Re: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

okay okay I don't lurk well

There are white papers regarding the performance boosts you get on 64-bit, 
especially in AD, that I saw somewhere linked off a blog but I can't find 
them now [probably on Brett's blog is where I spotted them]


in the meantime..

Benefits of 64-Bit Computing:
http://www.microsoft.com/windowsserversystem/64bit/benefits.mspx

From today's Stuart Kwan Active Directory Chat...:
http://msmvps.com/clustering/archive/2005/05/17/47309.aspx


MWCC's WebLog : 64-bit Domain Controllers in MSIT:
http://blogs.msdn.com/mwcc/archive/2004/11/17/259320.aspx


Oh and... in case you are wondering...Bob Muglia said the next version 
of SBS will be 64 bit ;-)  [Exchange is our drag and is not 64 at this time]


Steve Linehan wrote:

In my opinion the biggest bang for the buck is consolidation of 
servers to the 64bit platform assuming of course that you have a large 
enough database, greater than 3 GB, and put enough memory in the 
servers to cache the entire database contents.  I have come across 
very few cases where Domain Controllers were truly CPU bound and in 
almost all cases they were I/O bound.  These servers perform extremely 
well for servers that are taking large amounts of ldap traffic from 
applications like Exchange.


 


Thanks,

-Steve

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Mauricio F. 
Funes

*Sent:* Thursday, October 13, 2005 11:56 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Domain Controller Consolidation utilizing Dual 
Core CPUs


 


Gentlemen,
Does anyone have any information regarding Domain Controller 
consolidation utilizing Dual Core CPUs?
I have not seen any reports from Microsoft indicating the 
performance boost gained by utilizing Dual Core technology on DCs. It 
is presumed to be much better than the 20% to 30% gain from Hyper 
Threading CPUs.


Thanks for your input,

Mauricio Funes
[EMAIL PROTECTED] 

Pasadena, CA


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Yann
Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whencreated and whenmodified attributes but not a whendeletedtimestamp one.

Any idea ?
		 


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Freddy HARTONO



Hi Yann,

You can find it in the Deleted Objects folder via adfind 
-showdel and see the Last modified date - that would be when the object was 
deleted.
But as for who deleted it - I don't think you can find that 
without the auditing.

Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono, Group Support Engineer, InternationalSOS Pte Ltd
Mail: [EMAIL PROTECTED]
Phone: (+65) 6330-9740 (temp)



From: Yann [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD 
other than using security audit, because at the time of the deletion, I forgot to 
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whencreated and 
whenmodified attributes but not a whendeletedtimestamp one.

Any idea ?




RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-14 Thread joe



Speaking of which Steve

I am starting to see questions of the type of how does a 64 
bit DC change the best practice 4:1 proc recommendations for Exchange to GC 
processor. Does PSS/MCS/Dev have any thoughts? Especially if you are able 
to cache the entire DIT. I have seen some 64 bit testing numbers from third 
parties but that is far from authoritative in terms of what MS thinks for the 
best practice numbers which weigh heavily with customers who want to do it the 
"Microsoft way".

Ditto the dual core CPUs. 

Another one that recently came across my desk was if you 
have 4000 users on a 4 proc Exchange server and are currently using a single 1 
proc GC and then you decide due to load on Exchange (say RPC load due to 
search/archive software which isn't impacting GCs) you want to go to 2 4 proc 
Exchange servers with 2000 users each, do you have to go to a dual proc 
GC or add another single proc GC or is it ok to stay with the one single proc 
GC?

Oh and another question I was asked was about using single 
proc GCs versus MP GCs and how the scaling of MP wasn't linear so should that be 
somehow involved in the Exchange best practice numbers?

It seems from my experience that you do better with making 
bigger and more powerful GCs in general because while Exchange does 
some limited logic round-robin load balancing at the server level, it doesn't do 
it at the site level amongst all Exchange servers so you can really start 
beating down a few GCs while the others see relatively light loading. Of 
course you don't want to have few GCs though in case you do have a problem so 
you throw a couple of extra larger GCs into the mix for fault tolerance for when 
you have to bring a GC down for maint or it just falls down for some reason. 


Also it seems that there is no real good way of determining 
exactly when you need to change your GC strategy for Exchange because your 
various Exchange AD related counters could be poor yet AD is still seeming to be 
performant and possibly even under utilized. This seems to really come into play 
if a lot of DL expansion of very large groups is coming into play. Possibly it 
is simply related to bad queries from Exchange due to, well, bad queries, or 
third party event sinks a la Exclaimer or multiple to software, etc. 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Friday, October 14, 2005 1:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs 


In my opinion the 
biggest bang for the buck is consolidation of servers to the 64bit platform 
assuming of course that you have a large enough database, greater than 3 GB, and 
put enough memory in the servers to cache the entire database contents. I 
have come across very few cases where Domain Controllers were truly CPU bound 
and in almost all cases they were I/O bound. These servers perform 
extremely well for servers that are taking large amounts of ldap traffic from 
applications like Exchange.

Thanks,

-Steve





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs 

Gentlemen, does anyone 
have any information regarding Domain Controller consolidation utilizing Dual 
Core CPUs? I have not seen any reports 
from Microsoft indicating the performance boost gained by utilizing Dual Core 
technology on DCs. It is presumed to be much better than the 20% to 30% gain from 
Hyper Threading CPUs.
Thanks for your input, 

Mauricio 
Funes [EMAIL PROTECTED] 
Pasadena, CA 



Re: [ActiveDir] salary(OT)

2005-10-14 Thread Za Vue




What you say, the employer might be on this forum.
-z.v.

  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, October 12, 2005 9:37 PM
To: activedirectory
Subject: [ActiveDir] salary(OT)
  
  
well, I've been consulting for 2 months full time for a company
and now they want to make me an offer to work for them (yeah, I'm amazed
too..)
At first it was a head/senior AD position but now they want to
throw in Exchange in the mix.
they used to outsource all their windows infrastructure and
during my tenure there, they took it back so they have no AD/Exchange
people.

This is a 3000 user financial corp in Manhattan.

my question is, what kind of salary would one expect for such
a position, taking into account the business and location and size.
  
  
  thanks






RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-14 Thread Ken Cornetet



I've been looking at HP DL385s for some SAP stuff. SAP's 
benchmarking page (http://www50.sap.com/benchmarkdata/sd2tier.asp) 
shows that a dual dual-core AMD box gives the same performance as a 
4-way Intel box.

I've built a few 385s so far, and they rock! And, as a 
bonus, you could run your DCs on 64 bit windows. Four CPUs, 16GB of RAM, and 64 
bit windows - that's one honkin' DC!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs 

Gentlemen, does 
anyone have any information regarding Domain Controller consolidation utilizing 
Dual Core CPUs? I have not seen any 
reports from Microsoft indicating the performance boost gained by utilizing Dual 
Core technology on DCs. It is presumed to be much better than the 20% to 30% gain 
from Hyper Threading CPUs.
Thanks for your input, 
Mauricio Funes [EMAIL PROTECTED] Pasadena, CA 


RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-14 Thread Thommes, Michael M.
Nice box! Take this kind of hardware, put
terminal services on it, and call it a mainframe! LOL!



Mike Thommes



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ken Cornetet
Sent: Friday, October 14, 2005
8:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Consolidation utilizing Dual Core CPUs 



I've been looking at HP
DL385s for some SAP stuff. SAP's benchmarking page (http://www50.sap.com/benchmarkdata/sd2tier.asp)
shows that a dual dual-core AMD box gives the same performance as a 4-way
Intel box.



I've built a few 385s so
far, and they rock! And, as a bonus, you could run your DCs on 64 bit windows.
Four CPUs, 16GB of RAM, and 64 bit windows - that's one honkin' DC!









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005
11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain
Controller Consolidation utilizing Dual Core CPUs 

Gentlemen,

Does anyone
have any information regarding Domain Controller consolidation utilizing Dual
Core CPUs? 
I have
not seen any reports from Microsoft indicating the performance boost
gained by utilizing Dual Core technology on DCs. It is presumed to be much better
than the 20% to 30% gain from Hyper Threading CPUs.

Thanks for your input, 

Mauricio Funes

[EMAIL PROTECTED]

Pasadena, CA 








RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Daniel Gilbert
Yann,

There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...

Dan

  Original Message 
 Subject: [ActiveDir] Knowing when users were deleted.
 From: Yann [EMAIL PROTECTED]
 Date: Thu, October 13, 2005 11:56 pm
 To: ActiveDir@mail.activedir.org
 
 
 Hi there, 
   
 I wonder if there is a way to know when a user has been deleted from AD other 
 than using security audit, because at the time of the deletion, I forgot to 
 activate the audit :( 
   
 So my boss urges me to find the guilty user AND the time of deletion. 
 I looked for attributes in ADSI and found that there are the whencreated and 
 whenmodified attributes but not a whendeletedtimestamp one. 
   
 Any idea ?
 



RE: [ActiveDir] salary(OT)

2005-10-14 Thread joe
I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony
occasionally posting the lurker list, I am curious as to how many people I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan

  Original Message 
 Subject: RE: [ActiveDir] salary(OT)
 From: joe [EMAIL PROTECTED]
 Date: Thu, October 13, 2005 2:50 pm
 To: ActiveDir@mail.activedir.org
 
  
 I have found that shooting for your contract salary is as good a target as
 any, but expect to miss unless you didn't get a very good contract rate.
 I have only seen one case where a company was willing to pay contract level
 fees to a FTE and that was back when I first got back into the industry (I
 burned out on it back when I was about 21 or so and left it) and had been
 completely screwed over by the contract house for my rate where they were
 making at least as much as I was. When I said I was leaving the FTE offer I
 received would have been a 60% raise from my previous salary. Unfortunately,
 the new contract position I was taking was a 100%+ increase and with OT
 (which you don't get as a FTE) ended up being a 200% increase.  
   
 Anyway, you tend to take a considerable hit (I have seen reductions of
 20%-75% for FTE offers and all but one of which I turned down cold) 
 but you try to make it up in benefits such as vaca, retirement, 
 insurance, etc. As a contractor you tend to have a different mindset 
 than as an FTE as well. As a contractor it is jump for the money and 
 your mind should always be ready to make that jump. As FTE it seems 
 people get in a rut and don't want to move once they start to get a 
 feeling of ownership. Personally I wouldn't be an FTE but for a very 
 small handful of companies where I really like and respect the 
 management. My manager I have now is probably one of the best managers
 in the universe, he is certainly the best I have had to this point in 
 my career and I have had several good managers. He is the kind of 
 guy that you love or hate, if you aren't above the curve, you hate 
 him. But then I have often been described as the person you love or 
 hate myself. I had one manager once say of me, "joe is the Bill 
 Lambeer of IT, if he is on your team you feel great and you love him. 
 If he isn't, you want to kill him." Another said "joe is worth his 
 weight in gold and he ain't a small guy". After I heard that one I went 
 and asked for a raise. Somehow I failed.  
   
 Every time I have negotiated with someone on any job I always just ask
 up front, so what salary or rate are you thinking. If the range is some
 ridiculous range like $50k-$300k which headhunters like to do because they
 think they are bright or something I 

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Al Mulnick



raises hand
GUID or SID of the user account that made the delete request. Last mod may not 
be enough in case some process gets hold of that data in the deleted items, even 
if unlikely. I want the id of the identity that caused the object to 
be there in the first place. 

Having 
the data for a full undelete option wouldn't seem too terrible either, although 
that might significantly increase the storage in the DIT. In the past I've 
had to write apps to keep that information out of band in order to put back 
items mistakenly removed. But I can't see why I should have to trip through all 
the DC's Audit logs to find the information about who deleted something given 
how common this type of question is. It should be recorded same as the 
audit log (we have the information, why not stamp it on the object at time of 
deletion?)

Al



  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
  Sent: Friday, October 14, 2005 11:03 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  Correct, you can currently only get the when and the 
  where (DC Where not Client Where). 
  
  Which raises the question. How many people would like a 
  metadata stamp with the GUID or SID of the userid that made the modification 
  for a given attribute (or value if appropriate)? Or would it be ok to just 
  have who made the last change to the object? Either way, none of the 
  "administrators group" nonsense, it points to a specific security 
  principal.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
  Sent: Friday, October 14, 2005 3:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  
  Hi Yann,
  
  You can find it in the Deleted Objects folder via adfind 
  -showdel and see the Last modified date - that would be when the object was 
  deleted.
  But as for who deleted it - I don't think you can find that 
  without the auditing.
  
  Thank you and have a splendid day! 
  Kind Regards, 
  Freddy Hartono, Group Support Engineer, InternationalSOS Pte Ltd
  Mail: [EMAIL PROTECTED]
  Phone: (+65) 6330-9740 (temp)
  
  
  
  From: Yann [mailto:[EMAIL PROTECTED]]
  Sent: Friday, October 14, 2005 2:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  I wonder if there is a way to know when a user has been deleted from AD 
  other than using security audit, because at the time of the deletion, I forgot 
  to activate the audit :(
  
  So my boss urges me to find the guilty user AND the time of 
  deletion.
  I looked for attributes in ADSI and found that there are the whencreated and 
  whenmodified attributes but not a whendeletedtimestamp one.
  
  Any idea ?
  
  


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Yann
Hi Freddy,

The information you gave rocks! 
I did not think of using the Last modified date attribute and querying it with joe's magic tool:
- "adfind -default -showdel -f isdeleted=TRUE"
It saves my job! :)

The security audit is now configured and on.

Thanks for your help.

Yann

Freddy HARTONO [EMAIL PROTECTED] wrote:


Hi Yann,

You can find it in the Deleted Objects folder via adfind -showdel and see the Last modified date - that would be when the object was deleted.
But as for who deleted it - I don't think you can find that without the auditing.

Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono, Group Support Engineer, InternationalSOS Pte Ltd. Mail: [EMAIL PROTECTED]. Phone: (+65) 6330-9740 (temp)



From: Yann [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whencreated and whenmodified attributes but not a whendeletedtimestamp one.

Any idea ?


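The procedure Freddy describes and Yann confirms (find the tombstone, read its last-write time) as an added PowerShell example; it is not code from the thread or from adfind. It goes one step further than the posts by pulling the originating DC out of the isDeleted replication metadata (joe's "DC where") and then checking that DC's Security log for the "user account deleted" event, which is the only place the "who" exists and only if auditing was on. Assumptions, none of which are in the thread: the RSAT ActiveDirectory module (Get-ADReplicationAttributeMetadata needs the Windows Server 2012 or later module; on older DCs `repadmin /showobjmeta <dc> "<GUID=...>"` gives the same data), read access to CN=Deleted Objects and to the DC's Security log, and the placeholder account and domain names.

```powershell
# Added example (not from the thread): when was this user deleted, from which DC,
# and, if auditing was on, by whom. Event IDs: 630 = User Account Deleted on
# Windows 2000/2003, 4726 = the same event on Windows 2008 and later.
param(
    [string]$Account = 'jdoe',          # sAMAccountName of the deleted user (placeholder)
    [string]$Domain  = 'corp.example'   # DNS name of the domain (placeholder)
)
Import-Module ActiveDirectory

# 1. The tombstone. Deleted objects keep isDeleted=TRUE and sAMAccountName and are
#    moved under CN=Deleted Objects. -IncludeDeletedObjects sends the Show Deleted
#    Objects LDAP control (OID 1.2.840.113556.1.4.417), which is what adfind -showdel does.
$tomb = Get-ADObject -Server $Domain -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and sAMAccountName -eq $Account } `
    -Properties whenChanged, lastKnownParent, objectGUID, objectSid
if (-not $tomb) {
    throw "No tombstone for $Account: it never existed, or it is past the tombstone lifetime and has been garbage-collected."
}

# 2. When and where. whenChanged on a tombstone is the last write, i.e. the delete
#    itself (Freddy's "Last modified date"). The replication metadata of the isDeleted
#    attribute gives the same instant plus the DC on which the delete originated.
$meta = Get-ADReplicationAttributeMetadata -Server $Domain -IncludeDeletedObjects `
    -Object $tomb.DistinguishedName | Where-Object { $_.AttributeName -eq 'isDeleted' }
# LastOriginatingChangeDirectoryServerIdentity is an NTDS Settings DN:
#   CN=NTDS Settings,CN=<DC name>,CN=Servers,CN=<site>,CN=Sites,...  -> take the 2nd RDN
$originDC  = (($meta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN=', ''
$deletedAt = $meta.LastOriginatingChangeTime

[pscustomobject]@{
    Account       = $Account
    Tombstone     = $tomb.DistinguishedName        # CN=<name>\0ADEL:<guid>,CN=Deleted Objects,...
    FormerParent  = $tomb.lastKnownParent
    SID           = $tomb.objectSid.Value
    WhenChanged   = $tomb.whenChanged
    DeletedAt     = $deletedAt
    OriginatingDC = $originDC
} | Format-List

# 3. Who. Only the Security log on the originating DC names the caller, and only if
#    "Audit account management" (or directory service access) was on at the time.
#    Get-EventLog works against Windows 2003 as well as later versions, unlike Get-WinEvent.
$window = New-TimeSpan -Minutes 5
$audit  = Get-EventLog -ComputerName $originDC -LogName Security `
    -After ($deletedAt - $window) -Before ($deletedAt + $window) -ErrorAction SilentlyContinue |
    Where-Object { ($_.EventID -eq 630 -or $_.EventID -eq 4726) -and $_.Message -match [regex]::Escape($Account) }

if ($audit) {
    # 630 text reads "Target Account Name ... Caller User Name ..."; 4726 reads "Subject ... Target Account ...".
    $audit | Select-Object TimeGenerated, EventID, Message | Format-List
} else {
    Write-Warning "No 630/4726 for $Account on $originDC within +/-5 min of $deletedAt. Auditing was probably off, or the log has wrapped."
}
```

Two caveats a practitioner will hit: the tombstone only exists for the tombstone lifetime (60 days by default, 180 days for forests created on Windows Server 2003 SP1 or later), after which step 1 finds nothing; and the audit event is written only on the DC that processed the delete, so querying a different DC's Security log proves nothing either way.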
 


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Yann
true.

I was looking rather for free tools, and I found the free eventtriggers tool from the 2k3 rktools that did the job.
It alerts you in real time for a specific event ID. You can tell eventtriggers to do a particular action such as using dumpel.exe to dump the 630 ID (French-specific ID, I presume) that corresponds to a deleted object action.

Notice that eventtriggers.exe only works on W2K3/XP machines.

Cheers,

Yann

Daniel Gilbert [EMAIL PROTECTED] wrote:

Yann,

There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...

Dan

Original Message
Subject: [ActiveDir] Knowing when users were deleted.
From: Yann <[EMAIL PROTECTED]>
Date: Thu, October 13, 2005 11:56 pm
To: ActiveDir@mail.activedir.org

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whencreated and whenmodified attributes but not a whendeletedtimestamp one.

Any idea ?
		 
 


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Alain Lissoir



Another possibility is the pure scripting way ... and leverage WMI 
with two event WQL queries:

1/
Select * From __InstanceDeletionEvent Within 60 Where 
TargetInstance ISA "ds_user"
2/
Select * From __InstanceCreationEvent Where TargetInstance ISA 
"Win32_NTLogEvent" And TargetInstance.Logfile = "Audit"

You can use a logic similar to Sample 3.54 - GroupMonitor.wsf (at 
http://www.lissware.net, volume 2) but 
just need to adapt it to users.
The same reasoning can be used to monitor FSMO role changes 
(Sample 3.55 and Sample 3.56 - FSMOMonitor.wsf).

These two scripts send an email containing info about the modified 
object.
Tweak them to meet your requirements with the WQL queries 1/ and 
2/.
You can download the script freely from my 
site.

Enable object access auditing and you can eventually run the 
script as a Windows Service (yes) on the DC. Then you are all 
set!
You can watch the web cast at http://go.microsoft.com/fwlink/?LinkId=39643 where 
I explain how to run scripts as Windows service with the right security 
context.

HTH.

/Alain


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Freddy,

The information you gave rocks! 
I did not think of using the Last modified date attribute and 
querying it with joe's magic tool:
- "adfind -default -showdel -f isdeleted=TRUE"
It saves my job! :)

The security audit is now configured and on.

Thanks for your help.

Yann

Freddy HARTONO [EMAIL PROTECTED] wrote:

  
  Hi Yann,
  
  You can find it in the Deleted Objects folder via adfind 
  -showdel and see the Last modified date - that would be when the object was 
  deleted.
  But as for who deleted it - I don't think you can find that 
  without the auditing.
  
  Thank you and have a splendid day! 
  Kind Regards, 
  Freddy Hartono, Group Support Engineer, InternationalSOS Pte Ltd
  Mail: [EMAIL PROTECTED]
  Phone: (+65) 6330-9740 (temp)
  
  
  
  From: Yann [mailto:[EMAIL PROTECTED]]
  Sent: Friday, October 14, 2005 2:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  I wonder if there is a way to know when a user has been deleted from AD 
  other than using security audit, because at the time of the deletion, I forgot 
  to activate the audit :(
  
  So my boss urges me to find the guilty user AND the time of 
  deletion.
  I looked for attributes in ADSI and found that there are the whencreated and 
  whenmodified attributes but not a whendeletedtimestamp one.
  
  Any idea ?
  
  
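Alain's two WQL event queries, and the eventtriggers approach Yann mentions just above (which, as Alain notes in his follow-up, registers the same kind of Win32_NTLogEvent query underneath), as an added PowerShell example. This is not Alain's GroupMonitor.wsf nor any code from the thread; it wires the same two queries into PowerShell WMI event subscriptions. Assumptions not in the thread: it runs elevated on a DC, the Security log's WMI Logfile name is 'Security' (Alain's query says "Audit"), the event IDs are 630 (Windows 2000/2003) and 4726 (Windows 2008 and later), and the log path is a placeholder.

```powershell
# Added example (not from the thread): report user deletions as they happen.
# Subscription 1 watches the directory itself (no auditing needed, gives the "what").
# Subscription 2 watches the Security log for the "user account deleted" audit event
# (needs Audit account management on, gives the "who").
$log = 'C:\Logs\ad-deletes.log'                        # placeholder output file
$null = New-Item -ItemType Directory -Path (Split-Path $log) -Force

# 1. Directory side. The LDAP WMI provider exposes user objects as ds_user in the
#    root\directory\LDAP namespace. __InstanceDeletionEvent is a polled intrinsic
#    event here, so WITHIN 60 is mandatory: WMI enumerates ds_user every 60 s and
#    reports instances that vanished. Cheap in a small domain, costly in a large one.
$dirQuery = "SELECT * FROM __InstanceDeletionEvent WITHIN 60 WHERE TargetInstance ISA 'ds_user'"
Register-WmiEvent -Namespace 'root\directory\LDAP' -Query $dirQuery `
    -SourceIdentifier 'AD.UserDeleted' -MessageData $log -Action {
    # TargetInstance is the last snapshot WMI had of the object before it disappeared.
    $u = $Event.SourceEventArgs.NewEvent.TargetInstance
    "{0} DELETED {1} (sAMAccountName={2})" -f (Get-Date -Format s), $u.DS_distinguishedName, $u.DS_sAMAccountName |
        Out-File -Append -FilePath $Event.MessageData
}

# 2. Audit side. The NT event log provider raises __InstanceCreationEvent for each
#    record as it is written, so no WITHIN clause. Filtering on EventCode inside the
#    query stops WMI from handing every Security event to the script block.
$auditQuery = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
              "AND TargetInstance.Logfile = 'Security' " +
              "AND (TargetInstance.EventCode = 630 OR TargetInstance.EventCode = 4726)"
Register-WmiEvent -Namespace 'root\cimv2' -Query $auditQuery `
    -SourceIdentifier 'AD.UserDeletedAudit' -MessageData $log -Action {
    $e = $Event.SourceEventArgs.NewEvent.TargetInstance
    # InsertionStrings are the event's parameters (target account, caller/subject,
    # logon ID, privileges). 630 and 4726 order them differently, so write all of
    # them out rather than index into a position that is right for only one of them.
    "{0} AUDIT {1} on {2}: {3}" -f (Get-Date -Format s), $e.EventCode, $e.ComputerName, ($e.InsertionStrings -join ' | ') |
        Out-File -Append -FilePath $Event.MessageData
}

# The subscriptions live as long as this session. For something permanent, run the
# script as a scheduled task or service (Alain's webcast), or convert the queries to
# a permanent WMI event consumer. Get-EventSubscriber lists them, Unregister-Event
# -SourceIdentifier AD.* removes them.
Write-Host "Watching for user deletions; output in $log. Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 60 }
```

The directory-side subscription is what answers Yann's original question without any audit setting, but it only tells you that an object went away and roughly when (to within the 60-second poll); the caller comes solely from the audit record, and reading the Security log through Win32_NTLogEvent requires the SeSecurityPrivilege, hence running elevated.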


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Alain Lissoir



Eventtriggers tool uses WMI WQL query as described in my previous 
mail referring to the WMI scripting technique.
Nothing different except that you don't have to deal with a script 
... but if you have a script you master the logic better.

/Alain


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

true.

I was looking rather for free tools, and I found the free eventtriggers tool 
from the 2k3 rktools that did the job.
It alerts you in real time for a specific event ID. You can 
tell eventtriggers to do a particular action such as using dumpel.exe 
to dump the 630 ID (French-specific ID, I presume) that corresponds to a 
deleted object action.

Notice that eventtriggers.exe only works on W2K3/XP machines.

Cheers,

Yann

Daniel Gilbert [EMAIL PROTECTED] wrote:

  Yann,

  There are some utilities you can purchase that will alert you when an
  object is deleted, added, modified...

  Dan

  Original Message
  Subject: [ActiveDir] Knowing when users were deleted.
  From: Yann <[EMAIL PROTECTED]>
  Date: Thu, October 13, 2005 11:56 pm
  To: ActiveDir@mail.activedir.org

  Hi there,

  I wonder if there is a way to know when a user has been deleted from AD 
  other than using security audit, because at the time of the deletion, I forgot 
  to activate the audit :(

  So my boss urges me to find the guilty user AND the time of deletion.
  I looked for attributes in ADSI and found that there are the whencreated and 
  whenmodified attributes but not a whendeletedtimestamp one.

  Any idea ?




RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Yann
Thanks Alain,

I will look through your link right now.

Cheers,

Yann

Alain Lissoir [EMAIL PROTECTED] wrote:


Another possibility is the pure scripting way ... and leverage WMI with two event WQL queries:

1/
Select * From __InstanceDeletionEvent Within 60 Where TargetInstance ISA "ds_user"
2/
Select * From __InstanceCreationEvent Where TargetInstance ISA "Win32_NTLogEvent" And TargetInstance.Logfile = "Audit"

You can use a logic similar to Sample 3.54 - GroupMonitor.wsf (at http://www.lissware.net, volume 2) but just need to adapt it to users.
The same reasoning can be used to monitor FSMO role changes (Sample 3.55 and Sample 3.56 - FSMOMonitor.wsf).

These two scripts send an email containing info about the modified object.
Tweak them to meet your requirements with the WQL queries 1/ and 2/.
You can download the script freely from my site.

Enable object access auditing and you can eventually run the script as a Windows Service (yes) on the DC. Then you are all set!
You can watch the web cast at http://go.microsoft.com/fwlink/?LinkId=39643 where I explain how to run scripts as Windows service with the right security context.

HTH.

/Alain


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Freddy,

The information you gave rocks! 
I did not think of using the Last modified date attribute and querying it with joe's magic tool:
- "adfind -default -showdel -f isdeleted=TRUE"
It saves my job! :)

The security audit is now configured and on.

Thanks for your help.

Yann

Freddy HARTONO [EMAIL PROTECTED] wrote:


Hi Yann,

You can find it in the Deleted Objects folder via adfind -showdel and see the Last modified date - that would be when the object was deleted.
But as for who deleted it - I don't think you can find that without the auditing.

Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono, Group Support Engineer, InternationalSOS Pte Ltd. Mail: [EMAIL PROTECTED]. Phone: (+65) 6330-9740 (temp)



From: Yann [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whencreated and whenmodified attributes but not a whendeletedtimestamp one.

Any idea ?


 


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley

Ignoring the 16 bytes at the beginning of the metadata for version and
attr count info, and garbage wasted space ... the metadata for a single
attribute is 48 bytes, adding the SID (28 bytes) would be an expansion of
57% on the _raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for
a trivial implementation against this particular corporate DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will
realize that is a data structure that is over ripe (like bananas you
wouldn't even use for a banana cake) for being compressed.  I think I
could add a SID, (custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because If you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, effectively a
random hash.  The SID is more likely to compress properly.

[1] I expect that corporate DITs vary what % is meta-data by how many
certs and big blobs they stick in their AD.  I imagine most corporate DITs
are worse (as in higher % is metadata) than the one I checked out.

Not that I've been thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Fri, 14 Oct 2005, Al Mulnick wrote:

 raises hand
 GUID or SID of the user account that made the delete request.  Last mod may
 not be enough in case some process gets hold of that data in the deleted
 items, even if unlikely.  I want the id of the identity that put caused the
 object to be there in the first place.  
  
 Having the data for a full undelete option wouldn't seem too terrible
 either, although that might significantly increase the storage in the DIT.
 In the past I've had to write apps to keep that information out of band in
 order to put back items mistakenly removed. But I can't see why I should
 have to trip through all the DC's Audit logs to find the information about
 who deleted something given how common this type of question is.  It should
 be recorded same as the audit log (we have the information, why not stamp it
 on the object at time of deletion?)
  
 Al
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 11:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.
 
 
 Correct, you can currently only get the when and the where (DC Where not
 Client Where). 
  
 Which raises the question. How many people would like a metadata stamp with
 the GUID or SID of the userid that made the modification for a given
 attribute (or value if appropriate)? Or would it be ok to just have who made
 the last change to the object? Either way, none of the administrators
 group nonsense, it points to a specific security principal.
  
  
 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
Sorry to bug you. I should've posted that I figured it out.


On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Why not use CSVDE.EXE, while joe gives us adfind with a -CSV switch and custom delimiter in the next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description

Only gripe is you can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:
 
-- ~~~Fortune and Love befriend the bold
~~~


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Al Mulnick
Is that a "yes, you'll add it" or a "no, ...and no bananas for you" answer?

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.




RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley
Well, first you should _never_ ever view anything _I_ am musing as a
possible feature from the product group, I muse a lot of stuff.  PMs will
be the feature group's spokespeople, I am a dev.  This feature (in various
forms) has been under consideration before, specifically in the Win2k, Win2k3,
and Longhorn timeframes.

Secondarily, features for any company are always an optimization question
of profit opportunity of feature A vs. feature B vs. cost vs. available
resources ... would you give up the planned Longhorn RODC features for
something like this?

And finally ... you've dealt with the product group before ... they tell
us (devs) the first time we go to a conference never to promise the customer
anything, as we are only supposed to set expectations in customers that
will be delivered on ...

IF you really want a commitment on adding it... how about this, I
can commit to delivering my first blog post before giving you user
modification tracking in metadata.

... have I now doomed the feature to never show up?

So you asked was that a yes or no in that previous post ... I'd view this
as nothing less than and nothing more than ... msft has smart people who
think about this stuff ... and in that spirit, if it were done, you
probably don't need to worry about DIT bloat (I'm much too smart to let
that happen, frankly you insult me ;).

Cheers,
BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.

On Fri, 14 Oct 2005, Al Mulnick wrote:


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brett Shirley

P.S. - You can't really insult me ... 

P.P.S - and if we were smart, we would've compressed the metadata from the
get go ;) and we'd be trying to figure out how to stuff the SID in the
metadata w/o bloating the DIT by 10% ... and instead we'd have to be
really cunning (cunning is smarter than smart) to make it all work out, 

P.P.P.S. - or do surveys to see if the increase in DIT size is worth the
feature to you guys (which is an interesting question in itself, just to
see what people are willing to pay. ;)

P.P.P.P.S. - Instead we're lucky.  The line between lucky and cunning is
very narrow.

OK, I'm done.


On Fri, 14 Oct 2005, Brett Shirley wrote:


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Al Mulnick
would you give up the planned Longhorn RODC features for something like
this?

I'd happily give up RODC in favor of this.  But I appreciate the honest
answer and wasn't looking for a commitment.  I'll be more careful to word
things more appropriately in the future and to eat my vegetables at every
meal. 

I'd be very happy to see this as an option with some growth parameters that
are documented (if you do x, expect this amount of storage per item increase
over not doing it) sort of documentation. 

Now if only I could find that Microsoft wish email address to send such a
request to.

Al

P.S. I can't insult you?  Really? If I do, will you blog about it in your
second blog post? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.




RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Darren Mar-Elia
 Now if only I could find that microsoft wish email address to send such a 
request to

Try http://www.windowsserverfeedback.com/



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 14, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Kamlesh Parmar
You might want to know,

Checking for 4096 in userAccountControl will include disabled accounts also.
Bit 2 is set for a disabled account, and you are not checking for its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract userAccountControl in your dsquery output along with name,
and check the status of the accounts whose userAccountControl is set to
4098 (4096 + 2); you will find that those are disabled accounts
(which I think you didn't want).

If I misunderstood your requirement, please ignore this mail.

--
Kamlesh

On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:
Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name-scope subtree -filter ((objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))

Thanks again.
sorry to bug you. i should've posted i figured it out.


On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED]
 wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimeter, in next few days.
csvde -f output.txt -r ((objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003)) -l cn,descriptiononly gripe is can't change the delimeter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:
 
-- ~~~Fortune and Love befriend the bold~~~
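
As an added example (not code from the thread), the matching-rule semantics behind the two filters above: 1.2.840.113556.1.4.803 is bitwise AND (every bit in the mask must be set) and 1.2.840.113556.1.4.804 is bitwise OR (any bit in the mask may be set). The sample computer objects are constructed. It shows why Tom's original filter returns the disabled server (4098 = 4096 + 2) and why Kamlesh's extra clause removes it. One further caveat a practitioner should know: domain controllers carry SERVER_TRUST_ACCOUNT (8192) instead of WORKSTATION_TRUST_ACCOUNT (4096), so a filter on 4096 silently excludes DCs whether or not that is intended.

```python
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# The userAccountControl flags this example needs (values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",  # 4096: member workstation or server
    0x2000: "SERVER_TRUST_ACCOUNT",       # 8192: domain controller
    0x80000: "TRUSTED_FOR_DELEGATION",
}
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample: what a directory search might hand back.
SAMPLE_COMPUTERS = [
    {"name": "SRV01", "objectCategory": "computer",
     "operatingSystem": "Windows Server 2003", "userAccountControl": 4096},
    {"name": "SRV02", "objectCategory": "computer",
     "operatingSystem": "Windows Server 2003", "userAccountControl": 4098},
    {"name": "DC01", "objectCategory": "computer",
     "operatingSystem": "Windows Server 2003", "userAccountControl": 532480},
    {"name": "WS01", "objectCategory": "computer",
     "operatingSystem": "Windows XP Professional", "userAccountControl": 4096},
]


def uac_rule(rule: str, value: int, mask: int) -> bool:
    """Evaluate one bitwise extensible-match clause, e.g.
    (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask   # all bits of the mask are set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0      # at least one bit of the mask is set
    raise ValueError(f"unknown matching rule {rule}")


def decode_uac(value: int) -> list[str]:
    """Name the flags set in a userAccountControl value (known flags only)."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def select_servers(entries, exclude_disabled: bool) -> list[str]:
    """Apply the thread's filter: computer objects running Windows Server 2003
    with the 4096 bit set; optionally also require the disabled bit clear,
    which is the clause Kamlesh added."""
    hits = []
    for e in entries:
        if e["objectCategory"].lower() != "computer":
            continue
        if e["operatingSystem"].lower() != "windows server 2003":
            continue
        uac = e["userAccountControl"]
        if not uac_rule(LDAP_MATCHING_RULE_BIT_OR, uac, UAC_WORKSTATION_TRUST_ACCOUNT):
            continue
        if exclude_disabled and uac_rule(LDAP_MATCHING_RULE_BIT_AND, uac, UAC_ACCOUNTDISABLE):
            continue
        hits.append(e["name"])
    return hits


if __name__ == "__main__":
    print("original filter :", select_servers(SAMPLE_COMPUTERS, exclude_disabled=False))
    print("with !disabled  :", select_servers(SAMPLE_COMPUTERS, exclude_disabled=True))
    for c in SAMPLE_COMPUTERS:
        print(c["name"], c["userAccountControl"], decode_uac(c["userAccountControl"]))
```

With a single-bit mask the AND and OR rules are equivalent, which is why Tom's 804-based clause and Kamlesh's 803-based one select the same accounts; the rules only differ once the mask has several bits.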


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Gil Kirkpatrick



shameless plug
NetPro's ChangeAuditor for AD does this without requiring 
auditing. The change log includes what was changed, before and after values, 
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD 
other than using security audit, because at the time of the deletion, I forgot to 
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there is the whenCreated, 
whenModified attribute but not a whenDeletedTimestamp one.

Any idea ?


FREE audio calls anywhere in the world with the new Yahoo! Messenger. Download it here!


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Freddy HARTONO



*raises hand*

sid of the last modify-er would be just nice for 
me.

Usually we just want to know which admin is the culprit 
without analyzing 30gig of DC security log (one day log)
Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: 
[EMAIL PROTECTED] phone: 
(+65) 6330-9740 - temp 



From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Correct, you can currently only get the when and the where 
(DC Where not Client Where). 

Which raises the question. How many people would like a 
metadata stamp with the GUID or SID of the userid that made the modification for 
a given attribute (or value if appropriate)? Or would it be ok to just have who 
made the last change to the object? Either way, none of the "administrators 
group" nonsense, it points to a specific security principal.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,

You can find it in the deleted objects container via adfind 
-showdel and see the last modified date - that would be when the object was 
deleted.
But as for who deleted - I dont think you can find it 
without the auditing.

Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: 
[EMAIL PROTECTED] phone: 
(+65) 6330-9740 - temp 



From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD 
other than using security audit, because at the time of the deletion, I forgot to 
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there is the whenCreated, 
whenModified attribute but not a whenDeletedTimestamp one.

Any idea ?


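
The "when and where (DC where)" joe refers to above, and the last-modified date Freddy mentions, can both be read from the tombstone's replication metadata: the originating change time and originating DSA of the isDeleted attribute. This is an added example, not code from the thread; the msDS-ReplAttributeMetaData XML values below are constructed in the shape a Windows Server 2003 DC returns for that attribute (repadmin /showobjmeta prints the same fields), with assumed DC names, times, USNs and invocation IDs. Two caveats a practitioner wants: the metadata never names the principal, which is exactly the gap joe describes, and it is only available while the tombstone exists (tombstoneLifetime, 60 days by default on Windows Server 2003, 180 for forests created with SP1 or later).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: three metadata entries for one tombstoned user, as
# returned in msDS-ReplAttributeMetaData (one XML document per attribute).
SAMPLE_METADATA = [
    """<DS_REPL_ATTR_META_DATA>
<pszAttributeName>objectClass</pszAttributeName>
<dwVersion>1</dwVersion>
<ftimeLastOriginatingChange>2004-03-02T09:15:44Z</ftimeLastOriginatingChange>
<uuidLastOriginatingDsaInvocationID>3f2504e0-4f89-11d3-9a0c-0305e82c3301</uuidLastOriginatingDsaInvocationID>
<usnOriginatingChange>8821</usnOriginatingChange>
<usnLocalChange>8821</usnLocalChange>
<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>""",
    """<DS_REPL_ATTR_META_DATA>
<pszAttributeName>name</pszAttributeName>
<dwVersion>2</dwVersion>
<ftimeLastOriginatingChange>2005-10-13T22:41:07Z</ftimeLastOriginatingChange>
<uuidLastOriginatingDsaInvocationID>7c9e6679-7425-40de-944b-e07fc1f90ae7</uuidLastOriginatingDsaInvocationID>
<usnOriginatingChange>41233</usnOriginatingChange>
<usnLocalChange>39870</usnLocalChange>
<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC02,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>""",
    """<DS_REPL_ATTR_META_DATA>
<pszAttributeName>isDeleted</pszAttributeName>
<dwVersion>1</dwVersion>
<ftimeLastOriginatingChange>2005-10-13T22:41:07Z</ftimeLastOriginatingChange>
<uuidLastOriginatingDsaInvocationID>7c9e6679-7425-40de-944b-e07fc1f90ae7</uuidLastOriginatingDsaInvocationID>
<usnOriginatingChange>41233</usnOriginatingChange>
<usnLocalChange>39870</usnLocalChange>
<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC02,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>""",
]


def parse_metadata(values) -> list[dict]:
    """Turn each DS_REPL_ATTR_META_DATA document into a flat record."""
    rows = []
    for v in values:
        root = ET.fromstring(v)
        stamp = root.findtext("ftimeLastOriginatingChange")
        rows.append({
            "attr": root.findtext("pszAttributeName"),
            "version": int(root.findtext("dwVersion")),
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "usn": int(root.findtext("usnOriginatingChange")),
            "dsa": root.findtext("pszLastOriginatingDsaDN"),
        })
    return rows


def dsa_server_name(ntds_settings_dn: str) -> str:
    """'CN=NTDS Settings,CN=DC02,CN=Servers,...' -> 'DC02' (the second RDN)."""
    return ntds_settings_dn.split(",")[1].split("=", 1)[1]


def deletion_origin(rows):
    """(UTC time, originating DC) of the write that set isDeleted, or None
    if the object is not a tombstone. There is deliberately no 'who' field:
    replication metadata does not carry the principal."""
    for r in rows:
        if r["attr"].lower() == "isdeleted":
            return r["time"], dsa_server_name(r["dsa"])
    return None


if __name__ == "__main__":
    rows = parse_metadata(SAMPLE_METADATA)
    for r in rows:
        print(f'{r["attr"]:12s} v{r["version"]} {r["time"]:%Y-%m-%d %H:%M:%S}Z {dsa_server_name(r["dsa"])}')
    print("deleted:", deletion_origin(rows))
```

Knowing the originating DC narrows the search even without directory auditing: that DC's security log (if any logging was on) or its LDAP client connections around the timestamp are where to look next.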


RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rich Milburn
I think there are a few types of questions one can ask in list such as
this... 
1) questions where you have searched for an hour and nothing seems
relevant, or there is so much info that it would take days to sort
through 
2) questions where the sh_t is down hard and what the heck is THIS and
you did a cursory search that either turned up nothing useful or info
you don't understand how to apply
3) questions where your lack of experience in an area means you just
plain don't know how to search or where to start, but if someone would
point you in the right direction you'd be happy to do your own research

 With the above types, I don't think anyone minds those, everyone has
been there - and the more _relevant_ details that are provided, the
better.

4) questions that can be pasted into a search engine, click I Feel
Lucky, and paste the text from the first hit back as a response
5) questions with a subject line that reads, PLEASE HELP and a message
that says, what's the syntax for ntdsutil?
6) questions that are so off-topic, detailed, and irrelevant to most of
the list audience's experience as to make people ask, did I switch to
the SQL (or Exchange or C#) list somehow?

 These are some of the questions that do become a drain.  As long as the
questions show you tried to find out yourself, are relevant, and if
possible the answers should be relevant to the community, then no one
minds questions.  That's what the list is for (IMHO).  

Another thing - when you (referring to no one in particular) ask
questions that can be easily researched, you deny yourself two valuable
aspects of learning - you learn more when you research it yourself, and
you often find related but additional interesting information that helps
your overall understanding.  There are times I've thought to post a
question and decided to look a bit further, and found answers to lots of
other things as well that I didn't realize were out there.

In IT I firmly believe it's not what you know, but how good you are at
research and troubleshooting, that sets you apart.  But that's just my
opinion.

Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn
how to do it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 13, 2005 7:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] salary(OT)

...at the same time has the questions asked been of benefit to others on
the list?  Yes?

I find that when I turn into the 'teacher role' in my own SBS community 
I learn a lot more.  It makes me stretch when I have to document 'why' I
do the things I do and recommend.  I have to google [oh sorry...msn 
search] for the resources and documentation which makes me learn more.  
Even with the trolls [the ones that are argumentative trolls but not 
the stupid trolls], I find that when I'm arguing my point... I'm backing
it up with documentation of why I think like that.  It helps me to 
solidify my views.

Sometimes even the dumb questions make you dig back into the foundations
and think.

For me, you lurk, you sit at the feet of the masters and you soak in 
with the hopes that some of that grey matter will drip on you.

Active Directory experts aren't just popped out of the ground, right? 
And books alone don't cut it right?  Some of this [a lot of this] is 
BTDT credential based, right?

[BTDT - been there done that - no greater credential in the world]

As a newbie here to this list you will forgive me when I ask the dumb 
ones, yes?
back to lurking   oh and do you guys take paypal?  I may be 
annoying and ask some more

Tom Kern wrote:

 Am I capable?
 Who knows?
  
 I've only been in IT for less than 4 years and I never owned a 
 computer until 6 years ago.
 Everything i learned, i learned from screwing around at 
 home, books, websites, and most of all, lists like this.
 I haven't lied or fluffed up my resume or past in any way to employers,
 so if they are willing to offer me positions, i can only assume i'm 
 close to capable
  
 I'm 36yrs old and I have a B.A. in English lit from NYU and as i said,
 no computer experience until i was about 30.  Before IT, i was in grad
 school for english and working as a TA at Boston University.
 I'm always upfront to employers about all of this.
 They hire me and seem to be pleased.
  
  
 As to this list being a question sink, i've been a lurker on this list
 for 2yrs and i admit i've sent a deluge of questions lately, but only
 about 10% of them have been about my current position.
 The other 90% have just been for my own 

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Darren Mar-Elia



Ok, now you've done it Gil :-) I guess this is the geek 
version of "dueling banjos" :-)

shameless plug2
Quest's InTrust for Active Directory provides 
detailed, real-time auditing and alerting of all changes to AD and Group Policy 
Objects (GPOs), including changes to AD configuration and GPO settings. It also 
provides all information behind important changes, including who made the change 
and the before and after values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/
/shamelessplug2





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

shameless plug
NetPro's ChangeAuditor for AD does this without requiring 
auditing. The change log includes what was changed, before and after values, 
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD 
other than using security audit, because at the time of the deletion, I forgot to 
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there is the whenCreated, 
whenModified attribute but not a whenDeletedTimestamp one.

Any idea ?




RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Gil Kirkpatrick



I get to be Burt Reynolds! :)

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek 
version of "dueling banjos" :-)

shameless plug2
Quest's InTrust for Active Directory provides 
detailed, real-time auditing and alerting of all changes to AD and Group Policy 
Objects (GPOs), including changes to AD configuration and GPO settings. It also 
provides all information behind important changes, including who made the change 
and the before and after values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/
/shamelessplug2





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

shameless plug
NetPro's ChangeAuditor for AD does this without requiring 
auditing. The change log includes what was changed, before and after values, 
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD 
other than using security audit, because at the time of the deletion, I forgot to 
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there is the whenCreated, 
whenModified attribute but not a whenDeletedTimestamp one.

Any idea ?




RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
 Tony Murray Said:  
 Joe, I've had no complaints about you to date.

Good.  I'll start.  Here's your first.

He's an over-bearing know-it-all looking for his first and second million.
Plus, he uses more bandwidth than everyone combined.

If someone asks, he - Could I stand a second domain controller up for
redundant purposes?

Can joe just say, Yes.  Nope - never.  You're going to get 15 pages
minimum of OK - here's what *I'd* do. 

However, all that being said - we love joe and would never want him to
change.  Well, except for his clothes on occasion.  And, dude - you need
some of that Power Stripe deodorant. Seriously.

And, I'm sorry to hear that a book that isn't even available YET is only
going to sell 2000 copies.  How in the heck did you and Robbie get O'Reilly
to agree to do a 3rd edition?  Surely you jest when referencing that
number  Oh, and I can't even find it referenced on O'Reilly's site yet.
How about some pre-print advertising?  You think THAT might boost your
numbers?

Love ya buddy!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony
occasionally posting the lurker list, I am curious as to how many people I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan

  Original Message 
 Subject: RE: [ActiveDir] salary(OT)
 From: joe [EMAIL PROTECTED]
 Date: Thu, October 13, 2005 2:50 pm
 To: ActiveDir@mail.activedir.org
 
  
 I have found that shooting for your contract salary is as good a 
 target as
any, but expect to miss unless you didn't get a very good contract rate.
I have only seen one case where a company was willing to pay contract level
fees to a FTE and that was back when I first got back into the industry (I
burned out on it back when I was about 21 or so and left it) and had been
completely screwed over by the contract house for my rate where they were
making at least as much as I was. When I said I was leaving the FTE offer I
received would have been a 60% raise from my previous salary. Unfortunately,
the new contract position I was taking was a 100%+ increase and with OT
(which you don't get as a FTE) ended up being a 200% increase.  
   
 Anyway, you tend to take a considerable hit (I have seen reductions of

 20%-75% for FTE offers and all but one of which I turned down cold) 
 but you try to make it up in benefits such as vaca, retirement, 
 insurance, etc. As a contractor you tend to have a different mindset 
 than as an FTE as well. As a contractor it is 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Thommes, Michael M.
And this is why I absolutely *LOVE* this list - it's not only
informative, it's entertaining as well!  Keep it coming, guys!

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

 Tony Murray Said:  
 Joe, I've had no complaints about you to date.

Good.  I'll start.  Here's your first.

He's an over-bearing know-it-all looking for his first and second
million.
Plus, he uses more bandwidth than everyone combined.

If someone asks, he - Could I stand a second domain controller up for
redundant purposes?

Can joe just say, Yes.  Nope - never.  You're going to get 15 pages
minimum of OK - here's what *I'd* do. 

However, all that being said - we love joe and would never want him to
change.  Well, except for his clothes on occasion.  And, dude - you need
some of that Power Stripe deodorant. Seriously.

And, I'm sorry to hear that a book that isn't even available YET is only
going to sell 2000 copies.  How in the heck did you and Robbie get
O'Reilly
to agree to do a 3rd edition?  Surely you jest when referencing that
number  Oh, and I can't even find it referenced on O'Reilly's site
yet.
How about some pre-print advertising?  You think THAT might boost your
numbers?

Love ya buddy!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and
for
good reason. It is one of the few places where I learn things that I
don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on
how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third
Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft
ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some
25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard
mode
and a couple of hundred subscribed in digest mode, would you be
surprised?
:-)

I could post the lurker list, but I don't really want spammers to get
hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people
want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind
Tony
occasionally posting the lurker list, I am curious as to how many people
I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan

  Original Message 
 Subject: RE: [ActiveDir] salary(OT)
 From: joe [EMAIL PROTECTED]
 Date: Thu, October 13, 2005 2:50 pm
 To: ActiveDir@mail.activedir.org
 
  
 I have found that shooting for your contract salary is as good a 
 target as
any, but expect to miss unless you didn't get a very good contract rate.
I have only seen one case where a company was willing to pay contract
level
fees to a FTE and that was back when I first got back into the industry
(I
burned out on it back when I was about 21 or so and left it) and had
been
completely screwed over by the contract house for my rate where they
were
making at least as much as I was. When I said I was leaving the FTE
offer I
received would have been a 60% raise from my previous salary.
Unfortunately,
the new contract position I was taking was a 100%+ increase and with OT
(which you don't get as a FTE) ended up 

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Rocky Habeeb



Gentlemen,
"WHICH IS CHEAPER?"
LOL
RH
__


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: Friday, October 14, 2005 1:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  Ok, now you've done it Gil :-) I guess this is the geek 
  version of "dueling banjos" :-)
  
  shameless plug2
  Quest's InTrust for Active 
  Directory provides detailed, real-time auditing and alerting of all changes to 
  AD and Group Policy Objects (GPOs), including changes to AD configuration and 
  GPO settings. It also provides all information behind important changes, 
  including who made the change and the before and after values all without 
  requiring native auditing. http://wm.quest.com/products/InTrustAD/
  /shamelessplug2
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Friday, October 14, 2005 10:02 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  
  shameless plug
  NetPro's ChangeAuditor for AD does this without requiring 
  auditing. The change log includes what was changed, before and after values, 
  when, where, and by whom.
  See http://www.netpro.com/products/changemanager/
  /shameless plug
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Thursday, October 13, 2005 11:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  I wonder if there is a way to know when a user has been deleted from AD 
  other than using security audit, because at the time of the deletion, I forgot 
  to activate the audit :(
  
  So my boss urges me to find the guilty user AND the time of deletion.
  I looked for attributes in ADSI and found that there is the whenCreated, 
  whenModified attribute but not a whenDeletedTimestamp one.
  
  Any idea ?
  
  


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brian Desmond








Was going to ask that myself. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Gentlemen,

WHICH IS CHEAPER?

LOL

RH
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek version of dueling banjos :-)

shameless plug2
Quest's InTrust for Active Directory provides detailed, real-time auditing and alerting of all changes to AD and
Group Policy Objects (GPOs), including changes to AD configuration and GPO settings. It also provides all
information behind important changes, including who made the change and the before and after values all without
requiring native auditing. http://wm.quest.com/products/InTrustAD/
/shamelessplug2

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

shameless plug
NetPro's ChangeAuditor for AD does this without requiring auditing. The change log includes what was changed,
before and after values, when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit,
because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there is the whenCreated, whenModified attribute but not a
whenDeletedTimestamp one.

Any idea ?



RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Noah Eiger



Thanks for the thoughts. And thanks Tony for the reference 
-- just finished reading it.

Unfortunately, deploying the DC at HQ or simply 
authenticating over the WAN is not really an option. The WAN links are ok (and 
getting better) but are located in places where environmental (as in the 
weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC? The white paper does not really make this clear. Also, I am assuming that a 
host machine would be a domain member, right? Does it authenticate off the 
virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House 
when they talk about the "whole universe as we know it existing under the 
fingernail of some other giant being..." Whoa, dude!

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 13, 2005 12:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Other important factors in this scenario must be the 
  physical and logical security of the server housing the DC 
  role.
  
  1. Will the server be securely locked away in the 
  branches? If not, do not deploy a DC.
  2. Do you trust the file server admins to have physical 
  access to the server hosting the DC role?
  3. Who administers the server that hosts the file 
  and DC roles? Are they also trusted?
  
  When designing the branch office, I would always ask the 
  questions below, too:
  1. Is a local DC required? i.e. what are the drawbacks if 
  a DC is not deployed?
  2. Is logon/startup traffic over the WAN larger than 
  replication traffic over the WAN? If not, consider not deploying a local 
  DC.
  3. Does a local DC offer redundancy in the event of a WAN 
  failure? If other apps are accessed over the WAN, then consider deploying the 
  DC at a central location and not at the branch.
  
  hth,
  neil
  
  
  ___ Neil Ruston Global Technology Infrastructure Nomura International plc 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: 13 October 2005 01:12
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Here's a link to a Microsoft document that covers what 
  you need to do to run a production DC on Virtual Server 
  2005.
  
  http://tinyurl.com/5enjd
  
  Tony
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Thursday, 13 October 2005 11:30 a.m.
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Virtual Servers in Branch Offices
  
  Hi 
  -
  
  Just to follow up 
  on the design thread Since I am placing DCs in small branch offices is 
  there a value in using Virtual Server 2005 to create separate virtual boxes 
  (DC  file server) running on the same physical box? Some users have 
  administrative access to the file server, and I'd love to keep them off the 
  DCs. I am also curious about optimal physical and virtual drive configurations 
  for such a box.
  
  I reviewed the 
  thread here about Virtual Domain Controllers but it seemed to focus on using 
  them as backups. I am talking about production.
  
  Any thoughts most 
  welcome.
  
  -- 
  nme
  
  

  

[ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Jennifer Fountain

Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,
 
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915 





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Rick Kingslan



"Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC?"

Hmmm 
interesting. Yes, and no. Physical access is always an issue, but 
the NTDS.DIT is not out there in the open on a disk as it might be in a 
traditional DC. However, anyone with a VS *COULD* mount and start your DC 
- so the same rules apply. Don't allow anyone you do not trust physical 
access to your systems.

As to domain member - I 
don't recall VS requiring Domain Membership (more, because I just haven't 
tried...). So, does this mean that a machine that is a work group system 
could host a VS with a number of DCs? Ummm - yeah. I suppose 
so.

But, if it *IS* a domain 
member, then yes - it could likely authN off of the VM that it hosts - but 
obviously not at start up. Brings up a Schrödinger's cat quandary, now 
doesn't it?

Rick


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference 
-- just finished reading it.

Unfortunately, deploying the DC at HQ or simply 
authenticating over the WAN is not really an option. The WAN links are ok (and 
getting better) but are located in places where environmental (as in the 
weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC? The white paper does not really make this clear. Also, I am assuming that a 
host machine would be a domain member, right? Does it authenticate off the 
virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House 
when they talk about the "whole universe as we know it existing under the 
fingernail of some other giant being..." Whoa, dude!

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 13, 2005 12:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Other important factors in this scenario must be the 
  physical and logical security of the server housing the DC 
  role.
  
  1. Will the server be securely locked away in the 
  branches? If not, do not deploy a DC.
  2. Do you trust the file server admins to have physical 
  access to the server hosting the DC role?
  3. Who administers the server that hosts the file 
  and DC roles? Are they also trusted?
  
  When designing the branch office, I would always ask the 
  questions below, too:
  1. Is a local DC required? i.e. what are the drawbacks if 
  a DC is not deployed?
  2. Is logon/startup traffic over the WAN larger than 
  replication traffic over the WAN? If not, consider not deploying a local 
  DC.
  3. Does a local DC offer redundancy in the event of a WAN 
  failure? If other apps are accessed over the WAN, then consider deploying the 
  DC at a central location and not at the branch.
  
  hth,
  neil
  
  
  ___ Neil Ruston Global Technology Infrastructure Nomura International plc 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: 13 October 2005 01:12
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Here's a link to a Microsoft document that covers what 
  you need to do to run a production DC on Virtual Server 
  2005.
  
  http://tinyurl.com/5enjd
  
  Tony
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Thursday, 13 October 2005 11:30 a.m.
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Virtual Servers in Branch Offices
  
  Hi -
  
  Just to follow up 
  on the design thread. Since I am placing DCs in small branch offices is 
  there a value in using Virtual Server 2005 to create separate virtual boxes 
  (DC & file server) running on the same physical box? Some users have 
  administrative access to the file server, and I'd love to keep them off the 
  DCs. I am also curious about optimal physical and virtual drive configurations 
  for such a box.
  
  I reviewed the 
  thread here about Virtual Domain Controllers but it seemed to focus on using 
  them as backups. I am talking about production.
  
  Any thoughts most 
  welcome.
  
  -- 
  nme
  
  

  

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Darren Mar-Elia



Come on...we're software companies. The price is directly 
related to the number of days left in a particular quarter. 

It's called "vendor management" :-)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Was 
going to ask that myself. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 
312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Gentlemen,

"WHICH IS CHEAPER?"

LOL

RH

__



  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: Friday, October 14, 2005 1:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  Ok, now you've done 
  it Gil :-) I guess this is the geek version of "dueling banjos" 
  :-)
  
  shameless 
  plug2
  Quest's InTrust for 
  Active Directory provides detailed, real-time auditing and alerting of all 
  changes to AD and Group Policy Objects (GPOs), including changes to AD 
  configuration and GPO settings. It also provides all information behind 
  important changes, including who made the change and the before and after 
  values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/
  
  /shamelessplug2
  
  
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Friday, October 14, 2005 10:02 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  shameless 
  plug
  NetPro's 
  ChangeAuditor for AD does this without requiring auditing. The change log 
  includes what was changed, before and after values, when, where, and by 
  whom.
  See http://www.netpro.com/products/changemanager/
  /shameless 
  plug
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Thursday, October 13, 2005 11:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  
  
  I wonder if there is a way to know when a user has 
  been deleted from AD other than using security audit, because at the time of 
  the deletion, I forgot to activate the audit 
  :(
  
  
  
  So my boss urges me to find the guilty user AND the 
  time of deletion.
  
  I looked for attributes in adsi and found that there 
  is the whencreated, whenmodified attribute but not whendeletedtimestamp 
  one.
  
  
  
  Any idea ?
  
  
  


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Brian Desmond








When's the end of the Quest FY? 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Come on...we're software companies. The price is directly related to the
number of days left in a particular quarter. 

It's called "vendor management" :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Was going to ask that myself. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Gentlemen,

"WHICH IS CHEAPER?"

LOL

RH

__


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek version of "dueling
banjos" :-)

shameless plug2
Quest's InTrust for Active Directory provides detailed, real-time auditing and
alerting of all changes to AD and Group Policy Objects (GPOs), including
changes to AD configuration and GPO settings. It also provides all information
behind important changes, including who made the change and the before and
after values all without requiring native auditing.
http://wm.quest.com/products/InTrustAD/
/shamelessplug2


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

shameless plug
NetPro's ChangeAuditor for AD does this without requiring auditing. The change
log includes what was changed, before and after values, when, where, and by
whom.
See http://www.netpro.com/products/changemanager/
/shameless plug


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot
to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.

I looked for attributes in adsi and found that there is the
whencreated, whenmodified attribute but not whendeletedtimestamp one.

Any idea ?


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Almeida Pinto, Jorge de
Well 
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld
 
To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.<site name>._sites.dc._msdcs.domain.tld
 
If a computer does not know its site it uses the first and if it knows its site 
it will use the second.
 
I don't know if a linux client is site aware or can be made site aware (with 
the samba client?)
(and I don't know anything about linux/unix)
 
How is the linux client configured to search for a DC?
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915




RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Noah Eiger



Right, the Host does not _have_ to be a member of the 
domain. However, the white paper makes references to securing the directories 
that contain the vhd and the NTDS.DIT (in the DC-as-VS model) for domain admins, 
implying that it should be a member of the domain. And, as you said Rick, the 
Host could not authenticate at startup so must it use cached credentials? 
Hmmm.

  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 14, 2005 12:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  "Does placing the DC inside a virtual machine add any 
  security? Would it be harder for someone with physical access to compromise 
  the DC?"
  
  Hmmm 
  interesting. Yes, and no. Physical access is always an issue, but 
  the NTDS.DIT is not out there in the open on a disk as it might be in a 
  traditional DC. However, anyone with a VS *COULD* mount and start your 
  DC - so the same rules apply. Don't allow anyone you do not trust 
  physical access to your systems.
  
  As to domain member - 
  I don't recall VS requiring Domain Membership (more, because I just haven't 
  tried...). So, does this mean that a machine that is a work group system 
  could host a VS with a number of DCs? Ummm - yeah. I suppose 
  so.
  
  But, if it *IS* a 
  domain member, then yes - it could likely authN off of the VM that it hosts - 
  but obviously not at start up. Brings up a Schrödinger's cat quandary, 
  now doesn't it?
  
  Rick
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Friday, October 14, 2005 2:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Thanks for the thoughts. And thanks Tony for the 
  reference -- just finished reading it.
  
  Unfortunately, deploying the DC at HQ or simply 
  authenticating over the WAN is not really an option. The WAN links are ok (and 
  getting better) but are located in places where environmental (as in the 
  weather) conditions often cause short interruptions.
  
  Does placing the DC inside a virtual machine add any 
  security? Would it be harder for someone with physical access to compromise 
  the DC? The white paper does not really make this clear. Also, I am assuming 
  that a host machine would be a domain member, right? Does it authenticate off 
  the virtual DC? [1]
  
  Thanks again.
  
  -- nme
  
  [1] This sort of reminds me of the scene in Animal House 
  when they talk about the "whole universe as we know it existing under the 
  fingernail of some other giant being..." Whoa, dude!
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the 
physical and logical security of the server housing the DC 
role.

1. Will the server be securely locked away in the 
branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical 
access to the server hosting the DC role?
3. Who administers the server that hosts the file 
and DC roles? Are they also trusted?

When designing the branch office, I would always ask 
the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks 
if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than 
replication traffic over the WAN? If not, consider not deploying a local 
DC.
3. Does a local DC offer redundancy in the event of a 
WAN failure? If other apps are accessed over the WAN, then consider 
deploying the DC at a central location and not at the 
branch.

hth,
neil


___ Neil Ruston Global Technology Infrastructure Nomura International plc 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what 
you need to do to run a production DC on Virtual Server 
2005.

http://tinyurl.com/5enjd

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

Just to follow 
up on the design thread. Since I am placing DCs in small branch offices 
is there a value in using Virtual Server 2005 to create separate virtual 
boxes (DC & file server) running on the same physical box? Some users 
have administrative access to the file server, and I'd love to keep them off 
the DCs. I 

RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Rich Milburn








I'm curious, you said the WAN links can have interruptions so you wouldn't
want to authenticate over the WAN but if all you have in a branch is a DC,
what do you gain by having the DC locally if the link is down, unless you have
additional servers there too (i.e. Exchange, F/P). Assuming you don't turn off
cached credentials, the users could still log on even without a DC there. If
there are other servers there, you would want a DC because you couldn't auth
against them without seeing a DC. But users could still listen to CDs and
MP3s, play solitaire, and all the other things users like to do when
connectivity is down. :-) With Exchange in cached mode, you'd hedge somewhat
against needing local Exchange servers too. So the question is, will you have
resource servers out there. If so, and your links are unreliable to the point
of forcing your design, then you'd want a DC there. If not, then a DC will not
make a practical difference.

Rich 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn how to
do it. - Pablo Picasso


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference -- just finished
reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is
not really an option. The WAN links are ok (and getting better) but are
located in places where environmental (as in the weather) conditions often
cause short interruptions.

Does placing the DC inside a virtual machine add any security? Would it be
harder for someone with physical access to compromise the DC? The white paper
does not really make this clear. Also, I am assuming that a host machine would
be a domain member, right? Does it authenticate off the virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk about
the "whole universe as we know it existing under the fingernail of some other
giant being..." Whoa, dude!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical
security of the server housing the DC role.

1. Will the server be securely locked away in the branches? If not, do not
deploy a DC.
2. Do you trust the file server admins to have physical access to the server
hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they also
trusted?

When designing the branch office, I would always ask the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not
deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic over
the WAN? If not, consider not deploying a local DC.
3. Does a local DC offer redundancy in the event of a WAN failure? If other
apps are accessed over the WAN, then consider deploying the DC at a central
location and not at the branch.

hth,
neil

___
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what you need to do to run
a production DC on Virtual Server 2005.

http://tinyurl.com/5enjd

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

Just to follow up on the design thread. Since I am placing DCs in small branch
offices is there a value in using Virtual Server 2005 to create separate
virtual boxes (DC & file server) running on the same physical box? Some users
have administrative access to the file server, and I'd love to keep them off
the DCs. I am also curious about optimal physical and virtual drive
configurations for such a box.

I reviewed the thread here about Virtual Domain Controllers but it seemed to
focus on using them as backups. I am talking about production.

Any thoughts most welcome.

-- nme


Re: [ActiveDir] Adding users to local Admin group

2005-10-14 Thread Paul Williams



Doesn't matter. Computer policy is computer 
policy. You can also simply link the GPO to the domain and filter it based 
on another security group - one that simply holds the computer accounts in 
question.

Here's an article on what you want to 
do:
-- http://www.msresource.net/content/view/45/46/


Remember, this doesn't have to be the 
administrators group. That's just the main use of this. Any group 
can be used.

That article also discusses another way of doing 
this - by adding users to the group in question using NET USE (via Startup 
script).


--Paul


  - Original Message - 
  From: 
  Salandra, 
  Justin A. 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, October 13, 2005 6:05 
  PM
  Subject: RE: [ActiveDir] Adding users to 
  local Admin group
  
  
  I 
  am concerned about the local PC’s not the Servers
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Thursday, October 13, 2005 11:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Adding users to local Admin group
  
  One of 
  the processes we use for servers is to create a global security group in AD 
  that identifies accounts to be used for administering a particular computer, 
  say “ServerName_admins”. That group is then added to the local 
  “ServerName\administrators” group. 
  
  hth,
  Mike 
  Thommes
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jake Stabl
  Sent: Thursday, October 13, 2005 9:16 AM
  To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]; techcoords@listserv.osn.state.oh.us
  Subject: [ActiveDir] Adding users to local Admin group
  
  I am using Active Directory and I 
  need to know how to add certain people to the local admin group only on 
  certain computers. I know I can do this under restricted groups but that 
  makes those users local admin on all machines they log into. Specifically 
  I have a cisco class I need to give admin rights to but only on those 
  computers they use. Any one have a suggestion?
  -- 
  Jacob Stabl
  Network Engineer
  Plain Local School District
  http://www.plainlocal.org
  Office: 330.492.3500
  Cell: 330.704.1278
  IP Phone: 4466
  


Re: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Paul Williams
I believe the _msdcs sub domain is Microsoft/ Windows only.  Non-Windows 
clients will use _ldap._tcp.domain-name or 
_ldap._tcp.<site name>._sites.domain-name.
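As an added example (not code from the thread or from any of the posters), the Python below builds the SRV names Jorge and Paul give, then applies RFC 2782 priority/weight selection to a constructed answer set, so you can see which DCs a client that never asks the site-specific name can be handed. The domain `corp.example`, the site `Branch` and the DC host names are all made up.

```python
# Added example, not code from the thread: the DC-locator SRV names Jorge
# and Paul give, plus RFC 2782 priority/weight selection over a constructed
# answer set. Domain, site and host names below are all made up.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """SRV owner names from the thread: the Windows-only _msdcs forms and
    the plain forms Paul says non-Windows clients use."""
    names = {
        "domain_msdcs": f"_ldap._tcp.dc._msdcs.{domain}",
        "domain_plain": f"_ldap._tcp.{domain}",
    }
    if site:
        names["site_msdcs"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["site_plain"] = f"_ldap._tcp.{site}._sites.{domain}"
    return names


def candidates(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782: only records sharing the lowest priority value are tried first."""
    if not records:
        return []
    lowest = min(r.priority for r in records)
    return [r for r in records if r.priority == lowest]


def select_target(records: List[SrvRecord], rng=random) -> Optional[str]:
    """Weighted random pick within the lowest-priority group (RFC 2782).
    While any candidate has weight > 0, weight-0 candidates are never chosen."""
    group = candidates(records)
    if not group:
        return None
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group).target
    pick = rng.randint(0, total - 1)
    running = 0
    for r in group:
        running += r.weight
        if pick < running:
            return r.target
    return group[-1].target


# Constructed zone: two HQ DCs and one branch DC share the domain-wide name
# with equal priority and weight, so a domain-wide query is a three-way
# coin flip across sites; only the branch DC is registered under the site.
DOMAIN = "corp.example"
SITE = "Branch"
ZONE: Dict[str, List[SrvRecord]] = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"hq-dc1.{DOMAIN}"),
        SrvRecord(0, 100, 389, f"hq-dc2.{DOMAIN}"),
        SrvRecord(0, 100, 389, f"branch-dc1.{DOMAIN}"),
    ],
    f"_ldap._tcp.{SITE}._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"branch-dc1.{DOMAIN}"),
    ],
}


def locate_dc(zone, domain, site=None, rng=random) -> Optional[str]:
    """Jorge's order: the site-specific name when the client knows its site,
    otherwise the domain-wide name."""
    names = dc_srv_names(domain, site)
    key = "site_msdcs" if site else "domain_msdcs"
    return select_target(zone.get(names[key], []), rng)


def off_site_targets(zone, domain, site) -> List[str]:
    """DCs a client that skips the site query can be sent to but which are
    not registered for its site: the remote-site behaviour the thread is about."""
    names = dc_srv_names(domain, site)
    domain_wide = {r.target for r in zone.get(names["domain_msdcs"], [])}
    in_site = {r.target for r in zone.get(names["site_msdcs"], [])}
    return sorted(domain_wide - in_site)


if __name__ == "__main__":
    print("site-aware  :", locate_dc(ZONE, DOMAIN, SITE))
    print("domain-wide :", locate_dc(ZONE, DOMAIN, rng=random.Random(7)))
    print("off-site DCs:", off_site_targets(ZONE, DOMAIN, SITE))
```

Checking `off_site_targets` against your real zone (with a resolver in place of `ZONE`) tells you which DCs a non-site-aware client can legitimately end up on before you go looking for a fault in the client configuration.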



- Original Message - 
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Sent: Friday, October 14, 2005 8:50 PM
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem



Well
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld

To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.<site name>._sites.dc._msdcs.domain.tld

If a computer does not know its site it uses the first and if it knows its 
site it will use the second.


I don't know if a linux client is site aware or can be made site aware 
(with the samba client?)

(and I don't know anything about linux/unix)

How is the linux client configured to search for a DC?

Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915




Re: [ActiveDir] Kix to VBS

2005-10-14 Thread Kamlesh Parmar
use regread for keyexist and readvalue functions of shell object
regwrite for addkey & writevalue functions

while, _vbscript_ will exit with error if regread couldn't find the key,
you can use  on error resume next before validating the key existence, to continue the script execution.

reference:
http://msdn.microsoft.com/library/default.asp?url="">
On 10/14/05, Harding, Devon [EMAIL PROTECTED] wrote:

















I'm having a tough time converting this kix script to .vbs. Any Ideas?

; This change will fix an IXOS problem where the default paper size is A4
; instead of Letter
If KeyExist("HKCU\Software\IXOS\IXOS_ARCHIVE") = 1
 ; Create the FAX key if it is not there yet
 If KeyExist("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX") = 0
  AddKey("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX")
 EndIf
 ; Force PaperSize to 1 (Letter) unless it already is
 If ReadValue("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX","PaperSize") <> 1
  WriteValue("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX","PaperSize",1,"reg_dword")
 EndIf
EndIf

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469





-- ~~~Fortune and Love befriend the bold~~~


RE: [ActiveDir] Kix to VBS

2005-10-14 Thread Almeida Pinto, Jorge de
Hi,
 
Try the following:
 
Cheers,
jorge
 
'http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/enumvalues_method_in_class_stdregprov.asp
 
###
Const HKCU = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Does HKCU\Software\IXOS\IXOS_ARCHIVE exist? If Software\IXOS itself is
' missing, arrSubKeys stays Null and For Each would fail, hence On Error.
sPath = "Software\IXOS"
On Error Resume Next
sKeyExist = False
oReg.EnumKey HKCU, sPath, arrSubKeys
For Each sSubKey In arrSubKeys
 If UCase(sSubKey) = "IXOS_ARCHIVE" Then
  sKeyExist = True
  Exit For
 End If
Next
Set sSubKey = Nothing
Set arrSubKeys = Nothing
If sKeyExist = True Then
 ' Does the ...\Viewer\Printing\FAX subkey exist?
 sPath = "Software\IXOS\IXOS_ARCHIVE\Viewer\Printing"
 On Error Resume Next
 oReg.EnumKey HKCU, sPath, arrSubKeys
 sKeyExist = False
 For Each sSubKey In arrSubKeys
  If UCase(sSubKey) = "FAX" Then
   sKeyExist = True
   Exit For
  End If
 Next
 Set sSubKey = Nothing
 Set arrSubKeys = Nothing
 If sKeyExist = False Then
  ' No FAX key: create it and set PaperSize = 1 (Letter)
  oReg.CreateKey HKCU, sPath & "\FAX"
  oReg.SetDWORDValue HKCU, sPath & "\FAX", "PaperSize", 1
 Else
  ' FAX exists: enumerate the values of FAX itself (not of the parent
  ' Printing key) to see whether PaperSize is already present
  On Error Resume Next
  oReg.EnumValue HKCU, sPath & "\FAX", arrValueNames, arrValueTypes
  sValueExist = False
  For Each sValue In arrValueNames
   If sValue = "PaperSize" Then
    sValueExist = True
    Exit For
   End If
  Next
  Set sValue = Nothing
  Set arrValueNames = Nothing
  Set arrValueTypes = Nothing
 
  If sValueExist = True Then
   ' Only rewrite the value when it is not already 1
   oReg.GetDWORDValue HKCU, sPath & "\FAX", "PaperSize", MYValueData
   If MYValueData <> 1 Then
    oReg.SetDWORDValue HKCU, sPath & "\FAX", "PaperSize", 1
   End If
  Else
   oReg.SetDWORDValue HKCU, sPath & "\FAX", "PaperSize", 1
  End If
 End If
End If
###



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 10/14/2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kix to VBS



I'm having a tough time converting this kix script to .vbs.  Any Ideas?

 

; This change will fix an IXOS problem where the default paper size is A4 instead of Letter

If KeyExist("HKCU\Software\IXOS\IXOS_ARCHIVE") = 1
 If KeyExist("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX") = 0
  AddKey("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX")
 EndIf
 If ReadValue("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX", "PaperSize") <> 1
  WriteValue("HKCU\Software\IXOS\IXOS_ARCHIVE\Viewer\Printing\FAX", "PaperSize", 1, "REG_DWORD")
 EndIf
EndIf

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
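A more explicit way to do the same key and value checks, added here as an example and not taken from Jorge's post, Devon's Kix script or the IXOS product: every StdRegProv method returns 0 on success and a Win32 error code otherwise, so the script can test that return value instead of relying on On Error Resume Next, which would also hide access-denied and WMI failures. The registry paths and the value 1 come from the Kix script on this page; the helper names, the echoed messages and the exit-on-failure behaviour are my additions.

```vbscript
' Added example (not from the list post): the Kix fix rewritten around
' StdRegProv return codes rather than On Error Resume Next.
Option Explicit

Const HKEY_CURRENT_USER = &H80000001
Const ERROR_SUCCESS = 0

Dim oReg, sBase, sFax, sValueName, lValue, lRc
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

sBase      = "Software\IXOS\IXOS_ARCHIVE"          ' paths from Devon's Kix script
sFax       = sBase & "\Viewer\Printing\FAX"
sValueName = "PaperSize"

' EnumKey returns 0 when the key exists and can be opened, otherwise a Win32
' error code (2 = ERROR_FILE_NOT_FOUND, 5 = ERROR_ACCESS_DENIED). Testing the
' return code keeps "missing" and "no permission" distinguishable, which
' On Error Resume Next would blur together.
Function KeyExists(hKey, sPath)
    Dim arrSubKeys
    KeyExists = (oReg.EnumKey(hKey, sPath, arrSubKeys) = ERROR_SUCCESS)
End Function

' Abort with the Win32 code if a registry write failed; otherwise do nothing.
Sub CheckRc(lCode, sWhat)
    If lCode <> ERROR_SUCCESS Then
        WScript.Echo sWhat & " failed, rc=" & lCode
        WScript.Quit lCode
    End If
End Sub

' Outer If of the Kix script: only act if IXOS is installed for this user.
If KeyExists(HKEY_CURRENT_USER, sBase) Then
    ' KeyExist(...\FAX) = 0  ->  AddKey(...\FAX)
    If Not KeyExists(HKEY_CURRENT_USER, sFax) Then
        CheckRc oReg.CreateKey(HKEY_CURRENT_USER, sFax), "CreateKey " & sFax
    End If

    ' ReadValue(...,PaperSize) <> 1  ->  WriteValue(...,PaperSize,1,REG_DWORD)
    ' GetDWORDValue returns non-zero if the value is absent, so one call covers
    ' both "missing" and "wrong value". VBScript does not short-circuit, but
    ' lValue is simply Empty on failure, so the second comparison is safe.
    lRc = oReg.GetDWORDValue(HKEY_CURRENT_USER, sFax, sValueName, lValue)
    If lRc <> ERROR_SUCCESS Or lValue <> 1 Then
        CheckRc oReg.SetDWORDValue(HKEY_CURRENT_USER, sFax, sValueName, 1), "SetDWORDValue " & sValueName
        WScript.Echo "Set HKCU\" & sFax & "\" & sValueName & " = 1 (Letter)"
    Else
        WScript.Echo "HKCU\" & sFax & "\" & sValueName & " already 1, nothing to do"
    End If
End If
```

Run it with cscript so the echoed lines go to the console; because it only touches HKCU it needs no elevation, and a non-zero exit code from a failed write is visible to whatever logon-script framework launches it.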


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Al Mulnick
LDAP is not authentication [1]

If you hardcoded the ldap server, is there a referral going on?  When you
say hardcoded, was it by ip address or ??

How did you notice that these *nix machines are talking to a DC in a remote
location? 


[1] there, I said it.  I got that off my chest :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, October 14, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem



Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even thought I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site. Has
anyone experienced this issue?

Kind Regards,
 
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915 








RE: [ActiveDir] LegalNoticeText maximum value

2005-10-14 Thread joe
Sounds like something you could find on www.shutuplaura.com

BTW, it is annoying that I have to get an account to leave a comment. I
don't need any more accounts. 

So congrats on signing up for the run, you will make Penn State proud!

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, October 13, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegalNoticeText maximum value

Forgive me if this is an obvious thing and my Google-fu is just failing me,
but can someone remind me of the maximum string length on this when running
2003?  I'm finding conflicting references between
255 and 512 characters.

Thanks all.

- Laura

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking


RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread joe

The host would reach across the WAN and auth assuming the 
WAN was available at the time. Once the VS for the DC was up and running, the 
host could use that local DC. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Right, the Host does not _have_ to be a member of the 
domain. However, the white paper makes references to securing the directories 
that contain the vhd and the NTDS.DIT (in the DC-as-VS model) for domain admins, 
implying that it should be a member of the domain. And, as you said Rick, the 
Host could not authenticate at startup so must it use cached credentials? 
Hmmm.

  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 14, 2005 12:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  "Does placing the DC inside a virtual machine add any 
  security? Would it be harder for someone with physical access to compromise 
  the DC?"
  
  Hmmm 
  interesting. Yes, and no. Physical access is always an issue, but 
  the NTDS.DIT is not out there in the open on a disk as it might be in a 
  traditional DC. However, anyone with a VS *COULD* mount and start your 
  DC - so the same rules apply. Don't allow anyone you do not trust 
  physical access to your systems.
  
  As to domain member - 
  I don't recall VS requiring Domain Membership (more, because I just haven't 
  tried...). So, does this mean that a machine that is a work group system 
  could host a VS with a number of DCs? Ummm - yeah. I suppose 
  so.
  
  But, if it *IS* a 
  domain member, then yes - it could likely authN off of the VM that it hosts - 
  but obviously not at start up. Brings up a Schrödinger's cat quandary, 
  now doesn't it?
  
  Rick
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Friday, October 14, 2005 2:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Thanks for the thoughts. And thanks Tony for the 
  reference -- just finished reading it.
  
  Unfortunately, deploying the DC at HQ or simply 
  authenticating over the WAN is not really an option. The WAN links are ok (and 
  getting better) but are located in places where environmental (as in the 
  weather) conditions often cause short interruptions.
  
  Does placing the DC inside a virtual machine add any 
  security? Would it be harder for someone with physical access to compromise 
  the DC? The white paper does not really make this clear. Also, I am assuming 
  that a host machine would be a domain member, right? Does it authenticate off 
  the virtual DC? [1]
  
  Thanks again.
  
  -- nme
  
  [1] This sort of reminds me of the scene in Animal House 
  when they talk about the "whole universe as we know it existing under the 
  fingernail of some other giant being..." Whoa, dude!
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the 
physical and logical security of the server housing the DC 
role.

1. Will the server be securely locked away in the 
branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical 
access to the server hosting the DC role?
3. Who administers the server that hosts the file 
and DC roles? Are they also trusted?

When designing the branch office, I would always ask 
the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks 
if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than 
replication traffic over the WAN? If not, consider not deploying a local 
DC.
3. Does a local DC offer redundancy in the event of a 
WAN failure? If other apps are accessed over the WAN, then consider 
deploying the DC at a central location and not at the 
branch.

hth,
neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what 
you need to do to run a production DC on Virtual Server 
2005.

http://tinyurl.com/5enjd

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch

Re: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Phil Renouf
I don't think running a DC inside a virtual machine would give any added security; if someone could log onto the server running the VMs then it is just as bad as being able to have physical access to a normal DC since they can control starting and stopping the VMs. As Rick mentioned they could also copy the VHD to another machine and work on it at their leisure, so it might actually give you a little less security than just running a normal DC secured from physical access.


Phil
On 10/14/05, Rick Kingslan [EMAIL PROTECTED] wrote:

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC?


Hmmm interesting. Yes, and no. Physical access is always an issue, but the NTDS.DIT is not out there in the open on a disk as it might be in a traditional DC. However, anyone with a VS *COULD* mount and start your DC - so the same rules apply. Don't allow anyone you do not trust physical access to your systems.


As to domain member - I don't recall VS requiring Domain Membership (more, because I just haven't tried...). So, does this mean that a machine that is a work group system could host a VS with a number of DCs? Ummm - yeah. I suppose so.


But, if it *IS* a domain member, then yes - it could likely authN off of the VM that it hosts - but obviously not at start up. Brings up a Schrödinger's cat quandary, now doesn't it?


Rick


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.


Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]


Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk about the whole universe as we know it existing under the fingernail of some other giant being... Whoa, dude!




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical security of the server housing the DC role.

1. Will the server be securely locked away in the branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical access to the server hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they also trusted?

When designing the branch office, I would always ask the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.

3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.


hth,
neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005.

http://tinyurl.com/5enjd

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

Just to follow up on the design thread. Since I am placing DCs in small branch offices, is there a value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.


I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.

Any thoughts most welcome.

-- nme



RE: [ActiveDir] salary(OT)

2005-10-14 Thread joe
Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe, "Active Directory Third Edition"
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


> Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony
occasionally posting the lurker list, I am curious as to how many people I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan


RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Noah Eiger

The assumption for us is that there is also a file and 
print server there. 

The solitaire thing is a whole angle I did not consider. Is 
a DC required for solitaire? What about a virtual MP3 player running in cached 
mode? Ok. I'm clearly ready for the weekend ;-) Thanks for all the thoughts, 
folks. I will churn this over in my little brain and spend some quality time 
curled up with a few good white papers.

Have a great weekend.

-- nme

  
  
  From: Rich Milburn [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 14, 2005 12:59 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  
  I'm curious, you said the WAN links can have interruptions so you wouldn't 
  want to authenticate over the WAN but if all you have in a branch is a DC, 
  what do you gain by having the DC locally if the link is down, unless you 
  have additional servers there too (i.e. Exchange, F/P). Assuming you don't 
  turn off cached credentials, the users could still log on even without a DC 
  there. If there are other servers there, you would want a DC because you 
  couldn't auth against them without seeing a DC. But users could still 
  listen to CDs and MP3s, play solitaire, and all the other things users like 
  to do when connectivity is down. :-) With Exchange in cached mode, you'd 
  hedge somewhat against needing local Exchange servers too. So the question 
  is, will you have resource servers out there. If so, and your links are 
  unreliable to the point of forcing your design, then you'd want a DC there. 
  If not, then a DC will not make a practical difference.
  
  Rich 
  
  
  
  ---
  Rich Milburn
  MCSE, Microsoft MVP - Directory Services
  Sr Network Analyst, Field Platform Development
  Applebee's International, Inc.
  4551 W. 107th St
  Overland Park, KS 66207
  913-967-2819
  --
  "I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Friday, October 14, 2005 2:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Thanks for the 
  thoughts. And thanks Tony for the reference -- just finished reading 
  it.
  
  Unfortunately, 
  deploying the DC at HQ or simply authenticating over the WAN is not really an 
  option. The WAN links are ok (and getting better) but are located in places 
  where environmental (as in the weather) conditions often cause short 
  interruptions.
  
  Does placing the DC 
  inside a virtual machine add any security? Would it be harder for someone with 
  physcial access to compromise the DC? The white paper does not really make 
  this clear. Also, I am assuming that a host machine would be a domain member, 
  right? Does it authenticate off the virtual DC? 
  [1]
  
  Thanks 
  again.
  
  -- 
  nme
  
  [1] This sort of 
  reminds me of the scene in Animal House when they talk about the "whole 
  universe as we know it existing under the fingernail of some other giant 
  being..." Whoa, dude!
  




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important 
factors in this scenario must be the physical and logical security of the 
server housing the DC role.

1. Will the server 
be securely locked away in the branches? If not, do not deploy a 
DC.
2. Do you trust the 
file server admins to have physical access to the server hosting the DC 
role?
3. Who administers 
theserver that hosts the file and DC roles? Are they also 
trusted?

When designing the 
branch office, I would always ask the questions below, 
too:
1. Is a local DC 
required? i.e. what are the drawbacks if a DC is not 
deployed?
2. Is logon/startup 
traffic over the WAN larger than replication traffic over the WAN? If not, 
consider not deploying a local DC.
3. Does a local DC 
offer redundancy in the event of a WAN failure? If other apps are accessed 
over the WAN, then consider deploying the DC at a central location and not 
at the branch.

hth,
neil


___
Neil Ruston
Global Technology Infrastructure
Nomura International plc




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a 
Microsoft document that covers what you need to do to run a production DC on 
Virtual Server 2005.
  

RE: [ActiveDir] salary(OT)

2005-10-14 Thread joe
I would have to concur with most if not all of this. I don't much mind the
OT posts as long as the subject is prefixed with a [OT] so it can be easily
filtered out when sorting by subject or even if you use outlook to colorize
the messages or folderize them or something else. Even the OT posts often
seem to be a source of great learning.

I have to say that I particularly agree with the google piece. Google is your
friend, maybe at some point MSN Search will also be your friend as well even
though you can use the name as a verb. In addition, no one is automatically
a great let alone good troubleshooter. It is one of those things where you
watch others solve issues in front of you or you work hard trying to noodle
through the problem. You look at perf counters you look at network traces
and you figure it out. Something weird going on, do a netmon of it working
and of it not working, what is the difference? You don't necessarily have to
be a network tracing expert to do that. I started out that way and slowly
grew to being able to generally get a feel for what is going on in a trace.
No one sat me down and said this is how you do it, here are some pointers,
etc. I had the one Enterprise NT4 course which mostly just burned your brain
out versus teaching anything useful. I learned two things when I came out of
that course, I learned I hated network traces and I learned that if you hear
a word enough times in a one hour period that word will cease to connect to
anything in your mind. I got to the point where I could hear the word
"trust" and I honestly couldn't associate it with anything. It was like I
had never heard the word in my entire life.

So anyway, run into an issue, keep bumping into it and try to work through
it. Google it, try to teach yourself as much about it as possible. You can
certainly ask and if the answer is quickly returned, there is a good chance
you won't learn nor recall it. 

I also agree with Susan that the best way to learn the material is to teach
it. I used to tutor folks at Michigan State forever ago and besides getting
lots of good dates, I found I learned Calculus, Physics, and the various C
and ASM coursework much better because I had to explain it to someone in a
way that made sense to them. By the time I had tutored my third Calc student
I had done a couple of things, first I had learned Calc far better than I
had ever learned in class all the way up to Calc IV and I had gotten a
reputation of only tutoring really smart girls. ;o)

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, October 14, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I think there are a few types of questions one can ask in list such as
this... 
1) questions where you have searched for an hour and nothing seems relevant,
or there is so much info that it would take days to sort through
2) questions where the sh_t is down hard and what the heck is THIS and you
did a cursory search that either turned up nothing useful or info you don't
understand how to apply
3) questions where your lack of experience in an area means you just plain
don't know how to search or where to start, but if someone would point you
in the right direction you'd be happy to do your own research

 With the above types, I don't think anyone minds those, everyone has been
there - and the more _relevant_ details that are provided, the better.

4) questions that can be pasted into a search engine, click "I Feel Lucky",
and paste the text from the first hit back as a response
5) questions with a subject line that reads, "PLEASE HELP" and a message
that says, "what's the syntax for ntdsutil?"
6) questions that are so off-topic, detailed, and irrelevant to most of the
list audience's experience as to make people ask, did I switch to the SQL
(or Exchange or C#) list somehow?

 These are some of the questions that do become a drain.  As long as the
questions show you tried to find out yourself, are relevant, and if possible
the answers should be relevant to the community, then no one minds
questions.  That's what the list is for (IMHO).  

Another thing - when you (referring to no one in particular) ask questions
that can be easily researched, you deny yourself two valuable aspects of
learning - you learn more when you research it yourself, and you often find
related but additional interesting information that helps your overall
understanding.  There are times I've thought to post a question and decided
to look a bit further, and found answers to lots of other things as well
that I didn't realize were out there.

In IT I firmly believe it's not what you know, but how good you are at
research and troubleshooting, that sets you apart.  But that's just my
opinion.

Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reason _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread joe
Rick Rick Rick...

Over-bearing yes.
Know-it-all no. More of a know-some-of-it-all.

Yeah I am hoping for more than 2000 copies as well. Actually I think
O'Reilly expects the book to do spectacularly well, even after I told them I
had a relatively small family and many of them can't read anyway and if they
could it certainly wouldn't be something I wrote because they don't want to
listen to me in person! Anyway, they think it will sell well and I think are
putting it on heavy rotation this holiday season which is one of the reasons
we had timeline ummm debates. In the end I had the book in their hands a
full week before my last date I agreed to and like 4 or so weeks prior to
when I originally signed but expected to exceed. Needless to say, I didn't
get much else done this summer including tiling my kitchen which is going on
right now. 


And finally, on the deodorant crack. I don't know how to respond but have
this to say: In about 3 or 4 days I need you to go outside when the moon
is fullest and brightest and look up at it and look for Tycho like a giant
blinking eye along the bottom portion of the full rounded moon and make a
big smooching sound in that direction and think about me. :o)





 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

 Tony Murray Said:  
 Joe, I've had no complaints about you to date.

Good.  I'll start.  Here's your first.

He's an over-bearing know-it-all looking for his first and second million.
Plus, he uses more bandwidth than everyone combined.

If someone asks, he - Could I stand a second domain controller up for
redundant purposes?

Can joe just say, Yes.  Nope - never.  You're going to get 15 pages
minimum of OK - here's what *I'd* do. 

However, all that being said - we love joe and would never want him to
change.  Well, except for his clothes on occasion.  And, dude - you need
some of that Power Stripe deodorant. Seriously.

And, I'm sorry to hear that a book that isn't even available YET is only
going to sell 2000 copies.  How in the heck did you and Robbie get O'Reilly
to agree to do a 3rd edition?  Surely you jest when referencing that
number  Oh, and I can't even find it referenced on O'Reilly's site yet.
How about some pre-print advertising?  You think THAT might boost your
numbers?

Love ya buddy!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony
occasionally posting the lurker list, I am curious as to how many people I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread joe
Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that. He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bang-up job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want 

Re: [ActiveDir] salary(OT)

2005-10-14 Thread Phil Renouf
On 10/14/05, joe [EMAIL PROTECTED] wrote:
I had done a couple of things, first I had learned Calc far better than I had
ever learned in class all the way up to Calc IV and I had gotten a
reputation of only tutoring really smart girls. ;o)

You're even smarter than I thought ;)

Phil


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread joe
This assumes that the client knows how to retrieve SRV records though.

The first thing I would say to do in troubleshooting this is to do drum roll
please. Network trace, yeah you knew I was going to pull that one didn't
you?

Another thing to do would be to use proper authentication with Kerberos.
Vintela and Centrify have products to help this be much less painless than
it can be.

   Joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, October 14, 2005 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

Well 
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld
 
To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.site name._sites.dc._msdcs.domain.tld
 
If a computer does not know its site it uses the first and if it knows its
site it will use the second.
 
I don't know if a linux client is site aware or can be made site aware (with
the samba client?) (and I don't know anything about linux/unix)
 
How is the linux client configured to search for a DC?
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915



*
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
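The two locator names Jorge spells out above, plus the RFC 2782 ordering a client applies to whatever SRV answer it receives, as an added example (this is not code from the thread or from any Microsoft tool). The domain, site and DC names are placeholders and the SRV answers are constructed; what the simulation shows is Jorge's point in numbers: a client that cannot ask the `_sites` name sees every DC in the domain at equal weight, so it will regularly land on a remote one.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain, site=None):
    """SRV names a DC locator asks for, most specific first.

    A site-aware client asks the _sites name and falls back to the domain-wide
    name; a client that does not know its site only asks the domain-wide name,
    so every DC in the domain is a candidate for it.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, rng=random):
    """Order SRV answers the RFC 2782 way: lowest priority first, then a
    weighted random draw inside each priority (weight-0 entries sit at the
    front of the pool, so they win only when the roll is 0)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            roll = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for candidate in pool:
                running += candidate.weight
                if running >= roll:
                    pick = candidate
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def first_choice_share(records, trials, seed=1):
    """Fraction of trials in which each target was returned first, i.e. which
    DC a client working from this answer would usually contact."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_srv(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return {target: n / trials for target, n in counts.items()}


# Constructed answers (placeholder names): two DCs in the local site and one
# in a remote site, all registered with the default priority 0 / weight 100.
SITE_ANSWER = [
    SrvRecord(0, 100, 389, "dc1.hq.example.com."),
    SrvRecord(0, 100, 389, "dc2.hq.example.com."),
]
DOMAIN_ANSWER = SITE_ANSWER + [SrvRecord(0, 100, 389, "dc3.branch.example.com.")]

if __name__ == "__main__":
    print(dc_srv_names("example.com", site="HQ"))
    print(first_choice_share(SITE_ANSWER, 3000))    # only local DCs
    print(first_choice_share(DOMAIN_ANSWER, 3000))  # remote DC about 1/3 of the time
```

Pointing a client's configuration at one DC's address does not change this: if the LDAP/Kerberos client library still resolves the domain-wide SRV name on its own, the answer above is what it works from, which is the first thing to check with the network trace joe asks for.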


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread joe



Adfind saved your job?

Hmmm that sounds like it is worth 25% of your salary for the 
next year. ;o)



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, October 14, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Freddy,

The information you gave rocks! 
I did not think of using the Last modified date attribute and querying it
with joe's magic tool:
- "adfind -default -showdel -f isdeleted=TRUE"
It saves my job! :)

The security audit is now configured and on.

Thanks for your help.

Yann

Freddy HARTONO [EMAIL PROTECTED] wrote:

  
  Hi Yann,
  
  You can find at the deletedobject folder via adfind 
  -showdel and see the Last modified date - that would be when the object is 
  deleted.
  But as for who deleted - I don't think you can find it 
  without the auditing.
  
  Thank you and have a splendid day! 
  Kind Regards, 
  Freddy Hartono
  Group Support Engineer
  InternationalSOS Pte Ltd
  mail: [EMAIL PROTECTED]
  phone: (+65) 6330-9740 - temp
  
  
  
  From: Yann [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 14, 2005 2:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  I wonder if there is a way to know when a user has been deleted from AD 
  other than using security audit, because at the time of the deletion, I forgot 
  to activate the audit :(
  
  So my boss urges me to find the guilty user AND the time of deletion.
  I looked for attributes in adsi and found that there is the whencreated, 
  whenmodified attribute but not whendeletedtimestamp one.
  
  Any idea ?
  
  
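Freddy's tip (the tombstone's last-modified time is the deletion time; the "who" only exists if auditing was on) worked through as an added example. This is not code from the thread or from adfind: it parses a constructed listing written in the style of `adfind -showdel` output (`dn:` line, then `>attribute: value` lines) and a constructed Security log export, then tries to pair each tombstone with an account-deletion event. Event IDs 630 (Windows 2000/2003 "User Account Deleted") and 4726 (Windows Server 2008 and later) are the real deletion events; every name, GUID and timestamp below is made up.

```python
from datetime import datetime, timedelta, timezone

# Account-deletion events: 630 on Windows 2000/2003, 4726 on 2008 and later.
DELETE_EVENT_IDS = {630, 4726}

# Constructed listing in the style of "adfind -default -showdel -f isdeleted=TRUE".
# The "\0ADEL:<guid>" suffix is how a tombstoned object's RDN is displayed.
ADFIND_OUTPUT = """\
dn:CN=jsmith\\0ADEL:7d1c9c8e-0000-4000-8000-000000000001,CN=Deleted Objects,DC=example,DC=com
>isDeleted: TRUE
>whenChanged: 20051013221508.0Z
>lastKnownParent: OU=Staff,DC=example,DC=com

dn:CN=svc-backup\\0ADEL:7d1c9c8e-0000-4000-8000-000000000002,CN=Deleted Objects,DC=example,DC=com
>isDeleted: TRUE
>whenChanged: 20051010081200.0Z
>lastKnownParent: OU=Service,DC=example,DC=com
"""

# Constructed Security log export: UTC time, event id, target account, subject.
# Auditing was switched on only on 13 October, so the 10 October deletion
# left no event at all.
AUDIT_EXPORT = """\
2005-10-13T22:14:51Z,630,jsmith,EXAMPLE\\hr.admin
2005-10-13T22:30:02Z,642,jdoe,EXAMPLE\\helpdesk
"""


def parse_tombstones(text):
    """Return [(original_rdn, last_known_parent, when_changed)] per tombstone.

    Deleting an object renames it under Deleted Objects and stamps
    isDeleted=TRUE; that write is the tombstone's last change, so its
    whenChanged is the deletion time.
    """
    out = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.startswith(">"):
                key, _, value = line[1:].partition(":")
                attrs[key.strip().lower()] = value.strip()
        if dn is None or attrs.get("isdeleted") != "TRUE":
            continue
        original = dn.split(",")[0].split("\\0ADEL:")[0]
        when = datetime.strptime(attrs["whenchanged"], "%Y%m%d%H%M%S.0Z")
        out.append((original, attrs.get("lastknownparent"),
                    when.replace(tzinfo=timezone.utc)))
    return out


def parse_audit(text):
    """Return [(timestamp, event_id, target_account, subject)] rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, event_id, target, subject = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, int(event_id), target, subject))
    return rows


def who_deleted(tombstone, audit_rows, window=timedelta(minutes=5)):
    """Subject of the first deletion event for the tombstone's original name
    within `window` of whenChanged, or None when auditing has no record."""
    original, _, when = tombstone
    name = original.split("=", 1)[1]
    for ts, event_id, target, subject in audit_rows:
        if (event_id in DELETE_EVENT_IDS and target.lower() == name.lower()
                and abs(ts - when) <= window):
            return subject
    return None


if __name__ == "__main__":
    audit = parse_audit(AUDIT_EXPORT)
    for tomb in parse_tombstones(ADFIND_OUTPUT):
        print(tomb[0], "deleted at", tomb[2].isoformat(),
              "from", tomb[1], "by", who_deleted(tomb, audit))
```

The time window matters because whenChanged is the originating DC's clock and the audit event is written by whichever DC served the delete; keep it to a few minutes rather than matching on name alone, or an unrelated re-creation and deletion of the same name will be paired with the wrong event.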


Re: [ActiveDir] salary(OT)

2005-10-14 Thread Laura E. Hunter
joe is too kind...he's glossing over the bit where he kept saying If
that [EMAIL PROTECTED] Laura makes -one- -more- [EMAIL PROTECTED] grammar 
fix  :-)

(And joe, if you do Theory of Computation, you may become my best
friend during my next grad class.  I fully expect to hire a tutor and
just have the person move into my house for 16 weeks.  :o))

On 10/14/05, joe [EMAIL PROTECTED] wrote:
 Hey I needed to maintain a certain quality

 Did you send something to Robbie to say you wanted to review it? In the end
 we were begging for reviewers, I even took Dean as a reviewer and you know
 the edge I had to be on for that. He kept wanting to spell words wrong.
 Eventually I just took out all references to the words color, humor, and
 other or words.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Friday, October 14, 2005 7:31 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 joe said: Again, the reviewers did a fantastic job.

 Of which, you will all notice when the book comes out, I am _NOT_ one of
 those reviewers.

 joe said: They kept me honest

 Which is one of the reasons _WHY_ I was not one of those reviewers

 Rick

 P.S.  Hey, joe  :op

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 6:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 Not out yet, I am expecting Mid November or Early December. I sent an email
 to see if I can find out.

 The book is NOT written in my voice, I tried as best as possible to maintain
 the voice that was there. I simply revised it though I did add a Chapter on
 ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
 first or second edition I think you will find this edition worthy of picking
 up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
 out and changing anything I didn't feel was right. Also the reviewers all
 did a bang-up job finding things I missed. I admit I didn't sleep much in
 August or September. Tony may have noticed a lull in the list volume, me
 working on that book saved at least 2 bazillion helpless bits from being
 sacrificed.

 I learned that revising a book may actually be harder than writing a book
 from scratch and you get paid less. Well maybe it is depending on if you
 know what you want to write about. With revising you can't just write, you
 have to read, reread, write, reread, write, reread, tweak, reread. When you
 change the flow and feel and voice it is like hitting a brick wall when
 reading. I am sure I didn't get rid of all of the bricks but I certainly
 tried to knock the walls down to a point where you can step over them
 without too much trouble. Anyway, I spent less time writing the ADAM chapter
 than I spent updating the security chapter. I know now that I probably
 should have just rewritten from scratch and it would have gone faster. Oh
 well, live and learn or don't live long.

 Again, the reviewers did a fantastic job. They kept me honest when I tried
 to skip over some stuff when I got tired and I thank them profusely. I tried
 to do them justice in the small space provided to me for acknowledgements.
 Those are the things people tend not to look at at the front of the book. I
 do ask that if you pick up the book, you do look. Those, folks, deserve,
 the: attention.


  joe





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
 Sent: Friday, October 14, 2005 12:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 joe,  Active Directory Third Edition
 What is this?  Where is it?

 RH
 _

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 11:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)


 I would not be surprised. I know this list has become quite popular and for
 good reason. It is one of the few places where I learn things that I don't
 stumble over myself. Many times I learn things when people make random
 comments about their environment which kicks a realization in myself on how
 something probably works in the backend. It is pretty cool.

 On the downside sounds like my total sales on Active Directory Third Edition
 will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
 ready cruiser. ;o)

 Understood on posting the lurker list. On top of the spammers, I am sure
 some lurkers would not be happy to be out-ed like that. I don't have an
 issue with lurkers myself. In fact I would love to hear we have some 25000
 lurkers, it means a lot of people are getting a lot of good info.


  Everyone has to send me 25% of their income. It's only fair really.

 Does the postal service even deliver to NZ?


   joe

 P.S. So now I 

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread joe
Can you do some sort of backlink type of magic where you use some smaller
sized value to represent the real value via indirection or something? 

I expect most companies would be willing to take the hit on DIT size to get
this kind of capability. ESE can handle it right?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Ignoring the 16 bytes at the beginning of the metadata for version and attr
count info, and garbage wasted space ... the metadata for a single attribute
is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
_raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for a
trivial implementation against this particular corporate DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will realize
that is a data structure that is over ripe (like bananas you wouldn't even
use for a banana cake) for being compressed.  I think I could add a SID,
(custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because if you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, effectively a
random hash.  The SID is more likely to compress properly.

[1] I expect that corporate DITs vary what % is meta-data by how many certs
and big blobs they stick in their AD.  I imagine most corporate DITs are
worse (as in higher % is metadata) than the one I checked out.

Not that I've been thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no rights.


On Fri, 14 Oct 2005, Al Mulnick wrote:

 raises hand
 GUID or SID of the user account that made the delete request.  Last 
 mod may not be enough in case some process gets hold of that data in 
 the deleted items, even if unlikely.  I want the id of the identity 
 that put caused the object to be there in the first place.
  
 Having the data for a full undelete option wouldn't seem too terrible 
 either, although that might significantly increase the storage in the DIT.
 In the past I've had to write apps to keep that information out of 
 band in order to put back items mistakenly removed. But I can't see 
 why I should have to trip through all the DC's Audit logs to find the 
 information about who deleted something given how common this type of 
 question is.  It should be recorded same as the audit log (we have the 
 information, why not stamp it on the object at time of deletion?)
  
 Al
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 11:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.
 
 
 Correct, you can currently only get the when and the where (DC Where 
 not Client Where).
  
 Which raises the question. How many people would like a metadata stamp 
 with the GUID or SID of the userid that made the modification for a 
 given attribute (or value if appropriate)? Or would it be ok to just 
 have who made the last change to the object? Either way, none of the 
 administrators group nonsense, it points to a specific security
principal.
  
  
 
   _
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
 HARTONO
 Sent: Friday, October 14, 2005 3:18 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.
 
 
 Hi Yann,
  
 You can find at the deletedobject folder via adfind -showdel and see 
 the Last modified date - that would be when the object is deleted.
 
 But as for who deleted - I don't think you can find it without the
auditing.
  
 
 
 Thank you and have a splendid day! 
 
 Kind Regards,
 
 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9740 - temp
 
  
 
   _
 
 From: Yann [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 14, 2005 2:57 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Knowing when users were deleted.
 
 
 Hi there,
  
 I wonder if there is a way to know when a user has been deleted from 
 AD other than using security audit, because at the time of the 
 deletion, I forgot to activate the audit :(
  
 So my boss urges me to find the guilty user AND the time of deletion.
 I looked for attributes in adsi and found that there is the 
 whencreated, whenmodified attribute but not whendeletedtimestamp one.
  
 Any idea ?
 
 
 
   _
 
 
 



List info   : http://www.activedir.org/List.aspx
List FAQ: 

Re: [ActiveDir] LegalNoticeText maximum value

2005-10-14 Thread Laura E. Hunter
You know, there's a reason nobody likes you, Richards.  ;o)

- L

On 10/14/05, joe [EMAIL PROTECTED] wrote:
 Sounds like something you could find on www.shutuplaura.com

 BTW, it is annoying that I have to get an account to leave a comment. I
 don't need any more accounts.

 So congrats on signing up for the run, you will make Penn State proud!



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
 Sent: Thursday, October 13, 2005 9:00 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] LegalNoticeText maximum value

 Forgive me if this is an obvious thing and my Google-fu is just failing me,
 but can someone remind me of the maximum string length on this when running
 2003?  I'm finding conflicting references between
 255 and 512 characters.

 Thanks all.

 - Laura

 --
 ---
 Laura E. Hunter
 Microsoft MVP - Windows Server Networking
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)


RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread joe



The Oracle sales model. :) There was a link a couple of days ago to Joel on
Software describing this price model.

The correct answer to this is probably closer to "Depends 
on who you talk to last..."




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Come on...we're software companies. The price is directly 
related to the number of days left in a particular quarter. 

Its called "vendor management" :-)




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Was going to ask that myself.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Gentlemen,

"WHICH IS CHEAPER?"

LOL

RH

__



  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: Friday, October 14, 2005 1:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  Ok, now you've done it Gil :-) I guess this is the geek version of
  "dueling banjos" :-)
  
  <shameless plug2>
  Quest's InTrust for Active Directory provides detailed, real-time auditing
  and alerting of all changes to AD and Group Policy Objects (GPOs), including
  changes to AD configuration and GPO settings. It also provides all
  information behind important changes, including who made the change and the
  before and after values all without requiring native auditing.
  http://wm.quest.com/products/InTrustAD/
  </shameless plug2>
  
  
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: Friday, October 14, 2005 10:02 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.

  <shameless plug>
  NetPro's ChangeAuditor for AD does this without requiring auditing. The change log includes what was changed, before and after values, when, where, and by whom.
  See http://www.netpro.com/products/changemanager/
  </shameless plug>
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Thursday, October 13, 2005 11:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Knowing when users were deleted.
  
  Hi there,
  
  
  
  I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(
  
  
  
  So my boss urges me to find the guilty user AND the time of deletion.

  I looked for attributes in ADSI and found that there are the whencreated, whenmodified attributes but not a whendeletedtimestamp one.
  
  
  
  Any idea ?
  
  
  


RE: [ActiveDir] finding computer objects

2005-10-14 Thread joe



Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh
On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:

  Thanks.
  I used dsquery

  dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

  Thanks again.
  Sorry to bug you. I should've posted I figured it out.


  On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

Only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:

--
~~~"Fortune and Love befriend the bold"~~~


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries?
Thanks

P.S. Since you responded to this one after my stupid salary query, and this actually is one of those questions which has nothing to do with my current job but is for my own curiosity, I thought I'd pursue it.
I've never really understood the proper way to use bitwise filters and when, even after reading Robbie Allen's brief explanation in the AD Cookbook.
I really did try to look this one up.
Can you explain it to me in the context of this query?
Thanks again
On 10/14/05, joe [EMAIL PROTECTED] wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts. 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)
If I misunderstood your requirement, please ignore this mail..
--
Kamlesh
On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:
 

Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
Sorry to bug you. I should've posted I figured it out.


On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description
Only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote: 

--
~~~Fortune and Love befriend the bold~~~



RE: [ActiveDir] finding computer objects

2005-10-14 Thread Free, Bob
Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries?
Thanks

P.S. Since you responded to this one after my stupid salary query, and
this actually is one of those questions which has nothing to do with my
current job but is for my own curiosity, I thought I'd pursue it.
I've never really understood the proper way to use bitwise filters and
when, even after reading Robbie Allen's brief explanation in the AD
Cookbook.
I really did try to look this one up.
Can you explain it to me in the context of this query?
Thanks again

 
On 10/14/05, joe [EMAIL PROTECTED] wrote: 

Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts. 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

 
You might want to know,

checking for 4096 in useraccountcontrol will include disabled
accounts also..
As bit 2 is set for account disabled, and you are not
checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along
with name, and check the status of accounts whose useraccountcontrol is
set to 4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want) 

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh


On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote: 

Thanks.
I used dsquery
 
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
Sorry to bug you. I should've posted I figured it out.
 


 
On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] 
wrote: 

Why not use CSVDE.EXE, while joe gives us the
adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN
is always included in the result.



On 10/14/05, Kern, Tom [EMAIL PROTECTED]
wrote: 




-- 
~~~
Fortune and Love befriend the bold 
~~~






-- 
~~~
Fortune and Love befriend the bold
~~~






RE: [ActiveDir] finding computer objects

2005-10-14 Thread Almeida Pinto, Jorge de
LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))
 
LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries?
Thanks

P.S. Since you responded to this one after my stupid salary query, and
this actually is one of those questions which has nothing to do with my
current job but is for my own curiosity, I thought I'd pursue it.
I've never really understood the proper way to use bitwise filters and
when, even after reading Robbie Allen's brief explanation in the AD
Cookbook.
I really did try to look this one up.
Can you explain it to me in the context of this query?
Thanks again


On 10/14/05, joe [EMAIL PROTECTED] wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects
   

You might want to know,
   
checking for 4096 in useraccountcontrol will include disabled
accounts also..
As bit 2 is set for account disabled, and you are not
checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
   
Just extract useraccountcontrol in your dsquery output along
with name, and check the status of accounts whose useraccountcontrol is
set to 4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)
   
If I misunderstood your requirement, please ignore this mail..
   
--
Kamlesh
   
   
On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:

Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
Sorry to bug you. I should've posted I figured it out.




On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] 
wrote:

Why not use CSVDE.EXE, while joe gives us the
adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN
is always included in the result.
   
   
   
On 10/14/05, Kern, Tom [EMAIL PROTECTED]
wrote:




--
~~~
Fortune and Love befriend the bold
~~~
   





--
~~~
Fortune and Love befriend the bold
~~~
   








RE: [ActiveDir] LegalNoticeText maximum value

2005-10-14 Thread Free, Bob
 you will make Penn State proud!

Don't folks at the University of Pennsylvania take umbrage when you call
it Penn State ?? They did when I lived there :-]

/Child of 2 Penn State alums

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LegalNoticeText maximum value

Sounds like something you could find on www.shutuplaura.com

BTW, it is annoying that I have to get an account to leave a comment. I
don't need any more accounts. 

So congrats on signing up for the run, you will make Penn State proud!

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, October 13, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegalNoticeText maximum value

Forgive me if this is an obvious thing and my Google-fu is just failing me,
but can someone remind me of the maximum string length on this when running
2003?  I'm finding conflicting references between 255 and 512 characters.

Thanks all.

- Laura

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Jennifer Fountain
Hi all,
The linux client is configured with a host parameter in the ldap.conf
file and isn't SRV aware.  I was running several network traces and
sniffers, etc. to determine what exactly was going on but the dumps came
up empty.  But, I think the issue has gone away but not sure why.

On another note:  I did look into Vintela before we decided to go with
ldap but they were extremely expensive.  We are heading to kerberos with
the rh 3.0 upgrade and I cannot wait for that!

Thanks for your input!


Thank you for your time! 
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this
problem

This assumes that the client knows how to retrieve SRV records though.

The first thing I would say to do in troubleshooting this is to do drum
roll please. Network trace, yeah you knew I was going to pull that
one didn't you?

Another thing to do would be to use proper authentication with Kerberos.
Vintela and Centrify have products to help this be much less painless
than it can be.

   Joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, October 14, 2005 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this
problem

Well
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld

To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.<site name>._sites.dc._msdcs.domain.tld

If a computer does not know its site it uses the first and if it knows
its site it will use the second.

I don't know if a linux client is site aware or can be made site aware
(with the samba client?) (and I don't know anything about linux/unix)

How is the linux client configured to search for a DC?
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915











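The two SRV names Jorge lists above (the domain-wide `_ldap._tcp.dc._msdcs.<domain>` record and the per-site `_sites` record), modelled offline as an added example. This is not code from the list or from Microsoft: the `example.test` zone, its sites `HQ` and `Remote`, and the DC host names are constructed, and no DNS query is sent. It goes one step past the thread by ordering the answers the way RFC 2782 prescribes (priority, then weighted random choice), which is what a DC locator does with the record set it gets back. The point it makes visible is the one behind Jorge's question about site awareness: a client that can only use the domain-wide record chooses from every DC in the domain, remote ones included, while a site-aware client is steered to the DCs registered for its site.

```python
"""DC locator SRV names and RFC 2782 record ordering.
Added example, not code from the ActiveDir list or from Microsoft; the zone
below is constructed and no real DNS query is made."""
import random


def dc_srv_names(domain, site=None):
    """SRV names a client tries, most specific first. A client that does not
    know its site can only use the domain-wide record, which lists every DC."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


# Constructed zone (assumption, not real data):
# name -> [(priority, weight, port, target), ...]
ZONE = {
    "_ldap._tcp.dc._msdcs.example.test": [
        (0, 100, 389, "dc1.example.test"),
        (0, 100, 389, "dc2.example.test"),
        (0, 100, 389, "remote-dc.example.test"),
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.example.test": [
        (0, 100, 389, "dc1.example.test"),
        (0, 100, 389, "dc2.example.test"),
    ],
    "_ldap._tcp.Remote._sites.dc._msdcs.example.test": [
        (0, 100, 389, "remote-dc.example.test"),
    ],
}


def order_srv(records, rng=None):
    """Order SRV records as RFC 2782 prescribes: lowest priority first; within
    one priority a weighted random pick, with weight-0 records placed first
    in the candidate list so they are rarely selected."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)
        while group:
            threshold = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= threshold:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def candidate_dcs(domain, site=None, zone=ZONE, rng=None):
    """Resolve the first SRV name that has records; returns (name, targets).
    An unknown site falls back to the domain-wide record."""
    for name in dc_srv_names(domain, site):
        if zone.get(name):
            return name, [r[3] for r in order_srv(zone[name], rng)]
    return None, []


if __name__ == "__main__":
    for site in (None, "HQ", "Remote"):
        print(site, "->", candidate_dcs("example.test", site))
```

Running it with `site=None` returns all three DCs, with `site="HQ"` only `dc1` and `dc2`; passing a seeded `random.Random(n)` as `rng` makes the weighted order reproducible.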


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Marcus.Oh
Glad you said something Al.  I thought we completely glazed over this
part in her first post:

I noticed today that even though I have the host ip hard coded to a local
server...

Host IP hard coded...?

:m:dsm:cci:mvp marcusoh.blogspot.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 14, 2005 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this
problem

LDAP is not authentication [1]

If you hardcoded the ldap server, is there a referral going on?  When
you
say hardcoded, was it by ip address or ??

How did you notice that these *nix machines are talking to a DC in a
remote
location? 


[1] there, I said it.  I got that off my chest :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Friday, October 14, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem



Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site. Has
anyone experienced this issue?

Kind Regards,
 
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915 






Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
If you're not comparing it to any other bit in userAccountControl, I don't understand why you need the bitwise filter.
Why can't you just have userAccountControl=2 then and just use !, to find a disabled or enabled account?
That's where my confusion comes in.

Thanks
On 10/14/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))

LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries?
Thanks

P.S. Since you responded to this one after my stupid salary query, and this actually is one of those questions which has nothing to do with my current job but is for my own curiosity, I thought I'd pursue it.
I've never really understood the proper way to use bitwise filters and when, even after reading Robbie Allen's brief explanation in the AD Cookbook.
I really did try to look this one up.
Can you explain it to me in the context of this query?
Thanks again

On 10/14/05, joe [EMAIL PROTECTED] wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:

Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
Sorry to bug you. I should've posted I figured it out.

On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:

--
~~~ Fortune and Love befriend the bold ~~~
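Jorge's two filters and Tom's question (why not just `userAccountControl=2` with `!`) worked through locally, as an added example that is not code from the list or from Microsoft. The block implements a small evaluator for the subset of LDAP filter syntax used in this thread, including the `1.2.840.113556.1.4.803` (bitwise AND) and `1.2.840.113556.1.4.804` (bitwise OR) matching rules from KB 305144, and runs the thread's own filters against a constructed directory of six objects whose names and `userAccountControl` values are made up. Equality compares the whole attribute value, so `(userAccountControl=2)` only matches an account whose value is exactly 2, which no real account has (a disabled workstation is 4098, a disabled user 514); the bitwise rule tests the bit inside the integer, which is why `!` has to wrap a bitwise item and not an equality.

```python
"""Local evaluator for the userAccountControl filters in this thread.
Added example, not code from the ActiveDir list or from Microsoft;
the directory objects below are constructed, not real data."""
import re

# userAccountControl bits from KB 305144 (only those used here).
ACCOUNTDISABLE = 0x0002             # 2
NORMAL_ACCOUNT = 0x0200             # 512
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096
SERVER_TRUST_ACCOUNT = 0x2000       # 8192
# 803: every bit of the value must be set (AND); 804: any bit set (OR).
BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"

def _obj(cn, category, classes, uac, os_name=None):
    """Directory object; every attribute is a list, as in LDAP."""
    attrs = {"cn": [cn], "objectCategory": [category],
             "objectClass": classes, "userAccountControl": [str(uac)]}
    if os_name:
        attrs["operatingSystem"] = [os_name]
    return attrs

COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
USER = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [  # constructed sample objects
    _obj("WS01", "computer", COMPUTER, WORKSTATION_TRUST_ACCOUNT, "Windows Server 2003"),
    _obj("WS02", "computer", COMPUTER, WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE, "Windows Server 2003"),
    _obj("WS03", "computer", COMPUTER, WORKSTATION_TRUST_ACCOUNT, "Windows XP Professional"),
    _obj("DC01", "computer", COMPUTER, SERVER_TRUST_ACCOUNT, "Windows Server 2003"),
    _obj("alice", "person", USER, NORMAL_ACCOUNT),
    _obj("bob", "person", USER, NORMAL_ACCOUNT | ACCOUNTDISABLE),
]
_ITEM = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)$")  # a=v or a:oid:=v

def _parse_item(s, i):
    """Parse one simple item; returns (node, index of its closing ')')."""
    end = s.index(")", i)
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ("=",) + m.groups(), end

def parse(s, i=0):
    """Recursive-descent parser for (&..), (|..), (!..), (a=v), (a:oid:=v).
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        # RFC 4515 form is (!(a=v)); AD also accepts (!a=v), which the
        # csvde filter in the thread uses, so take either.
        child, i = parse(s, i + 1) if s[i + 1] == "(" else _parse_item(s, i + 1)
        node = ("!", child)
    else:
        node, i = _parse_item(s, i)
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, obj):
    """Evaluate a parsed filter against one object."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, obj) for c in node[1])
    if kind == "|":
        return any(matches(c, obj) for c in node[1])
    if kind == "!":
        return not matches(node[1], obj)
    _, attr, rule, value = node
    # attribute names are case-insensitive; an absent attribute never matches
    actual = next((v for k, v in obj.items() if k.lower() == attr.lower()), None)
    if actual is None:
        return False
    if rule is None:  # plain equality compares the whole value
        return any(v.lower() == value.lower() for v in actual)
    want = int(value)
    if rule == BIT_AND:
        return any(int(v) & want == want for v in actual)
    if rule == BIT_OR:
        return any(int(v) & want != 0 for v in actual)
    raise ValueError(f"unsupported matching rule {rule}")

def search(filter_str, directory=DIRECTORY):
    """Return the cn of every object matching filter_str."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [o["cn"][0] for o in directory if matches(node, o)]

if __name__ == "__main__":
    for f in ("(userAccountControl=2)",  # plain equality: matches nothing
              "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))"):
        print(f, "->", search(f))
```

With a single-bit value the AND and OR rules give the same answer, which is why Tom's `804:=4096` and Kamlesh's `803:=2` both look right in isolation; they differ once the value has several bits set, e.g. `803:=4098` matches only a disabled workstation while `804:=4098` matches anything that is a workstation or disabled.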


RE: [ActiveDir] AD/DNS BPA?

2005-10-14 Thread David Adner
Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Thursday, October 13, 2005 11:22 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tool I spoke about in confidence with Tony (just teasing 
 ;o) is an offering from MCS known as the ADHC or AD Health 
 Check ... it is a nicely shrink-wrapped series of powerful 
 interrogation scripts/tools that, when compiled by someone 
 sufficiently trained, produces a very detailed configuration 
 breakdown, useful recommendations and/or general 
 mis-configurations.  As I understand it, it is available 
 exclusively via an MCS engagement.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, October 11, 2005 7:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 I find DNSlint to be pretty good, but obviously limited in 
 scope.  I think Dean mentioned to me recently that PSS have a 
 tool that provides BPA-like functionality.  It sounded like 
 the output might be a little too complicated to make it 
 publicly available. 
 
 Perhaps Dean has more info on this (assuming it's not under NDA)?
 
 Tony
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: Wednesday, 12 October 2005 2:58 p.m.
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tools are there, but the interpretation is sometimes 
 lacking <G>. I've been told that several companies are 
 currently offering health checks, but I haven't tested any of them.  
 
 As for Microsoft tools, I'm a fan of using dcdiag and netdiag 
 right after scanning the event logs.  That'll give me an idea 
 of where to focus more effort if needed. Most of what I want 
 to know is going to show up there without having to do too 
 much waving of the magic wand.
 There are some additional tools, but they get used after 
 these two steps in my normal approach. That'll indicate 
 whether or not I have to dig deeper.
 Some other tools such as repadmin are useful as well. And 
 there was a tool, SPA that could be helpful in some 
 situations depending on what you want to know. 
 
 I haven't seen an AD BPA though.  Be interesting to see one. 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 11, 2005 9:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD/DNS BPA?
 
 
 <lurk mode off>
 
 Stupid question... okay we have Exchange Best practices 
 analyzer right?
 http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
  
 I know you guys don't like GUI...but besides DNSlint, 
 dnsdiag, Sysinternals, Joeware stuff and such things... are 
 there currently enough tools in your bag'o'tricks to ensure 
 DNS/AD is set up right?  Do you guys have a tool that you 
 consider 'the' DNS/AD BPA and if so what is it?
 
 Or is AD/DNS health review like security log reviews/dump 
 files where it's an art and not a science?
 
 And feel free to lob 'SBS could run on ipx/spx' comments my 
 way as well.
 
 ;-)
 
 <lurk mode back on>
 
 --
 
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com
 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
Actually, I think that book and the Windows XP book are the only two that I
haven't reviewed.

As to why I wasn't asked - I dunno.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reason _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On 

Re: [ActiveDir] Reverse DNS

2005-10-14 Thread Phil Renouf
So you have a publicly accessible DNS server that you manage and is in your DMZ and an internally accessible DNS server that is on your internal network. Is that right?

You have a domain on your publicly accessible DNS server for your public servers (web, email etc.) and currently you only have a forward lookup zone created on that DNS server. What you want is to be able to also host reverse DNS for the subnet that you were given by your ISP?


If that is the case then the advice has been given; talk to your ISP and have them delegate that subnet to your DNS server and setup a reverse lookup zone on your publicly accessible DNS server. That or have your ISP host the reverse lookup zone, although that would require them to manage the entries as well.


Phil
On 10/13/05, rubix cube [EMAIL PROTECTED] wrote:

I have 2 internal DNS's, one on the DMZ zone which hosts the public IPs of the servers we publish (email, website, systems, etc... around 15 IPs) and the other DNS which resolves only the internal IPs, I wanted to setup the reverse DNS and publish my internal DNS (the one at the DMZ) because I am not sure about my ISP. I went through some trouble trying to create an SPF record with him, and I don't have any control panel or tools for my records on his side 



On 10/13/05, Ed Crowley [MVP] [EMAIL PROTECTED] wrote:

I can't fathom why any organization would have to.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, October 12, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS



I agree with Aric's advice: don't expose your internal DNS server unless you have to. Network Solutions hosts my DNS records, and I can manage them myself using their web-based tools. The only gripe I've got with them is that they won't host SPF records. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Wednesday, October 12, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS


You probably do not want to go out and expose your internal DNS server (presumably supporting your internal forest) to the Internet. Your internal DNS names and IP addresses should remain private, unless of course you are using public IP addresses internally and in such a case you would only want to expose those required externally. 


It is highly likely that your ISP already has some form of a reverse lookup zone in place for your subnet even if it only has generic records. If that is the case, I would probably go about just having them modify the existing zone altering the existing records with the proper names of your systems unless you cannot depend on them for timely changes (find another ISP) or you have a lot of PTR records that need to be published externally or the records you do publish will be fairly dynamic. 



Regards,

Aric





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS


Thanks all,



And when I configure the DNS reverse zone on my internal DNS server and ask my ISP to delegate my subnet (We pay monthly fees for the subnet and internet access), then anything else I should do? to my internal DNS, should I publish my internal DNS? or is it enough to keep it the same way? 




Also assuming that I want the ISP to configure the reverse dns for me, I just ask them to add a reverse DNS for my subnet? 



Thanks

r.c.



On 10/12/05, Brian Desmond [EMAIL PROTECTED] wrote:

That's not entirely true. Your ISP will need to delegate your subnet(s) to your DNS servers if you want to run your own reverse DNS. If you own your subnet, you need to work with the registrar to get the delegation. 



Thanks,
 Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 12, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS


It's likely that your ISP will have to host your Internet reverse zone if they own your IP addresses. Really, you're going to have to ask them. 

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reverse DNS

Hi list,

How do you exactly configure a reverse DNS zone? which type should it be? (standard, primary, active directory integrated), should it allow for zone transfer, if I want to configure it on my internal DNS server (which doesn't do any zone transfers with any one else its only internal, but it can resolve external names), how should I do that? I need it for 
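The delegation the thread keeps coming back to (the ISP hands the in-addr.arpa zone for your subnet to your DNS server, or, for a subnet smaller than a /24, points individual addresses into a classless sub-zone with RFC 2317 CNAMEs) is easier to see with the names written out. The following is an added example, not code from the thread or from any of the posters; the subnet 203.0.113.0/24, the host names and example.com are constructed sample values, and only IPv4 is handled.

```python
# Added example (not from the mailing-list thread): derive the in-addr.arpa
# zone an ISP would delegate for a subnet and generate the PTR records that
# belong in it. Sample subnet/hosts below are constructed (203.0.113.0/24 is
# a documentation range, example.com is a reserved name).

import ipaddress
from typing import Dict, List, Tuple


def reverse_zone_name(network: str) -> str:
    """Name of the reverse zone covering an IPv4 prefix.

    Octet-aligned prefixes (/8, /16, /24) map to an ordinary in-addr.arpa zone.
    For a prefix longer than /24 the ISP cannot delegate a whole octet, so the
    RFC 2317 convention is used: a sub-zone named <first-octet>/<prefixlen>
    under the parent /24 zone (e.g. 64/26.113.0.203.in-addr.arpa).
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    if net.prefixlen in (8, 16, 24):
        kept = octets[: net.prefixlen // 8]
        return ".".join(reversed(kept)) + ".in-addr.arpa"
    if net.prefixlen > 24:
        parent = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
        return f"{octets[3]}/{net.prefixlen}.{parent}"
    raise ValueError("non octet-aligned prefix shorter than /24 not handled here")


def ptr_records(network: str, hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """(owner name, target FQDN) pairs for the PTR records of hosts in the subnet.

    Raises if a host address is outside the delegated subnet, which is the
    usual mistake when a zone is hand-edited.
    """
    net = ipaddress.ip_network(network, strict=True)
    records = []
    for ip_str, fqdn in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
        target = fqdn if fqdn.endswith(".") else fqdn + "."
        # ipaddress gives the canonical reverse name without the trailing dot
        records.append((ip.reverse_pointer + ".", target))
    return records


def rfc2317_parent_cnames(network: str) -> List[Tuple[str, str]]:
    """CNAMEs the ISP keeps in its /24 parent zone so that each address of a
    classless delegation resolves into the customer's sub-zone (RFC 2317).
    Returns an empty list for /24 and shorter prefixes, which are delegated
    with plain NS records instead."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen <= 24:
        return []
    sub_zone = reverse_zone_name(network)
    cnames = []
    for ip in net:
        last_octet = str(ip).split(".")[3]
        cnames.append((ip.reverse_pointer + ".", f"{last_octet}.{sub_zone}."))
    return cnames


if __name__ == "__main__":
    # Constructed sample: a /24 delegated outright, and a /26 delegated RFC 2317 style.
    sample_hosts = {"203.0.113.10": "mail.example.com", "203.0.113.5": "www.example.com."}
    print(reverse_zone_name("203.0.113.0/24"))
    for owner, target in ptr_records("203.0.113.0/24", sample_hosts):
        print(f"{owner} IN PTR {target}")
    print(reverse_zone_name("203.0.113.64/26"))
    for owner, target in rfc2317_parent_cnames("203.0.113.64/26")[:3]:
        print(f"{owner} IN CNAME {target}")
```

The zone type question in the original post (standard primary vs. AD-integrated) does not change the data: the owner names and PTR targets above are what the zone must contain either way; what the ISP needs from you is only the NS records (for a /24) or the sub-zone name (for an RFC 2317 delegation). Some operators use `-` instead of `/` in the sub-zone label; both are valid DNS labels.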

RE: [ActiveDir] finding computer objects

2005-10-14 Thread Brian Desmond
Useraccountcontrol is a bitmask. You can have a disabled account which also has a non expiring password. This is no longer just 2. Its 1002  2 or 1000. :) 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter.

why can't you just have userAccountControl=2 then and just use !, to find a disabled or enabled account?

That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: 

LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))

LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Cheers,
Jorge



From: [EMAIL PROTECTED]
on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and 
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s - since you responded to this one after my stupid salary query and
this actually is one of those questions which has nothing to do with my
current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and 
when, even after reading robbie allen's brief explanation in the AD
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again


On 10/14/05, joe [EMAIL PROTECTED] wrote:

 Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
 Sent: Friday, October 14, 2005 12:58 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] finding computer objects

You might want to know,

 checking for 4096 in useraccountcontrol will include disabled accounts also..
 As bit 2 is set for account disabled, and you are not checking its absence.
 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

 Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

 If I misunderstood your requirement, please ignore this mail.. 

 --
 Kamlesh


 On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:


Thanks.

I used dsquery


dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"


Thanks again.

sorry to bug you. i should've posted i figured it out. 





On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.




On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:

--

~~~

Fortune and Love befriend the bold

~~~

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, 
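To see why Tom's equality test and the bitwise matching rules behave differently, here is an added example (not code from the thread or from any of the posters) that evaluates the two LDAP bitwise matching rules and a plain equality match over a handful of constructed directory objects, then builds the filter strings the thread arrives at. The flag values are the documented userAccountControl bits from KB 305144, cited above; the object names and their userAccountControl values are made up for illustration.

```python
# Added example (not from the mailing-list thread): why userAccountControl
# has to be queried with the bitwise matching rules rather than equality.
# Flag values are the documented ones (KB 305144); sample objects are constructed.

from typing import Dict, List, Sequence

# userAccountControl flag bits (KB 305144)
ACCOUNTDISABLE = 0x0002             # 2
NORMAL_ACCOUNT = 0x0200             # 512
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096 (computer accounts)
DONT_EXPIRE_PASSWORD = 0x10000      # 65536

# Matching-rule OIDs used in AD filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Constructed sample objects (names and values made up for illustration)
SAMPLE_OBJECTS: List[Dict[str, object]] = [
    {"name": "SRV01$", "objectCategory": "computer", "operatingSystem": "Windows Server 2003",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},                          # 4096, enabled
    {"name": "SRV02$", "objectCategory": "computer", "operatingSystem": "Windows Server 2003",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},         # 4098, disabled
    {"name": "WS01$", "objectCategory": "computer", "operatingSystem": "Windows XP Professional",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"name": "alice", "objectCategory": "person", "operatingSystem": None,
     "userAccountControl": NORMAL_ACCOUNT},                                     # 512, enabled
    {"name": "bob", "objectCategory": "person", "operatingSystem": None,
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD},  # 66050
]


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of rule 1.2.840.113556.1.4.803: every bit of mask is set in value."""
    return value & mask == mask


def bit_or_match(value: int, mask: int) -> bool:
    """Semantics of rule 1.2.840.113556.1.4.804: at least one bit of mask is set."""
    return value & mask != 0


def equality_match(value: int, wanted: int) -> bool:
    """Plain (userAccountControl=2): true only when no other flag is set at all."""
    return value == wanted


def is_disabled(obj: Dict[str, object]) -> bool:
    return bit_and_match(int(obj["userAccountControl"]), ACCOUNTDISABLE)


def disabled_by_equality(objects: Sequence[Dict[str, object]]) -> List[str]:
    """What (userAccountControl=2) would return: misses every real disabled account."""
    return [str(o["name"]) for o in objects
            if equality_match(int(o["userAccountControl"]), ACCOUNTDISABLE)]


def disabled_by_bitwise(objects: Sequence[Dict[str, object]]) -> List[str]:
    """What (userAccountControl:1.2.840.113556.1.4.803:=2) returns."""
    return [str(o["name"]) for o in objects if is_disabled(o)]


def server_2003_computers_by_4096(objects: Sequence[Dict[str, object]]) -> List[str]:
    """Tom's dsquery filter: bit 4096 set. As joe and Kamlesh note, this keeps
    disabled computers because it never tests for the absence of bit 2."""
    return [str(o["name"]) for o in objects
            if o["objectCategory"] == "computer"
            and str(o["operatingSystem"] or "").lower() == "windows server 2003"
            and bit_or_match(int(o["userAccountControl"]), WORKSTATION_TRUST_ACCOUNT)]


def enabled_server_2003_computers(objects: Sequence[Dict[str, object]]) -> List[str]:
    """Kamlesh's csvde filter: computer, Windows Server 2003, NOT bit 2."""
    return [str(o["name"]) for o in objects
            if o["objectCategory"] == "computer"
            and str(o["operatingSystem"] or "").lower() == "windows server 2003"
            and not is_disabled(o)]


def build_filter(disabled: bool, extra_clauses: Sequence[str] = ()) -> str:
    """Filter string for disabled (or enabled) objects using the bitwise AND rule."""
    uac = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})"
    if not disabled:
        uac = f"(!{uac})"
    return "(&" + "".join(extra_clauses) + uac + ")"


if __name__ == "__main__":
    print("equality  :", disabled_by_equality(SAMPLE_OBJECTS))
    print("bitwise   :", disabled_by_bitwise(SAMPLE_OBJECTS))
    print("4096 only :", server_2003_computers_by_4096(SAMPLE_OBJECTS))
    print("enabled   :", enabled_server_2003_computers(SAMPLE_OBJECTS))
    print(build_filter(False, ("(objectCategory=computer)",)))
```

The equality query returns nothing for the sample set because every disabled object carries other bits too (a disabled computer is 4098, Brian's disabled user with a non-expiring password is 66050), which is the point Brian makes above: the attribute is a bitmask, so the filter has to test the one bit, and the `!` has to wrap that bitwise clause.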

Re: [ActiveDir] Reverse DNS

2005-10-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Or get a better ISP or DNS record keeper that will allow you to do what 
you need to do.


okay okay I don't lurk well ... I know  I know...

Phil Renouf wrote:

So you have a publicly accessible DNS server that you manage and is in 
your DMZ and an internally accessible DNS server that is on your 
internal network. Is that right?
 
You have a domain on your publicly accessible DNS server for your 
public servers (web, email etc.) and currently you only have a forward 
lookup zone created on that DNS server. What you want is to be able to 
also host reverse DNS for the subnet that you were given by your ISP?
 
If that is the case then the advice has been given; talk to your ISP 
and have them delegate that subnet to your DNS server and setup a 
reverse lookup zone on your publicly accessible DNS server. That or 
have your ISP host the reverse lookup zone, although that would 
require them to manage the entries as well.
 
Phil


 
On 10/13/05, *rubix cube* [EMAIL PROTECTED] wrote:


I have 2 internal DNS's, one on the DMZ zone which hosts the
public IPs of the servers we publish (email, website, systems,
etc... around 15 IPs) and the other DNS which resolves only the
internal IPs, I wanted to setup the reverse DNS and publish my
internal DNS (the one at the DMZ) because am not sure about my
ISP. I went through some trouble trying to create an SPF record
with him, and I don't have any control panel or tools for my
records on his side
 
 
On 10/13/05, *Ed Crowley [MVP]* [EMAIL PROTECTED] wrote:

I can't fathom why any organization would have to.
 
Ed Crowley MCSE+Internet MVP

Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Derek Harris
*Sent:* Wednesday, October 12, 2005 3:35 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Reverse DNS

 
I agree with Aric's advice: don't expose your internal DNS

server unless you have to.  Network Solutions hosts my DNS
records, and I can manage them myself using their web-based
tools.  The only gripe I've got with them is that they won't
host SPF records.


*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Bernard, Aric
*Sent:* Wednesday, October 12, 2005 3:08 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Reverse DNS

 


You probably do not want to go out and expose your internal
DNS server (presumably supporting your internal forest) to the
Internet.  Your internal DNS names and IP addresses should
remain private, unless of course you are using public IP
addresses internally and in such a case you would only want to
expose those required externally. 

 


It is highly likely that your ISP already has some form of a
reverse lookup zone in place for your subnet even if it only
has generic records.  If that is the case, I would probably go
about just having them modify the existing zone altering the
existing records with the proper names of your systems unless
you cannot depend on them for timely changes (find another
ISP) or you have a lot of PTR records that need to be
published externally or the records you do publish will be
fairly dynamic.

 

 


Regards,

 


Aric

 




*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *rubix cube
*Sent:* Wednesday, October 12, 2005 1:44 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Reverse DNS

 


Thanks all,

 


And when I configure the DNS reverse zone on my internal DNS
server and ask my ISP to delegate my subnet (We pay monthly
fees for the subnet and internet access), then anything else I
should do? to my internal DNS, should I publish my internal
DNS? or is it enough to keep it the same way?

 


Also assuming that I want the ISP to configure the reverse dns
for 

Re: [ActiveDir] Reverse DNS

2005-10-14 Thread Phil Renouf
Why lurk when you can participate so effectively? :)

Phil
On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Or get a better ISP or DNS record keeper that will allow you to do what you need to do.

okay okay I don't lurk well ... I know  I know...