RE: [ActiveDir] exporting group membership
Sorry, when I use the csvde command with its parameters, it exports the data to CSV. When I open the CSV file, I get the member information listed as:

CN=Frank Abagnale,OU=UserAccounts,DC=,DC=intara,DC=com;CN=Mike Richards,OU=UserAccounts,DC=intara,DC=com

in one cell. How can I list the members without the full DN being displayed, e.g. just the display name? Thanks

Rick Kingslan [EMAIL PROTECTED] wrote:

Excel? Otherwise, I'm not completely clear as to what you're trying to accomplish.

Rick
-- Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, November 25, 2005 10:02 AM
To: Active
Subject: [ActiveDir] exporting group membership

I am trying to export the following fields from Active Directory using CSVDE. I ran the following command:

CSVDE -F c:\output.csv -d "ou=security groups,ou=INTARA,dc=COM" -r "(objectclass=group)" -l cn,description,member,whencreated,whenchanged,info,managedby,mail

This retrieves the information I want; however, the Member tab displays the users' full DNs in one single cell, which makes it difficult to overview the member list. How can I display a list of the users in their own individual cells going downwards (if that makes sense)? Does CSVDE allow this? If not, are there any other tools out there?
RE: [ActiveDir] Query out all user members in nested groups
I apologize for leaving out crucial information. I am trying to enhance (less-than-optimal) .NET code, so this involves the use of the DirectorySearcher and SearchResult classes in the System.DirectoryServices namespace.

The current implementation takes the top-level group name and searches for it, then loops through the member collection returned (part of the SearchResult.Properties collection), determining which is a User and which is a Group. For those identified as Groups, they are put through their own level of Members search. For each User that is retrieved, yet another search is performed to get their logon name (it appears the results of the Member collection show only the Full Name property of Users). So in an example scenario, that can result in 200+ calls for individual User queries, taking some 179 seconds.

My immediate idea was to find a way to make a single chunky query rather than numerous small queries (similar to SQL query advice), so I wondered if there is an LDAP search pattern that can have itself recursively drill down all groups and return me the Logon names in one fell swoop. If that is not possible, then the next best thing would be to return all Users' Logon names in a Group rather than the Full name.

Aaron

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Query out all user members in nested groups
My response is assuming that you are using the old DirectoryServices stuff and not the newer 2.0 DS.Protocols stuff. With that caveat, most DS .NET code is less than optimal as it relies on ADSI, which is in itself less than optimal. Group enumeration is great because it uses multiple queries to get ANYTHING besides the DN of the members. So if you, say, query a group and you even know that a member is not a user, you have already done the query for the group, and another query for that member. So to enumerate a group of 500 members and display a full name or object type or anything besides a DN, ADSI has already done another query on your behalf to return the info for each member you have displayed, so you would have done 501 queries at that point. If you have to force additional queries beyond that, well, that is above and beyond.

The only thing that is close to what you are asking for is something MS added to K3 AD, reachable only if you are using pure LDAP (not ADSI calls), called an attribute scoped query. Basically it allows you to do a BASE level query of AD and tell it to return a specific object to you (i.e. you can't do a subtree search, you already need the DN of the object), but instead of getting members as DNs, you can tell the AD to return to you any of the attributes of each of the members, or even to return only specific members (say the users or the groups). You can learn more here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/performing_an_attribute_scoped_query.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_asq_oid.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_searchpref_enum.asp

Note, I just noticed the filter they use in the example of link 1 may not be optimal. It isn't normally, but it depends entirely on the implementation in the backend, as I don't expect the query is actually sent through the normal process.
I tried to find the implementation in the source to verify it but couldn't track it down. So I will send a note on to the MSDN folks to see if it can be verified. The possibly non-optimal piece is the filter objectclass=user.

I don't use .NET, but it looks like there is some chatter on this, see:

http://msdn.microsoft.com/msdnmag/issues/05/12/DirectoryServices/default.aspx
http://winfx.msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/T_System_DirectoryServices_Protocols_AsqRequestControl.asp

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Saturday, November 26, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query out all user members in nested groups
RE: [ActiveDir] exporting group membership
The group membership comes back as DNs. A single subtree scope LDAP command isn't going to resolve that to display names or samaccountnames, etc. There is something special you can do if writing LDAP API code (or S.DS.Protocols). See the response I gave just prior to this one.

The output format you are describing isn't CSV; you want a report, not a CSV dump. You will need to write a script or find a tool that will do this. Expanding group memberships (including primary groups, nested groups, etc.) is one of the more painful things to do with AD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Saturday, November 26, 2005 7:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] exporting group membership
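Putting the two threads above together (the CSVDE member cell that arrives as a ';'-joined list of DNs, and the nested-group expansion that currently costs one query per user), here is an added example that is not code from either thread. It works entirely offline on two CSVDE exports, one of groups and one of users, so the per-user lookups become a single join in memory, and it walks nesting with a cycle check because AD lets you nest a group back into itself. The file contents, the OU names, the two accounts and the group names are constructed. A member that is in neither export (a foreign security principal, a contact, an object outside the exported OUs) cannot be given a logon name this way, so it is reported with the CN taken from its DN and an empty sAMAccountName instead of being dropped.

```python
"""One row per user for every group in a CSVDE export, nested groups expanded.
Added example (Python), not code from either thread. Assumes two CSVDE files:
groups exported with -l cn,member and users with -l sAMAccountName,displayName
(CSVDE always writes the DN column, and joins multi-valued attributes such as
member with ';' inside one cell, which is what the poster saw). Users are
exported once and joined in memory by DN instead of one query per member.
GROUPS_CSV and USERS_CSV are constructed sample data; note the deliberate
cycle: Finance contains Finance Managers and vice versa.
"""
import csv
import io
import re

GROUPS_CSV = '''DN,cn,member
"CN=Finance,OU=security groups,OU=INTARA,DC=intara,DC=com",Finance,"CN=Frank Abagnale,OU=UserAccounts,DC=intara,DC=com;CN=Finance Managers,OU=security groups,OU=INTARA,DC=intara,DC=com"
"CN=Finance Managers,OU=security groups,OU=INTARA,DC=intara,DC=com",Finance Managers,"CN=Richards\\, Mike,OU=UserAccounts,DC=intara,DC=com;CN=Finance,OU=security groups,OU=INTARA,DC=intara,DC=com"
"CN=Empty,OU=security groups,OU=INTARA,DC=intara,DC=com",Empty,
'''

USERS_CSV = '''DN,sAMAccountName,displayName
"CN=Frank Abagnale,OU=UserAccounts,DC=intara,DC=com",fabagnale,Frank Abagnale
"CN=Richards\\, Mike,OU=UserAccounts,DC=intara,DC=com",mrichards,"Richards, Mike"
'''

def norm(dn):
    """AD compares DNs case-insensitively; use this form as a dictionary key."""
    return dn.strip().lower()

def split_escaped(text, sep):
    """Split on sep while honouring backslash escapes (a DN may contain '\\,' or '\\;')."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def split_multivalue(cell):
    """Values of a CSVDE multi-valued cell, which CSVDE joins with ';'."""
    return [v.strip() for v in split_escaped(cell, ";") if v.strip()]

def rdn_value(dn):
    """Unescaped value of the first RDN: 'CN=Richards\\, Mike,OU=...' -> 'Richards, Mike'."""
    return re.sub(r"\\(.)", r"\1", split_escaped(dn, ",")[0].partition("=")[2])

def load_groups(text):
    """norm(DN) -> {'DN': DN as exported, 'member': [member DNs]}."""
    return {norm(r["DN"]): {"DN": r["DN"], "member": split_multivalue(r.get("member") or "")}
            for r in csv.DictReader(io.StringIO(text))}

def load_users(text):
    """norm(DN) -> the user's exported row."""
    return {norm(r["DN"]): r for r in csv.DictReader(io.StringIO(text))}

def expand(group_dn, groups, users, seen=None):
    """Users reachable from a group through any depth of nesting; 'seen' stops cycles."""
    seen = set() if seen is None else seen
    key = norm(group_dn)
    if key in seen:
        return []
    seen.add(key)
    found = []
    for member in groups[key]["member"]:
        mkey = norm(member)
        if mkey in groups:
            found.extend(expand(member, groups, users, seen))
        elif mkey in users:
            found.append(users[mkey])
        else:
            # Not in either export (FSP, contact, computer, object outside the exported
            # OUs): keep it visible with an empty logon name rather than dropping it.
            found.append({"DN": member, "sAMAccountName": "", "displayName": rdn_value(member)})
    return found

def report(groups, users):
    """(group cn, sAMAccountName, displayName), one row per distinct user per group."""
    rows = []
    for group in groups.values():
        done = set()
        for user in expand(group["DN"], groups, users):
            if norm(user["DN"]) not in done:
                done.add(norm(user["DN"]))
                rows.append((rdn_value(group["DN"]), user["sAMAccountName"], user["displayName"]))
    return rows

if __name__ == "__main__":
    for row in report(load_groups(GROUPS_CSV), load_users(USERS_CSV)):
        print("\t".join(row))
```

Run as-is it prints four rows (two per group, none for the empty one, and no infinite loop on the cycle). With real data, replace the two strings with the contents of two CSVDE output files, e.g. csvde -f groups.csv -r "(objectclass=group)" -l cn,member and csvde -f users.csv -r "(objectclass=user)" -l sAMAccountName,displayName, optionally with -d to scope each to the right OU.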
RE: [ActiveDir] Server Disappeared
That sounds goofy that you needed a new MAC address. However, if that is what they said, no use arguing with the rain. You just get wet. You don't need to swap the physical hardware around; most desktop/server NICs allow you to specify what MAC address they are. Just change that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harald
Sent: Thursday, November 24, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server Disappeared

Yesterday morning I had to change my Win2k Server up a bit. I wanted a new static IP address, and the ISP told me that in order to do that, I needed a new NIC (MAC Address). So, I switched the cables on the back of the server, and got the new IP for my external card. I then reversed the settings on both NICs, so that my (new) internal card used the old internal settings, and the (new) external card used the old external settings. I double-checked the DNS server settings, and they were properly updated. I don't use DHCP internally, so I figured that should be all that I needed to do.

However, I have lost my internal network connectivity. The DFS no longer works from my network machines to the server, though it does work from the server out. I also can no longer connect to the printer which is connected through the server. When I try to map an external drive, when I click on the browse button, all the machines show up except for the server. I've checked each of the workstations, and they can all connect to each other, but as far as they are concerned, the server does not exist. Obviously there is something on the server that I missed, but I have no idea where to even start looking. Can anyone help me to figure this out? Thanks.

--
Harald Gill
Without Dreams...Life is Nothing
RE: [ActiveDir] Forest Trusts Accessing Resources
This is typically done in very security sensitive environments; however, it is a pain if you need to grant access to a lot of users from the trusted forest.

That is what scripts and command line tools are for. :o)

I am 100% behind not nesting groups from other domains into domain local groups[1] if you have any thoughts whatsoever on being sure about membership and who has access to a resource. Once the owner of the resource (and generally owner of the group that secures the resource) nests in another group, unless they own that group, they have lost control of who has access to the resource.

[1] Or even nesting globals into locals at all, unless you are trying to build some form of role based security structure, and even then I would be more apt to do domain local into domain local nesting. The single domain membership nature of global groups is annoying to me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, November 25, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest Trusts Accessing Resources

There is no single correct way - creating an extra universal group doesn't make any sense in your situation, since you only have a single domain in your trusted forest. However, you need to consider who manages the respective forests, what data you're granting access to in your resource forest and who is to control access to that data. By nesting a group from the trusted forest into a local group in the resource forest (which you then use to grant the rights on the resource), you're basically allowing the admins of the trusted forest to manage which users are granted access to the resource. This is typically ok, but needs to be understood. If you need to ensure that only specific users are granted access to the resource and this access must be controlled by the resource owners, then you'd want to add the users from the trusted forest directly to your local groups in the resource forest. This is typically done in very security sensitive environments; however, it is a pain if you need to grant access to a lot of users from the trusted forest. Both are valid options (other options are possible as well) - your requirements will determine what's the best option for you.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, 25 November 2005 11:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest Trusts Accessing Resources

Hi all...

Scenario: We have 2 Windows 2003 forests (forest functional level set at Windows 2003) and each forest has a single domain. There is a one-way trust between the two forests: Forest A trusts Forest B.

Question: We need to grant users in Forest B access to resources in Forest A. Having read Microsoft best practice KBs, they recommend creating a Global Group in Forest B and adding users to this. This Global Group is then added to a newly created Universal group, also in Forest B, which in turn is then added to a Domain Local Group in Forest A which is assigned permissions to the resource... phew!...

What issues would there be by just adding the Global Group in Forest B directly to the resource in Forest A?

Regards
David
RE: [ActiveDir] Query out all user members in nested groups
Unfortunately it won't expand groups; it goes the other way, finds all (or most all) memberships a user has. I have a couple of scripts that do this but nothing I can share publicly as they were written for customers. I keep meaning to write a tool to do it. I really want to write it, though, to do ASQ queries (as mentioned twice before today actually), but that only works against K3. I wish people would stop using 2K. ;o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, November 25, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Query out all user members in nested groups

I believe Joe's memberOf tool is what you are looking for:

-- http://joeware.net/win/free/tools/memberof.htm
RE: [ActiveDir] Quest Migration manager(OT)
Overall I wasn't thrilled about everything being named Active Directory this or that. There was and still is more than enough confusion with ADSI and whether or not you can use it for non-AD environments. It is entirely marketing driven.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, November 25, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Migration manager(OT)

They're being rebranded anyway. I believe the DS guys at the summit said IIFP will become Active Directory Meta Directory Services. Not sure if MIIS' name will change. Certificates and AD as we know it are all going to be rebranded, in what would appear to be a much more meaningful set of names. All under the lovely banner of Active Directory - which is good, as it gives all people, including numpty salesmen and "technical architects" (read stupid pre-sales people) a clear idea of the "family" of products that everything is to become...
RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?
If the applications are important enough to be tested, get them into your test environment. There are times other than domain upgrades, etc. that they will need to be tested as well. Running tests against production data is insane and asking for problems. If I were a manager of someone who did this, they would be fired. If I were the employee of a manager who said we had to do this, I would fight it tooth and nail.

I would liken this to testing a new fix-a-flat mixture. You could put the gunk into a flat tire on the freeway and run it up to 90 and see if it holds, or you could do it on a test track. If you did due diligence every step along the way, you probably aren't going to hurt anything. However, if you missed just one thing you could hurl off your side of the road and kill a family of six driving back from seeing grandma. After the fact, people would be asking you questions like, how did you justify that risk in your head?

There are test environments for a very specific reason. If you want to test in production, grow a set, sign up for the responsibility and have at it for real; don't think that a complicated set of controls might help alleviate issues, because even the set of controls is being tested.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, November 24, 2005 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Connecting the test environment to the production - what is your opinion?

Hi All,

I would be interested in your feedback concerning the story below. The full story is also available on my blog (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx). Any feedback on it would be appreciated! If you have questions feel free to ask! Thanks in advance!

Cheers,
Jorge

##

Now, independent of the reason why you want to do an in-place upgrade of the current NT4 domain to an AD domain, to just test the migration you install a new BDC in the production domain and sync it with the PDC. You move that BDC into a test environment and promote it to a PDC. For testing purposes you install an additional BDC in the test environment. To prepare for the domain upgrade you install 2 freshly installed W2K3 member servers, install and configure them with DNS/WINS/DHCP and configure them with the NT4Emulator and NeutralizeNT4Emulator registry keys. After that, reboot the servers!

So it's time to upgrade the NT4 PDC... but before doing so, also configure it with the NT4Emulator and NeutralizeNT4Emulator registry keys and reboot the PDC. After the PDC is up again the upgrade is started, and after a while the first W2K3 DC has been introduced. That same W2K3 DC is also the first GC and hosts all FSMO roles. Following this is the promotion of the 2 W2K3 member servers to AD DCs. After the promotion these new DCs might be configured as GCs and the FSMO roles might be transferred to one of them.

As your environment may consist of legacy clients (you may need to update them first, prior to installing the first W2K3 DC, with the latest service packs and/or the DSClient) and W2K/WXP/W2K3 clients and servers, you may want to test authentication against NT4/W2K3 DCs, only W2K3 DCs and only NT4 DCs. If you are satisfied with the results you could remove the NT4 BDCs and the upgraded W2K3 DC. At this moment you are left with 2 W2K3 DCs and the Forest Functional Level is set to Windows 2000 (choose this if the domain will also contain W2K DCs) or Windows Server 2003 Interim (choose this if the domain will only contain NT4 and W2K3 DCs). This choice is made during the upgrade of the NT4 PDC to a W2K3 DC. To stop the emulating stuff on the W2K3 DCs, the NT4Emulator and NeutralizeNT4Emulator registry keys are removed and the DCs are rebooted.

As soon as W2K/WXP/W2K3 clients and servers detect that the W2K3 DCs are not emulating anymore, these clients and servers will upgrade their secure channel to use Kerberos for authentication instead of NTLMv2. So at this moment the migration has been tested and the results are satisfying. However, before doing this in production you may just want to test the (core) applications against an AD domain, and additionally test the same applications against an AD domain in Forest Functional Level Windows Server 2003. So how are you going to do this, if it is not possible to introduce those (core) applications on servers/systems into the test environment? Now this is a wild and crazy scenario and I would love to know what your opinions are.

Description of the wild and crazy scenario...

So at this moment you have 2 W2K3 DCs hosting a domain that is practically the same as in production (same name, SIDs, etc.). These servers also host DNS and WINS. Only the two DCs, their names and IPs are different. As you use a server based computing (SBC) solution in your production environment, you install a WXP client and a SBC server in your test environment. On that SBC server
RE: [ActiveDir] Removing foreign accounts
To expand a little... An FSP is ONLY needed if you are referencing an object from a foreign domain in an attribute that takes DNs, like the member attribute. You have to use a valid DN. The creation of an FSP gives a valid DN to be used.

Completely agree with the SID cleanup Guido mentions. Also the fact that if a domain is shut down, there should be no harm in removing any FSPs referencing that domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, November 25, 2005 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Removing foreign accounts

FSPs are only created if you link a foreign account (from a trusted domain) to an object in AD, e.g. by means of adding him as a member to a domain local group - not when you assign permissions in AD to a foreign account (this will only store the object's SID in the ACL of the object). The latter is a bitch to clean up - same as when you've deleted an AD account/group that was granted permissions anywhere. There is no useful solution I'm aware of that tackles this issue - you'd have to dump the ACLs and check for unresolved SIDs yourself and then do your homework. But at least you will find all the memberships of the external accounts in the memberOf attribute of the FSP and should have no problem deleting them, esp. if the domain has been shut down (be careful if you have set up trusts to multiple domains...)

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, 24 November 2005 19:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Removing foreign accounts

Just curious, how do we know where that FSP is used in AD? If the FSP is a member of any group we can find them using the memberOf attribute of the FSP. But if that is not populated, it might be the case that someone directly and stupidly gave that FSP some right somewhere. How do we find that?

On 11/23/05, joe [EMAIL PROTECTED] wrote:

Go into the ForeignSecurityPrincipals container and delete all of the FSPs that exist from the old NT4 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ahmed Al-Awah
Sent: Tuesday, November 22, 2005 5:30 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Removing foreign accounts

Hello all,

Until recently we had two domains, a W2K domain and a WinNT4 domain. I've managed to finally shut down the Windows NT4 domain. However, given our previous setup and the trust relationships that existed between both domains, I'm left with several users from the old domain in AD groups on our primary Windows 2K domain. I was wondering if anyone had a script that would remove users from a particular domain from another domain's groups (removing all NT4 accounts from the W2K domain groups)? The reason I'd like to do this is because every time we attempt to access a group in AD with members from the previous domain we receive an error stating that some of the names cannot be shown in user-friendly form, which is primarily due to the fact that the previous domain has been shut down. I've searched the MS Script Repository to no avail. Any help is appreciated.

Cheers,
Ahmed
--
~~~"Fortune and Love befriend the bold"~~~
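As an added example, not from the thread: the two cleanup jobs joe and Guido describe, finding the FSPs that belong to the dead domain and finding ACEs whose trustee SID belongs to it, both come down to comparing the domain part of a SID (everything before the RID). The script below does both on constructed data: the domain SID of the old NT4 domain, the RDNs under CN=ForeignSecurityPrincipals and a DACL in SDDL form (as dsacls or a security-descriptor dump would give it) are all made up. It deliberately leaves alone FSPs that belong to a different, still trusted domain (Guido's warning) and well-known SIDs such as S-1-5-11, which also live in that container.

```python
"""Spot leftovers of a decommissioned trusted domain: its FSPs and orphaned ACEs.
Added example (Python), not code from the thread. Membership leftovers are the
FSPs under CN=ForeignSecurityPrincipals whose SID carries the dead domain's SID;
ACL leftovers are ACEs whose trustee is such a SID, which nothing resolves for
you once the domain is gone. The domain SID, the FSP names and the SDDL string
below are all constructed.
"""
import re

DEAD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed: the old NT4 domain

# Constructed: RDNs of objects under CN=ForeignSecurityPrincipals,DC=intara,DC=com
FSP_NAMES = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-1111111111-2222222222-3333333333-1203",
    "S-1-5-21-4444444444-5555555555-6666666666-1001",  # a different, still trusted domain
    "S-1-5-11",                                          # Authenticated Users: well-known, keep
]

# Constructed: a security descriptor in SDDL as dumped from an OU where NT4 principals had rights
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;BA)"
    "(A;;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;0x1200a9;;;S-1-5-21-4444444444-5555555555-6666666666-1001)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1203)"
    "S:(AU;SA;WD;;;WD)"
)

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def domain_sid(sid):
    """S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c; None for anything that is not a domain principal."""
    if not SID_RE.match(sid) or not sid.startswith("S-1-5-21-") or sid.count("-") != 7:
        return None
    return sid.rsplit("-", 1)[0]

def fsps_from_domain(fsp_names, dead):
    """FSPs of the dead domain only; other trusts' FSPs and well-known SIDs are left alone."""
    return [name for name in fsp_names if domain_sid(name) == dead]

def fsp_dns(fsp_names, domain_dn):
    """DNs for a deletion script: CN=<sid>,CN=ForeignSecurityPrincipals,<domain DN>."""
    return ["CN=%s,CN=ForeignSecurityPrincipals,%s" % (n, domain_dn) for n in fsp_names]

def dacl_aces(sddl):
    """ACE strings of the DACL: the part of the SDDL after 'D:' and before any 'S:' (SACL)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return re.findall(r"\(([^)]*)\)", dacl)

def orphaned_trustees(sddl, dead):
    """Trustee SIDs in the DACL that belong to the dead domain.

    An ACE is type;flags;rights;object_guid;inherit_guid;trustee. Two-letter
    aliases such as BA or WD are well-known accounts and can never be orphaned.
    """
    found = []
    for ace in dacl_aces(sddl):
        fields = ace.split(";")
        if len(fields) >= 6 and domain_sid(fields[5]) == dead:
            found.append(fields[5])
    return found

if __name__ == "__main__":
    for dn in fsp_dns(fsps_from_domain(FSP_NAMES, DEAD_DOMAIN_SID), "DC=intara,DC=com"):
        print("delete:", dn)
    for sid in orphaned_trustees(SAMPLE_SDDL, DEAD_DOMAIN_SID):
        print("orphaned ACE trustee:", sid)
```

Feed it the real listing of the FSP container and the SDDL of the objects you care about: fsp_dns gives the DNs to hand to a deletion script, and orphaned_trustees tells you which ACLs still need editing by hand, since those SIDs will never resolve again once the domain is gone.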
RE: [ActiveDir] Outlook installed on a DC
Your manager is a soft fleshy milk-secreting glandular organ.

Every new piece of software added to any machine is a new possible threat vector. DCs are the bastion of your Windows network security. You run the absolute minimum on a DC that you can run (yes, SBS makes me squeamish but that isn't a surprise to Susan). I don't think it is ever a good idea to run Outlook on any server except maybe a TS, and the admins better not ever launch it. Outlook is not an email server, it is a client app; when someone tells me they need it for their server app, I laugh and tell them to find a better app or another way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, November 24, 2005 11:39 AM
To: Active
Subject: [ActiveDir] Outlook installed on a DC

Hi all,

I have a problem whereby I've been asked by a manager to install Outlook on our DCs to allow us to email back the services team when backups have failed. I am dead against this; I have just managed to split the DC, File and Print roles and reduce the number of domain admins. My gut feeling is against this, though I have no technical reason why this is bad? Does anyone have any views or advice on this matter? Any scenarios that could occur would be nice...

thanks
Frank
RE: [ActiveDir] Proving a User is logged on to the domain
If there were an easy way to guarantee it I would have just pointed at that. Since there isn't, I wanted to know how accurate the info needs to be so you can determine how much work you are willing to do.

I wouldn't guarantee that info as accurate, no. The user's PC could somehow be unavailable for a moment or blocking you from querying it, and users don't always register a messenger record for users logged onto the machine. For instance, if I look at the name table for the machine I am currently logged on to, typing this message, I have no messenger record for me. Most likely I was logged in someplace else and the name collided so I wasn't able to register it. Additionally someone could have hibernated for the moment you tried to reach out to their PC, or they could have unplugged, or the wireless dropped, or any number of things. How do you treat a machine you A) can't resolve, B) can't contact (firewall or very very busy or ???), C) can't get to respond to a NetBIOS name table request?

The only way approaching any kind of guaranteed way would be to place a positively secure client, probably running at the driver level, on every machine you care about and have it monitoring who is logged on (in all sessions, because what about RCMD or psexec or telnet, etc.), when the machine is functioning on the network, etc. Basically, to get something that would legally stand up in court, it is very very very tough to get that info and have any sort of guarantee behind it. To get a rough guess at what you have, your idea will work, a logon script that registers info somewhere will work, etc.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 23, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Proving a User is logged on to the domain

joe,

I'm surprised at such a Technocrat as you missing that. Of all people! ;-) I would expect you to respond to your own question from, like, say, somebody else as follows:

joe Information is like pregnancy, it's either true (hence accurate) or it's false. It can't be anything else. It's either accurate or not.

Just playing with you boss (YMYMYM). Yes sir! I need the information to be accurate, to answer your question. I suppose I could rely on my NBTSTAT query.

[1] I monitor the logs.
[2] I see the User logged on to PCx.
[3] I ping PCx and get its IP address.
[4] I run nbtstat -A IPAddressOfPCx.
[5] NBTSTAT reports the NetBIOS name of the PC AND who is logged on.

Would you state that to be accurate?

Thanks for responding. Happy Thanksgiving.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, November 23, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Proving a User is logged on to the domain

Lots of suggestions on how to do this, but the first thought that came to my mind was how strongly do you have to guarantee the accuracy of your information? Finding out when someone logged on is an audit item: you enable auditing and collect the logs. Proving that someone is STILL logged on and active is tougher. User could be hibernated or had their machine unplugged or any number of things. So you have to go back to their machine and actually have it tell you if the user is logged on. That is much more involved than the auditing, and auditing is not really all that easy if you have a lot of DCs or a lot of events.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 23, 2005 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Proving a User is logged on to the domain

Gentlemen,

Is there a preferred and/or easy way to prove that a User has logged on to the Domain and is currently operating (i.e. able to access resources)? The question is not whether he can get to a resource or not, but only that he has successfully logged in to a domain from some computer and is considered live on the Domain? I have not been able to figure that out yet.

By the way, Happy Thanksgiving to all this day!!

Thanks.
RH

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
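Rocky's five steps end with reading the nbtstat -A name table. The added example below (not code from the thread) parses that output and applies joe's caveats: the computer's own <03> name is separated from a user's messenger name, and "no messenger record" and "no answer from the host" come back as distinct results instead of both looking like nobody is logged on. The three nbtstat outputs it runs against, the machine name PCX and the user FABAGNALE are constructed.

```python
"""Read 'nbtstat -A <ip>' output the way steps [4] and [5] of the thread use it.
Added example (Python), not from the thread. The remote name table holds a unique
<03> name for the computer and, if the Messenger service managed to register it,
another unique <03> name for the logged-on user. The parser separates the two and
reports 'no user record' and 'host unreachable' as distinct outcomes, because
neither proves that nobody is logged on. All sample outputs are constructed.
"""
import re

NBTSTAT_WITH_USER = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    PCX            <00>  UNIQUE      Registered
    INTARA         <00>  GROUP       Registered
    PCX            <20>  UNIQUE      Registered
    INTARA         <1E>  GROUP       Registered
    PCX            <03>  UNIQUE      Registered
    FABAGNALE      <03>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
"""

# Same machine, but the user's messenger name never registered (name collision, service off)
NBTSTAT_NO_USER = "\n".join(l for l in NBTSTAT_WITH_USER.splitlines() if "FABAGNALE" not in l) + "\n"

NBTSTAT_UNREACHABLE = "Local Area Connection:\nNode IpAddress: [192.0.2.10] Scope Id: []\n\n    Host not found.\n"

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$", re.M)

def name_table(output):
    """[(name, suffix, type, status)] for every row of the name table."""
    return [(m.group(1), m.group(2).upper(), m.group(3), m.group(4)) for m in ROW_RE.finditer(output)]

def machine_names(rows):
    """The workstation's own names: its unique <00> entries."""
    return {name for name, suffix, kind, _ in rows if suffix == "00" and kind == "UNIQUE"}

def logged_on_users(output):
    """Unique <03> names that are not the computer itself: messenger names of logged-on users."""
    rows = name_table(output)
    machines = machine_names(rows)
    return [name for name, suffix, kind, status in rows
            if suffix == "03" and kind == "UNIQUE" and status == "Registered" and name not in machines]

def interpret(output):
    """('users', [...]) when a record exists; otherwise say why not, never 'nobody is on'."""
    if "Host not found" in output or not name_table(output):
        return ("unreachable", [])
    users = logged_on_users(output)
    if not users:
        return ("no_messenger_record", [])
    return ("users", users)

if __name__ == "__main__":
    for sample in (NBTSTAT_WITH_USER, NBTSTAT_NO_USER, NBTSTAT_UNREACHABLE):
        print(interpret(sample))
```

Pipe the real command output into interpret() per machine; the point of the three-way result is that only the "users" case is evidence, and even that is evidence of a registered name, not of an active session.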
RE: [ActiveDir] OldCmp
So, other than the bug reports and requests I have received previously, prior to this email, it is perfect? Cool.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 18, 2005 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp

Ok, so now that you have had time to play with oldcmp and you have decided you like it, or maybe just simply deal with it, or it really upsets you, what would you change about it? If it were your app and you were like, "I need to make this better", what things would you do to it to make it better? Like, for instance, you are sitting there and you think, "man, this is cool, but it would be really cool if X". I am starting to feel the urge to dig into that code again, and since the first version was driven in great part by requests from this list, I figured I would ask about it before going off and making changes from my own head and from previous requests or issues I have heard or assumed from things I have heard. Ping me with an email directly at this address or the one from the usage screen. Obviously, if you have thoughts about other tools that I have out there, I always welcome those comments as well.

joe

P.S. Anyone on this list work for Borland, or know someone well that works at Borland, that could comp me a copy of the new Borland C++ Builder 2006 or give me a really good price break? I have a copy of Visual Studio 2005 but it just doesn't do it for me. The cool stuff[1] assumes you want to code using .NET, and you know what they say about assumptions.

[1] Like quick and easy service creation and Windows GUI app building, which BB did long ago with native code.
RE: [ActiveDir] userCertificate Property in Active Directory
Very cool, thanks for sharing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 21, 2005 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userCertificate Property in Active Directory

Thanks, I think I figured it out. For those interested, here's the bit of code.

Thanks,
Dave

' CAPICOM store constants (not predefined in VBScript): in-memory store, opened read/write
Const CAPICOM_MEMORY_STORE = 0
Const CAPICOM_STORE_OPEN_READ_WRITE = 1

' Bind to the current user's own object by its DN and read the first userCertificate value
Set objAdsysinfo = CreateObject("ADSystemInfo")
Set objMe = GetObject("LDAP://" & objAdsysinfo.UserName)
objCer = objMe.usercertificate(0)

' Import the certificate bytes into an in-memory CAPICOM store and show the issuer
Set myStore = CreateObject("CAPICOM.Store")
myStore.Open CAPICOM_MEMORY_STORE, "My", CAPICOM_STORE_OPEN_READ_WRITE
myStore.Import objCer
Set objCert = myStore.Certificates(1)
MsgBox objCert.IssuerName
RE: [ActiveDir] Active Directory 3rd Book
Most all of the scripts have been modified. Several of the larger main scripts were modified considerably or completely rewritten. The chapters I recall the biggest changes to were the Security, Schema, and Replication chapters. At least those are the ones that I got stuck on for some time that stuck out in my head. There were terms in the replication chapter for which the only Google hits were for the AD 1E and 2E books, so I tried to bring that all up to match the MS docs and names for the concepts, etc. Again, the security chapter changes were huge; the previous examples really were not "optimal". The ADAM chapter, R2 chapter, and Exchange Basic Tasks chapter are new to the book. The Exchange Basic Tasks chapter is a slightly reduced and updated version of the chapter I wrote for the Server 2003 cookbook. The R2 chapter is very small and, quite frankly, there really isn't anything tricky about upgrading to R2. The ADAM chapter is all new and should be useful.

In terms of joeware version numbers, this wouldn't have been a 1.1 to 1.2 change, this would have been a 1.1 to 2.0 change.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, November 21, 2005 12:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory 3rd Book

Does anyone know if the scripting portion of the book was changed significantly? Or better yet, does anyone have a listing of the chapters that underwent a major change since the 2nd edition (I know about the security chapter)? I have both editions and loved each one. The first edition was the first AD book I ever read. I think that this AD book and Inside Active Directory 2nd ed. are the best AD books out there, and I recommend them to everyone I know in AD!

Thanks

On 11/21/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

Yes and yes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Friday, November 18, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Is Robbie Allen still going to MIT for his Masters or is he back at Cisco?

Sincerely,
Jose Medeiros
ADP | National Account Services ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 18, 2005 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

LOL. Umm no.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, November 18, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Who wants to hear Joe do a Cornet solo at DEC???!!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 18, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

You will probably find me, if you can find me there, in the penny slots or on one of those darn Wheel of Fortune slot machines.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Wednesday, November 16, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I am hoping to bring a copy with me to Henderson, NV in March 2006 (DEC 2006). Hopefully, the author will be there to sign it!

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 11/16/2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Hey Joe, if I buy it, will you autograph it? I already asked Robbie to present at our user group and do a book signing. Would you be interested as well?

Sincerely,
Jose Medeiros
ADP | National Account Services ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 16, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Not available yet, it is Active Directory Third Edition, from O'Reilly publishing. As soon as Amazon has it available I will have a link to it from my website - http://www.joeware.net - and announce it in my blog, http://blog.joeware.net. If you don't like purposely inflaming blog entries, I recommend pointing the RSS feed at the tech-specific links, though you still won't avoid them, just the non-technical ones. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Etts, Russell
Sent: Tuesday, November 15, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I'm sorry for
RE: [ActiveDir] How to Force application of inheritance for OUs that have inheritance blocked - Correction.
You will need to either browse to the level and recheck the inheritance box or use dsacls with /P:N on each OU that has inheritance disabled. Alternatively you could write a script that modifies the ACLs directly. Probably the best/easiest way would be to write a script that takes the OU you specify, does a query for all OUs below it, and then does a dsacls /P:N for each OU found.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Wednesday, November 16, 2005 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to Force application of inheritance for OUs that have inheritance blocked - Correction.

Hi,

No one answered me, snif snif ;o) I think that you would probably say "no, it is not possible", and I think it too... but I just asked the question, we never know... Have a nice day :)

Yann

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Mon 14/11/2005 23:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to Force application of inheritance for OUs that have inheritance blocked - Correction.

I made a little mistake about the subject of my previous mail. It is rather "how to Force application of inheritance for OUs that have inheritance blocked."

Cheers,
Yann
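The audit step behind joe's suggestion above (find every OU below a given OU whose inheritance is blocked, then feed each one to dsacls /P:N), as an added example that is not code from the thread. It reads the control word of a self-relative security descriptor, which is what an LDAP read of nTSecurityDescriptor returns; the DNs and descriptor bytes are constructed for the sample.

```python
"""Added example: list the OUs under a base OU whose DACL is protected from
inheritance and emit the dsacls command joe describes for each of them."""
import struct

# Control flags from the SECURITY_DESCRIPTOR header (MS-DTYP 2.4.6).
SE_DACL_PRESENT = 0x0004
SE_DACL_PROTECTED = 0x1000   # the "block inheritance" state
SE_SELF_RELATIVE = 0x8000

# Header: Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4)
#         OffsetSacl(4) OffsetDacl(4), all little-endian
_HEADER = struct.Struct("<BBHIIII")


def dacl_inheritance_blocked(sd: bytes) -> bool:
    """True when the descriptor's DACL is marked protected from inheritance."""
    if len(sd) < _HEADER.size:
        raise ValueError("security descriptor too short")
    revision, _sbz1, control, *_offsets = _HEADER.unpack_from(sd)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision 1 security descriptor")
    return bool(control & SE_DACL_PRESENT and control & SE_DACL_PROTECTED)


def is_below(dn: str, base_dn: str) -> bool:
    """Strict subtree test: dn ends with ',' + base_dn (case/space tolerant)."""
    def norm(s):
        return ",".join(part.strip() for part in s.split(",")).lower()
    return norm(dn).endswith("," + norm(base_dn))


def dsacls_commands(ous, base_dn):
    """ous: iterable of (dn, nTSecurityDescriptor bytes).
    Returns the dsacls lines that re-enable inheritance on the protected OUs
    below base_dn; the base OU itself and OUs elsewhere are left untouched."""
    return [f'dsacls "{dn}" /P:N' for dn, sd in ous
            if is_below(dn, base_dn) and dacl_inheritance_blocked(sd)]


def make_sd(control: int) -> bytes:
    """Constructed header-only descriptor for the sample (offsets all zero)."""
    return _HEADER.pack(1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, 0)


# Constructed sample directory: only Finance under Corp has inheritance
# blocked; HR is protected too but lives outside the base OU.
BASE = "OU=Corp,DC=example,DC=com"
SAMPLE_OUS = [
    ("OU=Sales,OU=Corp,DC=example,DC=com", make_sd(SE_DACL_PRESENT)),
    ("OU=Finance,OU=Corp,DC=example,DC=com",
     make_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED)),
    ("OU=HR,OU=Other,DC=example,DC=com",
     make_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED)),
]

if __name__ == "__main__":
    for line in dsacls_commands(SAMPLE_OUS, BASE):
        print(line)
```

Against a live domain the input would come from a subtree LDAP search for organizationalUnit objects under the base OU returning nTSecurityDescriptor; review the list before running it, since /P:N lets the parent's ACEs flow down onto each OU.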
RE: [ActiveDir] OT:Exchange move settings from one to another and it looks like this gets stuck in AD somewhere
Yes. Unfortunately not with adfind, and admod doesn't handle CSV input yet. It will, just not yet.

Keep in mind that msExchTurfListNames is a multivalue attribute that has a fixed limit... On 2K it will be ~850 values, and with K3 it is somewhere around ~1300 values, when you will hit "administrative limit exceeded" and be unable to add any more new values to that attribute and no new attributes to that object.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 23, 2005 10:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange move settings from one to another and it looks like this gets stuck in AD somewhere

Can I export out the blocked sender list and use them in another server?: http://msmvps.com/bradley/archive/2005/10/23/72481.aspx

Thanks Brian [and Joe!]

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

http://www.webservertalk.com/message155871.html

Man does that need a GUI front end...

Using server: kikibitzfinal.Kikibitzrtm.local
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=Kikibitzrtm,DC=local

dn: CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=KIKIBITZRTM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Kikibitzrtm,DC=local
objectClass: top
objectClass: msExchSMTPTurfList
cn: Default Message Filter
distinguishedName: CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=KIKIBITZRTM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Kikibitzrtm,DC=local
instanceType: 4
whenCreated: 20031114195547.0Z
whenChanged: 20051024020843.0Z
uSNCreated: 21532
uSNChanged: 1585305
showInAdvancedViewOnly: TRUE
name: Default Message Filter
objectGUID: {F785B680-45FF-49B5-AF67-204BA8062D03}
versionNumber: 7638
systemFlags: 1073741824
objectCategory: CN=ms-Exch-SMTP-Turf-List,CN=Schema,CN=Configuration,DC=Kikibitzrtm,DC=local
dSCorePropagationData: 20031114205848.0Z
dSCorePropagationData: 20031114200645.0Z
dSCorePropagationData: 16010101000417.0Z
msExchTurfListNames: @doofus.com
msExchTurfListNames: @reallywacko.com
msExchTurfListNames: @reallyreallywacko.com
msExchTurfListNames: @wacko.com

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Okay, so an SBSer asked if he could take the .txt file he has of domains he wants to block and bulk insert them into that place in Exchange servers and reinstall in an existing rebuilt one [not a backup mind you]. And checking with Brian ahead of time to make sure this wasn't a stupid question: that looks like something that would ultimately get stuck somewhere in AD, yes? And in looking at adsiedit.msc ... [and do you guys not have a search button in this sucker somewhere?] it does look like it might be stuck somewhere in here? So can one bulk import a block list into an Exchange server, and if so, how does one do that?
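One way to do the bulk import Susan asks about, as an added example that is neither code from the thread nor from adfind/admod: turn a plain text file of domains into an LDIF modify record for msExchTurfListNames, and refuse to push the attribute past the ceiling joe mentions. The target DN is the one in the dump above; the domain list is constructed and the limit value is the thread's approximate figure.

```python
"""Added example: build an LDIF change record that adds block-list domains
to msExchTurfListNames without exceeding the multivalue ceiling."""

# Approximate per-attribute ceiling quoted in the thread for Exchange 2000
# (the Exchange 2003 figure given is ~1300); treat both as rough, not exact.
DEFAULT_LIMIT = 850

# DN of the filter object from the dump above.
TARGET_DN = ("CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,"
             "CN=KIKIBITZRTM,CN=Microsoft Exchange,CN=Services,CN=Configuration,"
             "DC=Kikibitzrtm,DC=local")


def normalise(entries):
    """Trim, lower-case and '@'-prefix each entry; drop blanks, '#' comments
    and duplicates while keeping first-seen order."""
    seen, out = set(), []
    for raw in entries:
        item = raw.strip().lower()
        if not item or item.startswith("#"):
            continue
        if not item.startswith("@"):
            item = "@" + item
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def turf_list_ldif(domains, existing=(), dn=TARGET_DN, limit=DEFAULT_LIMIT):
    """Return an LDIF 'modify/add' record for the domains not already present
    ('' when there is nothing to add). Raises ValueError when the resulting
    value count would exceed the limit, because the directory then reports
    'administrative limit exceeded' and the attribute stops accepting values."""
    current = set(normalise(existing))
    new = [d for d in normalise(domains) if d not in current]
    if len(current) + len(new) > limit:
        raise ValueError(f"{len(current) + len(new)} values would exceed the "
                         f"limit of {limit} for msExchTurfListNames")
    if not new:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "add: msExchTurfListNames"]
    lines += [f"msExchTurfListNames: {d}" for d in new]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed input: what a blocklist.txt might contain, including noise.
BLOCKLIST_TXT = """# domains to block
spammer.example
@Spammer.example

junk.example
"""
# Values already on the object (taken from the dump above).
EXISTING = ["@doofus.com", "@reallywacko.com", "@reallyreallywacko.com", "@wacko.com"]

if __name__ == "__main__":
    # Write the output to a .ldf file and import it with: ldifde -i -f <file>
    print(turf_list_ldif(BLOCKLIST_TXT.splitlines(), EXISTING), end="")
```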
RE: [ActiveDir] Scripts/client name/AD groups
No, user group membership is handled, well, on the user object. You would need to write an app or script that looked up the client, found the user, then modified the user's membership. However, that wouldn't take effect again until the user logged off and logged on.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Gauss
Sent: Tuesday, November 15, 2005 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripts/client name/AD groups

Here is the situation. We are running Terminal Services with Tarantella Secure Global Desktop. Due to Microsoft's wonderful licensing scheme and the cost of MS Office, we currently only have MS Office on maybe 20% of our computers and Open Office on the other 80%. We are looking at centralizing the applications via Secure Global Desktop. I can connect to the Terminal Services server, go to a command prompt and run SET. I see my computer's name in the CLIENTNAME field. What I am wondering is if anyone knows if there is a way to set a user's AD Group Membership on a Terminal Services server by using the Client Name? Not sure if it is even possible. Thanks.
RE: [ActiveDir] OldCmp
I scanned through the list of current switches and you appear to already have everything I was going to ask for. :) The only item I wasn't 100% certain on was if it can query lastLogon. I saw references to pwdLastSet and lastLogonTimeStamp. The ability to query lastLogon would be nice for environments that aren't 2003 DFL and may not have a good password policy, or where for whatever reason pwdLastSet isn't a great solution by itself. I know it's less efficient since it has to query every DC in a domain, but it's still useful in certain scenarios.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, November 26, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp

So, other than the bug reports and requests I have received previously, prior to this email, it is perfect? Cool.
RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?
Hi Joe and Al,

Thank you both for the reactions. I know how I think about it and what I told the client that proposed this. I think your reactions say enough about the wild idea. The client that proposed this was told by me and a colleague that, although it seems OK, the risks are too high and other alternatives should be explored, like putting the app (although modeled maybe) in the test environment, etc. The gut feeling was not OK (or better yet, it was wrong), because nothing should be missed (as you explain in your example) and no mistakes could be made. All alternatives we gave were thrown away. Main reasons: not possible, too complicated, no time, etc. After a while we were getting the impression something else was on the agenda... We thought he had promised something to management and was trying to get us to say "yes, this wild idea is OK", as that seemed the possible answer to him. And if something would go wrong, guess who he would blame? The guy was not happy with what we told him. I also advised him to ask the vendors of the app if these work in a W2K3 environment with a certain functional level (what issues could be expected), and I advised him to ask Microsoft the same question as he asked us (with the remark that Microsoft probably is going to say: no way, don't do that!, etc.) Well, he called Microsoft and guess what the answer was? DON'T DO THAT! At that point he started complaining that technicians were not thinking and helping him to accomplish this migration. (I was just hired for a day to talk about implementing GPOs and the migration.) Although I most certainly knew the answer people would give, I was still interested in WHAT people had to say about it, but also HOW they would say it!

In the end I told him: I advise against it, but if you want to, go for it, cross the highway with your eyes closed! The slightest chance exists you will survive it, but be prepared, as you most probably will become roadkill. For both you need to take responsibility. It is your decision!

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 11/26/2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

If the applications are important enough to be tested, get them into your test environment. There are times other than domain upgrades, etc. that they will need to be tested as well. Running tests against production data is insane and asking for problems. If I were a manager of someone who did this, they would be fired. If I was the employee of a manager who said we had to do this, I would fight it tooth and nail.

I would liken this to testing a new fix-a-flat mixture. You could put the gunk into a flat tire on the freeway and run it up to 90 and see if it holds, or you could do it on a test track. If you did due diligence every step along the way, you probably aren't going to hurt anything. However, if you missed just one thing you could hurl off your side of the road and kill a family of six driving back from seeing grandma. After the fact, people would be asking you questions like, how did you justify that risk in your head?

There are test environments for a very specific reason. If you want to test in production, grow a set, sign up for the responsibility and have at it for real; don't think that a complicated set of controls might help alleviate issues, because even the set of controls is being tested.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, November 24, 2005 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Connecting the test environment to the production - what is your opinion?

Hi All,

I would be interested in your feedback concerning the story below. The full story is also available on my blog (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx). Any feedback on it would be appreciated! If you have questions, feel free to ask! Thanks in advance!

Cheers,
Jorge

##

Now, independent of the reason why you want to do an in-place upgrade of the current NT4 domain to an AD domain, to just test the migration you install a new BDC in the production domain and sync it with the PDC. You move that BDC into a test environment and promote it to a PDC. For testing purposes you install an additional BDC in the test environment. To prepare for the domain upgrade you install 2 freshly installed W2K3 member servers, install and configure them with DNS/WINS/DHCP and configure them with the NT4Emulator and NeutralizeNT4Emulator registry keys. After that, reboot the servers! So it's time to upgrade the NT4 PDC... but before doing so, also configure it with the NT4Emulator and NeutralizeNT4Emulator registry keys and reboot the PDC. After the PDC is up again the upgrade is started and after a while the first W2K3
[ActiveDir] FRSInlog
Hi

I am using the Microsoft Sonar tool to keep an eye on my 6 DCs in 2 domains - FRS / SYSVOL. Last week Sonar flagged a few errors - FRSInlog, FRSSets - I am not impressed by the help file you don't get with Sonar - so what do these errors mean? FRSInlog?? or FRSSets??

Thanks for help
James
RE: [ActiveDir] How to Force application of inheritance for OUs that have inheritance blocked - Correction.
Thanks for your answer joe :)

Yann.

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 26/11/2005 17:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to Force application of inheritance for OUs that have inheritance blocked - Correction.
Re: [ActiveDir] Outlook installed on a DC
I'm convinced that Joe wouldn't even want a c:\ on the screen. Maybe a c or a colon or a slash... but all three? Too much bloat. ;-)

joe wrote:

Your manager is a soft fleshy milk-secreting glandular organ. Every new piece of software added to any machine is a new possible threat vector. DCs are the bastion of your Windows network security. You run the absolute minimum on a DC that you can run (yes, SBS makes me squeamish, but that isn't a surprise to Susan). I don't think it is ever a good idea to run Outlook on any server except maybe a TS, and the admins better not ever launch it. Outlook is not an email server, it is a client app; when someone tells me they need it for their server app, I laugh and tell them to find a better app or another way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Thursday, November 24, 2005 11:39 AM
To: Active
Subject: [ActiveDir] Outlook installed on a DC

Hi all,

I have a problem whereby I've been asked by a manager to install Outlook on our DCs to allow us to email back the services team when backups have failed. I am dead against this; I have just managed to split the DC File and Print roles and reduce the number of domain admins. My gut feeling is against this, though I have no technical reason why this is bad? Does anyone have any views or advice on this matter? Any scenarios that could occur would be nice...

thanks
Frank
RE: [ActiveDir] Outlook installed on a DC
lol. :)

Susan, what if you had a server that you couldn't do any GUI from, but instead you loaded up the GUI to control the server on a workstation? Would that be good enough for you, or do you absolutely HAVE to run the GUI on the server?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 26, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook installed on a DC
RE: [ActiveDir] OldCmp
Yeah, I have been thinking about that one for a while. I don't just want to do it, I would want to do it efficiently and with some measure of a guarantee, which is tough, especially in large environments or environments with WAN sites (for instance, if there are one or more DCs that you can't contact, how do you make ANY decisions? You don't have all of the info). You could disable an ID that is absolutely in use; you just didn't talk to the one DC that it authenticates against. Using lastLogon can be dangerous in my opinion. lastLogonTimeStamp is also a bit touchy, but at least if the DC connects occasionally the stamps should get updated. I would visualize I would have to add switches like "allow X DCs to not respond and still do something", or allow a list of DCs to be specified that if they don't respond it doesn't matter what they have to say. Of course speed and possibly memory could be impacted.

To be honest, my favorite method is to use pwdLastSet. I think folks who like to have non-expiring IDs are a bit kookoo. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: Saturday, November 26, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp
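The decision logic joe sketches above (take lastLogon from every DC, since it is not replicated, and only call an account stale when no DC that could hold a newer value was left unqueried, with switches to excuse or tolerate silent DCs), as an added example that is not oldcmp code. DC names, accounts and timestamps below are constructed.

```python
"""Added example: aggregate per-DC lastLogon values and classify an account
as active, stale, or undecided when unreachable DCs make a stale verdict unsafe."""
from datetime import datetime, timedelta, timezone

# AD stores lastLogon as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNREACHABLE = None  # marker for a DC that did not answer the query


def filetime_to_datetime(ft):
    """FILETIME integer -> aware datetime; 0 means 'never logged on' -> None."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so it stays exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def newest_logon(per_dc):
    """Newest non-zero lastLogon across the DCs that answered, or None."""
    times = [filetime_to_datetime(ft) for ft in per_dc.values() if ft is not UNREACHABLE]
    times = [t for t in times if t is not None]
    return max(times) if times else None


def classify_account(per_dc, now, stale_after, excused_dcs=(), max_silent=0):
    """per_dc maps DC name -> lastLogon FILETIME, or UNREACHABLE.
    excused_dcs: DCs whose silence is acceptable (joe's 'list of DCs that
    don't matter'); max_silent: how many other silent DCs to tolerate.
    Returns (verdict, newest, silent_dcs), verdict in {'active','stale','undecided'}."""
    silent = sorted(dc for dc, ft in per_dc.items() if ft is UNREACHABLE)
    newest = newest_logon(per_dc)
    # A recent logon seen on any DC settles it: an unqueried DC could only
    # hold a newer value, which would not change the verdict.
    if newest is not None and now - newest <= stale_after:
        return "active", newest, silent
    # Calling it stale needs evidence from every DC, because the one DC we
    # could not reach may be the only one the user ever authenticates against.
    unexcused = [dc for dc in silent if dc not in excused_dcs]
    if len(unexcused) > max_silent:
        return "undecided", newest, silent
    return "stale", newest, silent


# Constructed sample: three DCs, a 90-day threshold, evaluated on 2005-11-26.
NOW = datetime(2005, 11, 26, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
SAMPLE = {
    "jdoe": {"dc1": datetime_to_filetime(datetime(2005, 11, 20, tzinfo=timezone.utc)),
             "dc2": 0, "dc3": UNREACHABLE},
    "asmith": {"dc1": datetime_to_filetime(datetime(2005, 6, 1, tzinfo=timezone.utc)),
               "dc2": 0, "dc3": UNREACHABLE},
    "svc_old": {"dc1": 0, "dc2": 0, "dc3": 0},
}


def report(sample=SAMPLE, excused_dcs=()):
    """Verdict per account; 'undecided' means retry the silent DCs, not disable."""
    return {user: classify_account(per_dc, NOW, STALE_AFTER, excused_dcs)[0]
            for user, per_dc in sample.items()}


if __name__ == "__main__":
    for user, verdict in report().items():
        print(f"{user}: {verdict}")
    # With dc3 excused (say, a decommissioned DC), asmith becomes 'stale'.
    print(report(excused_dcs=("dc3",)))
```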
RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?
Been there. Someone has a hare-brained idea and wants you to sign up to back it... There have been times I have signed up, but any time I have any unease about it I won't even think about signing up, especially if I was consulted as an expert. If the person asks you and then fights you on the answer, they aren't looking for your opinion, they are looking for a fall guy.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, November 26, 2005 12:26 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

Hi Joe and Al,

Thank you both for the reactions. I know how I think about it and what I told the client that proposed this. I think your reactions say enough about the wild idea. The client that proposed this was told by me and a colleague that although it seems OK, the risks are too high and other alternatives should be explored, like putting the app (although modeled maybe) in the test environment, etc. The gut feeling was not OK (or better yet, it was wrong), because nothing should be missed (as you explain in your example) and no mistakes could be made. All alternatives we gave were thrown away. Main reasons: not possible, too complicated, no time, etc. After a while we were getting the impression something else was on the agenda... We thought he had promised something to management and was trying to get us to say "yes, this wild idea is OK", as that seemed the possible answer to him. And if something would go wrong, guess who he would blame? The guy was not happy with what we told him. I also advised him to ask the vendors of the app if these work in a W2K3 environment with a certain functional level (what issues could be expected), and I advised him to ask Microsoft the same question as he asked us (with the remark that Microsoft probably is going to say: no way, don't do that!, etc.)

Well, he called Microsoft and guess what the answer was? DON'T DO THAT! At that point he started complaining that technicians were not thinking and helping him to accomplish this migration. (I was just hired for a day to talk about implementing GPOs and the migration.) Although I most certainly knew the answer people would give, I was still interested in WHAT people had to say about it, but also HOW they would say it! In the end I told him: I advise against it, but if you want to, go for it, cross the highway with your eyes closed! The slightest chance exists you will survive it, but be prepared, as you most probably will become roadkill. For both you need to take responsibility. It is your decision!

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 11/26/2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Connecting the test environment to the production - what is your opinion?

If the applications are important enough to be tested, get them into your test environment. There are times other than domain upgrades, etc. that they will need to be tested as well. Running tests against production data is insane and asking for problems. If I were a manager of someone who did this, they would be fired. If I was the employee of a manager who said we had to do this, I would fight it tooth and nail.

I would liken this to testing a new fix-a-flat mixture. You could put the gunk into a flat tire on the freeway and run it up to 90 and see if it holds, or you could do it on a test track. If you did due diligence every step along the way, you probably aren't going to hurt anything. However, if you missed just one thing you could hurl off your side of the road and kill a family of six driving back from seeing grandma. After the fact, people would be asking you questions like, how did you justify that risk in your head? There are test environments for a very specific reason.

If you want to test in production, grow a set, sign up for the responsibility and have at it for real; don't think that a complicated set of controls might help alleviate issues, because even the set of controls is being tested.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, November 24, 2005 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Connecting the test environment to the production - what is your opinion?

Hi All,

I would be interested in your feedback concerning the story below. The full story is also available on my blog (http://blogs.dirteam.com/blogs/jorge/archive/2005/11/24/149.aspx). Any feedback on it would be appreciated! If you have questions, feel free to ask! Thanks in advance!

Cheers,
Jorge

## Now, independent of the reason why you want to do an in-place upgrade of the current NT4 domain to an AD domain, to just test the migration you install a new BDC
Re: [ActiveDir] Outlook installed on a DC
You do realize we even have folks that turn themes on their SBS boxes because they want it to look 'pretty'. :-)

There are still times you have to be 'on' a box ...especially down here.

joe wrote:

lol. :)

Susan, what if you had a server that you couldn't do any GUI from but instead you loaded up the GUI to control the server on a workstation? Would that be good enough for you or do you absolutely HAVE to run the GUI on the server?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 26, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook installed on a DC

I'm convinced that Joe wouldn't even want a c:\ on the screen. Maybe a c or a colon or a slash...but all three? Too much bloat. ;-)

joe wrote:

Your manager is a soft fleshy milk-secreting glandular organ.

Every new piece of software added to any machine is a new possible threat vector. DCs are the bastion of your Windows network security. You run the absolute minimum on a DC that you can run (yes, SBS makes me squeamish, but that isn't a surprise to Susan). I don't think it is ever a good idea to run Outlook on any server except maybe a TS, and the admins better not ever launch it. Outlook is not an email server, it is a client app; when someone tells me they need it for their server app, I laugh and tell them to find a better app or another way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Thursday, November 24, 2005 11:39 AM
To: Active
Subject: [ActiveDir] Outlook installed on a DC

Hi all,

I have a problem whereby I've been asked by a manager to install Outlook on our DCs to allow us to email back the services team when backups have failed. I am dead against this; I have just managed to split the DC, File and Print roles and reduce the number of domain admins. My gut feeling is against this, though I have no technical reason why this is bad?

Does anyone have any views or advice on this matter? Any scenarios that could occur would be nice... thanks

Frank
RE: [ActiveDir] Outlook installed on a DC
t'cha

Disabling OpenGL screen savers used to be a constant battle for me with my SBS'er clients.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 26, 2005 6:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook installed on a DC

You do realize we even have folks that turn themes on their SBS boxes because they want it to look 'pretty'. :-)

There are still times you have to be 'on' a box ...especially down here.
RE: [ActiveDir] Outlook installed on a DC
When specifically? If you don't point them out, there is less chance it will get corrected. :o)

I would love to get to a point of not having to interactively logon to servers except at initial configuration. Much less chance of doing stupid accidental things. One of the great strengths and weaknesses of a server desktop that looks like a client desktop is that everyone thinks they can manage a server because they think they can use a desktop machine. Great from a marketing and sales standpoint, companies think that anyone can run the things. Bad from a realistic running-the-company's-servers and security standpoint. Thankfully MS has been backing off of the "you have to know enough to turn something off" to the "you have to know enough to turn something on" mindset, but just the same, there are a lot of people running servers who probably have trouble controlling their alarm clock.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 26, 2005 6:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook installed on a DC

You do realize we even have folks that turn themes on their SBS boxes because they want it to look 'pretty'. :-)

There are still times you have to be 'on' a box ...especially down here.
Re: [ActiveDir] Outlook installed on a DC
Well, when RDP breaks, or you have a stupid laptop that somehow thinks it's on a domain because it used to be on a domain and it's no longer on a domain and yet the firewall settings are still 'enabled' [okay, that's not exactly the greatest example, but it's the only one I could come up with at short notice]. If you are totally headless, I'd do the iLO-ish like stuff that HP does.

joe wrote:

When specifically? If you don't point them out, there is less chance it will get corrected. :o)

I would love to get to a point of not having to interactively logon to servers except at initial configuration. Much less chance of doing stupid accidental things. One of the great strengths and weaknesses of a server desktop that looks like a client desktop is that everyone thinks they can manage a server because they think they can use a desktop machine. Great from a marketing and sales standpoint, companies think that anyone can run the things. Bad from a realistic running-the-company's-servers and security standpoint. Thankfully MS has been backing off of the "you have to know enough to turn something off" to the "you have to know enough to turn something on" mindset, but just the same, there are a lot of people running servers who probably have trouble controlling their alarm clock.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] FRSInlog
Both of the errors deal with journal wrap in the FRS logs. A number of issues as to WHY this happens. However, I'd upgrade to Ultrasound - the successor to Sonar. It has much better JIT information associated with the errors - and how to fix them.

Rick

--
Posting is provided "AS IS", and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Green
Sent: Saturday, November 26, 2005 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSInlog

Hi

I am using the Microsoft Sonar tool to keep an eye on my 6 DCs in 2 domains - FRS / SYSVOL. Last week Sonar flagged a few errors - FRSInlog, FRSSets - I am not impressed by the help file you don't get with Sonar - so what do these errors mean? FRSInlog?? or FRSSets??

Thanks for help

James
Re: [ActiveDir] FRSInlog
The inlog is the inbound change orders. It would help to know what the actual error was..

steve

- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, November 26, 2005 6:51 PM
Subject: RE: [ActiveDir] FRSInlog

Both of the errors deal with journal wrap in the FRS logs. A number of issues as to WHY this happens. However, I'd upgrade to Ultrasound - the successor to Sonar. It has much better JIT information associated with the errors - and how to fix them.

Rick
RE: [ActiveDir] Windows 2003 SP1 upgrade...
yawn

Sometimes, I realize that I commented on something, go back and read the thread and come upon a novella. Occasionally, all I want is a paragraph. Hopefully, all of this information wasn't meant for me, because all I do day in, day out these days is drink from a fire hose - hence why I'm not around so much these days. This hopefully helped others, as it presents no value to me right now at all. I'm versed in this quite well.

Yes - the question was meant to stir a conversation - more about interactive as a mechanism to remove a looming hole for accounts that NEED high level permissions but don't NEED to be logged into. Surprisingly, this is a vector that most people forget about. If you don't need to log in to it - why does it have interactive?

As to which LUA - the actual, higher level principle of giving nothing (not just people) any more access than it absolutely requires. I made the assumption that the ACLing that you referred to had already removed any and all unnecessary permissions to things unsavory, dangerous, and shiny-but-sharp from touch. Hence the question about interactive. It's not an ACL.

And, as to our direction with software and decisions made - I don't comment much publicly anymore. I've gotten myself into too much trouble of late, another reason I'm not here as much. Brett can answer some of these, or get someone from the dev team on Security issues. I'll answer anything you want on MCS and how to implement. But, as to why things are or where they are going to be in future product - I won't be commenting on that. That's another pretty, shiny, sharp-thing.

Rick

--
Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 21, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

No.

MS made it now so that you either need to use an ID that has admin rights, or you have to change the ACL on the SCM to monitor the services, OR the application doing the monitoring needs to know specifically what service to look at AND know how to ask to open it WITHOUT asking for enumeration rights, which is unusual since it was always possible previously because the ACL on the SCM wasn't configurable. All example source showed how to do it in a way that would break after the change.

What this change does is require more privileges to do work easily done with an unprivileged account, or require you to partially undo what MS did to lock it down. Since the ability to change the SCM ACL previously wasn't something that could be done at all, I understand the idea to lock it down once it could be modified. However, MS didn't really give much in the way of tools to operate with it set that way. There was one tool, SC, that was modified in order to work with it, and at least initially it wasn't very well documented. This easily should have been a GPO config item just like the other service ACL configs. Personally, I would have greatly appreciated say a new group... RemoteServiceEnumeration or something like that, then people simply add principals to that group in order to keep their apps working.

I have often monitored services on servers remotely with an ID that has normal user rights in the domain. The ID had no permissions on the servers at all other than to look at them. Others have done the same. The monitoring scripts/apps would list all services to see what was running and what wasn't running; any changes whatsoever would be reported, so you knew when something got added and when something got removed, or if something was started that wasn't previously running, or something that was previously running no longer was running. After SP1, it took modifying the ACL or granting admin level rights, or required the ID to be used locally on the local machine instead of remotely.

This change forced people, at least initially until documentation started coming out, to use higher power IDs to do something that previously could be done with lower power do-nothing IDs. To put it another way, there is no technical reason whatsoever that an admin ID is required to monitor services. Heck, you can even delegate service control to non-admins; I have been giving out the ability to stop/start specific services on servers since early NT4 days.

BTW, which LUA are you referring to? The actual principle of least user access, where you don't give people access to things they shouldn't have, or the LUA to allow non-privileged users to actually do things without being an admin? I think the first, but it caught me by surprise and I read it as the second initially, because most MS folks are using LUA strictly to speak about the new capability in Vista. I didn't mention LUA but was referring to not having to be an admin to do something simple.

I have no problem with locking things down, but don't catch people by
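An added audit script (not from the thread or from either poster) for the SCM ACL change joe describes: it reads the Service Control Manager's security descriptor with "sc.exe sdshow scmanager" (the SC tool he mentions), parses the DACL, and reports which principals hold SC_MANAGER_ENUMERATE_SERVICE, so you can see whether a low-privilege monitoring account can list services remotely or whether the ACL has been opened wider than intended. The sample SDDL is constructed to model the restrictive post-SP1 style ACL; the computer name and switch are assumptions for the demo.

```powershell
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$UseSample   # parse the constructed sample instead of calling sc.exe
)

# Constructed sample SDDL modelled on the restrictive SCM ACL the thread describes:
# Authenticated Users (AU) may connect (CC) but not enumerate (LC); Interactive (IU)
# and Service (SU) logons may enumerate; SYSTEM and Administrators (BA) hold all access.
$SampleSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)'

function Get-ScmSddl([string]$Computer) {
    # sc.exe prints the SDDL on a line of its own, usually after a blank line.
    $out  = & sc.exe "\\$Computer" sdshow scmanager 2>&1
    $line = $out | Where-Object { "$_" -match '^[DS]:' } | Select-Object -First 1
    if ($line) { "$line".Trim() } else { throw "Could not read SCM SDDL from ${Computer}: $out" }
}

function Parse-ScmDacl([string]$Sddl) {
    # Only the DACL (D:...) grants access; the SACL (S:...) only drives auditing.
    $dacl = if ($Sddl -match 'D:(?<dacl>.*?)(S:|$)') { $Matches['dacl'] } else { '' }
    # ACE layout in SDDL: (type;flags;rights;object_guid;inherit_guid;trustee)
    $aceRx = '\((?<type>[AD]);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $aceRx)) {
        $rights = $m.Groups['rights'].Value
        # Generic rights are two-letter tokens; KA/GA mean "all access" on the SCM object.
        $tokens = @(for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) })
        $all    = ($tokens -contains 'KA') -or ($tokens -contains 'GA')
        [pscustomobject]@{
            Type      = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee   = $m.Groups['sid'].Value
            Connect   = $all -or ($tokens -contains 'CC')   # SC_MANAGER_CONNECT
            Enumerate = $all -or ($tokens -contains 'LC')   # SC_MANAGER_ENUMERATE_SERVICE
            Create    = $all -or ($tokens -contains 'DC')   # SC_MANAGER_CREATE_SERVICE
        }
    }
}

$sddl = if ($UseSample) { $SampleSddl } else { Get-ScmSddl $ComputerName }
$aces = @(Parse-ScmDacl $sddl)
$aces | Format-Table -AutoSize

# Broad principals any domain account can reach remotely:
# AU = Authenticated Users, WD = Everyone, BU = Users.
$broad = @($aces | Where-Object {
    $_.Type -eq 'Allow' -and $_.Enumerate -and (@('AU', 'WD', 'BU') -contains $_.Trustee)
})
if ($broad.Count -gt 0) {
    $who = ($broad | Select-Object -ExpandProperty Trustee) -join ', '
    Write-Warning "Remote service enumeration is open to: $who"
} else {
    Write-Host "Remote service enumeration is limited to interactive/service logons and administrators."
}
```

Run with -UseSample to see the parser on the constructed descriptor, or against a host to compare its live SCM ACL with the expected post-SP1 shape before deciding which specific account, rather than a broad group, needs enumerate rights.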
[ActiveDir] windows installation question
Hello,

I have a computer which has W2K on it. It is on a network and does not have a CD drive. Now I want to have XP on it without removing W2K. Is there any way that I can install XP through the network without damaging my W2K?

Thanks in advance.

Roseta
RE: [ActiveDir] Outlook installed on a DC
You can notify via e-mail without any client at all on the system. Just make up a message in RFC 822 format and then drop it in the Exchange server's SMTP virtual server pickup directory. You can literally make a notification message from a DOS batch file.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, November 24, 2005 8:39 AM
To: Active
Subject: [ActiveDir] Outlook installed on a DC

Hi all,

I have a problem whereby I've been asked by a manager to install Outlook on our DCs to allow us to email back the services team when backups have failed. I am dead against this; I have just managed to split the DC, File and Print roles and reduce the number of domain admins. My gut feeling is against this, though I have no technical reason why this is bad?

Does anyone have any views or advice on this matter? Any scenarios that could occur would be nice... thanks

Frank
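An added example (not Ed's or the list's code) of the client-less notification he describes: build an RFC 822 message and drop it into the SMTP virtual server's Pickup directory, so the DC needs no Outlook and no MAPI profile. The Pickup path, addresses and job name are assumptions and constructed sample values; the script only needs write access to that one directory for the account that runs the backup job.

```powershell
param(
    [string]$PickupDir = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup',  # assumed path, adjust
    [string]$From      = 'backup-alerts@example.com',                          # constructed
    [string]$To        = 'services-team@example.com',                          # constructed
    [string]$JobName   = 'Nightly SystemState',                                # constructed
    [int]   $ExitCode  = 1
)

function New-Rfc822Message {
    param([string]$From, [string]$To, [string]$Subject, [string]$Body)
    # Header values must stay on one line: strip CR/LF so a job name or error text
    # copied out of a log cannot inject additional headers into the message.
    $oneLine = { param($s) $s -replace '[\r\n]+', ' ' }
    # RFC 2822 date, e.g. "Sat, 26 Nov 2005 18:51:00 +0100"; .NET's zzz yields +01:00.
    $date  = [DateTime]::Now.ToString('ddd, dd MMM yyyy HH:mm:ss zzz', [Globalization.CultureInfo]::InvariantCulture) -replace ':(\d\d)$', '$1'
    $msgId = '<{0}@{1}>' -f [guid]::NewGuid().ToString('N'), $env:COMPUTERNAME
    $headers = @(
        "From: $(& $oneLine $From)"
        "To: $(& $oneLine $To)"
        "Subject: $(& $oneLine $Subject)"
        "Date: $date"
        "Message-ID: $msgId"
        'MIME-Version: 1.0'
        'Content-Type: text/plain; charset=us-ascii'
    )
    # RFC 822 layout: header lines, one empty line, then the body; CRLF throughout.
    $bodyLines = $Body -split "`r?`n"
    (($headers + '' + $bodyLines) -join "`r`n") + "`r`n"
}

function Send-ViaPickup {
    param([string]$PickupDir, [string]$Message)
    # Write under a temporary name, then rename to .eml: the SMTP service polls the
    # directory and the rename is atomic, so it never picks up a half-written file.
    $name = '{0}-{1}.eml' -f $env:COMPUTERNAME, [guid]::NewGuid().ToString('N')
    $tmp  = Join-Path $PickupDir ($name + '.tmp')
    [IO.File]::WriteAllText($tmp, $Message, [Text.Encoding]::ASCII)
    Move-Item -LiteralPath $tmp -Destination (Join-Path $PickupDir $name)
    Join-Path $PickupDir $name   # return the queued file's path for logging
}

$subject = "[BACKUP FAILED] $JobName on $env:COMPUTERNAME"
$body = @"
Backup job '$JobName' on $env:COMPUTERNAME exited with code $ExitCode
at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss').
Check the backup application log on the server for details.
"@

$msg = New-Rfc822Message -From $From -To $To -Subject $subject -Body $body
Send-ViaPickup -PickupDir $PickupDir -Message $msg
```

Call it from the backup job's failure branch with the job name and exit code; because nothing on the DC authenticates to the mail system, a compromised script can at most drop text files into Pickup, which is a far smaller exposure than a logged-on mail client.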