented... We'll just keep it a secret between all of us. I figured I would put it in a book some day. So consider this email copyrighted. :)

Oh yeah, I realized that some times I wouldn't want that overhead so the -dloid option is available that tells it not to load the schema first and then it falls back to a small hardcoded list.

 joe

Copyright 2004 joeware.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 1:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs


No reference yet really, but here are a couple of pointers:

With S.DS, anything stored as octet string in AD/ADAM is marshaled to .NET as a byte[]. This means, to get the binary data, you would just do something like (from the results of a search with DirectorySearcher):

byte[] binarySid = (byte[]) result.Properties["securityIdentifier"][0];

I'm assuming you already know how to use the DirectorySearcher to search for the trusts as I'm pretty sure I remember you talking about doing some of this stuff before. If you need more details, please respond.

To convert to string SID, you basically have to do a p/invoke to the API function (which is quite easy) unless you are already on 2.0, which has a managed SID class (which I haven't used yet, but assume works fine).

The p/invoke wiki has a nice ConvertSidToStringSid sample (www.pinvoke.net) or you can get a nice managed library for all Win32 security functions and such here at GotDotNet:

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

I'm not sure which method is going to get you there faster, especially if you are already done using the adfind method :), but I do agree with Joe that script simply isn't suitable for dealing with binary data in AD (or 8 byte integers for that matter).

Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules 

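What joe describes above (decide by attributeSyntax, then render), together with the binary-SID-to-string step Joe K. asks about, as an added example written in Python rather than C# or p/invoke; it is not adfind's, ldp.exe's or the thread's code. The SCHEMA dict is a constructed stand-in for the attributeSchema entries (attributeSyntax, rangeLower, rangeUpper) a tool would read from the schema NC; the SID layout and the little-endian GUID byte order are the documented Windows formats.

```python
"""Render AD binary attribute values by schema syntax: SID, SD, GUID, octets.

Added example (not from the thread or from adfind).  SCHEMA is a
constructed excerpt: attribute name -> (attributeSyntax, rangeLower, rangeUpper).
"""
import struct
import uuid

SCHEMA = {
    "objectSid":            ("2.5.5.17", None, None),
    "securityIdentifier":   ("2.5.5.17", None, None),
    "nTSecurityDescriptor": ("2.5.5.15", None, None),
    "objectGUID":           ("2.5.5.10", 16, 16),
    "userCertificate":      ("2.5.5.10", None, None),
}


def classify(attribute_name, schema=SCHEMA):
    """joe's rule: 2.5.5.17 -> SID, 2.5.5.15 -> security descriptor,
    2.5.5.10 with rangeLower == rangeUpper == 16 -> probably a GUID,
    any other 2.5.5.10 -> plain octet string, everything else -> other."""
    syntax, lower, upper = schema.get(attribute_name, (None, None, None))
    if syntax == "2.5.5.17":
        return "sid"
    if syntax == "2.5.5.15":
        return "sd"
    if syntax == "2.5.5.10":
        return "guid" if (lower, upper) == (16, 16) else "octet"
    return "other"


def sid_to_string(blob):
    """Binary SID -> 'S-R-A-s1-s2-...': revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then 'count'
    little-endian 32-bit sub-authorities.  The length is checked against
    the count so a truncated or padded value is rejected, not mis-decoded."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("not a revision-1 SID")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_to_string(blob):
    """objectGUID stores the first three fields little-endian (bytes_le)."""
    if len(blob) != 16:
        raise ValueError("GUID must be 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=bytes(blob))


def render(attribute_name, blob, schema=SCHEMA):
    """Display a binary value the way its syntax says it should be read."""
    kind = classify(attribute_name, schema)
    if kind == "sid":
        return sid_to_string(blob)
    if kind == "guid":
        return guid_to_string(blob)
    if kind == "sd":
        return "{Security Descriptor}"   # SDDL rendering is out of scope here
    # Fallback: hex dump in 4-byte groups
    return " ".join(blob[i:i + 4].hex() for i in range(0, len(blob), 4))


if __name__ == "__main__":
    # Constructed domain SID S-1-5-21-1000-2000-3000 (4 sub-authorities)
    sid = bytes([1, 4, 0, 0, 0, 0, 0, 5]) + struct.pack("<4I", 21, 1000, 2000, 3000)
    print(render("securityIdentifier", sid))
    print(render("objectGUID", uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le))
    print(render("userCertificate", b"\x30\x82\x03\x1a\x30\x82"))
```

The syntax check is the robust part: it keys off the attributeSchema entry rather than a list of attribute names, so a securityIdentifier on a trustedDomain object is handled the same as objectSid on a user without anyone maintaining a table.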
RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Darren Mar-Elia



A logoff script is likely the only way this is going to 
work. Mostly because there is nothing in policy processing that runs at logoff 
(other than a logoff script of course and that actually runs outside of policy 
processing). One thing you could do, if you don't really need to remove the 
whole app, is just remove the "presence" of the app. You could setup the package 
so that things like shortcuts, file extension associations and COM ProgIDs are 
part of a separate feature and then just remove that feature with an msiexec 
command-line call in your logoff script. That way, even though the app is still 
installed, the user would have to hunt pretty hard to run it. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, October 28, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] install on logon, uninstall on logoff

Robbie and I chat just about every day. 
:-P

Robbiesaid that that was a section that Alistair 
wrote, but that as far as he knew, a logoff script was the only way to do it. I 
messed around with it a little bit and found that it's non-obvious, and somewhat 
slow, but it surely can be done.

Thanks for following up,
M


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Thursday, October 28, 2004 4:34 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] install on 
logon, uninstall on logoff

Did you get an answer on this one Michael? We can hunt 
Robbie down for an anwer if not.

joe


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
SmithSent: Tuesday, September 07, 2004 10:09 AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] install on logon, 
uninstall on logoff

In Robbie Allen's 
book (Active Directory Second Edition) he mentions installing a new package on 
logon and then uninstalling that package on logoff using GP. (Chapter 7, page 
96, top paragraph on the page.)

Installing on logon 
is easy. Uninstalling on logoff - how? A logoff script is the only way I see. 
But the book implies another solution...

What am I 
missing?

Thanks,
M



RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith



You can use your own, Mr. HumorExpress! :-)

M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 6:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Humour!

I wonder if I could slip that by as an MVP Community KB...

Do we need a passport to submit? Michael, what's your password ID and password...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, October 28, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

MeOW!

I was asking for documentation for my customer file, thank you! :-)

M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Don't install Exchange on a Domain Controller, even you Michael B. Smith

Article ID   : 994678345
Last Review  : October 28, 2004
Revision     : 1.0
This article was previously published under Q994678345

SYMPTOMS

In a Windows 2000 domain some people like to install Exchange on a Domain Controller. They also like to use them for file and print as well or for other not authentication/authorization services. They sometimes find they run into security and/or stability issues.

CAUSE

This behavior occurs typically occurs when because they installed products on a domain controller which is supposed to be the bastion of your enterprise security, not handling menial services such as exchange and file sharing et alii.

RESOLUTION

To resolve this problem, remove the non authentication/authorization related services from the domain controller.

STATUS

Microsoft has confirmed that this is a problem in the real world. This problem was first corrected when people started treating the DCs like a KDC and not a regular server.

APPLIES TO

All versions of Windows that run as Domain Controllers

:o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC

I've run across a couple of KB articles regarding the issues of promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me, I didn't bookmark them.

Does anyone have those handy? My google-fu is not up-to-par today apparently...the ones I've found (plus summary) are:

822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is installed

The only one I've found that directly affects the search I'm on is the last (822575).

Thanks,
M



RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Myrick, Todd (NIH/CIT)
Thanks Dean,

I figured as much. The explanation offered by the AD team was that MSFT said application partitions are replicated differently and have special requirements in 2K3.

I think the reason we are having the issues is because 2003 AD is a little more sensitive to spanning trees that aren't closed, and warns you a lot more about them. So if your Site Design is a little off, you will see these types of problems.

What happened was we disabled Site Link Bridging by default and created a hub and spoke design and created a manual site link bridge that linked all the sites. For the most part this worked pretty well (the bridgeheads established), but slowly one of the business units started enabling firewalls between their remote sites and the hub, so we started seeing connection objects appear on the remote sites. Working with PSS they said that if we wanted to enforce the Hub and Spoke replication architecture and not have the connection objects spring up when connectivity issues arise, to get rid of the Site Link Bridge that bridged all the sites. So we removed it. Replication and the KCC looked good, then about a week later we started getting reports that replication was not working in one of our Business Units' Domains. So the AD Backup Admin decided to create two site link bridges to just include the sites of that Business Unit's Domains (supposedly as a temporary fix until they could negotiate the firewall ports to be open). The temporary SLBs still haven't been removed, and there are still issues with firewalls and that Business Unit.

I hope this gets resolved, but I have transferred from the Central Operations Group to one of the major BUs at NIH to assist them with AD consolidation efforts, and upgrading to AD 2003. So my direct involvement is limited at this time.

To be honest: Firewalls and fragmented BUs in a Single Forest are a lot of work. Think hard before considering Single Forest in this scenario.

Todd Myrick

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 5:50 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Application Partition Replication

As with the well-known 3 partitions, app. partitions, their connection objects and the resulting replica links are handled by the KCC, ISTG and DRA. Site structure is taken into account; in short they're treated the same as the domain NC with the possible noteworthy exception that their content is ignored by GCs when sourcing partial replicas.

As for the bridgeheading aspect; yes, preferred b'heads will be used if they hold a replica of the partition in question. If the list of preferred b'heads for a particular site does not include a DC in possession of an app. partition then the ISTG will bark, tell you you're a fool and assign one for you (a behavior new to 2003). It is also worth mentioning that the ISTG must be running on a 2003 DC within a particular site in order for app. partitions to get a topology built for them, but since 2003 DCs steal the ISTG role when added to a site containing no other 2003 DCs that isn't really a problem (especially since you have to have at least one 2003 DC within a site in order for an app. partition to be present there in the first place).

There are, of course, other behavioral differences 'tween app. partitions and their domain counterparts but I can't think of any that warrant mentioning in this context.

Specific to your error, have you disabled site link bridging? A description of your site topology, the DCs within those sites and which of those DCs are or were running 2003's DNS service would be most useful.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 28, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Application Partition Replication

We started seeing strange problems with our Directory replication recently when bringing up new Windows 2003 DCs in our Hub and Spoke Site design. Our network has a lot of firewalls, domains, and business units, and we have managed to coordinate most of the firewalls in the business units to allow full communications to the central site.

The tech working on the problem says that MSFT says Application Partitions replicate differently than GCs and Domains. Adding further, Application Partitions can sometimes choose different connections to replicate their data across. I don't necessarily believe the tech at this point, so I ask you all. Do application partitions replicate differently? Is there a way to force them to use hub and spoke topology, and not try to replicate outside the site links? Also do they use Preferred Bridge Head Servers as other partitions do?

Thanks,

Todd

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge 
RE: [ActiveDir] AD replication impact from inserting OU in the middle?

2004-10-28 Thread joe
Hmmm, interesting question. I think it would just have to send the new DNs
around to everything. If you have any change in security in that new level
that could cause some work for the DCs as well.

I don't think I would be as concerned about replication as I would about
hard coded DNs in non-linked attributes or in applications. I have seen LDAP
based LOB apps fail spectacularly with mass moves of objects from one
location to another in AD. Once had a finance app that assumed users would
be in a specific place even though we said over and over again they would be
subject to moving and it wouldn't be announced since the moves would be
driven by local admins for putting users in specific GPO OUs but still the
finance app assumed a specific structure and sure enough, a mass of users
were moved and their app blew up horribly. What was worse, they had no one
who had any clue what the app was really doing so I ended up troubleshooting
their perl to find the issue. 

This is actually a decent sized problem in any medium to fairly large
environment because anyone can write or integrate an LDAP app into your
architecture without DA/EA involvement. You usually don't find out about
them until you take down a DC that they hard coded to or change the
structure of the directory that you hard coded to or something else that
breaks them based on their assumptions on what would always be.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, October 18, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD replication impact from inserting OU in the middle?

We might want to insert an OU placeholder in the middle of our Active
Directory structure, i.e., changing cn=abc,.,ou=def,dc=xyz,dc=com
to cn=abc,.,ou=def,ou=GHI,dc=xyz,dc=com.  Can anyone give me an idea
of what impact this will cause on replication?  We have multiple root DCs
with one on a slow link.  I contend that every object below the new OU
structure will at least have its Distinguished Name rewritten (other
attributes also?).  Some discussion has ensued.  Any comments are
appreciated!  Thanks!

Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Robert Rutherford
*Rob snuggles up close to SBS2003 and puts his arm around her*

*He whispers* 'It's OK... you may not be the most secure system but I still think you're kinda sexy'

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 28/10/2004 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Ack, you said SBS... as joe scurries back to the light...

I await the day that someone writes a bad virus that targets Domain Controllers. I figure that the SBS machines will be the first to get hit with something like that since there are so many vectors to the security bastion on that product.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Um, SBS users don't have a choice...

===
Scanned for virus infection by Messagelabs
===


RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread Brian Desmond
trustedDomain. The attribute is securityIdentifier, syntax is SID. There is another documented attribute, domainIdentifier, but it seems to be null on the 356 (give or take a few) incoming NT4/W2k/W2k3 trusts I have. I ended up just sending an adfind dump. It satisfied the requirement.

--Brian

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

> Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules engine for trying different things (like 16 byte binary is probably a guid, etc.).

Hmm which class is that - domainTrust? Not familiar with it. Does adfind work correctly with it?

I used to hard code it but maintaining the table was a pain in the arse, I fixed that in December 2002 (V1.09.00). Now I pull part of the schema up front when adfind runs and pull out GUIDs, SIDs, SDs, and other binary data so I can figure out how I want it displayed. You should notice anything it can identify as a GUID displayed in the pretty {xxx-xxx-xxx-xxx-xxx} format, SIDs should be displayed in their format S-1-5-xx--xx-xxx, SDs will get displayed as {Security Descriptor} unless the option to display the SDDL is turned on, and binary should be displayed as a hex dump broken up into 4 bytes (if I recall correctly) a chunk.

Anyway, I look at the attribute syntax first. If it is 2.5.5.17, it is a SID. If it is 2.5.5.15 it is an SD. If it is 2.5.5.10 and range upper and lower are 16 it is probably a GUID.

Don't tell anyone how I do it. It is an ancient joeware trick that I busted my bum trying to figure out because it was not well documented... We'll just keep it a secret between all of us. I figured I would put it in a book some day. So consider this email copyrighted. :)

Oh yeah, I realized that sometimes I wouldn't want that overhead so the -dloid option is available that tells it not to load the schema first and then it falls back to a small hardcoded list.

joe

Copyright 2004 joeware.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 1:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

No reference yet really, but here are a couple of pointers:

With S.DS, anything stored as octet string in AD/ADAM is marshaled to .NET as a byte[]. This means, to get the binary data, you would just do something like (from the results of a search with DirectorySearcher):

byte[] binarySid = (byte[]) result.Properties["securityIdentifier"][0];

I'm assuming you already know how to use the DirectorySearcher to search for the trusts as I'm pretty sure I remember you talking about doing some of this stuff before. If you need more details, please respond.

To convert to string SID, you basically have to do a p/invoke to the API function (which is quite easy) unless you are already on 2.0, which has a managed SID class (which I haven't used yet, but assume works fine).

The p/invoke wiki has a nice ConvertSidToStringSid sample (www.pinvoke.net) or you can get a nice managed library for all Win32 security functions and such here at GotDotNet:

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

I'm not sure which method is going to get you there faster, especially if you are already done using the adfind method :-), but I do agree with Joe that script simply isn't suitable for dealing with binary data in AD (or 8 byte integers for that matter).

Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do 
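
As an added example (not adfind's code nor anything posted in the thread), here are joe's attributeSyntax rules above and the binary-SID-to-string conversion the .NET reply hands off to ConvertSidToStringSid, in Python. The OIDs 2.5.5.17, 2.5.5.15 and 2.5.5.10 come from joe's message; the schema rows, the -dloid fallback table and the byte strings are constructed for the demo.

```python
"""Schema-driven rendering of AD binary attributes (added example, not
adfind's code). The three attributeSyntax OIDs are the ones joe names; the
sample schema, fallback table and byte strings below are constructed."""
import struct
import uuid

# attributeSyntax OIDs named in joe's message
SYNTAX_SID = "2.5.5.17"      # String(Sid)
SYNTAX_SD = "2.5.5.15"       # String(NT-Sec-Desc)
SYNTAX_OCTET = "2.5.5.10"    # String(Octet): GUIDs and arbitrary binary

# Constructed stand-in for the slice of the schema adfind pulls up front:
# attribute name -> (attributeSyntax, rangeLower, rangeUpper)
SAMPLE_SCHEMA = {
    "objectSid": (SYNTAX_SID, None, None),
    "securityIdentifier": (SYNTAX_SID, None, None),   # trustedDomain objects
    "nTSecurityDescriptor": (SYNTAX_SD, None, None),
    "objectGUID": (SYNTAX_OCTET, 16, 16),
    "userCertificate": (SYNTAX_OCTET, None, None),
}

# Small hard-coded list used when the schema is not loaded (the behaviour
# joe describes for -dloid; which names adfind keeps there is an assumption).
FALLBACK_KINDS = {
    "objectSid": "sid",
    "securityIdentifier": "sid",
    "nTSecurityDescriptor": "sd",
    "objectGUID": "guid",
}


def classify(attribute_syntax, range_lower=None, range_upper=None):
    """Map schema data to a display kind using joe's three rules."""
    if attribute_syntax == SYNTAX_SID:
        return "sid"
    if attribute_syntax == SYNTAX_SD:
        return "sd"
    if attribute_syntax == SYNTAX_OCTET and (range_lower, range_upper) == (16, 16):
        return "guid"
    return "binary"


def sid_to_string(raw):
    """Decode a binary SID: revision byte, sub-authority count byte, 6-byte
    big-endian identifier authority, then N little-endian 32-bit sub-authorities."""
    raw = bytes(raw)
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def guid_to_string(raw):
    """objectGUID is stored as 16 mixed-endian bytes (the bytes_le layout)."""
    raw = bytes(raw)
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=raw)


def hex_dump(raw, group=4):
    """Generic binary: hex broken into 4-byte chunks, like adfind's default."""
    raw = bytes(raw)
    return " ".join(raw[i:i + group].hex() for i in range(0, len(raw), group))


def render(attribute, raw, schema=SAMPLE_SCHEMA):
    """Render one raw attribute value. schema=None mimics the -dloid fallback."""
    if schema is None:
        kind = FALLBACK_KINDS.get(attribute, "binary")
    else:
        kind = classify(*schema[attribute]) if attribute in schema else "binary"
    if kind == "sid":
        return sid_to_string(raw)
    if kind == "guid":
        return guid_to_string(raw)
    if kind == "sd":
        return "{Security Descriptor}"   # SDDL conversion not shown here
    return hex_dump(raw)


# Constructed sample values
LOCAL_SYSTEM_SID = bytes.fromhex("010100000000000512000000")   # S-1-5-18
DOMAIN_USER_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1234567890, 987654321, 111222333, 1105)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le

if __name__ == "__main__":
    print(render("objectSid", DOMAIN_USER_SID))
    print(render("objectGUID", SAMPLE_GUID))
    print(render("userCertificate", b"\x30\x82\x01\x0a\x02\x82"))
    print(render("securityIdentifier", LOCAL_SYSTEM_SID, schema=None))
```

The length check in sid_to_string is the part a p/invoke to ConvertSidToStringSid does for you; a truncated or padded value raises rather than silently printing a wrong SID.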

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Brian Desmond










I never use user assigned SW. Is there an "Uninstall SW when it falls out of the scope of mgmt" checkbox for user assigned stuff? This tells a PC to uninstall the SW if the GPO no longer applies.

Thanks.

--Brian Desmond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] install on logon, uninstall on logoff

Did you get an answer on this one Michael? We can hunt Robbie down for an answer if not.

joe










RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Gil Kirkpatrick
Ew. Too much information!

That picture is going to be stuck in my head for the rest of the day.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

*Rob snuggles up close to SBS2003 and puts his arm around her*

*He whispers* 'It's OK... you may not be the most secure system but I still think you're kinda sexy'




RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Brian Desmond
> *He whispers* 'It's OK... you may not be the most secure system but I still think you're kinda sexy'

So are you saying SBS sleeps around?

Thanks.

--Brian Desmond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

*Rob snuggles up close to SBS2003 and puts his arm around her*

*He whispers* 'It's OK... you may not be the most secure system but I still think you're kinda sexy'


Re: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Rick Boza
OK, now you're frightening me...

On 10/28/04 7:03 PM, Robert Rutherford [EMAIL PROTECTED] wrote:

*Rob snuggles up close to SBS2003 and puts his arm around her*

*He whispers* 'It's OK... you may not be the most secure system but I still think you're kinda sexy'

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 28/10/2004 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Ack, you said SBS... as joe scurries back to the light...
 

I await the day that someone writes a bad virus that targets Domain Controllers. I figure that the SBS machines will be the first to get hit with something like that since there are so many vectors to the security bastion on that product. 
 
 joe
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

Um, SBS users don't have a choice...
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC

 
 
Don't install Exchange on a Domain Controller, even you Michael B. Smith
 

Article ID : 994678345 
Last Review : October 28, 2004 
Revision : 1.0
 
This article was previously published under Q994678345
 

SYMPTOMS
 

In a Windows 2000 domain some people like to install Exchange on a Domain Controller. They also like to use them for file and print as well or for other not authentication/authorization services. They sometimes find they run into security and/or stability issues.
 


CAUSE
 
This behavior occurs typically occurs when because they installed products on a domain controller which is supposed to be the bastion of your enterprise security, not handling menial services such as exchange and file sharing et alii. 
 
RESOLUTION
 
To resolve this problem, remove the non authentication/authorization related services from the domain controller.
 
STATUS
 
Microsoft has confirmed that this is a problem in the real world. This problem was first corrected when people started treating the DCs like a KDC and not a regular server.
 




 
  
APPLIES TO
 
All versions of Windows that run as Domain Controllers
 

 




 :o)
 


 joe
 








 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC



I've run across a couple of KB articles regarding the issues of promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me, I didn't bookmark them.
 


Does anyone have those handy? My google-fu is not up-to-par today apparently... the ones I've found (plus summary) are:
 


822179 - don't change DC status after Exchange is installed
 
305504 - impact of making DC a GC with Exchange installed
 
305065 - impact of removing a GC from a DC with Exchange installed
 
829361 - long shut down time on a DC when Exchange is installed
 
822575 - DS2MB stops running when DC status is removed and Exchange is installed
 


The only one I've found that directly affects the search I'm on is the last (822575).
 


Thanks,
 
M 
 


===
Scanned for virus infection by Messagelabs
===








RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Oh that hurts my stomach laughing that hard... 
 
You could take that all over the place with innuendo... 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, October 28, 2004 7:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC


*Rob snuggles up close to SBS2003 and puts his arm around her*
 
*He whispers* 'It's OK... you may not be the most secure system but I
still think you're kinda sexy'


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 28/10/2004 23:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC


Ack, you said SBS... as joe scurries back to the light...
 
 
I await the day that someone writes a bad virus that targets Domain
Controllers. I figure that the SBS machines will be the first to get hit
with something like that since there are so many vectors to the security
bastion on that product. 
 
  joe
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, October 28, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC


Um, SBS users don't have a choice...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Exchange 2003 on DC




Don't install Exchange on a Domain Controller, even you Michael B. Smith

Article ID   :   994678345  
Last Review  :   October 28, 2004   
Revision :   1.0
This article was previously published under Q994678345

SYMPTOMS

In a Windows 2000 domain some people like to install Exchange on a Domain
Controller. They also like to use them for file and print as well, or for
other non-authentication/authorization services. They sometimes find they
run into security and/or stability issues.
 

CAUSE

This behavior typically occurs because they installed products on a domain
controller, which is supposed to be the bastion of your enterprise security,
not handling menial services such as Exchange and file sharing et alii.

RESOLUTION

To resolve this problem, remove the non authentication/authorization related
services from the domain controller.


STATUS

Microsoft has confirmed that this is a problem in the real world. This
problem was first corrected when people started treating the DCs like a KDC
and not a regular server.
 
 



APPLIES TO

All versions of Windows that run as Domain Controllers
 

 
 
  :o)
 
 joe
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, October 20, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Exchange 2003 on DC


I've run across a couple of KB articles regarding the issues of
promoting/demoting a DC under Exchange 2003 (on the same box). Shame on me,
I didn't bookmark them.
 
Does anyone have those handy? My google-fu is not up-to-par today
apparently... the ones I've found (plus summary) are:
 
822179 - don't change DC status after Exchange is installed
305504 - impact of making DC a GC with Exchange installed
305065 - impact of removing a GC from a DC with Exchange installed
829361 - long shut down time on a DC when Exchange is installed
822575 - DS2MB stops running when DC status is removed and Exchange is
installed
 
The only one I've found that directly affects the search I'm on is the last
(822575).
 
Thanks,
M 
 



RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Darren Mar-Elia



Yes, you can use that option for user-assigned software, but then of course it presumes the user has indeed fallen out of scope, which means you either have to move the user or the GP scope. Probably not practical. Also, the uninstall for this is only done during foreground (i.e. user logon) processing, not at logoff, but maybe that is OK too.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] install on logon, uninstall on logoff



I never use user-assigned SW. Is there an "Uninstall SW when it falls out of the scope of mgmt" checkbox for user-assigned stuff? This tells a PC to uninstall the SW if the GPO no longer applies.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] install on logon, uninstall on logoff

Did you get an answer on this one Michael? We can hunt Robbie down for an answer if not.

joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, September 07, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] install on logon, uninstall on logoff

In Robbie Allen's book (Active Directory, Second Edition) he mentions installing a new package on logon and then uninstalling that package on logoff using GP. (Chapter 7, page 96, top paragraph on the page.)



Installing on logon is easy. Uninstalling on logoff - how? A logoff script is the only way I see. But the book implies another solution...



What am I missing?



Thanks,

M




RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joe



Ah ok, I wondered if that was the one that was being discussed, I didn't want to assume it was something that I knew. That one does work for sure in ADFIND I know. :o)

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 28, 2004 7:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs


trustedDomain. The attribute is securityIdentifier; syntax is SID. There is another documented attribute, domainIdentifier, but it seems to be null on the 356 (give or take a few) incoming NT4/W2k/W2k3 trusts I have. I ended up just sending an adfind dump. It satisfied the requirement.

--Brian

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 28, 2004 3:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

 Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, but it is hard to solve the problem generally. He doesn't have the securityIdentifier attribute for the domainTrust class in his table of binary attributes that are SIDs either (at least on my build of ldp, which is higher than the one that shipped with ADAM). This problem is actually kind of a hard one to solve for all those trying to do AD browsing, so I thought I'd ask. It goes beyond schema into semantics and tends to end up requiring lots of hard-coding and/or a rules engine for trying different things (like 16 byte binary is probably a guid, etc.).

Hmm, which class is that - domainTrust? Not familiar with it. Does adfind work correctly with it?

I used to hard code it but maintaining the table was a pain in the arse, I fixed that in December 2002 (V1.09.00). Now I pull part of the schema up front when adfind runs and pull out GUIDs, SIDs, SDs, and other binary data so I can figure out how I want it displayed. You should notice anything it can identify as a GUID displayed in the pretty {xxx-xxx-xxx-xxx-xxx} format, SIDs should be displayed in their format S-1-5-xx--xx-xxx, SDs will get displayed as {Security Descriptor} unless the option to display the SDDL is turned on, and binary should be displayed as a hex dump broken up into 4 bytes (if I recall correctly) a chunk. 

Anyway, I look at the attribute syntax first. If it is 2.5.5.17, it is a SID. If it is 2.5.5.15 it is an SD. If it is 2.5.5.10 and range upper and lower are 16 it is probably a GUID. 

Don't tell anyone how I do it. It is an ancient joeware trick that I busted my bum trying to figure out because it was not well documented... We'll just keep it a secret between all of us. I figured I would put it in a book some day. So consider this email copyrighted. :)

Oh yeah, I realized that some times I wouldn't want that overhead so the -dloid option is available that tells it not to load the schema first and then it falls back to a small hardcoded list. 



 
joe





Copyright 2004 joeware.net







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 1:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusting Domain SIDs

No reference yet really, but here are a couple of pointers:

With S.DS, anything stored as octet string in AD/ADAM is marshaled to .NET as a byte[]. This means, to get the binary data, you would just do something like (from the results of a search with DirectorySearcher):

byte[] binarySid = (byte[]) result.Properties["securityIdentifier"][0];

I'm assuming you already know how to use the DirectorySearcher to search for the trusts as I'm pretty sure I remember you talking about doing some of this stuff before. If you need more details, please respond.

To convert to string SID, you basically have to do a p/invoke to the API function (which is quite easy) unless you are already on 2.0, which has a managed SID class (which I haven't used yet, but assume works fine). 

The p/invoke wiki has a nice ConvertSidToStringSid sample (www.pinvoke.net) or you can get a nice managed library for all Win32 security functions and such here at GotDotNet:

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

I'm not sure which method is going to get you there faster, especially if you are already done using the adfind method :), but I do agree with Joe that script simply isn't suitable for dealing with binary data in AD (or 8 byte integers for that matter). 

Hey Joe Richards, how 
does ADFind know which binary attributes are SIDs? I know Dmitri has some 
kind of hard-coded lookup table for ldp.exe to handle special conversions of 
some numeric and binary
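As an added example, not code from this thread, from adfind or from S.DS, the following Python shows both things the thread works through: joe's syntax-driven classification (attributeSyntax 2.5.5.17 is a SID, 2.5.5.15 a security descriptor, 2.5.5.10 with rangeLower and rangeUpper of 16 is treated as a GUID, anything else is hex-dumped in 4-byte chunks) and the binary-to-string SID conversion the Oct 25 message points at, done by hand rather than via ConvertSidToStringSid. The SCHEMA table, the hypothetical someBlob attribute and all sample byte strings are constructed for the demonstration; a real tool would read attributeSyntax and the range values from the schema partition, as adfind does, and the conversion rejects malformed SIDs instead of guessing.

```python
"""Classify AD binary attribute values by schema syntax and render them.

Added example, not code from the thread, from adfind or from S.DS. The
SCHEMA table and all sample byte strings below are constructed for the demo.
"""
import struct
import uuid

# attributeSyntax OIDs from the AD schema for the syntaxes discussed above.
SYNTAX_SID = "2.5.5.17"            # String(Sid)
SYNTAX_NT_SEC_DESC = "2.5.5.15"    # String(NT-Sec-Desc)
SYNTAX_OCTET_STRING = "2.5.5.10"   # String(Octet)

# Constructed subset of schema data (what adfind reads up front at run time).
SCHEMA = {
    "securityIdentifier": {"attributeSyntax": SYNTAX_SID},
    "nTSecurityDescriptor": {"attributeSyntax": SYNTAX_NT_SEC_DESC},
    "objectGUID": {"attributeSyntax": SYNTAX_OCTET_STRING,
                   "rangeLower": 16, "rangeUpper": 16},
    "someBlob": {"attributeSyntax": SYNTAX_OCTET_STRING},  # hypothetical attribute
}


def classify_attribute(attribute_syntax, range_lower=None, range_upper=None):
    """Decide how a binary value is displayed: 'sid', 'sd', 'guid' or 'binary'."""
    if attribute_syntax == SYNTAX_SID:
        return "sid"
    if attribute_syntax == SYNTAX_NT_SEC_DESC:
        return "sd"
    if attribute_syntax == SYNTAX_OCTET_STRING and range_lower == 16 and range_upper == 16:
        return "guid"          # a 16-byte octet string is probably a GUID
    return "binary"


def sid_to_string(raw):
    """Convert a binary SID to S-R-I-S... form; reject malformed input instead of guessing."""
    if len(raw) < 8:
        raise ValueError("SID header needs 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)    # 32-bit little-endian each
    # Authorities that do not fit in 32 bits are conventionally shown in hex.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])


def string_to_sid(text):
    """Inverse of sid_to_string, handy for building test data or LDAP filters."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-... SID string")
    revision = int(parts[1])
    authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def guid_to_string(raw):
    """objectGUID is stored in mixed-endian (bytes_le) order; render as {8-4-4-4-12}."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=raw)


def hex_dump(raw, group=4):
    """Fallback display: hex broken into 4-byte chunks."""
    return " ".join(raw[i:i + group].hex() for i in range(0, len(raw), group))


def render_value(attr_name, raw, schema=SCHEMA):
    """Render one attribute value the way a schema-aware browser would."""
    entry = schema.get(attr_name, {})
    kind = classify_attribute(entry.get("attributeSyntax"),
                              entry.get("rangeLower"), entry.get("rangeUpper"))
    if kind == "sid":
        return sid_to_string(raw)
    if kind == "guid":
        return guid_to_string(raw)
    if kind == "sd":
        return "{Security Descriptor}"   # SDDL rendering would go here
    return hex_dump(raw)


if __name__ == "__main__":
    # Constructed sample values.
    builtin_admins = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544
    print(render_value("securityIdentifier", builtin_admins))
    print(render_value("objectGUID", bytes.fromhex("78563412341278561234567812345678")))
    print(render_value("someBlob", bytes.fromhex("0102000000000005")))
```

The length check in sid_to_string is the part worth copying: a SID whose sub-authority count disagrees with the byte length is rejected rather than partially decoded, which is what you want when the value came out of a directory you do not fully control.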