RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-25 Thread Darren Mar-Elia



Actually my point was less around the initial organization of AD than around changing an AD design to accommodate short-term requirements. I am all for the approach you've described below if it meets the administrative and business needs of an organization.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Wednesday, August 24, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" [EMAIL PROTECTED] said:
I'm pretty much with Darren on this one. Keeping it organized over the long term may end up being a lot of trouble especially if the environment of a fairly large size.

It's easy when not every Tom, Dick, and Harry can create computer accounts. If your org is really that large, you likely already have OU's that either follow geographic lines or hierarchical lines. Sub OU's would contain servers or workstations.
I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one 
OU. Do companies really run that way?
RM


RE: [ActiveDir] Ports during authentication/logons...

2005-08-25 Thread Rick Kingslan








I would really suspect that this is soon not going to be true - and may not be at this point (don't know - haven't asked yet).

Think of it this way - NAP (Network Access Protection) is going to have one heck of a time working if DC <-> Member isn't a supported scenario.

As to the 135 traffic on AuthN - I'd happily take a look at the trace. I'll have a few minutes tomorrow.



Rick











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...





I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's. It's supported member-member and DC-DC, but not members-DC's. At least, not if Kerberos is used. Not sure how they feel about certs. Shared keys just wouldn't be an option.



Specifically, though, they have their
backs up with 135. Do you know what's using it during a logon/GPO
process/??









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,



If you really, really want to use the
absolute minimum ports through a firewall, use IPSec tunnel mode.
However, your Network Engineers (or whoever manages your Firewalls) may not
like it. Reason? Likely the same reason that I got when I suggested
this at a previous employer:



"Well, if you put it in IPSec tunnels, then we won't be able to see or sniff it."

My question: "Why do you need to sniff or see it?"



No answer.



Rick











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...







It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to setup AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service User Login and Authentication and Computer Login and Authentication:

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to what ports are needed... include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx












[ActiveDir] OU permissions for user object

2005-08-25 Thread Frank Abagnale
Hi,

I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions.

I have also delegated the 'Create, Delete & Manage User Account' right with F/C

I only want this security group to be able to manage user accounts in this OU and modify the users details/group membership.

The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists.

If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out.

Any ideas where I can check?

Iain

Re: [ActiveDir] OU permissions for user object

2005-08-25 Thread Jose Medeiros



I may be mistaken, but it sounds to me like you need to recursively reset the permissions of the existing objects within that OU.

Jose

  - Original Message -
  From: Frank Abagnale
  To: Active
  Sent: Thursday, August 25, 2005 1:45 AM
  Subject: [ActiveDir] OU permissions for user object

  Hi,

  I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions.

  I have also delegated the 'Create, Delete & Manage User Account' right with F/C

  I only want this security group to be able to manage user accounts in this OU and modify the users details/group membership.

  The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists.

  If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out.

  Any ideas where I can check?

  Iain


Re: [ActiveDir] OU permissions for user object

2005-08-25 Thread Frank Abagnale
What I meant was, I had first tried delegating a security group with the Create/Delete User Object with Full Permissions. When this didn't work, I then removed the permissions and tried delegating the 'Create, Delete & Manage User Account' right with F/C

When I look at the Security Tab of the existing users, my security group is not listed as a member, but new accounts which I have created do which explains my issue.

How can I ensure my security group exists in the security tab of all of the user objects within the OU so they have access?

Jose Medeiros [EMAIL PROTECTED] wrote:




I may be mistaken, but it sounds to me like you need to recursively reset the permissions of the existing objects within that OU.

Jose

- Original Message - 
From: Frank Abagnale 
To: Active 
Sent: Thursday, August 25, 2005 1:45 AM
Subject: [ActiveDir] OU permissions for user object

Hi,

I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions.

I have also delegated the 'Create, Delete & Manage User Account' right with F/C


I only want this security group to be able to manage user accounts in this OU and modify the users details/group membership.

The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists. 

If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out.

Any ideas where I can check?

Iain
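
The symptom in this thread (the delegated group shows on the Security tab of newly created users but not on existing ones) is what you see when an existing object's ACL does not inherit from the OU. The following is an added example, not part of any poster's message: it reports, per user under the OU, whether inheritance is blocked and whether the delegated group's ACEs arrive by inheritance. It assumes the RSAT ActiveDirectory module; the OU DN and group name are hypothetical placeholders.

```powershell
# Added example: find user objects that do not inherit the OU's delegated ACEs.
# Assumes the RSAT ActiveDirectory module. $OuDn and $GroupName are hypothetical.
Import-Module ActiveDirectory

$OuDn      = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$GroupName = 'OU-User-Admins'               # hypothetical delegated group

# Compare by SID string so the check does not depend on name translation.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$report = Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * `
              -Properties nTSecurityDescriptor, adminCount |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor

        # Every ACE (explicit and inherited) that names the delegated group.
        $groupAces = @(
            $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq $groupSid }
        )

        [pscustomobject]@{
            User               = $_.SamAccountName
            # True when "inherit permissions from parent" is switched off on the object.
            InheritanceBlocked = $sd.AreAccessRulesProtected
            # adminCount = 1 marks accounts whose ACL is managed by AdminSDHolder;
            # those have inheritance blocked by design and should not be "fixed".
            AdminCount         = $_.adminCount
            InheritedGroupAces = @($groupAces | Where-Object { $_.IsInherited }).Count
            ExplicitGroupAces  = @($groupAces | Where-Object { -not $_.IsInherited }).Count
        }
    }

# Objects the delegation does not reach: inheritance is off, or no inherited ACE for the group.
$report |
    Where-Object { $_.InheritanceBlocked -or $_.InheritedGroupAces -eq 0 } |
    Sort-Object User |
    Format-Table -AutoSize
```

Users listed with InheritanceBlocked set and no AdminCount are the ones where re-enabling inheritance on the object lets the OU-level delegation apply.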

Re: [ActiveDir] MSSQL and AD

2005-08-25 Thread Kasper Sørensen
Is that the only way?!?

Nothing?!
DAMN! I'm screwed!

On 8/24/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Sure. But there will be no relationship between them. You would need to know how to script. You will need to script reading the names from SQL and feeding each name into AD as new user using net user, CSVDE, straight LDAP, etc.
It's all free, except for time investment.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of MeWe
Sent: Wed 8/24/2005 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSSQL and AD

Hey guys...
Is it possible to copy users from a MSSQL 2000 server to Active Desktop with FREE! microsoft tools? or other free tools!?
thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Best Regards
Kasper Sørensen
www.mewe.dk


[ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Kasper Sørensen
Well..
If i buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk
 


RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Jerry Welch



Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours.
240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts.
Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well..
If i buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk



[ActiveDir] UPN vs. SAM Account Name

2005-08-25 Thread Chuck Chopp
Knowing that it is strongly recommended that the username portion of the UPN 
and the SAM Account Name should be identical, what would be considered a 
valid reason for having them be different?  And, if they were deliberately 
being set to different values, when it comes to naming a home directory for 
the user, would you be more likely to name the home directory after the UPN 
or the SAM Account Name?


My choice would be to key on the UPN, but I'm wondering if there's any 
reason to do it a different way.


The reasoning behind the question...  I'm monitoring changes to the UPN and 
SAM Account Name attribute values on user objects for purposes of updating 
user-specific storage on a server as well as updating other information 
external to AD that is linked to the user.  Given that the user's object DN 
is irrelevant during a rename operation due to the fact that the before 
value never gets reported with the after value, all I can key on for a 
rename of a user object is the possibility that the UPN and/or the SAM 
Account Name might get changed as part of the rename.  The Display Name 
isn't suitable for use in linking to the external information, and the 
external information repository can't really be modified to link via the user 
object's GUID value, so using the UPN or SAM Account Name are really the 
most viable options.



--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.



Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Kasper Sørensen
Ohh... Hmm.. okay...

Well, THANKS!!
MIIS is very expensive.. So thanks..
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours.

240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts.

Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well..
If i buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk

--
Best Regards
Kasper Sørensen
www.mewe.dk


RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Al Mulnick



While I agree that Jerry has a good solution, I'm not sure I understand your complete requirement. Do you have a database that is the start of the identity lifecycle? Or is this a one time create?

Is this something that you need to have records of? Any reason not to script it from SQL (very few lines of code to just create a new account object; to manage that account later is much more work intensive and MIIS or other is a better fit.)

If this is a one time create, then just use some of the built in tools and SQL. If this is ongoing, then we need to hear some of the needs to put this in perspective.

Al

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
  Sent: Thursday, August 25, 2005 8:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

  Ohh... Hmm.. okay...

  Well, THANKS!!
  MIIS is very expensive.. So thanks..

  On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours.

240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts.
Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well..
If i buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk

  --
  Best Regards
  Kasper Sørensen
  www.mewe.dk



RE: [ActiveDir] OT: ISA FW Client

2005-08-25 Thread Crawford, Scott
Basically, you just need to delete the shortcut from the StartUp Start
Menu folder.  If you're deploying the client using group policy, you can
use the .MST file at www.scottes.com/MS_FWC.zip

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, August 24, 2005 5:54 PM
To: ActiveDir
Subject: [ActiveDir] OT: ISA FW Client

I need to make it so that when a user logs into a computer they do not see
the FW icon in the tray. all I have been able to come up with is this info
from isaserver.org
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=27;t=000313

I tried the method of placing the following in the All Users\Application
Data\Microsoft\Firewall Client 2004 then Common.ini
[TrayIcon]
TrayIconVisualState=1

But this does not seem to do anything I even tried restarting after this and
still no luck so then I tried it in the Management.ini and no luck there
either. So anyways I am getting frustrated and I am hoping that someone here
may have some insight to this. Also is there anyway to configure the client
so that it cannot be disabled? Is there any GPO's for this stuff?

Thanks,
Aaron Visser



RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Robert Bobel








Yes, there is an MS-SQL MA that comes with MIIS Enterprise Edition. http://www.microsoft.com/windowsserversystem/miis2003/evaluation/overview/default.mspx.
MIIS may be a little much if this is a one-time import. Configuration is about a day or two depending on your situation. If you need to have on-going sync of those accounts then MIIS would be a pretty good solution.



Bob











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?







Well..





If i buy MIIS, will it then be possible to import users that are stored
in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen

www.mewe.dk 










[ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread Steven L Dunn
Friends,

Our company is about to implement a WSUS server for patching and updates. I
am wondering if there is any way to allow for breaking the updates down into
groups (say by department) but using only a single GPO to do it?

For instance, we have our legal and executive departments using a separate
GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
@ 12:00, respectively. Our other departments are set up along similar lines,
with 5 GPO's in all active.

What I'm seeing is a general slowdown in login processing time (from sign
in to desktop appearing) due ...I'm guessing, to the GPO having to run
through and check against Group Membership or process. I'm looking for any
ideas on whether this is the only arrangement for making this happen, or
I'm missing something that might be a possibility.

Thanks in advance.

-Steve
-- 
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455




RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread deji
Good point. If it's a one-time thing, I'm thinking even 10K is a killer. And
MIIS will be like nuking a cockroach.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Thu 8/25/2005 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?


While I agree that Jerry has a good solution, I'm not sure I understand your
complete requirement.  Do you have a database that is the start of the
identity lifecycle?  Or is this a one time create? 
 
Is this something that you need to have records of?  Any reason not to script
it from SQL (very few lines of code to just create a new account object; to
manage that account later is much more work intensive and MIIS or other is a
better fit.) 
 
If this is a one time create, then just use some of the built in tools and
SQL.  If this is ongoing, then we need to hear some of the needs to put this
in perspective. 
 
Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL
2000 integration?


Ohh... Hmm.. okay...
 
Well, THANKS!!
MIIS is very expensive.. So thanks..

 
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote: 

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other
LDAP directories.  No additional SQL MetaDirectory.  Cost for what you
describe is about $10K.  You can expect to be running in a matter of hours. 
240 major companies and government agencies worldwide.  As an
example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to
Provision and Maintain 90K user accounts. 
Online, web based demo anytime you would like.
Thanks,
Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL
2000 integration?

 

Well..
If i buy MIIS, will it then be possible to import users that
are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen

www.mewe.dk




-- 
Best Regards
Kasper Sørensen

www.mewe.dk 



RE: [ActiveDir] GPO on XP & 2000 Pro

2005-08-25 Thread Crawford, Scott
Here is such a script.  Just unrem the correct strOS line that you're
working with and set strSource and strDestination to the correct values
for your environment.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 24, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.

I'd also not leave new computer objects in the computers container. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

I have over 2000 machines in my computers containers.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP & 2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



' Moves computer objects whose operatingSystem matches strOS
' from the strSource container to the strDestination OU.
Option Explicit
Dim strBase, strFilter, strAttrs, strScope
Dim oConnAD, oRSAD
Dim strOS
Dim strSource, strDestination
Dim strADDN, strADName
Dim oOU

' Unrem exactly one strOS line for the operating system being moved.
'strOS = "Windows XP Professional"
'strOS = "Windows 2000 Professional"
'strOS = "Windows 2000 Server"
strOS = "Windows Server 2003"
' Set these two to the correct values for your environment.
strSource = "LDAP://CN=Computers,DC=evangel,DC=edu"
strDestination = "LDAP://OU=W2K3Servers,DC=evangel,DC=edu"
Set oOU = GetObject(strDestination)

' ADSI LDAP dialect query: <base>;(filter);attributes;scope
strBase     = "<" & strSource & ">;"
strFilter   = "(operatingSystem=" & strOS & ");"
strAttrs    = "distinguishedName,Name;"
strScope    = "subtree"

Set oConnAD = CreateObject("ADODB.Connection")
oConnAD.Provider = "ADsDSOObject"
oConnAD.Open "Active Directory Provider"
Set oRSAD = oConnAD.Execute(strBase & strFilter & strAttrs & strScope)

' Move each matching object into the destination OU, keeping its name.
While Not oRSAD.EOF
    strADDN = oRSAD.Fields(0)
    strADName = oRSAD.Fields(1)
    oOU.MoveHere "LDAP://" & strADDN, "cn=" & strADName
    oRSAD.MoveNext
Wend

Set oOU = nothing
oRSAD.Close
Set oRSAD = nothing
oConnAD.Close
Set oConnAD = nothing
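
Darren's suggestion quoted in this message (one security group holding the XP and 2000 Pro machines, with the GPO security-filtered to that group) can be scripted as well. The following is an added example, not Scott's script or any poster's code; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the GPO and group names are hypothetical. It leaves Authenticated Users with Read (no Apply) rather than deleting the ACE, so the GPO stops applying to everyone but stays readable.

```powershell
# Added example: keep a security group in step with the operatingSystem attribute
# and security-filter a GPO to that group.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules; names are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Workstation Baseline'      # hypothetical GPO name
$GroupName = 'GPO-Apply-XP-2000Pro'      # hypothetical group, must already exist

# Server-side filter on the same attribute the VBScript above uses.
$filter = '(|(operatingSystem=Windows XP Professional)(operatingSystem=Windows 2000 Professional))'
$wanted = @(Get-ADComputer -LDAPFilter $filter |
            Select-Object -ExpandProperty DistinguishedName)

# Current computer members of the filtering group.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'computer' } |
             Select-Object -ExpandProperty distinguishedName)

# Work out the difference so reruns are idempotent and stale members are dropped
# (for example a machine rebuilt with a server OS).
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# The group gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users is reduced to Read only. -Replace is required because
# Set-GPPermission does not lower an existing, higher permission level without it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

'{0} added, {1} removed, {2} members total' -f $toAdd.Count, $toRemove.Count, $wanted.Count
```

A computer picks up a new group membership at its next restart, so the GPO starts applying to newly added machines only after they reboot.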

RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread Aaron Visser
No I do not believe this would be possible without creating more than 1 GPO,
however WSUS does allow you to break down the computers into groups but I am
pretty sure this is strictly for patch management and not release
management (i.e. picking what groups get what patches but not when they get
them)

Aaron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...


Friends,

Our company is about to implement a WSUS server for patching and updates. I
am wondering if there is any way to allow for breaking the updates down into
groups (say by department) but using only a single GPO to do it?

For instance, we have our legal and executive departments using a separate
GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
@ 12:00, respectively. Our other departments are set up along similar lines,
with 5 GPO's in all active.

What I'm seeing is a general slowdown in login processing time (from sign
in to desktop appearing) due ...I'm guessing, to the GPO having to run
through and check against Group Membership or process. I'm looking for any
ideas on whether this is the only arrangement for making this happen, or
I'm missing something that might be a possibility.

Thanks in advance.

-Steve
--
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455




RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Jerry Welch



I agree completely with Al. For a 1-time load there are a number of good tools that can get the job done.
SimpleSync is designed for synchronizing LDAP directories and ODBC data sources on an ongoing basis. I am sure there are members of this group who use it for Exchange GAL sync.
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 
GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, August 25, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

While I agree that Jerry has a good solution, I'm not sure I understand your complete requirement. Do you have a database that is the start of the identity lifecycle? Or is this a one time create?

Is this something that you need to have records of? Any reason not to script it from SQL (very few lines of code to just create a new account object; to manage that account later is much more work intensive and MIIS or other is a better fit.)

If this is a one time create, then just use some of the built in tools and SQL. If this is ongoing, then we need to hear some of the needs to put this in perspective.

Al

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
  Sent: Thursday, August 25, 2005 8:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

  Ohh... Hmm.. okay...

  Well, THANKS!!
  MIIS is very expensive.. So thanks..

  On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours.

240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts.
Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well..
If i buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk

  --
  Best Regards
  Kasper Sørensen
  www.mewe.dk



RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread deji
Correct. WSUS has internal logic that staggers the deployment/install such
that the clients are not pulling all at the same time. My experience has been
that this staggering is sufficient, and, depending on the number of clients
and sites you have, one server can accommodate and service the requests
without the manual intervention you are doing right now.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Thu 8/25/2005 7:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...



No I do not believe this would be possible without creating more than 1 GPO,
however WSUS does allow you to break down the computers into groups but I am
pretty sure this is strictly for patch management and not release
management (i.e. picking what groups get what patches but not when they get
them)

Aaron

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...


Friends,

Our company is about to implement a WSUS server for patching and updates. I
am wondering if there is any way to allow for breaking the updates down into
groups (say by department) but using only a single GPO to do it?

For instance, we have our legal and executive departments using a separate
GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
@ 12:00, respectively. Our other departments are set up along similar lines,
with 5 GPO's in all active.

What I'm seeing is a general slowdown in login processing time (from sign
in to desktop appearing) due ...I'm guessing, to the GPO having to run
through and check against Group Membership or process. I'm looking for any
ideas on whether this is the only arrangement for making this happen, or
I'm missing something that might be a possibility.

Thanks in advance.

-Steve
--
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Move Computer Permissions

2005-08-25 Thread joe
http://blog.joeware.net/2005/07/17/48/
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, August 25, 2005 1:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Move Computer Permissions

Moving a computer requires the following two steps:

Delete the object from the source OU
Create the object in the destination OU

There is no such thing as a move right.

So, given you grant the create right for computer objects in the destination
OU to this group, and the delete right for computer objects in the source
OU.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mills, Wallace
Sent: Thursday, August 25, 2005 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move Computer Permissions

Would appreciate some directions/assistance in resolving this problem.
We have a couple of users to whom we wish to give permissions to allow them
to create and delete computer accounts and also able to move said computers
between OUs in the AD. Currently we have a security group set up with the
permissions set to Special Permissions and clicking on Advanced Security
Settings set the create/delete computers plus given them create/delete child
objects.
This has still not allowed them to move computers, they can create/delete
computers but not move.
Has anyone any suggestions as to what to try next?
Thanks in advance.

Wallace 



Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Kasper Sørensen
Hm, It's not a One time..
There are some users in the SQL database..
And they have to be up to date with the users in the Active Directory..

We have some girls in the reception, and they are updating, creating users, by internet interface... And those users have to be in the active directory, without changing in the ASP pages..
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

I agree completely with Al. For a 1-time load there are a number of good tools that can get the job done.
SimpleSync is designed for synchronizing LDAP directories and ODBC data sources on an ongoing basis. I am sure there are members of this group who use it for Exchange GAL sync.

Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, August 25, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?


While I agree that Jerry has a good solution, I'm not sure I understand your complete requirement. Do you have a database that is the start of the identity lifecycle? Or is this a one time create? 


Is this something that you need to have records of? Any reason not to script it from SQL (very few lines of code to just create a new account object; to manage that account later is much more work intensive and MIIS or other is a better fit.) 


If this is a one time create, then just use some of the built in tools and SQL. If this is ongoing, then we need to hear some of the needs to put this in perspective. 


Al


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?
Ohh... Hmm.. okay...

Well, THANKS!!
MIIS is very expensive.. So thanks..
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours. 

240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts. 

Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?


Well..
If I buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen
www.mewe.dk
-- 
Best Regards
Kasper Sørensen
www.mewe.dk
-- 
Best Regards
Kasper Sørensen
www.mewe.dk 


RE: [ActiveDir] UPN vs. SAM Account Name

2005-08-25 Thread joe

> what would be considered a valid reason for having them be different?

The fact that they are different is a valid reason. Someone decided they
wanted them to be different. Making them the same is more of a convenience
and to reduce confusion. By default, no UPN is set when creating a user
object. Some tools will force the population of the attribute. If it isn't
specifically populated, it is still available though. 

Also note that with K3 AD, you do not have to specify the sAMAccountName and
AD will autogenerate one. At that point, you better have a different easier
to recall UPN because the sAMAccountName isn't something you will want to
type in all the time.

Why can't the external repository link via the GUID? It doesn't store binary
or can't convert to the GUID binary format when looking back? If that is the
case, add a custom attribute and populate it with the text form of the GUID
and link on that. 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Thursday, August 25, 2005 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UPN vs. SAM Account Name

Knowing that it is strongly recommended that the username portion of the UPN
and the SAM Account Name should be identical, what would be considered a
valid reason for having them be different?  And, if they were deliberately
being set to different values, when it comes to naming a home directory for
the user, would you be more likely to name the home directory after the UPN
or the SAM Account Name?

My choice would be to key on the UPN, but I'm wondering if there's any
reason to do it a different way.

The reasoning behind the question...  I'm monitoring changes to the UPN and
SAM Account Name attribute values on user objects for purposes of updating
user-specific storage on a server as well as updating other information
external to AD that is linked to the user.  Given that the user's object DN
is irrelevant during a rename operation due to the fact that the before
value never gets reported with the after value, all I can key on for a
rename of a user object is the possibility that the UPN and/or the SAM
Account Name might get changed as part of the rename.  The Display Name
isn't suitable for use in linking to the external information, and the
external information repository can't really be modified to link via the user
object's GUID value, so using the UPN or SAM Account Name are really the
most viable options.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

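joe's suggestion in the message above (store the text form of the GUID in the external repository and link on that), sketched as an added Python example that is not code from the thread. The GUID bytes, account names and the `sync_snapshot` helper are constructed for illustration, and the code assumes `objectGUID` arrives as the 16-byte value an LDAP client receives, whose first three fields are little-endian.

```python
"""Link an external repository to AD users by the text form of objectGUID.

Added illustration: the GUID, names and helpers below are constructed.
"""
import uuid

# Constructed sample: a 16-byte objectGUID value as read over LDAP.
SAMPLE_GUID_RAW = bytes.fromhex("e004253f894fd3119a0c0305e82c3301")


def guid_bytes_to_text(raw: bytes) -> str:
    """Convert the binary objectGUID to its canonical text form.

    The first three GUID fields are stored little-endian, so a plain hex
    dump of the bytes does not match the GUID that directory tools show.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_text_to_bytes(text: str) -> bytes:
    """Convert the text form (surrounding braces allowed) back to binary."""
    return uuid.UUID(text.strip()).bytes_le


def guid_ldap_filter(text: str) -> str:
    """Build an LDAP search filter that finds the object by its GUID.

    Binary values in a filter are written as backslash-escaped hex pairs.
    """
    escaped = "".join("\\%02x" % b for b in guid_text_to_bytes(text))
    return "(objectGUID=%s)" % escaped


def sync_snapshot(repo: dict, entries: list) -> list:
    """Bring the external repository in line with a directory snapshot.

    repo maps GUID text -> {"sam": ..., "upn": ...}. Each entry is a dict
    with objectGUID (bytes), sAMAccountName and, optionally,
    userPrincipalName (the thread notes a UPN may not be set at all).
    Returns (guid, field, old, new) tuples so the caller can rename home
    directories or other per-user storage keyed on those names.
    """
    changes = []
    for entry in entries:
        key = guid_bytes_to_text(entry["objectGUID"])
        current = {
            "sam": entry["sAMAccountName"],
            "upn": entry.get("userPrincipalName"),
        }
        known = repo.get(key)
        if known is None:
            changes.append((key, "created", None, current["sam"]))
        else:
            for field in ("sam", "upn"):
                if known[field] != current[field]:
                    changes.append((key, field, known[field], current[field]))
        repo[key] = current
    return changes


def demo():
    """Run two constructed snapshots: initial load, then a rename."""
    repo = {}
    before = [{"objectGUID": SAMPLE_GUID_RAW, "sAMAccountName": "jsmith"}]
    after = [{
        "objectGUID": SAMPLE_GUID_RAW,
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jane.doe@example.com",
    }]
    first = sync_snapshot(repo, before)
    second = sync_snapshot(repo, after)
    return first, second, repo


if __name__ == "__main__":
    first, second, repo = demo()
    print(guid_ldap_filter(guid_bytes_to_text(SAMPLE_GUID_RAW)))
    for change in first + second:
        print(change)
```

Because the key never changes when the account is renamed, the second snapshot updates the existing record instead of creating a second one under the new name.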


RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread Rick Kingslan
It's not likely due to GPO processing. GPOs themselves are typically very
quick to process, unless there is either Software Install that is taking
place through the GPO or complex WMI filtering that would slow it down.
Otherwise, GPO is very fast.

I've done testing with 1 GPO and with 50 GPOs...  Appreciable difference in
log on time?  Less than 1 second.

It's something else other than GPO.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...

Friends,

Our company is about to implement a WSUS server for patching and updates. I
am wondering if there is any way to allow for breaking the updates down into
groups (say by department) but using only a single GPO to do it?

For instance, we have our legal and executive departments using a separate
GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
@ 12:00, respectively. Our other departments are set up along similar lines,
with 5 GPO's in all active.

What I'm seeing is a general slowdown in login processing time (from sign
in to desktop appearing) due ...I'm guessing, to the GPO having to run
through and check against Group Membership or process. I'm looking for any
ideas on whether this is the only arrangement for making this happen, or
I'm missing something that might be a possibility.

Thanks in advance.

-Steve
-- 
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455




RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Rick Kingslan
And, given that Science has proven cockroaches will survive a nuclear war,
it's even a worse choice than originally thought

:o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 25, 2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?

Good point. If it's a one-time thing, I'm thinking even 10K is a killer. And
MIIS will be like nuking a cockroach.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Thu 8/25/2005 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?


While I agree that Jerry has a good solution, I'm not sure I understand your
complete requirement.  Do you have a database that is the start of the
identity lifecycle?  Or is this a one time create? 
 
Is this something that you need to have records of?  Any reason not to script
it from SQL (very few lines of code to just create a new account object; to
manage that account later is much more work intensive and MIIS or other is a
better fit.) 
 
If this is a one time create, then just use some of the built in tools and
SQL.  If this is ongoing, then we need to hear some of the needs to put this
in perspective. 
 
Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL
2000 integration?


Ohh... Hmm.. okay...
 
Well, THANKS!!
MIIS is very expensive.. So thanks..

 
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote: 

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD or other
LDAP directories.  No additional SQL MetaDirectory.  Cost for what you
describe is about $10K.  You can expect to be running in a matter of hours. 
240 major companies and government agencies worldwide.  As an
example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to
Provision and Maintain 90K user accounts. 
Online, web based demo anytime you would like.
Thanks,
Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

 

Well..
If i buy MIIS, will it then be possible to import users that
are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen

www.mewe.dk




-- 
Best Regards
Kasper Sørensen

www.mewe.dk 



RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread deji
So, the ASP pages feed the SQL. If so, then in your case, I'd just extend the
ASP pages to feed AD at the same time. You already have a mechanism in place,
you just need to extend it.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kasper Sørensen
Sent: Thu 8/25/2005 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?


Hm, It's not a One time..
There are some users in the SQL database..
And they have to be up to date with the users in the Active Directory..
 
We have some girls in the reception, and they are updating, creating users, by
internet interface... And those users have to be in the active directory,
without changing in the ASP pages..

 
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote: 

I agree completely with Al.  For a 1-time load there are a
number of good tools that can get the job done.
SimpleSync is designed for synchronizing LDAP directories and ODBC
data sources on an ongoing basis.  I am sure there are members of this group
who use it for Exchange GAL sync. 

Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, August 25, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

 

While I agree that Jerry has a good solution, I'm not sure I
understand your complete requirement.  Do you have a database that is the
start of the identity lifecycle?  Or is this a one time create? 
 
Is this something that you need to have records of?  Any reason not
to script it from SQL (very few lines of code to just create a new account
object; to manage that account later is much more work intensive and MIIS or
other is a better fit.) 
 
If this is a one time create, then just use some of the built in
tools and SQL.  If this is ongoing, then we need to hear some of the needs to
put this in perspective. 
 
Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and
MSSQL 2000 integration?


Ohh... Hmm.. okay...
 
Well, THANKS!!
MIIS is very expensive.. So thanks..

 
On 8/25/05, Jerry Welch [EMAIL PROTECTED]  wrote: 

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD
or other LDAP directories.  No additional SQL MetaDirectory.  Cost for what
you describe is about $10K.  You can expect to be running in a matter of
hours. 
240 major companies and government agencies
worldwide.  As an example, Northrop Grumman uses SimpleSync between
PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts. 
Online, web based demo anytime you would like.
Thanks,
Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

 

Well..
If i buy MIIS, will it then be possible to import
users that are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 

Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Kasper Sørensen
Well, as I said..
I don't have the permission to change the ASP pages..
And was told they are not to touch..
THAT'S my problem.. Because, it was my first idea
On 8/25/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

So, the ASP pages feed the SQL. If so, then in your case, I'd just extend the
ASP pages to feed AD at the same time. You already have a mechanism in place,
you just need to extend it.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Kasper Sørensen
Sent: Thu 8/25/2005 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Hm, It's not a One time..
There are some users in the SQL database..
And they have to be up to date with the users in the Active Directory..

We have some girls in the reception, and they are updating, creating users, by
internet interface... And those users have to be in the active directory,
without changing in the ASP pages..

On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

I agree completely with Al. For a 1-time load there are a
number of good tools that can get the job done.
SimpleSync is designed for synchronizing LDAP directories and ODBC
data sources on an ongoing basis. I am sure there are members of this group
who use it for Exchange GAL sync.

Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, August 25, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

While I agree that Jerry has a good solution, I'm not sure I
understand your complete requirement. Do you have a database that is the
start of the identity lifecycle? Or is this a one time create?

Is this something that you need to have records of? Any reason not
to script it from SQL (very few lines of code to just create a new account
object; to manage that account later is much more work intensive and MIIS or
other is a better fit.)

If this is a one time create, then just use some of the built in
tools and SQL. If this is ongoing, then we need to hear some of the needs to
put this in perspective.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Ohh... Hmm.. okay...

Well, THANKS!!
MIIS is very expensive.. So thanks..

On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -
Or you can buy SimpleSync from CPS Systems ( www.cps-systems.com )
Provides synchronization between any ODBC DB and AD
or other LDAP directories. No additional SQL MetaDirectory. Cost for what
you describe is about $10K. You can expect to be running in a matter of
hours.
240 major companies and government agencies
worldwide. As an example, Northrop Grumman uses SimpleSync between
PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts.
Online, web based demo anytime you would like.
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well..
If I buy MIIS, will it then be possible to import
users that are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen
www.mewe.dk
-- 
Best Regards
Kasper Sørensen
www.mewe.dk
-- 
Best Regards
Kasper Sørensen
www.mewe.dk

-- 
Best Regards
Kasper Sørensen
www.mewe.dk 


Re: [ActiveDir] UPN vs. SAM Account Name

2005-08-25 Thread Chuck Chopp

joe wrote:

>> what would be considered a valid reason for having them be different?
>
> The fact that they are different is a valid reason. Someone decided they
> wanted them to be different. Making them the same is more of a convenience
> and to reduce confusion. By default, no UPN is set when creating a user
> object. Some tools will force the population of the attribute. If it isn't
> specifically populated, it is still available though.
>
> Also note that with K3 AD, you do not have to specify the sAMAccountName and
> AD will autogenerate one. At that point, you better have a different easier
> to recall UPN because the sAMAccountName isn't something you will want to
> type in all the time.

Interesting.  I need to do some more testing with the AD tree at various 
functional levels.  Right now, if I logon to my test 2K3 DC [only DC for the 
test tree, set to Win2K native mode], regardless of whether I use the SAM 
account name or the UPN, all of the down-level API functions report my 
username as being the SAM account name, which is as expected.  The USERNAME 
environment variable is also set to the SAM account name.  I'll test with it 
set to 2K3 Native mode and see how the SAM account name is used and whether 
it or the base portion of the UPN gets returned by any of the down-level API 
functions.

It's somewhat annoying to have multiple account naming attributes that can 
be used in terms of how the user identifies themselves at logon time.  If a 
UPN isn't mandatory and uniqueness of UPN values is not enforced by AD 
itself, and the SAM account name attribute is only forced to be unique 
within a domain, it makes it difficult to figure out which one of these 
naming attributes' values should be used when linking to an external system.

> Why can't the external repository link via the GUID? It doesn't store binary
> or can't convert to the GUID binary format when looking back? If that is the
> case, add a custom attribute and populate it with the text form of the GUID
> and link on that.


Using the GUID may not be an option.  This isn't a restriction that I've 
imposed, it's a restriction on the external system itself.  It pre-dates the 
use of a GUID to uniquely identify a user account and may not be customizable.



--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.


RE: [ActiveDir] UPN vs. SAM Account Name

2005-08-25 Thread Al Mulnick
Flexibility often is annoying.  However, the concept is not new, and is useful 
for several scenarios that require one set of credentials vs. the other. 
 
Like I mentioned earlier, your logon credentials will be reported a certain way 
depending on the app.  If the app needs samaccountname, then that's what you'll 
have to give it else re-write the app.  Even in NT 3-4x I could rename the 
samaccountname; that's not new.  What is new is a way to uniquely identify 
identities across multiple federated security domains unlike in NT4 where you 
had to ensure that via your naming standards etc. 
 
Most of the workstation variables will pull the downlevel version of the logon 
credentials and rightfully so as they have no idea if they're in a mixed or 
other type of domain. 
 
Are there any other options for the app?
 



From: [EMAIL PROTECTED] on behalf of Chuck Chopp
Sent: Thu 8/25/2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UPN vs. SAM Account Name



joe wrote:

>> what would be considered a valid reason for having them be different?
>
> The fact that they are different is a valid reason. Someone decided they
> wanted them to be different. Making them the same is more of a convenience
> and to reduce confusion. By default, no UPN is set when creating a user
> object. Some tools will force the population of the attribute. If it isn't
> specifically populated, it is still available though.
>
> Also note that with K3 AD, you do not have to specify the sAMAccountName and
> AD will autogenerate one. At that point, you better have a different easier
> to recall UPN because the sAMAccountName isn't something you will want to
> type in all the time.

Interesting.  I need to do some more testing with the AD tree at various
functional levels.  Right now, if I logon to my test 2K3 DC [only DC for the
test tree, set to Win2K native mode], regardless of whether I use the SAM
account name or the UPN, all of the down-level API functions report my
username as being the SAM account name, which is as expected.  The USERNAME
environment variable is also set to the SAM account name.  I'll test with it
set to 2K3 Native mode and see how the SAM account name is used and whether
it or the base portion of the UPN gets returned by any of the down-level API
functions.

It's somewhat annoying to have multiple account naming attributes that can
be used in terms of how the user identifies themselves at logon time.  If a
UPN isn't mandatory and uniqueness of UPN values is not enforced by AD
itself, and the SAM account name attribute is only forced to be unique
within a domain, it makes it difficult to figure out which one of these
naming attributes' values should be used when linking to an external system.

> Why can't the external repository link via the GUID? It doesn't store binary
> or can't convert to the GUID binary format when looking back? If that is the
> case, add a custom attribute and populate it with the text form of the GUID
> and link on that.

Using the GUID may not be an option.  This isn't a restriction that I've
imposed, it's a restriction on the external system itself.  It pre-dates the
use of a GUID to uniquely identify a user account and may not be customizable.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
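
The text-form GUID link suggested in the message quoted above, as an added example that is not code from anyone in this thread. The sample objectGUID bytes are constructed and the function names are hypothetical. It shows why the GUID's string form and a plain hex dump of the stored bytes are not interchangeable as link keys.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
# Constructed sample: an objectGUID exactly as an LDAP read returns it
# (16 raw bytes). It does not belong to any real account.
[byte[]]$SampleObjectGuid = 0x9A,0x3F,0x1C,0x5E,0x7B,0x22,0x4D,0x41,
                            0x8E,0x10,0xA1,0xB2,0xC3,0xD4,0xE5,0xF6

function ConvertTo-GuidLinkKey {
    # objectGUID bytes -> 32 hex characters (GUID string form without
    # braces or dashes), suitable for a text column or custom attribute.
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    if ($Bytes.Length -ne 16) {
        throw "objectGUID must be 16 bytes, got $($Bytes.Length)"
    }
    # System.Guid reads the first three fields as little-endian, so the
    # text form is NOT the same as a straight hex dump of the bytes.
    $guid = New-Object -TypeName System.Guid -ArgumentList (,$Bytes)
    return $guid.ToString('N').ToUpperInvariant()
}

function ConvertFrom-GuidLinkKey {
    # Link key -> the raw bytes as stored in objectGUID.
    param([Parameter(Mandatory = $true)][string]$Key)
    if ($Key -notmatch '^[0-9A-Fa-f]{32}$') {
        throw "Not a 32-digit hex GUID key: $Key"
    }
    return ,([guid]::ParseExact($Key, 'N').ToByteArray())
}

function ConvertTo-LdapGuidFilter {
    # Raw bytes -> LDAP search filter. Each byte is escaped as \xx in
    # stored order, which is what a directory search on objectGUID expects.
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    $escaped = ($Bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(objectGUID=$escaped)"
}

$key      = ConvertTo-GuidLinkKey -Bytes $SampleObjectGuid
$rawHex   = [BitConverter]::ToString($SampleObjectGuid) -replace '-', ''
$restored = ConvertFrom-GuidLinkKey -Key $key
$same     = [BitConverter]::ToString($restored) -eq
            [BitConverter]::ToString($SampleObjectGuid)

"Link key (GUID text form): $key"
"Raw bytes as hex         : $rawHex"
"Round trip matches       : $same"
"Filter to find the user  : " + (ConvertTo-LdapGuidFilter -Bytes $restored)
```

Whichever of the two hex forms the external system stores, every writer and reader has to use the same one, because a key written in one form never matches a lookup made in the other.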



RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Al Mulnick
Does your SQL table know when the information has been updated? 
 
If not, then SimpleSync or MIIS are a good idea to investigate further. If it 
does, you could use that and have it trigger updates.  Or you could have timed 
procedures that wake up, check for changes, and then commit the changes.  Still 
fairly simple solution and can be done by yourself.  SimpleSync starts to get 
more attractive if you have to write code and definitely as you begin to want 
to sync multiple identity stores. 
 
This is still one to one from what I hear, so you have options available that 
range in price and complexity. 



From: [EMAIL PROTECTED] on behalf of Kasper Sørensen
Sent: Thu 8/25/2005 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 
integration?


Well, as I said..
I don't have the permission to change the ASP pages..
And was told they are not to touch..
THAT'S my problem.. Because, it was my first idea

 
On 8/25/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

So, the ASP pages feed the SQL. If so, then in your case, I'd just extend the
ASP pages to feed AD at the same time. You already have a mechanism in place,
you just need to extend it.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kasper Sørensen
Sent: Thu 8/25/2005 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 
integration?


Hm, It's not a One time..
There are some users in the SQL database..
And they have to be up to date with the users in the Active Directory..

We have some girls in the reception, and they are updating, creating users, by
internet interface... And those users have to be in the active directory,
without changing in the ASP pages..


On 8/25/05, Jerry Welch [EMAIL PROTECTED]  wrote:

   I agree completely with Al.  For a 1-time load there are a number of
   good tools that can get the job done.
   SimpleSync is designed for synchronizing LDAP directories and ODBC data
   sources on an ongoing basis.  I am sure there are members of this group
   who use it for Exchange GAL sync.

   Jerry

   Jerry Welch
   CPS Systems
   US/Canada: 888-666-0277
   International: +1 703 827 0919 (-4 GMT)
   IP Phone (Skype):  Jerry_Welch  ( www.skype.net
http://www.skype.net/  )




   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
   Sent: Thursday, August 25, 2005 9:57 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?



   While I agree that Jerry has a good solution, I'm not sure I understand
   your complete requirement.  Do you have a database that is the start of
   the identity lifecycle?  Or is this a one time create?

   Is this something that you need to have records of?  Any reason not to
   script it from SQL (very few lines of code to just create a new account
   object; to manage that account later is much more work intensive and
   MIIS or other is a better fit.)

   If this is a one time create, then just use some of the built in tools
   and SQL.  If this is ongoing, then we need to hear some of the needs to
   put this in perspective.

   Al

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
   Sent: Thursday, August 25, 2005 8:29 AM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?


   Ohh... Hmm.. okay...

   Well, THANKS!! 
   MIIS is very expensive.. So thanks..


   On 8/25/05, Jerry Welch [EMAIL PROTECTED]  wrote:

   Kasper - 
   Or you can buy SimpleSync from CPS 

[ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread David Cliffe



Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks). I've seen the following behavior
with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix] Why this change in
documentation?

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP)
and SP4 (2000) machines. Was expecting to see it under the "Internet
Explorer 6" subheading of the SRVINFO output for these O/S.

(3) I find that MBSA v.2 neither identifies it as installed nor identifies
it as missing on SP1/2 (XP) and SP4 (2000) machines.

Can anyone else corroborate these findings? I'm told by our TAM that nobody
else has reported this yet.

Thanks!

-DaveC
Reuters IST Service Delivery

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




[ActiveDir] System Log

2005-08-25 Thread Za Vue
Help!

I have a stand-alone W2K3 file server that the logs, mainly system log,
keep on corrupting. Eventually after a few days the rest of the logs would
corrupt also. I have done:

1) Disabled event log service, reboot
2) delete the existing *.evt files
3) Enable event log service, reboot
4) logs work fine for a while then it corrupts again!

The weird thing is that even if the logs are corrupted on the server itself,
they look okay viewing remotely.

-Z.V.



RE: [ActiveDir] System Log

2005-08-25 Thread Thommes, Michael M.
If you have a 64 bit system, this may be of interest:
http://support.microsoft.com/?kbid=899416

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 25, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] System Log

Help!

I have a stand-alone W2K3 file server that the logs, mainly system log,
keep on corrupting. Eventually after a few days the rest of the logs
would corrupt also. I have done:

1) Disabled event log service, reboot
2) delete the existing *.evt files
3) Enable event log service, reboot
4) logs work fine for a while then it corrupts again!

The weird thing is that even if the logs are corrupted on the server
itself, they look okay viewing remotely.

-Z.V.



Re: [ActiveDir] System Log

2005-08-25 Thread John Singler
i've seen this on some w2k3 sp1 systems and the solution, as strange as 
it sounds, was to change the NIC to Full Duplex...


see this thread for details:

http://groups.google.com/group/microsoft.public.windows.server.setup/browse_frm/thread/55177b4dd5f3f3db/193f15e5fed7d545?lnk=stq=corrupt+event+log+half+duplexrnum=4hl=en#193f15e5fed7d545

or: http://tinyurl.com/ap5s6

don't think there is a HF yet.

john


Za Vue wrote:

Help!

I have a stand-alone W2K3 file server that the logs, mainly system log,
keep on corrupting. Eventually after a few days the rest of the logs would
corrupt also. I have done:

1) Disabled event log service, reboot
2) delete the existing *.evt files
3) Enable event log service, reboot
4) logs work fine for a while then it corrupts again!

The weird thing is that even if the logs are corrupted on the server itself,
they look okay viewing remotely.

-Z.V.



RE: [ActiveDir] System Log

2005-08-25 Thread Za Vue
This forum is awesome! I think that may have done it.

Z.V. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, August 25, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] System Log

i've seen this on some w2k3 sp1 systems and the solution, as strange as it
sounds, was to change the NIC to Full Duplex...

see this thread for details:

http://groups.google.com/group/microsoft.public.windows.server.setup/browse_frm/thread/55177b4dd5f3f3db/193f15e5fed7d545?lnk=stq=corrupt+event+log+half+duplexrnum=4hl=en#193f15e5fed7d545

or: http://tinyurl.com/ap5s6

don't think there is a HF yet.

john


Za Vue wrote:
 Help!
 
 I have a stand-alone W2K3 file server that the logs, mainly system 
 log, keep on corrupting. Eventually after a few days the rest of the 
 logs would corrupt also. I have done:
 
 1) Disabled event log service, reboot
 2) delete the existing *.evt files
 3) Enable event log service, reboot
 4) logs work fine for a while then it corrupts again!
 
 The weird thing is that even if the logs are corrupted on the server 
 itself, they look okay viewing remotely.
 
 -Z.V.
 


RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread deji
Probably because the patch is not really installing anything new for IE. It
is just setting a killbit, setting the compatibility mode to 1024 so IE
doesn't call that component any longer.
 
Just a SWAG. But that would explain why you don't see anything under
installed components (I haven't checked).
 
BTW, srvinfo reports 903235 under Windows Server 2003 here - I don't have
an XP handy. I'm guessing it's not under IE because it's not technically an
IE fix.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of David Cliffe
Sent: Thu 8/25/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)


Hi -
 
I've posted this elsewhere, but thought maybe not a bad idea to run it
past this list for those that don't mind (thanks).  I've seen the following
behavior with regard to this hotfix 903235:
 
(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

  In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

  [note: GUID above is specific to this hotfix]  Why this change in
documentation?

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP)
and SP4 (2000) machines.  Was expecting to see it under the Internet
Explorer 6 subheading of the SRVINFO output for these O/S.

(3) I find that MBSA v.2  neither identifies it as installed nor identifies
it as missing on SP1/2 (XP) and SP4 (2000) machines.

  Can anyone else corroborate these findings?  I'm told by our TAM that
nobody else has reported this yet.

Thanks!
 
-DaveC
Reuters IST Service Delivery


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
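
A local check of both registry locations named in this thread, as an added example that is not from the bulletin or from anyone on the list. The two subkey paths are copied from the messages above. The value name `Compatibility Flags` and the per-view (64-bit and 32-bit) lookup are not stated in the thread: they are the standard ActiveX kill-bit conventions, and the function name is hypothetical.

```powershell
# Added example, not from the thread or the bulletin. Run locally on the
# machine being checked; RegistryView needs .NET 4 or later.
$KillBit = 0x400   # 1024 decimal, the value mentioned in the reply above

# Subkeys of HKEY_LOCAL_MACHINE, copied from the messages in this thread.
$CompatSubKey    = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}'
$InstalledSubKey = 'SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}'

function Get-Hotfix903235State {
    # One result row per registry view. On a 32-bit OS both views resolve
    # to the same keys, so the two rows are identical.
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)

    foreach ($view in $views) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            # Location 1: the ActiveX Compatibility key for the control.
            $flags  = $null
            $compat = $hklm.OpenSubKey($CompatSubKey)
            if ($null -ne $compat) {
                $flags = $compat.GetValue('Compatibility Flags')
                $compat.Close()
            }

            # Location 2: the Active Setup "Installed Components" key.
            $installed = $hklm.OpenSubKey($InstalledSubKey)
            if ($null -ne $installed) { $installed.Close() }

            # The key can exist without the kill bit, so test the bit
            # itself rather than the key's presence alone.
            $bitSet = ($flags -is [int]) -and
                      (($flags -band $KillBit) -eq $KillBit)

            [pscustomobject]@{
                RegistryView        = $view
                CompatKeyPresent    = ($null -ne $compat)
                CompatibilityFlags  = if ($flags -is [int]) { '0x{0:X}' -f $flags } else { $flags }
                KillBitSet          = $bitSet
                InstalledComponents = ($null -ne $installed)
            }
        }
        finally {
            $hklm.Close()
        }
    }
}

Get-Hotfix903235State | Format-Table -AutoSize
```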


RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread Rick Kingslan








Inline.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks). I've seen the following behavior
with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix] Why this change in
documentation?

[RTK] Not a change in documentation. The hotfix sets bits in the running of
the actual component, so the compatibility flags are manipulated, rather than
new moving parts. I acknowledge that the location changes, but this is due to
how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP) and
SP4 (2000) machines. Was expecting to see it under the Internet Explorer 6
subheading of the SRVINFO output for these O/S.

[RTK] Can't confirm or deny this one.. Don't have SRVINFO currently on
anything

(3) I find that MBSA v.2 neither identifies it as installed nor identifies it
as missing on SP1/2 (XP) and SP4 (2000) machines.

Can anyone else corroborate these findings? I'm told by our TAM that nobody
else has reported this yet.

[RTK] MBSA on my systems detects that it is either installed or not installed.

Thanks!

-DaveC
Reuters IST Service Delivery











RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread David Cliffe



Thanks Rick/Deji.

Interesting that your MBSA v2 is reporting on it OK. Maybe I am the only
one :-o

I have worked around issues (2) and (3) [below] for now, and will take a
moment to offer my opinion on (1).

Here we have a hotfix/bulletin that has been given a critical rating, as have
many other hotfixes before and after it. From a customer's viewpoint, I would
like some consistency in the manner in which these hotfixes are reported as
being installed. This has gotten better by the way, but I don't find 903235
to be a good example.

During the time when I am reporting on installed instances, the technical
details about each hotfix (what it does/how it does it) are not important to
me. I want to verify it's been installed and I want to rely on a consistent
method to do so.

In this particular case, if there are OS/SP specific reasons why one reg key
has to be used in favor of another, then so be it, but then I suggest there
may be an error in the documented bulletin, where at least the XP SP2 section
should direct us to the "Installed Components" subkey, rather than the
"ActiveX Compatibility" subkey.

-DaveC
Reuters IST Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 25, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Inline.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks). I've seen the following behavior
with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix] Why this change in
documentation?

[RTK] Not a change in documentation. The hotfix sets bits in the running of
the actual component, so the compatibility flags are manipulated, rather than
new moving parts. I acknowledge that the location changes, but this is due to
how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP) and
SP4 (2000) machines. Was expecting to see it under the "Internet Explorer 6"
subheading of the SRVINFO output for these O/S.

[RTK] Can't confirm or deny this one.. Don't have SRVINFO currently on
anything

(3) I find that MBSA v.2 neither identifies it as installed nor identifies it
as missing on SP1/2 (XP) and SP4 (2000) machines. Can anyone else corroborate
these findings? I'm told by our TAM that nobody else has reported this yet.

[RTK] MBSA on my systems detects that it is either installed or not installed.

Thanks!

-DaveC
Reuters IST Service Delivery




RE: [ActiveDir] GPO on XP 2000 Pro

2005-08-25 Thread Robert Bobel
Most of what I've seen is that they first organize by Geo then by
organizationally (or the other way round) then further divide the objects by
roles like Mobile users, Desktops, service accounts, de-provisioned users etc.

I can't imagine organizing by attribute data like OS. I would think that a
system upgrade could potentially cause GPOs to break and you'd constantly be
filtering ADUC on OS to figure out if you need to move stuff. I suppose
scripting it could help

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Thursday, August 25, 2005 12:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP 2000 Pro

On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" [EMAIL PROTECTED] said:

 I'm pretty much with Darren on this one. Keeping it organized over the
 long term may end up being a lot of trouble especially if the
 environment of a fairly large size.

It's easy when not every Tom, Dick, and Harry can create computer accounts.
If your org is really that large, you likely already have OU's that either
follow geographic lines or hierarchical lines. Sub OU's would contain servers
or workstations.

I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one
OU. Do companies really run that way?

RM








Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Kasper Sørensen
Hm... Ya, after reading all the answers..
I have surrendered.. And will talk to the Moneymaker The person who has all the money.. 

Hehe.. It sounds like the software I need...


Re: [ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread Phil Renouf
I believe that looking at the userenv.log file may help you determine
why your client logons are taking longer. It is a great file for
troubleshooting client logon issues. The location on my machine is
c:\windows\debug\usermode

Phil

On 8/25/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 It's not likely due to GPO processing. GPOs themselves are typically very
 quick to process, unless there is either Software Install that is taking
 place through the GPO or complex WMI filtering that would slow it down.
 Otherwise, GPO is very fast.
 
 I've done testing with 1 GPO and with 50 GPOs...  Appreciable difference in
 log on time?  Less than 1 second.
 
 It's something else other than GPO.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steven L Dunn
 Sent: Thursday, August 25, 2005 9:27 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...
 
 Friends,
 
 Our company is about to implement a WSUS server for patching and updates. I
 am wondering if there is any way to allow for breaking the updates down into
 groups (say by department) but using only a single GPO to do it?
 
 For instance, we have our legal and executive departments using a separate
 GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
 @ 12:00, respectively. Our other departments are set up along similar lines,
 with 5 GPO's in all active.
 
 What I'm seeing is a general slowdown in login processing time (from sign
 in to desktop appearing) due ...I'm guessing, to the GPO having to run
 through and check against Group Membership or process. I'm looking for any
 ideas on whether this is the only arrangement for making this happen, or
 I'm missing something that might be a possibility.
 
 Thanks in advance.
 
 -Steve
 --
 Steven L. Dunn
 Director of Information Technology
 Illinois State Bar Association
 [EMAIL PROTECTED] | 217-747-1455
 
 


RE: [ActiveDir] UPN vs. SAM Account Name

2005-08-25 Thread Sakari Kouti
Hi Chuck,

Some comments.

I would not think the SAM account name and UPN as downlevel and new world, 
but rather a short logon name and a long logon name, even though the former one 
is called pre-Windows 2000.

I like to have UPNs the same as e-mails [EMAIL PROTECTED], and the SAM account 
name could be LASTNFI2, for example. The first one is clear, but long to type 
(especially for [EMAIL PROTECTED]). The second one is nice in profile and home 
folder names and short to type.

The SAM account name is mandatory in old and new AD, but the new has the option 
of auto-generation.

UPN is optional, although ADUC requires one if you create a user with it.

The SAM account name must be unique in a domain, UPN must be unique in a 
forest. You can violate this uniqueness, if you create two users at the same 
time (within replication latency) on two DCs. In that case, however, neither 
user can log on.

Even though the SAM account name is only unique in a domain, if you prepend the 
domain name, you obviously get wider uniqueness (the traditional DOMAIN\BillG 
format). Perhaps this works for your application? That gives uniqueness, but of 
course is not guaranteed to remain always the same (only the GUID does that).

If you remove the braces and dashes of the string rep of the GUID, it's just a 
string of numbers and letters. Would that work for your application?

The ACL Editor displays a different selection of names in each dialog box:

- If you add a trustee and type a name, which has more than one match, you can 
select the trustee in a list that shows the RDN/CN, SAM account name, and 
e-mail address of the users.

- After you pick one, the selected user is shown with his RDN/CN and UPN.

- If after a while, you open ACL Editor again to see the permission list, ACL 
Editor displays the display name and UPN, and not RDN/CN anymore.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
 Sent: Thursday, August 25, 2005 9:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] UPN vs. SAM Account Name
 
 Al Mulnick wrote:
 
  Flexibility often is annoying.  However, the concept is not 
 new, and is useful for several scenarios that require one set 
 of credentials vs. the other. 
 
 Well, it's really all one set of credentials in terms of 
 which user object 
 in AD is actually being used to logon.  It's just that 
 there's multiple 
 naming attributes being used to identify which user object is 
 to be used for 
 authentication  logon.
 
 
  Like I mentioned earlier, your logon credentials will be 
 reported a certain way depending on the app.  If the app 
 needs samaccountname, then that's what you'll have to give it 
 else re-write the app.  Even in NT 3-4x I could rename the 
 samaccountname; that's not new.  What is new is a way to 
 uniquely identify identities across multiple federated 
 security domains unlike in NT4 where you had to ensure that 
 via your naming standards etc. 
 
 I understand the use of a GUID as a constant unique 
 identifier that exists 
 for the lifetime of the object regardless of whether it is 
 renamed or moved 
 to a new container.  This is highly desirable when you need 
 to maintain 
 those external linkages with other repositories.  If the GUID 
 could readily 
 be used with this particular application I would do so.
 
 The fact that the UPN is optional, can be duplicated [with adverse effects] 
 but should be unique, combined with the SAM account name being mandatory in 
 older versions of AD but auto-generated in later versions of AD with the 
 requirement that it be unique within a domain and preferably unique in the 
 tree/forest, makes it difficult to just pick the UPN over the SAM account 
 name in terms of which one is used to link user objects to entries in 
 external repositories.
 
 
  Most of the workstation variables will pull the downlevel 
 version of the logon credentials and rightfully so as they 
 have no idea if they're in a mixed or other type of domain. 
 
 Beyond the obvious down-level API functions and things like 
 the USERNAME 
 environment variable, other more subtle issues exist, such as 
 what names are 
 displayed when using the Explorer to modify the NTFS 
 permissions.  The user 
 object's display name is shown along with the UPN following it in 
 parenthesis, but the SAM account name is not displayed.  So, 
 the GUI is at 
 least aware that it's in an AD-enabled environment and it 
 takes the time to 
 convert backwards from a SID [in the DACL in the SD on the 
 file] to the 
 display name  UPN.  The DsCrackNames() function is most 
 likely being used 
 to perform the name conversions
 
 
  Are there any other options for the app?
 
 I'll keep investigating it further.
 
 
 -- 
 Chuck Chopp
 
 ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
 
 RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
 103 Autumn Hill Road  864