[ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Alex Fontana
Hey guys, 

 

I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)?  Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?

 

TIA

 

-alex


RE: [ActiveDir] Replication Metadata

2006-09-21 Thread Almeida Pinto, Jorge de
hey joe,

how about ADFIND with an attribute spellchecker? ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-09-21 03:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

;o) that would do it.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, September 20, 2006 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Nevermind, I guess I should learn to spell the attribute name correctly.

Works great, Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, September 20, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Ok for some reason ADSI doesn't seem to like this attribute. I've tried
VBScript and System.DirectoryServices.

In VBScript:

meta = group.GetEx("ms-DSReplValueMetaData")

In C#:

string[] meta = (string[])group.Properties["ms-DSReplValueMetaData"].Value;

The line in VBScript throws an error saying it can't be found in the
dircache. The C# line doesn't throw an error but does not give me the xml
either.

I used dsquery against the same group and it gave me the xml.

Can you see what I'm doing wrong?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, September 14, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Yep, if VBScript you want the XML versions...

You should be able to do this in an hour. You just need to pick the right
hour. ;o)

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData
and msDS-ReplAttributeMetaData. I'm trying to do this in a VBScript and
avoid getting into any compiled solutions. I told my boss I could do this
in an hour because I thought I could just use IADsTools, oopsie.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that
as far back as 2001. I think it was someone's pet project and they went to
another petting zoo to work... I know I found some time issues in it back
then and some more later that I tried to get corrected and was wholly
unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking
at value level changes. The way IADsTools was probably getting the info
(this is a guess, never saw the code) is through the attribute
replPropertyMetaData but it very well could have been using the RPC based
API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes
msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will
return XML strings with the data. If you are equipped to handle it, you can
instead make the calls much faster and pass less data on the wire by asking
for the binary versions of those attributes by appending the ;binary
modifier.

If you want to write DC API based code, you can use DsReplicateGetInfo2.

   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read
group object meta data. I just realized that now that we've upgraded to
2003 I can no longer look at the member last changed field to determine
when group membership last changed.

I know that RepAdmin can look at the individual group changes so there must
be some updated API that I can use to do the same thing, I just can't seem
to find it.

Can anyone point me in the right direction?

Thanks

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
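
The XML form of msDS-ReplValueMetaData described in the thread above can be parsed offline to answer the original question: when did group membership last change, and which member was added or removed. This is an added example, not code from the thread; the sample values and DNs are constructed, and it assumes the attribute values were already read from the group object (for example with adfind or dsquery).

```python
"""Audit group membership changes from msDS-ReplValueMetaData XML (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# FILETIME zero: ftimeDeleted holds this while the linked value is still present.
NEVER = datetime(1601, 1, 1, tzinfo=timezone.utc)

@dataclass(frozen=True)
class LinkChange:
    attribute: str
    member_dn: str
    present: bool          # False once the member has been removed
    version: int           # bumped on every add/remove of this link
    created: datetime
    last_change: datetime
    originating_dsa: str   # NTDS Settings DN of the DC where the change was made

def _ts(text):
    text = text.strip()
    if not text:
        return NEVER
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_value(xml_text):
    """Parse one attribute value, i.e. one DS_REPL_VALUE_META_DATA document."""
    # Tolerate a trailing NUL, which some clients leave on the returned string.
    root = ET.fromstring(xml_text.strip("\x00 \t\r\n"))
    if root.tag != "DS_REPL_VALUE_META_DATA":
        raise ValueError("unexpected root element: " + root.tag)

    def get(tag):
        return (root.findtext(tag) or "").strip()

    return LinkChange(
        attribute=get("pszAttributeName"),
        member_dn=get("pszObjectDn"),
        present=_ts(get("ftimeDeleted")) == NEVER,
        version=int(get("dwVersion") or 0),
        created=_ts(get("ftimeCreated")),
        last_change=_ts(get("ftimeLastOriginatingChange")),
        originating_dsa=get("pszLastOriginatingDsaDN"),
    )

def parse_values(values):
    """Return (changes, rejected): parsed entries and the count of bad values."""
    changes, rejected = [], 0
    for value in values:
        try:
            changes.append(parse_value(value))
        except (ET.ParseError, ValueError):
            rejected += 1
    return changes, rejected

def last_membership_change(changes):
    """Latest add or remove of any 'member' link, or None."""
    times = [c.last_change for c in changes if c.attribute.lower() == "member"]
    return max(times) if times else None

def changes_since(changes, cutoff):
    """Membership adds/removes at or after cutoff, newest first."""
    hits = [c for c in changes
            if c.attribute.lower() == "member" and c.last_change >= cutoff]
    return sorted(hits, key=lambda c: c.last_change, reverse=True)

def _sample(member, created, changed, deleted="1601-01-01T00:00:00Z", version=1):
    # Builds one constructed value in the element layout of the XML form.
    return (
        "<DS_REPL_VALUE_META_DATA><pszAttributeName>member</pszAttributeName>"
        f"<pszObjectDn>{member}</pszObjectDn><cbData>0</cbData><pbData></pbData>"
        f"<ftimeDeleted>{deleted}</ftimeDeleted><ftimeCreated>{created}</ftimeCreated>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{changed}</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001"
        "</uuidLastOriginatingDsaInvocationID>"
        "<usnOriginatingChange>4711</usnOriginatingChange><usnLocalChange>4711</usnLocalChange>"
        "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,"
        "CN=Sites,CN=Configuration,DC=example,DC=test</pszLastOriginatingDsaDN>"
        "</DS_REPL_VALUE_META_DATA>\x00"
    )

# Constructed values, as if read from msDS-ReplValueMetaData of one group.
SAMPLE_VALUES = [
    _sample("CN=Alice Example,OU=People,DC=example,DC=test",
            "2006-08-01T09:00:00Z", "2006-08-01T09:00:00Z"),
    _sample("CN=Bob Example,OU=People,DC=example,DC=test",
            "2006-05-01T08:30:00Z", "2006-09-07T14:22:10Z",
            deleted="2006-09-07T14:22:10Z", version=2),
    "<DS_REPL_VALUE_META_DATA><pszAttributeName>member",   # truncated value
]

if __name__ == "__main__":
    parsed, bad = parse_values(SAMPLE_VALUES)
    print("last membership change:", last_membership_change(parsed), "rejected:", bad)
    for c in changes_since(parsed, datetime(2006, 9, 1, tzinfo=timezone.utc)):
        print("added" if c.present else "removed", c.member_dn, c.last_change)
```

A removed member stays visible here because the metadata keeps the link with ftimeDeleted set, which is what makes the attribute useful for reviewing changes to sensitive groups after the fact.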

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Almeida Pinto, Jorge de
where is the [ActiveDir] part in the subject... (there goes my Outlook filter) ;-)
 
for attribs not shown in the ADUC GUI, you can extend the GUI (search the 
archives for the MSDN link that shows how to do this) or you can add a VBS 
script to READ or WRITE the attribs. One of the examples can be found here: 
http://www.kouti.com/scripts.htm
search for employeeID.vbs
this of course also applies to other attribs
 
cheers,
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Alex Fontana
Sent: Thu 2006-09-21 09:03
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?



Hey guys, 

 

I'm curious how people are populating attributes such as employeeid, 
employeetype, etc, specifically when creating\modifying accounts using the GUI 
(ADUC)?  Besides me writing something to populate the fields what other 
resources do I have to allow other selected users (account creators) to 
populate these fields?

 

TIA

 

-alex




Re: [ActiveDir] different version of R2 available?

2006-09-21 Thread Paul Williams



When we spoke with the PM out in Redmond it was said that the feature that
allows you to copy a file on one replica and that file get made up on
another with very little replication traffic, e.g. a comparison taken on the
local source and then only the deltas replicated (just like the rest of the
RDC engine but without having done an initial source of the original file
from the upstream partner) required an Enterprise version of Windows in the
mix (somewhere in the DFSR topology). There seems to be some confusion about
this. I'm not talking about RDC, but a feature that utilises that
technology.

For example, you have a VHD (hdd01) and you copy it to the same folder
locally and rename to hdd02. That file isn't replicated in its entirety.
Rather, the hdd01 on the replica is used to create that file and only the
necessary bits that represent the filename change are replicated.

A couple of people have tried to shoot me down in flames when I mentioned
this, but I know what I heard... :)

(although I might not be correct)

--Paul

----- Original Message -----
From: Chong Ai Chung
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 12:29 AM
Subject: Re: [ActiveDir] different version of R2 available?

Refer to following KB article: Media for Windows Server 2003 R2 is released
by using various SKUs, such as Windows Server 2003 R2 Standard Edition,
Windows Server 2003 R2 Enterprise Edition, and Windows Server 2003 R2
Datacenter Edition.

CD2 must be the same SKU as what is currently installed. For example, only
Windows Server 2003 R2 Standard Edition CD2 can be applied to Windows Server
2003 Standard Edition.

http://support.microsoft.com/kb/912309/en-us

On 9/21/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

My officemate and I were discussing whether there are different versions of
the R2 CD depending on whether you're running Server 2003 Standard or Server
2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Grillenmeier, Guido








Common question - it's fairly difficult to extend ADUC with a new tab that
allows you to edit the attributes you want, but it's fairly easy to add a
context menu (e.g. when right-clicking on a user account) to start a script
that would pop up a dialog box and allows to enter the appropriate data for
the object.

The latter is done by displayspecifiers. More info found here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, September 21, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?

Hey guys,

I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)? Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?

TIA

-alex








Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Paul Williams



It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB
sessions using both 445 and 137/8/9 (whichever one). The first to reply is
what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB
over NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT3, I just don't remember what's
what.

--Paul

----- Original Message -----
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139

I'm seeing a lot of hits in firewall logs for DCs trying to establish
sessions to clients on TCP139 (NBT Session Service). Does anyone know why
this is happening or if it's necessary?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


Re: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Paul Williams
We populate this on user creation because we use provisioning systems 
(bespoke stuff that was written for the project(s)).


For some of our smaller customers, there were scripts that were run to 
populate this stuff.  Initially a bulk import, followed by monthly updates 
or adhoc updates via the script or web front end.


Other options are using a different admin tool, e.g. Quest Active Roles to 
create users and configure that to allow you to write this attribute.



--Paul

- Original Message - 
From: Alex Fontana [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 8:03 AM
Subject: [ActiveDir] How are folks setting hidden user attribs?


Hey guys,



I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)?  Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?



TIA



-alex




RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Alex Fontana








Perfect. Thanks for all the replies!











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, September 21, 2006 1:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How are folks setting hidden user attribs?

Common question - it's fairly difficult to extend ADUC with a new tab that
allows you to edit the attributes you want, but it's fairly easy to add a
context menu (e.g. when right-clicking on a user account) to start a script
that would pop up a dialog box and allows to enter the appropriate data for
the object.

The latter is done by displayspecifiers. More info found here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, September 21, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?

Hey guys,

I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)? Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?

TIA

-alex








RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread neil.ruston



netbios-ns    137/tcp   NETBIOS Name Service
netbios-ns    137/udp   NETBIOS Name Service
netbios-dgm   138/tcp   NETBIOS Datagram Service
netbios-dgm   138/udp   NETBIOS Datagram Service
netbios-ssn   139/tcp   NETBIOS Session Service
netbios-ssn   139/udp   NETBIOS Session Service

It's been a while, but you may find that all 3 are needed.

If memory serves - 137 is used to resolve names; 138 to send/receive data;
139 to establish and maintain the session.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB
sessions using both 445 and 137/8/9 (whichever one). The first to reply is
what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB
over NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT3, I just don't remember what's
what.

--Paul

----- Original Message -----
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139

I'm seeing a lot of hits in firewall logs for DCs trying to establish
sessions to clients on TCP139 (NBT Session Service). Does anyone know why
this is happening or if it's necessary?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

2006-09-21 Thread Paul Williams



Joe,

How is the DS calculating these values? The reason I ask is I've always
found it to be way off. For example, take a look at the following output
against one of my ADAM instances:

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f "|(objectcategory=organizationalunit)(objectcategory=container)" msDS-Approx-Immed-Subordinates

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

dn:OU=Test-Batch-01,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 2742

dn:OU=Test-Batch-02,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 37507

dn:OU=Test-Batch-03,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 52809

3 Objects returned


D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-02,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

5 Objects returned


D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-03,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

75000 Objects returned

Thanks,

--Paul


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 September 2006 16:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad Reporting Tools

-enabled is definitely on the list to be added to oldcmp.

I will have to think about the summary switch...

So you just want counts... I have something in my script repository that is
probably pretty close to what you want... I used it for some testing once.
It is perl, but you are welcome to convert it to what you need or modify as
you see fit...

##
#* ObjSum.PL
#*==
#* Author : [EMAIL PROTECTED] (Joe Richards)
#* Version: V01.00.00
#* Modification History:
#*    V01.00.00    2004.01.15    joe    Original Version
#*--
#* This script counts objects matching a filter + approx children of each container/OU
#*--
#* Notes:
#*    This script will output the container DN, container name, an approximate guess at the
#*    number of child objects in the container and then an exact count of the objects in
#*    the container for the filter specified. If a base is not selected, the default NC
#*    of the default DC will be used. If a filter is not specified, the filter
#*    objectclass=* will be utilized.
##

##
#* Packages:
#*--
#* None required
##

##
#* Definitions:
#*--
#* None required
##

#
# Display header
#
print "\nObjSum V01.00.00pl Joe Richards ([EMAIL PROTECTED]) January 2004\n\n";

#
# Get args
#   ex: Arg1: dc=test,dc=local
#       Arg2: "(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"
#
my $base=shift;
my $filter=shift;

#
# Process args
#   Set defaults if nothing specified - default NC and all objects
#
if ($base!~/\w/) {$base="-default"} else {$base="-b $base"};
if ($filter!~/\w/) {$filter="*"};

#
# Build container/OU query and execute
#   We want all OUs and any containers that are "default",
#   i.e. shown in basic views, this skips adminsdholder et alii.
#
my $cmd="adfind $base -f \"(|(objectcategory=organizationalunit)" .
        "(objectcategory=container))(!showInAdvancedViewOnly=TRUE)\" name " .
        "msDS-Approx-Immed-Subordinates -csv -csvdelim %%SPLIT%% -csvq \"\"";
my @containers=`$cmd`;
shift @containers;   # lose the header line
chomp @containers;   # lose crlf

#
# Print header for CSV
#
print "\"dn\",\"name\",\"Aprox Child Obj Count\",\"$filter count\"\n";

#
# Quote filter in case it needs to be
#
if ($filter!~/\"/)

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread joe
Unless you have a pretty small environment, hundreds of users maybe tops,
you should be looking at moving from ADUC to some form of provisioning
system or scripts. Not only does this make the whole process considerably
faster it makes it consistent so your admins aren't looking for little
niggling typoes, etc. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, September 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?



Hey guys, 

 

I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)?  Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?

 

TIA

 

-alex


RE: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

2006-09-21 Thread joe



It would be better if the likes of Eric or Brett responded to the details
here, I will simply give my experiences. As the attribute says and as I
mentioned in the previous post it is an approximate mostly to give you scale
info. The raw number will be off generally more and more (in a one by one
counting scheme) as the numbers get bigger but rough scale should be close.
Liken it to the hit count you get when using a search engine like google or
MSN or something, it will say you have 50,000 pages that match and when you
view the 500th one it says there are no more. So it is more accurate than
that at least. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 21, 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

Joe,

How is the DS calculating these values? The reason I ask is I've always
found it to be way off. For example, take a look at the following output
against one of my ADAM instances:

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f "|(objectcategory=organizationalunit)(objectcategory=container)" msDS-Approx-Immed-Subordinates

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

dn:OU=Test-Batch-01,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 2742

dn:OU=Test-Batch-02,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 37507

dn:OU=Test-Batch-03,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 52809

3 Objects returned


D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-02,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

5 Objects returned


D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-03,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

75000 Objects returned

Thanks,

--Paul

  
  

[ActiveDir] Search Mailbox

2006-09-21 Thread Dan DeStefano








Is there any way to search for messages within a mailbox
without using Outlook in Exchange 2000; like using System Administrator?








Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888



RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Ansar Mohammed
If you are doing it manually you can use a tool like the one at
ldapeditor.com to manually add the attributes. 
 
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: September 21, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How are folks setting hidden user attribs?
 
Unless you have a pretty small environment, hundreds of users maybe tops,
you should be looking at moving from ADUC to some form of provisioning
system or scripts. Not only does this make the whole process considerably
faster it makes it consistent so your admins aren't looking for little
niggling typoes, etc. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 
 
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, September 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?
Hey guys, 
 
I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)?  Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?
 
TIA
 
-alex

RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Ramon Linan



I don't really understand your question...

You can connect to mailboxes in exchange programmatically, is this an
answer?

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using
Outlook in Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888



RE: [ActiveDir] [ActiveDir[OT]] Search Mailbox

2006-09-21 Thread Ayers, Diane



ExMerge allows you to search on certain parameters such as subject,
attachments, date/time, etc. It runs with privileged credentials to access
and search through the mailboxes. Downloadable from the MS download page

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 6:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using
Outlook in Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888



RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Ansar Mohammed








http://www.microsoft.com/downloads/details.aspx?FamilyID=55fdffd7-1878-4637-9808-1e21abb3ae37&DisplayLang=en

MFCMapi

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using
Outlook in Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Brian Desmond









Yeah I know about going
client à DC. Im trying to figure out why the *DC* is
establishing connections to the client. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent:
Thursday, September 21, 2006 6:05 AM
To:
ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] DC Establishing Session to client on TCP139







netbios-ns
137/tcp NETBIOS Name Service 
netbios-ns 137/udp NETBIOS Name
Service 
netbios-dgm 138/tcp NETBIOS Datagram
Service
netbios-dgm 138/udp NETBIOS Datagram
Service
netbios-ssn 139/tcp NETBIOS Session
Service
netbios-ssn 139/udp NETBIOS Session
Service

It's been a while, but you may find that all 3 are needed.




If memory serves - 137 is used to resolve names; 138 to
send/receive data; 139 to establish and maintain the session.















neil









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Williams
Sent:
21 September 2006 09:30
To:
ActiveDir@mail.activedir.org
Subject:
Re: [ActiveDir] DC Establishing Session to client on TCP139



It's probably SMB (CIFS). The NT5.x
client service attempts to establish SMB sessions using both 445 and 137/8/9
(whichever one). The first to reply is what is used. If 445, it's
SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP
(NetBT).











Note. It doesn't use all three of the
NetBT3, I just don't remember what's what.

















--Paul







- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139









I'm seeing a lot of hits in
firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT
Session Service). Does anyone know why this is happening or if it's necessary?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132



















RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Larry Wahlers



ExMerge?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
  Sent: Thursday, September 21, 2006 8:02 AM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] Search Mailbox
  
  
  Is there any way to search for 
  messages within a mailbox without using Outlook in Exchange 2000; like using 
  System Administrator?
  
  Dan DeStefano
  Info-lution Corporation
  [EMAIL PROTECTED]
  http://www.info-lution.com
  Office: 727 546-9143
  FAX: 727 541-5888
  


RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Brian Desmond








No - not without a third party product (e.g. Veritas Enterprise
Vault or EMC Legato). This feature is native to Exchange 2007.





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox

Is there any way to search for messages within a mailbox without using Outlook in
Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888











Re: [ActiveDir] Search Mailbox

2006-09-21 Thread Al Mulnick
2000? You *could* use the m: drive, but you may have already disabled that. POP or IMAP if you know how to use that via the command line (it's not tough, but can be time consuming). It wouldn't be as much a search as an output to screen piped to a text file and then searched. Could be size prohibitive as well. 
Programmatically (as Ramon indicated) is the way to do this task. Either one that's already built else a roll-your-own product. There have been no versions of Exchange that allow searching within mailboxes from the administrator console that I'm aware of. 
Al

On 9/21/06, Dan DeStefano [EMAIL PROTECTED] wrote:













Is there any way to search for messages within a mailbox
without using Outlook in Exchange 2000; like using System Administrator?








Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888





Re: [ActiveDir] [ActiveDir[OT]] Search Mailbox

2006-09-21 Thread Al Mulnick
whoops. Forgot about exmerge doing that. D'oh :)

On 9/21/06, Ayers, Diane [EMAIL PROTECTED] wrote:







ExMerge allows you to search on certain parameters such 
as subject, attachments, date/time, etc. It runs with privileged 
credentials to access and search through the mailboxes. Downloadable from 
the MS download page

Diane


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 6:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox


Is there any way to search for 
messages within a mailbox without using Outlook in Exchange 2000; like using 
System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888





[ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Ibarra, Juan








All,



I need some input on DFS.



I am trying to set up DFS on a file server, well in reality
two. I am configuring server1 with a standalone root, when asked for the
host server I enter server2 and select the share drive I want to
use. I then create DFS links to subfolders and they create just fine.



The problem:

When I try to access the links I created I can't
Access Denied even though I share the folders in advance with
appropriate permissions, and of course at this point the security tab from the
shares disappears. So I can't make changes, and when I go and try to open
from DFS I get an error Failed to launch explorer home at \\pathname. I also rebooted both servers
and when they come up the DFS root is gone from server1 but remains on server 2
along with all the DFS links.



Please let me know what I am doing wrong.



Thanks,

Juan










RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread beads

It's very to extremely common to see
this traffic hitting a firewall. It's one of the first places nmap, nessus,
et al. will look. Best practice would be to block this unnecessary traffic
from the internet segment both incoming and outgoing. Unless you're connecting
directly through the Internet to another site. Then I'd suggest using an
encrypted VPN. 

For fun you can see what DShield, part of ISC SANS has reported via firewall
logs to them from around the world. Here's the link for port 137: 

http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40

You check all your favorite ports this
way. As you can see you're not alone in seeing a great deal of interest on
this port, even though it didn't make today's 'Top 10'

Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275








Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139








Yeah I know about going client -> DC. I’m trying to figure out why the *DC* is
establishing connections to the client.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

netbios-ns   137/tcp  NETBIOS Name Service
netbios-ns   137/udp  NETBIOS Name Service
netbios-dgm  138/tcp  NETBIOS Datagram Service
netbios-dgm  138/udp  NETBIOS Datagram Service
netbios-ssn  139/tcp  NETBIOS Session Service
netbios-ssn  139/udp  NETBIOS Session Service
It's been a while, but you may
find that all 3 are needed. 

If memory serves - 137 is used
to resolve names; 138 to send/receive data; 139 to establish and maintain
the session.


neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139
It's probably SMB (CIFS).
The NT5.x client service attempts to establish SMB sessions using
both 445 and 137/8/9 (whichever one). The first to reply is what
is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then
it's SMB over NetBIOS over TCP/IP (NetBT).

Note. It doesn't
use all three of the NetBT3, I just don't remember what's what.


--Paul
- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139

I’m seeing a lot of
hits in firewall logs for DCs trying to establish sessions to clients on
TCP139 (NBT Session Service). Does anyone know why this is happening or
if it’s necessary?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] different version of R2 available?

2006-09-21 Thread Thommes, Michael M.








Thanks for all
of the replies! I actually was able to get a hold of the Standard and Enterprise versions of R2
(aka Disk 2) to do a compare (windiff.exe) and there are differences.



Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, September 20, 2006 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] different version of R2 available?





My officemate and I were discussing whether
there are different versions of the R2 CD depending on whether you're
running Server 2003 Standard or Server 2003 Enterprise. Or is there only one
version of R2? TIA!



Mike Thommes








RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Alex Fontana








I totally agree. The project for
automating new user creation is in the works, however it looks like the powers
that be want this data to start appearing in a couple of weeks.
Fat (or phat) fingering is not an uncommon thing here so it'll be a
blessing to get all those little fingers away from new account creation.



Thanks again











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 21, 2006 5:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How are folks setting hidden user attribs?





Unless you have a pretty small
environment, hundreds of users maybe tops, you should be looking at moving from
ADUC to some form of provisioning system or scripts. Not only does this make
the whole process considerably faster it makes it consistent so your admins
aren't looking for little niggling typos, etc. 







--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Thursday, September 21, 2006 3:04 AM
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?

Hey guys, 



I'm curious how people are populating attributes such
as employeeid, employeetype, etc, specifically when creating\modifying accounts
using the GUI (ADUC)? Besides me writing something to populate the fields
what other resources do I have to allow other selected users (account creators)
to populate these fields?



TIA



-alex








RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Dan DeStefano








Thanks for all your help. I appreciate it.





Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 21, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Search Mailbox





No - not without a third party product (e.g. Veritas Enterprise
Vault or EMC Legato). This feature is native to Exchange 2007.





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox







Is there any way to search for messages within a mailbox
without using Outlook in Exchange 2000; like using System Administrator?



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888












Re: [ActiveDir] Assign User rights overs computers with AD

2006-09-21 Thread Alberto Oviedo
Thanks for your help. really useful.

Is it a good practice to move computer objects to OU where the user of the computer resides?

On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote:





Alberto,

 Even though we made our users PowerUsers we found 
that we needed to make a number of tweaks to cater for poorly written 
applications. I think we now have about a dozen settings for various ill-behaved 
applications. The majority of these are to cater for applications that write to 
places on the C drive (other than the windows folders, of course) where applications should not write. We also refreshed permissions on the all users 
profile to make sure users don't delete items from the all users desktop or 
start-menu.

I guess the last thing to note is that we rolled the policy out in manageable chunks of PCs, say 100 at a time, so if there were 
issues we could cope with the service calls,

Hope this is useful,
Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

You can, but I've yet to see it be so simple. The information 
you're looking for is restricted groups but I HIGHLY advise you to be careful 
and to TEST that prior to using it on your workstations. I also highly 
advise that you only apply that type of setting to workstations and not on servers (separate them into different OU's). Another way to do this is 
with a logon script that adds an account to the local administrators group and 
removes the user from that group. The testing is a way to ensure 
that you don't break applications on the workstations. Some of the more 
poorly written applications require special access and as a default prefer administrative access rights. They work poorly without them. You'll want 
to test thoroughly so that you can remove the unneeded rights and still allow 
your user community to work as expected. I'm sure there's more cautions 
I can suggest, but you get the idea. 
On 9/20/06, Alberto Oviedo [EMAIL PROTECTED] wrote:

  Hello. My name is Alberto, I'm from Nicaragua
  In our company the support team has granted every user administrator rights over their 
  workstation, We recently migrated to Windows 2003 AD and I want to revoke the 
  privileges that users have on their computers. Can I do this through AD?  
  It's around 300 users and I don't want to visit every single one of them.
  Thanks for your help.







RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de



which server hosts the stand alone root? server 1 or 
2?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
  Sent: Thursday, September 21, 2006 17:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Urgent DFS Configuration
  Importance: High
  
  
  All,
  
  I need some input on 
  DFS.
  
  I am trying to set up DFS on a 
  file server, well in reality two. I am configuring server1 with a 
  standalone root, when asked for the host server I enter server2 and select 
  the share drive I want to use. I then create DFS links to subfolders and 
  they create just fine.
  
  The 
  problem:
  When I try to access the links I 
  created I can't Access Denied even though I share the folders in advance 
  with appropriate permissions, and of course at this point the security tab 
  from the shares disappears. So I can't make changes, and when I go and try to 
  open from DFS I get an error Failed to launch explorer home at \\pathname. I also rebooted both servers 
  and when they come up the DFS root is gone from server1 but remains on server 
  2 along with all the DFS links.
  
  Please let me know what I am doing 
  wrong.
  
  Thanks,
  Juan
  



RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Brian Desmond








Yeah this is an internal firewall and the hosts are well known.
I’m certainly not allowing NBT traffic from the Internet to anything…



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139








It's very to
extremely common to see this traffic hitting a firewall. It's one of the first
places nmap, nessus, et al. will look. Best practice would be to block this
unnecessary traffic from the internet segment both incoming and outgoing.
Unless you're connecting directly through the Internet to another site. Then I'd
suggest using an encrypted VPN. 

For fun you can see what DShield, part of ISC SANS has reported via firewall
logs to them from around the world. Here's the link for port 137: 

http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40

You check all
your favorite ports this way. As you can see you're not alone in seeing a great
deal of interest on this port, even though it didn't make today's 'Top 10'

Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275







 
  
Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

   
  
  
  
   


   
  
  
 





Yeah I know about going client -> DC. I’m trying
to figure out why the *DC* is establishing connections to the client. 
 
Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 
 
c - 312.731.3132 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

netbios-ns   137/tcp  NETBIOS Name Service
netbios-ns   137/udp  NETBIOS Name Service
netbios-dgm  138/tcp  NETBIOS Datagram Service
netbios-dgm  138/udp  NETBIOS Datagram Service
netbios-ssn  139/tcp  NETBIOS Session Service
netbios-ssn  139/udp  NETBIOS Session Service
It's
been a while, but you may find that all 3 are needed. 
 
If
memory serves - 137 is used to resolve names; 138 to send/receive data; 139 to
establish and maintain the session. 
 
 
neil











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

It's probably SMB
(CIFS). The NT5.x client service attempts to establish SMB sessions using
both 445 and 137/8/9 (whichever one). The first to reply is what is used.
If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over
NetBIOS over TCP/IP (NetBT). 
 
Note. It
doesn't use all three of the NetBT3, I just don't remember what's what. 
 
 
--Paul 
- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139
 
I’m seeing a lot of hits in firewall logs for DCs trying to
establish sessions to clients on TCP139 (NBT Session Service). Does anyone know
why this is happening or if it’s necessary? 
 
Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 
 
c - 312.731.3132 
 

[ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Rick Kingslan

Be afraid  Be very afraid!  :-)



Rick



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Al Mulnick
I'm seeing a lot of hits in
firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT
Session Service). Does anyone know why this is happening or if it's necessary?

To your clients or is there just a firewall between your DC's and the clients on your trusted networks? Have you checked to see if it's the computer browser that's initiating the calls? 

Al

On 9/21/06, Brian Desmond [EMAIL PROTECTED] wrote:















Yeah I know about going client -> DC. I'm trying to figure out why the *DC* is
establishing connections to the client.





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

netbios-ns   137/tcp  NETBIOS Name Service
netbios-ns   137/udp  NETBIOS Name Service
netbios-dgm  138/tcp  NETBIOS Datagram Service
netbios-dgm  138/udp  NETBIOS Datagram Service
netbios-ssn  139/tcp  NETBIOS Session Service
netbios-ssn  139/udp  NETBIOS Session Service

It's been a while, but you may find that all 3 are needed.




If memory serves - 137 is used to resolve names; 138 to
send/receive data; 139 to establish and maintain the session.















neil









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139



It's probably SMB (CIFS). The NT5.x
client service attempts to establish SMB sessions using both 445 and 137/8/9
(whichever one). The first to reply is what is used. If 445, it's
SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP
(NetBT).











Note. It doesn't use all three of the
NetBT3, I just don't remember what's what.

















--Paul








- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139









I'm seeing a lot of hits in
firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT
Session Service). Does anyone know why this is happening or if it's necessary?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132







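The question in this thread (why DCs show up in internal firewall logs opening TCP 139 to clients) and the reply that the SMB client tries 445 and the NetBT port together can be checked against the logs themselves. The following Python is an added example, not code from any poster: it separates DC-initiated TCP 139 attempts that have a matching 445 attempt to the same client from those that do not. The log line format, the DC addresses and the 2-second pairing window are all assumptions, and the sample lines are constructed.

```python
"""Classify DC-initiated TCP 139 firewall hits (added example, assumed log format)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format:
#   <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
# A real firewall log needs its own regular expression.
SAMPLE_LOG = """\
2006-09-21T02:50:01 DENY TCP 10.0.0.10:3121 -> 10.1.5.20:139
2006-09-21T02:50:01 ALLOW TCP 10.0.0.10:3120 -> 10.1.5.20:445
2006-09-21T02:50:07 DENY TCP 10.0.0.11:4410 -> 10.1.5.33:139
2006-09-21T02:50:09 ALLOW TCP 10.1.5.20:1055 -> 10.0.0.10:445
2006-09-21T02:51:30 DENY TCP 10.0.0.10:3190 -> 10.1.6.7:139
2006-09-21T02:51:31 DENY TCP 10.0.0.10:3191 -> 10.1.6.7:445
2006-09-21T02:52:00 DENY UDP 10.0.0.11:137 -> 10.1.5.33:137
not a log line
"""

DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}  # assumption: addresses of the DCs
PAIR_WINDOW = timedelta(seconds=2)          # assumption: "same attempt" window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def _dc_to_client_tcp(event, dcs, port):
    """True for a TCP attempt from a DC to a non-DC host on the given port."""
    return (event["proto"] == "TCP" and event["src"] in dcs
            and event["dst"] not in dcs and event["dport"] == port)


def classify_dc_139(events, dcs=DC_ADDRESSES, window=PAIR_WINDOW):
    """Label each DC -> client TCP 139 attempt.

    "paired-with-445": the same DC also tried TCP 445 to the same client within
    the window, which matches the dual-port SMB client behaviour described in
    the thread. "139-only": no such 445 attempt was logged, so that explanation
    does not cover the hit and the initiating service needs identifying.
    """
    attempts_445 = defaultdict(list)
    for e in events:
        if _dc_to_client_tcp(e, dcs, 445):
            attempts_445[(e["src"], e["dst"])].append(e["ts"])

    results = []
    for e in events:
        if not _dc_to_client_tcp(e, dcs, 139):
            continue
        nearby = attempts_445.get((e["src"], e["dst"]), [])
        paired = any(abs(e["ts"] - t) <= window for t in nearby)
        results.append({
            "ts": e["ts"],
            "dc": e["src"],
            "client": e["dst"],
            "action": e["action"],
            "kind": "paired-with-445" if paired else "139-only",
        })
    return results


def summarize(results):
    """Count hits per (DC, kind) so the noisy DCs stand out."""
    return Counter((r["dc"], r["kind"]) for r in results)


if __name__ == "__main__":
    for r in classify_dc_139(parse(SAMPLE_LOG)):
        print(r["ts"].isoformat(), r["dc"], "->", r["client"], r["action"], r["kind"])
    for (dc, kind), count in sorted(summarize(classify_dc_139(parse(SAMPLE_LOG))).items()):
        print(dc, kind, count)
```

A firewall that drops rather than logs the 445 attempt would make every hit look "139-only", so confirm that both ports are logged before reading much into the split.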














RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Ibarra, Juan








That would be 2.



Juan











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration





which server hosts the stand alone root?
server 1 or 2?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,



I need some input on DFS.



I am trying to set up DFS on a file server, well in reality
two. I am configuring server1 with a standalone root, when asked for the
host server I enter server2 and select the share drive I want to
use. I then create DFS links to subfolders and they create just fine.



The problem:

When I try to access the links I created I can't
Access Denied even though I share the folders in advance with
appropriate permissions, and of course at this point the security tab from the
shares disappears. So I can't make changes, and when I go and try to open
from DFS I get an error Failed to launch explorer home at \\pathname. I also rebooted both servers
and when they come up the DFS root is gone from server1 but remains on server 2
along with all the DFS links.



Please let me know what I am doing wrong.



Thanks,

Juan















Re: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Tomasz Onyszko

Rick Kingslan wrote:

Be afraid  Be very afraid!  :-)


I'm scared :)

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Akomolafe, Deji



Yikes! Is it Halloween yet?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick KingslanSent: Thu 9/21/2006 11:00 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] I'm Baaack!
Be afraid  Be very afraid!  :-)



Rick




[ActiveDir] OT: A link to send to your vendors

2006-09-21 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://www.microsoft.com/downloads/details.aspx?familyid=ba73b169-a648-49af-bc5e-a2eebb74c16b&displaylang=en


Details how to develop User Account Control (UAC) compliant applications 
for Windows Vista.


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Al Mulnick
And it's not the computer browser service that's initiating the calls?

On 9/21/06, Brian Desmond [EMAIL PROTECTED] wrote:

Yeah this is an internal firewall and the hosts are well known.
I'm certainly not allowing NBT traffic from the Internet to anything…



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139








It's very to extremely common to see this traffic hitting a firewall. It's one of the first places nmap, nessus, et al. will look. Best practice would be to block this unnecessary traffic from the internet segment both incoming and outgoing. Unless you're connecting directly through the Internet to another site. Then I'd suggest using an encrypted VPN.

For fun you can see what DShield, part of ISC SANS has reported via firewall logs to them from around the world. Here's the link for port 137:

http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40

You check all your favorite ports this way. As you can see you're not alone in seeing a great deal of interest on this port, even though it didn't make today's 'Top 10'

Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275


The contents contain privileged and/or confidential information intended for
the named recipient of this email. ETSI (Employee Technology Solutions, Inc.)
does not warrant that the contents of any electronically transmitted
information will remain confidential. If the reader of this email is not the
intended recipient you are hereby notified that any use, reproduction,
disclosure or distribution of the information contained in the email in error,
please reply to us immediately and delete the document. 

Viruses, Malware, Phishing and other known and unknown electronic threats: It
is the recipient/client's duties to perform virus scans and otherwise test the
information provided before loading onto any computer system. No warranty is
made that this material is free from computer virus or any other defect.

Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.





 
  
Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

   
  
  
  
   


   
  
  
 





Yeah I know about going client -> DC. I'm trying to figure out why the *DC* is establishing connections to the client.
 
Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 
 
c - 312.731.3132 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

 
netbios-ns    137/tcp  NETBIOS Name Service
netbios-ns    137/udp  NETBIOS Name Service
netbios-dgm   138/tcp  NETBIOS Datagram Service
netbios-dgm   138/udp  NETBIOS Datagram Service
netbios-ssn   139/tcp  NETBIOS Session Service
netbios-ssn   139/udp  NETBIOS Session Service

It's been a while, but you may find that all 3 are needed.

If memory serves - 137 is used to resolve names; 138 to send/receive data; 139 to establish and maintain the session.
 
 
neil











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT3, I just don't remember what's what.
 
 
--Paul 
----- Original Message -----
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139

I'm seeing a lot of hits in firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT Session Service). Does anyone know why this is happening or if it's necessary?
 
Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 
 
c - 312.731.3132 
 
PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You

Re: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread ASB
Welcome back, Rick. :)

-ASB
On 9/21/06, Rick Kingslan [EMAIL PROTECTED] wrote:
Be afraid  Be very afraid!  :-)

Rick


RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Ramon Linan



:) all this is very random


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Yikes! Is it Halloween yet?

Sincerely,
 _
(, /  |  /)   /) /)
  /---| (/_  __   ___// _   //  _
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)
 (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de







OK, explain the following: 
"I am configuring server1 with a standalone root, when asked 
for the host server I enter server2 "





Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server- Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address


From: [EMAIL PROTECTED] on behalf of Ibarra, Juan
Sent: Thu 2006-09-21 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

which server hosts the stand alone root? server 1 or 2?

  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
  Sent: Thursday, September 21, 2006 17:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Urgent DFS Configuration
  Importance: High

  All,

  I need some input on DFS.

  I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

  The problem:
  When I try to access the links I created I can't "Access Denied" even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links.

  Please let me know what I am doing wrong.

  Thanks,
  Juan
  







RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Darren Mar-Elia



I smell sulfur... ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Yikes! Is it Halloween yet?

Sincerely,
 _
(, /  |  /)   /) /)
  /---| (/_  __   ___// _   //  _
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)
 (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Scott, Anthony








Are you trying to access the folders that DFS created or the
actual shares themselves? See this (it applies to 2003 also):

http://support.microsoft.com/default.aspx?scid=kb;en-us;q246888







Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration







That would be 2.



Juan











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration





which server hosts the stand alone root? server 1 or 2?











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,



I need some input on DFS.

I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem:

When I try to access the links I created I can't "Access Denied" even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links.

Please let me know what I am doing wrong.



Thanks,

Juan















RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Darren Mar-Elia



Brian-
You might want to run TCPView on the DC (http://www.sysinternals.com/Utilities/TcpView.html). 
It will tell you which process owns the communication on that port. 


Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 21, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

And it's not the computer browser service that's initiating the calls?

On 9/21/06, Brian Desmond [EMAIL PROTECTED] wrote:

  
  
  Yeah this is an internal firewall and the hosts are well known. I'm certainly not allowing NBT traffic from the Internet to anything…

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, September 21, 2006 12:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

  It's very to extremely common to see this traffic hitting a firewall. It's one of the first places nmap, nessus, et al. will look. Best practice would be to block this unnecessary traffic from the internet segment both incoming and outgoing. Unless you're connecting directly through the Internet to another site. Then I'd suggest using an encrypted VPN.

  For fun you can see what DShield, part of ISC SANS has reported via firewall logs to them from around the world. Here's the link for port 137:

  http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40

  You check all your favorite ports this way. As you can see you're not alone in seeing a great deal of interest on this port, even though it didn't make today's 'Top 10'

  Brent Eads
  Employee Technology Solutions, Inc.
  Office: (312) 762-9224
  Fax: (312) 762-9275

  "Brian Desmond" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  09/21/2006 09:36 AM
  Please respond to ActiveDir@mail.activedir.org

  To: ActiveDir@mail.activedir.org
  cc:
  Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

  Yeah I know about going client -> DC. I'm trying to figure out why the *DC* is establishing connections to the client.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Thursday, September 21, 2006 6:05 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

  netbios-ns    137/tcp  NETBIOS Name Service
  netbios-ns    137/udp  NETBIOS Name Service
  netbios-dgm   138/tcp  NETBIOS Datagram Service
  netbios-dgm   138/udp  NETBIOS Datagram Service
  netbios-ssn   139/tcp  NETBIOS Session Service
  netbios-ssn   139/udp  NETBIOS Session Service

  It's been a while, but you may find that all 3 are needed.

  If memory serves - 137 is used to resolve names; 138 to send/receive data; 139 to establish and maintain the session.

  neil

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 21 September 2006 09:30
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

  It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT).

  Note. It doesn't use all three of the NetBT3, I just don't

Re: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Tony Murray
Yeah, good to have you back on board, Rick.  What have you been up to?

Tony
-- Original Message --
From: ASB [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 21 Sep 2006 15:37:45 -0400

Welcome back, Rick.  :)

-ASB


On 9/21/06, Rick Kingslan [EMAIL PROTECTED] wrote:

 Be afraid  Be very afraid!  :-)



 Rick



 





Sent via the WebMail system at mail.activedir.org


 
   


[ActiveDir] SID History.

2006-09-21 Thread Matt Hargraves
Conceptual situation:

User domain
Resource domain (s)

I bring all users into a single AD environment, bringing over SID History information.

Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.



RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-21 Thread Dave Wade
I prefer to keep them in separate trees. In fact we are just doing that at present...



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD


Thanks for your help. really useful.

Is it a good practice to move computer objects to OU where the user of the 
computer resides?


On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote: 

Alberto,
 
   Even though we made our users PowerUsers we found that we needed 
to make a number of tweaks to cater for poorly written applications. I think 
we now have about a dozen settings for various ill-behaved applications. The 
majority of these are to cater for applications that write to places on the C 
drive (other than the windows folders, of course) where applications should not 
write. We also refreshed permissions on the all users profile to make sure 
users don't delete items from the all users desktop or start-menu.
 
I guess the last thing to note is that we rolled the policy out in 
manageable chunks of PCs, say 100 at a time, so if there were issues we could 
cope with the service calls,
 
Hope this is useful,
Dave.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD 



You can, but I've yet to see it be so simple.  The information you're 
looking for is restricted groups but I HIGHLY advise you to be careful and to 
TEST that prior to using it on your workstations.  I also highly advise that 
you only apply that type of setting to workstations and not on servers 
(separate them into different OU's). 

Another way to do this is with a logon script that adds an account to 
the local administrators group and removes the user from that group.  

The testing is a way to ensure that you don't break applications on the 
workstations.  Some of the more poorly written applications require special 
access and as a default prefer administrative access rights. They work poorly 
without them.  You'll want to test thoroughly so that you can remove the 
unneeded rights and still allow your user community to work as expected. 

I'm sure there's more cautions I can suggest, but you get the idea. 


On 9/20/06, Alberto Oviedo [EMAIL PROTECTED]  wrote: 

Hello. My name is Alberto, I'm from Nicaragua

In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges the users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them.

Thanks for your help.





**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to 
disclose this email, or any response to it, under the Freedom of Information 
Act 2000, unless the information in it is covered by one of the exemptions in 
the Act. 

If you receive this email in error please notify Stockport e-Services 
via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Brian Desmond








Could be? I’m just looking at the logs on a pix. 



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 21, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139







And it's not the computer
browser service that's initiating the calls? 



On 9/21/06, Brian Desmond [EMAIL PROTECTED]  wrote:





Yeah this is an internal
firewall and the hosts are well known. I'm certainly not allowing NBT traffic
from the Internet to anything…



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139












It's very to extremely common to see this traffic hitting a firewall. It's one of the first places nmap, nessus, et al. will look. Best practice would be to block this unnecessary traffic from the internet segment both incoming and outgoing. Unless you're connecting directly through the Internet to another site. Then I'd suggest using an encrypted VPN.

For fun you can see what DShield, part of ISC SANS has reported via firewall logs to them from around the world. Here's the link for port 137:

http://isc.sans.org/port_details.php?port=137&repax=1&tarax=2&srcax=2&percent=N&days=40

You check all your favorite ports this way. As you can see you're not alone in seeing a great deal of interest on this port, even though it didn't make today's 'Top 10'

Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275






 
  
Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2006 09:36 AM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

   
  
  
  
   


   
  
  
 





Yeah I know about going client -> DC. I'm trying to figure out why the *DC* is establishing connections to the client.
 
Thanks, 
Brian Desmond 
[EMAIL PROTECTED]

 
c - 312.731.3132 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Establishing Session to client on TCP139

 
netbios-ns    137/tcp  NETBIOS Name Service
netbios-ns    137/udp  NETBIOS Name Service
netbios-dgm   138/tcp  NETBIOS Datagram Service
netbios-dgm   138/udp  NETBIOS Datagram Service
netbios-ssn   139/tcp  NETBIOS Session Service
netbios-ssn   139/udp  NETBIOS Session Service

It's been a while, but you may find that all 3 are needed.

If memory serves - 137 is used to resolve names; 138 to send/receive data; 139 to establish and maintain the session.
 
 
neil 










From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: 21 September 2006 09:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Establishing Session to client on TCP139

It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT3, I just don't remember what's what.
 
 
--Paul 
- Original Message - 
From: Brian Desmond 
To: 
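
The firewall-log question in this thread, worked as an added example (not code from any poster): a Python sketch that groups denied DC-to-client TCP attempts by destination port, to see whether the TCP/139 hits arrive together with TCP/445 attempts to the same client, which is the pattern the description above of the SMB client trying both transports would leave in the log. The DC addresses, interface names and log lines are constructed, and the line layout (modelled on PIX syslog message 106023) and the 2-second pairing window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; layout modelled on PIX syslog 106023 (assumption).
SAMPLE_LOG = """\
Sep 21 2006 02:41:07: %PIX-4-106023: Deny tcp src inside:10.0.0.10/3512 dst clients:10.20.1.50/445 by access-group "inside_in"
Sep 21 2006 02:41:07: %PIX-4-106023: Deny tcp src inside:10.0.0.10/3513 dst clients:10.20.1.50/139 by access-group "inside_in"
Sep 21 2006 02:43:10: %PIX-4-106023: Deny tcp src inside:10.0.0.10/3520 dst clients:10.20.1.51/139 by access-group "inside_in"
Sep 21 2006 02:44:00: %PIX-4-106023: Deny tcp src inside:10.0.0.11/2210 dst clients:10.20.1.52/445 by access-group "inside_in"
Sep 21 2006 02:50:00: %PIX-4-106023: Deny tcp src inside:10.0.0.11/2244 dst clients:10.20.1.52/139 by access-group "inside_in"
Sep 21 2006 02:51:30: %PIX-4-106023: Deny tcp src inside:10.0.0.11/2250 dst clients:10.20.1.53/445 by access-group "inside_in"
Sep 21 2006 02:52:00: %PIX-4-106023: Deny udp src inside:10.0.0.10/137 dst clients:10.20.1.50/137 by access-group "inside_in"
Sep 21 2006 02:53:00: %PIX-4-106023: Deny tcp src clients:10.20.1.60/1801 dst inside:10.0.0.10/139 by access-group "clients_in"
Sep 21 2006 02:54:00: %PIX-4-106023: Deny icmp src inside:10.0.0.10 dst clients:10.20.1.50 (type 8, code 0) by access-group "inside_in"
Sep 21 2006 02:55:00: %PIX-6-302013: Built outbound TCP connection 4411 for clients:10.20.1.50/80 (10.20.1.50/80) to inside:10.0.0.10/3600 (10.0.0.10/3600)
"""

DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}  # hypothetical DC IPs

DENY_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)\b'
)


def parse_deny(line):
    """Return a dict for a deny line that carries ports, else None.

    Lines without ports (ICMP denies) and other message IDs do not match
    and are skipped rather than raising.
    """
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "proto": m["proto"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def classify_dc_smb_attempts(log_text, dc_addresses, window_s=2):
    """Label each (DC, client) pair by which SMB transports the DC tried.

    both-transports : every 139 attempt has a 445 attempt within window_s,
                      consistent with one SMB client trying both transports
    139-without-445 : at least one 139 attempt has no nearby 445 attempt;
                      worth checking which process on the DC owns it
    445-only        : no NetBT session attempts to that client at all
    """
    attempts = defaultdict(lambda: {139: [], 445: []})
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        # Only DC-originated traffic to the two SMB transports is of interest.
        if rec["src"] not in dc_addresses or rec["dport"] not in (139, 445):
            continue
        attempts[(rec["src"], rec["dst"])][rec["dport"]].append(rec["when"])

    window = timedelta(seconds=window_s)
    verdicts = {}
    for pair, ports in attempts.items():
        nbt, direct = ports[139], ports[445]
        if not nbt:
            verdicts[pair] = "445-only"
        elif all(any(abs(t139 - t445) <= window for t445 in direct)
                 for t139 in nbt):
            verdicts[pair] = "both-transports"
        else:
            verdicts[pair] = "139-without-445"
    return verdicts


def report(verdicts):
    """Render the verdicts as sorted 'dc -> client: label' strings."""
    return [f"{dc} -> {client}: {label}"
            for (dc, client), label in sorted(verdicts.items())]


if __name__ == "__main__":
    for row in report(classify_dc_smb_attempts(SAMPLE_LOG, DC_ADDRESSES)):
        print(row)
```

Pairs labelled `139-without-445` are the ones to follow up on the DC itself with a per-process connection view such as the TCPView suggestion earlier in the thread.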

RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Daniel Gilbert
Hide the cheap stuff too!
  Original Message 
 Subject: Re: [ActiveDir] I'm Baaack!
 From: Laura E. Hunter [EMAIL PROTECTED]
 Date: Thu, September 21, 2006 1:25 pm
 To: ActiveDir@mail.activedir.org
 
 Quick!  Hide the good silverware!
 
 On 9/21/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
 
  Yikes! Is it Halloween yet?
 
 
 
  Sincerely,
 _
(, /  |  /)   /) /)
  /---| (/_  __   ___// _   //  _
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)
 (/
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
 
  
  From: Rick Kingslan
  Sent: Thu 9/21/2006 11:00 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] I'm Baaack!
 
 
  Be afraid Be very afraid!
  :-)
 
 
 
 Rick
 
 
 
 
 -- 
 ---
 Laura E. Hunter
 Microsoft MVP - Windows Server Networking
 Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
 Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)


RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread joe
Crap, what did we do wrong 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, September 21, 2006 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread joe



Random is Deji's middle name. :)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 21, 2006 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

:) all this is very random

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Yikes! Is it Halloween yet?

Sincerely,
 _
(, /  |  /)   /) /)
  /---| (/_  __   ___// _   //  _
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)
 (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Molkentin, Steve



Additionally.. there are many catches with DFS when you 
start replicating files (if you were intending to). As a (R1 speak) root link, 
it is pretty simple, however you have to ensure you have your NTFS and share 
permissions set correctly before you create the DFS root and additional links or 
folders, etc, etc, etc.

If you are planning to replicate files, then MAKE SURE you 
are running R2 otherwise you'll have all sorts of file replication traumas using 
FRS... I love DFSR!

themolk.


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Friday, 22 September 2006 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

Are you trying to access the folders that DFS created or the actual shares themselves? See this (it applies to 2003 also):
http://support.microsoft.com/default.aspx?scid=kb;en-us;q246888

Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

which server hosts the stand alone root? server 1 or 2?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS.

I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem:
When I try to access the links I created I can't Access Denied even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error Failed to launch explorer home at \\pathname. I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan

  


RE: [ActiveDir] SID History.

2006-09-21 Thread Ansar Mohammed








Matt, 

Can you elaborate a bit; probably with an
example? At what stage are you migrating groups? Is this intra-forest or
inter-forest? Also, is the source domain NT4.0 or 200x.
And are you using ADMT v 2 or 3?















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.





Conceptual situation:

User domain
Resource domain (s)

I bring all users into a single AD environment, bringing over SID History
information.

Now I start moving over file servers from the resource domain to the AD
environment. One of the file servers has groups ACL'd from the resource
domain. When the server goes to check for access rights, will it pull
over *all* group memberships from the appropriate resource domain or simply
pull over the single group membership and append that to the user's token? 

Mostly just looking at SID history impact between semi-active resource domains
that are being decommissioned and current domains. Microsoft's site mostly
seems to point to groups that are pointing to SID history objects that are
within the AD environment, not cross-domain SID history impact. 










RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Akomolafe, Deji



Not according to my birth certificate.

See anything "random" here: Dèjì Akómöláfé? Me neither ;-p



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/21/2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Random is Deji's middle name. :)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Brian Desmond









All those odd characters you've got lined up on top of the letters
seem pretty random to me. ;)





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 10:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!











Not according to my birth certificate.











See anything random here: Dèjì Akómöláfé? Me neither ;-p

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





























[ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-21 Thread Tony Murray
Two forest scenario.  IIFP 1a. Both forests Windows 2003 SP1 and  Exchange 2003 
SP2.

After initial setup and synchronisation I notice that my synced users (and 
their corresponding Contact objects in the second forest) acquire two new X500 
addresses (one for each Exchange org).

Simple question really.  Is this normal and expected or have I misconfigured 
something?  I assume the X500 address is to uniquely identify them in the 
metaverse, but having two seems excessive!

Thanks

Tony

 







RE: [ActiveDir] SID History.

2006-09-21 Thread Almeida Pinto, Jorge de




not sure if this is the answer to your Q (not clear what you mean), but let's give it a try...

if you migrate a user with sidhistory, it will not include the group memberships of the object in the source domain just because the user's old sid is in sidhistory. if you need to have the group memberships as well, you need to migrate the groups to preserve the group membership and to preserve the access to resources protected by those groups you need to include the sidhistory as well during migration

is this the answer?



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server- Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address


From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Thu 2006-09-21 22:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:

User domain
Resource domain (s)

I bring all users into a single AD environment, bringing over SID History information.

Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
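A simplified model of the behaviour described in the reply above, as an added example that is not part of the original thread: it computes which SIDs land in a migrated user's token on a file server joined to the new domain, and whether an ACL that still names an old resource-domain group matches. All SIDs and names are constructed, the token logic covers direct group membership only, and no directory is queried.

```python
from dataclasses import dataclass

# Constructed SIDs: 1111 = old user domain, 2222 = old resource domain,
# 3333 = new AD domain. None of these values come from the thread.
OLD_USER = "S-1-5-21-1111-1111-1111-1105"
OLD_RES_GROUP = "S-1-5-21-2222-2222-2222-1201"
NEW_USER = "S-1-5-21-3333-3333-3333-2105"
NEW_GROUP = "S-1-5-21-3333-3333-3333-2201"

@dataclass(frozen=True)
class Principal:
    name: str
    sid: str
    sid_history: tuple = ()
    members: frozenset = frozenset()   # direct member names (groups only)

def build_token(user, groups):
    """SIDs a server in the new domain sees for `user` (assumed model)."""
    token = {user.sid, *user.sid_history}
    for g in groups:                   # only groups that exist in the new domain
        if user.name in g.members:
            token.add(g.sid)
            token.update(g.sid_history)  # a migrated group carries its old SID
    return token

def has_access(token, acl_sids):
    """True when any SID on the unchanged ACL is present in the token."""
    return not token.isdisjoint(acl_sids)

def scenarios():
    user = Principal("jdoe", NEW_USER, (OLD_USER,))
    members = frozenset({"jdoe"})
    with_hist = Principal("Finance-RW", NEW_GROUP, (OLD_RES_GROUP,), members)
    no_hist = Principal("Finance-RW", NEW_GROUP, (), members)
    group_acl, user_acl = {OLD_RES_GROUP}, {OLD_USER}
    return {
        # User migrated with sidHistory, group left behind: old group SID absent.
        "user_only": has_access(build_token(user, []), group_acl),
        # Group migrated with sidHistory and membership preserved.
        "group_with_sidhistory": has_access(build_token(user, [with_hist]), group_acl),
        # Group recreated without sidHistory: ACL still names the old SID.
        "group_without_sidhistory": has_access(build_token(user, [no_hist]), group_acl),
        # ACL granted directly to the user's old SID.
        "acl_on_old_user_sid": has_access(build_token(user, []), user_acl),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:26} -> {'access' if allowed else 'denied'}")
```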