RE: [ActiveDir] backup script

We had the same problem and solved it using a query to the event log to see if the backup has finished and then proceed with the rest of the script.

BR//Bart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, January 20, 2005 23:21
To: Send - AD mailing list
Subject: RE: [ActiveDir] backup script

CORRECTION - Having taken a look at this now, I'd go with Deji on this one ... the script shouldn't proceed until NTBACKUP has exited ... something else methinks.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 20, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] backup script

Are you sure that the service is not auto-restarting itself? Look at the service's properties. The NTBACKUP line should finish ALL the backup before going to the next line.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Thu 1/20/2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] backup script

Yeah, but I'm also backing up another set of folders. So the steps are (roughly)...

Stop service A
Backup various folders + AD
Restart Service A

What's happening is Service A restarts before Backup has completed, causing a few files in the folder to be locked and not backed up. I want the service restart to wait until ntbackup has exited. I'm looking now at the START command with /WAIT switch. Am I on the right track?

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 20, 2005 4:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] backup script

If you are doing the backup through a batch script, then after the backup is completed, it should return to the next line in the batch script. Is that what you are asking?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Thu 1/20/2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] backup script

In my test lab, I have NTBackup running a nightly backup of the test AD via a script. I would like to add additional steps to the script, but I'm not sure how to capture that NTBackup has completed and exited before the next command runs. Anyone know how to do that? Thanks!

Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
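Added example, not from anyone in the thread: the stop / backup / restart sequence Mark describes, written so that the restart cannot run until ntbackup.exe has actually exited (the same effect as START /WAIT in a batch file). The service name, the .bks selection file (assumed to list the folders plus System State) and the target .bkf path are assumptions; the ntbackup command-line syntax is the documented Windows Server 2003 form.

```powershell
# Added example (not the thread author's script). Assumptions: a PowerShell host is
# available on the backup box, and the names below exist in your environment.
$ServiceName   = 'ServiceA'                 # placeholder: service whose files get locked
$SelectionFile = 'C:\backup\nightly.bks'    # assumed NTBackup selection file (folders + System State)
$BackupFile    = 'D:\backups\nightly.bkf'   # assumed backup target

function Invoke-BackupWithServiceStopped {
    param(
        [string]$Service,
        [string]$Selection,
        [string]$Target
    )

    # Stop first so the files the service holds open are not skipped or locked.
    Stop-Service -Name $Service -ErrorAction Stop

    try {
        # Documented syntax: ntbackup backup "@selection.bks" /j "job name" /f "file.bkf"
        # -Wait blocks until the ntbackup.exe process itself has exited, which is the
        # condition the thread is after; nothing after this line runs while it is alive.
        $proc = Start-Process -FilePath 'ntbackup.exe' `
            -ArgumentList "backup `"@$Selection`" /j `"Nightly AD`" /f `"$Target`"" `
            -Wait -PassThru -NoNewWindow
        return $proc.ExitCode
    }
    finally {
        # Restart even if the backup failed, but only after ntbackup has gone away.
        Start-Service -Name $Service
    }
}

function Get-ServiceRecoveryActions {
    # Deji's point: if the service still comes back early, check whether the SCM's
    # recovery actions are restarting it; 'sc.exe qfailure' prints them.
    param([string]$Service)
    return (& sc.exe qfailure $Service) -join "`n"
}

# Usage (assumed values); the exit code is logged so a failed night is visible.
$exit = Invoke-BackupWithServiceStopped -Service $ServiceName -Selection $SelectionFile -Target $BackupFile
Write-Host "ntbackup exited with code $exit"
```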
[ActiveDir] Loose vs strict replication consistency

OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct?

- W2K DC all SPs: loose
- W2K DC upgraded to W2k3: loose
- w2k3 DC fresh built into existing forest: loose
- w2k3 DC fresh built into new forest: strict

I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt loose as the default behaviour. Lingering objects may occur and can be removed as and when detected.

I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=

Thanks,
neil

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
RE: [ActiveDir] Loose vs strict replication consistency

Hi Neil,

I think the following kb provides the requested info.

http://support.microsoft.com/kb/317097

Cheers,
John

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, 21 January 2005 11:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loose vs strict replication consistency

OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct?

- W2K DC all SPs: loose
- W2K DC upgraded to W2k3: loose
- w2k3 DC fresh built into existing forest: loose
- w2k3 DC fresh built into new forest: strict

I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt loose as the default behaviour. Lingering objects may occur and can be removed as and when detected.

I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=

Thanks,
neil

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Loose vs strict replication consistency

With respect, I would argue that this article, like many others, explains what the *terms* mean and how they affect the behaviour on the DC in question, but *not* what the default behaviour is across the various versions and SPs. :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: 21 January 2005 11:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Loose vs strict replication consistency

Hi Neil,

I think the following kb provides the requested info.

http://support.microsoft.com/kb/317097

Cheers,
John

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, 21 January 2005 11:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loose vs strict replication consistency

OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct?

- W2K DC all SPs: loose
- W2K DC upgraded to W2k3: loose
- w2k3 DC fresh built into existing forest: loose
- w2k3 DC fresh built into new forest: strict

I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt "loose" as the default behaviour. Lingering objects may occur and can be removed as and when detected.

I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=

Thanks,
neil
RE: [ActiveDir] LDAP export pros/cons

I'll take a hard look at this option. I do have an ISA server on the intranet/dmz segment that I could add another NIC to and route that NIC on the extranet segment. To answer your question I do have internal network connectivity with the third party via a fiber connection in the same building separated by a Cisco PIX on our end.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 3:42 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

The crazy thing here, is that they'd have to have the password too in order to make this a single or simplified-sign-on solution. I'd see that as a major issue. A trust has likely more access than you would want. Have you looked at what RADIUS solutions can do for you? Something along the lines of this http://www.isaserver.org/tutorials/ISA2004-RADIUS-Authentication-Web-Publishing-Rules-Part1.html with a little creativity might give you what you want. The third-party host would use your reverse-proxy to permit or deny access. You'd have to allow access via the network at some point but the RADIUS server could be in the extranet/dmz to help off-set some possible concerns. I don't know as I'd use a regular trust for them however. I think this is a case of best tool for the job. Unless you have network connectivity with them already?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal. Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an ldap export assuming this is going to be a long term solution.

The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name password. I do not want to give out any more information than that about my users. Thanks for the quick responses.

R-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 2:27 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Not sure there are any documented risks. Risks being relational to the entity taking them. However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing. I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really. If that's the case, then it's possible you could be giving out the account information to a non-trusted source. The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?" Some folks wouldn't have a problem giving out that information. Others would. You'll need to assess that risk based on the information you plan to give out. Email addresses are a unique identifier by the way. And usually public knowledge.

From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

That's correct. Looking for risks associated

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a semi-trusted third party? Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server?

We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extra-net environment.

Any guidance or advice would be appreciated.

Robert

The information contained in this e-mail transmittal, including any attached document(s) is confidential. The information is intended only for the use of the named recipient. If you are not the named
RE: [ActiveDir] LDAP export pros/cons

Maybe I'm not seeing the big picture of how this can be done with website redirection. Is it just a matter of making one mutual user account on both my web server and the third party portal server that is trusted by both machines and using that account to pass the web traffic after the users authenticate to my site?

My ultimate goal is to keep my risk and exposure of user names/passwords/authentication to the bare minimum and still get the desired effect of not maintaining two user names/passwords per user. It's not that the third party isn't trusted as much as they aren't careful or vigilant in their security configurations and we have no control over that situation. We are trying to keep the attack surface coming from their side as small as possible because we are required to make the portal work for our users.

I think I have a grasp on how a reverse proxy web publishing can achieve this and still keep everything encrypted and semi secure using certificates.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Friday, January 21, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP export pros/cons

Not worked that much on the 3rd party integrations, but have an idea. Can you try to do authentication re-directions to that site - I mean instead of people going to the 3rd party site for authentication, can they come to your own website and get authenticated through your LDAP or RSA server and get re-directed to the desired locations.

Regards,
Chandra

On Thu, 20 Jan 2005 23:54:28 -0500, joe [EMAIL PROTECTED] wrote:

Ditto. Whomever is running that web site gets to see all of the clear text passwords for every user that authenticates. I would say that is giving out a bit more info to the third party than you would normally like to supply. Heck I don't even like doing that on intranet sites run by people in the same company let alone someone outside of the company.

Sort of on par with saying, hi, here are my most sensitive parts and giving them to a third party and asking them to be nice to them.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 6:54 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Interesting. I may just not understand what you have in mind. I would agree, but I'm leery of ldap bind for authentication in this scenario. In addition, it seems that it would not really provide the full amount of usefulness to the solution since the user has to also remember a different set of creds if they use this portal with dual id. Am I just misunderstanding, or were you thinking of something different??

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, January 20, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

Here's a common scenario, where an application like the web portal outsources authentication to an external directory but retains authorization: your user hits the web portal and gets a prompt for her login ID and password. She enters that information and hits the OK button, and your portal then attempts to do an authenticated bind to the user's object in the LDAP directory, using the submitted ID and password. If the bind is successful, then the LDAP directory returns a successful acknowledgement to the portal. The portal hears that the user ID and password are correct, so the portal can then present the user with the appropriate content based on the portal permissions assigned to her account.

The key here is that there has to be a common identifier in the portal and LDAP directory, so that the user gets the right stuff (based on the authorization in the portal) as a result of successful LDAP login (based on the LDAP authentication). Typically the common identifier is the logon ID, so that the portal knows that a successful LDAP bind to jane.doe should be associated with the jane.doe object in the portal.

It would be a good idea to ask what specific attributes the portal is looking for, or even the syntax of the LDAP queries they hope to issue.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal. Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an ldap export assuming this is going to be a long term solution. The only thing we are trying
[ActiveDir] FW: Viewing Password Expiration History

Good morning everyone! (I guess that depends on where you are.)

Long time lurker here so I'd first like to thank everyone for all the info I've absorbed from this group.

OK my question: Is there any way to view when a user's PW had expired once they have set a new one? Long story so I won't get into it but this info would have come in handy a few times. I haven't done extensive research but I have searched, plus I have viewed the user's properties in ADSI and LDP to no avail. I am not an expert by any means with ADSI and LDP so it is quite possible I have missed something.

Thanks for any input.

Windows 2003 Domain - Native

p.s. You might receive this message twice since I screwed up and sent it to ActiveDir-owner first... sorry!

***
Paul A Simpsen
Information Technology
Infrastructure Services Team
University of Oklahoma Health Sciences Center
405-271-2262 x 50230
Fax: 405-271-2181
***

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
RE: [ActiveDir] FW: Viewing Password Expiration History

Let me play it back to be sure I have it correctly. You want to be able to go back and look at a current Directory object after they were forced to change their password and look to see when the user's password expired which then forced them to change the password?

If so, to my knowledge, this information is no longer available (relevant?) once they have reset their password. No field such as passwordLastExpired or anything like that. You could use auditing to find out, but you'd have to rely on them trying to login and being forced to change the password. More likely: you could run daily polls to find out whose passwords are going to expire and keep that data in a separate reporting db. Could be scripted pretty quickly I would imagine.

I'm curious though, what good would that data do? Can you give some more detail?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Friday, January 21, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Viewing Password Expiration History

Good morning everyone! (I guess that depends on where you are)

Long time lurker here so I'd first like to thank everyone for all the info I've absorbed from this group.

OK my question: Is there any way to view when a user's PW had expired once they have set a new one? Long story so I won't get into it but this info would have come in handy a few times. I haven't done extensive research but I have searched, plus I have viewed the user's properties in ADSI and LDP to no avail. I am not an expert by any means with ADSI and LDP so it is quite possible I have missed something.

Thanks for any input.

Windows 2003 Domain - Native

p.s. You might receive this message twice since I screwed up and sent it to ActiveDir-owner first. sorry!

Paul A Simpsen
University of Oklahoma Health Sciences Center
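Added example, not from Al or Paul: the daily poll Al suggests, done with System.DirectoryServices so it needs no extra tooling. Each run computes every enabled user's password expiry from pwdLastSet and the domain's maxPwdAge and appends a dated row to a CSV, which plays the role of the "separate reporting db"; the search root and CSV path are assumptions. It applies to a single domain password policy (the Windows 2003 case in the thread); fine-grained policies on later domain levels are not handled.

```powershell
# Added example (not from the thread). Assumes: System.DirectoryServices is available,
# the account running it can read user objects, and the two paths below are yours.
Add-Type -AssemblyName System.DirectoryServices

$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: password never expires

function Get-PasswordExpiryState {
    # Pure calculation, kept separate from the directory calls so the edge cases are visible:
    #   pwdLastSet == 0          -> user must change at next logon (no expiry date to report)
    #   DONT_EXPIRE flag or      -> never expires
    #   maxPwdAge == 0 (policy)
    param(
        [int64]$PwdLastSet,     # raw FILETIME value from the user object
        [int]$Uac,              # userAccountControl
        [int64]$MaxAgeTicks,    # positive 100ns ticks; 0 means "passwords never expire"
        [datetime]$Now          # UTC
    )
    if ($PwdLastSet -eq 0) {
        return @{ State = 'MustChangeAtNextLogon'; ExpiresOn = $null }
    }
    if (($Uac -band $DONT_EXPIRE_PASSWD) -ne 0 -or $MaxAgeTicks -eq 0) {
        return @{ State = 'NeverExpires'; ExpiresOn = $null }
    }
    $setOn     = [datetime]::FromFileTimeUtc($PwdLastSet)
    $expiresOn = $setOn.AddTicks($MaxAgeTicks)
    $state     = if ($expiresOn -le $Now) { 'Expired' } else { 'Valid' }
    return @{ State = $state; ExpiresOn = $expiresOn }
}

function Get-DomainPasswordExpiries {
    param([string]$SearchRoot)   # assumed, e.g. 'LDAP://DC=example,DC=com'

    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)

    # maxPwdAge lives on the domain head as a negative Int64 of 100ns ticks.
    $head = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)', [string[]]@('maxPwdAge'))
    $head.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $maxAgeTicks = -([int64]$head.FindOne().Properties['maxpwdage'][0])

    # Enabled user accounts only (bitwise AND rule on the ACCOUNTDISABLE bit, 0x2).
    $filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $users = New-Object System.DirectoryServices.DirectorySearcher($root, $filter,
                 [string[]]@('sAMAccountName', 'pwdLastSet', 'userAccountControl'))
    $users.PageSize = 1000                 # paged results, so large domains do not truncate at 1000

    $now = (Get-Date).ToUniversalTime()
    foreach ($r in $users.FindAll()) {
        $st = Get-PasswordExpiryState `
                -PwdLastSet ([int64]$r.Properties['pwdlastset'][0]) `
                -Uac ([int]$r.Properties['useraccountcontrol'][0]) `
                -MaxAgeTicks $maxAgeTicks -Now $now
        [pscustomobject]@{
            PolledOn  = $now.ToString('s')
            User      = [string]$r.Properties['samaccountname'][0]
            State     = $st.State
            ExpiresOn = if ($st.ExpiresOn) { $st.ExpiresOn.ToString('s') } else { '' }
        }
    }
}

function Export-PasswordExpiryHistory {
    # One row per user per poll; the history of when an expiry date passed is
    # reconstructed later from the PolledOn/State columns, which AD itself does not keep.
    param([string]$SearchRoot, [string]$CsvPath)
    Get-DomainPasswordExpiries -SearchRoot $SearchRoot |
        Export-Csv -Path $CsvPath -NoTypeInformation -Append
}

# Usage (assumed values); schedule this once a day.
Export-PasswordExpiryHistory -SearchRoot 'LDAP://DC=example,DC=com' -CsvPath 'C:\reports\pwd-expiry.csv'
```

Export-Csv -Append needs PowerShell 3.0 or later; on older hosts write to a dated file per run instead.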
RE: [ActiveDir] LimitLogon

I have had some experience of testing the Beta of this product. I found in a root/child environment issues with the actual control/logging of logins. I managed to make the system work if the IIS component of the product was running on a DC but this in itself had other implications. It consists of a client component/AD integration (schema update)/IIS service and login scripts (vbs). If I remember correctly it worked in a single domain but again this could have been on a DC. It was a quick test environment initially! Once taken into the model office I had lots of fun.

The last time I was in contact with Microsoft was around October of last year where they were still looking into the issues. At that stage they had no planned release date. We have since looked at continuing using Cconnect (currently used in the NT4 environment). This has initially been tested in the child domain (Windows 2003) to control user access via a central SQL server and appears to be working OK.

We made much progress through the initial testing so things may have moved on again since then.

Jacqui

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 20 January 2005 21:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LimitLogon

Join the Beta and find out.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Matt Brown
Sent: Thu 1/20/2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LimitLogon

Anybody heard anything on LimitLogon and when it may be released?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx |
| 307 MONROE HALL | Cheney, WA 99004 |
+--+
Re: [ActiveDir] LDAP export pros/cons

Precisely... unless I am dreaming ;-)

On Fri, 21 Jan 2005 07:41:11 -0600, Robert N. Leali [EMAIL PROTECTED] wrote:

Maybe I'm not seeing the big picture of how this can be done with website redirection. Is it just a matter of making one mutual user account on both my web server and the third party portal server that is trusted by both machines and using that account to pass the web traffic after the users authenticate to my site?

My ultimate goal is to keep my risk and exposure of user names/passwords/authentication to the bare minimum and still get the desired effect of not maintaining two user names/passwords per user. It's not that the third party isn't trusted as much as they aren't careful or vigilant in their security configurations and we have no control over that situation. We are trying to keep the attack surface coming from their side as small as possible because we are required to make the portal work for our users.

I think I have a grasp on how a reverse proxy web publishing can achieve this and still keep everything encrypted and semi secure using certificates.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Friday, January 21, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP export pros/cons

Not worked that much on the 3rd party integrations, but have an idea. Can you try to do authentication re-directions to that site - I mean instead of people going to the 3rd party site for authentication, can they come to your own website and get authenticated through your LDAP or RSA server and get re-directed to the desired locations.

Regards,
Chandra

On Thu, 20 Jan 2005 23:54:28 -0500, joe [EMAIL PROTECTED] wrote:

Ditto. Whomever is running that web site gets to see all of the clear text passwords for every user that authenticates. I would say that is giving out a bit more info to the third party than you would normally like to supply. Heck I don't even like doing that on intranet sites run by people in the same company let alone someone outside of the company.

Sort of on par with saying, hi, here are my most sensitive parts and giving them to a third party and asking them to be nice to them.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 6:54 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons

Interesting. I may just not understand what you have in mind. I would agree, but I'm leery of ldap bind for authentication in this scenario. In addition, it seems that it would not really provide the full amount of usefulness to the solution since the user has to also remember a different set of creds if they use this portal with dual id. Am I just misunderstanding, or were you thinking of something different??

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, January 20, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

Here's a common scenario, where an application like the web portal outsources authentication to an external directory but retains authorization: your user hits the web portal and gets a prompt for her login ID and password. She enters that information and hits the OK button, and your portal then attempts to do an authenticated bind to the user's object in the LDAP directory, using the submitted ID and password. If the bind is successful, then the LDAP directory returns a successful acknowledgement to the portal. The portal hears that the user ID and password are correct, so the portal can then present the user with the appropriate content based on the portal permissions assigned to her account.

The key here is that there has to be a common identifier in the portal and LDAP directory, so that the user gets the right stuff (based on the authorization in the portal) as a result of successful LDAP login (based on the LDAP authentication). Typically the common identifier is the logon ID, so that the portal knows that a successful LDAP bind to jane.doe should be associated with the jane.doe object in the portal.

It would be a good idea to ask what specific attributes the portal is looking for, or even the syntax of the LDAP queries they hope to issue.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal. Is it
RE: [ActiveDir] LDAP export pros/cons
In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user. No argument that using LDAP as an authentication method isn't nearly as secure as kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure. There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-) Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, January 20, 2005 4:54 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] LDAP export pros/cons Interesting. I may just not understand what you have in mind. I would agree, but I'm leery of ldap bind for authentication in this scenario. In addition, it seems that it would not really provide the full amount of usefulness to the solution since the user has to also remember a different set of creds if they use this portal with dual id. Am I just misunderstanding, or were you thinking of something different?? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Thursday, January 20, 2005 4:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons Here's a common scenario, where an application like the web portal outsources authentication to an external directory but retains authorization: your user hits the web portal and gets a prompt for her login ID and password. She enters that information and hits the OK button, and your portal then attempts to do an authenticated bind to the user's object in the LDAP directory, using the submitted ID and password. If the bind is successful, then the LDAP directory returns a successful acknowledgement to the portal. 
The portal hears that the user ID and password are correct, so the portal can then present the user with the appropriate content based on the portal permissions assigned to her account. The key here is that there has to be a common identifier in the portal and LDAP directory, so that the user gets the right stuff (based on the authorization in the portal) as a result of successful LDAP "login" (based on the LDAP authentication). Typically the common identifier is the logon ID, so that the portal knows that a successful LDAP bind to jane.doe should be associated with the jane.doe object in the portal. It would be a good idea to ask what specific attributes the portal is looking for, or even the syntax of the LDAP queries they hope to issue. Hunter From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Thursday, January 20, 2005 2:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal. Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an ldap export assuming this is going to be a long term solution. The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name password. I do not want to give out any more information than that about my users. Thanks for the quick responses. R- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, January 20, 2005 2:27 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] LDAP export pros/cons not sure there are any documented risks. Risks being relational to the entity taking them. However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing. 
I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really. If that's the case, then it's possible you could be giving out the account information to a non-trusted source. The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?" Some folks wouldn't have a problem giving out that information. Others would. You'll need to assess that risk based on the information you plan to give out. Email addresses are a unique identifier by the way. And usually public knowledge. From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Thursday, January 20, 2005 3:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons That's correct. Looking for risks associated From: [EMAIL PROTECTED] on behalf of Mulnick,
RE: [ActiveDir] Loose vs strict replication consistency
Hi Neil, W2K DC all SPs: loose Yes. W2K DC upgraded to W2k3: loose Yes. w2k3 DC fresh built into new forest: strict Yes. w2k3 DC fresh built into existing forest: loose Not sure. If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value "Strict Replication Consistency" in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose). NB. Independent of lingering object detection, and independent of the strict/loose consistency setting, Windows Server 2003 always quarantines a source domain controller's partition (i.e., source replica) if replication has not succeeded for more than a tombstone lifetime (default 60 days). If you consequently use the Replicate Now operation of the Sites and Services snap-in, you will get the error "cannot replicate because the time since the last replication has exceeded the tombstone lifetime." You would also probably get an error with the event ID 2042 in your event log. To recover from this error, first delete any lingering objects with repadmin /removelingeringobjects. Next, if DC2 did quarantine DC1, force the replication with a command such as the following: repadmin /repl DC2 DC1 DC=sanao,DC=com /force This fixes the problem for one partition, but when you try Replicate Now again, you may get the same error, but this time referring to the next partition. At worst, you must issue the command also for the configuration and schema partitions, ForestDnsZones and DomainDnsZones, for any other application partitions, and in the case of a global catalog server, for each other domain in the forest. There is also a registry setting to turn this check off, but it's safer to use the repadmin command, so that the next time this would happen, the protection would still be on. 
Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, January 21, 2005 12:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Loose vs strict replication consistency OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct? - W2K DC all SPs: loose - W2K DC upgraded to W2k3: loose - w2k3 DC fresh built into existing forest: loose - w2k3 DC fresh built into new forest: strict I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt "loose" as the default behaviour. Lingering objects may occur and can be removed as and when detected. I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""> Thanks, neil == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure. ==
RE: [ActiveDir] LDAP export pros/cons
I'd be more concerned about malicious users inside your network being able to sniff that traffic and obtain usernames/passwords pretty easily. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Friday, January 21, 2005 10:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user. No argument that using LDAP as an authentication method isn't nearly as secure as kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure. There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-) Hunter List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FW: Viewing Password Expiration History
Not exactly when they were forced to, the user just did BECAUSE she thought it had expired. Over winter break she was having problems with her account locking out so she assumed her PW had expired so she reset it. She is now complaining that PEWA had never alerted her that her PW had expired. Our theory is that her account was being locked because she was trying to log onto WebCT with her WebCT PW instead of her Windows PW, and the authentication method had been changed during the break to use LDAP and domain account. The users were notified. The userids are the same but PWs are different. I'm not that familiar with the process since I am not involved with WebCT management. Apparently the logs on the WebCT boxes don't show anything and the DC logs have been overwritten, and we only save a few weeks' worth due to the size. But it looks like you answered my question with "If so, to my knowledge, this information is no longer available (relevant?) once they have reset their password. No field such as passwordLastExpired or anything like that." So it was just basically trying to prove her wrong since PEWA seems to be running with no problems. It is sending out 2-3 hundred warning messages a day. Thanks for the info! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, January 21, 2005 9:09 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] FW: Viewing Password Expiration History Let me play it back to be sure I have it correctly. You want to be able to go back and look at a current Directory object after they were forced to change their password and look to see when the user's password expired which then forced them to change the password? If so, to my knowledge, this information is no longer available (relevant?) once they have reset their password. No field such as passwordLastExpired or anything like that. 
You could use auditing to find out, but you'd have to rely on them trying to login and being forced to change the password. More likely: you could run daily polls to find out whose passwords are going to expire and keep that data in a separate reporting db. Could be scripted pretty quickly I would imagine. I'm curious though, what good would that data do? Can you give some more detail? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC) Sent: Friday, January 21, 2005 10:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FW: Viewing Password Expiration History Good morning everyone! (I guess that depends on where you are) Long time lurker here so I'd first like to thank everyone for all the info I've absorbed from this group. OK my question: Is there any way to view when a user's PW had expired once they have set a new one? Long story so I won't get into it but this info would have come in handy a few times. I haven't done extensive research but I have searched, plus I have viewed the user's properties in ADSI and LDP to no avail. I am not an expert by any means with ADSI and LDP so it is quite possible I have missed something. Thanks for any input. Windows 2003 Domain - Native p.s. You might receive this message twice since I screwed up and sent it to ActiveDir-owner first. sorry! *** Paul A Simpsen Information Technology Infrastructure Services Team University of Oklahoma Health Sciences Center 405-271-2262 x 50230 Fax: 405-271-2181 *** CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. 
If you have received this communication in error, please destroy all copies of this communication and any attachments.
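Al's suggestion above is a daily poll that records who is about to expire. The directory has no "when did it expire" attribute, but the expiry instant can be computed from pwdLastSet (a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC) and the domain's maxPwdAge (a negative 100-nanosecond interval), as long as the userAccountControl DONT_EXPIRE_PASSWD flag is honoured and pwdLastSet = 0 ("must change at next logon") is treated as already expired. The block below is an added example of that computation; it is not PEWA's code or anything posted on the list, does no LDAP I/O (it assumes the three attributes have already been read, e.g. with ldifde or adfind), and the sample values it uses are constructed.

```python
"""Password-expiry computation from AD attributes (added example).

Inputs are assumed to have been fetched already:
  pwdLastSet          - FILETIME, 100ns ticks since 1601-01-01 00:00 UTC
  maxPwdAge           - domain policy, stored as a NEGATIVE 100ns interval
  userAccountControl  - bit flags; 0x10000 = DONT_EXPIRE_PASSWD
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # 100ns ticks in one second
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl flag
MAXPWDAGE_NEVER = -(1 << 63)           # maxPwdAge value when policy is "never"


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME integer -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(seconds=ticks / TICKS_PER_SECOND)


def datetime_to_filetime(when: datetime) -> int:
    """Aware UTC datetime -> FILETIME integer (used here to build samples)."""
    return int((when - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int) -> Optional[datetime]:
    """Return the instant the password expires, or None if it never expires.

    pwd_last_set == 0 means 'user must change password at next logon';
    that is reported as FILETIME_EPOCH, i.e. already expired.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age == 0 or max_pwd_age == MAXPWDAGE_NEVER:
        return None                    # domain policy does not expire passwords
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    set_at = filetime_to_datetime(pwd_last_set)
    # maxPwdAge is negative; negate it to get the lifetime in ticks
    return set_at + timedelta(seconds=-max_pwd_age / TICKS_PER_SECOND)


def days_until_expiry(expiry: Optional[datetime], now: datetime) -> Optional[int]:
    """Whole days left (negative if already expired); None if never expires."""
    if expiry is None:
        return None
    return (expiry - now).days


def should_warn(expiry: Optional[datetime], now: datetime,
                warn_days: int = 14) -> bool:
    """True when the password expires within warn_days and has not expired yet."""
    left = days_until_expiry(expiry, now)
    return left is not None and 0 <= left <= warn_days


if __name__ == "__main__":
    # constructed sample: 42-day policy, password set on 2005-01-01, polled 2005-01-21
    sample_last_set = datetime_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    sample_max_age = -42 * 86400 * TICKS_PER_SECOND
    poll_time = datetime(2005, 1, 21, tzinfo=timezone.utc)
    exp = password_expiry(sample_last_set, sample_max_age, 0x200)
    print("expires", exp, "days left", days_until_expiry(exp, poll_time),
          "warn now?", should_warn(exp, poll_time))
```

A daily poll would write (login ID, expiry, days left) to the reporting table Al describes; the table then answers "when did it expire" for anyone who later resets, which the directory itself cannot.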
[ActiveDir] Finding User account if know SID
I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID? Chris Flesher
RE: [ActiveDir] Finding User account if know SID
Joeware. http://www.joeware.net/win/free/tools/sidtoname.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher Sent: Friday, January 21, 2005 11:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Finding User account if know SID I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID? Chris Flesher
RE: [ActiveDir] Loose vs strict replication consistency
w2k3 DC fresh built into existing forest: loose Not sure. If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value "Strict Replication Consistency" in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose). I checked two w2k3 DCs that were both fresh installs into an existing forest (same forest, two different domains) and neither one had the registry value "Strict Replication Consistency" present. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Friday, January 21, 2005 7:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Loose vs strict replication consistency Hi Neil, W2K DC all SPs: loose Yes. W2K DC upgraded to W2k3: loose Yes. w2k3 DC fresh built into new forest: strict Yes. w2k3 DC fresh built into existing forest: loose Not sure. If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value "Strict Replication Consistency" in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose). NB. Independent of lingering object detection, and independent of the strict/loose consistency setting, Windows Server 2003 always quarantines a source domain controller's partition (i.e., source replica) if replication has not succeeded for more than a tombstone lifetime (default 60 days). If you consequently use the Replicate Now operation of the Sites and Services snap-in, you will get the error "cannot replicate because the time since the last replication has exceeded the tombstone lifetime." You would also probably get an error with the event ID 2042 in your event log. To recover from this error, first delete any lingering objects with repadmin /removelingeringobjects. 
Next, if DC2 did quarantine DC1, force the replication with a command such as the following: repadmin /repl DC2 DC1 DC=sanao,DC=com /force This fixes the problem for one partition, but when you try Replicate Now again, you may get the same error, but this time referring to the next partition. At worst, you must issue the command also for the configuration and schema partitions, ForestDnsZones and DomainDnsZones, for any other application partitions, and in the case of a global catalog server, for each other domain in the forest. There is also a registry setting to turn this check off, but it's safer to use the repadmin command, so that the next time this would happen, the protection would still be on. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, January 21, 2005 12:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Loose vs strict replication consistency OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct? - W2K DC all SPs: loose - W2K DC upgraded to W2k3: loose - w2k3 DC fresh built into existing forest: loose - w2k3 DC fresh built into new forest: strict I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt "loose" as the default behaviour. Lingering objects may occur and can be removed as and when detected. I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""> Thanks, neil
RE: [ActiveDir] email disappearing
Check with the user and see if they tried to set up an OL profile on another machine somewhere (if they'll admit it). Perhaps another machine is grabbing the messages and downloading them to a PST. Perhaps the logs on the exchange server can provide a clue about which machine is pulling the mail? ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin Sent: Tuesday, January 18, 2005 12:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] email disappearing No filters... no rules... view = messages... hmmm PERFORMANCE MATERIALS CORPORATION Dan Morentin Network Administrator 805-482-1722 x231 cell: 818-445-7834 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Schorr Sent: Tuesday, January 18, 2005 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] email disappearing Check to see if you have a filter applied. -Ben- Ben M. Schorr, MCP, MVP, CNA Operations Coordinator Stockholm/KSG - Honolulu Phone: (808) 535-1500 Mobile: (808) 351-5084 http://www.scgab.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin Sent: Tuesday, January 18, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] email disappearing Yes it's delivering to inbox. They come in, but soon disappear. No rules defined. hmmm PERFORMANCE MATERIALS CORPORATION Dan Morentin Network Administrator 805-482-1722 x231 cell: 818-445-7834 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, January 18, 2005 11:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] email disappearing Tools, email accounts, view/change existing email.. It's on the next page, saying deliver to the following location. Rules can do this to you as well. Be a good idea to check the rules. 
To troubleshoot, you may want to turn the client off and use OWA to see if it's staying in the inbox. If it's not, it may be a server side rule or a client left on somewhere other than the machine you're currently using. POP clients such as PDAs, Outlook Express, etc. are known to do such things. -ajm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin Sent: Tuesday, January 18, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] email disappearing Where would I check to see if I was routing mail to pst? PERFORMANCE MATERIALS CORPORATION Dan Morentin Network Administrator 805-482-1722 x231 cell: 818-445-7834 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin Sent: Tuesday, January 18, 2005 09:45 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] email disappearing I think I remember a thread of this subject. Anyway email is leaving the inbox and going? When I leave outlook alone for a while the inbox clears out?? Don't know where they are going, but I'm used to going through a hundred emails a day, now just a few and they're disappearing. Anyone? I've done some searching on google, but can't seem to get a grip on it. PERFORMANCE MATERIALS CORPORATION Dan Morentin Network Administrator 805-482-1722 x231 cell: 818-445-7834
Re: [ActiveDir] Finding User account if know SID
There is a utility that Joe created for this at http://www.joeware.net/win/free/tools/sidtoname.htm - Original Message - From: Chris Flesher To: ActiveDir@mail.activedir.org Sent: Friday, January 21, 2005 11:31 AM Subject: [ActiveDir] Finding User account if know SID I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID? Chris Flesher
RE: [ActiveDir] LDAP export pros/cons
The browser sessions are within SSL connections, and the PS-AD piece runs over LDAP/SSL, so the network exposure isn't bad. Our largest risk is the sticky notes with passwords on monitors or under keyboards, combined with trivial social engineering exploits that would be successful against the majority of our users. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Friday, January 21, 2005 8:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons I'd be more concerned about malicious users inside your network being able to sniff that traffic and obtain usernames/passwords pretty easily. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Friday, January 21, 2005 10:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP export pros/cons In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user. No argument that using LDAP as an authentication method isn't nearly as secure as kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure. There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-) Hunter
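The portal-side logic Hunter describes (authenticate by binding as the user, authorize from the portal's own permissions keyed on the shared logon ID) is short, but two checks belong in it that the thread only hints at: Phil's point that the bind must not cross the network in the clear, and the fact that a simple bind with an empty password is an unauthenticated (anonymous) bind that many directories, Active Directory by default among them, answer with success, so "the bind succeeded" alone is not "the password was right". The block below is an added example, not PeopleSoft's code or anything posted by the list members. It uses no LDAP library: FakeDirectory is a stand-in for the DC so the example runs offline, and the accounts, passwords and portal roles in it are constructed.

```python
"""Portal authentication via LDAP bind, authorization from the portal's own
table (added example; the directory is simulated so this runs offline)."""
import re
from dataclasses import dataclass
from typing import Optional

# constructed sample data, not from the thread
DIRECTORY_PASSWORDS = {"jane.doe": "Winter2005!", "bob.smith": "hunter2"}
PORTAL_ACCOUNTS = {
    "jane.doe": {"role": "employee", "dept": "HR"},
    "bob.smith": {"role": "manager", "dept": "Finance"},
    "old.contractor": {"role": "disabled"},   # portal knows him, AD no longer does
}
# conservative shape for a logon ID before it is handed to the directory
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class FakeDirectory:
    """Stand-in for the LDAP server. Models the unauthenticated-bind rule:
    an empty password is an anonymous bind and is reported as success."""

    def __init__(self, passwords: dict, use_tls: bool):
        self.passwords = passwords
        self.use_tls = use_tls

    def simple_bind(self, login_id: str, password: str) -> bool:
        if password == "":
            return True                      # anonymous bind "succeeds"
        return self.passwords.get(login_id) == password


@dataclass
class AuthResult:
    ok: bool
    reason: str                              # internal; show the user a generic message
    account: Optional[dict] = None


def authenticate(directory: FakeDirectory, login_id: str, password: str) -> AuthResult:
    # 1. never send a simple bind (cleartext credentials) without TLS
    if not directory.use_tls:
        return AuthResult(False, "refusing simple bind without LDAPS")
    # 2. sanity-check the identifier before it reaches the directory
    if not LOGIN_ID_RE.match(login_id or ""):
        return AuthResult(False, "malformed login id")
    # 3. an empty password would become an anonymous bind: reject it here
    if password is None or password.strip() == "":
        return AuthResult(False, "empty password")
    # 4. the common identifier must map to a live portal account
    account = PORTAL_ACCOUNTS.get(login_id)
    if account is None or account.get("role") == "disabled":
        return AuthResult(False, "no active portal account")
    # 5. authentication: bind as the user with the submitted credentials
    if not directory.simple_bind(login_id, password):
        return AuthResult(False, "bind failed")
    # 6. authorization comes from the portal's own data, not from the directory
    return AuthResult(True, "ok", account)


if __name__ == "__main__":
    dc = FakeDirectory(DIRECTORY_PASSWORDS, use_tls=True)
    for uid, pw in [("jane.doe", "Winter2005!"), ("jane.doe", ""), ("bob.smith", "wrong")]:
        r = authenticate(dc, uid, pw)
        print(f"{uid!r:18} ok={r.ok} reason={r.reason}")
```

The reason strings are for the portal's own log; the user should see one generic failure message so that account existence is not confirmed by the error text.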
[ActiveDir] Moving profiles.
I'm in the process of consolidating 2 domains and I was wondering if anyone knows a way (or could point me to a good script :)) that will copy the users' profiles over as well once I migrate the accounts. Thanks in advance! Mike
RE: [ActiveDir] Finding User account if know SID
Joe's tools will work well ...if you're restricted to tools from the base media, try - C:\ldifde -d dc=mine,dc=local -r (&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500)) -l "objectSID" -f con -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher Sent: Friday, January 21, 2005 11:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Finding User account if know SID I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID? Chris Flesher
RE: [ActiveDir] Loose vs strict replication consistency
So you've all reached the same conclusion as me :) i.e. 'not sure' The registry key is not exposed so hence my question. Any offers? ~Eric? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: 21 January 2005 16:41 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Loose vs strict replication consistency w2k3 DC fresh built into existing forest: loose Not sure. If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value "Strict Replication Consistency" in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose). I checked two w2k3 DCs that were both fresh installs into an existing forest (same forest, two different domains) and neither one had the registry value "Strict Replication Consistency" present. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Friday, January 21, 2005 7:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Loose vs strict replication consistency Hi Neil, W2K DC all SPs: loose Yes. W2K DC upgraded to W2k3: loose Yes. w2k3 DC fresh built into new forest: strict Yes. w2k3 DC fresh built into existing forest: loose Not sure. If someone reading this list has such a DC (the last case I'm not sure of), he or she could check the registry value "Strict Replication Consistency" in HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NTDS, Parameters to see if it is 1 (strict) or 0 (loose). NB. Independent of lingering object detection, and independent of the strict/loose consistency setting, Windows Server 2003 always quarantines a source domain controller's partition (i.e., source replica) if replication has not succeeded for more than a tombstone lifetime (default 60 days). 
If you consequently use the Replicate Now operation of the Sites and Services snap-in, you will get the error "cannot replicate because the time since the last replication has exceeded the tombstone lifetime." You would also probably get an error with the event ID 2042 in your event log. To recover from this error, first delete any lingering objects with repadmin /removelingeringobjects. Next, if DC2 did quarantine DC1, force the replication with a command such as the following: repadmin /repl DC2 DC1 DC=sanao,DC=com /force This fixes the problem for one partition, but when you try Replicate Now again, you may get the same error, but this time referring to the next partition. At worst, you must issue the command also for the configuration and schema partitions, ForestDnsZones and DomainDnsZones, for any other application partitions, and in the case of a global catalog server, for each other domain in the forest. There is also a registry setting to turn this check off, but it's safer to use the repadmin command, so that the next time this would happen, the protection would still be on. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, January 21, 2005 12:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Loose vs strict replication consistency OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct? - W2K DC all SPs: loose - W2K DC upgraded to W2k3: loose - w2k3 DC fresh built into existing forest: loose - w2k3 DC fresh built into new forest: strict I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt "loose" as the default behaviour. Lingering objects may occur and can be removed as and when detected. 
I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""> Thanks, neil
RE: [ActiveDir] Finding User account if know SID
Works great. Thanks for all the help. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Friday, January 21, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Finding User account if know SID There is a utility that Joe created for this at http://www.joeware.net/win/free/tools/sidtoname.htm - Original Message - From: Chris Flesher To: ActiveDir@mail.activedir.org Sent: Friday, January 21, 2005 11:31 AM Subject: [ActiveDir] Finding User account if know SID I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID? Chris Flesher
Re: [ActiveDir] Moving profiles.
ADMT can migrate profiles, for more info see http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/w2kadmt.mspx - Original Message - From: Mike Hogenauer To: ActiveDir@mail.activedir.org Sent: Friday, January 21, 2005 11:55 AM Subject: [ActiveDir] Moving profiles. I'm in the process of consolidating 2 domains and I was wondering if anyone knows a way (or could point me to a good script :)) that will copy the users' profiles over as well once I migrate the accounts. Thanks in advance! Mike
RE: [ActiveDir] Moving profiles.
Thanks! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Friday, January 21, 2005 9:07 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Moving profiles. ADMT can migrate profiles, for more info see http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/w2kadmt.mspx - Original Message - From: Mike Hogenauer To: ActiveDir@mail.activedir.org Sent: Friday, January 21, 2005 11:55 AM Subject: [ActiveDir] Moving profiles. I'm in the process of consolidating 2 domains and I was wondering if anyone knows a way (or could point me to a good script :)) that will copy the users' profiles over as well once I migrate the accounts. Thanks in advance! Mike
RE: [ActiveDir] File System Permissions in GPO
If you redirect the desktop to a readonly share, what happens when you push out software like office to users through GPO and want to have the icons auto appear on the desktop? Will you end up with 100s of icons? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, January 20, 2005 5:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] File System Permissions in GPO Justin- I would avoid using file system permission policy to do this. What I've done in the past is just set up folder redirection of Desktop to a read-only share. That usually does the trick without having to manage individual permissions on each profile. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Thursday, January 20, 2005 10:46 AM To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Subject: [ActiveDir] File System Permissions in GPO Can I configure a setting within the File System container of the Computer Configuration section of a GPO to utilize %username%\desktop and prohibit write and modify access to the desktop or is there another way to do this that is easier and more effective? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] Finding User account if know SID
I think that only works against 2K3 AD though Dean. sidtoname will work against NT or 2K or K3 or XP.

As an aside, if someone wants to do it through LDAP, adfind will do it too, even against W2K...

If you know your directory is 2K3 you can use the same filter as below:

    adfind -b dc=mine,dc=local -f "(&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500))" objectsid

If you know it is Windows 2000 or you don't know what it is you can do:

    adfind -b dc=mine,dc=local -binenc -f "(&(objectcategory=person)(objectclass=user)(objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}))" objectsid

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID

Joe's tools will work well ... if you're restricted to tools from the base media, try -

    C:\>ldifde -d dc=mine,dc=local -r (^&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500)) -l "objectSID" -f con

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, January 21, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Finding User account if know SID

I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID?

Chris Flesher
RE: [ActiveDir] Finding User account if know SID
That's correct ... and a great point ... but who uses 2000 anymore ;-)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 21, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID
[ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
I need to create about 3400 user accounts, create home folders and assign the appropriate user and group permissions to the home drives automagically. We are using Windows Server 2003 and AD with a single domain. I know how to create the user accounts and home folders but am not sure of the best approach to assign the permissions. Any suggestions on doing all three, or at least the permissions part?

Thanks - Brian

CAPISTRANO UNIFIED SCHOOL DISTRICT DISCLAIMER: This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use or disclosure of such information is strictly prohibited under 18 USCA 2511 and any applicable laws.
[ActiveDir] OT:outlook 2003
Is there an issue with Outlook 2003 and opening another user's calendar in a different trusted (same forest) domain? I have a user that was upgraded from Outlook 2000 and can no longer open up the user's calendar. She can open up users in her domain and she has full mailbox rights to the other user's mailbox. Any thoughts?

Thanks
RE: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
Have you looked at what subinacl can do for you? It's a reskit utility that deals with permissions. Scripts would be an easy way to deal with the creation of accounts.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Friday, January 21, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
RE: [ActiveDir] Finding User account if know SID
    objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}

What the hell is that?!! Is that documented somewhere? What other kinds of goofy tricks are there to avoid octet string encoding like \01\05\00..?

And while you are at it, why does this work in 2K3?

    objectSID=S-1-5-21-2000478354-411894773-854245398-500

Are there any tricks for GUIDs too?

Also, I can't get this

    objectSID={{SID:S-1-5-21-861567501-413027322-18016}}

to work, though this

    objectSID=S-1-5-21-861567501-413027322-1801674531-109764

does on Win2K3. Are you just making that up? :-)

I love stupid LDAP tricks!

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 21, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
RE: [ActiveDir] Loose vs strict replication consistency
For your 3rd scenario, I assume you mean "...into an existing 2k3 forest that had been upgraded from w2k" and the 4th to mean "...into a new 2k3 forest". If so...

Your assumption should be correct as long as the NTDS\Parameters key gets wiped out as part of a demotion (which I believe happens, but I don't think I've ever actually verified it personally, especially if a custom Registry entry had been created there.)

A freshly built 2K3 Forest gets a particular operations GUID object (Domain\System\DomainUpdates\) that an upgraded Forest does not get. This is how the new 2K3 DCs know whether to enable Strict Replication Consistency by default or not. Theoretically, you could probably create the GUID object yourself, though you'd probably have to test everything to make sure it behaves as intended.

Also, for your 1st scenario, there's a minor caveat in that there was a post-SP2 QFE that changed the default behavior to enable Strict Replication Consistency. That was un-done with SP3 and greater.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, January 21, 2005 04:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loose vs strict replication consistency

OK, so I understand what loose and strict repl. consistency *mean* and how a DC behaves in both scenarios, but am unsure which default behaviour is adopted by various OS and SP levels. Is the following summary correct?

- W2K DC all SPs: loose
- W2K DC upgraded to W2k3: loose
- w2k3 DC fresh built into existing forest: loose
- w2k3 DC fresh built into new forest: strict

I assume therefore, that if I demote/rebuild as w2k3/promote my w2k DCs in my forest, then they will adopt loose as the default behaviour. Lingering objects may occur and can be removed as and when detected.

I referenced http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_repup_how.asp

Thanks,
neil

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
RE: [ActiveDir] Finding User account if know SID
Heh, most of the Enterprise class customers I talk to Many of them wouldn't consider deploying any OS due to the pre-SP1 "rule". When you say that K3 is like 2K SP7 they still won't budge. Plus many of them have to spend a great deal of time testing and certifying things in case they break one of many thousands of LOB apps.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 2:41 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID
RE: [ActiveDir] Finding User account if know SID
This ...

    objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}

... is likely Joe's and ADfind's way of handling SIDs and removing that sometimes nasty command line interpretation of angled brackets (they can be prefixed by ^ of course).

As for "And while you are at it, why does this work in 2K3? objectSID=S-1-5-21-2000478354-411894773-854245398-500" ... the DSA was written to understand it since it's a relatively common query ... nothing more complex than that.

As for GUIDs, yes there is ... a simple example is to use an angle bracketed <SID=x> or <GUID=x> as the base DN of a query, or use -

    ldifde -d ^<SID=S-1-5-21-2000478354-492114223-854115398-1113^> -l "1.1" -f con

Replacing "SID=" with "GUID=" and a valid GUID value will also work.

Regarding your very last question, possibly me since I'm speed reading but aren't you missing a few bits ... "74531-109764"?

Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 21, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID
RE: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
Will this do? http://www.readymaids.com/Portals/1/userprof-xcacls.txt

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Stockbrugger, Brian L.
Sent: Fri 1/21/2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
RE: [ActiveDir] Finding User account if know SID
The {{}} format isn't an LDAP thing, it is a joeware thing. Combined with -binenc it tells adfind to parse the input parameter differently and replace the nice string name with a binary encoded version. I had the option of just automatically trying to figure it out if it was needed or having the user specify that it needed to be done. I preferred to have the user specify it so I didn't have to ask questions like "how come I can use LDIFDE to look up SIDs in 2K3 but not in 2K, adfind can do it in both".

-binenc will also work with GUIDs like so:

    F:\DEV\cpp\SecTok>adfind -default -f "objectGUID={{GUID:B07DDAC0-895E-4323-865C-571AB4852449}}" -binenc objectsid objectguid

    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

    Transformed Filter: objectGUID=\C0\DA\7D\B0\5E\89\23C\86\5CW\1A\B4\85\24I
    Using server: 2k3dc02.joe.com
    Directory: Windows Server 2003
    Base DN: DC=joe,DC=com

    dn:CN=Administrator,CN=Users,DC=joe,DC=com
    >objectGUID: {B07DDAC0-895E-4323-865C-571AB4852449}
    >objectSid: S-1-5-21-1862701446-4008382571-2198042679-500

    1 Objects returned

Again that will work against 2K and K3 AD.

Lots of tricks in adfind, I think myself, the guys I trained at my previous employer, and maybe Robbie are the only ones using most of the tricks though. Dean would know the tricks but he is an OS purist and won't use things unless MS ships it to him on his CD. Personally I think MS should just break down and give me a couple of million dollars and buy my joeware utilities from me.

On the "why does the objectSID thing work", it is because MS made it work. They made a change in the parsing routine on the DC to recognize the format of the SID and to convert it to the proper format. Sort of like allowing multiple versions of logon ID for authentication. I don't recall ever seeing that documented anywhere, I stumbled upon it on accident once when working on the -binenc option. I had set the option without specifying the {{SID}} and it worked still, I was like WTF? I don't believe it will do it for GUIDs. Also not sure what attributes it will work with, for instance I have never tried that format against the sidHistory attribute or custom attributes someone has added that use a SID format.

Oh yeah, the astute will note the version of adfind above is higher than anything released. I found out that an SP1 fix actually causes something to be reported incorrectly in adfind so I had to update it even though I wasn't ever going to update the version 1.x.x series again. Say la vee (that was for Sir ~Eric), it was a pretty simple fix but I am looking at adding some other things as well as long as I am going to release a new version. So far I have added in the ability to exclude the DNs from the output (lots of people have recently asked for that) as well as adding the ability to not output the attribute labels. So you can actually do something like:

    F:\DEV\cpp\SecTok>..\adfind\adfind -default -f objectcategory=computer name -nodn -nolabel

    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

    Using server: 2k3dc02.joe.com
    Directory: Windows Server 2003
    Base DN: DC=joe,DC=com

    2K3DC01
    2K3DC02
    2K3WEB01
    2K3EXC01
    2K3UTL01
    fastmofo
    HP-ML
    testComputer
    2K3EXC02

    9 Objects returned

    The command completed successfully.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 21, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID
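What the -binenc switch does with a {{SID:...}} or {{GUID:...}} value, as an added example written in Python for this page rather than joeware's own code: the string SID or GUID is converted to the octet form AD stores in objectSid/objectGUID and then escaped for an LDAP filter. The helper names and the rule "ASCII letters and digits are left unescaped" are assumptions chosen to match the Transformed Filter line in joe's output above; the SID and GUID byte layouts are the standard ones.

```python
"""Encode string SIDs/GUIDs the way AD stores them and escape them for LDAP filters."""
import struct
import uuid

# Constructed sample values: the SID and GUID quoted in the thread plus the
# well-known BUILTIN\Administrators SID; none of them refers to a live directory.
SAMPLE_SID = "S-1-5-21-2000478354-411894773-854245398-500"
SAMPLE_GUID = "B07DDAC0-895E-4323-865C-571AB4852449"
BUILTIN_ADMINS_SID = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-R-IA-SA1-...-SAn as the binary SID held in objectSid:
    revision byte, sub-authority count, 48-bit big-endian identifier
    authority, then every sub-authority as a little-endian DWORD."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"SID field out of range: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its S-... string (inverse of sid_to_bytes)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("binary SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def guid_to_bytes(guid: str) -> bytes:
    """Encode a GUID string (braces optional) into the 16 bytes held in
    objectGUID: the first three fields little-endian, the remaining bytes as
    written.  uuid.UUID(...).bytes_le is exactly that layout."""
    return uuid.UUID(guid.strip("{}")).bytes_le


def ldap_escape(raw: bytes) -> str:
    """Escape an octet string for use as an LDAP filter assertion value.
    ASCII letters and digits are emitted as-is and every other byte as \\XX,
    which is the form adfind prints in its 'Transformed Filter' line
    (assumed rule; the escaped-everything form is equally valid LDAP)."""
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else f"\\{b:02X}" for b in raw)


def sid_filter(sid: str, binary_encode: bool) -> str:
    """Build the user-by-SID filter from the thread.  binary_encode=False passes
    the S-... string through (the Windows Server 2003 DSA parses that form);
    binary_encode=True sends the escaped octet string, which every AD version
    understands and is what adfind -binenc {{SID:...}} produces."""
    value = ldap_escape(sid_to_bytes(sid)) if binary_encode else sid
    return f"(&(objectcategory=person)(objectclass=user)(objectSid={value}))"


def guid_filter(guid: str) -> str:
    """Build an objectGUID filter.  joe reports the string shortcut does not
    apply to GUIDs, so the value is always the escaped 16-byte encoding."""
    return f"(objectGUID={ldap_escape(guid_to_bytes(guid))})"


if __name__ == "__main__":
    for sid in (SAMPLE_SID, BUILTIN_ADMINS_SID):
        raw = sid_to_bytes(sid)
        assert bytes_to_sid(raw) == sid          # round trip sanity check
        print(sid, "->", raw.hex())
        print("  2K3 string form :", sid_filter(sid, binary_encode=False))
        print("  binary form     :", sid_filter(sid, binary_encode=True))
    print(SAMPLE_GUID, "->", guid_filter(SAMPLE_GUID))
```

Running it reproduces joe's Transformed Filter for the GUID byte for byte, and shows why the same GUID written in string form can never match: objectGUID only ever holds the 16 raw bytes.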
RE: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
Hi Brian,

For the permissions, have a look at http://support.microsoft.com/kb/180464/EN-US/

Cheers,
William

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Stockbrugger, Brian L.
Sent: Fri 21/01/2005 20:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information. Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it.

Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message. Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.
RE: [ActiveDir] email disappearing
I happened to be the user... not the case, but I installed VMWare Workstation and configured a 98 and Linux virtual... experimenting. Also installed a MAPI toolbox, never configured (very busy here at work with ERP implementation). Uninstalled both apps to try and get a handle on the problem. Apps are gone, but the problem still exists. ??

The mail arrives in my inbox, but within moments is gone. I do have archive PSTs for a lot of folders, but not routing to any folders... I am now routing to a personal folder. It's the only way I can retain mail.

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, January 21, 2005 08:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Check with the user and see if they tried to set up an OL profile on another machine somewhere (if they'll admit it). Perhaps another machine is grabbing the messages and downloading them to a PST. Perhaps the logs on the Exchange server can provide a clue about which machine is pulling the mail?

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

No filters... no rules... view = messages... hmmm

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Schorr
Sent: Tuesday, January 18, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Check to see if you have a filter applied.

-Ben-
Ben M. Schorr, MCP, MVP, CNA
Operations Coordinator
Stockholm/KSG - Honolulu
Phone: (808) 535-1500
Mobile: (808) 351-5084
http://www.scgab.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Yes, it's delivering to the inbox. They come in, but soon disappear. No rules defined. hmmm

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 18, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Tools, email accounts, view/change existing email... It's on the next page, saying "deliver to the following location".

Rules can do this to you as well. Be a good idea to check the rules.

To troubleshoot, you may want to turn the client off and use OWA to see if it's staying in the inbox. If it's not, it may be a server-side rule or a client left on somewhere other than the machine you're currently using. POP clients such as PDAs, Outlook Express, etc. are known to do such things.

-ajm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Where would I check to see if I was routing mail to a PST?

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 09:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] email disappearing

I think I remember a thread on this subject. Anyway, email is leaving the inbox and going? When I leave Outlook alone for a while the inbox clears out?? Don't know where they are going, but I'm used to going through a hundred emails a day; now just a few and they're disappearing. Anyone? I've done some searching on Google, but can't seem to get a grip on it.

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834
RE: [ActiveDir] Finding User account if know SID
Title: Finding User account if know SID Gotcha. I thought you were doing LDAP magic that I didnt know about. I hate LDAP magic I dont know about. J This bit: objectSID=S-1-5-21-2000478354-411894773-854245398-500 was totally new to me though for filter syntax. I was down with the other DN syntaxes GUID= and SID= and the two formats they accept, but I thought filters had to be pure octet binary. They should update the MSDN docs on that. As much as I like your tools too, Im a bit like Dean. I tend to use ldp.exe for everything. It definitely isnt a replacement for CLI stuff, but I use it mostly for testing queries, binds and doing the occasional mod or add. It also (now) has a nice SD editor. Im probably pretty different from most people around here in that I have 2 instances of VS open nearly all the time and couldnt diagnose a replication problem if you begged me. J Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, January 21, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Finding User account if know SID The {{}} format isn't an LDAP thing, it is a joeware thing. Combined with -binenc tells adfind to parse the input parameter differently and replace the nice string name with a binary encoded version. I had the option of just automatically trying to figure it out if it was needed or having the user specify that it needed to be done. I preferred to have the user specify it so I didn't have to ask questions like how come I can use LDIFDE to look up sids in 2K3 but not in 2K, adfind can do it in both. 
-binenc will also work with GUIDs like so:

F:\DEV\cpp\SecTok>adfind -default -f objectGUID={{GUID:B07DDAC0-895E-4323-865C-571AB4852449}} -binenc objectsid objectguid

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Transformed Filter: objectGUID=\C0\DA\7D\B0\5E\89\23C\86\5CW\1A\B4\85\24I

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=Administrator,CN=Users,DC=joe,DC=com
objectGUID: {B07DDAC0-895E-4323-865C-571AB4852449}
objectSid: S-1-5-21-1862701446-4008382571-2198042679-500

1 Objects returned

Again that will work against 2k and K3 AD. Lots of tricks in adfind, I think myself, the guys I trained at my previous employer, and maybe Robbie are the only ones using most of the tricks though. Dean would know the tricks but he is an OS purist and won't use things unless MS ships it to him on his CD. Personally I think MS should just break down and give me a couple of million dollars and buy my joeware utilities from me.

On the why does the objectsid thing work, it is because MS made it work. They made a change in the parsing routine on the DC to recognize the format of the SID and to convert it to the proper format. Sort of like allowing multiple versions of logon ID for authentication. I don't recall ever seeing that documented anywhere, I stumbled upon it by accident once when working on the -binenc option. I had set the option without specifying the {{SID}} and it worked still, I was like WTF? I don't believe it will do it for GUIDs. Also not sure what attributes it will work with, for instance I have never tried that format against the sidHistory attribute or custom attributes someone has added that use a SID format.

Oh yeah, the astute will note the version of adfind above is higher than anything released. I found out that an SP1 fix actually causes something to be reported incorrectly in adfind so I had to update it even though I wasn't ever going to update the version 1.x.x series again.
Say la vee (that was for Sir ~Eric), it was a pretty simple fix but I am looking at adding some other things as well as long as I am going to release a new version. So far I have added in the ability to exclude the DNs from the output (lots of people have recently asked for that) as well as adding the ability to not output the attribute labels. So you can actually do something like:

F:\DEV\cpp\SecTok>..\adfind\adfind -default -f objectcategory=computer name -nodn -nolabel

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

2K3DC01
2K3DC02
2K3WEB01
2K3EXC01
2K3UTL01
fastmofo
HP-ML
testComputer
2K3EXC02

9 Objects returned

The command completed successfully.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 21, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID

objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}

What the hell is that?!! Is that documented somewhere? What other kinds of goofy tricks are there to avoid octet string encoding like \01\05\00..? And while you are at it, why does this work in 2K3?
RE: [ActiveDir] email disappearing
Check the exchange server security logs for the Event ID 540; should give you a workstation name for the machine. Another thing you can do is try changing your password. If it's a profile on another machine somewhere, the pw change will prevent the other machine from authenticating. If that solves the problem, you'll know there's a MAPI profile somewhere causing the problem. If that doesn't fix it, then I would blow away the OL profile, reboot, and rebuild the profile.

Linux; eh? Was anything configured for mail on that VM? If so, try shutting down that VM and see what happens... Or did you just say you uninstalled VMWare? Can't quite tell...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Friday, January 21, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

I happened to be the user...not the case, but I installed VMWare Workstation and configured a 98 and linux virtual...experimenting. also installed a mapi toolbox, never configured (very busy here at work with ERP implementation.) uninstalled both apps to try and get a handle on problem. Apps are gone, but problem still exists. ??. the mail arrives in my inbox, but within moments...gone, I do have archive pst's for a lot of folder, but not routing to any folders... I am now routing to a personal folder. It's the only way I can retain mail.

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, January 21, 2005 08:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Check with the user and see if they tried to set up an OL profile on another machine somewhere (if they'll admit it).
Perhaps another machine is grabbing the messages and downloading them to a PST. Perhaps the logs on the exchange server can provide a clue about which machine is pulling the mail?

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

No filters...no rules...view = messages...hmmm

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Schorr
Sent: Tuesday, January 18, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Check to see if you have a filter applied.

-Ben-
Ben M. Schorr, MCP, MVP, CNA
Operations Coordinator
Stockholm/KSG - Honolulu
Phone: (808) 535-1500
Mobile: (808) 351-5084
http://www.scgab.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Yes it's delivering to inbox. They come in, but soon disappear. No rules defined. hmmm

PERFORMANCE MATERIALS CORPORATION
Dan Morentin
Network Administrator
805-482-1722 x231
cell: 818-445-7834

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, January 18, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Tools, email accounts, view/change existing email.. It's on the next page, saying deliver to the following location. Rules can do this to you as well. Be a good idea to check the rules. To troubleshoot, you may want to turn the client off and use OWA to see if it's staying in the inbox.
If it's not, it may be a server side rule or a client left on somewhere other than the machine you're currently using. POP clients such as PDAs, Outlook Express, etc. are known to do such things.

-ajm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Morentin
Sent: Tuesday, January 18, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] email disappearing

Where would I check to see if I was routing mail to pst?

PERFORMANCE MATERIALS
RE: [ActiveDir] Finding User account if know SID - O/T
I'm guessing you missed the intended humor ... dude ... which part of ";-)" wasn't clear? I even left off the question mark :-) <note the smiley>

<sarcasm>For clarity, I am also teasing in this email ... and I am still way funnier (but not looking) than you! :-p</sarcasm>

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 21, 2005 4:48 PM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Finding User account if know SID

Heh, most of the Enterprise class customers I talk to... Many of them wouldn't consider deploying any OS due to the pre-SP1 "rule". When you say that K3 is like 2K SP7 they still won't budge. Plus many of them have to spend a great deal of time testing and certifying things in case they break one of many thousands of LOB apps.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 2:41 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID

That's correct ... and a great point ... but who uses 2000 anymore ;-)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 21, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID

I think that only works against 2k3 AD though Dean. sidtoname will work against NT or 2K or K3 or XP. As an aside, if someone wants to do it through LDAP, adfind will do it too, even against W2K...
If you know your directory is 2K3 you can use the same filter as below

adfind -b dc=mine,dc=local -f "(&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500))" objectsid

if you know it is Windows 2000 or you don't know what it is you can do

adfind -b dc=mine,dc=local -binenc -f "(&(objectcategory=person)(objectclass=user)(objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}))" objectsid

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID

Joe's tools will work well ... if you're restricted to tools from the base media, try -

C:\>ldifde -d dc=mine,dc=local -r (^&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500)) -l "objectSID" -f con

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, January 21, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Finding User account if know SID

I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID?

Chris Flesher
RE: [ActiveDir] Finding User account if know SID
Ah the angle brackets don't bother me, just throw the parameter in quotes and they are like handling kittens. "blah". No carrots nor carets needed.

Adfind will obviously also work with the SID= and GUID= formats since that is all handled by AD on the server side. In fact, you can easily tell adfind to return the extended names of objects by adding the -extname switch.

F:\DEV\cpp\SecTok>adfind -default -f name=administrator -extname objectsid objectguid

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:<GUID=c0da7db05e892343865c571ab4852449>;<SID=0105000515008691066f6b10ebee37780383f401>;CN=Administrator,CN=Users,DC=joe,DC=com
objectGUID: {B07DDAC0-895E-4323-865C-571AB4852449}
objectSid: S-1-5-21-1862701446-4008382571-2198042679-500

1 Objects returned

The command completed successfully.

I don't consider the SID= and GUID= binding formats the same as the objectsid=s-... example because you are binding to a specific object versus searching for the SID or GUID. The difference comes into play with attributes other than objectsid and objectguid such as sIDHistory, schemaIDGUID, attributeSecurityGUID, rightsGuid, etc.

Hey Dean do you know if the auto SID conversion for the filter will work for sIDHistory? I don't currently have any sIDHistories to test with. I would rather ask than create some. :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 4:49 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID

This ... objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}} ... is likely Joe's and ADfind's way of handling SIDs and removing that sometimes nasty command line interpretation of angled brackets (they can be prefixed by ^ of course). As for "And while you are at it, why does this work in 2K3?
objectSID=S-1-5-21-2000478354-411894773-854245398-500" ... the DSA was written to understand it since it's a relatively common query ... nothing more complex than that.

As for GUIDs, yes there is ... simple example is to use an angle bracketed SID=x or GUID= as the base DN of a query or use -

ldifde -d ^<SID=S-1-5-21-2000478354-492114223-854115398-1113^> -l "1.1" -f con

Replacing "SID=" with "GUID=" and a valid GUID value will also work.

Regarding your very last question, possibly me since I'm speed reading but aren't you missing a few bits ... "74531-109764"?

Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 21, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID

objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}

What the hell is that?!! Is that documented somewhere? What other kinds of goofy tricks are there to avoid octet string encoding like \01\05\00..? And while you are at it, why does this work in 2K3?

objectSID=S-1-5-21-2000478354-411894773-854245398-500

Are there any tricks for GUIDs too?

Also, I can't get objectSID={{SID:S-1-5-21-861567501-413027322-18016}} this to work for, though this objectSID=S-1-5-21-861567501-413027322-1801674531-109764 does on Win2K3. Are you just making that up? :)

I love stupid LDAP tricks!

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 21, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Finding User account if know SID

I think that only works against 2k3 AD though Dean. sidtoname will work against NT or 2K or K3 or XP. As an aside, if someone wants to do it through LDAP, adfind will do it too, even against W2K...
If you know your directory is 2K3 you can use the same filter as below

adfind -b dc=mine,dc=local -f "(&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500))" objectsid

if you know it is Windows 2000 or you don't know what it is you can do

adfind -b dc=mine,dc=local -binenc -f "(&(objectcategory=person)(objectclass=user)(objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}))" objectsid

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, January 21, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Finding User account if know SID

Joe's tools will work well ... if you're restricted to tools from the base media, try -

C:\>ldifde -d dc=mine,dc=local -r (^&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500)) -l "objectSID" -f con

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
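The whole "Finding User account if know SID" thread turns on one thing: AD stores objectSid and objectGUID as binary, so a filter either has to use the octet-string escaping Joe K. asked about (\01\05\00...) or rely on the 2K3 DSA parsing the S-1-5 string for you. The following Python is an added example, not code from the thread, from adfind or from any joeware tool: it does the string-to-binary conversion and filter escaping that adfind's "Transformed Filter" line shows, and is checked against the GUID and SID values joe posted. The escaping rule used (hex-escape every byte except ASCII letters and digits) is inferred from that single adfind output line and is an assumption; RFC 4515 allows any byte to be escaped, so the result is a valid filter value on any DC. Function names are my own.

```python
import struct
import uuid


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-<rev>-<authority>-<sub>-...) as the binary
    objectSid blob: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority big-endian, then each sub-authority as a
    32-bit little-endian integer."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"SID out of range: {sid!r}")
    blob = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for decoding an objectSid value or the
    SID= component of an extended DN. Length must match the count byte."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join(f"-{s}" for s in subs))


def guid_to_bytes(guid: str) -> bytes:
    """{B07DDAC0-895E-4323-865C-571AB4852449} -> the 16-byte objectGUID blob.
    The first three fields are stored little-endian, which is why the hex in
    joe's extended DN starts with c0da7db0 rather than b07ddac0."""
    return uuid.UUID(guid.strip("{}")).bytes_le


def bytes_to_guid(blob: bytes) -> str:
    """Inverse of guid_to_bytes, in the braced uppercase form adfind prints."""
    return "{%s}" % str(uuid.UUID(bytes_le=blob)).upper()


def ldap_escape(blob: bytes) -> str:
    """Render a binary value for use inside an LDAP search filter.
    Every byte that is not an ASCII letter or digit becomes \\XX (assumption:
    this reproduces adfind's Transformed Filter line; RFC 4515 permits
    escaping any byte, so the output is always a legal filter value)."""
    return "".join(chr(b) if bytes([b]).isalnum() else "\\%02X" % b for b in blob)


def ldap_unescape(value: str) -> bytes:
    """Turn a \\XX-escaped filter value back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(value[i]))
            i += 1
    return bytes(out)


def user_by_sid_filter(sid: str) -> str:
    """The portable form of joe's filter: works against Windows 2000 as well
    as 2003 because the value is sent as octets, not as the S-1-5 string."""
    escaped = ldap_escape(sid_to_bytes(sid))
    return "(&(objectcategory=person)(objectclass=user)(objectSid=%s))" % escaped


if __name__ == "__main__":
    # Sample values taken from joe's adfind output in the thread.
    guid = "{B07DDAC0-895E-4323-865C-571AB4852449}"
    sid = "S-1-5-21-1862701446-4008382571-2198042679-500"
    print("objectGUID filter value:", ldap_escape(guid_to_bytes(guid)))
    print("extended-DN GUID hex:  ", guid_to_bytes(guid).hex())
    print("objectSid hex:         ", sid_to_bytes(sid).hex())
    print(user_by_sid_filter(sid))
```

Run against joe's values, ldap_escape(guid_to_bytes(...)) yields exactly the Transformed Filter line adfind printed, and guid_to_bytes(...).hex() matches the GUID= component of the extended DN. The full objectSid blob for the Administrator SID is 28 bytes (8 header bytes plus five 4-byte sub-authorities); the SID= component as it appears in the archived message is shorter, which I take to be the archive having dropped the zero-byte runs rather than a different encoding. bytes_to_sid is the piece a responder wants when a raw SID turns up in an ACL dump or an event log and needs to be matched back to an account.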
RE: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups
Shelling cacls is by far the easiest. You could do some ADSI permission magic, but, that's a nightmare (as is Win32 ACL fun).

--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Stockbrugger, Brian L.
Sent: Fri 1/21/2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating user accounts, home folders and assigning permissions to user and groups

I need to create about 3400 user accounts, create home folders and assign the appropriate user and group permissions to the home drives automagically. We are using Windows Server 2003 and AD with a single domain. I know how to create the user accounts and home folders but not sure the best approach to assign the permissions. Any suggestions on doing all three or at least the permissions part.

Thanks - Brian

CAPISTRANO UNIFIED SCHOOL DISTRICT DISCLAIMER: This communication and any documents, files, or previous e-mail messages attached to it constitute an electronic communication within the scope of the Electronic Communication Privacy Act, 18 USCA 2510. This communication may contain non-public, confidential, or legally privileged information intended for the sole use of the designated recipient(s). The unlawful interception, use or disclosure of such information is strictly prohibited under 18 USCA 2511 and any applicable laws.