RE: [ActiveDir] Remove orphaned account
As Joe already said, there must be some break in the replication; try to fix that FIRST! See if one or more or all GCs are experiencing the problem. See that all GCs have an inbound replication partner that has that particular naming context (readable being another GC, or writable being the DC of the domain). If the GC is missing a replication partner for a certain naming context, they complain about that in the event viewer (don't know exactly what the event id is).

If replication seems to be OK, AND ONLY IF, there is a way to do a complete rebuild of a certain naming context on a GC. This simply throws away the current naming context and rebuilds it from another replication partner by replicating it in. That replication partner MUST have healthy naming context contents for that particular AD domain.

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday 16 February 2005 3:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

You need to figure out where the break is. Look at the GC that you expect it at and chase back through the replication connections to determine how the change should get there from the domain. There has to be a break somewhere.

joe

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, February 15, 2005 5:07 PM
To: ActiveDir@mail.activedir.org; joe
Subject: RE: [ActiveDir] Remove orphaned account

This has been since last week (about 5 days). Is there any way to force the delete to the other GCs?

-Devon

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 15, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

How long ago was this account deleted?

If it has been longer than the tombstone period, you have a lingering object and you need to start worrying about what other bad things are going on. If it has been recently, you need to chase your replication and determine where the update stopped.

joe

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, February 15, 2005 4:36 PM
To: ActiveDir@mail.activedir.org; joe
Subject: RE: [ActiveDir] Remove orphaned account

That's exactly the case, except it's not in the child domain (child1.domain.com) but it exists everywhere else (domain.com, child2.domain.com, child3.domain.com). When I try the admod command, it tries to contact the child domain (child1.domain.com) that is the owner of the account, but does not find it there. Somehow, it seems that the deletion did not replicate to all other GCs in the forest.

-Devon

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 15, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

That means your default GC has the object in its database but your default DC for that domain doesn't see it. You can tell which DCs are involved by doing this:

  adfind -gc -b -s base dnshostname
  adfind -h domain.com -b -s base dnshostname

If the object is in your default domain you can shorten the second command to

  adfind -b -s base dnshostname

joe

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, February 15, 2005 4:13 PM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

When I try to remove the object, I get this:

  C:\ Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del

  AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004

  DN Count: 1
  Using server: server.domain.com
  Deleting specified objects...
     DN: cn=doe\, john,cn=users,dc=domain,dc=com...: [server.domain.com] Error 0x20 (32) - No Such Object
  ERROR: Too many errors encountered, terminating...

  The command did not complete successfully

-----Original Message-----
From: joe
Sent: Tuesday, February 15, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Cc: Harding, Devon
Subject: RE: [ActiveDir] Remove orphaned account

Resend and Update, list blocked because I responded from wrong account

Almost, -del or -rm would delete the entire user object... But you need to use -dsq on adfind to output the quoted DN.

  adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del

Also if you want to just remove that address you could do

  adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod proxyaddresses:-:smtp:[EMAIL PROTECTED]

Note that if that address is the primary SMTP, Exchange may get grumpy if you don't set another address as primary.

[UPDATE] Looking at Hunter's response, he makes sense. Instead of deleting the object or the attribute, consider clearing the Exchange attributes.

  adfind
[ActiveDir] OT: Exch2003 POP Connector
Hi All,

Quick one. Does anyone know if it is possible to configure the POP3 connector to leave mail on the server it's pulling from for x number of days?

Many thanks,
Rob
[ActiveDir] Time server in windows 2003 !!
Hi all,

We have one Windows 2003 DC and one Windows 2003 ADC, and 2000 clients running Win 2000 Prof and Win XP Prof. Now I want that when the clients log on to the domain their computer updates its time from the Windows 2003 server. Does Windows 2003 have any inbuilt feature to set it up as a time server? Are there any third party programs which convert Win 2003 Server into a time server? If yes, what are the names of the products? Are there any open source programs for setting up a time server on Windows 2003 or Linux? Can we configure this in GPO?

Thanks and Regards,
K.SENTHIL KUMAR
RE: [ActiveDir] Time server in windows 2003 !!
There is indeed a built-in time sync service. Further reading here and elsewhere on microsoft.com:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx

neil
RE: [ActiveDir] Time server in windows 2003 !!
Windows 2003 is automatically a time server. When any 2000/XP client is a member of a domain it should automatically pull the time from the DC. Is this not happening?

Rob
Re: [ActiveDir] Time server in windows 2003 !!
Windows 2000 and 2003 servers have a native time service that can be used by any client (Windows or otherwise):

http://www.ultratech-llc.com/KB/?File=TimeSync.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
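As an added example (not from any of the replies above), the W32Time configuration and verification commands behind the "built-in time service" answer, in PowerShell; ntp.example.invalid is a placeholder, and the w32tm switches used are those of Windows XP/2003 and later:

```powershell
# Added example, not from the thread. The PDC emulator of the forest root is the
# one DC that should sync from an outside source and be marked reliable; every
# other DC and every domain member follows the domain hierarchy (which is already
# the default for a 2000/XP client once it joins the domain). The same NTP client
# settings can be pushed by GPO under Computer Configuration > Administrative
# Templates > System > Windows Time Service > Time Providers.
param(
    [ValidateSet('PdcEmulator', 'DomainMember', 'Verify')]
    [string]$Role = 'Verify',
    # Placeholder upstream peer; the ",0x8" flag asks for client-mode NTP.
    [string]$UpstreamPeers = 'ntp.example.invalid,0x8',
    [string]$Domain = $env:USERDNSDOMAIN
)

switch ($Role) {
    'PdcEmulator' {
        # Only the PDC emulator syncs from outside the forest; /reliable:yes
        # advertises it as a trusted time source to the domain hierarchy.
        w32tm /config /manualpeerlist:"$UpstreamPeers" /syncfromflags:manual /reliable:yes /update
        w32tm /resync /rediscover
    }
    'DomainMember' {
        # Members and non-PDC DCs take time from the domain hierarchy; this
        # undoes any manual peer list left behind on the machine.
        w32tm /config /syncfromflags:domhier /update
        w32tm /resync /rediscover
    }
    'Verify' {
        # /monitor lists each DC in the domain with its offset from the local
        # clock and the source it syncs from; /stripchart samples one host
        # (the domain name resolves to a DC through the domain's A records).
        w32tm /monitor /domain:$Domain
        w32tm /stripchart /computer:$Domain /samples:5 /dataonly
    }
}
```

Large offsets in the /monitor output are worth chasing before anything else, since Kerberos rejects tickets from clocks more than the permitted skew apart.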
RE: [ActiveDir] Remove orphaned account
Well, the break seems to be from that specific child domain. When I run an ADfind against all other GCs the object exists; when I run it against that one child domain GC, the object is not found.

-Devon

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 15, 2005 9:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

You need to figure out where the break is. Look at the GC that you expect it at and chase back through the replication connections to determine how the change should get there from the domain. There has to be a break somewhere.

joe

-----Original Message-----
From: joe
Sent: Tuesday, February 15, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Cc: Harding, Devon
Subject: RE: [ActiveDir] Remove orphaned account

Resend and Update, list blocked because I responded from wrong account

Almost, -del or -rm would delete the entire user object... But you need to use -dsq on adfind to output the quoted DN.

  adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del

Also if you want to just remove that address you could do

  adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod proxyaddresses:-:smtp:[EMAIL PROTECTED]

Note that if that address is the primary SMTP, Exchange may get grumpy if you don't set another address as primary.

[UPDATE] Looking at Hunter's response, he makes sense. Instead of deleting the object or the attribute, consider clearing the Exchange attributes.

  adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | exchmbx -clear

joe

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, February 15, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Cc: joe
Subject: RE: [ActiveDir] Remove orphaned account

Ok, now I'm getting somewhere. Correct me if I'm wrong. Would this be the correct command to find and remove that account that the SMTP address is associated with?

  Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] | admod -del

-Devon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL
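The per-GC check Devon ran by hand with adfind, as an added PowerShell example that is not part of the thread: it queries every global catalog in the forest for the proxyAddresses value, reports which replicas still hold the object and which do not (locating joe's "break"), and reads the forest tombstoneLifetime for comparison with how old each stale copy is. It assumes a domain-joined host with the .NET System.DirectoryServices classes; the SMTP address is a constructed placeholder.

```powershell
# Added example, not from the thread. Asks each GC replica individually, so the
# answers show where the delete has and has not replicated.
param(
    [string]$SmtpAddress = 'smtp:john.doe@domain.example'   # constructed placeholder
)

Add-Type -AssemblyName System.DirectoryServices

# Forest-wide tombstone lifetime lives on the Directory Service object in the
# configuration NC; if the attribute is absent the OS default applies (60 days
# on forests created with Windows 2000 or 2003 RTM).
$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$cfgNc   = $rootDse.Properties['configurationNamingContext'].Value
$dsObj   = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc")
$tombstoneDays = 60
if ($dsObj.Properties.Contains('tombstoneLifetime')) {
    $tombstoneDays = [int]$dsObj.Properties['tombstoneLifetime'].Value
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$filter = "(proxyAddresses=$SmtpAddress)"
$attrs  = [string[]]@('distinguishedName', 'whenChanged')
$report = @()

foreach ($gc in $forest.GlobalCatalogs) {
    $row = [pscustomobject]@{
        GC = $gc.Name; Found = $false; DN = ''; WhenChanged = $null; AgeDays = $null; Error = ''
    }
    try {
        # GC:// binds to the global catalog partition (port 3268) on this server
        # only, so the answer reflects that replica and nothing else.
        $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $attrs)
        $searcher.SearchScope = 'Subtree'
        $hit = $searcher.FindOne()
        if ($null -ne $hit) {
            $row.Found       = $true
            $row.DN          = [string]$hit.Properties['distinguishedname'][0]
            $row.WhenChanged = [datetime]$hit.Properties['whenchanged'][0]
            # How long this replica has carried its current copy. The deletion
            # time itself has to come from the owning domain (its Deleted Objects
            # container or directory service event log), not from the stale copy.
            $row.AgeDays = [int]((Get-Date) - $row.WhenChanged).TotalDays
        }
    } catch {
        $row.Error = $_.Exception.Message
    }
    $report += $row
}

$report | Format-Table -AutoSize

$present = @($report | Where-Object { $_.Found })
$absent  = @($report | Where-Object { -not $_.Found -and $_.Error -eq '' })
if ($present.Count -gt 0 -and $absent.Count -gt 0) {
    Write-Output ("Object still on {0} GC(s), gone from {1}: the delete has not replicated to the former." -f $present.Count, $absent.Count)
    Write-Output ("Forest tombstoneLifetime is {0} days; copies older than that are lingering-object territory. Check inbound replication on the GCs that still hold it (repadmin /showrepl <gc>) before touching the object." -f $tombstoneDays)
} elseif ($present.Count -eq 0) {
    Write-Output 'No GC that answered returned the object; the delete has replicated to all of them.'
}
```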
[ActiveDir] Strange Issue
I am not getting any errors, but I have a computer in a child domain and a user in the root domain. When the user logs in they get all the policy settings applied except the ones that say that the My Computer icon and the My Network Places icon and the My Documents icon are not removed from the desktop. I have each of these set to disable just like all my other policies, and yet when this user logs in to the child domain PC those very specific settings do not get applied, but other parts of the policy do, like folder redirection and Internet Explorer settings. Any ideas?

Justin A. Salandra, MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] DC or not DC
If you can afford it, it's best not to run any applications at all on a DC, as new apps open up new ports and generally provide a larger attack surface to hit a DC with. You also have the potential problem of an application problem bringing down the DC. Of course, SBS will install everything on one box by default, and many small businesses simply couldn't afford to split roles like that, so I wouldn't worry too much about it. It's just one of those 'nice to haves' if you have a big enough budget.
RE: [ActiveDir] DC or not DC
I collected most of the current information regarding Exchange and domain controllers into a single place a few weeks ago and put it all together. Take a look at:

Exchange Server 2003 and Domain Controllers - A Summary
http://blogs.brnets.com/michael/archive/2005/01/24/319.aspx
RE: [ActiveDir] DC or not DC
If you have the resources on the box and cannot afford to purchase a new box for SQL or Exchange, then you are stuck with only one option. However, I am a big believer in keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or login issues. I believe that Microsoft's best practices said to keep things separate. (But, I may be dreaming... like I often do...) However, with everything that I have said, it is just my opinion and is dependent on how many users you have and if your company can afford the cost.

Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
[ActiveDir] DC or not DC
Last night I received the latest MCPMag email newsletter and, as always, read the questions that people ask. I was kind of surprised by the opening sentence of the question: "I know that the Microsoft gospel is never to run Exchange, SQL Server, etc. on a domain controller." I've never seen or heard this before. I realize having the server be a DC would add some overhead, but what are the list's thoughts on this? Good or bad?

Thanks,
Zo
RE: [ActiveDir] Strange Issue
Check your policy to determine if these settings are in the Computer or User portion of the GPO. If they are set in the Computer portion, then the computer in the child domain won't get the policy settings from the parent domain. You would need to set the same policy items in the child domain's GPO.

Ken Adams
RE: [ActiveDir] DC or not DC
Not only that, but if security is compromised on SQL Server or Exchange you will give the attacker domain admin capabilities instead of just local admin on a separate box.

Joost
RE: [ActiveDir] DC or not DC
Yeah, MS has always said best practice is not to put back office apps or IIS on domain controllers, for as long as I can recall. Ditto file and print. There are possible resource and security issues. Then they have SBS... SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it. At that point, what do you and don't you listen to from MS?

My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven it with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely; I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand, through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well, you argue with Rick about everything because he is a hoot to argue with. With Deji... check it twice - all of it. ;oP Tony... never argue with Tony's dinner wine choice, never.

My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However, security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally, one of the methods for fixing replication hangs and such in AD is a reboot, because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as FP, SQL, Exchange, etc. as they tend to get cranky when the server side of the equation disappears.

My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look, and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest?

joe
RE: [ActiveDir] Strange Issue
Settings are User settings in the parent domain where the user resides. The user is getting other policy settings with no problem.
[ActiveDir] Few quick ones on password policies
Hey all! Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these: 1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to apply it at that level, not below. 2) account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up. As a fail safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet. Any answers greatly received and advice always welcome. Cheers, folks. For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] W: www.TBandA.com Eastgate House 10 Eastgate Leeds LS2 7JL Office Location Map Groupshield 6.0 - Troup Bywaters Anders Privilege and Confidentiality Notice This email and any attachments to it are intended only for the party to whom they are addressed. They may contain privileged and / or confidential information. If you have received this transmission in error please notify the sender immediately and delete any digital copies and destroy any paper copies. Thank you.
[ActiveDir] HELP!!! Undelete required
Hi guys, What is the fastest way of recovering a group object deleted in AD 2000? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... please don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
RE: [ActiveDir] HELP!!! Undelete required
You aren't going to like the answer... If you had K3 you would have at least 2 options, one painful, one really painful. Here you only have the painful answer. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo Sent: Wednesday, February 16, 2005 1:27 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] HELP!!! Undelete required Hi guys, What is the fastest way of recovering a group object deleted in AD 2000? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... please don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
RE: [ActiveDir] Remove orphaned account
Yep you need to chase through all of the connections and find out where the replication is supposed to be getting into the rest of the forest from. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, February 16, 2005 9:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account Well the break seems to be from that specific child domain. When I run an ADfind against all other GCs the object exists; when I run it against that one child domain GC, the object is not found. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 9:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account You need to figure out where the break is. Look at the GC that you expect it at and chase back through the replication connections to determine how the change should get there from the domain. There has to be a break somewhere. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 5:07 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account This has been since last week (about 5 days). Is there any way to force the delete to the other GCs? -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account How long ago was this account deleted? If it has been longer than the tombstone period, you have a lingering object and you need to start worrying about what other bad things are going on. If it has been recently, you need to chase your replication and determine where the update stopped at. 
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:36 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account That's exactly the case, except it's not in the child domain (child1.domain.com) but it exists everywhere else (domain.com, child2.domain.com, child3.domain.com). When I try the admod command, it tries to contact the child domain (child1.domain.com) that is the owner of the account, but does not find it there. Somehow, it seems that the deletion did not replicate to all other GCs in the forest. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account That means your default GC has the object in its database but your default DC for that domain doesn't see it. You can tell which DCs are involved by doing this adfind -gc -b -s base dnshostname adfind -h domain.com -b -s base dnshostname If the object is in your default domain you can shorten the second command to adfind -b -s base dnshostname joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:13 PM To: joe; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account When I try to remove the object, I get this: C:\ Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004 DN Count: 1 Using server: server.domain.com Deleting specified objects... DN: cn=doe\, john,cn=users,dc=domain,dc=com...: [server.domain.com] Error 0x20 (32) - No Such Object ERROR: Too many errors encountered, terminating... 
The command did not complete successfully -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 15, 2005 3:55 PM To: ActiveDir@mail.activedir.org Cc: Harding, Devon Subject: RE: [ActiveDir] Remove orphaned account Resend and Update, list blocked because I responded from wrong account Almost, -del or -rm would delete the entire user object... But you need to use -dsq on adfind to output the quoted DN. adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del Also if you want to just remove that address you could do adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod proxyaddresses:-:smtp:[EMAIL PROTECTED] Note that if that address is the primary SMTP Exchange may get grumpy if you don't set another address as primary. [UPDATE] Looking at Hunter's response, he makes sense. Instead of deleting the object or the attribute, consider clearing the Exchange attributes. adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | exchmbx -clear joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 3:35 PM To:
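joe's advice in this thread is to find which global catalogs still hold the object and chase the replication path back from them. The script below is an added example, not code from the thread and not part of joeware; it uses the .NET System.DirectoryServices classes rather than adfind to ask every GC in the forest for the same proxyAddresses value, and then runs repadmin /showrepl against the GCs that still return it. The address, the child domain naming context and the host names are placeholders; ConvertTo-LdapFilterValue and Test-GcHasObject are helper names chosen here.

```powershell
# Added example, not from the original thread or from joeware. Assumptions: a
# domain-joined Windows host, a forest-wide user account, and repadmin.exe on the
# path (Support Tools on Windows Server 2003, built in on later versions). The
# address and naming context are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$address = 'smtp:john.doe@domain.com'        # proxyAddresses value being chased
$homeNc  = 'DC=child1,DC=domain,DC=com'      # naming context of the owning domain

# RFC 4515 escaping for LDAP filter values; backslash first so the escapes added
# here are not themselves re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Ask one global catalog whether it holds an object matching the filter. Returns a
# record instead of printing so the results can be filtered afterwards; an
# unreachable GC is recorded as an error rather than silently skipped.
function Test-GcHasObject {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.GlobalCatalog]$Gc,
        [Parameter(Mandatory)][string]$Filter
    )
    $record = [ordered]@{ GC = $Gc.Name; Site = $null; Present = $null; DN = $null; Error = $null }
    try {
        $record.Site = $Gc.SiteName
        $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$($Gc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, [string[]]@('distinguishedName'))
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
        $hit = $searcher.FindOne()
        $record.Present = [bool]$hit
        if ($hit) { $record.DN = [string]$hit.Properties['distinguishedName'][0] }
    } catch {
        $record.Error = $_.Exception.Message
    }
    [pscustomobject]$record
}

$filter  = "(proxyAddresses=$(ConvertTo-LdapFilterValue $address))"
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($gc in $forest.GlobalCatalogs) { Test-GcHasObject -Gc $gc -Filter $filter }
$results | Format-Table -AutoSize

# GCs that still return the object hold stale data. Show each one's inbound
# replication for the owning domain's NC: a missing or failing partner there is
# the break joe describes.
foreach ($stale in ($results | Where-Object { $_.Present -eq $true })) {
    "==== $($stale.GC): inbound replication for $homeNc ===="
    & repadmin.exe /showrepl $stale.GC $homeNc
}
```

If the deletion is older than the tombstone lifetime, a GC that still has the object is holding a lingering object rather than waiting on a late update, and repadmin /removelingeringobjects with /advisory_mode (Windows Server 2003 SP1 and later) is the tool to enumerate and then clean them; forcing replication at that point will not help, which is the worry joe raises about "other bad things".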
[ActiveDir] userenv bug in w2k3?
Hi, I have a w2k3 machine (terminal server) that works fine when a user logs in to the domain. But, if a user authenticates to a MIT kerberos realm (with a name mapping defined in AD) then the server logs an event id 1054 (Userenv). The description is: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. To make a long story shorter, I enabled debug logging for userenv and confirmed that it is looking in the wrong domain for the DCs when looking up group policy for the user. It's looking in the authenticating realm (the MIT kerberos realm) and not the AD domain. The server configuration *is* correct. In other words, the domain suffix is the AD domain name (confirmed by ipconfig /all and netdiag). This server is using the same GP as another working (2000) server. I compared TGTs and they look the same, so I'm not sure where else to look. Suggestions? :-) Thanks! -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
RE: [ActiveDir] HELP!!! Undelete required
I think you're going to need to do an authoritative restore unfortunately, my friend. For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] W: www.TBandA.com Eastgate House 10 Eastgate Leeds LS2 7JL Office Location Map -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: 16 February 2005 18:36 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
RE: [ActiveDir] HELP!!! Undelete required
Ah, I need a miracle. A technical miracle. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 7:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
RE: [ActiveDir] HELP!!! Undelete required
Quick one, joe. What if I recreate the group? It is a security group; how can I repopulate the members of the group with names, i.e. import names into a group membership? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 7:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
[ActiveDir] LDAP query question
I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results: CreateObject("LDAP://distinguishedname") The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
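The slash problem is an ADsPath issue rather than an LDAP one: ADSI reads the first unescaped / after the LDAP:// prefix as the separator between server name and DN, so a DN that contains / must have it escaped as \/ before it goes into the path. The following is an added example, not code from the post; it is PowerShell rather than the poster's VBScript, the group DN and server name are made up, and ConvertTo-AdsPathDn is a helper name chosen here.

```powershell
# Added example, not from the original post. The DN and server are placeholders.
function ConvertTo-AdsPathDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Escape every '/' that is not already escaped, so the function is safe to
    # apply both to raw LDAP DNs and to values that are already ADsPath-escaped.
    [regex]::Replace($DistinguishedName, '(?<!\\)/', '\/')
}

$dn      = 'CN=Sales/Marketing,OU=Groups,DC=example,DC=com'
$escaped = ConvertTo-AdsPathDn $dn   # CN=Sales\/Marketing,OU=Groups,DC=example,DC=com

# Serverless bind (ADSI locates a DC): the only unescaped '/' left is in the prefix.
$group = [ADSI]("LDAP://" + $escaped)

# Bind to a named server: the '/' after the host name is the separator, the
# escaped one inside the DN is data.
$groupOnDc = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc1.example.com/$escaped")

# The unescaped path is what the post describes: ADSI takes 'CN=Sales' as the
# server and 'Marketing,OU=Groups,...' as the DN, and the bind fails.
try {
    $bad = [ADSI]("LDAP://" + $dn)
    $bad.psbase.RefreshCache()     # forces the bind so the failure surfaces here
} catch {
    "Unescaped bind failed as expected: $($_.Exception.Message)"
}

$group.sAMAccountName
$group.member
```

The same rule applies when building the path from a DN returned by a search: escape before binding, never after, and keep the escaping function idempotent as above so a value that already reads CN=Sales\/Marketing is not turned into CN=Sales\\/Marketing.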
RE: [ActiveDir] Few quick ones on password policies
1. Correct 2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines. I don't think you need to set "user can not change password", if the person doesn't want their password changed, setting that only prevents them from doing it. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton Sent: Wednesday, February 16, 2005 1:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Few quick ones on password policies
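joe's answer rests on where account policy actually lives. The password and lockout settings in the GPO linked at the domain are written by the PDC emulator onto the domain object itself (maxPwdAge, minPwdLength, pwdHistoryLength, lockoutThreshold and so on), and domain accounts are checked against those attributes alone; a GPO with account settings linked to an OU only changes the local SAM policy of the computers in that OU, which is the part that can be blocked. Fine-grained password policies, introduced in Windows Server 2008 and not available when this was written, are the one later exception to the domain-level rule. The script below is an added example, not from the thread; it reads the policy attributes off the domain object and then lists the users that Tim's fail-safe flags would exempt. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session; ConvertFrom-AdInterval, Get-DomainAccountPolicy and Get-PasswordPolicyExemptUsers are helper names chosen here.

```powershell
# Added example, not from the original messages. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# AD stores policy durations as negative counts of 100-ns intervals. Int64.MinValue
# (or 0) means 'no limit': passwords never expire, no minimum age, or locked out
# until an administrator unlocks, depending on the attribute. Returns $null then.
function ConvertFrom-AdInterval {
    param([Parameter(Mandatory)][long]$Interval)
    if ($Interval -eq [long]::MinValue -or $Interval -eq 0) { return $null }
    [TimeSpan]::FromTicks(-$Interval)
}

# Read the account policy straight off the domain object: this is the one set of
# values domain accounts are evaluated against, whatever GPOs exist lower down.
function Get-DomainAccountPolicy {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $attrs = 'maxPwdAge', 'minPwdAge', 'minPwdLength', 'pwdHistoryLength', 'pwdProperties',
             'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'
    $head = Get-ADObject -Identity $DomainDn -Properties $attrs

    [pscustomobject]@{
        Domain                = $DomainDn
        MaxPasswordAge        = ConvertFrom-AdInterval $head.maxPwdAge        # $null = never expires
        MinPasswordAge        = ConvertFrom-AdInterval $head.minPwdAge
        MinPasswordLength     = [int]$head.minPwdLength
        PasswordHistoryLength = [int]$head.pwdHistoryLength
        ComplexityRequired    = [bool]($head.pwdProperties -band 1)          # DOMAIN_PASSWORD_COMPLEX
        ReversibleEncryption  = [bool]($head.pwdProperties -band 16)         # DOMAIN_PASSWORD_STORE_CLEARTEXT
        LockoutThreshold      = [int]$head.lockoutThreshold                  # 0 = no lockout
        LockoutDuration       = ConvertFrom-AdInterval $head.lockoutDuration # $null = until admin unlocks
        LockoutWindow         = ConvertFrom-AdInterval $head.lockOutObservationWindow
    }
}

# Tim's fail-safe flags. PasswordNeverExpires is a userAccountControl bit;
# CannotChangePassword is derived from the object's ACL, so both are read per
# object here and filtered client-side rather than in the server-side filter.
function Get-PasswordPolicyExemptUsers {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
        Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword } |
        Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword, PasswordLastSet
}

Get-DomainAccountPolicy | Format-List
Get-PasswordPolicyExemptUsers | Format-Table -AutoSize
```

Get-ADDefaultDomainPasswordPolicy (and net accounts /domain on older tools) returns the same values already converted; reading the raw attributes shows why an OU-linked account policy never reaches domain accounts. The exempt-user list is worth keeping under review: every account with "password never expires" set is an account the domain's maxPwdAge no longer protects.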
RE: [ActiveDir] HELP!!! Undelete required
Indeed.. painful meaning: an authoritative restore from backup. You might not want to follow that option, but it's the only one leading to your desired solution in this scenario. Of course, depending on the situation, you might want to choose to recreate the group, including its memberships and links.. There is a way. And it leads to Restoreville. Regards, Paul. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 7:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
RE: [ActiveDir] HELP!!! Undelete required
WE WOULDN'T HAVE TO IF joe WOULD JUST QUIT FOOLIN' AROUND AND BUILD SOMETHING FOR US! C'mon joe. I promise I'll go to www.joeware.net and buy that thong for my wife I told you I would. YMYMYM RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tim Sutton Sent: Wednesday, February 16, 2005 1:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
RE: [ActiveDir] HELP!!! Undelete required
Q840001 outlines most of the issues and recovery steps for this one. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo Sent: Wednesday, February 16, 2005 12:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
RE: [ActiveDir] HELP!!! Undelete required
Joe, Out of curiosity, what do you define as the painful versus really painful option in 2K3? Now I'm curious. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo Sent: Wednesday, February 16, 2005 1:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] HELP!!! Undelete required
[ActiveDir] OT:IIS 5.0
Hi, I'm running IIS 5.0 on Win2k SP3 and I'm trying to get the change password functionality working with no success. I created the virtual iisadmpwd dir with read and script permissions. I allow anonymous access to this dir. I edited the metabase with adsutil.vbs to allow password change on non-secure ports (just for testing right now). In app mappings the .htr ext is mapped to ism.dll. However, when I browse to the site from anywhere (including the webserver itself), I get an HTTP 403 Forbidden error. I understand that with SP4, MS changed the functionality of this to use ASP instead of ISAPI for good security reasons and the app mapping changed to asp.dll, but the webserver I have is on SP3 (and while I plan on installing SP4 and going the ASP path, I figured since I can't even get it to work using ism.dll, I shouldn't throw more software at the problem till I get this resolved). I know this is OT, but could someone direct me as to what I'm screwing up here? Thanks. P.S. - as I said, I am going to use ASP for this and SSL and I realize the security risks of running ism.dll as Local System but I'm just trying to get this to work in the defaults for testing before I go live with the other features. Thanks again
RE: [ActiveDir] DC or not DC
I hate to drag this off subject slightly and since no one has mentioned it, but isn't the whole point of Microsoft Virtual Server and VMware GSX/ESX so that you can run multiple servers on the same physical server and not have the application/security/resource conflicts that you can get by running everything on one server? At the last MS TechEd several of the MS people I talked to were pitching Virtual Server as *the* solution to the "I only have one server" and branch office scenarios. -Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 9:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC or not DC Yeah MS has always said best practice is not to put back office apps or IIS on domain controllers for as long as I can recall. Ditto file and print. There are possible resource and security issues. Then they have SBS. SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it. At that point, what do you and don't you listen to from MS? My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven it with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely, I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well you argue with Rick about everything because he is a hoot to argue with. With Deji... Check it twice - all of it. ;oP Tony... Never argue with Tony's dinner wine choice, never. My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally one of the methods for fixing replication hangs and such in AD is a reboot because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as FP, SQL, Exchange, etc as they tend to get cranky when the server side of the equation disappears. My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest? joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Wednesday, February 16, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC or not DC If you have the resources on the box and cannot afford to purchase a new box for SQL or Exchange, then you are stuck with only one option. However, I am a big believer in keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or login issues. I believe that Microsoft's best practices said to keep things separate. (But, I may be dreaming... Like I often do...) However, with everything that I have said, it is just my opinion and is dependent on how many users you have and if your company can afford the cost. 
Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess Sent: Wednesday, February 16, 2005 7:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC or not DC Last night I received the latest MCPMag email newsletter and always read the questions that people ask. I was kind of surprised by the opening sentence of the question. "I know that the Microsoft gospel is never to run Exchange, SQL Server, etc. on a domain controller." I've never seen or heard this before. I realize having the server be a DC would add some overhead, but what are the list's thoughts on this? Good or Bad? Thanks, Zo
[ActiveDir] Help!!! - Urgent Issue...
Hi,

Not able to add PCs to the domain; I get the DNS error... looked up the link that popped up to find this http://www.microsoft.com/windows2000/dns/tshoot/dns_tshoot2A.asp#Join_RR Checked all (DNS and also AD - both on the same server) and everything works fine... any quick help please...

Regards,
Chandra
RE: [ActiveDir] HELP!!! Undelete required
Creating a new group (security) and populating the members will not allow the members to access resources the original group was granted permissions to.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: Wednesday, February 16, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Quick one joe, What if I recreate the group... it is a security group, how can I repopulate the members of the group with names... i.e. import names into a group membership...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

You aren't going to like the answer... If you had K3 you would have at least 2 options, one painful, one really painful. Here you only have the painful answer.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: Wednesday, February 16, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] HELP!!! Undelete required

Hi guys, What is the fastest way of recovering a group object deleted in AD 2000?? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... pls don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
RE: [ActiveDir] HELP!!! Undelete required
Hi Aramide. By recreating it you get a different SID. Any permissions based on the group name are really based on the SID and would be gone. The same would apply for any groups that that group is a member of.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED]

From: Aramide Adebanjo [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/16/2005 08:01 PM CET
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Quick one joe, What if I recreate the group... it is a security group, how can I repopulate the members of the group with names... i.e. import names into a group membership...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

You aren't going to like the answer... If you had K3 you would have at least 2 options, one painful, one really painful. Here you only have the painful answer.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: Wednesday, February 16, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] HELP!!! Undelete required

Hi guys, What is the fastest way of recovering a group object deleted in AD 2000?? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... pls don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
Re: [ActiveDir] Strange Issue
Sandra,

The best way to check this out is to activate detailed logging by setting the following registry key on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserEnvDebugLevel = 65538 (DWORD)

After logging on again, check out the log in %windir%\Debug\UserMode\userenv.log. It is a bit messy so we offer a free tool that assists you to view it. You may find that the ADM extension is not applying for some reason. http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml If you still have problems, mail me the log offline and I will look at it for you. Also check the Event log for any issues.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, February 17, 2005 4:53 AM
Subject: RE: [ActiveDir] Strange Issue

Settings are User settings in the parent domain where the user resides. The user is getting other policy settings with no problem.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Wednesday, February 16, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Issue

Check your policy to determine if these settings are in the Computer or User portion of the GPO. If they are set in the Computer portion, then the computer in the child domain won't get the policy settings from the parent domain. You would need to set the same policy items in the child domain's GPO.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, February 16, 2005 10:25 AM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Issue

I am not getting any errors but I have a computer in a child domain and a user in the root domain. When the user logs in they get all the policy settings applied except the ones that say that the My Computer Icon and the My Network Places Icon and the My Documents Icon are not removed from the desktop. I have each of these set to disable just like all my other policies and yet when this user logs in to the child domain PC those very specific settings do not get applied, but other parts of the policy do, like folder redirection and internet explorer settings. Any ideas?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] LDAP query question
Initial thought - string substitution, escape it with (ironically) a backslash "\" ??

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

CreateObject("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] Time server in windows 2003 !!
Hi,

Windows 2000 and Windows 2003 DCs provide time services for all clients and servers in the AD domain/forest. TIME plays a very important role in Kerberos authentication. There is no need to configure your clients or servers. The configuration happens automagically when they are joined to the AD domain. There may be one configuration needed though and that's the configuration of a reliable time source for the PDC emulator of the forest root AD domain (the first AD domain ever created in an AD forest). That reliable time source could be an external time server or an internal time server (another server or an atomic clock).

For more info see:
* http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_times_intro.asp
* http://support.microsoft.com/kb/816042
* http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: Active directory group
Sent: 2/16/2005 1:39 PM
Subject: [ActiveDir] Time server in windows 2003 !!

Hi all,

We are having one Windows 2003 DC and one Windows 2003 ADC and 2000 clients of Win 2000 Prof and Win XP Prof. Now I want that when the clients log on to the domain their computers should update their time from the Windows 2003 server. Does Windows 2003 have any inbuilt feature to set it up as a time server? Are there any third-party programs which convert Win 2003 server into a time server? If yes, what are the names of the products? Are there any open source programs for setting up a time server on Windows 2003 or Linux? Can we configure this in GPO?

Thanks and Regards,
K.SENTHIL KUMAR
RE: [ActiveDir] Few quick ones on password polices
I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn't happening. The problem was that the block inheritance setting was checked on the Domain Controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

1. Correct
2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines.

I don't think you need to set user cannot change password; if the person doesn't want their password changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Few quick ones on password polices

Hey all! Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to apply it at that level, not below.
2) account policies cannot be blocked by using the block inheritance option? Not too sure on this one, so could do with it clearing up.

As a fail safe I'm going to make sure I've got password never expires and user cannot change password options selected for those people whose password I don't want changing just yet.

Any answers greatly received and advice always welcome. Cheers, folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] W: www.TBandA.com
Eastgate House 10 Eastgate Leeds LS2 7JL
RE: [ActiveDir] DC or not DC
Couple of issues. No Microsoft products are supported by MS on VMWARE, you have to duplicate the problem on physical hardware which may be feasible sometimes, but not all of the time and maybe not even most of the time. MS doesn't support Exchange in any virtual environment, including their own.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Wednesday, February 16, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

I hate to drag this off subject slightly and since no one has mentioned it, but isn't the whole point of Microsoft Virtual Server and VMware GSX/ESX so that you can run multiple servers on the same physical server and not have the application/security/resource conflicts that you can get by running everything on one server? At the last MS TechEd several of the MS people I talked to were pitching Virtual Server as *the* solution to the "I only have one server" and branch office scenarios.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

Yeah MS has always said best practice is not to put back office apps or IIS on domain controllers for as long as I can recall. Ditto file and print. There are possible resource and security issues. Then they have SBS. SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it. At that point, what do you and don't you listen to from MS? My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely, I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well you argue with Rick about everything because he is a hoot to argue with. With Deji... Check it twice - all of it. ;oP Tony... Never argue with Tony's dinner wine choice, never.

My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally one of the methods for fixing replication hangs and such in AD is a reboot because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as FP, SQL, Exchange, etc as they tend to get cranky when the server side of the equation disappears. My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, February 16, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

If you have the resources on the box and cannot afford to purchase a new box for SQL or Exchange, then you are stuck with only one option. However, I am a big believer in keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or log in issues. I believe that Microsoft's best practices said to keep things separate. (But, I may be dreaming... like I often do...) However, with everything that I have said, it is just my opinion and is dependent on how many users you have and if your company can afford the cost.

Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Wednesday, February 16, 2005 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC or not DC

Last night I received the latest MCPMag email newsletter and always read the questions that people ask. I was kind of surprised by the opening sentence of the
Re: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic
James - this little program (EPAL.exe) is GREAT! Even though I had it resolved, I tried this program and it worked as well: very cool "fix" for the issue, and the fact that it's integrated with AD makes it all the better. Anyone else who has similar permissions issues for apps, EPAL.exe should help. There's not much documentation about it on the net (google returns about 10 links, and half are not in English), but the link below gave me enough info to get it running and working.

--Jason

- Original Message -
From: Blair, James
To: ActiveDir@mail.activedir.org
Sent: Tuesday, February 15, 2005 11:45 PM
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Jason, Have you tried Microsoft's Elevated Privilege Application Launcher?: http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/epal.mspx

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, 16 February 2005 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

So, the other option is to take a little bit of your time and do some investigation. Go grab Regmon and Filemon from Sysinternals (both free) and watch what the app is trying to access. Chances are it's doing something in %systemroot%\system32 or in the registry that is generally not accessible to non-PU style users. I'd be willing to guess that with the addition of a few changes (via a GPO) the issue is solved without starting a war, and you look like a hero.

Roger Seielstad
E-mail Geek
MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, February 15, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Ah... "the business". It's a pretty wild circle huh?
- IT doesn't want apps that aren't written properly, but...
- "the business" doesn't care and wants it anyway, so...
- IT can't put the kind of pressure they would like upon the company developing the bad apps, so...
- bad company makes their money anyway, and...
- "business" is happy, because...
- IT "made it work"

So we all three [groups] still have jobs. Hmm... By the way... love the "smoldering pile of crap" adjective. Beautiful!

-DaveC
Reuters America

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 15, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

Dave- Hallelujah! I'm with you here. Can we start some kind of movement? I'm thinking a web site like dontwritestupidwindowsapps.org? Maybe hold some rallies outside of offending software companies' headquarters where we burn their shrinkwrap? I'm serious. This used to bug the holy heck out of me when I lived in the IT world. But of course "the business" would always say, "well we absolutely must have this huge smoldering pile of crap application and there is only one vendor in Upper East Moldoria that provides it so we don't care if it's not 'Windows compliant'."

Darren "Logo or Die" Mar-Elia

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Tuesday, February 15, 2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package - Slightly Off Topic

You guys gave some great suggestions to this tough question, and made some good points. For what it's worth, mine is a bit less realistic - STOP purchasing software from a company that can't get this right (regardless of excuse or reason). Perhaps the same can be said of applications that use NetBIOS calls. If we ever really want to get that out of the Windows world (do we?), then the application providers need to STOP using it. If we don't buy it, they can't make it... right? Sorry if this is a bit simplistic!

-DaveC
Reuters America

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003. The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer". It's free for use for our employees
RE: [ActiveDir] HELP!!! Undelete required
LOL. I have been thinking about some stuff around K3, not thinking about 2K at all. :o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, February 16, 2005 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

WE WOULDN'T HAVE TO IF joe WOULD JUST QUIT FOOLIN' AROUND AND BUILD SOMETHING FOR US! C'mon joe. I promise I'll go to www.joeware.net and buy that thong for my wife I told you I would. YMYMYM

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

I think you're going to need to do an authoritative restore unfortunately, my friend.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] W: www.TBandA.com
Eastgate House 10 Eastgate Leeds LS2 7JL

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 16 February 2005 18:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

You aren't going to like the answer... If you had K3 you would have at least 2 options, one painful, one really painful. Here you only have the painful answer.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: Wednesday, February 16, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] HELP!!! Undelete required

Hi guys, What is the fastest way of recovering a group object deleted in AD 2000?? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... pls don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
RE: [ActiveDir] LDAP query question
ADSI is so lame. Try escaping the slash in the DN with "\2f", e.g. "cn=foo\2fbar,cn=user,dc=domain,dc=com". If this is C or some variant, don't forget to escape the backslash itself.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

CreateObject("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] Remove orphaned account
This is killing me. I am able to search through adsiedit and find the account in GC mode (3268) but cannot delete. When I switch to ldap mode (389), I cannot find the object. HELP!! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, February 16, 2005 9:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account Well the break seems to from that specific child domain. When I run an ADfind against all other GC's the object exists; when I run it against that one child domain GC, the object is not found. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 9:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account You need to figure out where the break is. Look at the GC that you expect it at and chase back through the replication connections to determine how the change should get there from the domain. There has to be a break somewhere. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 5:07 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account This has been since last week. (about 5 days). Is there anyway to force the delete to the other GC's? -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account How long ago was this account deleted? If it has been longer than the tombstone period, you have a lingering object and you need to start worrying about what other bad things are going on. If it has been recently, you need to chase your replication and determine where the update stopped at. 
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:36 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account That's exactly the case, except its not in the child domain (child1.domain.com) but it exists everywhere else, (domain.com, child2.domain.com, child3.domain.com) When I try the admod command, it tries to contact the child domain (child1.domain.com) that is the owner of the account, but does not find it there. Some how, it seems that the deletion did not replication to all other GC's in the forest. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account That means your default GC has the object in its database but your default DC for that domain doesn't see it. You can tell which DCs are involved by doing this adfind -gc -b -s base dnshostname adfind -h domain.com -b -s base dnshostname If the object is in your default domain you can shorten the second command to adfind -b -s base dnshostname joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:13 PM To: joe; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account When I try to remove the object, I get this: C:\ Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004 DN Count: 1 Using server: server.domain.com Deleting specified objects... DN: cn=doe\, john,cn=users,dc=domain,dc=com...: [server.domain .com] Error 0x20 (32) - No Such Object ERROR: Too many errors encountered, terminating... 
The command did not complete successfully

-Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 15, 2005 3:55 PM To: ActiveDir@mail.activedir.org Cc: Harding, Devon Subject: RE: [ActiveDir] Remove orphaned account

Resend and Update, list blocked because I responded from wrong account

Almost, -del or -rm would delete the entire user object... But you need to use -dsq on adfind to output the quoted DN.

adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del

Also if you want to just remove that address you could do

adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod proxyaddresses:-:smtp:[EMAIL PROTECTED]

Note that if that address is the primary SMTP, Exchange may get grumpy if you don't set another address as primary.

[UPDATE] Looking at Hunter's response, he makes sense. Instead of deleting the object or the attribute, consider clearing the Exchange attributes.

adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | exchmbx -clear

joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15,
RE: [ActiveDir] LDAP query question
Yep. But I would truly recommend renaming the objects. I would also kill any names with spaces in them and commas in them, those are also a pain to deal with. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Wednesday, February 16, 2005 3:03 PM To: Send - AD mailing list Subject: RE: [ActiveDir] LDAP query question

Initial thought - string substitution, escape it with (ironically) a backslash "\" ?? --Dean Wells MSEtechnology* Email: dwells@msetechnology.com http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: Wednesday, February 16, 2005 2:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

Create Object("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] HELP!!! Undelete required
Sometimes it is fun to see how the answers to someone's question arrive earlier than the question itself ;-)

-Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 2/16/2005 7:26 PM Subject: [ActiveDir] HELP!!! Undelete required

Hi guys, What is the fastest way of recovering a group object deleted in AD 2000?? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... pls don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remove orphaned account
You don't WANT to just delete the object and by default deleting from a GC isn't allowed. You want to find out why your replication isn't working. You could have much worse issues going on than a duplicate SMTP address. If we get to the point, and you honestly may already be there, of having lingering objects outside of the tombstone period you will get to start digging through the various lingering objects KBs. But right now, your first priority needs to be to fix your replication. joe

-Original Message- From: Harding, Devon [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 16, 2005 3:33 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account

This is killing me. I am able to search through adsiedit and find the account in GC mode (3268) but cannot delete. When I switch to ldap mode (389), I cannot find the object. HELP!!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, February 16, 2005 9:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account

Well, the break seems to be from that specific child domain. When I run an ADfind against all other GCs the object exists; when I run it against that one child domain GC, the object is not found. -Devon

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 9:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account

You need to figure out where the break is. Look at the GC that you expect it at and chase back through the replication connections to determine how the change should get there from the domain. There has to be a break somewhere. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 5:07 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account

This has been since last week. 
(about 5 days). Is there any way to force the delete to the other GCs? -Devon

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account

How long ago was this account deleted? If it has been longer than the tombstone period, you have a lingering object and you need to start worrying about what other bad things are going on. If it has been recently, you need to chase your replication and determine where the update stopped at. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:36 PM To: ActiveDir@mail.activedir.org; joe Subject: RE: [ActiveDir] Remove orphaned account

That's exactly the case, except it's not in the child domain (child1.domain.com) but it exists everywhere else (domain.com, child2.domain.com, child3.domain.com). When I try the admod command, it tries to contact the child domain (child1.domain.com) that is the owner of the account, but does not find it there. Somehow, it seems that the deletion did not replicate to all other GCs in the forest. -Devon

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, February 15, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account

That means your default GC has the object in its database but your default DC for that domain doesn't see it. 
You can tell which DCs are involved by doing this:

adfind -gc -b -s base dnshostname
adfind -h domain.com -b -s base dnshostname

If the object is in your default domain you can shorten the second command to

adfind -b -s base dnshostname

joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, February 15, 2005 4:13 PM To: joe; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remove orphaned account

When I try to remove the object, I get this:

C:\ Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
DN Count: 1
Using server: server.domain.com
Deleting specified objects...
DN: cn=doe\, john,cn=users,dc=domain,dc=com...: [server.domain.com] Error 0x20 (32) - No Such Object
ERROR: Too many errors encountered, terminating...
The command did not complete successfully

-Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 15, 2005 3:55 PM To: ActiveDir@mail.activedir.org Cc: Harding, Devon Subject: RE: [ActiveDir] Remove orphaned account

Resend and Update, list blocked because I responded from wrong account

Almost, -del or -rm would delete the entire user object... But you need to use -dsq on adfind to output the quoted DN.

adfind -gc -b -f
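The check joe keeps coming back to (is the object the GC still shows merely a delete that has not replicated yet, or is it already a lingering object past the tombstone lifetime?) can be made mechanical once you have both views of the data. The following is an added example in Python, not code from the list or from adfind/admod. It assumes you have already collected two result sets: what the GC (port 3268) returns, and what a writable DC of the object's home domain returns when deleted objects are shown (the LDAP_SERVER_SHOW_DELETED_OID control, 1.2.840.113556.1.4.417). The entries, GUIDs and the 60-day tombstone lifetime are constructed for the example.

```python
"""Classify objects a Global Catalog still returns but the object's home
domain does not.  Added example for the orphaned-account thread, not code
from the list or from adfind/admod.  The entries below are constructed."""
from datetime import datetime, timedelta, timezone

# Assumed forest tombstone lifetime.  Windows 2000 and 2003 RTM default to
# 60 days; the real value is the tombstoneLifetime attribute of
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest>.
TOMBSTONE_LIFETIME_DAYS = 60


def parse_generalized_time(value):
    """Turn an LDAP GeneralizedTime such as 20050211000000.0Z into a UTC datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_gc_objects(gc_entries, domain_entries, now,
                        tombstone_lifetime_days=TOMBSTONE_LIFETIME_DAYS):
    """Map each GC object's objectGUID to (state, age of the domain tombstone).

    live            - the home domain still has the object; nothing to do
    replication_lag - the domain holds a tombstone younger than the tombstone
                      lifetime, so the delete just has not reached this GC
    lingering       - the domain has no record at all (or only a tombstone
                      older than the lifetime): the GC copy outlived the
                      tombstone and normal replication will never remove it
    """
    home = {e["objectGUID"]: e for e in domain_entries}
    lifetime = timedelta(days=tombstone_lifetime_days)
    result = {}
    for entry in gc_entries:
        guid = entry["objectGUID"]
        domain_copy = home.get(guid)
        if domain_copy is None:
            result[guid] = ("lingering", None)
        elif domain_copy.get("isDeleted") != "TRUE":
            result[guid] = ("live", None)
        else:
            age = now - parse_generalized_time(domain_copy["whenChanged"])
            state = "lingering" if age > lifetime else "replication_lag"
            result[guid] = (state, age)
    return result


# Constructed sample: what the GC (3268) returns for cn=users of child1.
SAMPLE_GC_ENTRIES = [
    {"dn": "cn=doe\\, john,cn=users,dc=child1,dc=domain,dc=com", "objectGUID": "guid-a"},
    {"dn": "cn=jane roe,cn=users,dc=child1,dc=domain,dc=com", "objectGUID": "guid-b"},
    {"dn": "cn=old svc,cn=users,dc=child1,dc=domain,dc=com", "objectGUID": "guid-c"},
]

# Constructed sample: the same search on a writable child1 DC with deleted
# objects shown.  guid-a was deleted five days before SAMPLE_NOW; guid-c has
# no record at all, i.e. its tombstone was already garbage collected.
SAMPLE_DOMAIN_ENTRIES = [
    {"dn": "cn=doe\\, john\\0ADEL:guid-a,cn=deleted objects,dc=child1,dc=domain,dc=com",
     "objectGUID": "guid-a", "isDeleted": "TRUE", "whenChanged": "20050211000000.0Z"},
    {"dn": "cn=jane roe,cn=users,dc=child1,dc=domain,dc=com",
     "objectGUID": "guid-b", "whenChanged": "20050101120000.0Z"},
]

SAMPLE_NOW = datetime(2005, 2, 16, tzinfo=timezone.utc)


def run_sample():
    """Classify the constructed sample as of SAMPLE_NOW."""
    return classify_gc_objects(SAMPLE_GC_ENTRIES, SAMPLE_DOMAIN_ENTRIES, SAMPLE_NOW)


if __name__ == "__main__":
    for guid, (state, age) in run_sample().items():
        print(guid, state, "" if age is None else "tombstone age %d days" % age.days)
```

Devon's "cn=doe\, john" falls into the replication_lag bucket here (five days, well inside the lifetime), which is why the advice is to chase the replication break rather than force a delete on the GC; an object the home domain has no record of at all is the lingering case that needs the lingering-object clean-up procedure instead.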
RE: [ActiveDir] DC or not DC
Yes; you can do that. I have 9 VMs running on one server running Vmware GSX. Needs to be a pretty beefy box to do it, though, and you're paying more since you have one extra OS to buy as well as the GSX license. Our server was around $30K IIRC, and needs about $5K in additional ram. I underspec'd the ram because oh, there's no way they'll want to add more stuff to that server. It's just for those 4 test lab boxes. Well, we've doubled that number in less than a year... I think the VM environment is a good idea for the medium-sized enterprise; we're planning to migrate a bunch of services to VMs. For the small business market, that has trouble affording two boxes to put a DC and exch/sql/whatever on, it's not always cost effective. From a physical perspective, it works extremely well. I have had no issues with the underlying OS or GSX. Rock solid... ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Wednesday, February 16, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC or not DC I hate to drag this off subject slightly and since no one has mentioned it, but isn't the whole point of Microsoft Virtual Server and VMware GSX/ESX so that you can run multiple servers on the same physical server and not have the application/security/resource conflicts that you can get by running everything on one server? At the last MS TechEd several of the MS people I talked to were pitching Virtual Server as *the* solution to the I only have one server and branch office scenarios. -Stuart Fuller -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 9:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC or not DC Yeah MS has always said best practice is not to put back office apps or IIS on domain controllers for as long as I can recall. 
Ditto file and print. There are possible resource and security issues. Then they have SBS. SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it. At that point, what do you and don't you listen to from MS? My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely, I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well you argue with Rick about everything because he is a hoot to argue with. With Deji... Check it twice - all of it. ;oP Tony... Never argue with Tony's dinner wine choice, never. My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally one of the methods for fixing replication hangs and such in AD is a reboot because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as FP, SQL, Exchange, etc as they tend to get cranky when the server side of the equation disappears. My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. 
Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest? joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Wednesday, February 16, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC or not DC

If you have the resources on the box and can not afford to purchase a new box for SQL or Exchange, then you are stuck with only one option. However, I am a big believer in keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or log in issues. I
RE: [ActiveDir] Strange Issue
Actually I tested this with a user from the same domain as the computer account and everything worked fine. I think that these are just not able to work across domains for some reason.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, February 16, 2005 2:57 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange Issue

Sandra, The best way to check this out is to activate detailed logging by setting the following registry key on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserEnvDebugLevel = 65538 (Dword)

After logging on again, check out the log in %windir%\Debug\UserMode\userenv.log. It is a bit messy so we offer a free tool that assists you to view it. You may find that the ADM extension is not applying for some reason. http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml If you still have problems, mail me the log offline and I will look at it for you. Also check the Event log for any issues. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message - From: Salandra, Justin A. [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, February 17, 2005 4:53 AM Subject: RE: [ActiveDir] Strange Issue

Settings are User settings in the parent domain where the user resides. The user is getting other policy settings with no problem.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Wednesday, February 16, 2005 10:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange Issue

Check your policy to determine if these settings are in the Computer or User portion of the GPO. 
If they are set in the Computer portion, then the computer in the child domain won't get the policy settings from the parent domain. You would need to set the same policy items in the child domain's GPO. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, February 16, 2005 10:25 AM To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Subject: [ActiveDir] Strange Issue I am not getting any errors but I have a computer in a child domain and a user in the root domain. When the user logs in they get all the policy settings applied except the ones that say that the My Computer Icon and the My Network Places Icon and the My Documents Icon are not removed from the desktop. I have each of these set to disable just like all my other policies and yet when this user logs in to the child domain PC those very specific settings do not get applied, but other parts of the policy do, like folder redirection and internet explorer settings. Any Ideas? Justin A. 
Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] LDAP query question
Replace the forward slash with "\2f" -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Wednesday, February 16, 2005 1:03 PM To: Send - AD mailing list Subject: RE: [ActiveDir] LDAP query question

Initial thought - string substitution, escape it with (ironically) a backslash "\" ?? --Dean Wells MSEtechnology* Email: dwells@msetechnology.com http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: Wednesday, February 16, 2005 2:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

Create Object("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] Few quick ones on password polices
Actually you still agree with me, you just state it differently. :o) In that case, the domain policy for the user accounts isn't being applied at all. I believe the idea of the OP sprang from the idea to block a certain OU from having the policy impact the users in that OU. This isn't possible because the policies are actually initiating changes on the default NC of the domain controllers which are applied to all users within the domain. I.E. When you set the lockout policy for instance you impact a couple of attributes on the default NC, specifically

F:\DEV\cpp\dosd>adfind -schema -f ldapdisplayname=*lockout* -nodn -nolabel ldapdisplayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

lockOutObservationWindow
lockoutDuration
lockoutThreshold
lockoutTime

4 Objects returned

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: Wednesday, February 16, 2005 3:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Few quick ones on password polices

I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn't happening. The problem was that the block inheritance setting was checked on the domain controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, February 16, 2005 10:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Few quick ones on password polices

1. Correct 2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines. 
I don't think you need to set "user can not change password", if the person doesn't want their password changed, setting that only prevents them from doing it. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton Sent: Wednesday, February 16, 2005 1:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Few quick ones on password polices

Hey all! Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these: 1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to apply it at that level, not below. 2) account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up. As a fail safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet. Any answers greatly received and advice always welcome. Cheers, folks. For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] W: www.TBandA.com Eastgate House 10 Eastgate Leeds LS2 7JL
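Because, as joe says, the account policy ends up as attributes on the domain naming-context head rather than on any OU, the authoritative way to see what is actually in force is to read those attributes from the domain head (a base-scope search of dc=domain,dc=com for maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties, lockoutThreshold, lockoutDuration and lockOutObservationWindow). The following is an added example in Python, not code from the list or from adfind; it converts the raw values, which AD stores as negative counts of 100-nanosecond ticks, into human units and flags the settings a reviewer would question. SAMPLE_DOMAIN_HEAD is constructed to hold the Windows Server 2003 defaults, and the audit thresholds are this example's assumptions, not a Microsoft baseline.

```python
"""Read the account-policy attributes that domain Group Policy writes onto
the domain naming-context head and report them in human units.  Added
example for the password-policy thread; not code from the list or adfind.
SAMPLE_DOMAIN_HEAD is constructed and holds the Windows Server 2003 defaults."""

HUNDRED_NS_PER_SECOND = 10_000_000
NEVER = -0x8000000000000000  # LARGE_INTEGER minimum: "never" / "until admin unlocks"

# pwdProperties flag bits.
DOMAIN_PASSWORD_COMPLEX = 0x1
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10


def interval_to_seconds(value):
    """AD stores durations as negative counts of 100 ns; None means 'never'."""
    v = int(value)
    if v == NEVER:
        return None
    return -v // HUNDRED_NS_PER_SECOND


def summarize_policy(attrs):
    """Return the policy with durations converted to days and minutes."""
    max_age = interval_to_seconds(attrs["maxPwdAge"])
    lockout = interval_to_seconds(attrs["lockoutDuration"])
    window = interval_to_seconds(attrs["lockOutObservationWindow"])
    props = int(attrs["pwdProperties"])
    return {
        "max_password_age_days": None if max_age is None else max_age // 86400,
        "min_password_age_days": interval_to_seconds(attrs["minPwdAge"]) // 86400,
        "min_password_length": int(attrs["minPwdLength"]),
        "password_history": int(attrs["pwdHistoryLength"]),
        "complexity_required": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "reversible_encryption": bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration_minutes": None if lockout is None else lockout // 60,
        "lockout_window_minutes": None if window is None else window // 60,
    }


def audit_policy(attrs, min_length=8, max_threshold=10):
    """Return the findings a reviewer would raise against the domain policy.
    The thresholds are this example's assumptions, not a Microsoft baseline."""
    p = summarize_policy(attrs)
    findings = []
    if p["lockout_threshold"] == 0:
        findings.append("lockoutThreshold is 0: accounts never lock out")
    elif p["lockout_threshold"] > max_threshold:
        findings.append("lockoutThreshold %d exceeds %d" % (p["lockout_threshold"], max_threshold))
    if p["min_password_length"] < min_length:
        findings.append("minPwdLength %d is below %d" % (p["min_password_length"], min_length))
    if not p["complexity_required"]:
        findings.append("pwdProperties lacks DOMAIN_PASSWORD_COMPLEX")
    if p["reversible_encryption"]:
        findings.append("pwdProperties has DOMAIN_PASSWORD_STORE_CLEARTEXT")
    if p["max_password_age_days"] is None:
        findings.append("maxPwdAge is 'never'")
    return findings


# Constructed sample of the domain head: 42-day max age, 1-day min age,
# length 7, history 24, complexity on, no lockout, 30-minute lockout
# duration and observation window (the Windows Server 2003 defaults).
SAMPLE_DOMAIN_HEAD = {
    "maxPwdAge": "-36288000000000",
    "minPwdAge": "-864000000000",
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "pwdProperties": "1",
    "lockoutThreshold": "0",
    "lockoutDuration": "-18000000000",
    "lockOutObservationWindow": "-18000000000",
}

if __name__ == "__main__":
    for key, val in summarize_policy(SAMPLE_DOMAIN_HEAD).items():
        print("%-26s %s" % (key, val))
    for finding in audit_policy(SAMPLE_DOMAIN_HEAD):
        print("FINDING:", finding)
```

Reading these attributes directly is also the quickest way to settle the "did my change take effect" question Larry ran into: if the domain head still shows the old value after the GPO edit, the policy never reached the NC, whatever the GPO editor displays.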
RE: [ActiveDir] LDAP query question
How did you manage to create a group with a / in the samaccountname? When I create a group (in W2K3) it tells me that's an illegal character and it will be replaced with an underscore. Then again, when I think of it the samaccountname does not contain the / character but the CN does. In the latter case apply a \ in front of it. CN=GROUP\/NAME,OU=BLABLA,DC=DOMAIN,DC=LOCAL Try that. When I look at the DN of this object with Ldp I don't see the \ . However when I have a , in the name I see a \ in front of the , (\,) Cheers Jorge

-Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 2/16/2005 8:05 PM Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

Create Object("LDAP://" & distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
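The three replies in this thread are all variants of the same rule: the LDAP DN grammar (RFC 4514) requires a backslash before certain characters, and ADSI additionally treats an unescaped "/" as the server/DN separator in LDAP://server/dn, so a "/" inside a name has to be escaped there as "\/" (Dean, Jorge) or in hex form as "\2f" (gil). The same escaping is why admod printed "cn=doe\, john" earlier in the orphaned-account thread. The following is an added example in Python, not code from the list; it escapes RDN values for a plain LDAP DN and for an ADsPath, in either notation. The group and user names are made up.

```python
"""Escape distinguished-name values so that a name containing '/' or ','
can be used in an LDAP DN and in an ADSI ADsPath.  Added example for the
LDAP-query-question thread, not code from the list; names are made up."""

# Characters RFC 4514 requires escaping anywhere inside an attribute value.
LDAP_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value, hex_style=False, for_adspath=True):
    """Escape one RDN attribute value.

    hex_style=False emits backslash-char ("\\,"); hex_style=True emits the
    backslash-hex form ("\\2c").  for_adspath=True additionally escapes '/',
    which a plain LDAP DN does not need but an ADSI ADsPath does, because
    ADSI reads LDAP://server/dn and would split the DN at the first '/'.
    A leading '#' and a leading or trailing space are escaped as RFC 4514
    requires.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in LDAP_SPECIALS
                   or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last))
                   or (for_adspath and ch == "/"))
        if special:
            out.append("\\%02x" % ord(ch) if hex_style else "\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, **kwargs):
    """Build a DN from (attribute, raw value) pairs, escaping each value."""
    return ",".join("%s=%s" % (attr, escape_rdn_value(val, **kwargs))
                    for attr, val in rdns)


def build_adspath(rdns, server=None, hex_style=False):
    """Return LDAP://[server/]dn with every RDN value ADsPath-safe."""
    dn = build_dn(rdns, hex_style=hex_style, for_adspath=True)
    return "LDAP://%s%s" % (server + "/" if server else "", dn)


if __name__ == "__main__":
    group = [("CN", "Sales/Marketing"), ("OU", "Groups"), ("DC", "domain"), ("DC", "com")]
    print(build_adspath(group))                            # backslash form
    print(build_adspath(group, server="dc1.domain.com", hex_style=True))  # \2f form
    print(build_dn([("CN", "doe, john"), ("CN", "Users"), ("DC", "domain"), ("DC", "com")]))
```

Escaping has to be applied per RDN value, not to the finished DN string: once the separators are in place you can no longer tell a structural "," from one that is part of a name, which is exactly the ambiguity the backslash exists to remove.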
RE: [ActiveDir] userenv bug in w2k3?
I just wonder whether W2K3 gets confused and tries to treat authenticating against an MIT Kerberos realm as a fully bloated cross-forest logon. Do you have loopback enabled in this GPO? W2K3 and W2K behave a bit differently when doing cross-forest logons. W2K by default does not process the user policies, roaming profiles and logon scripts from the user account domain when authenticating over a cross forest trust (but does not default to loopback). W2K3 (by default) disables the cross-forest GPO processing and defaults to loopback. Now if you explicitly disable the loopback, W2K still fails to process the logon scripts (I believe there is an open bug regarding this one). I'd suggest you explicitly set "Allow cross-forest User Policies and Roaming Profiles" in the computer part of the GPO to Disabled and also check whether disabling/enabling loopback changes things. Well... Just my 2 mumbling cents. Guy

-Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robbie Foust Sent: Wednesday, February 16, 2005 8:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] userenv bug in w2k3?

Hi, I have a w2k3 machine (terminal server) that works fine when a user logs in to the domain. But, if a user authenticates to a MIT kerberos realm (with a name mapping defined in AD) then the server logs an event id 1054 (Userenv). The description is: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. To make a long story shorter, I enabled debug logging for userenv and confirmed that it is looking in the wrong domain for the DCs when looking up group policy for the user. It's looking in the authenticating realm (the MIT kerberos realm) and not the AD domain. The server configuration *is* correct. In other words, the domain suffix is the AD domain name. (confirmed by ipconfig /all and netdiag). 
This server is using the same GP as another working (2000) server. I compared TGTs and they look the same, so I'm not sure where else to look. Suggestions? :-) Thanks! -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
RE: [ActiveDir] Display Computer Name on Desktop
Ok another question. Is there a simple way to modify this script so that My Network Places is renamed to the Domain they are logged into and My Documents is renamed to the username? And yes, I know BGINFO can provide this but we are wanting things to be unobtrusive and limit what is actually being displayed on the desktop. Thanks for any further help. Jeff

From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, February 15, 2005 12:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Display Computer Name on Desktop

That's enough. Windows knows what program to use to execute them. To run from a commandline - cscript myscript.vbs :) --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC Sent: Mon 2/14/2005 9:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Display Computer Name on Desktop

I don't know a lot about scripting or vbs. But can I take the below lines of text starting at CONST and paste that into a notepad and save it as .vbs, does that work or do I need to use some vbs program?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala Sent: Friday, February 11, 2005 2:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Display Computer Name on Desktop

The code would help, right. 8-)

' Shell special folder constant for My Computer (ssfDRIVES)
Const MY_COMPUTER = &H11
' Read this machine's name from the WSH network object
Set objNetwork = CreateObject("Wscript.Network")
objComputerName = objNetwork.ComputerName
' Get the My Computer folder from the shell and rename it in place
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(MY_COMPUTER)
Set objFolderItem = objFolder.Self
objFolderItem.Name = objComputerName

Original Message Follows From: Salandra, Justin A. 
[EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org CC: [EMAIL PROTECTED] Subject: [ActiveDir] Display Computer Name on Desktop Date: Fri, 11 Feb 2005 13:41:15 -0500

I have a question, is there a way to display the computer name on the desktop either through a login script or via GPO? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] Strange Issue
USER = Parent Domain USER GPO = Parent Domain -Computer Configuration Disabled Computer = CHILD Domain Computer GPO = CHILD Domain -User Configuration Disabled User from parent logs on to computer from child in to the parent domain and just the part of the USER GPO that does not apply is that of the My Computer Icon and others on the Desktop. All other parts apply no problems -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Wednesday, February 16, 2005 1:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange Issue Then check the child domain and the OU where the PC resides. If the GPO for the child domain or a GPO for the OU countermands the parent domain GPO, you will need to change the down-level GPO. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, February 16, 2005 12:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange Issue Settings are User settings in the parent domain where the user resides. The user is getting other policy settings with no problem. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Wednesday, February 16, 2005 10:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange Issue Check your policy to determine if these settings are in the Computer or User portion of the GPO. If they are set in the Computer portion, then the computer in the child domain won't get the policy settings from the parent domain. You would need to set the same policy items in the child domain's GPO. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. 
Sent: Wednesday, February 16, 2005 10:25 AM To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Subject: [ActiveDir] Strange Issue

I am not getting any errors but I have a computer in a child domain and a user in the root domain. When the user logs in they get all the policy settings applied except the ones that say that the My Computer Icon and the My Network Places Icon and the My Documents Icon are not removed from the desktop. I have each of these set to disable just like all my other policies and yet when this user logs in to the child domain PC those very specific settings do not get applied, but other parts of the policy do, like folder redirection and internet explorer settings. Any Ideas? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] HELP!!! Undelete required
That's your cunning answer to this problematic situation, eh? ;) Actually, it seems the message was sent twice.. either that or my mailserver has gone bonkers.. both are possible..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 16, 2005 9:45 PM
To: 'Aramide Adebanjo '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] HELP!!! Undelete required

Sometimes it is fun to see how the answers to someone's question arrive earlier than the question itself ;-)

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 2/16/2005 7:26 PM
Subject: [ActiveDir] HELP!!! Undelete required

Hi guys,

What is the fastest way of recovering a group object deleted in AD 2000?? The changes have been replicated to all other DCs. I want something precise, nothing fanciful, something tested and proved working... pls don't let it involve restoring from system state backups, that's an option I don't want to follow... There should be a way..
[ActiveDir] DNS/DHCP/RAS issue
I'm seeing some oddities with DNS and DHCP in my environment. W2K3 AD, 2 DCs on the same subnet, 1 WINS/DHCP server, about 30 member servers, and about 100 W2K Pro clients. W2K3 RRAS server.

Our RAS clients are assigned an address on one subnet through the RRAS properties for the server. If those users then return to the office, they are on a different subnet. The problem is that when they get the IP address via RAS, they automatically register in DNS, but DNS doesn't dump it once the client logs off. If they connect on the local LAN, it works OK and their address is scavenged from DNS. I have found as many as 4 different DNS entries for the same client PC.

Any idea how to correct this? I'd like the DNS entry to disappear when the client logs out of the RAS connection...

Thanks.

Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
RE: [ActiveDir] Few quick ones on password polices
That makes me feel better. It's too disruptive to my worldview when I think that Joe could be wrong <grin>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

Actually you still agree with me, you just state it differently. :o)

In that case, the domain policy for the user accounts isn't being applied at all. I believe the idea of the OP sprang from the idea to block a certain OU from having the policy impact the users in that OU. This isn't possible because the policies are actually initiating changes on the default NC of the domain controllers which are applied to all users within the domain. I.e. when you set the lockout policy, for instance, you impact a couple of attributes on the default NC, specifically:

F:\DEV\cpp\dosd>adfind -schema -f ldapdisplayname=*lockout* -nodn -nolabel ldapdisplayname
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

lockOutObservationWindow
lockoutDuration
lockoutThreshold
lockoutTime

4 Objects returned

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn't happening. The problem was that the "block inheritance" setting was checked on the Domain Controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

1. Correct

2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines.

I don't think you need to set "user can not change password"; if the person doesn't want their password changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Few quick ones on password polices

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) You can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level, i.e. if the domain is abc.com you have to apply it at that level, not below.

2) Account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up.

As a fail-safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet.

Any answers greatly received and advice always welcome.

Cheers, folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com
Eastgate House, 10 Eastgate, Leeds LS2 7JL
RE: [ActiveDir] LDAP query question
Thanks to all, changing / to \/ in the DN did the trick. Unfortunately, I can't get the groups renamed. Luckily, none of my users have created the groups using commas in their names. We do have numerous groups with embedded spaces and those haven't caused any of my apps to fail.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query question

Yep. But I would truly recommend renaming the objects. I would also kill any names with spaces in them and commas in them, those are also a pain to deal with.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, February 16, 2005 3:03 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] LDAP query question

Initial thought - string substitution, escape it with (ironically) a backslash "\" ??

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query question

I have developed a number of applications that do various queries on AD. However, I have run into a problem with doing an LDAP query in groups that have been named with the / character in their name. Since the group was named with a /, the distinguished name for the object also has the / character. When my app tries to connect to the object using the following, an error results:

Create Object("LDAP://" distinguishedname)

The LDAP query is assuming that I'm trying to do a query of the form LDAP://server/distinguishedname. The WINNT provider has the same issue. Any suggestions? (Besides renaming the groups?)
RE: [ActiveDir] Remove orphaned account **Solved**
Problem Solved!!!

As it turns out, error 1265 was logged on our root GC and it could not verify trust authentication with the child domain. Once the trust was reset, replication started working again and the orphaned object was automatically deleted.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328701

Thanks for all your help, Joe and ActiveDir.org, for pointing me in the right direction.

-Devon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 3:46 PM
To: Harding, Devon; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

You don't WANT to just delete the object, and by default deleting from a GC isn't allowed. You want to find out why your replication isn't working. You could have much worse issues going on than a duplicate SMTP address. If we get to the point, and you honestly may already be there, of having lingering objects outside of the tombstone period, you will get to start digging through the various lingering objects KBs. But right now, your first priority needs to be to fix your replication.

joe

-Original Message-
From: Harding, Devon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 16, 2005 3:33 PM
To: ActiveDir@mail.activedir.org; joe
Subject: RE: [ActiveDir] Remove orphaned account

This is killing me. I am able to search through adsiedit and find the account in GC mode (3268) but cannot delete. When I switch to LDAP mode (389), I cannot find the object. HELP!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, February 16, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account

Well, the break seems to be from that specific child domain. When I run an ADfind against all other GCs the object exists; when I run it against that one child domain GC, the object is not found.

-Devon
RE: [ActiveDir] Time server in windows 2003 !!
Senthil,

Good info on time here in plain English... http://www.activexperts.com/activmonitor/functions/ntp/

In order to set up an authoritative time server on a Windows 2003 server: http://support.microsoft.com/kb/816042

To set a server as the default time server you can use the below batch file on workstations or servers as a login script:

CLS
@echo off
ECHO.
ECHO Sets SNTP Server To Internal NTP Server...
net time /setsntp:%IPAddressOfTimeServer%
net stop w32time
net start w32time
ECHO.

To verify the settings are correct, from a command prompt type in:

net time /querysntp

You could go further and in your workstation builds do the following registry hacks:

Windows Registry Editor Version 5.00

; Delete Time Server Defaults From Registry
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]

; Add Domain Specific Time Server
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="%IPAddressOfTimeServer%"

; Change W32 Time Polling Interval To Every Hour
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000e10

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: Wednesday, 16 February 2005 10:39 PM
To: Active directory group
Subject: [ActiveDir] Time server in windows 2003 !!

Hi all,

We are having one Windows 2003 DC and one Windows 2003 ADC and 2000 clients of Win 2000 Prof and Win XP Prof. Now I want that when the clients log on to the domain, their computers should update their time from the Windows 2003 server. Does Windows 2003 have any inbuilt feature to set it up as a time server? Are there any third-party programs which convert a Win 2003 server into a time server? If yes, what are the names of the products? Are there any open-source programs for setting up a time server in Windows 2003 or Linux? Can we configure this in GPO?

Thanks and Regards,
K.SENTHIL KUMAR
RE: [ActiveDir] LDAP query question
Hi Larry,

That escape trick is probably enough for you (using perhaps the VBS Replace function, if your DNs are in variables), but depending on what you are doing, you have also other options to get access to the objects with slash characters in the RDN:

- Use ADO over ADSI (of course, this is read only)
- First bind to the parent container and then enumerate with For Each objChild...
- First bind to the parent container and then bind to the child with an RDN instead of a DN, that is
  Set objChild = objContainer.GetObject("group", "CN=some/group")

Yours,
Sakari
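The escaping that Larry's thread settles on (writing / as \/ in the DN) and the ADSI path form LDAP://server/DN that Sakari's reply works around, as an added example that is not code from this thread: the RFC 4514 escaping AD applies when it stores a name, the ADSI-only slash escape on top of it, and a parser that reproduces the provider's server/DN split so you can see why an unescaped slash mis-binds. The group names, DNs and server name are constructed for illustration.

```python
"""Added example (not from the thread): escape an AD distinguished name
for use in an ADSI path, and show why an unescaped '/' breaks the bind.

Two layers of escaping are involved:
  1. RFC 4514 escaping inside an RDN value, which AD applies itself when
     it stores an object whose name contains ',', '+', '"', '\\', '<',
     '>', ';', a leading '#' or a leading/trailing space.
  2. The ADSI-specific rule the thread settles on: a '/' anywhere in the
     DN must be written as '\\/', because the LDAP provider treats the
     first unescaped '/' after "LDAP://" as the server/DN separator.
Names, servers and DNs below are constructed for illustration.
"""
import re
from typing import Optional, Tuple

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_RFC4514_SPECIALS = frozenset(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (e.g. a group's CN) per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")       # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")       # leading hash
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, parent_dn: str) -> str:
    """Build the DN AD would store for a group named `cn` under `parent_dn`."""
    return f"CN={escape_rdn_value(cn)},{parent_dn}"


def escape_dn_for_adsi(dn: str) -> str:
    """Apply the ADSI-only rule: '/' -> '\\/'. RFC 4514 escapes are kept."""
    return dn.replace("/", "\\/")


def adsi_path(dn: str, server: Optional[str] = None) -> str:
    """Serverless or server-specific LDAP:// path safe to hand to GetObject."""
    prefix = f"LDAP://{server}/" if server else "LDAP://"
    return prefix + escape_dn_for_adsi(dn)


def parse_adsi_path(path: str) -> Tuple[Optional[str], str]:
    """Split an LDAP:// path into (server, dn) the way the provider does:
    the first '/' not preceded by a backslash separates server from DN.
    Run on an unescaped DN this reproduces the mis-bind from the thread."""
    if not path.startswith("LDAP://"):
        raise ValueError("not an LDAP:// path")
    rest = path[len("LDAP://"):]
    sep = re.search(r"(?<!\\)/", rest)
    if sep is None:
        return None, rest.replace("\\/", "/")
    return rest[:sep.start()], rest[sep.end():].replace("\\/", "/")


if __name__ == "__main__":
    dn = build_dn("Dev/Ops, EMEA", "OU=Groups,DC=example,DC=com")
    print("stored DN :", dn)
    print("raw path  :", parse_adsi_path("LDAP://" + dn))   # server/DN mis-split
    print("escaped   :", parse_adsi_path(adsi_path(dn)))    # whole DN survives
```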
RE: [ActiveDir] Display Computer Name on Desktop
Da. Looked up in MSDN the ShellSpecialFolderConstants. This is where that &H11 in the snippet comes from. For My Network Places:

Const NETHOOD = &H13
Set objNetwork = CreateObject("Wscript.Network")
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(NETHOOD)
Set objFolderItem = objFolder.Self
objFolderItem.Name = objNetwork.UserDomain

--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Wed 2/16/2005 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

Ok, another question. Is there a simple way to modify this script so that My Network Places is renamed to the domain they are logged into and My Documents is renamed to the username? And yes, I know BGINFO can provide this, but we are wanting things to be unobtrusive and limit what is actually being displayed on the desktop. Thanks for any further help.

Jeff

From: Brian Desmond [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, February 15, 2005 12:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

That's enough. Windows knows what program to use to execute them. To run from a command line - cscript myscript.vbs :)

--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 2/14/2005 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

I don't know a lot about scripting or VBS. But can I take the below lines of text starting at CONST and paste that into Notepad and save it as .vbs? Does that work, or do I need to use some VBS program?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, February 11, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Display Computer Name on Desktop

The code would help, right. 8-)

Const MY_COMPUTER = &H11
Set objNetwork = CreateObject("Wscript.Network")
objComputerName = objNetwork.ComputerName
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(MY_COMPUTER)
Set objFolderItem = objFolder.Self
objFolderItem.Name = objComputerName

Original Message Follows
From: Salandra, Justin A. [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
CC: [EMAIL PROTECTED]
Subject: [ActiveDir] Display Computer Name on Desktop
Date: Fri, 11 Feb 2005 13:41:15 -0500

I have a question: is there a way to display the computer name on the desktop, either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] userenv bug in w2k3? *solved*
Thanks for the suggestions -- I actually did have loopback processing configured, but not the cross-forest setting. That didn't correct the problem though. It was indeed a bug; someone from Microsoft posted the fix on another list that I am on. Here it is if anyone is interested:

http://support.microsoft.com/default.aspx?scid=kb;en-us;827182

Thanks again for the help,

- Robbie

Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University

Guy Teverovsky wrote:

I just wonder whether W2K3 gets confused and tries to treat authenticating against an MIT Kerberos realm as a fully bloated cross-forest logon. Do you have loopback enabled in this GPO? W2K3 and W2K behave a bit differently when doing cross-forest logons. W2K by default does not process the user policies, roaming profiles and logon scripts from the user account domain when authenticating over a cross-forest trust (but does not default to loopback). W2K3 (by default) disables the cross-forest GPO processing and defaults to loopback. Now if you explicitly disable the loopback, W2K still fails to process the logon scripts (I believe there is an open bug regarding this one). I'd suggest you explicitly set "Allow cross-forest User Policies and Roaming Profiles" in the computer part of the GPO to Disabled and also check whether disabling/enabling loopback changes things.

Well... Just my 2 mumbling cents.

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Wednesday, February 16, 2005 8:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userenv bug in w2k3?

Hi,

I have a w2k3 machine (terminal server) that works fine when a user logs in to the domain. But, if a user authenticates to an MIT Kerberos realm (with a name mapping defined in AD) then the server logs an event id 1054 (Userenv). The description is:

Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted.). Group Policy processing aborted.

To make a long story shorter, I enabled debug logging for userenv and confirmed that it is looking in the wrong domain for the DCs when looking up group policy for the user. It's looking in the authenticating realm (the MIT Kerberos realm) and not the AD domain. The server configuration *is* correct. In other words, the domain suffix is the AD domain name (confirmed by ipconfig /all and netdiag). This server is using the same GP as another working (2000) server. I compared TGTs and they look the same, so I'm not sure where else to look.

Suggestions? :-)

Thanks!

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University
RE: [ActiveDir] Few quick ones on password polices
Actually, this isn't entirely true. A little testing on Win2K3 shows the following:

If I have domain account policy defined, say, on the Default Domain Policy, and I set block inheritance on the Domain Controllers OU, then any changes to the domain account policy on that domain-linked GPO will be ignored by DCs located in the DC OU. You can see this by looking at the effective account policy on a given DC by firing up the local GPO editor (gpedit.msc). If you look at account policy on the local GPO of a DC, it shows the current effective policy as delivered by any domain-linked GPOs. If you try to change it from the local GPO, you'll notice it's grayed out--and can't be changed. Interestingly, if you set Block Inheritance on the DC OU, not only are changes to domain account policy from that domain-linked GPO ignored, but you can now change the local account policy on a given DC from the local GPO editor. Obviously that isn't too desirable, since this would imply to me that you could have a different account policy on each DC. Yuck. It's unclear to me whether AD has any kind of mechanism to prevent this, but I am currently doubting it until I test some more.

So bottom line is don't put Block Inheritance on the DC OU or, better yet, always set the GPO where you define domain account policy to Enforced.

Darren
RE: [ActiveDir] userenv bug in w2k3?
Robbie-

I'm not completely familiar with this kind of Kerb. interop, but this sounds like expected behavior. If you are trying to process user policy, then Windows will query the user's domain to find the GPOs that apply--not the computer's (unless you're using loopback policy). So I guess the question is--what does Windows think the user's domain is? Is the user's Kerb ticket from the MIT realm or AD?

Darren
[ActiveDir] OT: Exchange 2003 Forestprep
This is a shot in the dark, but has anyone experienced (and solved) this before?

Forestprep was run quite some time ago on a clean Windows 2003 AD environment. In addition to this a couple of other schema extensions have been applied (ILO and Novadigm extensions). I am now in the process of installing Exchange 2003 after completing the setup and sync with ADC. When I run the setup I receive the following error:

Setup failed while installing sub component Microsoft Exchange Organization-Level Container chilren with error code 0xc1037ae6.

I have looked at the LDIF.err file and found it to be failing when trying to modify an object in the CN=Address-Templates container (within the Exchange part of the configuration container). I have looked in here and found that there are no template objects. I uninstalled Exchange (fully) and reran forestprep, but this still hasn't created them.

The account being used to install Exchange has Schema, Enterprise, Exchange delegation and local machine admin rights, but I didn't think it really needed all this once the forestprep had been run.

I have looked at article 870829 but unless I'm doing something wrong this doesn't appear to help (I did change the paths while the setup was halfway through (at the error) and tried a retry instead of cancel and rerunning the setup process, as it takes an age to complete the installation and then remove it to start again).

Hope all this makes sense; after all, it is 2am.

Cheers
Jacqui
RE: [ActiveDir] Few quick ones on password polices
This would put the domain into an entirely inconsistent state. I have helped companies get out of similar predicaments that they got into accidentally like this, due to poor FRS replication. Basically what happens is that the changes get applied locally, replicate out through the domain partition, get stomped on by some other DC somewhere else, which replicates back out. If you have different policies on several DCs you would be entirely in flux and could never guarantee where you would be in terms of settings, as it would depend on which DC you last replicated in changes from and whether or not the local policy had recently reapplied.

I have seen this for password policies, lockout policies, and restricted groups (this is a hoot if the group is admins or domain admins, because you have to time your logon at a point when you have rights). Basically anything that replicates in the directory as well as through FRS.

This is fairly easy to catch by looking at version numbers on the domain NC attributes; when you see something that is in the hundreds, you may have an issue. Alternatively have a script that watches for changes, and you will keep seeing the domain NC popping up as changing.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 16, 2005 7:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

Actually, this isn't entirely true. A little testing on Win2K3 shows the following: If I have a domain account policy defined, say, on the Default Domain Policy, and I set Block Inheritance on the Domain Controllers OU, then any changes to the domain account policy on that domain-linked GPO will be ignored by DCs located in the DC OU. You can see this by looking at the effective account policy on a given DC by firing up the local GPO editor (gpedit.msc).

If you look at the account policy on the local GPO of a DC, it shows the current effective policy as delivered by any domain-linked GPOs. If you try to change it from the local GPO, you'll notice it's grayed out and can't be changed. Interestingly, if you set Block Inheritance on the DC OU, not only are changes to domain account policy from that domain-linked GPO ignored, but you can now change the local account policy on a given DC from the local GPO editor. Obviously that isn't too desirable, since this would imply to me that you could have a different account policy on each DC. Yuck. It's unclear to me whether AD has any kind of mechanism to prevent this, but I am currently doubting it until I test some more.

So bottom line is: don't put Block Inheritance on the DC OU or, better yet, always set the GPO where you define domain account policy to Enforced.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

1. Correct

2. Yes and no. Account policies as applied onto domain users can't be blocked. However, you can block those policies from being applied to the local policies of member machines.

I don't think you need to set "user can not change password"; if the person doesn't want their password changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Few quick ones on password polices

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) You can only apply password policies (account policies, to be exact, but this is a bone of contention here at the moment) at the domain level, i.e. if the domain is abc.com you have to apply it at that level, not below.

2) Account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up.

As a fail-safe I'm going to make sure I've got the "password never expires" and "user can not change password" options selected for those people whose password I don't want changing just yet.

Any answers gratefully received and advice always welcome.

Cheers, folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com
Eastgate House, 10 Eastgate, Leeds LS2 7JL
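The version-number check joe describes (domain NC attributes whose replication metadata version has climbed into the hundreds, or that differ from DC to DC because policy writes are fighting) can be scripted. The following is an added example written for this archive page; it is not code from the list or from any of the posters. It assumes the ActiveDirectory PowerShell module from RSAT (Get-ADReplicationAttributeMetadata, which post-dates this 2005 thread) and a reader account that can query replication metadata on every DC. The threshold of 100 is an assumption taken from joe's "in the hundreds" remark, not a documented value.

```powershell
# Added example (not from the list thread): read the replication metadata
# for the account-policy attributes on the domain NC head from every DC,
# flag versions in the hundreds, and flag attributes whose version has not
# converged across DCs. Assumes the ActiveDirectory RSAT module.
param(
    # Version at or above which an attribute is flagged (assumed threshold).
    [int]$Threshold = 100
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Domain-NC attributes written by the domain account policy (password and
# lockout settings); these should change rarely, so a high version is odd.
$policyAttributes = @(
    'maxPwdAge', 'minPwdAge', 'minPwdLength', 'pwdHistoryLength',
    'pwdProperties', 'lockoutThreshold', 'lockoutDuration',
    'lockOutObservationWindow'
)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $domainDn `
            -Server $dc.HostName -Properties $policyAttributes -ErrorAction Stop
    } catch {
        Write-Warning "Could not read metadata from $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $meta) {
        [pscustomobject]@{
            DC          = $dc.HostName
            Attribute   = $m.AttributeName
            Version     = $m.Version
            LastChanged = $m.LastOriginatingChangeTime
            Originator  = $m.LastOriginatingChangeDirectoryServerIdentity
            Suspicious  = ($m.Version -ge $Threshold)
        }
    }
}

# Report 1: attributes whose version is in the hundreds (joe's symptom).
Write-Host "Attributes with version >= $Threshold"
$report | Where-Object Suspicious | Sort-Object Version -Descending | Format-Table -AutoSize

# Report 2: attributes whose version differs between DCs; a policy fight in
# flight looks exactly like this until the next replication cycle.
Write-Host "Attributes whose version has not converged across DCs"
$report | Group-Object Attribute | ForEach-Object {
    $versions = @($_.Group.Version | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        "{0}: versions {1}" -f $_.Name, ($versions -join ', ')
    }
}
```

Run it from a management host, or schedule it and diff the output over time; the "watches for changes" variant joe mentions is the same query run on a timer, with the Originator column telling you which DC keeps re-writing the values.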
RE: [ActiveDir] OT: Exchange 2003 Forestprep
Assuming that the necessary components (SMTP, NNTP, ASP, etc.) are already in place on the Exchange server, the only thing I have seen that causes that error is where there is no GC at the site where the Exchange server is located. I have no explanation for why it is so, but I ran into this twice already. In both situations, there was already E2K in place and functional, and installing a new E2K at the site does not present the same problem. The problem only manifested itself when installing E2K3. Putting up a GC at the site and allowing time for replication was the only way I was able to get E2K3 installed.

YMMV

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacqui Hurst
Sent: Wed 2/16/2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Forestprep

This is a shot in the dark, but has anyone experienced (and solved) this before?

Forestprep was run quite some time ago on a clean Windows 2003 AD environment. In addition to this a couple of other schema extensions have been applied (ILO and Novadigm extensions). I am now in the process of installing Exchange 2003 after completing the setup and sync with ADC.

When I run the setup I receive the following error:

Setup failed while installing sub component Microsoft Exchange Organization-Level Container chilren with error code 0xc1037ae6.

I have looked at the LDIF.err file and found it to be failing when trying to modify an object in the CN=Address-Templates container (within the Exchange part of the configuration container). I have looked in here and found that there are no template objects. I uninstalled Exchange (fully) and reran forestprep, but this still hasn't created them.

The account being used to install Exchange has Schema, Enterprise, Exchange delegation and local machine admin rights, but I didn't think it really needed all this once the forestprep had been run. I have looked at article 870829, but unless I'm doing something wrong this doesn't appear to help (I did change the paths while the setup was halfway through (at the error) and tried a retry instead of cancelling and rerunning the setup process, as it takes an age to complete the installation and then remove it to start again).

Hope all this makes sense; after all it is 2am.

Cheers
Jacqui

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Exchange 2003 Forestprep
Pre-requisites all in place and all DCs are GCs, so I guess it can't be that. I feel a PSS call coming :-)

[EMAIL PROTECTED] wrote:

Assuming that the necessary components (SMTP, NNTP, ASP, etc.) are already in place on the Exchange server, the only thing I have seen that causes that error is where there is no GC at the site where the Exchange server is located. I have no explanation for why it is so, but I ran into this twice already. In both situations, there was already E2K in place and functional, and installing a new E2K at the site does not present the same problem. The problem only manifested itself when installing E2K3. Putting up a GC at the site and allowing time for replication was the only way I was able to get E2K3 installed.

YMMV

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacqui Hurst
Sent: Wed 2/16/2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Forestprep

This is a shot in the dark, but has anyone experienced (and solved) this before?

Forestprep was run quite some time ago on a clean Windows 2003 AD environment. In addition to this a couple of other schema extensions have been applied (ILO and Novadigm extensions). I am now in the process of installing Exchange 2003 after completing the setup and sync with ADC.

When I run the setup I receive the following error:

Setup failed while installing sub component Microsoft Exchange Organization-Level Container chilren with error code 0xc1037ae6.

I have looked at the LDIF.err file and found it to be failing when trying to modify an object in the CN=Address-Templates container (within the Exchange part of the configuration container). I have looked in here and found that there are no template objects. I uninstalled Exchange (fully) and reran forestprep, but this still hasn't created them.

The account being used to install Exchange has Schema, Enterprise, Exchange delegation and local machine admin rights, but I didn't think it really needed all this once the forestprep had been run. I have looked at article 870829, but unless I'm doing something wrong this doesn't appear to help (I did change the paths while the setup was halfway through (at the error) and tried a retry instead of cancelling and rerunning the setup process, as it takes an age to complete the installation and then remove it to start again).

Hope all this makes sense; after all it is 2am.

Cheers
Jacqui