RE: [ActiveDir] User account and home directory management
Thanks for all your input on this - I will check these out. I must say I'm surprised they are not easy to come by, or that MS have not implemented something like it themselves - as for many institutions it must be a basic requirement.

Dan.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: 08 June 2005 00:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User account and home directory management

It looks like they've changed things since I used it last, but there was a tool from ADMWin (http://www.admwin.com/default.htm) that would do exactly what you're looking for. I believe the one that will do what you want is now called SetupBatcher. It's pretty straightforward: you enter the list of users (it can be imported from file), enter user info (name, location, username, passwords, descriptions, etc.), enter groups, mailbox info, etc., and specify home directories, including the server to create the directories, shares, and set permissions on. It's definitely changed since I used it last (over three years ago), but it looks like everything is still there.

The place I used it at last was a school board, with over 200 schools. We used to build the scripts and send them out to the schools. They just had to supply the student info and a server name. We had scripts to create everything for September, and remove everything in June, and they worked very well.

HTH,
Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list. Forgive me if this subject has been covered, as I am new to the list. I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, and permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,
Dan Stanford.
RE: [ActiveDir] Exchange and disabling accounts
Hello; Indeed, I have used admodify for 1 year because it's a great tool that fits all my needs without having much knowledge in dev. like me :) AD 2003 has this option of bulk modify objects attributes but it's a bit limited.

Alex: joe stated that you have to set associated external account and the msExchangeMasterAccountSid attribute to self. I think that admodcmd -dn "john doe" -s -grantselfaea is for "associated external account" and admodcmd -dn john doe -s -grantselffullandread is to give Grants Full Mailbox Access and Read to SELF. But what about setting the msExchangeMasterAccountSid attribute to self? Is it the -grantselffullandread switch?

Regards,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday 7 June 2005 23:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and disabling accounts

I wrote a batch file used during terminations that included granting the SELF account the associate external account permission. I used a tool called admodcmd. I believe this is the site: http://blogs.technet.com/exchange/archive/2004/08/20/208045.aspx

admodcmd -dn john doe -s -grantselffullandread
admodcmd -dn "john doe" -s -grantselfaea

-Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, June 07, 2005 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and disabling accounts

Hi Everyone,

After users (with mailboxes) leave the organization their user accounts are disabled for an amount of time and after that they are deleted. When an account is disabled the attribute msExchUserAccountControl is set to 2. This tells exchange to look at the attribute msExchMasterAccountSid for permissioning. However when disabling a user account, exchange starts complaining with event ID 9548 (and source = MSExchangeIS) if the user account is used in some ACL within exchange. This happens because the attribute msExchMasterAccountSid is empty and is not automatically populated when disabling the account.

The solution to this is to at least have one account on the exchange security descriptor of the mailbox of the disabled user account with the permission "Associated External Account", and if no account has this permission on the mailbox (which is default) the solution is to at least add SELF with the permission "Associated External Account" through the GUI of ADUC. This is mentioned in Q328880.

I would like to do this with ADMOD (automation) because several accounts exist in the domain that have been disabled at once. So exchange is screaming in the event logs.

For one account the syntax is:

admod -b "USER-DN" attribute:+:ACE

For multiple accounts the syntax is:

adfind -default -f "(&(objectclass=user)(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))" -dsq | admod attribute:+:ACE

In this case:
attribute = ExchMailboxSecurityDescriptor
ACE = SELF with "Read" "Full Mailbox Access" "Associated external account"
translated to SDDL this is D:(A;CI;CCDCLCRC;;;PS)

I don't want to replace the DACL, I just want to add an ACE for SELF with the permissions mentioned to the ACL in the DACL. Does anyone know how to do this with ADMOD and how to specify ACE in this case? If someone has other suggestions/thoughts about this, I would love to hear them!

Thanks!

Cheers
#JORGE#
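The DACL-merge problem Jorge describes (add one ACE for SELF without replacing what is already in the DACL) can be checked offline before anything is pushed with admod. The Python below is an added example, not code from this thread or from the adfind/admod/ADModify tools: it parses an SDDL DACL string into its ACEs, reports whether an allow ACE for the PS (SELF) trustee already carries the rights in Jorge's string, and otherwise inserts that ACE ahead of any inherited (ID) ACEs so the DACL keeps its canonical order and a re-run is a no-op. The right-code names it reports are the generic SDDL meanings of CC, DC, LC and RC; the mailbox-level reading of that set ("Read", "Full Mailbox Access", "Associated external account") is the one Jorge gives above. The sample descriptors are constructed for the example.

```python
"""Add an ACE for SELF (PS) to an SDDL DACL without replacing the existing ACEs.

Added example for the admod ACE question in the thread; not part of the original
posts. The sample descriptors below are constructed, not read from a real mailbox.
"""
import re
from dataclasses import dataclass

# Generic SDDL right abbreviations. The mailbox-level meaning of the CC/DC/LC/RC
# set is the one stated in the thread, not something this table asserts.
RIGHT_NAMES = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
    "GA": "generic all", "GR": "generic read", "GW": "generic write",
    "GX": "generic execute",
}

ACE_RE = re.compile(r"\(([^()]*)\)")  # plain ACEs only; conditional ACEs are out of scope


def _pairs(field: str) -> frozenset:
    """Split a concatenated two-letter SDDL field ('CCDCLCRC', 'CIID') into a set."""
    return frozenset(field[i:i + 2] for i in range(0, len(field), 2))


@dataclass(frozen=True)
class Ace:
    ace_type: str      # "A" allow, "D" deny, ...
    flags: str         # e.g. "CI" container inherit, "ID" inherited
    rights: str        # concatenated two-letter codes, e.g. "CCDCLCRC", or a hex mask
    object_guid: str
    inherit_guid: str
    trustee: str       # SID string or alias such as "PS" (SELF) or "BA"

    def right_codes(self) -> frozenset:
        if self.rights.lower().startswith("0x"):
            return frozenset({self.rights.lower()})   # numeric masks compared verbatim
        return _pairs(self.rights)

    def flag_codes(self) -> frozenset:
        return _pairs(self.flags)

    def to_sddl(self) -> str:
        return "(" + ";".join((self.ace_type, self.flags, self.rights,
                               self.object_guid, self.inherit_guid, self.trustee)) + ")"


def parse_dacl(sddl: str):
    """Split 'D:<flags>(ace)(ace)...' into the DACL control flags and a list of ACEs."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with 'D:'")
    body = sddl[2:]
    first = body.find("(")
    dacl_flags = body if first < 0 else body[:first]
    aces = []
    for match in ACE_RE.finditer(body):
        fields = match.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({match.group(1)})")
        aces.append(Ace(*fields))
    return dacl_flags, aces


def serialize_dacl(dacl_flags: str, aces) -> str:
    return "D:" + dacl_flags + "".join(a.to_sddl() for a in aces)


def has_allow_rights(aces, trustee: str, needed) -> bool:
    """True if some allow ACE for this trustee already grants every right in needed."""
    needed = frozenset(needed)
    return any(a.ace_type == "A" and a.trustee == trustee and needed <= a.right_codes()
               for a in aces)


def add_ace(sddl: str, new_ace: Ace):
    """Return (sddl, changed). Existing ACEs are kept untouched; the new explicit ACE
    goes before the first inherited (ID) ACE so the DACL stays in canonical order."""
    flags, aces = parse_dacl(sddl)
    if has_allow_rights(aces, new_ace.trustee, new_ace.right_codes()):
        return sddl, False                      # already granted: nothing to add
    insert_at = next((i for i, a in enumerate(aces) if "ID" in a.flag_codes()), len(aces))
    aces.insert(insert_at, new_ace)
    return serialize_dacl(flags, aces), True


def describe_rights(ace: Ace) -> list:
    return [RIGHT_NAMES.get(code, code) for code in sorted(ace.right_codes())]


# The ACE from the thread: allow, container-inherit, CC+DC+LC+RC, trustee PS (SELF).
SELF_AEA_ACE = Ace("A", "CI", "CCDCLCRC", "", "", "PS")

if __name__ == "__main__":
    # Constructed descriptor: one explicit ACE for Builtin Administrators, one inherited ACE.
    existing = "D:(A;CI;CCDCLCRC;;;BA)(A;CIID;CCDCLCRC;;;S-1-5-21-1-2-3-1103)"
    merged, changed = add_ace(existing, SELF_AEA_ACE)
    print("changed:", changed)
    print("merged :", merged)
    print("SELF rights:", describe_rights(SELF_AEA_ACE))
    print("second run changed:", add_ace(merged, SELF_AEA_ACE)[1])
```

If SELF already holds a subset of the rights (say CC+DC+LC but not RC), the helper appends a second ACE rather than widening the existing one, which matches the "add, don't replace" intent of `attribute:+:ACE`; widening in place would be a replace and should be a deliberate, separate decision.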
Re: [ActiveDir] Modifying behaviour of Users and Computers snap-i n
Thanks for the script Dan. I am still having problems. The script correctly changes cn=user-Display but does not appear in the context menu. At first I thought the problem might be because of cn=409 (USA) and I am in Spain. So I changed the script to reflect this cn=C0A but no joy. What am I missing?

Regards
Peter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange and disabling accounts
Tim, Joe, Alex,

Thanks for the info you guys provided!

Cheers
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday 7 June 2005 22:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and disabling accounts

Oh this is a fun one. Straight up, as someone else mentioned, you can use nomas to do this cleanup. However it isn't the most efficient tool if you have a lot of them to clean up. I have sent MS docs on things I think need to be corrected for it. I don't think they will be implemented though because they really don't care about that tool, it is a thing to deal with an issue that really shouldn't exist and wouldn't if the Exchange Dev folks would step up and rework those aspects. In the meanwhile, LOTS of companies run into this and don't realize the perf hits they are taking because of it. For some reason they made the assumption that no one would simply disable an account unless they wanted it to be a resource account. That is a rather large silly assumption in my mind but hey, they made it, we live with it. I mean come on, why wouldn't you just delete the mailbox versus just disable the account. The mailbox will hang around for a while anyway if you need to reconnect it so it shouldn't be an issue right? Wrong. Mailbox reconnects are a pain in the ass or in K3 you can use a crappy wmi interface to do it which is still a pain in the ass. Also if you disconnect a mailbox, you can't move it from one server to another, so if you have to do a quick move because of issues, the movemailbox mechanism isn't available unless you reconnect the disconnected mailboxes and then move them. I haven't talked to a large Enterprise using Exchange that this isn't an issue with. Anyway...

With admod, you should be able to set the msExchMasterAccountSid attribute with the new binary attribute update capability, setting the SD is theoretically impossible with admod but I am not entirely convinced of that yet as I haven't proven it to myself. The SD that has to be updated is the msExchSD. Supposedly if the mailbox already exists in the store, you can not successfully modify the msExchSD in the directory and have it stick, you have to update the ACL in the store. I have not actually tried to do this so I can't say if it is true or not. I have some measure of hope that it may be possible because also according to the same documentation that says you can't modify that SD in AD, it also says that that SD doesn't contain the inherited ACEs and I have clearly seen that it does recently. So the docs are wrong on at least that aspect of it. Maybe they are wrong on the other as well.

Sorry about not having better news. This is just one of the things I had encountered over the years that gets me pissy about how Exchange uses AD. The permission structure is a nightmare with its combination of AD ACLs in the config with AD ACLs on the mail objects and the store ACLs and the MAPI folder property permissions, etc.

Anyway, your best bet is to use nomas and see how you like it or write a script to do the ACL setting. This is the main KB you will want to reference http://support.microsoft.com/kb/310866
Re: [ActiveDir] Modifying behaviour of Users and Computers snap-i n
Works perfectly now!
RE: [ActiveDir] User account and home directory management
Yeah, I have asked this question a lot through the years. Generally the answer I have heard back is that MS wants to make sure there is a market for third party tools, etc. I generally hear that and go ok, whatever. On the positive side there is generally some API exposed to allow you to do what it is you want to do so you can script or write your own tools to do it. I think a lot of the really interesting tools come out of MS when someone who actually needs something for a specific project or something sits down and writes it and it becomes popular internally and starts slipping out through the cracks of MCS and PSS.

DSADD would have been a logical place for it if you look at the overall suite of tools from MS, but I would bet that they had the same thought I had when I set up admod to do adds in that it was an AD tool, not a specific user creation tool.
RE: [ActiveDir] Purging Mailboxes Programatically
How much time do you have till they need to be purged? Any benefit of lowering the mailbox retention time for the duration of the removal process (or permanently if that fits)? Maybe lower it to a day or two and let the system take care of this. You may want to increase the online maintenance process time to run as well. IIRC, these are settings you can make via policy.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 07, 2005 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Does mbconn purge mailboxes? I just looked at it and it's like it only reconnects I think

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Oh... I think you are screwed. :o) I once looked at alternate methods to do this and mailbox reconnects but it was all MAPI based and MS was very ungiving in terms of documentation around this stuff. What I got working was so incredibly flakey I didn't trust it and it never made it out of very very raw pre-alpha POC stage. I really would like to find some other method because the method MS gave for doing reconnects in E2K3 completely sucks though they can at least say it is better than what was available for E2K. We went from unforgivable to sucky. I wish they would publish source to the ESM or mbconn which are doing this stuff through MAPI from what I can tell.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Danke. Just that I'm running on Ex2000.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Recipe 17.13 in the Windows Server Cookbook... It is probably on Robbie's website somewhere, I would post it here but I am not clear if I have the rights to even though I wrote the script. I believe it is owned by O'Reilly.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Purging Mailboxes Programatically

I'm pretty sure we've had this discussion here before, but I can't find the thread. :( I need to programmatically purge a fairly extensive list of mailboxes across more than a dozen mailbox servers. I cannot wait the retention time, and I certainly cannot run the cleanup agent on 12 servers x 4 storage groups x 5 mailstores manually. I have this feeling I'm going to be told I'm SOL, but, can I purge mailboxes somehow in code/script?

Thx, brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Exchange and disabling accounts
Hi,

I just did what I posted with ADMODCMD (from the latest version of ADModify) and it worked like a charm!!! These tools (ADFIND, ADMOD, ADModify) kick ass!

Thanx,
Jorge
Re: [ActiveDir] Browser toolbar customization
thanks.

Hi Fred... Try User Configuration/Administrative Templates/Windows Components/Internet Explorer/Toolbars/Configure toolbar buttons. You can choose what you wish to show there... I believe

John

From: Freddie Coleman III [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Browser toolbar customization
Date: 06/07/2005 10:28 AM
Please respond to [EMAIL PROTECTED]

Good morning everybody. I need to remove some buttons from IE's toolbar on certain accounts. It seems like this should be done in the GPO under User Config/ windows settings/ ie maint/ browser user interface/ browser toolbar customizations/ by checking the box to delete existing buttons... This does not work, am I looking in the wrong place?

thanks,
Fred

Freddie Coleman III
Lead Computer Technician
Plaquemines Parish School Board
(504)214-3945
RE: [ActiveDir] Purging Mailboxes Programatically
I chatted with Brian offline on this. One of the solutions we discussed that I think he is moving towards was to set up a mailbox DB and before deleting the users, move them all to this one DB. Then delete the users and afterward, the DB.
RE: [ActiveDir] Purging Mailboxes Programatically
That'd do it as well as long as replication is accounted for :)
[ActiveDir] DNS Error?
Hi Everyone:

Win 2k3 in 2000 Mixed mode AD. My DNS server is throwing this error:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 7055
Date: 6/7/2005
Time: 6:23:05 PM
User: N/A
Computer: JAFFA
Description:
The DNS server accept() function failed. The event data contains the error. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 26 27 00 00 '..

I can not find any information, on MS website or eventid.net, and my google phraseology is a bit lacking I guess. If someone could bring light to this or help me with my googling skills, I would appreciate it.

Thanks,
Rick
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Link from yesterday
Guys,

Can someone please repost the HPWorld link from yesterday.

Regards
Mark
[ActiveDir] Prevent Redirection for My Music, My Videos, etc.
Hi:

We use a group policy to redirect My Documents to a network share. Is it possible to prevent the redirection of subfolders from My Documents such as My Music, My Videos, My Virtual Machines, My Pain in the Ass? If so, how?

Thanks.

-- nme
RE: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.
I remembered seeing this tip on annoyances.org. Maybe it would help?

http://www.annoyances.org/exec/show/article05-100

mc

-----Original Message-----
From: Noah Eiger
Sent: Wednesday, June 08, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
[ActiveDir] nltest, adfind errors
Running these commands on a child domain controller:

nltest /sc_query:anl.gov /server:rhino221
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

nltest /sc_query:anl.gov /server:tiger201
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\rhino221.anl.gov
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

nltest /sc_query:anl.gov /server:hippo308
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\rhino221.anl.gov
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

nltest /sc_query:anl.gov /server:bison752
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\rhino221.anl.gov
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Rhino221 holds the FSMO roles. DNS A and SRV records seem to be OK.

joe's adfind tool works fine from a non-privileged account on a workstation to the child domain when searching for accounts named admin*, yet fails when the same adfind command is run from a root DC:

C:\SYSMGR\bin>adfind -b dc=bio,dc=anl,dc=gov -f samaccountname=admin*

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: rhino221.anl.gov
Directory: Windows Server 2003
ldap_get_next_page_s: [rhino221.anl.gov] Error 0xa (10) - Referral
REFERRAL: ldap://bio.anl.gov/dc=bio,dc=anl,dc=gov

0 Objects returned

I am stumped! Any thoughts out there? Thanks.

Mike Thommes
[ActiveDir] Active directory migration and security standards issues
I have several laptops that are encrypted per the new campus security standards in my shop that are being used as desktop computers. I am now trying to bring them into our AD domain. When joining the domain all seems fine; reboot, then notice that the domain list does not include Berkeley.edu (Kerberos REALM). How does disk encryption affect Kerberos authentication? So far, this has happened only on machines that are encrypted. Any ideas?

David D. Lee
Computer Resource Specialist II
Office of Undergraduate Admissions
[EMAIL PROTECTED]
2-6417
RE: [ActiveDir] nltest, adfind errors
Is your child site delegation set up properly? Are all the entries for DCs in your child site correct?

:m:dsm:cci:mvp

-----Original Message-----
From: Thommes, Michael M.
Sent: Wednesday, June 08, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nltest, adfind errors
[ActiveDir] whenCreated and createTimeStamp
In the Schema documentation on MSDN, it looks like whenCreated and createTimeStamp are used for the same thing, but whenCreated is in the Global Catalog. If I want to report on the date each account was created in the entire forest, am I safe to use the whenCreated attribute so I can use the GC as my source? Are the values ever different for any reason?

Thanks
Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] nltest, adfind errors
As far as I know, yes. This child domain had been working OK as of about a week ago. Some replication issues on one of the child DCs showed up. That DC was DCpromo'd out. Some time went by and then it was dcpromo'd in again. The current issue appears to be LDAP connectivity between the child domain controllers and my root DC/PDC.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nltest, adfind errors
RE: [ActiveDir] Home Directories
If you follow Microsoft's recommendation (see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/user01.mspx#EHAA), but you grant modify rights with "take ownership" (not full control), folder redirection is happy to create the directories, and users can't easily change the permissions on files. The real danger with rights being changed, besides a user locking themselves out, is they lock out the system account so backups/anti-virus can't run, but we all check our error logs for these products, right?

Now, this does mean a user could take ownership of the directory and give themselves full control, but this method will prevent your above-average users from modifying it. Besides, it's fairly easy to script a "check system has rights," or to enforce it. In any case, this was the best solution between form and function.

Rights at the root folder for accounts:

User Account          Minimum permissions required
Creator/Owner         Modify rights, Take Ownership; Subfolders And Files Only
Authenticated Users   Traverse Folder/Execute File, List Folder/Read Data, Create Folders/Append Data; This Folder Only
Local System          Full Control; This Folder, Subfolders And Files

Robert Presson
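The table above maps directly onto NTFS access rules, and the "check system has rights" script Robert mentions is a short audit. The following is an added example, not Robert's script, that builds the root-folder ACL from the table and then walks the home folders under it looking for the failure mode he describes (SYSTEM locked out, or inheritance cut). It assumes the local path of the home share, here D:\Home, is a placeholder you replace.

```powershell
# Added example (not from the original post): home-directory root ACL plus audit.

$FSR = [System.Security.AccessControl.FileSystemRights]

function New-FsAce([string]$Identity, $Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function New-HomeRootAcl {
    param([Parameter(Mandatory = $true)][string]$Root)
    $acl = Get-Acl -Path $Root
    # Cut inheritance from the parent and start from an empty DACL, so only the rows below apply.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }

    # Creator/Owner: Modify + Take Ownership, "Subfolders And Files Only" = inherit-only.
    $acl.AddAccessRule((New-FsAce 'CREATOR OWNER' ($FSR::Modify -bor $FSR::TakeOwnership) 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # Authenticated Users: Traverse/Execute, List/Read, Create Folders/Append, "This Folder Only".
    $acl.AddAccessRule((New-FsAce 'NT AUTHORITY\Authenticated Users' ($FSR::Traverse -bor $FSR::ListDirectory -bor $FSR::CreateDirectories) 'None' 'None'))
    # Local System: Full Control on this folder, subfolders and files.
    $acl.AddAccessRule((New-FsAce 'NT AUTHORITY\SYSTEM' ($FSR::FullControl) 'ContainerInherit, ObjectInherit' 'None'))
    $acl   # apply with: Set-Acl -Path $Root -AclObject (New-HomeRootAcl $Root)
}

function Test-HomeFolderAcl {
    param([Parameter(Mandatory = $true)][string]$Root)
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        # An inherited Full Control ACE shows up either as FullControl or as the GENERIC_ALL bit (0x10000000).
        $systemFull = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow' -and
            ((($_.FileSystemRights -band $FSR::FullControl) -eq $FSR::FullControl) -or
             (([int]$_.FileSystemRights -band 0x10000000) -ne 0))
        })
        [pscustomobject]@{
            Folder            = $dir.FullName
            Owner             = $acl.Owner                 # the user, via CREATOR OWNER, when redirection made it
            SystemFullControl = $systemFull
            InheritanceBroken = $acl.AreAccessRulesProtected   # someone cut the chain to the root rights
        }
    }
}

# Report the folders backups and anti-virus will fail on (assumed root path D:\Home):
Test-HomeFolderAcl -Root 'D:\Home' | Where-Object { -not $_.SystemFullControl -or $_.InheritanceBroken }
```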
[ActiveDir] Renaming user and group object CNs
I have been researching the implications of modifying object CNs for users and groups in order to provide a) a more consistent CN format for objects in our directory, and b) remove "special" characters such as /, #, and : that make dealing with objects via scripting difficult.

Courtesy of the Active Directory Connector for Exchange, our AD user and group objects have CN attributes that are copies of the Exchange 5.5 directory Display Name attribute. Our initial testing did not seem to indicate that this would be a problem, but very shortly after we started to migrate users in production we noticed some issues and modified the ADC to stop this behaviour. Problem was that all the distribution groups had already been migrated along with 200-300 user objects (hence the cn= Ex5.5 display name).

Now that migration of users and groups from NT4 and Ex5.5 is complete (and has been for a number of months), the full impact (annoyance) of having these /, :, and # in the CN is becoming visible. Command line tools such as dsquery, LDIFDE, CSVDE etc. hiccup and generally add a number of flaming hoops to jump through, to the point that I would like to rename the CNs on these objects (users and Universal distribution groups).

Is this possible to do on a large scale (200-300 users and 2700+ groups)? If so, how, and what are the gotchas etc.?

Thanks in advance.
[ActiveDir] Security permissions on user object
We migrated all our users from an NT4 domain to our AD domain. Anyone who was in "Domain Admins" on our NT4 domain got migrated into "Domain Admins" on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated "Domain Admins" who are no longer Domain Admins, they are denied access.

If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security, the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually the box is unchecked again and they inherit their old security on their user object and it's broken again. I know that I once read that this is by design, but how the heck do I fix these users once and for all?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
[ActiveDir] Longhorn Beta
Not sure if this is common knowledge, but in a session on NAP at TechEd they just stated that there will be Longhorn Server betas available as of next month (July). I assume AD will be part of the base beta.

Regards
Mark
Re: [ActiveDir] Renaming user and group object CNs
You can script this using a tool like dsmod if you can come up with a list of the CNs that you want to change to. There are other scripting options too, and if you want to change the CN to something like Lastname, Firstname you could even use ADModify.

Phil

On 6/8/05, Frost, David: #CIO-BPI [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Security permissions on user object
It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions; IIRC 2003 added more groups. The articles below should help point in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

-----Original Message-----
From: Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object
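What Russ sees is the AdminSDHolder process re-stamping accounts that carry adminCount=1: while an account is still a (nested) member of a protected group, SDProp will disable inheritance again every hour. The following is an added example, not part of Brian's reply, that lists the stamped accounts that are no longer in any protected group and can undo the stamping for them. It needs the RSAT ActiveDirectory module and assumes the Windows Server 2003 SP1 protected-group set from KB 817433; other versions differ, as Brian notes, so adjust the list for your forest.

```powershell
# Added example (not from the original reply): find and repair AdminSDHolder orphans.
Import-Module ActiveDirectory

function Get-ProtectedPrincipalSid {
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $domSid  = $domain.DomainSID.Value
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    # Protected groups by well-known SID/RID (assumed: the Windows Server 2003 SP1 list).
    $groups = @(
        @{ Sid = 'S-1-5-32-544'; Server = $domain.DNSRoot }     # Administrators
        @{ Sid = 'S-1-5-32-548'; Server = $domain.DNSRoot }     # Account Operators
        @{ Sid = 'S-1-5-32-549'; Server = $domain.DNSRoot }     # Server Operators
        @{ Sid = 'S-1-5-32-550'; Server = $domain.DNSRoot }     # Print Operators
        @{ Sid = 'S-1-5-32-551'; Server = $domain.DNSRoot }     # Backup Operators
        @{ Sid = 'S-1-5-32-552'; Server = $domain.DNSRoot }     # Replicator
        @{ Sid = "$domSid-512";  Server = $domain.DNSRoot }     # Domain Admins
        @{ Sid = "$domSid-516";  Server = $domain.DNSRoot }     # Domain Controllers
        @{ Sid = "$rootSid-518"; Server = $forest.RootDomain }  # Schema Admins (forest root only)
        @{ Sid = "$rootSid-519"; Server = $forest.RootDomain }  # Enterprise Admins (forest root only)
    )
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($g in $groups) {
        # -Recursive expands nested membership, which a look at memberOf alone would miss.
        Get-ADGroupMember -Identity $g.Sid -Server $g.Server -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$sids.Add($_.SID.Value) }
    }
    # Administrator (RID 500) and krbtgt (RID 502) are protected as individual accounts.
    [void]$sids.Add("$domSid-500"); [void]$sids.Add("$domSid-502")
    , $sids   # return the set as one object, not as a stream of strings
}

function Get-AdminSdHolderOrphan {
    $protected = Get-ProtectedPrincipalSid
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { -not $protected.Contains($_.SID.Value) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                InheritanceOff    = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-AdminSdHolderOrphan {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $acl.SetAccessRuleProtection($false, $true)   # inherit again; keep the explicit ACEs
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Review the list first; -WhatIf shows what would change without touching anything.
Get-AdminSdHolderOrphan | Repair-AdminSdHolderOrphan -WhatIf
```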
RE: [ActiveDir] nltest, adfind errors
Are you sure all the old metadata was removed from AD for that particular DC (rhino...)? What does DCDIAG say?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/8/2005 8:27 PM
Subject: RE: [ActiveDir] nltest, adfind errors

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
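Jorge's question is whether the forest still has NTDS settings for a DC that no longer answers, and Mike's adfind output shows the other half of the problem: the root DC hands out a referral to bio.anl.gov that it then cannot chase. The following is an added example, not part of the thread, that cross-checks the DCs each domain registers in AD against the _ldap SRV records in DNS, whether the domain name itself resolves (what a referral chase needs), and whether LDAP answers. It assumes the RSAT ActiveDirectory module and Windows 8/2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example (not from the thread): registered DCs vs DNS vs LDAP reachability.
Import-Module ActiveDirectory

function Test-ForestDcHealth {
    param([int]$LdapPort = 389)
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # DCs this domain knows about (one nTDSDSA object each); stale metadata shows up here.
        $dcs = Get-ADDomainController -Filter * -Server $domain
        # DCs that DNS advertises for the domain; a DC missing here cannot be located by clients.
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' } |
                 ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() })
        # A referral such as ldap://bio.anl.gov/... is chased by resolving the domain name itself.
        $domainResolves = [bool](Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue)
        foreach ($dc in $dcs) {
            $fqdn = $dc.HostName.ToLowerInvariant()
            $ldap = Test-NetConnection -ComputerName $fqdn -Port $LdapPort -WarningAction SilentlyContinue
            [pscustomobject]@{
                Domain         = $domain
                DomainResolves = $domainResolves
                DC             = $fqdn
                Site           = $dc.Site
                InDnsSrv       = ($srv -contains $fqdn)
                LdapOpen       = $ldap.TcpTestSucceeded
                IsGC           = $dc.IsGlobalCatalog
                FsmoRoles      = ($dc.OperationMasterRoles -join ',')
            }
        }
    }
}

# Anything registered in AD but missing from DNS or not answering on LDAP is the suspect.
Test-ForestDcHealth | Where-Object { -not $_.InDnsSrv -or -not $_.LdapOpen -or -not $_.DomainResolves } |
    Format-Table -AutoSize
```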
[ActiveDir] Reading BIOS Information
Hi,

Is there any software through which I can read information such as USB and floppy drivers as disabled in the system BIOS?

Regards,
K.SENTHIL KUMAR
RE: [ActiveDir] Longhorn Beta
Thanks, Mark. I, too, would believe that AD will be in the initial betas, but that all remains to be seen. Glad to see that things are moving along with the next iteration.

Rick

-----Original Message-----
From: Mark Parris
Sent: Wednesday, June 08, 2005 2:32 PM
To: ActiveDir.org
Subject: [ActiveDir] Longhorn Beta
RE: [ActiveDir] Active directory migration and security standards issues
When you say Disk Encryption, are you referring to EFS (Encrypted File System)? If so, which disk is encrypted, and is your account a recovery agent? Finally, which OS? Honestly, I don't know of anything that would prevent a system configured with the basic information that you provide (EFS or not) that would allow you to join a domain, but not allow you to see a Realm. However, I am making a huge leap that you are, in fact, JOINing a W2k or W2k3 domain. Is this a bad assumption?

Rick

-----Original Message-----
From: David Lee
Sent: Wednesday, June 08, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active directory migration and security standards issues
[ActiveDir] OT Office 2003
Does anyone know where a good list or group is that could answer a question I got in regards to Office 2003?

Jeff
RE: [ActiveDir] Renaming user and group object CNs
As Phil states, this can be done. However, some of these characters are in there for good reason (such as the '/' as an escape character for the ',') and I would seriously suggest setting up a complete test environment to test out your proposed changes before you run a script against your production AD. Even then, I'd take a system state backup before you run the script so that you can restore in the event of 'bad things'.

Rick

-----Original Message-----
From: Phil Renouf
Sent: Wednesday, June 08, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Renaming user and group object CNs
Re: [ActiveDir] OT Office 2003
Ping me a mail; if I can't answer it, I am at TechEd and there should be enough geek power here to generate the gigawatts needed to power up the flux capacitor.

Mark

-----Original Message-----
From: Cothern Jeff D. Team EITC
Date: Wed, 8 Jun 2005 16:56:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Office 2003
RE: [ActiveDir] Renaming user and group object CNs
The preferred method would be to use the MoveHere method. There are some gotchas when dealing with different languages. As for the gotchas of changing this, the biggest that jumps out occurs if you're using apps that rely on RDN or CN. Otherwise, it's a breeze.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadscontainer_movehere.asp

Al

-----Original Message-----
From: Phil Renouf
Sent: Wednesday, June 08, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Renaming user and group object CNs
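Putting the thread's pieces together (David's goal of clean CNs, Phil's "Lastname, Firstname" target, Rick's insistence on a dry run, and Al's MoveHere), the following is an added example, not code from any of the posters, that plans the renames, escapes the new RDN per RFC 4514 (so the comma in "Lastname, Firstname" becomes \,), warns about two accounts that would collide on the same new name, and only renames when -WhatIf/-Confirm lets it. It assumes a placeholder search base OU and that sn and givenName are populated on the accounts to rename.

```powershell
# Added example (not from the thread): CN rename plan with RDN escaping and MoveHere.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Backslash-escape the characters that are special inside an RDN value (RFC 4514 section 2.4).
    $escaped = $Value -replace '([\\,+"<>;])', '\$1'
    # A leading '#' or space, and a trailing space, must be escaped too.
    $escaped = $escaped -replace '^([# ])', '\$1'
    $escaped -replace ' $', '\ '
}

function Get-CnRenamePlan {
    param([Parameter(Mandatory = $true)][string]$SearchBase)   # placeholder OU DN, supplied by the caller
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(sn=*)(givenName=*))'
    $searcher.PageSize = 500   # paged results, so a few hundred (or thousand) objects all come back
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'sn', 'givenname'))

    $plan = foreach ($r in $searcher.FindAll()) {
        $entry = $r.GetDirectoryEntry()
        $newCn = '{0}, {1}' -f $r.Properties['sn'][0], $r.Properties['givenname'][0]
        [pscustomobject]@{
            Path       = $entry.psbase.Path                 # ADsPath of the object, escaped by ADSI
            ParentPath = $entry.psbase.Parent.psbase.Path
            OldCn      = [string]$r.Properties['cn'][0]
            NewCn      = $newCn
            NewRdn     = 'CN=' + (ConvertTo-EscapedRdnValue -Value $newCn)   # e.g. CN=Smith\, John
        }
    }
    # Gotcha: two accounts under one parent that map to the same new CN cannot both be renamed.
    $plan | Group-Object -Property { $_.ParentPath + '|' + $_.NewRdn.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { Write-Warning ('Collision for {0}: {1}' -f $_.Name, ($_.Group.OldCn -join ' / ')) }
    $plan | Where-Object { $_.OldCn -ne $_.NewCn }   # only objects whose CN actually changes
}

function Invoke-CnRename {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Item)
    process {
        if ($PSCmdlet.ShouldProcess($Item.OldCn, "Rename to $($Item.NewRdn)")) {
            $parent = [ADSI]$Item.ParentPath
            # MoveHere into the same container is a rename: objectGUID, objectSid and sAMAccountName
            # stay put, so only things keyed on the CN/RDN (Al's gotcha) will notice.
            [void]$parent.psbase.MoveHere($Item.Path, $Item.NewRdn)
        }
    }
}

# Dry run first; take a system state backup before dropping -WhatIf (placeholder OU below).
Get-CnRenamePlan -SearchBase 'OU=Migrated,DC=example,DC=com' | Invoke-CnRename -WhatIf
```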
Re: [ActiveDir] Reading BIOS Information
Kumar, you may be able to do this with WMI and a bit of scripting. If you are looking to restrict access to USB devices, we use Secure Waves, thus enabling keyboards and mice but disabling drives and flash keys.

Mark

-----Original Message-----
From: Senthil Kumar
Date: Wed, 8 Jun 2005 13:49:30
To: Active directory group activedir@mail.activedir.org
Subject: [ActiveDir] Reading BIOS Information
Re: [ActiveDir] Renaming user and group object CNs
Good points, I should have mentioned that, as it is always an important thing to test scripts before running them in production. Thanks Rick :)

Phil

On 6/8/05, Rick Kingslan [EMAIL PROTECTED] wrote:

As Phil states, this can be done. However, some of these characters are in there for good reason (such as the '/' as an escape character for the ',') and I would seriously suggest setting up a complete test environment to test out your proposed changes before you run a script against your production AD. Even then, I'd take a system state backup before you run the script so that you can restore in the event of 'bad things'.

Rick
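The rename Phil and Al describe, run first as a dry run in the way Rick recommends. This is an added example, not code from the thread or from dsmod/ADModify; it assumes the RSAT ActiveDirectory PowerShell module and a hypothetical -SearchBase OU, and it builds the "Lastname, Firstname" form from the sn and givenName attributes.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread or from any of the tools it mentions.
# Renames user objects under an OU to a consistent "Surname, GivenName" CN, skipping
# objects whose sn or givenName is empty or whose target CN already exists in the same
# container. Nothing is changed unless -Commit is given, so it can be run as a dry run
# against a test forest first.
param(
    [Parameter(Mandatory)] [string] $SearchBase,   # hypothetical, e.g. "OU=Migrated,DC=corp,DC=example"
    [switch] $Commit
)
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter. Without it a CN such as
# "Smith (Bob)" or one containing "*" or "\" would change the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void] $sb.Append('\5c') }
            '*'     { [void] $sb.Append('\2a') }
            '('     { [void] $sb.Append('\28') }
            ')'     { [void] $sb.Append('\29') }
            "`0"    { [void] $sb.Append('\00') }
            default { [void] $sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Target CN from sn and givenName; $null when either attribute is missing.
function Get-ConsistentCn {
    param([Parameter(Mandatory)] $User)
    if ([string]::IsNullOrWhiteSpace($User.Surname) -or
        [string]::IsNullOrWhiteSpace($User.GivenName)) { return $null }
    return ('{0}, {1}' -f $User.Surname.Trim(), $User.GivenName.Trim())
}

# Parent container of a DN: split on the first comma that is not escaped with "\".
function Get-ParentDn {
    param([Parameter(Mandatory)] [string] $Dn)
    return ($Dn -split '(?<!\\),', 2)[1]
}

$users  = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties sn, givenName
$report = foreach ($u in $users) {
    $target = Get-ConsistentCn -User $u
    $row = [pscustomobject]@{ CurrentCn = $u.Name; NewCn = $target; Action = '' }

    if (-not $target) {
        $row.Action = 'skipped: sn or givenName empty'
    } elseif ($u.Name -eq $target) {
        $row.Action = 'unchanged'
    } else {
        # Collision check in the object's own container, with the CN escaped for the filter.
        $filter = "(cn=$(ConvertTo-LdapFilterValue -Value $target))"
        $clash  = Get-ADObject -SearchBase (Get-ParentDn -Dn $u.DistinguishedName) `
                               -SearchScope OneLevel -LDAPFilter $filter
        if ($clash) {
            $row.Action = 'skipped: target CN already exists'
        } else {
            # -NewName takes the plain value; the cmdlet escapes the comma in the RDN itself.
            Rename-ADObject -Identity $u.DistinguishedName -NewName $target -WhatIf:(-not $Commit)
            $row.Action = if ($Commit) { 'renamed' } else { 'would rename (dry run)' }
        }
    }
    $row
}
$report | Format-Table -AutoSize
```

The same loop applies to the distribution groups with Get-ADGroup once a naming scheme for them is chosen; apps that key on the old CN or RDN (Al's gotcha) need checking before -Commit.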
Re: [ActiveDir] OT Office 2003
The MS Newsgroups are usually pretty helpful for a lot of information.

Phil

On 6/8/05, Mark Parris [EMAIL PROTECTED] wrote:

Ping me a mail; if I can't answer it, I am at TechEd and there should be enough geek power here to generate the gigawatts needed to power up the flux capacitor.

Mark
Re: [ActiveDir] Reading BIOS Information
I know of off-the-shelf solutions that do peeks and pokes to report the BIOS information, but no idea how to integrate them through scripting; WMI is definitely your best approach. Is there something more particular you are looking for, like port 1900 (USB broadcast)? That might help make things a bit clearer as to what you're trying to find. Checking to see if a machine has a floppy drive or a second hard drive would indeed be easy enough in WMI. Getting seriously into what BIOS version may take some time to configure or script. If you're trying to find something incredibly specific to the BIOS I would check the manufacturer site for specific BIOS inspecting and detection tools. You could, depending on the software, read that into the script as well.

Brent Eads
Employee Technology Solutions, Inc.
RE: [ActiveDir] Active directory migration and security standards issues
I'm using a product called SafeGuard Easy, encrypting the entire hard drive. You must enter a username and password just after POST just to get the OS to load. The OS on the laptop is W2K; the domain is 2003. I am joining an OU in the campus domain (campus.berkeley.edu), which includes the campus, berkeley and uc domains, of which Berkeley is the Kerberos realm. All of the domains come up except berkeley. All are installed via GPO. When I check the registry settings, Berkeley is not there. I have also recently discovered that on a laptop that was already a member of this domain, all was well (all domains present) until I encrypted the drive. Then Berkeley disappears.

At 01:50 PM 6/8/2005, Rick Kingslan wrote:

When you say Disk Encryption, are you referring to EFS (Encrypted File System)? If so, which disk is encrypted, and is your account a recovery agent? Finally, which OS? Honestly I don't know of anything that would prevent a system configured with the basic information that you provide (EFS or not) that would allow you to join a domain, but not allow you to see a Realm. However, I am making a huge leap that you are, in fact, JOINing a W2k or W2k3 domain. Is this a bad assumption?

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lee
Sent: Wednesday, June 08, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active directory migration and security standards issues

I have several laptops that are encrypted per the new campus security standards in my shop that are being used as desktop computers. I am now trying to bring them into our AD domain. When joining the domain all seems fine; reboot, then notice that the domain list does not include Berkeley.edu (Kerberos REALM). How does disk encryption affect Kerberos authentication? So far, this has happened only on machines that are encrypted. Any ideas?

David D. Lee
Computer Resource Specialist II
Office of Undergraduate Admissions
[EMAIL PROTECTED]
2-6417
RE: [ActiveDir] Security permissions on user object
Also keep in mind that if you were ever a member of one of these 'protected groups', your inheritance will not be turned on again, nor will the admincount attribute be reset to 0... so you can change those back when you know the user isn't a member of one of the 'protected groups' (changing those values before ensuring this will result in the values being reset... as you are well aware by this point). AdminCount is just a 'bookkeeping' method to know that the ACL has been stamped by AdminSDHolder.

I hope that helps.

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer, Northeast Region
Microsoft Corporation, Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions; IIRC 2003 added more groups. The articles below should help point in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain. Anyone who was in Domain Admins on our NT4 domain got migrated into Domain Admins on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated Domain Admins who are no longer Domain Admins, they are denied access.

If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security, the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually the box is unchecked again, they inherit their old security on their user object and it's broken again. I know that I once read that this is by design, but how the heck do I fix these users once and for all?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Purging Mailboxes Programatically
I'm setting the mail store retention to 0 days tonight; when I get in tomorrow morning I'll sit in ESM and kick off the cleanup agent. Simple solution, will take me ten minutes to do.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, June 08, 2005 8:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

How much time do you have till they need to be purged? Any benefit of lowering the mailbox retention time for the duration of the removal process (or permanently if that fits)? Maybe lower it to a day or two and let the system take care of this. You may want to increase the online maintenance process time to run as well. IIRC, these are settings you can make via policy.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 07, 2005 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Does mbconn purge mailboxes? I just looked at it and it's like it only reconnects, I think.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Oh... I think you are screwed. :o) I once looked at alternate methods to do this and mailbox reconnects but it was all MAPI based and MS was very ungiving in terms of documentation around this stuff. What I got working was so incredibly flakey I didn't trust it and it never made it out of very very raw pre-alpha POC stage. I really would like to find some other method because the method MS gave for doing reconnects in E2K3 completely sucks, though they can at least say it is better than what was available for E2K. We went from unforgivable to sucky. I wish they would publish source to the ESM or mbconn, which are doing this stuff through MAPI from what I can tell.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Danke. Just that I'm running on Ex2000.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 06, 2005 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Purging Mailboxes Programatically

Recipe 17.13 in the Windows Server Cookbook... It is probably on Robbie's website somewhere; I would post it here but I am not clear if I have the rights to, even though I wrote the script. I believe it is owned by O'Reilly.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, June 06, 2005 11:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Purging Mailboxes Programatically

I'm pretty sure we've had this discussion here before, but I can't find the thread. :( I need to programmatically purge a fairly extensive list of mailboxes across more than a dozen mailbox servers. I cannot wait the retention time, and I certainly cannot run the cleanup agent on 12 servers x 4 storage groups x 5 mailstores manually. I have this feeling I'm going to be told I'm SOL, but, can I purge mailboxes somehow in code/script?

Thx,
brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] OT Office 2003
MS Newsgroups: tons of Office MVPs, and my experience with them is that they generally know more than you'll ever want to know about the various apps in the suite.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, June 08, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Office 2003

Does anyone know where a good list or group is that could answer a question I got in regards to Office 2003?

Jeff
Re: [ActiveDir] Reading BIOS Information
Hi Senthil,

Give me a call. I think we have some more topics to discuss.

--
Ravi Dogra
RE: [ActiveDir] Security permissions on user object
OK, looks like y'all are on the right track. I found the script in the KB article to reset all the admincounts to 0, but that sounds scary. Can't I selectively set admincounts to 0 on a user-by-user basis somehow? Or is it safe to reset all users' admincounts to 0? I see Administrator in there, so that VBScript in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these 'protected groups', your inheritance will not be turned on again, nor will the admincount attribute be reset to 0... so you can change those back when you know the user isn't a member of one of the 'protected groups' (changing those values before ensuring this will result in the values being reset... as you are well aware by this point). AdminCount is just a 'bookkeeping' method to know that the ACL has been stamped by AdminSDHolder.

I hope that helps.

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer, Northeast Region
Microsoft Corporation, Global Solutions Support Center
RE: [ActiveDir] Security permissions on user object
Well... I guess you can reset it for all of them and count on the AdminSDHolder thread to reset them to 1 in about an hour or so... other than that, the logic needed in a script to differentiate between users who are / are not currently in one of the 'protected groups' would be astounding. You shouldn't have a problem trusting the fact that it will happen to the accounts still in the protected groups since that's what got you there in the first place :-)

Hopefully that was helpful... have a great night!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer, Northeast Region
Microsoft Corporation, Global Solutions Support Center

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

OK, looks like y'all are on the right track. I found the script in the KB article to reset all the admincounts to 0, but that sounds scary. Can't I selectively set admincounts to 0 on a user-by-user basis somehow? Or is it safe to reset all users' admincounts to 0? I see Administrator in there, so that VBScript in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.
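Russ asked for a per-user way to reset admincount, and Robert notes that telling current protected-group members apart from former ones is the hard part. The script below is an added example, not code from the thread or from the KB articles it cites; it assumes the RSAT ActiveDirectory module, enumerates protected-group membership recursively so that only accounts no longer in any protected group are touched, and stays in -WhatIf mode unless -Commit is given.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread or from the KB articles it cites.
# Lists accounts still stamped adminCount=1, works out which of them are no longer
# members (directly or through nesting) of a protected group, and for those only
# re-enables ACL inheritance and clears adminCount. Runs as a dry run unless -Commit
# is given. The protected-group list is the documented one for Windows Server 2003
# and later; check it against your own forest (dsHeuristics can exclude the four
# operator groups), and note that Enterprise Admins and Schema Admins exist only in
# the forest root domain, so run this there as well for a complete picture.
param([switch] $Commit)
Import-Module ActiveDirectory

# Groups whose members AdminSDHolder/SDProp protects. Groups absent from this domain
# (the forest-root-only ones, or RODCs before 2008) are simply skipped.
$protectedGroupNames = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Schema Admins', 'Cert Publishers', 'Read-only Domain Controllers', 'Replicator'
)

# Set of DNs that legitimately carry adminCount=1: the built-in Administrator and
# krbtgt accounts plus every (nested) member of a protected group.
function Get-ProtectedPrincipalDns {
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($sam in 'Administrator', 'krbtgt') {
        Get-ADUser -Filter "sAMAccountName -eq '$sam'" |
            ForEach-Object { [void] $set.Add($_.DistinguishedName) }
    }
    foreach ($name in $protectedGroupNames) {
        $group = Get-ADGroup -Filter "name -eq '$name'"
        if (-not $group) { continue }
        try {
            # -Recursive flattens nested groups and returns the non-group members.
            Get-ADGroupMember -Identity $group -Recursive |
                ForEach-Object { [void] $set.Add($_.DistinguishedName) }
        } catch {
            Write-Warning "Could not enumerate $name ($_); review its members by hand before committing."
        }
    }
    return $set
}

# Stamped accounts that no longer belong to any protected group.
function Get-OrphanedAdminCountUsers {
    $protected = Get-ProtectedPrincipalDns
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Where-Object { -not $protected.Contains($_.DistinguishedName) }
}

$orphans = @(Get-OrphanedAdminCountUsers)
foreach ($u in $orphans) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # isProtected=$false turns inheritance back on; preserveInheritance=$true keeps the
    # explicit ACEs SDProp stamped rather than dropping them silently.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf:(-not $Commit)
    # The KB 817433 script writes 0; clearing the attribute also works and returns the
    # object to the state of an account that was never protected.
    Set-ADUser -Identity $u -Clear adminCount -WhatIf:(-not $Commit)
}
$orphans | Select-Object Name, DistinguishedName
```

If any of the listed accounts read adminCount=1 again about an hour later, SDProp has re-stamped them: they are still reachable from a protected group through a membership the enumeration missed, and that membership is the root cause to remove.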
RE: [ActiveDir] Security permissions on user object
In fact, yes it will, Russ. Looking back at the thread, I don't see any discussion about HOW these users came to have the admincount attribute set to 1. Do you have a root cause? The reason that I ask is because I've dealt with this before when someone (who I never caught) added a group to a Protected group. This effectively set the admincount attribute on about 200 techs, and it took a while to clean up and straighten out. If you don't know why it happened, you might be reliving this pretty soon.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Can I just use ADSIEDIT and go to individual users and set the admincount to 0? Will that stick? If that works, I could write a WinBatch that will prompt for a username, and set their admincount to 0 automatically.
RE: [ActiveDir] Security permissions on user object
Oh certainly... that would work quite well. Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer, Northeast Region
Microsoft Corporation, Global Solutions Support Center

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Can I just use ADSIEDIT and go to individual users and set the admincount to 0? Will that stick? If that works, I could write a WinBatch that will prompt for a username, and set their admincount to 0 automatically.