RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)
If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the delegation of control wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers.

Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).

In your case look for physicalDeliveryOfficeName=7 under [user]; after setting this to 0 you will see it in the deleg wizard.

jorge

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 2006-02-07 02:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Hi all,

I'm trying to delegate the Office field shown in aduc - which actually maps to physicalDeliveryOfficeName field in AD. However via the gui this option seems to be hidden and seems like it's part of a Personal Information property set.

Would dsacls do delegation for this particular attribute only? Been trying it but getting errors :) Some lights to sheds perhaps?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
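The DSSEC.DAT edit described in the message above, scripted as an added example (not part of the original post and not Microsoft tooling). It assumes DSSEC.DAT is single-byte INI-style text; the sample content is constructed and the function names are hypothetical.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample in the INI-style layout the post describes; not a real DSSEC.DAT.
SAMPLE = (
    "[user]\r\n"
    "@=7\r\n"
    "physicalDeliveryOfficeName=7\r\n"
    "telephoneNumber=0\r\n"
    "\r\n"
    "[contact]\r\n"
    "physicalDeliveryOfficeName=7\r\n"
)

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY = re.compile(r"^(\s*)([^=\s]+)(\s*=\s*)(\d+)(\s*)$")


def unhide(text, object_class, attribute):
    """Change attribute=7 to attribute=0, but only inside [object_class].

    Returns (new_text, changed). Raises KeyError when the attribute is not
    listed under that section, so a typo never passes silently.
    """
    wanted_section = object_class.lower()
    wanted_attr = attribute.lower()
    current = None
    found = changed = False
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        section = SECTION.match(body)
        if section:
            current = section.group(1).strip().lower()
        elif current == wanted_section:
            entry = ENTRY.match(body)
            if entry and entry.group(2).lower() == wanted_attr:
                found = True
                if entry.group(4) == "7":   # only the 7 -> 0 change from the post
                    lead, name, eq, _, trail = entry.groups()
                    body = f"{lead}{name}{eq}0{trail}"
                    changed = True
        out.append(body + eol)
    if not found:
        raise KeyError(f"{attribute} not listed under [{object_class}]")
    return "".join(out), changed


def apply_to_file(path, object_class, attribute):
    """Back up to .ORG, edit in place, then keep the result as .CUST."""
    path = Path(path)
    original = path.with_name(path.name + ".ORG")
    customised = path.with_name(path.name + ".CUST")
    if not original.exists():           # never overwrite the pristine copy
        shutil.copy2(path, original)
    # latin-1 round-trips every byte, so untouched lines are written back unchanged
    text = path.read_bytes().decode("latin-1")
    new_text, changed = unhide(text, object_class, attribute)
    if changed:
        path.write_bytes(new_text.encode("latin-1"))
    shutil.copy2(path, customised)
    return changed


def customisation_lost(path):
    """True when the live file no longer matches the saved .CUST copy,
    for example after a hotfix or service pack replaced it."""
    path = Path(path)
    customised = path.with_name(path.name + ".CUST")
    return customised.exists() and path.read_bytes() != customised.read_bytes()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        dat = Path(tmp) / "DSSEC.DAT"
        dat.write_bytes(SAMPLE.encode("latin-1"))
        changed = apply_to_file(dat, "user", "physicalDeliveryOfficeName")
        after_edit = dat.read_bytes().decode("latin-1")
        dat.write_bytes(SAMPLE.encode("latin-1"))   # simulate a hotfix replacing the file
        return changed, after_edit, customisation_lost(dat)


if __name__ == "__main__":
    print(demo())
```

Point `apply_to_file` at %WINDIR%\SYSTEM32\DSSEC.DAT on the machine where the wizard is opened. The file only controls what the ACL editor and wizard display on that machine; the permissions themselves are stored in the directory.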
RE: [ActiveDir] OT: disconnecting remote TS session on DC
Hi Frank

Are they not able to click Start Logoff from the TS session? If they forget to do this then configure a GPO to reset a disconnected TS session after x minutes/hours/days

cheers
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: 06 Feb 2006 18:33
To: Active
Subject: [ActiveDir] OT: disconnecting remote TS session on DC

I have an issue whereby I have 3 dual role File Print Servers/DC's remaining in my org (cut down from 50+) where I can't separate these roles for another 6 months.

My issue is that I have Server Ops staff who connect through to these FP DC's via Remote Desktop. They only have Server Operator privileges. I appreciate everyone's views about giving them access to the DC however, this is business rules and as we're working towards phasing this configuration out anyway, I can live with it.

The problem I have is that this team disconnect themselves rather than log off. So if there are 2 concurrent disconnected sessions, no-one else can logon.

With their Server Operator privileges, they aren't able to disconnect/log off/reset a terminal services session, they get an error. Does anyone know how I can delegate this permission to them?

thanks
frank
RE: [ActiveDir] Schema Extension
Hi Simon

I was referring to the procedure for extending the schema (i.e. controlling outbound replication from the Schema Master etc) rather than designing extensions. But thanks anyway for this useful info.

Regards
David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 06 Feb 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Extension

Hi David,

depends on what you mean - either there's a supported way on how to extend the schema (pretty sure implementing the schema extensions via LDIF is supported), however if you are talking about designing the extensions it depends on your needs if anyone is able to support them.

If you don't need MapiIds [1] you're pretty much on the safe side if you use a registered OID, prefix, registered Linked Attributes (did I forget something?) and put those in your own class or auxclass if you want to extend existing classes.

OIDs you'll get from a registration service (like IANA) or Microsoft, you are able to register a prefix with Microsoft, and you are also able to get LinkIDs for the Linked Attributes from MS.

http://msdn.microsoft.com/library/en-us/ad/ad/obtaining_an_object_identifier.asp

If you need MapiIds you might have to support yourself. I've never found any way to register yourself for a certain range of MapiIds, and they need to be unique. So no matter what you choose you never have the assurance that never ever a vendor will use it.

Did I mention that there's no supported way of exchanging system protected attributes like MapiIDs or LinkIDs? You are able to change them, but not supported. However PSS will tell you how to do it if you need it.

[1] want to see your custom attributes in the GAL? Welcome to the world of MapiIds ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Monday, February 06, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Extension

Does anyone know of a supported procedure to extend the schema in Windows 2003 SP1 FFL AD?
RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)
Thanks Jorge, Joe, Dean!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, February 07, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)

If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the delegation of control wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers.

Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).

In your case look for physicalDeliveryOfficeName=7 under [user]; after setting this to 0 you will see it in the deleg wizard.

jorge

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 2006-02-07 02:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Hi all,

I'm trying to delegate the "Office" field shown in aduc - which actually maps to "physicalDeliveryOfficeName" field in AD. However via the gui this option seems to be hidden and seems like it's part of a Personal Information property set.

Would dsacls do delegation for this particular attribute only? Been trying it but getting errors :) Some lights to sheds perhaps?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
[ActiveDir] Hi All-Please Help
Hi All

My name is Marwa, I am from Egypt.

Actually, I am looking for Cisco Discussion Forums. I did a search on Google, I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well.

Please, if there is anyone who knows it, send me the URL.

Hope the best

Thanks
Best Regards,
Marwa

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Nesting groups
It really is a single domain; would I lie to you?? :-)

I've now gone through all the groups. They were all mail enabled and permissions haven't been changed but I think there are two things which were causing problems - one I've now fixed, the other I'm still working on.

The names of some of the groups have been changed; normally, I would make the name, display name, pre-Windows 2000 name and alias all the same but some of these had been renamed and not all the names matched up (and a couple had spaces - I think this is allowed but I always avoid spaces in names!) I've now made sure that they're all the same (and even the SMTP address is the same although I doubt that matters??) and it now seems to work (I sent an email to the top level list and all the names appear in the Exchange log; yesterday that wasn't the case)

The one issue I've still got is the way Outlook 2003 in cached mode doesn't seem to update the address book properly. If I log on to a machine with Outlook 2003 and don't set up cached mode then I get to see all the groups. If I log on in cached mode then the Global Address List in the address book doesn't show all the groups. If I pick All Groups from the All Address Lists section then I get to see all the groups. I'm pretty sure this is a client-side issue (Office XP sees it OK; using Find in OWA also works OK)

Thanks for all the suggestions.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 07 February 2006 08:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

Just one of the standard questions I use for DL expansion issues. Not relevant to a single domain forest but we don't know in this case if this is for sure a single domain forest or they simply manage a single domain in a forest. I've made that assumption based on verbiage in the past and paid for it, little more careful now[1].

Anyway, the one group specifically not receiving the message sounds very much like it isn't mail enabled, the group is a global/dlg that isn't being expanded on the correct GC, or the permissions for the group have been modified incorrectly.

Actually that reminds me, another question I should have specifically spelled out below is are the permissions standard for the groups and users?, i.e. has anyone tried to tighten down the directory?

joe

[1] No, the forest has multiple domains, the other domain is just an empty root and is run by the schema admin folks until the rest of the company converts, we don't have any groups or users in that domain so we didn't figure you wanted to hear about it

You have to love hearing that after several hours of trying to troubleshoot from descriptions and start catching inconsistencies.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

Joe,

What would be the point of B?

Deji

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, February 06, 2006 5:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

No limits that I am aware of, I swear I have tested in the past to 4 or 5 layers and seen it work. I know I definitely tested three layers as I have done that several times to mimic various environments.

I would

A. Make sure all groups/users in question are mail-enabled.
B. Make sure that the groups truly are universal.
C. Make sure that the groups are all replicating properly to the GCs that the Exchange servers are using.
D. Double-check settings on the groups that you think are involved in users not getting mail.
E. For testing, send mail to each of the lists individually and check for receipt. Step up a level in nesting, repeat.

The size of the DL is relatively small so it isn't an issue with number of users.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Monday, February 06, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Nesting groups

Is there a limit to the amount of nesting which can be carried out on Universal Security Groups?

We have a single domain (mix of Windows 2003 and 2000 servers) with Exchange 2003 and a number of nested groups but we've just discovered a problem - mail sent to some of the lists is not reaching all the members of the list.

Some detail:

Top level list: Technology_Faculty

This comprises: Technology_Teaching, Technology_Support, Technology_Admin, Technology_Technicians

Each of those groups is split further; e.g. Technology_Teaching contains: School_Auto_Engineering, School_Building_Crafts, School_Mech_Engineering etc

The
RE: [ActiveDir] OT: disconnecting remote TS session on DC
Normally what I will do is use the console switch (if they are 2003 servers) and free up the 2 in use connections. So it's basically I use a 3rd allowed RDP connection.

Start, then run:

mstsc /v:servername /console

But there are definitely GPO settings you can put in place to help with this problem, as others have mentioned.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Monday, February 06, 2006 12:33 PM
To: Active
Subject: [ActiveDir] OT: disconnecting remote TS session on DC

I have an issue whereby I have 3 dual role File Print Servers/DC's remaining in my org (cut down from 50+) where I can't separate these roles for another 6 months.

My issue is that I have Server Ops staff who connect through to these FP DC's via Remote Desktop. They only have Server Operator privileges. I appreciate everyone's views about giving them access to the DC however, this is business rules and as we're working towards phasing this configuration out anyway, I can live with it.

The problem I have is that this team disconnect themselves rather than log off. So if there are 2 concurrent disconnected sessions, no-one else can logon.

With their Server Operator privileges, they aren't able to disconnect/log off/reset a terminal services session, they get an error. Does anyone know how I can delegate this permission to them?

thanks
frank
RE: [ActiveDir] Hi All-Please Help
Cisco has discussion forums on their own site, I have received some answers there before - http://forum.cisco.com/eforum/servlet/NetProf?page=main

Hi All

My name is Marwa, I am from Egypt.

Actually, I am looking for Cisco Discussion Forums. I did a search on Google, I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well.

Please, if there is anyone who knows it, send me the URL.

Hope the best

Thanks
Best Regards,
Marwa
Re: [ActiveDir] Hi All-Please Help
I see some flaming to come. :-D

-Z.V.

Dan Tesch wrote:

Cisco has discussion forums on their own site, I have received some answers there before - http://forum.cisco.com/eforum/servlet/NetProf?page=main

Hi All

My name is Marwa, I am from Egypt.

Actually, I am looking for Cisco Discussion Forums. I did a search on Google, I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well.

Please, if there is anyone who knows it, send me the URL.

Hope the best

Thanks
Best Regards,
Marwa
RE: [ActiveDir] OT: disconnecting remote TS session on DC
I think you can set this setting in GPO. If you go to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions and there you can enable "Set time limit for disconnected sessions" and set it to 1 minute.

Sullivan Tim [EMAIL PROTECTED] wrote:

Normally what I will do is use the console switch (if they are 2003 servers) and free up the 2 in use connections. So it's basically I use a 3rd allowed RDP connection.

Start, then run:

mstsc /v:servername /console

But there are definitely GPO settings you can put in place to help with this problem, as others have mentioned.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Monday, February 06, 2006 12:33 PM
To: Active
Subject: [ActiveDir] OT: disconnecting remote TS session on DC

I have an issue whereby I have 3 dual role File Print Servers/DC's remaining in my org (cut down from 50+) where I can't separate these roles for another 6 months.

My issue is that I have Server Ops staff who connect through to these FP DC's via Remote Desktop. They only have Server Operator privileges. I appreciate everyone's views about giving them access to the DC however, this is business rules and as we're working towards phasing this configuration out anyway, I can live with it.

The problem I have is that this team disconnect themselves rather than log off. So if there are 2 concurrent disconnected sessions, no-one else can logon.

With their Server Operator privileges, they aren't able to disconnect/log off/reset a terminal services session, they get an error. Does anyone know how I can delegate this permission to them?

thanks
frank
Re: [ActiveDir] Nesting groups
I don't imagine you're looking for suggestions for the last part, but just in case:

> If I log on to a machine with Outlook 2003 and don't set up cached mode then I get to see all the groups. If I log on in cached mode then the Global Address List in the address book doesn't show all the groups. If I pick All Groups from the All Address Lists section then I get to see all the groups. I'm pretty sure this is a client-side issue (Office XP sees it OK; using Find in OWA also works OK)

Check your OAB generation to be sure there are no errors and that your client has the latest copy. Cached mode works from the OAB vs. the live copy.

Al

On 2/7/06, Steve Rochford [EMAIL PROTECTED] wrote:

It really is a single domain; would I lie to you?? :-)

I've now gone through all the groups. They were all mail enabled and permissions haven't been changed but I think there are two things which were causing problems - one I've now fixed, the other I'm still working on.

The names of some of the groups have been changed; normally, I would make the name, display name, pre-Windows 2000 name and alias all the same but some of these had been renamed and not all the names matched up (and a couple had spaces - I think this is allowed but I always avoid spaces in names!) I've now made sure that they're all the same (and even the SMTP address is the same although I doubt that matters??) and it now seems to work (I sent an email to the top level list and all the names appear in the Exchange log; yesterday that wasn't the case)

The one issue I've still got is the way Outlook 2003 in cached mode doesn't seem to update the address book properly. If I log on to a machine with Outlook 2003 and don't set up cached mode then I get to see all the groups. If I log on in cached mode then the Global Address List in the address book doesn't show all the groups. If I pick All Groups from the All Address Lists section then I get to see all the groups. I'm pretty sure this is a client-side issue (Office XP sees it OK; using Find in OWA also works OK)

Thanks for all the suggestions.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 07 February 2006 08:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

Just one of the standard questions I use for DL expansion issues. Not relevant to a single domain forest but we don't know in this case if this is for sure a single domain forest or they simply manage a single domain in a forest. I've made that assumption based on verbiage in the past and paid for it, little more careful now[1].

Anyway, the one group specifically not receiving the message sounds very much like it isn't mail enabled, the group is a global/dlg that isn't being expanded on the correct GC, or the permissions for the group have been modified incorrectly.

Actually that reminds me, another question I should have specifically spelled out below is are the permissions standard for the groups and users?, i.e. has anyone tried to tighten down the directory?

joe

[1] No, the forest has multiple domains, the other domain is just an empty root and is run by the schema admin folks until the rest of the company converts, we don't have any groups or users in that domain so we didn't figure you wanted to hear about it

You have to love hearing that after several hours of trying to troubleshoot from descriptions and start catching inconsistencies.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

Joe,

What would be the point of B?

Deji

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, February 06, 2006 5:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups

No limits that I am aware of, I swear I have tested in the past to 4 or 5 layers and seen it work. I know I definitely tested three layers as I have done that several times to mimic various environments.

I would

A. Make sure all groups/users in question are mail-enabled.
B. Make sure that the groups truly are universal.
C. Make sure that the groups are all replicating properly to the GCs that the Exchange servers are using.
D. Double-check settings on the groups that you think are involved in users not getting mail.
E. For testing, send mail to each of the lists individually and check for receipt. Step up a level in nesting, repeat.

The size of the DL is relatively small so it isn't an issue with number of users.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Monday, February 06, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Nesting groups

Is there a limit to the amount of nesting which can be
RE: [ActiveDir] OT: disconnecting remote TS session on DC
Somewhat OT, but I found a bug with the console TS sessions. Don't use them to connect to Cisco Unity servers. It hoses the Unity app and causes some big uglies. Cisco has a tech note on it somewhere IIRC. The normal TS sessions are OK, though. Found out the hard way... :-(

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Zvonimir Bilic
Sent: Tuesday, February 07, 2006 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: disconnecting remote TS session on DC

I think you can set this setting in GPO. If you go to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions and there you can enable Set time limit for disconnected sessions and set it to 1 minute.

Sullivan Tim [EMAIL PROTECTED] wrote:

Normally what I will do is use the console switch (if they are 2003 servers) and free up the 2 in use connections. So it's basically I use a 3rd allowed RDP connection.

Start, then run:

mstsc /v:servername /console

But there are definitely GPO settings you can put in place to help with this problem, as others have mentioned.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Monday, February 06, 2006 12:33 PM
To: Active
Subject: [ActiveDir] OT: disconnecting remote TS session on DC

I have an issue whereby I have 3 dual role File Print Servers/DC's remaining in my org (cut down from 50+) where I can't separate these roles for another 6 months.

My issue is that I have Server Ops staff who connect through to these FP DC's via Remote Desktop. They only have Server Operator privileges. I appreciate everyone's views about giving them access to the DC however, this is business rules and as we're working towards phasing this configuration out anyway, I can live with it.

The problem I have is that this team disconnect themselves rather than log off. So if there are 2 concurrent disconnected sessions, no-one else can logon.

With their Server Operator privileges, they aren't able to disconnect/log off/reset a terminal services session, they get an error. Does anyone know how I can delegate this permission to them?

thanks
frank
Re: [ActiveDir] OT: Change Tracking Database
bugzilla

www.bugzilla.org

On 1/30/06, Noah Eiger [EMAIL PROTECTED] wrote:

Hi –

I am looking for a database (preferably with a web interface) to track all changes made in the network/directory infrastructure. Change something in DNS? Log it. Make some registry changes on a server? Log it. Change a recipient policy in Exchange? Log it. You get the picture.

Right now we are using a somewhat-clunky, homegrown, MySQL database. Anything off the shelf or free/shareware?

TIA

-- nme

--
--dfc
[EMAIL PROTECTED]
RE: [ActiveDir] Hi All-Please Help
Marwa,

You can also try http://www.tek-tips.com/

Salaam.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Tuesday, February 07, 2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hi All-Please Help

I see some flaming to come. :-D

-Z.V.

Dan Tesch wrote:

Cisco has discussion forums on their own site, I have received some answers there before - http://forum.cisco.com/eforum/servlet/NetProf?page=main

Hi All

My name is Marwa, I am from Egypt.

Actually, I am looking for Cisco Discussion Forums. I did a search on Google, I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well.

Please, if there is anyone who knows it, send me the URL.

Hope the best

Thanks
Best Regards,
Marwa
RE: [ActiveDir] Hi All-Please Help
Here's a generic link directly to the cisco forums - where I can actually answer questions instead of just lurking - lol. Enjoy!

http://forum.cisco.com/

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)
Dssec.dat? Isn't it called dessicant? :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Monday, February 06, 2006 8:09 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Probably a DSSEC.DAT related issue ... google the filename for instructions.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, February 06, 2006 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Hi all, I'm trying to delegate the Office field shown in aduc - which actually maps to physicalDeliveryOfficeName field in AD. However via the gui this options seems to be hidden and seems like it's part of a Personal Information property set. Would dsacls does delegation for this particular attribute only? Been trying it but getting errors :) Some lights to sheds perhaps? Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Hi All-Please Help
Marwa- Cisco-nsp on puck.nether.net is the Cisco list I hang out on/like. It's geared towards larger networks, and service providers to a certain degree so it depends what sort of Cisco discussion you're looking for.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of marwahashem
Sent: Monday, February 06, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hi All-Please Help

Hi All,
My name is Marwa, I am from Egypt. Actually, I am looking for Cisco Discussion Forums. I did a search on Google; I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well. Please, if anyone knows it, send me the URL. Hope the best. Thanks.
Best Regards, Marwa
[ActiveDir] LDAP Error
Okay you guys. On one of my DCs I keep getting an LDAP error when I run netdiag /test:LDAP. I get the error

"[FATAL] Cannot do negotiate authenticated ldap_bin to 'dc.domain.edu': Invalid Credentials"

The domain account and password was recently changed. In the System Log:

Event Type: Warning
Event Source: Kerberos
Event Category: None
Event ID: 14
Date: 2/7/2006
Time: 11:50:58 AM
User: N/A
Computer: DC
Description: There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential domain\adminaccount.

(adminaccount is old admin)

Where is the "Stored User Names and Passwords" applet?

-Z.V.
Re: [ActiveDir] LDAP Error
Found it... Problem solved..

Za Vue wrote:

Okay you guys. On one of my DCs I keep getting an LDAP error when I run netdiag /test:LDAP. I get the error

"[FATAL] Cannot do negotiate authenticated ldap_bin to 'dc.domain.edu': Invalid Credentials"

The domain account and password was recently changed. In the System Log:

Event Type: Warning
Event Source: Kerberos
Event Category: None
Event ID: 14
Date: 2/7/2006
Time: 11:50:58 AM
User: N/A
Computer: DC
Description: There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential domain\adminaccount.

(adminaccount is old admin)

Where is the "Stored User Names and Passwords" applet?

-Z.V.
[ActiveDir] DSQUERY filter for space character only
I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
Re: [ActiveDir] DSQUERY filter for space character only
What's the query for? Can you not query on all objects then export to excel or word and look for the spaces? Crude but it should work.

Mark

-----Original Message-----
From: Sitton Glen E [EMAIL PROTECTED]
Date: Tue, 7 Feb 2006 11:16:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] Hi All-Please Help
Groupstudy has a Cisco list that is quite active. http://www.groupstudy.com/list/cisco.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, February 07, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hi All-Please Help

Marwa- Cisco-nsp on puck.nether.net is the Cisco list I hang out on/like. It's geared towards larger networks, and service providers to a certain degree so it depends what sort of Cisco discussion you're looking for.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of marwahashem
Sent: Monday, February 06, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hi All-Please Help

Hi All,
My name is Marwa, I am from Egypt. Actually, I am looking for Cisco Discussion Forums. I did a search on Google; I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well. Please, if anyone knows it, send me the URL. Hope the best. Thanks.
Best Regards, Marwa
RE: [ActiveDir] DSQUERY filter for space character only
Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
You follow this list?

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
Some automated process has thrown a single space character into the displayName and I'm hoping to construct a simple DSQUERY to find them and then fix them. Yes, the workaround you describe is pretty much what I am doing in lieu of a DSQUERY filter. It's just a pain because there are over 100,000 user accounts. I am dumping the values to a temp file, then querying it in a secondary process.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Tuesday, February 07, 2006 11:57 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] DSQUERY filter for space character only

What's the query for? Can you not query on all objects then export to excel or word and look for the spaces? Crude but it should work.

Mark

-----Original Message-----
From: Sitton Glen E [EMAIL PROTECTED]
Date: Tue, 7 Feb 2006 11:16:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
That will only work on appropriately indexed attributes. Try \20. That would be the appropriate escaped filter.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBS
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
Been using the archive for a while, but I just subscribed yesterday!

Thanks... ... ... ...
Sergio J. Olivarez

From: Gilbert, Daniel L Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

You follow this list?

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
IIRC, the query processor barks at the use of values comprised entirely of spaces. As such, use the following -

dsquery * dc=mset,dc=local -scope subtree -filter "(&(objectcategory=user)(displayname=\20))"

... or for a more creative approach -

dsquery * dc=mset,dc=local -scope subtree -filter "(&(objectcategory=user)(displayname<=!))"

Note that the latter will return any qualifying object whose displayName contains any number of spaces whereas the former's equality match is more literal.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
(&(objectCategory=user)(displayName=\20))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
Cool, buckle up, lots of very smart folks here (not me :|) you will see lots of chances to learn.

Dan

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Been using the archive for a while, but I just subscribed yesterday!

Thanks... ... ... ...
Sergio J. Olivarez

From: Gilbert, Daniel L Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

You follow this list?

From: Olivarez, Sergio J Mr ANOSC/FCBS [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez

From: Sitton Glen E [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
Thank you Gil, Dean, Hunter. That works perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Tuesday, February 07, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

(&(objectCategory=user)(displayName=\20))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
RE: [ActiveDir] DSQUERY filter for space character only
Have you tried:

(&(objectCategory=Person)(objClass=User)(displayName=\\ ))

David Aragon
Your ability to perceive a solution is limited only by your understanding of the problem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

The query filter ... is not a valid query string.

I've tried: " " ' ' %20 + and escaping it with a \ or a ^

Any ideas? Thanks in advance, - Glen
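The \20 form that resolved the thread above is the RFC 4515 hex escape for a space. The following is an added example, not code from any poster on the list: the function names are hypothetical, and escaping leading and trailing spaces goes beyond the characters RFC 4515 requires, on the assumption (taken from the thread) that the query processor rejects values made only of spaces.

```python
import re

# Bytes that RFC 4515 requires to be hex-escaped inside an assertion value:
# backslash, asterisk, both parentheses and NUL.
_SPECIAL = frozenset(b"\\*()\x00")
# Conservative attribute-name check (assumption: plain names, no OIDs or options).
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def escape_filter_value(value):
    """Hex-escape `value` for the right-hand side of an LDAP filter item."""
    raw = value.encode("utf-8")
    # lead = number of leading spaces, trail = index just past the last
    # non-space byte. For an all-space value every byte is an "edge" space.
    lead = len(raw) - len(raw.lstrip(b" "))
    trail = len(raw.rstrip(b" "))
    out = []
    for i, byte in enumerate(raw):
        edge_space = byte == 0x20 and (i < lead or i >= trail)
        if byte in _SPECIAL or byte >= 0x80 or edge_space:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def unescape_filter_value(escaped):
    """Inverse of escape_filter_value; a backslash must precede two hex digits."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            pair = escaped[i + 1:i + 3]
            if not _HEX_PAIR.fullmatch(pair):
                raise ValueError("backslash must be followed by two hex digits")
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(escaped[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def user_equality_filter(attribute, value):
    """Build (&(objectCategory=user)(<attribute>=<escaped value>))."""
    if not _ATTR_NAME.match(attribute):
        raise ValueError("unexpected attribute name: %r" % attribute)
    return "(&(objectCategory=user)(%s=%s))" % (attribute, escape_filter_value(value))


def dsquery_argv(base_dn, ldap_filter):
    """Argument vector for the dsquery form used in the thread.

    Passing a list to the process launcher avoids a second layer of
    shell quoting around the filter.
    """
    return ["dsquery", "*", base_dn, "-scope", "subtree", "-filter", ldap_filter]


if __name__ == "__main__":
    # Constructed sample values, not data from the list.
    for sample in [" ", "  ", " padded ", "R&D (east)*", "Zo\u00eb"]:
        print(repr(sample), "->", user_equality_filter("displayName", sample))
    print(dsquery_argv("dc=mset,dc=local", user_equality_filter("displayName", " ")))
```

The same escaping applies whenever a filter is built from a value the script did not choose itself, since an unescaped `*` or `)` changes what the filter matches.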
[ActiveDir] Site Links
AD Experts, Are there any best practices for creating and managing site links? The problem I am facing where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
RE: [ActiveDir] Site Links
Do you have manually created links? You'll likely get a lot better answers than mine, but basically when I had replication problems, I eventually determined that a lot of it was my own causing. Basically, I had no reason to create any site links manually, which I had done. I got rid of those, changed the costs per recommendations on this list, and let the KCC do the rest. It's been perfect ever since.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts, Are there any best practices for creating and managing site links? The problem I am facing where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
[ActiveDir] Automagic Security groups.
I am almost looking for a query based Security Group, similar to Distribution Groups. It would save me a ton of time if when I moved a user from OUone to OUtwo if it would/could strip that user of all their old groups and drop them into the new groups, based upon what OU the user account currently resides in. 15 schools, students moving from school to school all year long - it would save us a ton of time. In fact I could delegate the move and have others do it. It would be the last part of the puzzle to making these moves near zero administrative overhead. Any ideas?

Jim Kennedy
RE: [ActiveDir] Site Links
To be sure, connection objects and site links are two different things. Connection objects are typically created by the KCC/ISTG although they can be created manually. Site Links are always created manually even if that manual operation is performed by a script.

Site links should be created to join AD sites, which typically represent physically different locations. From a physical to logical mapping, in most cases, the site link represents the WAN link between those locations. If bandwidth is at all a concern (throughput or latency) you should in most cases create site links with only two members: the hub site and the specific spoke site. This provides optimal control and knowledge of what systems connection objects will be created between. In the unlikely event (hopefully) that all of your hub domain controllers are down for an extended period of time, your spoke site could connect and replicate with other spokes attached to the same hub so long as site link transitivity has not been disabled.

If your spoke sites have direct network access to more than one hub location (via frame cloud or alternate link) then it might be advantageous to implement a secondary higher cost site link in the same manner to act as a backup.

As Mark mentioned, if at all possible, let the KCC/ISTG create and remove the required connection objects as it sees fit. This is typically the most reliable way of maintaining a connected and properly replicating topology all else being equal (and properly configured :-).

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Tuesday, February 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site Links

Do you have manually created links? You'll likely get a lot better answers than mine, but basically when I had replication problems, I eventually determined that a lot of it was my own causing. Basically, I had no reason to create any site links manually, which I had done. I got rid of those, changed the costs per recommendations on this list, and let the KCC do the rest. It's been perfect ever since.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts, Are there any best practices for creating and managing site links? The problem I am facing where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
RE: [ActiveDir] Site Links
Adeel,

Ah, the old "best practices" question. You'll get a lot of responses regarding the whole concept of "best practices" which will ultimately say "it depends" :) For instance, what sort of administrators do you have? Are they experienced, well educated in AD, reliable, etc? What's your organization's risk tolerance? Threat profile? Budget? Maturity?

To be more helpful, you'll need to fill in some blanks. First off, what's the issue you're trying to fix? Is there an operational problem? Generally speaking, if you have the right site links in place, they don't need to be changed unless the underlying topology changes, or unless a DC goes down. Or is the problem that you don't know if your topology is right to begin with?

That all being said, some "best practices" which might or might not apply to your situation.

1. Monitoring DCs is critical for a multi-site AD, and especially so for topologies with manual site links.
2. Monitoring replication is also critical
3. If you're using WS2003, it's best to let the KCC sort out this sort of thing and not muck it up manually. There are few situations that the KCC will not handle well in WS2003 AD.
4. Implement strict change control on your topology. The change process should include justification for change, review by someone who understands how replication and KCC work, implementation, and auditing of the final result, including some testing to ensure that the change actually does what you think.
5. Monitoring DCs and replications is really important.
6. And be sure to monitor...

HTH, -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts, Are there any best practices for creating and managing site links? The problem I am facing where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
RE: [ActiveDir] Site Links
I have about 650 remote sites here, between 50 and 60 remote DCs depending on how you count it. I have a script which generates the site links based on a template link, and then depending on the connection between the sites and utilization metrics, I have another list of links which are configured to different replication intervals. I was going to have this metric as part of the script, just never got to it - would probably take ten minutes to add given it runs off a CSV.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts, Are there any best practices for creating and managing site links? The problem I am facing where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
RE: [ActiveDir] Automagic Security groups.
Two options come to mind, I'm sure there are others...

1) Build a set of scripts and put a web front-end on them, which would allow others to move the user account and as part of the move, the OUone groups would get stripped and the OUtwo groups would get added.

2) Directly delegate the object move (or like above, stick it in a web page). Then have a scheduled task that periodically runs and looks at all user objects in OUone and sets the group membership correctly, same for OUtwo.

Option 1 has a more immediate effect, and that may be an important point. Option 2 has the advantage of consistently enforcing group membership, so even if someone makes an inadvertent change it will get corrected on the next pass of the script. It also makes it easier to change the groups and have all users get updated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
Sent: Tuesday, February 07, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automagic Security groups.

I am almost looking for a query based Security Group, similar to Distribution Groups. It would save me a ton of time if when I moved a user from OUone to OUtwo if it would/could strip that user of all their old groups and drop them into the new groups, based upon what OU the user account currently resides in. 15 schools, students moving from school to school all year long - it would save us a ton of time. In fact I could delegate the move and have others do it. It would be the last part of the puzzle to making these moves near zero administrative overhead. Any ideas?

Jim Kennedy
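The reconciliation pass described as option 2 above can be reduced to one planning step per user. This is an added example, not a script from the list: the function names, the OU-to-group table and the sample DNs are constructed, and the actual directory reads and writes are left to whatever tool the scheduled task uses.

```python
def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return parts


def _ou_key(dn):
    """Case-insensitive, whitespace-normalised form of a container DN."""
    return ",".join(split_dn(dn)).casefold()


def plan_membership(user_dn, current_groups, ou_groups):
    """Return (groups_to_add, groups_to_remove) for one user.

    Only groups named somewhere in `ou_groups` are ever removed, so a
    membership granted for another reason survives the pass. A user who
    sits outside every listed OU is left untouched.
    """
    mapping = {_ou_key(ou): {g.casefold(): g for g in groups}
               for ou, groups in ou_groups.items()}
    managed = set().union(*(m.keys() for m in mapping.values()))

    # Walk up from the user's parent container to the nearest listed OU.
    parts = split_dn(user_dn)
    desired = None
    for i in range(1, len(parts)):
        desired = mapping.get(",".join(parts[i:]).casefold())
        if desired is not None:
            break
    if desired is None:
        return [], []

    current = {g.casefold(): g for g in current_groups}
    to_add = sorted(desired[k] for k in desired.keys() - current.keys())
    to_remove = sorted(current[k]
                       for k in (current.keys() & managed) - desired.keys())
    return to_add, to_remove


# Constructed sample policy: which groups each OU implies.
OU_GROUPS = {
    "OU=OUone,DC=example,DC=org": {"OUone-Students", "OUone-Printers"},
    "OU=OUtwo,DC=example,DC=org": {"OUtwo-Students", "OUtwo-Printers"},
}

if __name__ == "__main__":
    # Constructed user who was just moved from OUone to OUtwo.
    dn = "CN=Doe\\, Jane,OU=OUtwo,DC=example,DC=org"
    held = ["OUone-Students", "OUone-Printers", "Chess-Club"]
    add, remove = plan_membership(dn, held, OU_GROUPS)
    print("add:", add)
    print("remove:", remove)
```

Because the plan is computed from the user's current location alone, running it again after the changes are applied yields two empty lists, which is the self-correcting behaviour attributed to option 2.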
[ActiveDir] Moving Certificates between separate AD infrastructures
I have a DOD customer that is looking to break off a piece of the organization to stand up its own agency. The DOD customer is currently deployed in an Active Directory infrastructure with a PKI infrastructure deployed and smartcards in use. Shortly, the customers will be moved to a completely new AD infrastructure at their own request. Unfortunately, the organization will not immediately deploy new certs and smart cards to the staff due to logistics issues. Smartcard access to DOD systems is an absolute requirement. Disruption to the user community must be kept to an absolute minimum. The organization would like to continue to use the existing certs and smartcards with the new infrastructure.

My question is, assuming that the PKI infrastructure can support the old certs, is there a way to automate the movement of user certs during the migration process? Can we automate the publishing of the old certificate from the old directory into the new directory? Are there existing migration tools out there that do this (i.e. Quest, Bindview)? Does ADMT do this by default? I've been reviewing the ADMT documentation and I haven't seen a mention of migrating user certificates yet. I was thinking to develop some code using CAPICOM to do this; however, I didn't want to reinvent the wheel.

A second question would be do both the values in the userCertificate and userSMIMECertificate properties have to go?

Thanks in advance, Dave
[ActiveDir] AD Web Interface
AD Gurus, Anyone know of a web interface for some basic AD administration, preferably a cheap or free solution. Basically, this web interface will be provided to the helpdesk to perform tasks like unlock account, move account, check group membership etc. By googling around I found PHP based AdLDAP http://adldap.sourceforge.net and I am able to make a web interface with it (that website designing hobby finally paid off); however, I found it to be very slow in the production environment. Just wondering if anyone out there has had need for such tool. -Adeel
RE: [ActiveDir] AD Web Interface
I have a need, but, alas, no funds...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Web Interface

AD Gurus, Anyone know of a web interface for some basic AD administration, preferably a cheap or free solution. Basically, this web interface will be provided to the helpdesk to perform tasks like unlock account, move account, check group membership etc. By googling around I found PHP based AdLDAP http://adldap.sourceforge.net and I am able to make a web interface with it (that website designing hobby finally paid off); however, I found it to be very slow in the production environment. Just wondering if anyone out there has had need for such tool. -Adeel
RE: [ActiveDir] AD Web Interface
I haven't used it but recently learned of https://www.hp-lab.ch/ldapweb/

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Web Interface

AD Gurus, Anyone know of a web interface for some basic AD administration, preferably a cheap or free solution. Basically, this web interface will be provided to the helpdesk to perform tasks like unlock account, move account, check group membership etc. By googling around I found PHP based AdLDAP http://adldap.sourceforge.net and I am able to make a web interface with it (that website designing hobby finally paid off); however, I found it to be very slow in the production environment. Just wondering if anyone out there has had need for such tool. -Adeel
RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)
Instead of editing the DSSEC.DAT file to adjust the visibility of the attribute in ADUC's sec-editor (which will only apply to the local ADUC instance anyways), you could also just choose to set the appropriate permissions via ADSIedit.msc, where the DSSEC.DAT filter doesn't apply = you should directly see the attribute (and many more) in the sec-editor. /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, 7 February 2006 02:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Hi all, I'm trying to delegate the "Office" field shown in aduc - which actually maps to the "physicalDeliveryOfficeName" field in AD. However via the gui this option seems to be hidden and seems like it's part of a Personal Information property set. Would dsacls do delegation for this particular attribute only? Been trying it but getting errors :) Some lights to sheds perhaps? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] DSQUERY filter for space character only
The tricky piece here is the space, the displayname=\20 mechanism would work as well as the very cute little query Dean posted of displayname=!. Check out http://msdn.microsoft.com/library/default.asp?url="">. It talks a little about constructing queries.

The other thing that stuck out to me, and appears to have stuck out to you, is the fact that everyone was using objectcategory=user. The user class isn't a valid objectcategory. Luckily AD figures that out for you and changes the query to objectcategory=person. However, that may not be the query the OP wanted because that will return matching users and contacts. Since displayname is indexed, you could probably get away with the query (&(objectclass=user)(displayname=\20)). The tried and true test would be to submit that query up against (&(objectcategory=person)(objectclass=user)(displayname=\20)) or even (&(sAMAccountType=805306368)(displayname=\20)) with the STATS control and see what indexes get used, I would expect displayName generally.

I just did a trace and took a peek and the displayname=" " doesn't even get to the server, the client dumps it as a bad query before then.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Tuesday, February 07, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only

Have you tried: (&(objectCategory=Person)(objClass=User)(displayName=\\ ))

David Aragon
Your ability to perceive a solution is limited only by your understanding of the problem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sitton Glen E
Sent: Tuesday, February 07, 2006 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only

I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails: (&(objectCategory=user)(displayName= )) The query filter ... is not a valid query string. I've tried: " " ' ' %20 + and escaping it with a \ or a ^ Any ideas? Thanks in advance, - Glen
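The \20 form discussed in this thread is the RFC 4515 hex escape for a filter value. As an added example (not code from the thread; the function names are hypothetical), the helper below builds the displayName filter from an arbitrary string, hex-escaping the characters RFC 4515 requires plus leading and trailing spaces, so a single-space value comes out as \20 and filter metacharacters in untrusted input stay literal. Escaping edge spaces and non-ASCII bytes is a choice made here, not an RFC requirement.

```python
import re

# Added example. Bytes RFC 4515 requires to be escaped: NUL ( ) * \
_SPECIALS = {0x00, 0x28, 0x29, 0x2A, 0x5C}

def escape_filter_value(value):
    """Return value as an LDAP filter assertion value using \\XX hex escapes."""
    raw = value.encode("utf-8")
    lead = len(raw) - len(raw.lstrip(b" "))     # count of leading spaces
    trail = len(raw) - len(raw.rstrip(b" "))    # count of trailing spaces
    out = []
    for i, b in enumerate(raw):
        edge_space = b == 0x20 and (i < lead or i >= len(raw) - trail)
        if b in _SPECIALS or b < 0x20 or b >= 0x7F or edge_space:
            out.append("\\%02x" % b)            # e.g. a lone space -> \20
        else:
            out.append(chr(b))
    return "".join(out)

def unescape_filter_value(escaped):
    """Inverse of escape_filter_value, used to check the round trip."""
    data = re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  escaped.encode("ascii"))
    return data.decode("utf-8")

def user_displayname_filter(display_name):
    """Filter for user objects (not contacts) with exactly this displayName."""
    return ("(&(objectCategory=person)(objectClass=user)(displayName=%s))"
            % escape_filter_value(display_name))

if __name__ == "__main__":
    # Constructed inputs: the single space from the thread, and a value that
    # would change the filter's structure if it were pasted in unescaped.
    for sample in (" ", "*)(objectClass=*", "Zo\u00eb (IT)"):
        print(repr(sample), "->", user_displayname_filter(sample))
```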
RE: [ActiveDir] Nesting groups
Nothing personal, I assume everyone is lying to me. When I entered the world of enterprise class corporate support back in like 1996, my supervisor sat me down the first day and told me words to live by 1. Believe none of what you hear and only half of what you see. 2. Users lie. He further clarified #2 with several points. First that users were defined as anyone asking you for help so that could be end users or other admins or even your boss. Second, they don't necessarily do it on purpose, some of them truly believe what they tell you. Others are out and out not telling you the truth and don't want you to figure out the truth, they just want you to make it so they can continue doing whatever it was that they were doing when they ran into the occasion that required your assistance. I agree that the changes you mention shouldn't have made a difference. Possibly there was something else going on when the message was sent previously, I would just keep an eye open. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Tuesday, February 07, 2006 7:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups It really is a single domain; would I lie to you?? :-) I've now gone through all the groups. They were all mail enabled and permissions haven't been changed but I think there are two things which were causing problems - one I've now fixed the other I'm still working on. The names of some of the groups have been changed; normally, I would make the name, display name, pre-Windows 2000 name and alias all the same but some of these had been renamed and not all the names matched up (and a couple had spaces - I think this is allowed but I always avoid spaces in names!) I've now made sure that they're all the same (and even the SMTP address is the same although I doubt that matters??) 
and it now seems to work (I sent an email to the top level list and all the names appear in the Exchange log; yesterday that wasn't the case) The one issue I've still got is the way Outlook 2003 in cached mode doesn't seem to update the address book properly. If I log on to a machine with Outlook 2003 and don't set up cached mode then I get to see all the groups. If I log on in cached mode then the Global Address List in the address book doesn't show all the groups. If I pick All Groups from the All Address Lists section then I get to see all the groups. I'm pretty sure this is a client-side issue (Office XP sees it OK; using Find in OWA also works OK) Thanks for all the suggestions. Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 07 February 2006 08:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups Just one of the standard questions I use for DL expansion issues. Not relevant to a single domain forest but we don't know in this case if this is for sure a single domain forest or they simply manage a single domain in a forest. I've made that assumption based on verbiage in the past and paid for it, little more careful now[1]. Anyway, the one group specifically not receiving the message sounds very much like it isn't mail enabled, the group is a global/dlg that isn't being expanded on the correct GC, or the permissions for the group have been modified incorrectly. Actually that reminds me, another question I should have specifically spelled out below is are the permissions standard for the groups and users?, i.e. has anyone tried to tighten down the directory? 
joe [1]No, the forest has multiple domains, the other domain is just an empty root and is run by the schema admin folks until the rest of the company converts, we don't have any groups or users in that domain so we didn't figure you wanted to hear about it You have to love hearing that after several hours of trying to troubleshoot from descriptions and start catching inconsistencies. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 06, 2006 11:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups Joe, What would be the point of B? Deji -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, February 06, 2006 5:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nesting groups No limits that I am aware of, I swear I have tested in the past to 4 or 5 layers and seen it work. I know I definitely tested three layers as I have done that several times to mimic various environments. I would A. Make sure all groups/users in question are mail-enabled. B. Make sure that the groups truly are universal. C. Make sure that the groups are all
[ActiveDir] OT: Another reason to update IE 5.5 to 6 on Windows 2000 boxes
Microsoft Security Advisory (91): Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/91.mspx -- Letting your vendors set your risk analysis these days? http://www.threatcode.com List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Web Interface
Someone pointed me to this earlier on - http://www.namescape.com/ Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 08, 2006 5:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Web Interface

AD Gurus, Anyone know of a web interface for some basic AD administration, preferably a cheap or free solution. Basically, this web interface will be provided to the helpdesk to perform tasks like unlock account, move account, check group membership etc. By googling around I found PHP based AdLDAP http://adldap.sourceforge.net and I am able to make a web interface with it (that website designing hobby finally paid off); however, I found it to be very slow in the production environment. Just wondering if anyone out there has had need for such tool. -Adeel
RE: [ActiveDir] Moving Certificates between separate AD infrastructures
MIIS can do this

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 08, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving Certificates between separate AD infrastructures

I have a DOD customer that is looking to break off a piece of the organization to stand up its own agency. The DOD customer is currently deployed in an Active Directory infrastructure with a PKI infrastructure deployed and smartcards in use. Shortly, the customers will be moved to a completely new AD infrastructure at their own request. Unfortunately, the organization will not immediately deploy new certs and smart cards to the staff due to logistics issues. Smartcard access to DOD systems is an absolute requirement. Disruption to the user community must be kept to an absolute minimum. The organization would like to continue to use the existing certs and smartcards with the new infrastructure.

My question is, assuming that the PKI infrastructure can support the old certs, is there a way to automate the movement of user certs during the migration process? Can we automate the publishing of the old certificate from the old directory into the new directory? Are there existing migration tools out there that do this (i.e. Quest, Bindview)? Does ADMT do this by default? I've been reviewing the ADMT documentation and I haven't seen a mention of migrating user certificates yet. I was thinking to develop some code using CAPICOM to do this; however, I didn't want to reinvent the wheel. A second question would be do both the values in the userCertificate and userSMIMECertificate properties have to go? Thanks in advance, Dave
[ActiveDir] AD management MMC
I remember in the past downloading a MMC that already had ADUC, GPO, DNS, and other snapins in it. I thought it was called Active Directory Management Tool, but I can't find it. Does anyone else recall this tool? Its name?
RE: [ActiveDir] AD management MMC
Have a look for admgmt.msc

More info here: http://technet2.microsoft.com/WindowsServer/en/Library/b8fa00f7-d3ff-48ee-8b36-b2e1588686901033.mspx

And here: http://www.activedir.org/article.aspx?aid=91

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, 8 February 2006 6:24 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD management MMC

I remember in the past downloading a MMC that already had ADUC, GPO, DNS, and other snapins in it. I thought it was called Active Directory Management Tool, but I can't find it. Does anyone else recall this tool? Its name?