RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Almeida Pinto, Jorge de
Tony and others...
 
Congrats and a happy 5th!
 
Thanks for this great and cool list!
Definitely a great place to hang out, meet people and learn about AD! ;-)
 
Cheers,
Jorge
 
PS.: so, where is the party?



From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Fri 2006-01-13 01:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!



Hi all

I started this list on 13th January 2001. Thanks to everyone out
there for making it a great place to hang out and learn about AD (and
more besides!).

Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





Re: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread ASB
Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, last
 time I looked into it, it traverses the ACL until it has hit enough ACES to
 grant the access requested or to deny it, once that is achieved it stops. It
 doesn't stop on the first ACE that has that security principal granting
 *something*.

 The ACEs are ordered in the ACL for enumeration such that the inheritance
 hierarchy is preserved as is the ordering of deny versus grant. If you had
 an explicit grant out of order and in front of an explicit deny for
 instance, access would still be granted even though if you looked at the ACL
 (especially in the GUI) it would show the deny. This special dorked up
 ordering is called non-canonical ordering and Exchange actually uses it on
 AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower level in
 the hierarchy will override a deny. Such as an explicit grant or a grant one
 level above the object will override a deny more than one level up from the
 object.

 If you ever want to make absolute sure that something is absolutely denied,
 apply the deny directly to the object (explicit deny).  Alternatively, don't
 use deny ACEs, use pass denies by not granting the access. Denies have been
 a source of confusion for access since the whole inherited ACL model came
 around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent access to
 a file or folder whenever you were member of two groups that had access
 where one group had ReadOnly and the other had Full Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
 directory or file windows goes through its list of acls until it gets a
 response - yes let me in or no don't let me in. But as soon as it has a
 response it stops looking for further responses so if a yes (allow) is found
 yet further down the list of acls there is a no (deny) it is never read so
 it is not applied.
 
  This has been demonstrated in many of john craddocks ad sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: [ActiveDir] File Permissions: Deny vs. Allow
 
  Hi all,
 
  I'm hoping someone can help explain a situation I came across recently. I
 have a global security group that has been denied access to a specific
 network drive (a folder on a server). However, certain members within the
 global security group are able to access the drive.
 
  After some research I found that the global group was a member of a
 domain local group with access to the drive in question. When the group was
 removed from the domain local group (but were still members of the global
 group) the said users were no longer able to access the drive.
 
  File permissions, as I understand them, are designed such that deny
 permissions will always override allow permissions but in this case it seems
 that this is not the case, hence my confusion.
 
 
  P.S.: Just as an FYI, the global group and domain local group are located
 in different OUs but are part of the same domain.
 
  Any clarifications on why this is happening are appreciated.
 
  Thanks,
  Ahmed
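
The access check joe describes in the quoted reply above, modelled in Python as an added example (not code from any poster on this list, and not Windows code). The group names, the three-bit access mask and the `depth` field are assumptions made for illustration, and the first scenario assumes the deny in Ahmed's case was inherited from further up the tree than the allow.

```python
from dataclasses import dataclass

# Simplified access-mask bits, constructed for this example.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # group or user name standing in for a SID
    mask: int       # rights this ACE allows or denies
    depth: int = 0  # 0 = explicit on the object, 1 = parent, 2 = grandparent


def access_check(dacl, token, desired):
    """Walk the DACL in stored order and stop as soon as the answer is known.

    Granted bits accumulate across allow ACEs; a deny ACE only matters if it
    covers a requested bit that has not been granted yet.
    """
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue                      # ACE is for someone else
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # a still-needed right is denied
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True               # everything requested is granted
    return False                          # nothing granted it: implicit deny


def canonical_order(dacl):
    """Explicit before inherited (nearest ancestor first), deny before allow."""
    return sorted(dacl, key=lambda a: (a.depth, a.kind != "deny"))


def is_canonical(dacl):
    return list(dacl) == canonical_order(dacl)


# Hypothetical token: a user in both the denied global group and the
# domain local group that is allowed on the share.
TOKEN = {"user1", "GG-Blocked", "DL-ShareAccess"}


def inherited_deny_vs_nearer_allow():
    # Deny inherited from two levels up, allow inherited from the parent.
    dacl = canonical_order([
        Ace("deny", "GG-Blocked", FULL, depth=2),
        Ace("allow", "DL-ShareAccess", READ, depth=1),
    ])
    return access_check(dacl, TOKEN, READ)


def explicit_deny_on_object():
    # Same allow, but the deny is set directly on the object.
    dacl = canonical_order([
        Ace("allow", "DL-ShareAccess", READ, depth=1),
        Ace("deny", "GG-Blocked", FULL, depth=0),
    ])
    return access_check(dacl, TOKEN, READ)


def non_canonical_explicit_aces():
    # Explicit allow stored ahead of an explicit deny: the deny is visible
    # in the ACL but never reached. Re-sorting restores the expected result.
    dacl = [
        Ace("allow", "DL-ShareAccess", READ),
        Ace("deny", "GG-Blocked", FULL),
    ]
    return (is_canonical(dacl),
            access_check(dacl, TOKEN, READ),
            access_check(canonical_order(dacl), TOKEN, READ))


def read_only_plus_full_control():
    # ASB's case: two allow ACEs, one read-only and one full control.
    # The walk does not stop at the first ACE that grants *something*.
    dacl = [
        Ace("allow", "GG-ReadOnly", READ),
        Ace("allow", "GG-FullControl", FULL),
    ]
    token = {"user2", "GG-ReadOnly", "GG-FullControl"}
    return access_check(dacl, token, READ | WRITE)


if __name__ == "__main__":
    print("inherited deny, nearer allow :", inherited_deny_vs_nearer_allow())
    print("explicit deny on object      :", explicit_deny_on_object())
    print("non-canonical explicit ACEs  :", non_canonical_explicit_aces())
    print("read-only + full control     :", read_only_plus_full_control())
```

When auditing a share, running the equivalent of `is_canonical` over each DACL flags the cases where the deny shown in the GUI is not the one that decides access.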
 


RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread Joe Pochedley
Joe always provides very useful information... (Yes, I'm kissing up so I
can get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the
ACL's to get a solid understanding of under what conditions this can
happen? 


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, 
 last time I looked into it, it traverses the ACL until it has hit 
 enough ACES to grant the access requested or to deny it, once that is 
 achieved it stops. It doesn't stop on the first ACE that has that 
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the 
 inheritance hierarchy is preserved as is the ordering of deny versus 
 grant. If you had an explicit grant out of order and in front of an 
 explicit deny for instance, access would still be granted even though 
 if you looked at the ACL (especially in the GUI) it would show the 
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower 
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than 
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely 
 denied, apply the deny directly to the object (explicit deny).  
 Alternatively, don't use deny ACEs, use pass denies by not granting 
 the access. Denies have been a source of confusion for access since 
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent 
 access to a file or folder whenever you were member of two groups that
 had access where one group had ReadOnly and the other had Full
 Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
 directory or file windows goes through its list of acls until it gets 
 a response - yes let me in or no don't let me in. But as soon as it 
 has a response it stops looking for further responses so if a yes 
 (allow) is found yet further down the list of acls there is a no 
 (deny) it is never read so it is not applied.
 
  This has been demonstrated in many of john craddocks ad sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: [ActiveDir] File Permissions: Deny vs. Allow
 
  Hi all,
 
  I'm hoping someone can help explain a situation I came across
  recently. I have a global security group that has been denied access
  to a specific network drive (a folder on a server). However, certain
  members within the global security group are able to access the drive.
 
  After some research I found that the global group was a member of a
  domain local group with access to the drive in question. When the
  group was removed from the domain local group (but were still members
  of the global group) the said users were no longer able to access the
  drive.
 
  File permissions, as I understand them, are designed such that deny
  permissions will always override allow permissions but in this case it
  seems that this is not the case, hence my confusion.
 
 
  P.S.: Just as an FYI, the global group and domain local group are
  located in different OUs but are part of the same domain.
 
  Any clarifications on why this is happening are appreciated.
 
  Thanks,
  Ahmed
 

RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Rich Milburn
... Internet Explorer, Outlook Express, Windows Messenger, Media Player, and... 
oh wait, that's all versions of server... Core is not out yet, is it... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system 
policies in non AD

Ahem . I think you forgot Windows.
 
:)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Wed 1/11/2006 7:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD



Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 

BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain
Controller!!!

 :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

How to implement system policies for Windows XP-based, Windows 2000-based,
and Windows Server 2003-based client computers in non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203


   



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread patrick
NOBODY???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?

Thanks

RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread Ellis, Debbie
I am not sure if this is what you want. When you create a pst file you
have the option of where to save it. Go to Mail in the Control Panel,
Under Mail Setup click data files   under Outlook Data Files, Select add
then personal folder file (pst file)  You can choose where to save it. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Friday, January 13, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

 

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?

Thanks



Re: [ActiveDir] Outlook Exchange

2006-01-13 Thread Za Vue

1) File--Import/Export
2) Export to a file
3) Choose .pst
4) Choose folder
5) Browse to where you want to store the .pst file
6) Click finish

If this is not what you wanted then please rephrase your question.

-Z.V.


Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange



Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?

Thanks



RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread Craig Cerino
I sent you an email (offline) yesterday with screenshots

Essentially

Go to TOOLS

EMAIL ACCOUNTS

(Make sure View or Change is selected)

On the bottom use the drop down and change from MAILBOX to PERSONAL FOLDERS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Friday, January 13, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?

Thanks

RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread joe
Well for beta... But that won't help SBS. SBS won't run on Core, it has too
many dependencies. Lots of stuff may find issue with core. It is intended to
be a lean and mean tight OS like a server should be. I think many people
will be quite surprised when their stuff doesn't work, I suggest everyone
who can get in the beta and start testing their stuff. It will also change
the face of admin work. It will require a higher level of understanding IMO.
However it is tough to talk specifics regarding a product in beta. But I do
recommend people get the beta and test.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, January 13, 2006 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

... Internet Explorer, Outlook Express, Windows Messenger, Media Player,
and... oh wait, that's all versions of server... Core is not out yet, is
it... :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

Ahem . I think you forgot Windows.
 
:)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Wed 1/11/2006 7:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD



Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 

BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!

 :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203


   



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread joe
A good start would be MSDN. It is anathema to many admins but often the
absolute best source of some info if you can read it and personally I think
admins should be able to read dev docs. I can't explain how many times I
found something digging through MSDN that helped me in the admin world.
Something that I didn't know existed I find that exists so I go looking for
the tool to do it which may be some obscure function in an MS tool or more
often something I have to build or find elsewhere. It lets you know what is
possible based on the actual capabilities versus what is exposed in the
tools. 


Anyway, I would start here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp


There is some more in a more English way here

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx




 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Friday, January 13, 2006 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I can
get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the ACL's
to get a solid understanding of under what conditions this can happen? 


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, 
 last time I looked into it, it traverses the ACL until it has hit 
 enough ACES to grant the access requested or to deny it, once that is 
 achieved it stops. It doesn't stop on the first ACE that has that 
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the 
 inheritance hierarchy is preserved as is the ordering of deny versus 
 grant. If you had an explicit grant out of order and in front of an 
 explicit deny for instance, access would still be granted even though 
 if you looked at the ACL (especially in the GUI) it would show the 
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower 
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than 
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely 
 denied, apply the deny directly to the object (explicit deny).
 Alternatively, don't use deny ACEs, use pass denies by not granting 
 the access. Denies have been a source of confusion for access since 
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent 
 access to a file or folder whenever you were member of two groups that
 had access where one group had ReadOnly and the other had Full
 Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
 directory or file windows goes through its list of acls until it gets 
 a response - yes let me in or no don't let me in. But as soon as it 
 has a response it stops looking for further responses so if a yes 
 (allow) is found yet further down the list of acls there is a no 
 (deny) it is never read so it is not applied.
 
  This has been demonstrated in many of john craddocks ad sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: [ActiveDir] File Permissions: Deny vs. Allow
 
  Hi all,
 
  I'm hoping someone can help explain a situation I came across 
  recently. I
 have a global security group that has been denied access to a specific

 network drive (a folder 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe
Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, lets do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts 

RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread neil.ruston
Did the response from Marcus Oh not suffice?

The security reference monitor evaluates the list of entries in this
order: noninherited deny, noninherited allow, inherited deny, and
inherited allow.

That means the noninherited allow will override the inherited deny.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: 13 January 2006 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I
can get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the
ACL's to get a solid understanding of under what conditions this can
happen? 


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, 
 last time I looked into it, it traverses the ACL until it has hit 
 enough ACES to grant the access requested or to deny it, once that is 
 achieved it stops. It doesn't stop on the first ACE that has that 
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the
 inheritance hierarchy is preserved as is the ordering of deny versus
 grant. If you had an explicit grant out of order and in front of an
 explicit deny for instance, access would still be granted even though
 if you looked at the ACL (especially in the GUI) it would show the
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely 
 denied, apply the deny directly to the object (explicit deny).
 Alternatively, don't use deny ACEs, use pass denies by not granting 
 the access. Denies have been a source of confusion for access since 
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent
 access to a file or folder whenever you were a member of two groups that
 had access where one group had ReadOnly and the other had Full Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
  directory or file Windows goes through its list of ACLs until it gets
  a response - yes let me in or no don't let me in. But as soon as it
  has a response it stops looking for further responses so if a yes
  (allow) is found yet further down the list of ACLs there is a no
  (deny) it is never read so it is not applied.

  This has been demonstrated in many of John Craddock's AD sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: [ActiveDir] File Permissions: Deny vs. Allow
 
  Hi all,
 
  I'm hoping someone can help explain a situation I came across
  recently. I have a global security group that has been denied access
  to a specific network drive (a folder on a server). However, certain
  members within the global security group are able to access the drive.

  After some research I found that the global group was a member of a
  domain local group with access to the drive in question. When the
  group was removed from the domain local group (but were still members
  of the global group) the said users were no longer able to access the
  drive.

  File permissions, as I understand them, are designed such that deny
  permissions will always override allow permissions but in this case it
  seems that this is not the case, hence my confusion.
 
 
  P.S.: Just as an FYI, the global group and 
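
The ACE ordering and access-check walk discussed in this thread, as a simplified Python model added here (it is not part of any post above and is not Windows code). The group names, the rights bits and the `depth` field are constructed for illustration; the ordering rule is the one neil quotes, extended per inheritance level as joe describes.

```python
from dataclasses import dataclass

# Constructed rights bits for this model (not real Windows access-mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group name standing in for a SID
    mask: int        # rights this ACE grants or denies
    depth: int = 0   # 0 = explicit on the object, 1 = parent, 2 = grandparent


def _rank(ace):
    # Nearer inheritance levels first; within one level, deny before allow.
    return (ace.depth, 0 if ace.kind == "deny" else 1)


def canonical_order(aces):
    """Sort ACEs into canonical order (stable, so ties keep their order)."""
    return sorted(aces, key=_rank)


def is_canonical(dacl):
    """True when the stored order already follows the canonical rule."""
    ranks = [_rank(a) for a in dacl]
    return ranks == sorted(ranks)


def access_check(dacl, groups, desired):
    """Walk the DACL in stored order. Stop as soon as every requested bit
    has been granted, or as soon as a deny ACE covers a bit that is still
    outstanding. ACEs for trustees not in the token are skipped."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # nothing left to read: ungranted bits are implicitly denied


def scenarios():
    """Constructed cases mirroring the situations raised in the thread."""
    user = {"GlobalGroup", "DomainLocalGroup"}
    out = {}

    # Inherited deny on one group, explicit allow on another.
    dacl = canonical_order([Ace("deny", "GlobalGroup", FULL, depth=1),
                            Ace("allow", "DomainLocalGroup", READ | WRITE)])
    out["explicit_allow_vs_inherited_deny"] = access_check(dacl, user, READ)

    # Deny applied directly to the object: it sorts first and wins.
    dacl = canonical_order([Ace("allow", "DomainLocalGroup", READ | WRITE),
                            Ace("deny", "GlobalGroup", FULL)])
    out["explicit_deny_vs_explicit_allow"] = access_check(dacl, user, READ)
    out["partial_request_read"] = access_check(
        canonical_order([Ace("allow", "DomainLocalGroup", READ | WRITE),
                         Ace("deny", "GlobalGroup", WRITE)]), user, READ)

    # Same two explicit ACEs stored out of order (non-canonical).
    bad = [Ace("allow", "DomainLocalGroup", READ | WRITE),
           Ace("deny", "GlobalGroup", FULL)]
    out["noncanonical_is_canonical"] = is_canonical(bad)
    out["noncanonical_grants"] = access_check(bad, user, READ)

    # Allow inherited from the parent vs deny inherited from the grandparent.
    dacl = canonical_order([Ace("deny", "GlobalGroup", FULL, depth=2),
                            Ace("allow", "DomainLocalGroup", READ, depth=1)])
    out["parent_allow_vs_grandparent_deny"] = access_check(dacl, user, READ)

    # ReadOnly group plus Full Control group: the walk continues past the
    # first matching allow until the requested bit is covered.
    dacl = [Ace("allow", "Readers", READ), Ace("allow", "Admins", FULL)]
    out["readonly_plus_full"] = access_check(dacl, {"Readers", "Admins"}, WRITE)
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```
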

RE: [ActiveDir] OT: DEC 2006

2006-01-13 Thread Ken Cornetet
I remember those. That was my last year at U of L and they announced
that the next year all engineering students would be required to buy a
rainbow. The cost was to be spread over 4 years of tuition. Fortunately,
the rainbow proved itself an instant flop and U of L dropped that plan.

If memory serves, they did run MSDOS, but they didn't have a pc
compatible BIOS so that while they gave the impression that they were PC
compatible, in reality they wouldn't run anything that required BIOS
calls (which was 99% of the software out there). We used a lot of HP 150
touch screens, and they were the same way.

Also, you had to buy pre-formatted floppies from DEC - you couldn't
format your own. At least until someone leaked the formatting utilities.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow?  It was DEC's attempt at a Personal
computer.  Launched in early '83, if I remember...  ran its own
proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
died a year or two later, but the marketing stickers held up for about
10 years!!  I had one stuck to my daughter's mirror and damned if I
could get it off!!

And the DECwriter and the Gold key. a - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 Ah but people using DEC and attending DECUS were smarter than the
 average bear. To this day the people I meet who grew up on DEC are
 more well rounded and knowledgeable in the field than the norm.

 The good ol days... Anyone remember Mike Mayfield and the RSTS/E
 Monitor Internals books he wrote? Only place to get the real scoop on
 the internals so you could really wreak havoc. I think he also wrote
 the original Trek too so if your system was still up after poking
 around in the internals you could play a video game on your DecWriter
 or VT52.

 I got my first official corporate support position supporting OS/2 and
 Win31 on Token Ring back in the mid 90's because I knew DEC. The 8 or
 so people in the panel interview started asking me questions about the
 equipment the job was for (OS/2 Win31 tcp/ip Token Ring) and I
 couldn't answer any of the questions so they saw DEC on my resume and
 started asking DEC questions and a couple of hours later we were all
 laughing and I had my choice of the three open positions they had even
 though I knew nothing about any of them.
 :)




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 McGlinchey
 Sent: Tuesday, January 10, 2006 4:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: DEC 2006

 My experience is just the opposite. I attended DECUS (The other DEC,
 Digital Equipment Computer Users Society Symposia) a few times back in
 the 90's and the casinos complained that the attendees were not losing
 enough money.
 This was attributed to 1) most of the attendees knew the odds were
 against them so they kept their money in their pockets where it
 belonged and 2) the ones that did play were pretty good at it and were
 winning too much.

 I'll not be attending but I'm sending someone that works for me
 instead.
 Have a good conference.

 John McGlinchey

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
  Michael M.
  Sent: Tuesday, January 10, 2006 3:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  I think you are going to find the same at Green Valley - 
  http://www.greenvalleyranchresort.com/gaming/index.html
 
  Leave your car and house titles at home!




--
Kat Collins - The Email of the species is more powerful than the Mail!

The human voice is the organ of the soul. Henry Wadsworth Longfellow


RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Ken Cornetet
Outlook 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement
system policies in non AD

Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
  

BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!

 :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread Navroz Shariff



Tried to send you a nice PDF write-up but attachment would not go through.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, January 13, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

I sent you an email (offline) yesterday with screenshots

Essentially
Go to TOOLS
EMAIL ACCOUNTS
(Make sure View or Change is selected)
On the bottom use the drop down and change from MAILBOX to PERSONAL FOLDERS


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Friday, January 13, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?
Thanks


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe



 Have the GUI remember columns I chose to show

On a single machine or across AD? Or possibly a config file you could
export/import to specific machines?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, January 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

I think we discussed this one over an excellent burger last fall- I need to
be able to write new property pages a lot more easily than I do now dicking
around with COM and CPP (two things I don't know much about).

Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs
from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe
Speaking of Dean... He knows tricks in ADUC.

Hey Dean is there a way of doing this by having unlock called in the
backend?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe
 Allow ADUC to handle larger numbers of objects in a container without 
 running like a snail.

Are you thinking vlv here Wook?

 I'd like an interface that will allow me to query for where a particular 
 security principal is referred to in an explicit ACE on an ACL.

Could you flesh this one out a little more, I can interpret that in a
couple of ways. Possibly give a concrete example?


The rest I believe I understand.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes to things that are user-friendly like calling samAccountName "User
logon name (pre-Windows 2000)". Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe



How much control would you like over the formatting if any?
How do you visualize configuring the formatting, drag and drop type GUI
interface or specify via parameters in some control location?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Agree - would be nice if extra attributes could be exposed
via the UI more readily (e.g. employeeID)

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 12 January 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

I think we discussed this one over an excellent burger last fall- I need to
be able to write new property pages a lot more easily than I do now dicking
around with COM and CPP (two things I don't know much about).

Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs
from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?

RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread Joe Pochedley
Thanks, Joe.  

I'm definitely not scared of spelunking through the MSDN site.  However,
the most difficult thing is often just finding the relevant info.


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

A good start would be MSDN. It is anathema to many admins but often the
absolute best source of some info if you can read it and personally I
think admins should be able to read dev docs. I can't explain how many
times I found something digging through MSDN that helped me in the admin
world.
Something that I didn't know existed I find that exists so I go looking
for the tool to do it which may be some obscure function in an MS tool
or more often something I have to build or find elsewhere. It lets you
know what is possible based on the actual capabilities versus what is
exposed in the tools. 


Anyway, I would start here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp


There is some more in a more english way here

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx




 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Friday, January 13, 2006 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I
can get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the
ACL's to get a solid understanding of under what conditions this can
happen? 


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, 
 last time I looked into it, it traverses the ACL until it has hit 
 enough ACES to grant the access requested or to deny it, once that is 
 achieved it stops. It doesn't stop on the first ACE that has that 
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the 
 inheritance hierarchy is preserved as is the ordering of deny versus 
 grant. If you had an explicit grant out of order and in front of an 
 explicit deny for instance, access would still be granted even though 
 if you looked at the ACL (especially in the GUI) it would show the 
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower 
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than 
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely 
 denied, apply the deny directly to the object (explicit deny).
 Alternatively, don't use deny ACEs, use pass denies by not granting 
 the access. Denies have been a source of confusion for access since 
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent 
 access to a file or folder whenever you were member of two groups that
 had access where one group had ReadOnly and the other had Full
 Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
 directory or file windows goes through its list of acls until it gets 
 a response - yes let me in or no don't let me in. But as soon as it 
 has a response it stops looking for further responses so if a yes
 (allow) 

RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Ayers, Diane
16 more years and we can start drinking...  WooHoo..

My cranial capacity on AD has grown immensely through the sharing on the
list.  Thanks much to you and the members of the list.

Diane 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, January 12, 2006 4:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out there
for making it a great place to hang out and learn about AD (and more
besides!).

Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread Joe Pochedley



Microsoft spends all kinds of time creating help files for their
applications, it's amazing how few people use the Help.

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

Brian responded to you yesterday at 10:54AM EST and, btw, that is a
good number of responses as this is WAAY OT for this forum. This is
the kind of thing that you type into google and get 11 million hits
for or pick up the book 'Outlook for the Less Inclined' or use the
Office Assistant.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Friday, January 13, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?
Thanks


Re: [ActiveDir] Outlook Exchange

2006-01-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Not to mention unless you use the little tool to backup that pst you 
have no backup on that file.


Eileen Brown's WebLog : Back up your PST's with Outlook 2003 Addin:
http://blogs.technet.com/eileen_brown/archive/2005/04/07/backup_pst.aspx


joe wrote:

Brian responded to you yesterday at 10:54AM EST and, btw, that is a 
good number of responses as this is WAAY OT for this forum. This 
is the kind of thing that you type into google and get 11 million hits 
for or pick up the book 'Outlook for the Less Inclined' or use the 
Office Assistant.
 
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *patrick

*Sent:* Friday, January 13, 2006 12:33 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Outlook Exchange

NOBODY???

 




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *patrick

*Sent:* Thursday, January 12, 2006 10:20 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Outlook Exchange

 

Could someone please expand on how to setup a PST and how to get it to 
download to the pst so as not to stay on the email server?


Thanks




RE: [ActiveDir] Outlook Exchange

2006-01-13 Thread neil.ruston



Flame on! ouch!

btw I tried and only got 10.5 million hits :-^

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 13 January 2006 14:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

Brian responded to you yesterday at 10:54AM EST and, btw, that is a
good number of responses as this is WAAY OT for this forum. This is
the kind of thing that you type into google and get 11 million hits
for or pick up the book 'Outlook for the Less Inclined' or use the
Office Assistant.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Friday, January 13, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook Exchange

NOBODY???

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of patrick
Sent: Thursday, January 12, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook Exchange

Could someone please expand on how to setup a PST and how to get it to
download to the pst so as not to stay on the email server?
Thanks





RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread Joe Pochedley
Sorry, must've missed that.   Must've been in another response that I
didn't see.  If you search through the message I replied to, that quote
is nowhere to be found (other than what you put in).

The problem with email lists is that often responses to threads get
fragmented and sometimes it's easy to miss a valuable piece of info if
you miss reading a response...   The difficulties we have to learn to
live with.  

:)

Peace.

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, January 13, 2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Did the response from Marcus Oh not suffice?

The security reference monitor evaluates the list of entries in this
order: noninherited deny, noninherited allow, inherited deny, and
inherited allow.

That means the noninherited allow will override the inherited deny.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: 13 January 2006 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I
can get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the
ACL's to get a solid understanding of under what conditions this can
happen? 


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check, 
 last time I looked into it, it traverses the ACL until it has hit 
 enough ACES to grant the access requested or to deny it, once that is 
 achieved it stops. It doesn't stop on the first ACE that has that 
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the 
 inheritance hierarchy is preserved as is the ordering of deny versus 
 grant. If you had an explicit grant out of order and in front of an 
 explicit deny for instance, access would still be granted even though 
 if you looked at the ACL (especially in the GUI) it would show the 
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower 
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than 
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely 
 denied, apply the deny directly to the object (explicit deny).
 Alternatively, don't use deny ACEs, use pass denies by not granting 
 the access. Denies have been a source of confusion for access since 
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent 
 access to a file or folder whenever you were member of two groups that
 had access where one group had ReadOnly and the other had Full
 Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO
  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
 directory or file windows goes through its list of acls until it gets 
 a response - yes let me in or no don't let me in. But as soon as it 
 has a response it stops looking for further responses so if a yes
 (allow) is found yet further down the list of acls there is a no
 (deny) it is never read so it is not applied.
 
  This has been demonstrated in many of john craddocks ad sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: 
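
The evaluation rules discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of the DACL walk, run over canonical and non-canonical orderings. The rights bits, trustee names and the depth field are constructed for illustration; this is a model, not the Windows implementation.

```python
from dataclasses import dataclass

# Constructed rights bits for the model (not the real Windows access-mask values).
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE


@dataclass(frozen=True)
class Ace:
    kind: str       # "deny" or "allow"
    trustee: str    # user or group name standing in for a SID
    mask: int       # rights this ACE denies or allows
    depth: int = 0  # 0 = explicit on the object, 1 = from parent, 2 = from grandparent


def canonical_order(aces):
    """Explicit before inherited, nearer ancestors first, deny before allow per level."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))


def is_canonical(dacl):
    return list(dacl) == canonical_order(dacl)


def access_check(dacl, token, desired):
    """Walk the DACL in stored order; return (granted, index of the deciding ACE)."""
    remaining = desired
    for i, ace in enumerate(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:   # denies a right that is still being sought
                return False, i
        else:
            remaining &= ~ace.mask     # accumulate allowed rights
            if remaining == 0:         # everything requested has been granted
                return True, i
    return False, None                 # rights never granted: refused without a deny ACE


def scenarios():
    token = {"alice", "Readers", "Editors"}  # constructed user and group names
    out = {}
    # Two group grants: the walk does not stop at the first matching allow ACE.
    out["two_groups"] = access_check(
        [Ace("allow", "Readers", READ), Ace("allow", "Editors", FULL)], token, WRITE)
    # An explicit allow sorts ahead of a deny inherited from the parent.
    out["explicit_allow_vs_inherited_deny"] = access_check(canonical_order(
        [Ace("deny", "Editors", WRITE, 1), Ace("allow", "alice", WRITE, 0)]), token, WRITE)
    # An allow from the parent sorts ahead of a deny from the grandparent.
    out["parent_allow_vs_grandparent_deny"] = access_check(canonical_order(
        [Ace("deny", "Editors", WRITE, 2), Ace("allow", "alice", WRITE, 1)]), token, WRITE)
    # An explicit deny on the object itself comes first in canonical order.
    out["explicit_deny"] = access_check(canonical_order(
        [Ace("allow", "Editors", FULL, 0), Ace("deny", "alice", WRITE, 0)]), token, WRITE)
    # Non-canonical: an explicit allow stored in front of an explicit deny.
    stored = [Ace("allow", "Editors", WRITE), Ace("deny", "alice", WRITE)]
    out["noncanonical_is_canonical"] = is_canonical(stored)
    out["noncanonical_as_stored"] = access_check(stored, token, WRITE)
    out["noncanonical_reordered"] = access_check(canonical_order(stored), token, WRITE)
    # No deny ACE at all: a right that is never granted is refused.
    out["not_granted"] = access_check([Ace("allow", "Readers", READ)], token, WRITE)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running `is_canonical` over the ACEs read from an object is a quick audit for the case joe describes, where a deny is visible in the list but sits behind the allow that decides the check.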

Re: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Martin Tuip

misspelled Outlook Server Enterprise Edition

- Original Message - 
From: Ken Cornetet [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, January 13, 2006 7:01 AM
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system 
policies in non AD



Outlook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement
system policies in non AD

Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:


...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:



BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain
Controller!!!

:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement
system policies in non AD

How to implement system policies for Windows XP-based, Windows
2000-based, and Windows Server 2003-based client computers in
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203







--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_

(http://tinyurl.com/7f8ll)






--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com



RE: [ActiveDir] OT: DEC 2006

2006-01-13 Thread Creamer, Mark
There's one on eBay right now. 

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken
Cornetet
Sent: Friday, January 13, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

I remember those. That was my last year at U of L and they announced
that the next year all engineering students would be required to buy a
rainbow. The cost was to be spread over 4 years of tuition. Fortunately,
the rainbow proved itself an instant flop and U of L dropped that plan.

If memory serves, they did run MSDOS, but they didn't have a pc
compatible BIOS so that while they gave the impression that they were PC
compatible, in reality they wouldn't run anything that required BIOS
calls (which was 99% of the software out there). We used a lot of HP 150
touch screens, and they were the same way.

Also, you had to buy pre-formatted floppies from DEC - you couldn't
format your own. At least until someone leaked the formatting utilities.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow?  It was DEC's attempt at a Personal
computer.  Launched in early '83, if I remember...  ran its own
proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
died a year or two later, but the marketing stickers held up for about
10 years!!  I had one stuck to my daughter's mirror and damned if I
could get it off!!

And the DECwriter and the Gold key. a - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 Ah but people using DEC and attending DECUS were smarter than the 
 average bear To this day the people I meet who grew up on DEC are 
 more well rounded and knowledgeable in the field than the norm.

 The good ol days... Anyone remember Mike Mayfield and the RSTS/E 
 Monitor Internals books he wrote? Only place to get the real scoop on 
 the internals so you could really wreak havoc. I think he also wrote 
 the original Trek too so if your system was still up after poking 
 around in the internals you could play a video game on your DecWriter
 or VT52.

 I got my first official corporate support position supporting OS/2 and
 Win31 on Token Ring back in the mid 90's because I knew DEC. The 8 or 
 so people in the panel interview started asking me questions about the
 equipment the job was for (OS/2 Win31 tcp/ip Token Ring) and I 
 couldn't answer any of the questions so they saw DEC on my resume and 
 started asking DEC questions and a couple of hours later we were all 
 laughing and I had my choice of the three open positions they had even
 though I knew nothing about any of them.
 :)




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 McGlinchey
 Sent: Tuesday, January 10, 2006 4:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: DEC 2006

 My experience is just the opposite. I attended DECUS (The other DEC, 
 Digital Equipment Computer Users Society Symposia) a few times back in
 the 90's and the casinos complained that the attendees were not losing
 enough money.
 This was attributed to 1) most of the attendees knew the odds were 
 against them so they kept their money in their pockets where it 
 belonged and 2) the ones that did play were pretty good at it and were
 winning too much.

 I'll not be attending but I'm sending someone that works for me
 instead.
 Have a good conference.

 John McGlinchey

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
  Michael M.
  Sent: Tuesday, January 10, 2006 3:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  I think you are going to find the same at Green Valley - 
  http://www.greenvalleyranchresort.com/gaming/index.html
 
  Leave your car and house titles at home!




--
Kat Collins - The Email of the species is more powerful than the Mail!

The human voice is the organ of the soul. Henry Wadsworth Longfellow

Re: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Mark Parris
When I copy an account I would like to be prompted to update the info on the 
profile tab if any exists.

I would like to be able to set up template accounts that don't resolve 
variables until the accounts are created.

The acctinfo.dll to be standard and have a next DC button to query user 
properties on the next DC-effectively enabling a DC scroll through.

Thinking of more...
-Original Message-
From: joe [EMAIL PROTECTED]
Date: Fri, 13 Jan 2006 09:59:39 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, lets do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread jpsalemi
Please make it easy to turn off drag and drop?  Advanced option perhaps?

Thanks,
John





RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread David Aragon
I would also like to see the additional information exposed by installing
acctinfo.dll be made standard (built-in) rather than by having to install an
additional dll and the information it exposes be viewable on the user object
when that user is found via a search.

David Aragon
Your ability to perceive a solution is limited
only by your understanding of the problem 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, January 13, 2006 7:00 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 Only three people with issues with ADUC? Or did these three 
 fine folks describe accurately everyone's pain? 
 
 I am asking because I will summarize and wrap this up after 
 it is done, I pinged the developer and he is looking forward 
 to seeing the email with the details. This isn't going 
 through multiple layers of PSS like you may be used to 
 putting requests through, this is going into the MVP feedback 
 system and being sent separately to one of the guys writing 
 the source code for it.
 
joe
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
 Sent: Thursday, January 12, 2006 10:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 Here are some of my ADUC pet peeves and wish-list items. 
 
 Let's have an expert's mode where we don't change the names 
 of the attributes things that are user-friendly like 
 calling samAccountName User logon name (pre-Windows 2000), 
 Kind of a cross between ADUC and ADSIedit or like that E55 
 admin utility in RAW mode.
 
 Allow ADUC to handle larger numbers of objects in a container 
 without running like a snail.
 
 I'd like to be able to multi-select a bunch of objects and 
 have a UI to change all the common attributes that are modifiable.
 
 I'd like an interface that will allow me to query for where a 
 particular security principal is referred to in an explicit 
 ACE on an ACL.
 
 I'd like an extension of the Advanced Security dialog that 
 allowed me to specify a security principal, highlight a right 
 and click a button to find out how/why that principal has that right.
 
 I'd like an easy way to search by managedBy that didn't 
 require full DNs.
 I'd like to be able to specify the canonical name and have it 
 figure out the DN for me. That's because canonical name is 
 copy-able from the UI.
 
 Use the disabled account icon for disabled accounts that show 
 up in the find object dialog results pane.
 
 Wook
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Thursday, January 12, 2006 8:18 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 Your starter for 10: [Dean will explain this, joe :) ]
 
 Add context menu options below out of the box: 
 1. Unlock User (user context menu)
 2. Unlock all users (OU context menu)
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: 12 January 2006 15:22
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 Well, ok, let's do this.
 
 Everyone who has an idea for a change to ADUC post to the 
 ideas to this thread. Don't be shy, you may have thought of 
 something no one else would think of that once seeing it 
 would go this is very cool. Then when the thread seems to die 
 (or some point after that when I catch up :oP ) I will 
 summarize to make sure I understand and then post to LadyBug 
 as improvements that could be made. Also, you may or may not 
 be shocked to hear that many of the folks working on the 
 stuff in Redmond actually watch this list on a regular basis 
 too so they may see it directly. I know the conversation we 
 had previously about suggested improvements to AD was watched 
 pretty closely and generated several DCRs without me even 
 arguing with anyone.
 
 So let's hear it. First item on the table is different icons 
 flagging accounts (and I am stating this generically) that 
 are not currently live.
 This includes disabled, locked, expired passwords, expired accounts?
 Would this be better to add maybe as additional columns that 
 you could tell the GUI to sort on? Or the icons are best?
 
 Note to Dean: This is D's bailiwick now isn't it? I think I 
 recall us having this conversation at BB.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Thommes, Michael M.
 Sent: Thursday, January 12, 2006 9:18 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Expired Accounts
 
 I believe it would be helpful if different icons could be 
 used for disabled accounts, expired account, expired password, etc.  
 
 Mike Thommes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL 

Re: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Not on a server sir.  [at least not on Exchange 2003 anyway... next 
version it will be supported for whatever insane reason ...]


Ken Cornetet wrote:

Outlook 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement
system policies in non AD

Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

 


...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:


   


BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!


:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD


How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory

environments:
http://support.microsoft.com/?kbid=910203



  

 


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
 






   



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



 




RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Marcus.Oh
Hmmm... I'm tripping up on the vlv terminology.  It's been awhile but
when I was playing with taskpad, I found that it was not very useful
without scripting.  Maybe adding a load of simple tasks (add user to
group, etc) would be extremely useful in making taskpad easier to
handle.

:m:dsm:cci:mvp  marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Coleman, Hunter
Maybe the ability to change the security context for certain operations
within a session? Like a task-specific run-as. I haven't thought this
all the way through in terms of security implications, but usually when
I fire up ADUC it's with a non-privileged account, and then I have to go
back with a different account or different tool in a privileged context
if I need to make a change.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done,
I pinged the developer and he is looking forward to seeing the email
with the details. This isn't going through multiple layers of PSS like
you may be used to putting requests through, this is going into the MVP
feedback system and being sent separately to one of the guys writing the
source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName
User logon name (pre-Windows 2000), Kind of a cross between ADUC and
ADSIedit or like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to
find out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full
DNs.
I'd like to be able to specify the canonical name and have it figure out
the DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the
find object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else
would think of that once seeing it would go this is very cool. Then when
the thread seems to die (or some point after that when I catch up :oP )
I will summarize to make sure I understand and then post to LadyBug as
improvements that could be made. Also, you may or may not be shocked to
hear that many of the folks working on the stuff in Redmond actually
watch this list on a regular basis too so they may see it directly. I
know the conversation we had previously about suggested improvements to
AD was watched pretty closely and generated several DCRs without me even
arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently
live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could
tell the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us
having this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for
disabled accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread neil.ruston
You misunderstand - I can and have done this via cute methods. I want to
see more of these context menu options available by default and/or
configurable via a UI/CLI. 

The present method is clunky and involves writing scripts :/

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 13 January 2006 15:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Speaking of Dean... He knows tricks in ADUC.

Hey Dean is there a way of doing this by having unlock called in the
backend?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else
would think of that once seeing it would go this is very cool. Then when
the thread seems to die (or some point after that when I catch up :oP )
I will summarize to make sure I understand and then post to LadyBug as
improvements that could be made. Also, you may or may not be shocked to
hear that many of the folks working on the stuff in Redmond actually
watch this list on a regular basis too so they may see it directly. I
know the conversation we had previously about suggested improvements to
AD was watched pretty closely and generated several DCRs without me even
arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently
live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could
tell the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us
having this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for
disabled accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things
to you. The developers or whomever wrote the spec for the developers
didn't feel it should. You also have to ask if accounts with locked
passwords should show up that way and define if you mean expired
accounts or expired passwords on accounts and whether or not you would
differentiate them in that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?





RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Crawford, Scott
I'd like the ability to customize the display pane differently for each
node in the tree.  For example, specifying different widths for the same
column in different nodes and choosing different sets of columns to
display for different nodes in the tree.  For instance if I had an OU of
users and one of computers, I might like to display Name and Office for
the user OU and Name and OS for the computers OU.  Granted OS isn't even
an option to choose, which is addressed below.

I'd also like more options to choose columns from, ideally any attribute
of an object.  Prolly would work best by having a slightly expanded list
than what's there now, by default, but also having an advanced button to
access the rest.

The next is best described with an example.  When changing the Managed
By attribute of a group, I click change and Select User, Contact, or
Group search box comes up.  In order to search for a group, I have to
click Object Types and check the box next to groups.  Ignoring the
fact that this is slightly inconsistent with the title of the search
box, I would like the option to change whether that's selected by
default.

Finally, it's probably more an issue with the mmc than aduc, but my view
pane often changes to large icon mode instead of detail.  It seems to
happen when I return from a different snap-in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread neil.ruston



As per my reply to context menus, I would like this to be 
more flexible and configurable. Today, there are too many (undocumented / poorly 
documented) steps to follow to perform a simple change. I wouldn't expect a drag 
and drop UI - the latter would suffice for v1.

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 13 January 2006 15:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

How much control would you like over the formatting if any? 
How do you visualize configuring the formatting, drag and drop type GUI 
interface or specify via parameters in some control 
location?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Agree - would be nice if extra attributes could be exposed 
via the UI more readily (e.g. employeeID)

neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 12 January 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts


I think we discussed this one over an excellent burger last fall- I need to
be able to write new property pages a lot more easily than I do now dicking
around with COM and CPP (two things I don't know much about).

Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs
from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

 joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread Ahmed Al-Awah
Thanks Joe et al.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 13, 2006 7:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow


A good start would be MSDN. It is anathema to many admins but often the
absolute best source of some info if you can read it and personally I think
admins should be able to read dev docs. I can't explain how many times I
found something digging through MSDN that helped me in the admin world.
Something that I didn't know existed I find that exists so I go looking for
the tool to do it which may be some obscure function in an MS tool or more
often something I have to build or find elsewhere. It lets you know what is
possible based on the actual capabilities versus what is exposed in the
tools. 


Anyway, I would start here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp


There is some more in a more English way here

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx




 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Friday, January 13, 2006 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow

Joe always provides very useful information... (Yes, I'm kissing up so I can
get the next question answered.)

Now, for the $64K question:

Where can we find a good explanation of how ACE's are ordered in the ACL's
to get a solid understanding of under what conditions this can happen? 


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, January 13, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

Thanks, Joe...

Extremely useful info.  :)

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO  http://www.ultratech-llc.com/KB/


On 1/12/06, joe [EMAIL PROTECTED] wrote:
 It is a little more involved than that, when you do an access check,
 last time I looked into it, it traverses the ACL until it has hit
 enough ACES to grant the access requested or to deny it, once that is
 achieved it stops. It doesn't stop on the first ACE that has that
 security principal granting *something*.

 The ACEs are ordered in the ACL for enumeration such that the
 inheritance hierarchy is preserved as is the ordering of deny versus
 grant. If you had an explicit grant out of order and in front of an
 explicit deny for instance, access would still be granted even though
 if you looked at the ACL (especially in the GUI) it would show the
 deny. This special dorked up ordering is called non-canonical ordering
 and Exchange actually uses it on AD ACLs for hidden membership groups.

 But yes, the upshot of the whole thing is that a grant at a lower
 level in the hierarchy will override a deny. Such as an explicit grant
 or a grant one level above the object will override a deny more than
 one level up from the object.

 If you ever want to make absolute sure that something is absolutely
 denied, apply the deny directly to the object (explicit deny).
 Alternatively, don't use deny ACEs, use pass denies by not granting
 the access. Denies have been a source of confusion for access since
 the whole inherited ACL model came around.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, January 12, 2006 8:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

 It seems to me that if this were true, you would get inconsistent
 access to a file or folder whenever you were member of two groups that
 had access where one group had ReadOnly and the other had Full
 Control.

 Yet, I have never seen that behavior

 The answer from the earlier provided link seems more accurate.


 -ASB
  FAST, CHEAP, SECURE: Pick Any TWO  http://www.ultratech-llc.com/KB/



 On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
  The reason this happens is that when looking for access to a
  directory or file Windows goes through its list of ACLs until it gets
  a response - yes let me in or no don't let me in. But as soon as it
  has a response it stops looking for further responses so if a yes
  (allow) is found yet further down the list of ACLs there is a no
  (deny) it is never read so it is not applied.
 
  This has been demonstrated in many of John Craddock's AD sessions.
 
  Mark
 
  -Original Message-
  From: Ahmed Al-Awah [EMAIL PROTECTED]
  Date: Thu, 12 Jan 2006 14:40:34
  To:'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
  Subject: [ActiveDir] File 

[ActiveDir] Find date Computer object was deleted and created

2006-01-13 Thread Nigel Glasgow
Hi all,


I am trying to determine if and when a Sysadmin with domain admin pass
deleted and recreated a computer object in the domain. This info will be useful
to any IT manager or SysAdmin who is having doubts about what is being
reported when computer objects are suddenly absent, then they reappear in
the domain computer listing next day.

 Any help out there?

Thanks.



RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Jeff Salisbury
Seems like people have been asking forever that the Employee ID field be
added to the display. We ended up purchasing Hyena from SystemTools
Software just so our admins could populate this field, which is used to
sync AD employee information with other systems. Hyena is a great tool
for many other reasons - perhaps Microsoft should acquire them.

Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain?

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items.

Let's have an expert's mode where we don't change the names of the
attributes to things that are user-friendly like calling samAccountName
User logon name (pre-Windows 2000). Kind of a cross between ADUC and
ADSIedit or like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Noah Eiger
The biggest pain in the ADUC for me is its search function. Once you do a
simple search, there should be an easy way to locate that object in the
hierarchy or to identify the OU in which it resides. Either an OU column or a
right-click and Go to Object command (or both) would be great. [1]

Thanks.

-- nme

[1] This is one of those functions that I figure must be in there somewhere
already, and I am just missing it. One of those: it must be right in front of
my eyes things. If that is the case, please elucidate and the request is
withdrawn ;-)

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, January 13, 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

How much control would you like over the formatting if any? How do you
visualize configuring the formatting, drag and drop type GUI interface or
specify via parameters in some control location?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Agree - would be nice if extra attributes could be exposed via the UI more
readily (e.g. employeeID)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 12 January 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

I think we discussed this one over an excellent burger last fall- I need to
be able to write new property pages a lot more easily than I do now dicking
around with COM and CPP (two things I don't know much about).

Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs
from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond
actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

 joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?


RE: [ActiveDir] File Permissions: Deny vs. Allow

2006-01-13 Thread Ahmed Al-Awah
Thanks Marcus, Joe et al..interesting info always..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 12, 2006 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] File Permissions: Deny vs. Allow


The security reference monitor evaluates the list of entries in this
order: noninherited deny, noninherited allow, inherited deny, and inherited
allow.

That means the noninherited allow will override the inherited deny.

:m:dsm:cci:mvp marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Thursday, January 12, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] File Permissions: Deny vs. Allow

It seems to me that if this were true, you would get inconsistent access to
a file or folder whenever you were member of two groups that had access
where one group had ReadOnly and the other had Full Control.

Yet, I have never seen that behavior

The answer from the earlier provided link seems more accurate.


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO  http://www.ultratech-llc.com/KB/



On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
 The reason this happens is that when looking for access to a
directory or file Windows goes through its list of ACLs until it gets a
response - yes let me in or no don't let me in. But as soon as it has a
response it stops looking for further responses so if a yes (allow) is found
yet further down the list of ACLs there is a no (deny) it is never read so
it is not applied.

 This has been demonstrated in many of John Craddock's AD sessions.

 Mark

 -Original Message-
 From: Ahmed Al-Awah [EMAIL PROTECTED]
 Date: Thu, 12 Jan 2006 14:40:34
 To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
 Subject: [ActiveDir] File Permissions: Deny vs. Allow

 Hi all,

 I'm hoping someone can help explain a situation I came across
recently. I have a global security group that has been denied access to a
specific network drive (a folder on a server). However, certain members
within the global security group are able to access the drive.

 After some research I found that the global group was a member of a
domain local group with access to the drive in question. When the group was
removed from the domain local group (but were still members of the global
group) the said users were no longer able to access the drive.

 File permissions, as I understand them, are designed such that deny
permissions will always override allow permissions but in this case it seems
that this is not the case, hence my confusion.


 P.S.: Just as an FYI, the global group and domain local group are
located in different OUs but are part of the same domain.

 Any clarifications on why this is happening are appreciated.

 Thanks,
 Ahmed


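The evaluation rules discussed in this thread (the ordering Marcus lists and the walk-until-decided behaviour and non-canonical ordering joe describes), as an added Python model; it is not code from any poster or from Windows. The group names, the rights bits and the `level` field are constructed for illustration, and treating the deny in Ahmed's case as inherited is an assumption.

```python
from dataclasses import dataclass

# Simplified rights bits, constructed for this example (not real Windows masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # group or user name standing in for a SID
    mask: int       # rights this ACE allows or denies
    level: int = 0  # 0 = explicit on the object, 1 = from parent, 2 = grandparent


def canonical_order(aces):
    """Explicit before inherited, nearer ancestors first, deny before allow per level."""
    return sorted(aces, key=lambda a: (a.level, a.kind != "deny"))


def is_canonical(dacl):
    """True when the stored order already matches canonical order."""
    return list(dacl) == canonical_order(dacl)


def access_check(dacl, token, desired):
    """Walk the DACL in stored order until every requested right is decided."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue  # ACE does not apply to this caller
        if ace.kind == "deny":
            # A deny only matters for requested rights not granted so far.
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True  # decided; later ACEs are never read
    return False  # rights never granted are implicitly denied


# Constructed token: the user plus every group they belong to.
TOKEN = {"some_user", "GlobalGrp", "DomainLocalGrp", "ReadOnlyGrp", "FullGrp"}


def run_scenarios():
    results = {}

    # Two allow ACEs from different groups accumulate, whatever their order.
    two_groups = [Ace("allow", "ReadOnlyGrp", READ), Ace("allow", "FullGrp", FULL)]
    results["two_groups_write"] = access_check(two_groups, TOKEN, WRITE)
    results["two_groups_write_reversed"] = access_check(two_groups[::-1], TOKEN, WRITE)

    # Explicit allow sorts ahead of an inherited deny (assumed layout).
    mixed = canonical_order([
        Ace("deny", "GlobalGrp", FULL, level=1),
        Ace("allow", "DomainLocalGrp", READ),
    ])
    results["explicit_allow_vs_inherited_deny_read"] = access_check(mixed, TOKEN, READ)
    # WRITE was never granted before the deny was reached, so this fails.
    results["explicit_allow_vs_inherited_deny_rw"] = access_check(mixed, TOKEN, READ | WRITE)

    # Same level, allow stored in front of deny: the non-canonical case.
    same_level = [Ace("allow", "DomainLocalGrp", READ), Ace("deny", "GlobalGrp", FULL)]
    results["noncanonical_read"] = access_check(same_level, TOKEN, READ)
    results["canonical_read"] = access_check(canonical_order(same_level), TOKEN, READ)
    results["noncanonical_detected"] = not is_canonical(same_level)

    # Allow inherited from the parent beats a deny inherited from the grandparent.
    ancestors = canonical_order([
        Ace("deny", "GlobalGrp", READ, level=2),
        Ace("allow", "DomainLocalGrp", READ, level=1),
    ])
    results["parent_allow_vs_grandparent_deny"] = access_check(ancestors, TOKEN, READ)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'granted' if outcome else 'denied'}")
```

Running `is_canonical` over exported ACLs is a quick way to flag objects where the GUI view and the effective access can disagree.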

Re: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Steve
My biggest pet peeve with ADUC is petty but annoying.

If I'm in a hurry and use the ADUC to find an object, I select the domain, select the find option, conduct my search, find the object then go look for the object tab to see where it is NO... the object field is only available in the advanced features. So kill everything, click advanced features, go through the steps again...


The location of an object is important! Let's put it everywhere and not try to hide it!

Cheers
On 1/13/06, joe [EMAIL PROTECTED] wrote:

How much control would you like over the formatting if any? How do you visualize configuring the formatting, drag and drop type GUI interface or specify via parameters in some control location?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts


Agree - would be nice if extra attributes could be exposed via the UI more readily (e.g. employeeID)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 12 January 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts


I think we discussed this one over an excellent burger last fall- I need to be able to write new property pages a lot more easily than I do now dicking around with COM and CPP (two things I don't know much about).


Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

 joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread jpsalemi
Policy setting even better, thought about it after I hit send.

John



   
 [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 01/13/2006 09:53 AM
 Please respond to: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 cc:
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
   
   




Please make it easy to turn off drag and drop?  Advanced option perhaps?

Thanks,
John





Re: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Matt Johnson
How about when viewing Groups as containers, in the resulting window
after clicking on it it shows the group members.

On 1/13/06, joe [EMAIL PROTECTED] wrote:

 How much control would you like over the formatting if any? How do you
 visualize configuring the formatting, drag and drop type GUI interface or
 specify via parameters in some control location?


  
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, January 12, 2006 11:23 AM

 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts



 Agree - would be nice if extra attributes could be exposed via the UI more
 readily (e.g. employeeID)

 neil

  
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Brian Desmond
 Sent: 12 January 2006 15:56
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts




 I think we discussed this one over an excellent burger last fall- I need to
 be able to write new property pages a lot more easily than I do now dicking
 around with COM and CPP (two things I don't know much about).

 Would be nice to be able to shift click computers and do add to group

 Shift click group members and remove from group

 Choose columns displayed in the group members view (here we use employee IDs
 from HR for the CN which is what it displays).

 Have the GUI remember columns I chose to show


 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132

  
  From: [EMAIL PROTECTED] on behalf of joe
 Sent: Thu 1/12/2006 10:22 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts




 Well, ok, let's do this.

 Everyone who has an idea for a change to ADUC post the ideas to this
 thread. Don't be shy, you may have thought of something no one else would
 think of that once seeing it would go this is very cool. Then when the
 thread seems to die (or some point after that when I catch up :oP ) I will
 summarize to make sure I understand and then post to LadyBug as improvements
 that could be made. Also, you may or may not be shocked to hear that many of
 the folks working on the stuff in Redmond actually watch this list on a
 regular basis too so they may see it directly. I know the conversation we
 had previously about suggested improvements to AD was watched pretty closely
 and generated several DCRs without me even arguing with anyone.

 So let's hear it. First item on the table is different icons flagging
 accounts (and I am stating this generically) that are not currently live.
 This includes disabled, locked, expired passwords, expired accounts? Would
 this be better to add maybe as additional columns that you could tell the
 GUI to sort on? Or the icons are best?

 Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
 this conversation at BB.

   joe


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Thommes, Michael M.
 Sent: Thursday, January 12, 2006 9:18 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Expired Accounts

 I believe it would be helpful if different icons could be used for disabled
 accounts, expired account, expired password, etc.

 Mike Thommes

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Thursday, January 12, 2006 7:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Expired Accounts

 Philosophical question really. How do you want the GUI to present things to
 you. The developers or whomever wrote the spec for the developers didn't
 feel it should. You also have to ask if accounts with locked passwords
 should show up that way and define if you mean expired accounts or expired
 passwords on accounts and whether or not you would differentiate them in
 that marking.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Douglas M. Long
 Sent: Thursday, January 12, 2006 8:35 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Expired Accounts

 Shouldn't expired accounts show up with a red X just like a disabled
 account?


Re: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Matt Johnson
In the query view in 2K3, allow LDAP queries to be used instead of
using the GUI choices.


On 1/13/06, Matt Johnson [EMAIL PROTECTED] wrote:
 How about when viewing Groups as containers, in the resulting window
 after clicking on it it shows the group members.

 On 1/13/06, joe [EMAIL PROTECTED] wrote:
 
  How much control would you like over the formatting if any? How do you
  visualize configuring the formatting, drag and drop type GUI interface or
  specify via parameters in some control location?
 
 
   
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  [EMAIL PROTECTED]
  Sent: Thursday, January 12, 2006 11:23 AM
 
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 
 
  Agree - would be nice if extra attributes could be exposed via the UI more
  readily (e.g. employeeID)
 
  neil
 
   
   From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Brian Desmond
  Sent: 12 January 2006 15:56
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 
 
 
  I think we discussed this one over an excellent burger last fall- I need to
  be able to write new property pages a lot more easily than I do now dicking
  around with COM and CPP (two things I don't know much about).
 
  Would be nice to be able to shift click computers and do add to group
 
  Shift click group members and remove from group
 
  Choose columns displayed in the group members view (here we use employee IDs
  from HR for the CN which is what it displays).
 
  Have the GUI remember columns I chose to show
 
 
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
 
  c - 312.731.3132
 
   
   From: [EMAIL PROTECTED] on behalf of joe
  Sent: Thu 1/12/2006 10:22 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
 
 
 
 
  Well, ok, let's do this.
 
  Everyone who has an idea for a change to ADUC post the ideas to this
  thread. Don't be shy, you may have thought of something no one else would
  think of that once seeing it would go this is very cool. Then when the
  thread seems to die (or some point after that when I catch up :oP ) I will
  summarize to make sure I understand and then post to LadyBug as improvements
  that could be made. Also, you may or may not be shocked to hear that many of
  the folks working on the stuff in Redmond actually watch this list on a
  regular basis too so they may see it directly. I know the conversation we
  had previously about suggested improvements to AD was watched pretty closely
  and generated several DCRs without me even arguing with anyone.
 
  So let's hear it. First item on the table is different icons flagging
  accounts (and I am stating this generically) that are not currently live.
  This includes disabled, locked, expired passwords, expired accounts? Would
  this be better to add maybe as additional columns that you could tell the
  GUI to sort on? Or the icons are best?
 
  Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
  this conversation at BB.
 
joe
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Thommes, Michael M.
  Sent: Thursday, January 12, 2006 9:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Expired Accounts
 
  I believe it would be helpful if different icons could be used for disabled
  accounts, expired account, expired password, etc.
 
  Mike Thommes
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  joe
  Sent: Thursday, January 12, 2006 7:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Expired Accounts
 
  Philosophical question really. How do you want the GUI to present things to
  you. The developers or whomever wrote the spec for the developers didn't
  feel it should. You also have to ask if accounts with locked passwords
  should show up that way and define if you mean expired accounts or expired
  passwords on accounts and whether or not you would differentiate them in
  that marking.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Douglas M. Long
  Sent: Thursday, January 12, 2006 8:35 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Expired Accounts
 
  Shouldn't expired accounts show up with a red X just like a disabled
  account?
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 

Re: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Brett Shirley
Al,

> I always wished that Microsoft would support multiple file versions like
> VMS did.

I'm just curious, if you have the time, for my own edification, what was
this VMS file system feature?  Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE


On Thu, 12 Jan 2006, Al Lilianstrom wrote:

 Don't forget the VAXMate and PCSA v1.1. What an interesting pair...
 
 My brother in law worked for DEC at that time and had a VAXStation II 
 and a Pro350 that he had bought from DEC in his basement. Kept trying to 
 sell me the Pro.
 
 VMS was great. I turned off my last VAX just over 2 years ago. It had 
 been up and running for 8 years. Great OS, great hardware, lousy company 
 management.
 
 I always wished that Microsoft would support multiple file versions like 
 VMS did.
 
   al
 
 Lee, Wook wrote:
  Ah, now we're really dragging out the old war horses. My first job at
  DEC was writing CBI courses for the DECmate WPS+ list processing module.
  They gave me a Robin (think VT100 with a processor and dual 5.25 floppy
  disks) to use at home (a little basement studio next to the laundry room
  in the basement of my apartment building in Acton, MA.) My second job
  was writing a device driver in C for a Polaroid CRT-to-film peripheral
  called the Polaroid Palette (had a mini-high resolution BW CRT and a
  Color-filter wheel all controlled by a Z80 processor) for the very same
  Rainbow PC.
  
  In those days, Digital could not decide on a PC strategy. There were
  three different product lines that all had some potential but none of
  them took off. We had the Rainbow which was close to what became
  mainstream with an 8088 or 8086 processor, the DECmate which was
  basically a secretarial workstation running WPS+ and not much else and
  the Pro 350 which was a repackaged PDP-11 that spent a few years as the
  console device for some of the bigger VAXen. If I recall correctly, the
  Pro 350 OS was based on RSTS.
  
  Those were the good old days before 1987 and Black Tuesday. I think I
  had some Digital options at something like $150. Sigh.
  
  Wook
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
  Sent: Wednesday, January 11, 2006 6:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: DEC 2006
  
  Anyone remember the Rainbow?  It was DEC's attempt at a Personal
  computer.  Launched in early '83, if I remember...  ran its own
  proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
  died a year or two later, but the marketing stickers held up for about
  10 years!!  I had one stuck to my daughter's mirror and damned if I
  could get it off!!
  
  And the DECwriter and the Gold key. a - sweet memories!!
  
  On 1/11/06, joe [EMAIL PROTECTED] wrote:
  Ah but people using DEC and attending DECUS were smarter than the average
  bear To this day the people I meet who grew up on DEC are more well
  rounded and knowledgeable in the field than the norm.
 
  The good ol days... Anyone remember Mike Mayfield and the RSTS/E Monitor
  Internals books he wrote? Only place to get the real scoop on the internals
  so you could really wreak havoc. I think he also wrote the original Trek too
  so if your system was still up after poking around in the internals you
  could play a video game on your DecWriter or VT52.
 
  I got my first official corporate support position supporting OS/2 and Win31
  on Token Ring back in the mid 90's because I knew DEC. The 8 or so people in
  the panel interview started asking me questions about the equipment the job
  was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of the
  questions so they saw DEC on my resume and started asking DEC questions and
  a couple of hours later we were all laughing and I had my choice of the
  three open positions they had even though I knew nothing about any of them.
  :)
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John
  McGlinchey
  Sent: Tuesday, January 10, 2006 4:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  My experience is just the opposite. I attended DECUS (The other DEC, Digital
  Equipment Computer Users Society Symposia) a few times back in the 90's and
  the casinos complained that the attendees were not losing enough money.
  This was attributed to 1) most of the attendees knew the odds were against
  them so they kept their money in their pockets where it belonged and 2) the
  ones that did play were pretty good at it and were winning too much.
 
  I'll not be attending but I'm sending someone that works for me instead.
  Have a good conference.
 
  John McGlinchey
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
  Michael M.
  Sent: Tuesday, January 10, 2006 3:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: 

RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Dean Wells



Note that the available columns can be extended via Display Specifiers (i.e. a
distributed configuration).

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> Have the GUI remember columns I chose to show

On a single machine or across AD? Or possibly a config file you could
export/import to specific machines?




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, January 12, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

I think we discussed this one over an excellent burger last fall- I need to
be able to write new property pages a lot more easily than I do now dicking
around with COM and CPP (two things I don't know much about).

Would be nice to be able to shift click computers and do add to group

Shift click group members and remove from group

Choose columns displayed in the group members view (here we use employee IDs
from HR for the CN which is what it displays).

Have the GUI remember columns I chose to show

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Grillenmeier, Guido
ah gee - where do we start... 

1. option to view the domains in a real tree-like fashion (not needing
to switch between various ADUC instances when handling multi-domain
environments)

2. option in the UI to disable the filter for groups that are remote to
the user, so that universal group memberships are displayed from any
domain in the forest when connected to a GC (basically the way that it
worked in Win2k; naturally I'd also want the local group memberships
from the other domains, but I won't ask for too much at once...)

3. easy way to disable drag & drop without the need to set a flag in the
config-container. And disable drag & drop by default.

4. an Advanced Tab in the New Users dialog-box that allows to enter
all or at least an extended list of attributes (incl. group-memberships)

5. ability to select specific (or all) users from a search and
right-click = add to group context option

6. replace the Delegation Wizard with something useful. How about
something that understands the roles that it sets and can actually
display them when viewing the security on objects.

7. normalize the way that objects are displayed and handled in search
results with how they are handled when browsing to the object (e.g. same
property pages, same context functions)

8. ability to copy group-memberships and paste them to another group -
same for memberOf links from one User/Computer/Group object to
another.

9. I very much support Wook's idea of a Raw mode that shows the real
attribute names

10. I actually support all of Wook's ideas and I also like most of the
others that were posted :-) Especially Hunter's request to enable
elevation of privileges via run-as for specific tasks in ADUC.

11. I hate how ADUC refreshes the view and gets you back to the root of
the domain just because I've added a different column to the view or
have selected the Advanced View option. That is sooo annoying. I'd
like it just to refresh the view I'm currently on, or if it must
basically re-read the tree-structure (and close all of those nodes that
I've opened until then), at least bring me back to where I was...

12. Undo/Redo

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Freitag, 13. Januar 2006 16:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an 

RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Grillenmeier, Guido
congrats Tony! - keep up the good work !!!

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Freitag, 13. Januar 2006 01:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out
there for making it a great place to hang out and learn about AD (and
more besides!).

Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Find date Computer object was deleted and created

2006-01-13 Thread Coleman, Hunter
Turn up auditing and then parse the Security event logs on your domain
controllers. There are a variety of ways to partially or fully automate
this, including EventComb and scripting. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nigel Glasgow
Sent: Friday, January 13, 2006 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find date Computer object was deleted and created

Hi all,


I am trying to determine if and when a Sysadmin with domain admin pass
deleted and recreated a computer object in the domain. This info will
be useful to any IT manager or SysAdmin who is having doubts about what is
being reported when computer objects are suddenly absent, then they
reappear in the domain computer listing next day.

 Any help out there?

Thanks.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
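One way to do the parsing step suggested in the reply above, as an added example that is not part of the original thread: it takes Security-log rows exported from several domain controllers, keeps only the computer-account created/deleted events (645/647 on Windows 2000/2003, 4741/4743 on Windows Server 2008 and later) and pairs each deletion with the next creation of the same account name. The CSV column layout, account names and DC names are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Security-log event IDs for computer account management.
# 645/647 are the Windows 2000/2003 IDs, 4741/4743 the Windows Server 2008+ ones.
CREATED_IDS = {645, 4741}
DELETED_IDS = {647, 4743}

# Constructed sample: rows exported from two DCs and simply concatenated.
# The layout (time, event ID, DC, caller, target account) is an assumption.
SAMPLE_EXPORT = """\
2006-01-12 08:03:55,645,DC02,CORP\\admin.a,WKS-0142$
2006-01-11 17:42:10,647,DC01,CORP\\admin.a,WKS-0142$
2006-01-11 17:45:02,642,DC01,CORP\\helpdesk1,jsmith
2006-01-12 09:10:00,645,DC01,CORP\\joiner,WKS-0200$
2006-01-12 11:30:41,647,DC02,CORP\\admin.b,SRV-OLD$
"""


def parse_events(text):
    """Return computer-account create/delete events, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        when, event_id, dc, caller, target = (field.strip() for field in row)
        try:
            event_id = int(event_id)
            when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        if event_id in CREATED_IDS:
            action = "created"
        elif event_id in DELETED_IDS:
            action = "deleted"
        else:
            continue  # other account-management events are ignored here
        events.append({"when": when, "action": action, "dc": dc,
                       "caller": caller, "target": target})
    # Each DC logs only the changes made on it, so merged exports are re-sorted.
    events.sort(key=lambda e: e["when"])
    return events


def correlate(events):
    """Pair each deletion with the next creation of the same account name."""
    pending = {}    # lower-cased account name -> deletion not yet matched
    recreated = []
    for event in events:
        key = event["target"].lower()
        if event["action"] == "deleted":
            pending[key] = event
        elif key in pending:
            deletion = pending.pop(key)
            recreated.append({
                "computer": event["target"],
                "deleted_at": deletion["when"],
                "deleted_by": deletion["caller"],
                "deleted_on": deletion["dc"],
                "created_at": event["when"],
                "created_by": event["caller"],
                "created_on": event["dc"],
                "gap": event["when"] - deletion["when"],
            })
    still_deleted = sorted(e["target"] for e in pending.values())
    return recreated, still_deleted


if __name__ == "__main__":
    recreated, still_deleted = correlate(parse_events(SAMPLE_EXPORT))
    for r in recreated:
        print("%s deleted %s by %s on %s, recreated %s by %s on %s (gap %s)" % (
            r["computer"], r["deleted_at"], r["deleted_by"], r["deleted_on"],
            r["created_at"], r["created_by"], r["created_on"], r["gap"]))
    print("deleted and not recreated:", still_deleted)
```

The deletion and the re-creation can land on different domain controllers, which is why the export from every DC has to be merged before correlating.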


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Lee, Wook
Re vlv: Possibly, though I don't really care how it's done. Mostly, it's
just the smarts required in the UI to be able to display just the part
of the list I'm looking at rather than cramming all of the data into the
various UI widgets and letting them fend for themselves. Vlv is a tool
in the toolbox. I think it's more a question of smart UI design than
brute force.

Re explicit ACE references: What I mean is say I have a group. I want to
know at which points in the AD that group is referred to in an ACL. I
want to know what object it was applied to and what rights were allowed
or denied. I don't want to see any of the inherited stuff, just the
places where I may want to modify or remove it. What would be really
nice would be to get a list of all the places where user accounts were
added explicitly to ACLs so I can get rid of them all.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> Allow ADUC to handle larger numbers of objects in a container without
> running like a snail.

Are you thinking vlv here Wook?

> I'd like an interface that will allow me to query for where a particular
> security principal is referred to in an explicit ACE on an ACL.

Could you flesh this one out a little more, I can interpret that in a
couple of ways. Possibly give a concrete example?


The rest I believe I understand.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: 
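The query described in the message above (where is a given security principal named in an explicit, non-inherited ACE?), sketched as an added example that is not part of the original thread. It assumes each object's security descriptor has already been exported as an SDDL string; the DNs and SIDs are constructed, and only the plain six-field ACE form is parsed.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "kind flags rights object_guid inherit_guid trustee")

# SDDL ACE type codes that grant or deny access (audit ACEs live in the SACL).
ACE_KINDS = {"A": "allow", "D": "deny",
             "OA": "allow (object)", "OD": "deny (object)"}

# Constructed SIDs standing in for a help-desk group and a single user account.
HELPDESK = "S-1-5-21-1004336348-1177238915-682003330-1104"
JDOE = "S-1-5-21-1004336348-1177238915-682003330-2215"

# Constructed sample: DN -> SDDL of the object's security descriptor.
SAMPLE_ACLS = {
    "OU=Sales,DC=corp,DC=example":
        "O:DAG:DAD:AI(A;CI;RPWP;;;" + HELPDESK + ")"
        "(A;CIID;RPLCLORC;;;AU)(D;;SD;;;" + JDOE + ")",
    "CN=Pat Lee,OU=Sales,DC=corp,DC=example":
        # The ID flag marks the help-desk ACE as inherited from the OU above.
        "O:DAG:DAD:AI(A;CIID;RPWP;;;" + HELPDESK + ")"
        # Object ACE for the Reset Password extended right, set on this object.
        "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;" + JDOE + ")",
    "OU=Servers,DC=corp,DC=example":
        "O:DAG:DAD:PAI(A;CI;RPLCLORC;;;AU)S:AI(AU;SA;WD;;;WD)",
}


def parse_dacl(sddl):
    """Return the ACEs of the DACL ("D:") part of an SDDL string."""
    match = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not match:
        return []  # no DACL, or a DACL without ACEs
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # not a well-formed ACE string
        raw_flags = fields[1]
        # ACE flags are two-letter codes written back to back, e.g. "CIID".
        flags = frozenset(raw_flags[i:i + 2]
                          for i in range(0, len(raw_flags), 2))
        aces.append(Ace(fields[0], flags, fields[2],
                        fields[3], fields[4], fields[5]))
    return aces


def explicit_references(acls, trustees):
    """List (dn, kind, rights, object_guid) for explicit ACEs naming a trustee.

    trustees is a set of SID strings (or SDDL aliases such as "AU"); passing
    the SIDs of all user accounts lists every place a user was added directly.
    """
    hits = []
    for dn, sddl in acls.items():
        for ace in parse_dacl(sddl):
            if ace.trustee in trustees and "ID" not in ace.flags:
                hits.append((dn, ACE_KINDS.get(ace.kind, ace.kind),
                             ace.rights, ace.object_guid))
    return hits


if __name__ == "__main__":
    for trustee in (HELPDESK, JDOE):
        print(trustee)
        for hit in explicit_references(SAMPLE_ACLS, {trustee}):
            print("   ", hit)
```

Inherited copies (flag `ID`) are skipped, so each hit is a place where the ACE can actually be modified or removed.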

[ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread TIROA YANN






Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)

Will u have a microsoft professional card as the MCP/MCSE one ?

Yann




RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Kennedy, Jim



Consistently remember the last domain controller I connected to, and 
reconnect to it when I start it back up.




RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Scott Klassen
Some things that I'd like to see, the Additional Account Info tab should
exist for user objects by default without having to manually register
acctinfo.dll.  There is some very handy information on that tab.  Something
similar for computer objects would be nice as well.

As a further suggestion, is there any chance you might be able to hook-up
with someone on the group policy team for this same sort of fast-track
virtual suggestion box?  I know that I have several custom ADM templates and
scripts to push out various settings that don't currently exist.  More built
in policies equal easier administration in my book.  I would hope that I'm
not alone in this.

Thanks Joe,

Scott Klassen


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for 

[ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Bernier, Brandon \(.\)








Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to if that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed provided the DC's can speak LDAPS. Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said..I'm just brainstorming ideas.

-Brandon





RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread Rich Milburn
Oh I realize that, and SBS [W2K3KSE] I think by definition would not be useful 
if you pull some stuff out of it.  I think Core is just for File, Print, DC, 
and... and... dang I forgot the other one.  Well, 4 basic functions anyway.  
But it just doesn't seem right sometimes to have IE and MP on a server.  And 
OE.  That's what desktops are for.  I'm not convinced those are needed on SBS, 
but at least with longhorn hopefully the IE-in-a-separate-space thing will help 
mitigate that somewhat.  I personally liked the core idea a lot though, for 
your basic services.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system 
policies in non AD

Well for beta... But that won't help SBS. SBS won't run on Core, it has too
many dependencies. Lots of stuff may find issue with core. It is intended to
be a lean and mean tight OS like a server should be. I think many people
will be quite surprised when their stuff doesn't work, I suggest everyone
who can get in the beta and start testing their stuff. It will also change
the face of admin work. It will require a higher level of understanding IMO.
However it is tough to talk specifics regarding a product in beta. But I do
recommend people get the beta and test.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, January 13, 2006 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

... Internet Explorer, Outlook Express, Windows Messenger, Media Player,
and... oh wait, that's all versions of server... Core is not out yet, is
it... :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

Ahem . I think you forgot Windows.
 
:)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Wed 1/11/2006 7:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD



Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten
something around here...

Laura E. Hunter wrote:

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 

BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!

 :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203


   



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Gil Kirkpatrick
When you saved a file, it didn't overwrite the old version... You would
have files like foo.txt;1 foo.txt;2, etc. until you explicitly removed
the old versions.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, January 13, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)

Al,

 I always wished that Microsoft would support multiple file versions
 like VMS did.

I'm just curious, if you have the time, for my own edification, what was
this VMS file system feature?  Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE


On Thu, 12 Jan 2006, Al Lilianstrom wrote:

 Don't forget the VAXMate and PCSA v1.1. What an interesting pair...
 
 My brother in law worked for DEC at that time and had a VAXStation II
 and a Pro350 that he had bought from DEC in his basement. Kept trying
 to sell me the Pro.
 
 VMS was great. I turned off my last VAX just over 2 years ago. It had
 been up and running for 8 years. Great OS, great hardware, lousy
 company management.
 
 I always wished that Microsoft would support multiple file versions
 like VMS did.
 
   al
 
 Lee, Wook wrote:
  Ah, now we're really dragging out the old war horses. My first job at
  DEC was writing CBI courses for the DECmate WPS+ list processing
  module. They gave me a Robin (think VT100 with a processor and dual
  5.25 floppy disks) to use at home (a little basement studio next to
  the laundry room in the basement of my apartment building in Acton,
  MA.) My second job was writing a device driver in C for a Polaroid
  CRT-to-film peripheral called the Polaroid Palette (had a mini-high
  resolution BW CRT and a Color-filter wheel all controlled by a Z80
  processor) for the very same Rainbow PC.
  
  In those days, Digital could not decide on a PC strategy. There were
  three different product lines that all had some potential but none of
  them took off. We had the Rainbow which was close to what became
  mainstream with an 8088 or 8086 processor, the DECmate which was
  basically a secretarial workstation running WPS+ and not much else
  and the Pro 350 which was a repackaged PDP-11 that spent a few years
  as the console device for some of the bigger VAXen. If I recall
  correctly, the Pro 350 OS was based on RSTS.
  
  Those were the good old days before 1987 and Black Tuesday. I think I
  had some Digital options at something like $150. Sigh.
  
  Wook
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
  Sent: Wednesday, January 11, 2006 6:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: DEC 2006
  
  Anyone remember the Rainbow?  It was DEC's attempt at a Personal
  computer.  Launched in early '83, if I remember...  ran its own
  proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
  died a year or two later, but the marketing stickers held up for
  about 10 years!!  I had one stuck to my daughter's mirror and damned
  if I could get it off!!
  
  And the DECwriter and the Gold key. a - sweet memories!!
  
  On 1/11/06, joe [EMAIL PROTECTED] wrote:
  Ah but people using DEC and attending DECUS were smarter than the
  average bear To this day the people I meet who grew up on DEC are
  more well rounded and knowledgeable in the field than the norm.
 
  The good ol days... Anyone remember Mike Mayfield and the RSTS/E
  Monitor Internals books he wrote? Only place to get the real scoop on
  the internals so you could really wreak havoc. I think he also wrote
  the original Trek too so if your system was still up after poking
  around in the internals you could play a video game on your DecWriter
  or VT52.
 
  I got my first official corporate support position supporting OS/2
  and Win31 on Token Ring back in the mid 90's because I knew DEC. The
  8 or so people in the panel interview started asking me questions
  about the equipment the job was for (OS/2 Win31 tcp/ip Token Ring)
  and I couldn't answer any of the questions so they saw DEC on my
  resume and started asking DEC questions and a couple of hours later
  we were all laughing and I had my choice of the three open positions
  they had even though I knew nothing about any of them.
  :)
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John
  McGlinchey
  Sent: Tuesday, January 10, 2006 4:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  My experience is just the opposite. I attended DECUS (The other DEC,
  Digital Equipment Computer Users Society Symposia) a few times back
  in the 90's and the casinos complained that the attendees were not
  losing enough money. This was attributed to 1) most of the attendees
  knew the odds were against them so they kept their money in their
  pockets where it belonged and 2) the ones 

[ActiveDir] DEC2006 Sunday Workshop

2006-01-13 Thread Thommes, Michael M.
In case anyone is interested, the DEC2006 Sunday Workshop includes
continental breakfast and lunch, as well as a cocktail
party that evening.

Mike Thommes


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Rocky Habeeb
Wow ...
That's a really nifty idea!
Maybe if I had something like this I might make joe proud and try to start
learning how to script.
Me?
Personally?
I want an Undelete button that says Hey, if you click me, I will let you
undelete anything that you accidentally deleted within the last 60 days and
you don't have to do an Authoritative Restore or a Non-Authoritative Restore
or a Tombstone Re-animation or a Guido-ism or a joeware tool or anything.
Click it and go home and watch College Basketball like you were planning and
relax.  I'll take care of it.

CAN I PLEASE GET THAT (and the scripting thing below, of course.)

RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael B. Smith
Sent: Friday, January 13, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts


I would like ADUC to maintain a log of command-line equivalents for all
its operations, so I can learn how to script it better.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, January 13, 2006 10:49 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] ADUC updates - Was Expired Accounts

When I copy an account I would like to be prompted to update the info on
the profile tab if any exists.

I would like to be able to set up template accounts that don't resolve
variables until the accounts are created.

The acctinfo.dll to be standard and have a next DC button to query user
properties on the next DC-effectively enabling a DC scroll through.

Thinking of more...
-Original Message-
From: joe [EMAIL PROTECTED]
Date: Fri, 13 Jan 2006 09:59:39
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain?

I am asking because I will summarize and wrap this up after it is done,
I pinged the developer and he is looking forward to seeing the email with
the details. This isn't going through multiple layers of PSS like you may
be used to putting requests through, this is going into the MVP feedback
system and being sent separately to one of the guys writing the source
code for it.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items.

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName
User logon name (pre-Windows 2000), Kind of a cross between ADUC and
ADSIedit or like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to
find out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full
DNs. I'd like to be able to specify the canonical name and have it
figure out the DN for me. That's because canonical name is copy-able
from the UI.

Use the disabled account icon for disabled accounts that show up in the
find object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box:
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know 

RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Gil Kirkpatrick
That's really cool. Congratulations on creating the best online forum
for AD professionals.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, January 13, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] Mailing list is 5 today!

congrats Tony! - keep up the good work !!!

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Freitag, 13. Januar 2006 01:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out
there for making it a great place to hang out and learn about AD (and
more besides!).

Tony



Re: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Jose Medeiros
Yes.. Congratulations. Thank you for all your help with my issues!

Jose

- Original Message -
From: TIROA YANN
To: ActiveDir@mail.activedir.org
Sent: Friday, January 13, 2006 10:59 AM
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann


RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Gil Kirkpatrick
Amazingly I blogged this a week ago
(http://www.gilsblog.com/index.cfm?commentID=44 ) How did Jorge not find
out till today? Don't they have email over there? :)
Congratulations Jorge, you certainly deserve it.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann


RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Steve Rochford
Agreed; it could work like Explorer's file search where you get an open 
containing folder option
 
Steve



From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Fri 13/01/2006 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts



The biggest pain in the ADUC for me is its search function. Once you do a 
simple search, there should be an easy way to locate that object in the 
hierarchy or to identify the OU in which it resides. Either an OU column or a 
right-click and Go to Object command (or both) would be great. [1]

 

Thanks.

 

-- nme

 

[1] This is one of those functions that I figure must be in there somewhere 
already, and I am just missing it. One of those: it must be right in front of 
my eyes things. If that is the case, please elucidate and the request is 
withdrawn ;-)

 



From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 13, 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

 

How much control would you like over the formatting if any? How do you 
visualize configuring the formatting, drag and drop type GUI interface or 
specify via parameters in some control location?

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Agree - would be nice if extra attributes could be exposed via the UI more 
readily (e.g. employeeID)

 

neil

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 12 January 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

I think we discussed this one over an excellent burger last fall- I need to be 
able to write new property pages a lot more easily than I do now dicking around 
with COM and CPP (two things I don't know much about). 

 

Would be nice to be able to shift click computers and do add to group

 

Shift click group members and remove from group

 

Choose columns displayed in the group members view (here we use employee IDs 
from HR for the CN which is what it displays).

 

Have the GUI remember columns I chose to show

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 1/12/2006 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc. 

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 

RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Rich Milburn
Yes congrats Jorge - and all the others who made it for the first time or
were renewed. Although I think I'm confused, Friday and all that, and too
lazy to log in and check, but Jorge weren't you in Redmond last fall??

Yes you get a little card, and a pin (has anyone actually ever worn those
pins in public?), and some other stuff. There is a lot of info at
http://mvp.support.microsoft.com
There is also a lot of content on http://mvps.org as well as other sites.







---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !









Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann

















RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Ulf B. Simon-Weidner
I support most wishes in here.

Guido's wish: I'd prefer to be able to add the domains I want to administer
in ADUC, but see all of the selectively added domains in a tree view.

Also provide a possibility to extend property sheets easily, such as the
Outlook Address Book can be configured. I'd prefer to see this in ADUC's
Objects Properties, such as EmployeeID a.s.o.

Provide an easier way than COM and C++ to extend the wizards and
interfaces.

Move to MMC2.0

Ability to add custom attributes to the list view easily, different per
client a.s.o.

Ability to modify attributes in the list view, such as Exchange. Keep this
possibility off by default, but enable admins to individually switch it on
per client. For more changes it would be so cool just to change the
phone-numbers or anything else in the list view. Click it, F2-Change it,
then press Arrow-Down to move to the same property of the next user (Or
Enter / Arrow-right for the next attribute of the same user).

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled
account?



RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread deji
I think the functions are exposed in WinAPI and/or DNSAPI - I am NOT a
programmer :)
 
These are very likely where you'd start:
 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_srv_data.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_record.asp
 
Because of the role DHCP client plays in dynamic DNS registration, I am
thinking that DHCPCSVC.DLL may be in play as well.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Bernier, Brandon (.)
Sent: Fri 1/13/2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?





Does anyone have an idea which Windows API does the DNS registration of SRV
records for DCs? I'm very curious as to if that is a public method. The
purpose is I'm looking into how feasible it is to write a Windows Service
that hooks into netlogon and registers secure LDAP SRV records as needed
provided the DC's can speak LDAPS. Think it's a horrible idea? Could be done
better? Let me know what you think. I know the ultimate solution is a DCR,
but like I said..I'm just brainstorming ideas.

-Brandon 
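
An added example, not code from this thread or from Microsoft: what the registration discussed above looks like on the wire, as an RFC 2136 dynamic update that adds one SRV record pointing at a DC's LDAPS port (636), built and parsed back. The owner name `_ldaps._tcp.example.com`, the host `dc1.example.com`, and the TTL, priority and weight values are constructed assumptions.

```python
import struct

TYPE_SOA, TYPE_SRV, CLASS_IN, OPCODE_UPDATE = 6, 33, 1, 5


def encode_name(name):
    """Encode a domain name as uncompressed labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range in %r" % name)
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name too long: %r" % name)
    return out


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off:]; return (name, next offset)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_srv_update(msg_id, zone, owner, ttl, priority, weight, port, target):
    """Build an UPDATE message whose update section adds one SRV record.

    The message is unsigned: a zone that accepts only secure dynamic
    updates will refuse it unless a signature (GSS-TSIG) is added.
    """
    zone_l, owner_l = zone.rstrip(".").lower(), owner.rstrip(".").lower()
    if not ("." + owner_l).endswith("." + zone_l):
        raise ValueError("owner name is outside the zone being updated")
    # SRV RDATA (RFC 2782): priority, weight, port, then the target host
    # name, which must not use name compression.
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    # Header: ID, flags (opcode 5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    # Zone section: the zone name with ZTYPE=SOA, as RFC 2136 requires.
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata))
                 + rdata)
    return header + zone_section + update_rr


def parse_srv_update(msg):
    """Parse a message produced by build_srv_update back into its fields."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE or flags & 0x8000:
        raise ValueError("not a DNS UPDATE request")
    if (zo, pr, up, ad) != (1, 0, 1, 0):
        raise ValueError("expected exactly one zone and one update record")
    zone, off = decode_name(msg, 12)
    ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    if ztype != TYPE_SOA:
        raise ValueError("zone section must have ZTYPE=SOA")
    owner, off = decode_name(msg, off + 4)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TYPE_SRV or rclass != CLASS_IN:
        raise ValueError("update record is not an IN SRV record")
    priority, weight, port = struct.unpack("!HHH", msg[off:off + 6])
    target, end = decode_name(msg, off + 6)
    if end != off + rdlength or end != len(msg):
        raise ValueError("RDLENGTH does not match the record data")
    return {"id": msg_id, "zone": zone, "owner": owner, "ttl": ttl,
            "priority": priority, "weight": weight, "port": port,
            "target": target}


if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the thread).
    message = build_srv_update(0x1234, "example.com",
                               "_ldaps._tcp.example.com", 600,
                               0, 100, 636, "dc1.example.com")
    print(message.hex())
    print(parse_srv_update(message))
```
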



RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread Rich Milburn
More like the Active Directory Recycle Bin instead of the CraftyWarez
Undelete Tool? :)

I haven't seen huge implementations where the waiting period for
returning queries is really long... but if there was a cancel button
that would return you to the interface rather than make you wait until
it returns the 9000 members of the container you just clicked by
accident, that might be nice...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, January 13, 2006 2:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Wow ...
That's a really nifty idea!
Maybe if I had something like this I might make joe proud and try to start
learning how to script.
Me?
Personally?
I want an Undelete button that says Hey, if you click me, I will let you
undelete anything that you accidentally deleted within the last 60 days and
you don't have to do an Authoritative Restore or a Non-Authoritative Restore
or a Tombstone Re-animation or a Guido-ism or a joeware tool or anything.
Click it and go home and watch College Basketball like you were planning and
relax.  I'll take care of it.

CAN I PLEASE GET THAT (and the scripting thing below, of course.)

RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael B. Smith
Sent: Friday, January 13, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts


I would like ADUC to maintain a log of command-line equivalents for all
its operations, so I can learn how to script it better.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, January 13, 2006 10:49 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] ADUC updates - Was Expired Accounts

When I copy an account I would like to be prompted to update the info on
the profile tab if any exists.

I would like to be able to set up template accounts that don't resolve
variables until the accounts are created.

The acctinfo.dll to be standard and have a next DC button to query user
properties on the next DC-effectively enabling a DC scroll through.

Thinking of more...
-Original Message-
From: joe [EMAIL PROTECTED]
Date: Fri, 13 Jan 2006 09:59:39
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain?

I am asking because I will summarize and wrap this up after it is done,
I
pinged the developer and he is looking forward to seeing the email with
the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback
system
and being sent separately to one of the guys writing the source code for
it.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items.

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName
User
logon name (pre-Windows 2000), Kind of a cross between ADUC and
ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to
find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full
DNs.
I'd like to be able to specify the canonical name and have it figure out
the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the
find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box:
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC 

RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Gil Kirkpatrick
Try http://msdn.microsoft.com/library/default.asp?url=

These are relatively new (WS2003 perhaps?) We developed our 
own DNS functions over Winsock.

-g


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?

Does anyone have an idea which Windows API does the 
DNS registration of SRV records for DCs? I'm very curious as to if that is a 
public method. The purpose is I'm looking into how feasible it is to write a 
Windows Service that hooks into netlogon and registers secure LDAP SRV records 
as needed provided the DC's can speak LDAPS. Think it's a horrible idea? Could 
be done better? Let me know what you think. I know the ultimate solution is a 
DCR, but like I said..I'm just brainstorming ideas.
-Brandon 


RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Almeida Pinto, Jorge de
Thanks everyone!
 
A week ago on January 6th I got notice from the US MVP Lead I have been 
nominated (blogged that on January 6th 
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today 
(Friday the 13th...) I got notice from the Dutch MVP lead saying Microsoft 
awarded me the MVP DS Award (blogged that today 
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/13/406.aspx)
I don't know how the process works...
 
Gil, how did you find out?
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 2006-01-13 22:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Amazingly I blogged this a week ago 
(http://www.gilsblog.com/index.cfm?commentID=44) How did Jorge not find out 
till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.
 
-g



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read jorge's blog @ 
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann




RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Almeida Pinto, Jorge de
To see which service registers what see:
http://support.microsoft.com/kb/q246804/
http://support.microsoft.com/default.aspx?scid=kb;EN-US;264539
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/cb7a2363-0ed6-4c7c-87ba-7cc9592a8028.mspx
 
jorge



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Sat 2006-01-14 00:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?



I think the functions are exposed in WinAPI and/or DNSAPI - I am NOT a
programmer :)

These are very likely where you'd start:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_srv_data.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_record.asp

Because of the role DHCP client plays in dynamic DNS registration, I am
thinking that DHCPCSVC.DLL may be in play as well.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Bernier, Brandon (.)
Sent: Fri 1/13/2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?





Does anyone have an idea which Windows API does the DNS registration of SRV
records for DCs? I'm very curious as to if that is a public method. The
purpose is I'm looking into how feasible it is to write a Windows Service
that hooks into netlogon and registers secure LDAP SRV records as needed
provided the DC's can speak LDAPS. Think it's a horrible idea? Could be done
better? Let me know what you think. I know the ultimate solution is a DCR,
but like I said..I'm just brainstorming ideas.

-Brandon


RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Brett Shirley
It sounds like this gave it on a per-save basis.  Shadow copy gives it to
you only if you took a snapshot, which has a non-trivial effect on
performance (it snapshots the whole volume in a block level way, such that
we have to incur copy-on-write IO costs).  From what people have said of
the feature, it sounds a bit more cunning, and at a logical level, rather
than block based.

A plus for snapshot however is that it also snaps the directory / file
hierarchy, it sounds like, if however your data scheme made a dependency
on a certain file structure representing something, it doesn't sound like
you have the ability to say _not_ see file X, b/c you're looking at a
previous version of the directory itself ... perhaps I'm wrong though.

Cheers,
BrettSh [msft]
SDE - ESE

On Fri, 13 Jan 2006, Robert Bobel wrote:

 Doesn't shadow copy essentially give you multiple file versions?
 
 
 
 From: [EMAIL PROTECTED] on behalf of Brett Shirley
 Sent: Fri 1/13/2006 12:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)
 
 
 
 Al,
 
  I always wished that Microsoft would support multiple file versions like
  VMS did.
 
 I'm just curious, if you have the time, for my own edification, what was
 this VMS file system feature?  Could you elaborate how it worked?
 
 Cheers,
 BrettSh [msft]
 SDE - ESE
 
 
 On Thu, 12 Jan 2006, Al Lilianstrom wrote:
 
  Don't forget the VAXMate and PCSA v1.1. What an interesting pair...
 
  My brother in law worked for DEC at that time and had a VAXStation II
  and a Pro350 that he had bought from DEC in his basement. Kept trying to
  sell me the Pro.
 
  VMS was great. I turned off my last VAX just over 2 years ago. It had
  been up and running for 8 years. Great OS, great hardware, lousy company
  management.
 
  I always wished that Microsoft would support multiple file versions like
  VMS did.
 
al
 
  Lee, Wook wrote:
   Ah, now we're really dragging out the old war horses. My first job at
   DEC was writing CBI courses for the DECmate WPS+ list processing module.
   They gave me a Robin (think VT100 with a processor and dual 5.25 floppy
   disks) to use at home (a little basement studio next to the laundry room
   in the basement of my apartment building in Acton, MA.) My second job
   was writing a device driver in C for a Polaroid CRT-to-film peripheral
   called the Polaroid Palette (had a mini-high resolution BW CRT and a
   Color-filter wheel all controlled by a Z80 processor) for the very same
   Rainbow PC.
  
   In those days, Digital could not decide on a PC strategy. There were
   three different product lines that all had some potential but none of
   them took off. We had the Rainbow which was close to what became
   mainstream with an 8088 or 8086 processor, the DECmate which was
   basically a secretarial workstation running WPS+ and not much else and
   the Pro 350 which was a repackaged PDP-11 that spent a few years as the
   console device for some of the bigger VAXen. If I recall correctly, the
   Pro 350 OS was based on RSTS.
  
   Those were the good old days before 1987 and Black Tuesday. I think I
   had some Digital options at something like $150. Sigh.
  
   Wook
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
   Sent: Wednesday, January 11, 2006 6:18 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] OT: DEC 2006
  
   Anyone remember the Rainbow?  It was DEC's attempt at a Personal
   computer.  Launched in early '83, if I remember...  ran its own
   proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
   died a year or two later, but the marketing stickers held up for about
   10 years!!  I had one stuck to my daughter's mirror and damned if I
   could get it off!!
  
   And the DECwriter and the Gold key. a - sweet memories!!
  
   On 1/11/06, joe [EMAIL PROTECTED] wrote:
   Ah but people using DEC and attending DECUS were smarter than the
   average
   bear To this day the people I meet who grew up on DEC are more
   well
   rounded and knowledgeable in the field than the norm.
  
   The good ol days... Anyone remember Mike Mayfield and the RSTS/E
   Monitor
   Internals books he wrote? Only place to get the real scoop on the
   internals
   so you could really wreak havoc. I think he also wrote the original
   Trek too
   so if your system was still up after poking around in the internals
   you
   could play a video game on your DecWriter or VT52.
  
   I got my first official corporate support position supporting OS/2 and
   Win31
   on Token Ring back in the mid 90's because I knew DEC. The 8 or so
   people in
   the panel interview started asking me questions about the equipment
   the job
   was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of
   the
   questions so they saw DEC on my resume and started asking DEC
   questions and
   a couple of hours 

RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Almeida Pinto, Jorge de
Thanks Rich
Are you talking about the summit? Nope... I have never been to Redmond.
 
For me this is the first MVP nomination and award! ;-)
 
I also heard from a dutch friend of mine who is also MVP, to saw a bigger hole 
(letterbox) in the door so that the postman can shove all the stuff through 
it ;-)
 
jorge



From: [EMAIL PROTECTED] on behalf of Rich Milburn
Sent: Fri 2006-01-13 23:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !



Yes congrats Jorge - and all the others who made it for the first time or were 
renewed.  Although I think I'm confused, Friday and all that, and too lazy to 
log in and check, but Jorge weren't you in Redmond last fall??

 

Yes you get a little card, and a pin (has anyone actually ever worn those pins 
in public?), and some other stuff.  There is a lot of info at 
http://mvp.support.microsoft.com/  There is 
also a lot of content on http://mvps.org/  as well as other 
sites.

 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

 

Just read jorge's blog @ 
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann





RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread deji
Not the same thing. Not elegant, given its many problems on DCs. And not
local like VMS will give you.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Robert Bobel
Sent: Fri 1/13/2006 1:23 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006 (way OT ...)


Doesn't shadow copy essentially give you multiple file versions?



From: [EMAIL PROTECTED] on behalf of Brett Shirley
Sent: Fri 1/13/2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)



Al,

 I always wished that Microsoft would support multiple file versions like
 VMS did.

I'm just curious, if you have the time, for my own edification, what was
this VMS file system feature?  Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE


On Thu, 12 Jan 2006, Al Lilianstrom wrote:

 Don't forget the VAXMate and PCSA v1.1. What an interesting pair...

 My brother in law worked for DEC at that time and had a VAXStation II
 and a Pro350 that he had bought from DEC in his basement. Kept trying to
 sell me the Pro.

 VMS was great. I turned off my last VAX just over 2 years ago. It had
 been up and running for 8 years. Great OS, great hardware, lousy company
 management.

 I always wished that Microsoft would support multiple file versions like
 VMS did.

   al

 Lee, Wook wrote:
  Ah, now we're really dragging out the old war horses. My first job at
  DEC was writing CBI courses for the DECmate WPS+ list processing module.
  They gave me a Robin (think VT100 with a processor and dual 5.25 floppy
  disks) to use at home (a little basement studio next to the laundry room
  in the basement of my apartment building in Acton, MA.) My second job
  was writing a device driver in C for a Polaroid CRT-to-film peripheral
  called the Polaroid Palette (had a mini-high resolution BW CRT and a
  Color-filter wheel all controlled by a Z80 processor) for the very same
  Rainbow PC.
 
  In those days, Digital could not decide on a PC strategy. There were
  three different product lines that all had some potential but none of
  them took off. We had the Rainbow which was close to what became
  mainstream with an 8088 or 8086 processor, the DECmate which was
  basically a secretarial workstation running WPS+ and not much else and
  the Pro 350 which was a repackaged PDP-11 that spent a few years as the
  console device for some of the bigger VAXen. If I recall correctly, the
  Pro 350 OS was based on RSTS.
 
  Those were the good old days before 1987 and Black Tuesday. I think I
  had some Digital options at something like $150. Sigh.
 
  Wook
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
  Sent: Wednesday, January 11, 2006 6:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: DEC 2006
 
  Anyone remember the Rainbow?  It was DEC's attempt at a Personal
  computer.  Launched in early '83, if I remember...  ran its own
  proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
  died a year or two later, but the marketing stickers held up for about
  10 years!!  I had one stuck to my daughter's mirror and damned if I
  could get it off!!
 
  And the DECwriter and the Gold key. a - sweet memories!!
 
  On 1/11/06, joe [EMAIL PROTECTED] wrote:
  Ah but people using DEC and attending DECUS were smarter than the
  average
  bear To this day the people I meet who grew up on DEC are more
  well
  rounded and knowledgeable in the field than the norm.
 
  The good ol days... Anyone remember Mike Mayfield and the RSTS/E
  Monitor
  Internals books he wrote? Only place to get the real scoop on the
  internals
  so you could really wreak havoc. I think he also wrote the original
  Trek too
  so if your system was still up after poking around in the internals
  you
  could play a video game on your DecWriter or VT52.
 
  I got my first official corporate support position supporting OS/2 and
  Win31
  on Token Ring back in the mid 90's because I knew DEC. The 8 or so
  people in
  the panel interview started asking me questions about the equipment
  the job
  was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of
  the
  questions so they saw DEC on my resume and started asking DEC
  questions and
  a couple of hours later we were all laughing and I had my choice of
  the
  three open positions they had even though I knew nothing about any of
  them.
  :)
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John
  McGlinchey
  Sent: Tuesday, January 10, 2006 4:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006

RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread deji
I don't think Gil is allowed to say :) NDA, you know ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 1/13/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Thanks everyone!
 
A week ago on January 6th I got notice from the US MVP Lead I have been
nominated (blogged that on January 6th
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today
(Friday the 13th...) I got notice from the Dutch MVP lead saying Microsoft
awarded me the MVP DS Award (blogged that today
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/13/406.aspx)
I don't know how the process works...
 
Gil, how did you find out?
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 2006-01-13 22:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Amazingly I blogged this a week ago
(http://www.gilsblog.com/index.cfm?commentID=44) How did Jorge not find
out till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.
 
-g



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read jorge's blog @
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann



RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread deji
Jorge,
 
I think he is looking to write his own wrapper. So, he is looking for the
bits where the functions are exposed.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 1/13/2006 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?


To see which service registers what see:
http://support.microsoft.com/kb/q246804/
http://support.microsoft.com/default.aspx?scid=kb;EN-US;264539
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/cb7a2363-0ed6-4c7c-87ba-7cc9592a8028.mspx
 
jorge



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Sat 2006-01-14 00:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS SRV Records?



I think the functions are exposed in WinAPI and/or DNSAPI - I am NOT a
programmer :)

These are very likely where you'd start:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_srv_data.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dns_record.asp

Because of the role DHCP client plays in dynamic DNS registration, I am
thinking that DHCPCSVC.DLL may be in play as well.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Bernier, Brandon (.)
Sent: Fri 1/13/2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?





Does anyone have an idea which Windows API does the DNS registration of SRV
records for DCs? I'm very curious as to if that is a public method. The
purpose is I'm looking into how feasible it is to write a Windows Service
that hooks into netlogon and registers secure LDAP SRV records as needed
provided the DC's can speak LDAPS. Think it's a horrible idea? Could be done
better? Let me know what you think. I know the ultimate solution is a DCR,
but like I said..I'm just brainstorming ideas.

-Brandon

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
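
The thread above is about SRV records for LDAPS and about doing the DNS work by hand. As an added example (not code from any poster or from Microsoft), this Python builds SRV resource records in RFC 2782 wire format, parses them back, and audits them; the `_ldaps._tcp` owner label, the example.com hosts and the audit rule are assumptions made for illustration.

```python
import struct

TYPE_SRV, CLASS_IN = 33, 1

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels (RFC 1035, 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers with a hop limit.
    Returns (name, offset just past the name where it was referenced)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2
            hops += 1
            if hops > 16:                         # malicious or corrupt loop
                raise ValueError("compression loop")
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        if n & 0xC0:
            raise ValueError("reserved label type")
        off += 1
        if n == 0:
            break
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if resume is None else resume)

def build_srv_rr(owner, ttl, priority, weight, port, target):
    """One SRV resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    header = struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata))
    return encode_name(owner) + header + rdata

def parse_srv_rr(msg, off):
    """Parse one SRV record at msg[off]; returns (record dict, next offset)."""
    owner, off = decode_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype != TYPE_SRV or rclass != CLASS_IN:
        raise ValueError("not an IN SRV record")
    if rdlen < 7 or off + rdlen > len(msg):
        raise ValueError("bad RDLENGTH")
    priority, weight, port = struct.unpack_from("!HHH", msg, off)
    target, end = decode_name(msg, off + 6)
    if end != off + rdlen:
        raise ValueError("RDATA length mismatch")
    rec = {"owner": owner, "ttl": ttl, "priority": priority,
           "weight": weight, "port": port, "target": target}
    return rec, off + rdlen

def parse_all(blob):
    """Parse a run of back-to-back SRV records."""
    recs, off = [], 0
    while off < len(blob):
        rec, off = parse_srv_rr(blob, off)
        recs.append(rec)
    return recs

def audit_ldaps_srv(records, domain, expected_port=636):
    """Flag records whose target is outside the domain or whose port is not LDAPS."""
    suffix = "." + domain.rstrip(".").lower() + "."
    findings = []
    for r in records:
        if not r["target"].lower().endswith(suffix):
            findings.append((r["target"], "target outside " + domain))
        if r["port"] != expected_port:
            findings.append((r["target"], "port %d, expected %d" % (r["port"], expected_port)))
    return findings

# Constructed sample data: the owner label and all hosts are assumptions.
OWNER = "_ldaps._tcp.example.com"
SAMPLE = b"".join([
    build_srv_rr(OWNER, 600, 0, 100, 636, "dc1.example.com"),
    build_srv_rr(OWNER, 600, 0, 100, 389, "dc2.example.com"),   # wrong port
    build_srv_rr(OWNER, 600, 0, 100, 636, "dc9.example.net"),   # foreign target
])

if __name__ == "__main__":
    for target, problem in audit_ldaps_srv(parse_all(SAMPLE), "example.com"):
        print(target, "->", problem)
```

SRV answers are only a locator hint, so a client that follows one to port 636 still has to validate the server certificate against the target name.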




RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Gil Kirkpatrick
I have my sources... :) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 13, 2006 5:15 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

I don't think Gil is allowed to say :) NDA, you know ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 1/13/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Thanks everyone!
 
A week ago on January 6th I got notice from the US MVP Lead I have been
nominated (blogged that on January 6th
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today
(Friday the 13th...) I got notice from the Dutch MVP lead saying Microsoft
awarded me the MVP DS Award (blogged that today
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/13/406.aspx)
I don't know how the process works...
 
Gil, how did you find out?
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 2006-01-13 22:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Amazingly I blogged this a week ago
(http://www.gilsblog.com/index.cfm?commentID=44) How did Jorge not find
out till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.
 
-g



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read jorge's blog @
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann



RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread joe
Heh. I was wondering if he knew or not when I saw your 
blog. ;o)

The program isn't 
always real fast at letting people know. g




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 13, 2006 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Amazingly I blogged this a week ago (http://www.gilsblog.com/index.cfm?commentID=44 ) How did Jorge not find out till today? Don't they have 
email over there? :)
Congratulations Jorge, you certainly deserve 
it.

-g


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)
Will u have a microsoft professional card as the MCP/MCSE one ?

Yann


RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread joe
I think the limit was 32767 (07). 

But yep, it maintained the number of copies you specified and then would
purge the oldest so you only kept that many. Every save resulted in a new
file with an incremented value. There was a hardlink of the name w/o a
version that pointed to the highest version so if you specified the name
without a version you got the most recent. 

I don't recall a lot of files in VMS though that you would open and update
the file directly and not end up writing a new file. There were some
instances of it and those didn't increment. 

The latest version of Borland Builder (actually called Borland Developer
Studio 2006) does this for all files maintained in the IDE. Very cool for
rollback. 

01/12/2006  11:26 PM 8,236 TControllerThreadUnit1.cpp.~74~
01/12/2006  11:26 PM 8,236 TControllerThreadUnit1.cpp.~75~
01/12/2006  11:27 PM 8,234 TControllerThreadUnit1.cpp.~76~
01/12/2006  11:27 PM 8,235 TControllerThreadUnit1.cpp.~77~
01/12/2006  11:28 PM 8,228 TControllerThreadUnit1.cpp.~78~
01/12/2006  11:34 PM 8,257 TControllerThreadUnit1.cpp.~79~

Going back to my mindset when playing with that stuff, it was pretty sweet.
:o)


Hey Brett, you should go find VMS or OpenVMS and play with it. Who knows
what kind of ideas could come of it. I heard a rumour that some of the other
NT stuff has a VMS background... snicker

Long live Digital Equipment Technology people.

;o)


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, January 13, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)

Brett Shirley wrote:
 Al,
 
 I always wished that Microsoft would support multiple file versions 
 like VMS did.
 
 I'm just curious, if you have the time, for my own edification, what 
 was this VMS file system feature?  Could you elaborate how it worked?

It's a simple thing. You edit a file and when you save the file a new
version of the file was created in the same directory.

Say you edited login.com (in VMS this is not a binary) for the first time
and saved your changes the directory would look something like this:

LOGIN.COM;2   time/date stamp
LOGIN.COM;1   ...

Unless you have file version limits set or manually purged one could have up
to 32768 copies of the file. It did chew up space but made rolling back bad
command procedures really easy.

It did cause problems on occasion but was very handy.

Oh - lexical functions would be nice too.

al

 Cheers,
 BrettSh [msft]
 SDE - ESE
 
 
 On Thu, 12 Jan 2006, Al Lilianstrom wrote:
 
 Don't forget the VAXMate and PCSA v1.1. What an interesting pair...

 My brother in law worked for DEC at that time and had a VAXStation II 
 and a Pro350 that he had bought from DEC in his basement. Kept trying 
 to sell me the Pro.

 VMS was great. I turned off my last VAX just over 2 years ago. It had 
 been up and running for 8 years. Great OS, great hardware, lousy 
 company management.

 I always wished that Microsoft would support multiple file versions 
 like VMS did.

  al

 Lee, Wook wrote:
 Ah, now we're really dragging out the old war horses. My first job 
 at DEC was writing CBI courses for the DECmate WPS+ list processing module.
 They gave me a Robin (think VT100 with a processor and dual 5.25 floppy
 disks) to use at home (a little basement studio next to the laundry 
 room in the basement of my apartment building in Acton, MA.) My 
 second job was writing a device driver in C for a Polaroid 
 CRT-to-film peripheral called the Polaroid Palette (had a mini-high 
 resolution BW CRT and a Color-filter wheel all controlled by a Z80 
 processor) for the very same Rainbow PC.

 In those days, Digital could not decide on a PC strategy. There were 
 three different product lines that all had some potential but none 
 of them took off. We had the Rainbow which was close to what became 
 mainstream with an 8088 or 8086 processor, the DECmate which was 
 basically a secretarial workstation running WPS+ and not much else 
 and the Pro 350 which was a repackaged PDP-11 that spent a few years 
 as the console device for some of the bigger VAXen. If I recall 
 correctly, the Pro 350 OS was based on RSTS.

 Those were the good old days before 1987 and Black Tuesday. I think 
 I had some Digital options at something like $150. Sigh.

 Wook

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
 Sent: Wednesday, January 11, 2006 6:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: DEC 2006

 Anyone remember the Rainbow?  It was DEC's attempt at a Personal 
 computer.  Launched in early '83, if I remember...  ran its own 
 proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It 
 died a year or two later, but the marketing stickers held up for 
 about 10 years!!  I had one stuck to my daughter's mirror 

RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread joe



Hey Brandon.

The call that something like IPCONFIG /REGISTERDNS uses is *probably*
I_NetLogonControl2 with NETLOGON_CONTROL_FORCE_DNS_REG. That just tells a DC
to reregister its records. Nothing to do with what records are actually
registered for a DC.

You definitely don't want to look into hooking into NETLOGON. First off it
would have to be on the DCs which would be very difficult to get approval for
even if the code could be written in a secure and stable way (doubtful since
you would have to do code injection). I personally wouldn't allow it, there
is no reason why this can't be done from another machine.

Of course you could try to script around dnscmd or nsupdate. The dnscmd may
be MS-DNS centric, I do not know. If it is, it may not work in your
environment. Unless there has been some serious changes in DNS there nsupdate
works great. I used to do a lot with DNS via perl scripts and nsupdate. Vern
et alii should have some perl scripts that I left behind that show how to use
nsupdate. You could set something up with the scheduler service. Some job
that runs every hour and checks to see if a certain DC (or the local DC if
you can get it cleared to get it to run there) has LDAPS available and then
registers the appropriate LDAPS record.

At a lower level, looking about, you may be able to use the API in
DNSAPI.DLL, unfortunately most of that API seems to be undocumented (when
comparing the exports with MSDN) but DnsModifyRecordsInSet and
DnsReplaceRecordSet look extremely promising... I would be willing to bet big
that those are the calls MS is using under the covers in NetLogon. It is
Windows 2000 and better so you should be safe for any machine you want to run
from.

Note I was pinged on this offline from someone else there and put in a DCR
for registering LDAPS records back in December.


 joe





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?

Does anyone have an idea which Windows API does the 
DNS registration of SRV records for DCs? I'm very curious as to if that is a 
public method. The purpose is I'm looking into how feasible it is to write a 
Windows Service that hooks into netlogon and registers secure LDAP SRV records 
as needed provided the DC's can speak LDAPS. Think it's a horrible idea? Could 
be done better? Let me know what you think. I know the ultimate solution is a 
DCR, but like I said..I'm just brainstorming ideas.
-Brandon 
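
The hourly check-then-register job suggested in the reply above, sketched as an added example that is not code from the thread: it probes each DC for LDAPS with certificate verification left on, then builds nsupdate input that replaces the whole SRV set with only the DCs that passed. The owner name `_ldaps._tcp.<domain>`, the priority/weight/TTL values and the `example.test` hosts are assumptions.

```python
import re
import socket
import ssl

# Assumption: RFC 2782 style owner name; the thread does not name the record.
SRV_LABEL = "_ldaps._tcp"
_DNS_NAME = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def ldaps_available(host, port=636, timeout=3.0):
    """True only if a TLS handshake with a certificate valid for `host` completes."""
    ctx = ssl.create_default_context()  # keeps chain and hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # refused, timed out, or ssl.SSLError (an OSError subclass)
        return False


def _checked(name):
    """Reject anything that is not a plain DNS name before it reaches nsupdate."""
    name = name.rstrip(".")
    if len(name) > 253 or not _DNS_NAME.fullmatch(name):
        raise ValueError(f"not a valid DNS name: {name!r}")
    return name.lower()


def build_nsupdate_batch(domain, probe_results, ttl=600, dns_server=None):
    """Build nsupdate input that replaces the LDAPS SRV set with the healthy DCs."""
    owner = f"{SRV_LABEL}.{_checked(domain)}."
    lines = []
    if dns_server:
        lines.append(f"server {_checked(dns_server)}")
    # Delete the whole RRset, then re-add only DCs that passed the probe;
    # both happen in one update message, so stale targets never linger.
    lines.append(f"update delete {owner} SRV")
    for host in sorted(probe_results):
        if probe_results[host]:
            lines.append(f"update add {owner} {int(ttl)} SRV 0 100 636 {_checked(host)}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample results; a scheduled job would call
    # ldaps_available(dc) for each DC instead.
    sample = {"dc1.example.test": True, "dc2.example.test": False}
    print(build_nsupdate_batch("example.test", sample), end="")
```

The returned text is meant to be piped to nsupdate from a machine that is allowed to update the zone, which keeps the job off the DCs as the reply recommends.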


RE: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

2006-01-13 Thread joe
Yeah I believe I read that somewhere, probably ehlo. Of course that just
helps the small misc MAPI issues with profiles, etc. It doesn't address the
real reasons why you don't run Outlook on servers, like viruses, etc. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, January 13, 2006 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

Because Outlook will be running in 32-bit emulation, using its own copy of
mapi32.dll while Exchange will be running in 64-bit mode, using its own
copy of mapi64.dll (or whatever they may call it).

That's my presumption, anyway.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 13, 2006 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement system
policies in non AD

Not on a server sir.  [at least not on Exchange 2003 anyway... next version
it will be supported for whatever insane reason ...]

Ken Cornetet wrote:

Outlook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

Don't forget SQL, Sharepoint, MSDE, ISA. I'm sure I've forgotten 
something around here...

Laura E. Hunter wrote:

  

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 



BLASPHEMY!

Non-AD Environments! That's almost as bad as having a single Domain 
Controller!!!

:)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 11, 2006 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Prob not relevant here ...but -implement 
system policies in non AD

How to implement system policies for Windows XP-based, Windows 
2000-based, and Windows Server 2003-based client computers in 
non-Active Directory
environments:
http://support.microsoft.com/?kbid=910203

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

   

  

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_


(http://tinyurl.com/7f8ll)
  


 




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



[ActiveDir] OT: Perms change in Exchange

2006-01-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
You Had Me At EHLO... : BlackBerry and GoodLink users may be unable to 
send messages after applying latest Exchange 2003 store hotfixes:

http://blogs.technet.com/exchange/archive/2006/01/13/417440.aspx

Speaking of the Ehlo blog...



RE: [ActiveDir] ADUC updates - Was Expired Accounts

2006-01-13 Thread joe
VLV is virtual list view. It is a new feature of Windows Server 2003 AD that
allows you to have a window into a query which is great for a large result
set.

More info here


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/how_to_search_using_vlv.asp


Other than that, there are some really good ideas in here, keep them coming
folks. Quite honestly, the dev folks like lists like this to work against
for ideas. 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 13, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Hmmm... I'm tripping up on the vlv terminology.  It's been awhile but when
I was playing with taskpad, I found that it was not very useful without
scripting.  Maybe adding a load of simple tasks (add user to group, etc)
would be extremely useful in making taskpad easier to handle.

:m:dsm:cci:mvp  marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done, I
pinged the developer and he is looking forward to seeing the email with the
details. This isn't going through multiple layers of PSS like you may be
used to putting requests through, this is going into the MVP feedback system
and being sent separately to one of the guys writing the source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName User
logon name (pre-Windows 2000), Kind of a cross between ADUC and ADSIedit or
like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the find
object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go "this is very cool". Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could tell
the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this 

RE: [ActiveDir] OT: Exchange - Send As

2006-01-13 Thread joe



Cool thanks Mike, I will have to look into this.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, January 06, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange - Send As

Mark's content-transfer-encoding is set to base64/utf-8, and "more than
likely" the message format properties of your default pop3 virtual server
are incompatible.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 06, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange - Send As

For some odd reason, many (but not all) of Mark's messages come through my
outlook (POP3/SMTP from Exchange) blank. But if I look at the message in OWA
it looks fine. Very odd.

It would be a nice feature if it can be controlled. ;o)

--
There are no bugs, only features that have yet to be described.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, January 06, 2006 8:48 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: Exchange - Send As



RE: [ActiveDir] OT: Exchange - Send As

2006-01-13 Thread Mark Parris








For the record,

Most of my mails during the day are sent from my Blackberry which runs via
my Telco and not via a localized exchange setup. So I am not sure if this is
common to the numerous blank emails I see in this list every now and then.
Evening mails are via my isp.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 14 January 2006 06:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange - Send As

Cool thanks Mike, I will have to look into this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Friday, January 06, 2006 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange - Send As

Mark's content-transfer-encoding is set to base64/utf-8, and more than
likely the message format properties of your default pop3 virtual server
are incompatible.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, January 06, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange - Send As

For some odd reason, many (but not all) of Mark's messages come through my
outlook (POP3/SMTP from Exchange) blank. But if I look at the message in OWA
it looks fine. Very odd.

It would be a nice feature if it can be controlled. ;o)

--
There are no bugs, only features that have yet to be described.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Friday, January 06, 2006 8:48 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: Exchange - Send As