RE: [ActiveDir] Quiet? DEC? Related?
I think he may have been there with us, as I believe the force may be strong in him: as in keeping with Joe2D2, Dean3PO, Gilbacca and Princess Horr-hay - Deji is an anagram of Jedi -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: 01 April 2006 07:27 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Definitely a huge thanks to everyone for making this an awesome first DEC for me! It was great matching up faces to the email addresses I see daily. The DR, Security and Interopt sessions were a couple of my favorites. The DJ show was awesome! For those not able to attend this year, make it a priority next year. I was told I could take a class this quarter...I've taken enough AD and Exchange classes over the years so I chose to attend DEC because of the praise given to it by the folks on this list. It was well worth the trip...didn't hurt that red 9 kept hitting either ;-) So the only mystery left is where was Deji? Cheers, Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 31, 2006 5:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Absolutely. Very entertained. I had a near permanent smile from the point I directed a question to Stuart asking him where he was from so I could give him a copy of AD3E. The funny part was him thinking I was trying to set him up for something... As soon as I saw him in the audience I intended on giving him a copy to say thanks from all of us for the work he has done on this stuff and his lack of failure in listening to our feedback. The way it all played out though was great and added to the fun. To those who sadly didn't attend we gave out copies of Active Directory Third Edition to folks who were answering questions we tossed out into the open. I said the next question is for Stuart alone and said Stuart, where are you from? 
knowing that most of the folks in the audience would know exactly where he was from having seen his keynote abt Identity Management I figured most people would yell it out so I said it was just for him. His response was priceless... Now or originally? The audience howled. Great fun. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, March 31, 2006 7:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? That's cool. I can go with that. As long as you're entertained. Let's just say it's not my kind of entertainment, unlike the joe and Dean show. Hey, joe and Dean, aren't you the guys who sing Little Old Lady From Pasadena? Or was that Little Old Attr Caused PAS Expansion? :) Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 31, 2006 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Well it really depends on their attitude. What Guido & I did wasn't gambling though I stated it as such previously. We were being entertained. You don't really gamble when you play the slots, you have no control over the outcome. If someone goes in thinking they will walk away with more money than they started with, I would argue they should not be doing it at all. I personally figure out how much money I am spending on entertainment and then spend it be it on slots, meals, drinks, or cool little rubber duckies at the hotel airport. Thinking that way, I lost $0 as well, though I spent about $500 on entertainment. Best money spent IMO. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, March 31, 2006 3:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related?
I've always thought that gambling in general was a tax on those who don't understand probability by those who do understand brain chemistry. I lost $0. Though it was sometimes fun watching other people support the Las Vegas economy. What's lost in Lost Wages stays in Lost Wages. :) Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, March 31, 2006 11:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? $20 of it was spent showing Guido how US slot machines worked in the Bellagio. and that was so complicated to learn :-) Obviously I lost all of what I've put into the machines as well (hadn't expected anything else) - a whopping $12! But now I can gamble all I want since on the last day I went to the M&M world-store on the strip and bought a Slot-Machine-Type of M&M dispenser for my kids - it's way cool and I'm sure I'll use it more
Re: [ActiveDir] User accessing mailboxes
There was a hotfix that changed the behavior of Exchange 2003 for the full mailbox access rights. Could be you ran into that. If I recall correctly, you need to also grant the receive as rights for [EMAIL PROTECTED] to access [EMAIL PROTECTED] (grant it on sales account). That send as and receive as should allow him to access the account properly. From there, you may want to get more granular and remove some rights, but that's something you'll have to work on to get it the way you want in your organization.

For the users that need to send as, grant them the send as rights. They can do this from their Outlook client when they want to send as.

Al

On 4/1/06, Milton Sancho [EMAIL PROTECTED] wrote:

Hi,

I configure a user with his mailbox-enabled account [EMAIL PROTECTED], besides this user needs to get access to the mailbox-enabled account [EMAIL PROTECTED], it is a business company e-mail account. I granted him rights over sales e-mail account:
- Delete mailbox storage and Full Mailbox access
- Grant permissions to: Send on behalf

However when the user accesses his mailbox [EMAIL PROTECTED] he can send and receive e-mails fine; but when I added him the mailbox [EMAIL PROTECTED] he can not send e-mails as sales user, IMAP config works fine; but with exchange e-mail accounts the process changes.
- On the other hand, I need several users with rights to send but not receive e-mails ([EMAIL PROTECTED])

Thanks for comments that drive me to the right config or to understand why I can not get the config that I need!

Thanks comments
RE: [ActiveDir] display name confusion
Tom,

The column Name in ADUC is not the displayName, but you can add this latter column. When generating a user via ADUC, the field called Full Name is used to populate the user's CN, displayName and name attributes. By default this format is "givenName sn" but you can modify this via the relevant DisplaySpecifier as you mentioned (see http://support.microsoft.com/?kbid=250455). Note that changing the DisplaySpecifier only affects objects created afterwards; objects previously created won't be updated to reflect this change. Additionally, the displayName can be subsequently over-written, or a displayName can be specified at the point of object creation which doesn't adhere to the createDialog format.

If your createDialog for users is %sn, %givenName then - within ADUC - the Full Name field (which populates the CN, displayName and name attributes) will be populated automatically based on the information in the First name and Last name fields. If you don't populate these two fields then the Full Name will need to be specified manually before you can proceed. I presume that this field is required in ADUC because it populates the CN, which is a mandatory attribute, and just for convenience sake the information from this field is then used to populate those other attributes.

Creating a user via another mechanism, such as via a script, should only require you to specify the CN and samAccountName, since other attributes including the displayName are optional. Actually, you don't even need to specify the samAccountName come to think of it, since it will be created automatically if you don't, but ultimately the samAccountName attribute itself is mandatory.

So, if you're certain that you're creating the users via ADUC, then someone manually entered the samAccountName in the Full Name field, which propagates to the displayName attribute amongst others.

I'm not sure what you mean by "the dn's are all mixed". I thought that your problem was with the displayName attribute?
It sounds to me like someone mis-populated the Full Name field, which then flows to the displayName and the CN, and the distinguishedName.

HTH,
Katherine Coombs

PS. For those interested, it would appear that 4 days is the time required to spend with joe before being converted from a lurker to an essayist :-)

PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 30 March 2006 07:16
To: activedirectory
Subject: [ActiveDir] display name confusion

Can someone explain to me how the display names get generated in ADUC? I have users whose display names are "lastname,firstname" but whose accounts show up in aduc as the samaccountname format. This is sporadic and not for all users. The "user-Display" is set to "lastname,firstname" as well in the config NC. When I do a query with adfind or dsquery, the dn's are all mixed as well with some in sAMAccountName format and some as the display name.

Thanks
RE: [ActiveDir] User accessing mailboxes
Al,

I think that this is what you're referring to? http://support.microsoft.com/kb/895949/

Cheers,
Katherine Coombs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 01 April 2006 14:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User accessing mailboxes

There was a hotfix that changed the behavior of Exchange 2003 for the full mailbox access rights. Could be you ran into that. If I recall correctly, you need to also grant the receive as rights for [EMAIL PROTECTED] to access [EMAIL PROTECTED] (grant it on sales account). That send as and receive as should allow him to access the account properly. From there, you may want to get more granular and remove some rights, but that's something you'll have to work on to get it the way you want in your organization.

For the users that need to send as, grant them the send as rights. They can do this from their Outlook client when they want to send as.

Al

On 4/1/06, Milton Sancho [EMAIL PROTECTED] wrote:

Hi,

I configure a user with his mailbox-enabled account [EMAIL PROTECTED], besides this user needs to get access to the mailbox-enabled account [EMAIL PROTECTED], it is a business company e-mail account. I granted him rights over sales e-mail account:
- Delete mailbox storage and Full Mailbox access
- Grant permissions to: Send on behalf

However when the user accesses his mailbox [EMAIL PROTECTED] he can send and receive e-mails fine; but when I added him the mailbox [EMAIL PROTECTED] he can not send e-mails as sales user, IMAP config works fine; but with exchange e-mail accounts the process changes.
- On the other hand, I need several users with rights to send but not receive e-mails ([EMAIL PROTECTED])

Thanks for comments that drive me to the right config or to understand why I can not get the config that I need!

Thanks comments
RE: [ActiveDir] display name confusion
PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

Landed yesterday evening (Friday if I recall correctly) - and am still a bit jetlagged. And the rubber ducky is still on the road - luggage got lost (or not transferred in time) in San Francisco so I may expect it earliest tonight.

Was nice meeting you - and glad you've made it out of the lurking space ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs
Sent: Saturday, April 01, 2006 5:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] display name confusion

Tom,

The column Name in ADUC is not the displayName, but you can add this latter column. When generating a user via ADUC, the field called Full Name is used to populate the user's CN, displayName and name attributes. By default this format is "givenName sn" but you can modify this via the relevant DisplaySpecifier as you mentioned (see http://support.microsoft.com/?kbid=250455). Note that changing the DisplaySpecifier only affects objects created afterwards; objects previously created won't be updated to reflect this change. Additionally, the displayName can be subsequently over-written, or a displayName can be specified at the point of object creation which doesn't adhere to the createDialog format.

If your createDialog for users is %sn, %givenName then - within ADUC - the Full Name field (which populates the CN, displayName and name attributes) will be populated automatically based on the information in the First name and Last name fields. If you don't populate these two fields then the Full Name will need to be specified manually before you can proceed.
I presume that this field is required in ADUC because it populates the CN, which is a mandatory attribute, and just for convenience sake the information from this field is then used to populate those other attributes.

Creating a user via another mechanism, such as via a script, should only require you to specify the CN and samAccountName, since other attributes including the displayName are optional. Actually, you don't even need to specify the samAccountName come to think of it, since it will be created automatically if you don't, but ultimately the samAccountName attribute itself is mandatory.

So, if you're certain that you're creating the users via ADUC, then someone manually entered the samAccountName in the Full Name field, which propagates to the displayName attribute amongst others.

I'm not sure what you mean by "the dn's are all mixed". I thought that your problem was with the displayName attribute? It sounds to me like someone mis-populated the Full Name field, which then flows to the displayName and the CN, and the distinguishedName.

HTH,
Katherine Coombs

PS. For those interested, it would appear that 4 days is the time required to spend with joe before being converted from a lurker to an essayist :-)

PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 30 March 2006 07:16
To: activedirectory
Subject: [ActiveDir] display name confusion

Can someone explain to me how the display names get generated in ADUC? I have users whose display names are "lastname,firstname" but whose accounts show up in aduc as the samaccountname format. This is sporadic and not for all users. The "user-Display" is set to "lastname,firstname" as well in the config NC. When I do a query with adfind or dsquery, the dn's are all mixed as well with some in sAMAccountName format and some as the display name.

Thanks
RE: [ActiveDir] Thanks to all who came to DEC 2006
Hi Gil, Thanks to you and your team, especially Stella and Christine, for all the work you did to make this conference as special as it is to all of us. I also want to thank Stuart, AFAIK he was not only sponsoring the event but also enabled a lot of his folks (Nathan, Levon, Brian,..) to attend and spent time with us - there were a lot of great discussions between all of the attendees, speakers, MS, and the conference would not be the same without their support physically being there. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of Gil |Kirkpatrick |Sent: Friday, March 31, 2006 12:30 PM |To: ActiveDir@mail.activedir.org |Subject: [ActiveDir] Thanks to all who came to DEC 2006 | |Thank you to everyone on the list who came to DEC this year |and helped make it a success. I've had nothing but positive |comments ranging from really great to un-f***ing-believably |great. I've had four different people tell me (including |Stuart) that if they can only go to one show a year, DEC would be it. | |Certainly the Joe & Dean Show stands out as a popular (and |hilarious, and informing) event, but even more critical to |the show's success was having the expertise of people like |joe, Dean, Guido, Ulf, Jorge, Laura, Wook, and the other |list-denizens wandering the halls and talking to people. There |was a _scary_ amount of expertise attending the show, and |_that's_ what brings people back. | |One of the things I do during DEC is wander the halls during |the parties and between sessions and listen in on the |conversations... I usually don't pick up on anything specific, |but I can usually get a sense of the conversation...
is it |positive/negative, is it energetic, are the people engaged, |etc. And this year the halls were positively buzzing, all the |way through the final sessions on Wednesday afternoon. It has |_never_ been like that before. | |I'd like to take this opportunity to thank joe, Ulf, Dean, and |Laura for helping Guido and me with the pre-conference |disaster recovery workshop. They wandered into the room where |we were setting up, and stayed with us till well after |midnight testing and configuring the lab systems. Hmmm... |funny, that's about when the Scotch ran out as well... :) To |give you an idea of how cool these guys are, they showed up at |the workshop the next morning around 7:30 (after getting very |little sleep the night before) and spent the next several |hours configuring the IP settings in the 150+ lab VMs because |the code I wrote to automate the process crashed and burned. |And then they spent the rest of the workshop helping the |attendees get connected to the wireless net, helping them do |the exercises, answering questions, etc. etc. All voluntary, |just to help out. | |I have to give special thanks to Jorge for running through the |pre-conference lab docs until about 3:00 in the morning, just |out of the goodness of his heart. Jorge is touring the |Southwest US for the next couple of weeks with his girlfriend |Nellika (sp?) and I hope he has a great trip. | |And double-special-thanks to Guido for partnering with me to |produce the whole pre-conference workshop. Guido spent more |nights and weekends than either of us want to remember to put |the workshop together, and I certainly could not have done it |without him. As big a PITA as it was, working with Guido made |it a lot of fun except for the part when the VMs started |to blue-screen an hour before the workshop was supposed to |start. That part truly sucked. :) | |Thanks again to all of you who came, and I hope those who |couldn't make this year can make it next year. 
| |-gil | |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of |Grillenmeier, Guido |Sent: Friday, March 31, 2006 12:37 PM |To: ActiveDir@mail.activedir.org |Subject: RE: [ActiveDir] Quiet? DEC? Related? | | $20 of it was spent showing Guido how US slot machines |worked in the Bellagio. | |and that was so complicated to learn :-) Obviously I lost all |of what I've put into the machines as well (hadn't expected |anything else) - a whopping $12! But now I can gamble all I |want since on the last day I went to the M&M world-store on |the strip and bought a Slot-Machine-Type of M&M dispenser for |my kids - it's way cool and I'm sure I'll use it more often |than they will ;-)) | | |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of joe |Sent: Donnerstag, 30. März 2006 19:00 |To: ActiveDir@mail.activedir.org |Subject: RE: [ActiveDir] Quiet? DEC? Related? | |Would be interested in hearing the survey
RE: [ActiveDir] Reset Local Admin Passwords
Hello Scott,

If you are talking about the DSRM-Password: SetPwd - which is available in W2k SP4 - enables you to remotely reset a DC's DSRM-Password. If you want to run this across all running DCs you can do that as following:

for /f %i in ('dsquery * -Filter "(&(objectCategory=Computer)(userAccountControl=532480))" -attr name -q') do setpwd /s:%i /p:[EMAIL PROTECTED]

Make sure you extend the script to provide you with logging - you need to make sure that you know if you were unable to reset a DC's DSRM-Password.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Friday, March 31, 2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

A bit dated I know, but Danish company's web site seems to have gone kaput. Does anyone here happen to have a copy of DCPC to share?

Scott Klassen

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Tuesday, January 31, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

Use a tool called DCPC (DC password changer) freeware you can find it here http://www.danish-company.com/dcpc all you need is the domain admin password and all PCs running. Straightforward and I am changing the password every 2-3 months.

Cheers,
Katrin Wilhelm (MCSA)
CVGT Employment Training Specialists
Australia
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 1 February 2006 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

We do realize the potential risk in this but this request is coming from a higher authority (my boss).
I've been asked to find a way to change it and I believe that they are going to have the password reset on a monthly basis. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter Sent: Tuesday, January 31, 2006 11:30 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Reset Local Admin Passwords We currently have about 4 different passwords floating around our domain and we'd like to get it down to a single standard. Any help would be appreciated. Okay, just to offer a counterpoint to your underlying plan - you do realise that by using a single local admin password across your enterprise, if even -one- of those workstations gets the admin password compromised, the attacker who did so now has local admin rights to every workstation on your network? With apologies to Jesper Johannsen[1], it's one of those "How to get your network hacked in 10 easy steps" things - if I've just compromised the local admin password of WorkstationA, what do you think is going to be the very first password I try when I move on to try and compromise WorkstationB? [1] And additional apologies for the fact that I'm sure I just spelled his name wrong. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Quiet? DEC? Related?
I can only say that I really wanted to be there, glad you all had a great time! I will try to be there the next time, if work allows it... Joe/Deano - sounds like I missed a great session! /Jimmy the Swede Jimmy Andersson, Principal Advisor - Q Advice AB Microsoft MVP - Directory Services Security --- www.qadvice.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Saturday, April 01, 2006 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? I think he may have been there with us, as I believe the force may be strong in him: as in keeping with Joe2D2, Dean3PO, Gilbacca and Princess Horr-hay - Deji is an anagram of Jedi -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: 01 April 2006 07:27 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Definitely a huge thanks to everyone for making this an awesome first DEC for me! It was great matching up faces to the email addresses I see daily. The DR, Security and Interopt sessions were a couple of my favorites. The DJ show was awesome! For those not able to attend this year, make it a priority next year. I was told I could take a class this quarter...I've taken enough AD and Exchange classes over the years so I chose to attend DEC because of the praise given to it by the folks on this list. It was well worth the trip...didn't hurt that red 9 kept hitting either ;-) So the only mystery left is where was Deji? Cheers, Alex -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 31, 2006 5:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Absolutely. Very entertained. I had a near permanent smile from the point I directed a question to Stuart asking him where he was from so I could give him a copy of AD3E. The funny part was him thinking I was trying to set him up for something... 
As soon as I saw him in the audience I intended on giving him a copy to say thanks from all of us for the work he has done on this stuff and his lack of failure in listening to our feedback. The way it all played out though was great and added to the fun. To those who sadly didn't attend we gave out copies of Active Directory Third Edition to folks who were answering questions we tossed out into the open. I said the next question is for Stuart alone and said Stuart, where are you from? knowing that most of the folks in the audience would know exactly where he was from having seen his keynote abt Identity Management I figured most people would yell it out so I said it was just for him. His response was priceless... Now or originally? The audience howled. Great fun. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, March 31, 2006 7:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? That's cool. I can go with that. As long as you're entertained. Let's just say it's not my kind of entertainment, unlike the joe and Dean show. Hey, joe and Dean, aren't you the guys who sing Little Old Lady From Pasadena? Or was that Little Old Attr Caused PAS Expansion? :) Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 31, 2006 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Well it really depends on their attitude. What Guido & I did wasn't gambling though I stated it as such previously. We were being entertained. You don't really gamble when you play the slots, you have no control over the outcome. If someone goes in thinking they will walk away with more money than they started with, I would argue they should not be doing it at all.
I personally figure out how much money I am spending on entertainment and then spend it be it on slots, meals, drinks, or cool little rubber duckies at the hotel airport. Thinking that way, I lost $0 as well, though I spent about $500 on entertainment. Best money spent IMO. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, March 31, 2006 3:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? I've always thought that gambling in general was a tax on those who don't understand probability by those who do understand brain chemistry. I lost $0. Though it was sometimes fun watching other people support the Las Vegas economy. What's lost in Lost Wages stays in Lost Wages. :) Wook -Original Message- From: [EMAIL
[ActiveDir] CNF entries and LDIFDE.
Howdy.

At DEC I was approached concerning a problem an admin was having with LDIFDE and importing CNF (conflict) objects, basically LDIFDE hits an error and stops when it processes one of these DNs. That is not generally the result you are looking for. It certainly puts a crimp in your productivity for the day if it keeps happening and you can't stop it.

First some background, these objects appear when an object is created with the same DN on multiple DSAs (Directory Service Agents aka DCs or ADAM instances) within the same replication convergence interval. They replicate and eventually collide and following standard collision rules, the loser gets marked with a newline (\0A), the string literal 'CNF:' and the objectGUID value in friendly format. Looking something like

CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com

The winner of the collision is usually determined by the timestamp of the RDN on the various servers because the version of the RDN of both objects is almost always 1 making the version slightly less than helpful for the comparison. Note I was careful not to say the second one created will win, it is the one with the later timestamp, if servers are out of sync in time with each other, it could confuse the situation. However, assuming you have a good time structure, the object created first should be renamed and the object created second will have the "clean" name.

So the problem with LDIFDE is related to that darn NEWLINE character. That isn't something you can generally import in for a name and Microsoft specifically used that character to get your attention. When LDIFDE tries to import an object like that the DSA says "No way Jose!".
Well it is a little more professional and says NAMING_VIOLATION with an error of 200B which is

G:\granamigodelpato>err 200b
# for hex 0x200b / decimal 8203 :
  ERROR_DS_INVALID_ATTRIBUTE_SYNTAX winerror.h
# The attribute syntax specified to the directory service is
# invalid.
# 1 matches found for "200b"

You do occasionally (or more or less often - YMMV) get these objects in your directory. As a general rule, clean them up when you find them. How you do that is very specific to the objects, you will have to use some judgement and try to figure out which is the right object to keep, the non-CNF stamped object or the CNF stamped object. About the only incorrect answer here is to say that you always keep one or the other simply based on whether it has the CNF or not. As the name indicates they are indicative of a collision and they are a mechanism to protect you from something that could possibly have really hurt.

Don't like collision objects you say?? Consider the alternatives which are that something disappears or you get some sort of odd amalgamation of two different objects. Both of those alternatives suck because they are much worse than just having a CNF object. With a CNF object at least you have something you can detect and have a fighting chance to correct.

So the admin is having troubles importing the objects because he keeps hitting CNF objects. It would be nice if LDIFDE handled this situation gracefully. And guess what... it can. :o)

The latest version of LDIFDE which is in the ADAM SP1 or R2 release has a version of LDIFDE dated 2005/11/23 with a file version of 1.1.3790.2075 which has a '-z' option which tells ldifde to continue importing regardless of errors. Very cool, yet another reason for you to download ADAM SP1 or dig it off your R2 CDs.

However, do you really want to always do that? I mean come on, keep on going regardless of errors...
That is equivalent to the VBScript ON ERROR RESUME NEXT programming mechanism and we don't even have ERROR levels so we can really check to stop our process midstream and correct.

So the "right" solution in my mind if you have CNF objects is to clean them up. If that isn't feasible at the time or you already have the LDIF dump you need to import, clean up the file prior to import. This can be done by hand with notepad or, if you have a 600MB LDIF file like the admin in question did, you will want to script it.

Below is a simple script to do this cleanup. It takes the name of an input LDIF file and the name of an output LDIF file and strips out the CNF entries. In the spirit of letting folks learn by doing I purposely left out messages telling you how many CNFs it found as well as logging the CNFs to another file, both of which I think are handy and can be added with basic modifications.

print "\nRemoveCNF V01.00.00pl Joe Richards ([EMAIL PROTECTED]) April 2006\n\n";

# Both file names are required on the command line.
$infile=shift;
$outfile=shift;

if (!$infile || !$outfile)
 {
  print "\nUsage: removecnf.pl inputfile outputfile\n\n";
  exit(1);
 }

# Input is opened for reading, output for writing (note the leading ">").
open IFH, "$infile" or die("ERROR: Couldn't open input file ($infile) - $!\n");
open OFH, ">$outfile" or die("ERROR: Couldn't open output file ($outfile) - $!\n");

$skipping=0;
foreach $thisline
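One way to do the cleanup described in the post above, written here as an added Python example; it is not the original removecnf.pl, which is cut off in this archive. It also returns the removed DNs so they can be counted and logged, and it assumes records are separated by blank lines and that the CNF DN appears either base64-encoded (`dn::`, because of the embedded newline) or in the escaped `\0A` form shown above. The function names and the sample records are constructed for illustration.

```python
import base64
import re

# A collision loser's RDN is: value + newline + "CNF:" + objectGUID.
# The newline is raw once a base64 "dn::" value is decoded, or appears in the
# escaped form \0A in a plain "dn:" value.
CNF_RE = re.compile(
    r"(?:\n|\\0A)CNF:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE
)

def unfold(lines):
    """Join LDIF continuation lines (a line that starts with one space)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def record_dn(lines):
    """Return the decoded DN of one record, or None if it has no dn line."""
    for line in unfold(lines):
        if line.startswith("dn::"):  # base64-encoded DN
            return base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
        if line.startswith("dn:"):
            return line[3:].strip()
    return None

def strip_cnf(ldif_text):
    """Return (ldif_without_cnf_records, list_of_removed_dns)."""
    text = ldif_text.replace("\r\n", "\n").strip("\n")
    kept, removed = [], []
    for block in re.split(r"\n[ \t]*\n+", text):  # blank line ends a record
        dn = record_dn(block.split("\n"))
        if dn is not None and CNF_RE.search(dn):
            removed.append(dn)
        else:
            kept.append(block)
    return "\n\n".join(kept) + "\n", removed

def sample_ldif():
    """Constructed sample: two clean records and two CNF records."""
    cnf_dn = ("CN=collision\nCNF:efc83ba9-412f-452e-ad49-72f91d31c201,"
              "CN=Users,DC=duck,DC=com")
    b64 = base64.b64encode(cnf_dn.encode("utf-8")).decode("ascii")
    return "\n".join([
        "dn: CN=collision,CN=Users,DC=duck,DC=com",
        "changetype: add",
        "objectClass: user",
        "",
        "dn:: " + b64[:40],          # folded across two lines on purpose
        " " + b64[40:],
        "changetype: add",
        "objectClass: user",
        "",
        # escaped form; this GUID is made up for the example
        r"dn: CN=dup\0ACNF:11111111-2222-3333-4444-555555555555,CN=Users,DC=duck,DC=com",
        "changetype: add",
        "objectClass: user",
        "",
        "dn: CN=notes,CN=Users,DC=duck,DC=com",
        "changetype: add",
        "objectClass: user",
        "description: mentions CNF: in a value, not in the DN",
        "",
    ])
```

Calling `strip_cnf(sample_ldif())` returns the cleaned LDIF text and the list of dropped DNs; writing that list to a second file gives the CNF log the post mentions, so each dropped object can still be reviewed in the directory.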
Re: [ActiveDir] Windows R2 - Extending the schema
Just make sure you update the schema using the 2nd cd of the R2 set. Good Luck.

On 3/31/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
Thanks all I do plan to test in lab first but I had to ask! Thanks, Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Friday, March 31, 2006 1:29 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows R2 - Extending the schema
I'm currently running the DFS-R component of R2 between several branch offices and my central data center and everything is working well. The only thing I wish MS had released with Windows 2003 R2 was an updated management pack for MOM 2005 to monitor the new DFS-R services. Other than that nothing major! Ion

From: [EMAIL PROTECTED] on behalf of McLeod, Scotty
Sent: Fri 3/31/2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows R2 - Extending the schema
Have done this a few times in testing and a couple in live environments and not had any problems at all. Good luck with it. Scotty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: 31 March 2006 11:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows R2 - Extending the schema
All, I want to deploy the new DFS feature in Windows R2 but I have to extend my schema before I can use this. Has anyone run into problems after doing this? Thanks Mike

-- Ambition is a dream with a V8 engine. ~ Elvis Presley

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Quiet? DEC? Related?
Yeah yeah, it seems to have gone well, I am starting to get that. :o) Too bad the sessions aren't videotaped, that would be handy.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, March 31, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
one was a bit boring and seemed sort of lost but had great technical content... will you shut up and give yourself a little credit! Both of you were excellent - totally different, but certainly excellent! Looking forward to next year with the two of you :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Donnerstag, 30. März 2006 18:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Don't worry we're still here.. ;-) Speak for yourself, if that DEC lasted another couple of days I would have been dead. The whole thing was a huge whirlwind to me. The best DEC yet in my opinion by a landslide. Wish it lasted a few more days. :o) There was one presentation in particular that was amazing. Two speakers, one was a bit boring and seemed sort of lost but had great technical content and the other was probably the best speaker I have ever seen, slides were hilarious, I nearly wet myself. Can't recall which session that was though. ;) Also once again, the absolute best part of the whole show was all of the people and conversations between the sessions and at the end of the day. Lots of new faces and a return of many of the old faces. Unfortunately there were several folks I wanted to touch base with and never seemed to get a chance to either because they seemed tied up or because I was. I was also quite ego-boosted to see the amount of joeware mentioned in various sessions.
Unfortunately after a Monday 2:15 session I didn't get to go to but two sessions the rest of the week, I was tied up talking with people the rest of the time but that is fine, that is what it was all about. Hopefully others found value in the time I was able to give them. No one seemed to be too disappointed with what I told them. I know Dean greatly enjoyed himself as well as we spoke at length about it. The venue was quite nice except for a few items
1. My lips and eyes and skin were so dry I thought they would never be the same again. No matter how much water I had I always felt I needed to wet my whistle. I would say 50-60 words and would need another drink. Considered just shoving an IV into my neck.
2. That hotel (Green Valley Resort) had some interesting expenses.
3. That hotel (Green Valley Resort) had really bad network connectivity. Can't believe they charged for it.
4. Their beds didn't compare to the Westin beds. I spent one night in the Westin near the strip and that bed was just amazing. The hotel on the other hand was bit "banged up" :) but the beds... oy! I could have spent a month solid in one of those things and not come out for anything but water and the Westin chocolates they left in the room.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Don't worry we're still here.. ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?
Hmm..
everyone must be having fun at DEC... this list has been very quiet this week! - Brendan Moon
RE: [ActiveDir] Quiet? DEC? Related?
Ok $3 to show you the basics, $17 to verify I was doing it correctly.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, March 31, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
$20 of it was spent showing Guido how US slot machines worked in the Bellagio. and that was so complicated to learn :-) Obviously I lost all of what I've put into the machines as well (hadn't expected anything else) - a whopping $12! But now I can gamble all I want since on the last day I went to the MM world-store on the strip and bought a Slot-Machine-Type of MM dispenser for my kids - it's way cool and I'm sure I'll use it more often than they will ;-))

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Donnerstag, 30. März 2006 19:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Would be interested in hearing the survey results. Oh that reminds me, I forgot to hand mine in. :o) I had to fly out Wed evening and was running around like my shorts were on fire trying to take care of some stuff that was absolutely mandatory prior to trying to get through security at McCarran. I would say that venue would be suitable for next year unless Sydney was an option... You could rent a jumbo jet and fly everyone going to the presession down in it and actually have the presession on the flight, that would certainly make it seem like the flight went faster. My return ticket though would have to be valid for a month as I know a lot of folks down there and would need to go say hi and collect on some beers I am owed. Odd thing is I spent no more than $60 on gambling. $20 of it was spent showing Guido how US slot machines worked in the Bellagio.
$20 was spent when I was passing a $1 Wheel of Fortune progressive slot on the way to the rest room because it called out to me and said it would make me financially independent for the rest of my natural born life (it lied), and finally $20 was spent while I sat at a bar playing Jacks or Better waiting on Dean and company to go to dinner not realizing that they didn't see me sit down next to them and were waiting on me to get there. I was up $80 bucks on that thing and then gave it all back. joe (The joe of the Dean and joe show, the j in www.jadonex.com)
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 29, 2006 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card. -gil

-Original Message-
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-) Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?
Don't worry we're still here.. ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC?
Related? Hmm.. everyone must be having fun at DEC... this list has been very quiet this week! - Brendan Moon List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] display name confusion
I concur with Ulf. Keep it up. joe P.S. With posts that well written, I am happy to take the blame.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Saturday, April 01, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] display name confusion
PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt. Landed yesterday evening (Friday if I recall correctly) - and am still a bit jetlagged. And the rubber ducky is still on the road - luggage got lost (or not transferred in time) in San Francisco so I may expect it earliest tonight. Was nice meeting you - and glad you've made it out of the lurking space ;-) Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs
Sent: Saturday, April 01, 2006 5:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] display name confusion
Tom, The column Name in ADUC is not the displayName, but you can add this latter column. When generating a user via ADUC, the field called Full Name is used to populate the user's CN, displayName and name attributes. By default this format is "givenName sn" but you can modify this via the relevant DisplaySpecifier as you mentioned (see http://support.microsoft.com/?kbid=250455). Note that changing the DisplaySpecifier only affects objects created afterwards; objects previously created won't be updated to reflect this change. Additionally, the displayName can be subsequently over-written, or a displayName can be specified at the point of object creation which doesn't adhere to the createDialog format.
If your createDialog for users is %sn, %givenName then - within ADUC - the Full Name field (which populates the CN, displayName and name attributes) will be populated automatically based on the information in the First name and Last name fields. If you don't populate these two fields then the Full Name will need to be specified manually before you can proceed. I presume that this field is required in ADUC because it populates the CN, which is a mandatory attribute, and just for convenience sake the information from this field is then used to populate those other attributes. Creating a user via another mechanism, such as via a script, should only require you to specify the CN and samAccountName, since other attributes including the displayName are optional. Actually, you don't even need to specify the samAccountName come to think of it, since it will be created automatically if you don't, but ultimately the samAccountName attribute itself is mandatory. So, if you're certain that you're creating the users via ADUC, then someone manually entered the samAccountName in the Full Name field, which propagates to the displayName attribute amongst others. I'm not sure what you mean by "the dn's are all mixed". I thought that your problem was with the displayName attribute? It sounds to me like someone mis-populated the Full Name field, which then flows to the displayName and the CN, and the distinguishedName. HTH, Katherine Coombs
PS. For those interested, it would appear that 4 days is the time required to spend with joe before being converted from a lurker to an essayist :-)
PPS. I landed a couple of hours ago and am jetlagged, so anything written above should be taken with a pillar of salt.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 30 March 2006 07:16
To: activedirectory
Subject: [ActiveDir] display name confusion
Can someone explain to me how the display names get generated in ADUC?
I have users whose display names are "lastname,firstname" but whose accounts show up in aduc as the samaccountname format. This is sporadic and not for all users. The "user-Display" is set to "lastname,firstname" as well in the config NC. When I do a query with adfind or dsquery, the dn's are all mixed as well with some in sAMAccountName format and some as the display name. Thanks
RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
And silence swept the community as Microsoft folks dived under desks searching for dropped pens
I second this request pleasethankyouverymuch.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
Thanks. Looks like a really great white paper. Anything in the works to provide updated DC sizing for Exchange? Thanks again. Jeremy

On 3/30/06, Steve Linehan [EMAIL PROTECTED] wrote:
Since it has been asked many times on the alias when will a paper be released detailing the scenarios when deploying 64-bit servers for Active Directory makes sense and providing detailed analysis and numbers, I thought everyone would be happy to know that the Active Directory Program Management and Development teams have released the following White Paper: "Active Directory Performance for 64-bit Versions of Windows Server 2003" http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7DisplayLang=en. Thanks, -Steve
RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
although nothing official, we've done testing HP internally and were quite comfortable using a single well-sized 64-bit DC (well-sized meaning our whole DIT cached in memory) serving one of our sites with approx. 4 Exchange Mbx. servers (I believe all dual-proc) with a total of 20.000 mailboxes. It worked like a charm. /Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 2. April 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
And silence swept the community as Microsoft folks dived under desks searching for dropped pens
I second this request pleasethankyouverymuch.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
Thanks. Looks like a really great white paper. Anything in the works to provide updated DC sizing for Exchange? Thanks again. Jeremy

On 3/30/06, Steve Linehan [EMAIL PROTECTED] wrote:
Since it has been asked many times on the alias when will a paper be released detailing the scenarios when deploying 64-bit servers for Active Directory makes sense and providing detailed analysis and numbers, I thought everyone would be happy to know that the Active Directory Program Management and Development teams have released the following White Paper: "Active Directory Performance for 64-bit Versions of Windows Server 2003" http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7DisplayLang=en. Thanks, -Steve