RE: [ActiveDir] AD Reports
Quest's Reporter may help. They offer a free version as well as a full, retail version.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: 18 December 2006 16:45
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reports

What's the best AD reporting tool? My boss wants a report of all the users who are allowed to send and receive Internet mail in Exchange 2003. I can go and check user by user but we have over 500 users.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] AdminSDHolder orphans
The SDPROP thread, technically, doesn't do anything with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic).

Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours.

As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to Schema Admins.

In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back.

It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as do some of the security implications, I'm sure.

On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins.

Just some semi-cohesive thoughts from me for y'all anyway.

--Paul

----- Original Message -----
From: Brian Desmond [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 2:38 AM
Subject: RE: [ActiveDir] AdminSDHolder orphans

Yeah this caused me issues when I was at a large client which had this propensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount>0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 18, 2006 8:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:

* Replace the object's security descriptor with that of the AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value 0 on the object.

If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after itself?

Tony

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
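As an added example (not code from this thread, from Microsoft, or from the KB articles it cites), here is the audit Paul and Brian describe written in Python over a constructed, in-memory snapshot of users and groups rather than a live directory, so it runs offline. It expands the protected groups through nested membership, flags accounts that still carry SDProp's marks (a nonzero adminCount or a DACL with inheritance disabled) but are no longer in any protected group, and emits the LDIF you would hand to ldifde to reset adminCount on those accounts and then kick the propagator on the PDC emulator through the rootDSE fixupInheritance modify that KB 251343 (referenced later in this thread) describes. The protected-group list, the account and group names, and the container DN are assumptions; re-enabling inheritance means rewriting nTSecurityDescriptor, which plain LDIF cannot do, so that step is left to a script such as the one in KB 817433.

```python
"""AdminSDHolder orphan audit over a constructed directory snapshot (added example)."""
from collections import deque
from typing import Dict, Iterable, List, Set

# Protected groups as of Windows Server 2003 (assumed list; confirm the set in
# your own forest, since it changed between service packs).
PROTECTED_GROUPS: Set[str] = {
    "Administrators", "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Replicator", "Domain Admins", "Enterprise Admins",
    "Schema Admins", "Domain Controllers",
}

# Constructed snapshot: group -> members (users or nested groups), all hypothetical.
GROUPS: Dict[str, List[str]] = {
    "Administrators": ["Domain Admins", "Enterprise Admins"],
    "Domain Admins": ["alice", "Tier0 Ops"],
    "Enterprise Admins": [],
    "Tier0 Ops": ["bob", "Tier0 Ops"],   # self-nested: expansion must not loop forever
    "Helpdesk": ["carol", "dave"],
}

# Constructed snapshot: user -> what SDProp left behind.
#   adminCount      value as stored (None = attribute never set)
#   dacl_protected  True when inheritance is disabled on nTSecurityDescriptor
USERS = {
    "alice": {"adminCount": 1, "dacl_protected": True},      # current Domain Admin
    "bob":   {"adminCount": 1, "dacl_protected": True},      # Domain Admin via nesting
    "carol": {"adminCount": 1, "dacl_protected": True},      # temporary DA, since removed: orphan
    "dave":  {"adminCount": None, "dacl_protected": False},  # ordinary user
    "erin":  {"adminCount": 0, "dacl_protected": True},      # adminCount reset, SD never fixed: orphan
}


def protected_members(groups: Dict[str, List[str]], protected: Set[str]) -> Set[str]:
    """Expand the protected groups through nested membership to the users they contain."""
    users: Set[str] = set()
    seen: Set[str] = set()
    queue = deque(g for g in protected if g in groups)
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded (also breaks membership cycles)
            continue
        seen.add(group)
        for member in groups[group]:
            if member in groups:
                queue.append(member)   # nested group: keep expanding
            else:
                users.add(member)
    return users


def find_orphans(users, groups, protected) -> List[str]:
    """Accounts that still carry SDProp's marks but are no longer in any protected group."""
    still_protected = protected_members(groups, protected)
    orphans = []
    for name, attrs in users.items():
        if name in still_protected:
            continue
        admin_count = attrs.get("adminCount") or 0
        if admin_count > 0 or attrs.get("dacl_protected"):
            orphans.append(name)
    return sorted(orphans)


def cleanup_ldif(orphans: Iterable[str], users_container: str) -> str:
    """LDIF for ldifde: reset adminCount on each orphan, then ask the PDC emulator to
    run the SD propagator via the rootDSE fixupInheritance modify (KB 251343).
    Re-enabling inheritance on the SD itself is not done here (see KB 817433)."""
    entries = []
    for name in orphans:
        entries.append(
            f"dn: CN={name},{users_container}\n"
            "changetype: modify\n"
            "replace: adminCount\n"
            "adminCount: 0\n"
            "-\n"
        )
    entries.append(
        "dn:\n"                       # empty DN addresses rootDSE
        "changetype: modify\n"
        "add: fixupInheritance\n"
        "fixupInheritance: yes\n"
        "-\n"
    )
    return "\n".join(entries)


if __name__ == "__main__":
    found = find_orphans(USERS, GROUPS, PROTECTED_GROUPS)
    print("orphans:", found)
    print(cleanup_ldif(found, "CN=Users,DC=example,DC=com"))
```

Against a real domain the two snapshot dictionaries would be filled from an LDAP search for `(adminCount>=1)` plus the membership of the protected groups; note that erin is reported even though her adminCount is already 0, because a DACL with inheritance still disabled is the part of the orphan that actually breaks delegation.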
Re: [ActiveDir] Exchange reconnect(OT)
I know. I have write/read perms to all those attributes. That's why I'm confused as to why it's not working...

Thanks

On 12/18/06, Tony Murray [EMAIL PROTECTED] wrote:

I don't know for sure - I haven't tested it. Even if you don't need Send As permissions on the object to which you want to reconnect you will need permissions to write a whole bunch of attribute values on the object (homeMDB, proxyAddresses, legacyExchangeDN, etc.).

Tony

-- Original Message --
From: Tom Kern [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 18 Dec 2006 17:59:16 -0500

I'm almost positive you don't need Send As perms to reconnect a mailbox but I may be wrong... Thanks, I'll give it a test. I hate asking the AD guys for more perms... :(

On 12/17/06, Tony Murray [EMAIL PROTECTED] wrote:

Does the account you are using to perform the reconnect have Send As permissions on the user object? See the link below for the correct application of Send As permissions. http://msexchangeteam.com/archive/2005/01/07/348596.aspx

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, 17 December 2006 2:22 p.m.
To: activedirectory
Subject: [ActiveDir] Exchange reconnect(OT)

I have Exchange delegated full admin rights on the ex2k3 sp2 org and I have all the read/write perms to mailbox-enabled user attributes listed here:
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true

However, I'm running into this issue. I delete a user's mailbox, which works fine. When I try to reconnect this orphaned mailbox to a different user, I get this error:

you do not have the rights required to complete the operation
Id no: c1030728

Reconnecting back to the old user works fine. I have the exact same rights to the Exchange attributes on both user objects. Is there more to permissions under the hood when reconnecting a mailbox to a diff user than mailbox-enabling a user that I'm running into?

I notice there is nothing in the "Working with AD permissions" white paper about reconnecting a mailbox to a diff user but I just thought it was the same exact rights needed for mailbox-enabling a user.

Thanks
[ActiveDir] Schema Extension Question
Guys (and Gals)

I am far from an LDAP expert and we have not modified our Windows 2003 FFL schema at all. I don't even have SP1 running as I am just still a little gunshy about it. But now me and my network engineer are under heavy pressure to move our POP3 email clients to a server-centric web based model that will allow internet access to email. So my network engineer and *nix expert is testing a *nix based program to do that.

We are having trouble with it connecting to AD to authenticate users because it is popping errors that state I can't find the schema extensions. He is chasing that and I'm not really happy about modifying the schema, if indeed we end up having to do that, but here is my question.

Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords, or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD.

Thanks in advance.

RH

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
RE: [ActiveDir] Schema Extension Question
Surely if the service account used by the app has [only] the rights to read the data in the attributes and objects that it needs to access, then you should be fine. Whether an app or an admin, the least privilege rule still applies :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 December 2006 13:41
To: activedir@mail.activedir.org
Subject: [ActiveDir] Schema Extension Question

Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD.
Re: [ActiveDir] Cross-Forest Kerberos Delegation
If I understand your scenario correctly, in order for S4U2self (protocol transition) to work in this scenario you will need a 2-way forest trust. If you do not need S4U2self you can get by with the one-way trust.

steve

-- Original message --
From: Ken Schaefer [EMAIL PROTECTED]

Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).

The situation I have is as follows:

Client --- ISA Server 2006 --- Web Server --- App Server

The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through. Or I can try to use Kerberos delegation.

Now, ISA Server can use protocol transition, so that Client --- ISA Server can be something other than Kerberos (e.g. forms authentication), however Protocol Transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across Forests though? I have read conflicting reports on this. I'm having some difficulty getting it working, so either the answer is no, or my skills aren't up to the task (probably the latter, in combination with the former).

Cheers
Ken
--
My Blog: www.adOpenStatic.com/cs/blogs/ken
RE: [ActiveDir] AdminSDHolder orphans
Paul,

On a side note, this part of your response caught my eye...

...and then retriggered SDPROP.

Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible.

Thanks,
~Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, December 19, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AdminSDHolder orphans

In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP.
RE: [ActiveDir] Vista GPO
I'd totally agree with you Laura. Look at how Apple has approached the backwards compatibility issue with Mac OS X. Or rather, how they haven't. Want to stay compatible with an older version? Stay on that version. Pretty simple. I'm not saying that is 100% the right way to go, but they avoid a lot of problems that way. Out of the 50 million lines of code in Vista, I'm sure at least half of that is to provide backwards compatibility.

In any event, like you say, Laura, there's no point editing Vista GPOs if you're not running Vista. And if you need to set up Vista policy, then why not run on it yourself and just do the editing from there? Or is this the case of the tech who says, "I don't need no stinkin' eye candy, you can't make me run it"?

One other thing that I really hate to hear is a complaint about how something works, with the comment that Microsoft forces people to do things the way Microsoft wants people to do them. That's a pretty naïve comment - I hear it more from kids on the public newsgroups though. I'm surprised hearing it in the context of not logging into a DC to edit GPOs though. Are there any MVPs here who really think logging into a DC for GPO editing (or for anything else that can be done remotely, for that matter) is a good practice? So if Microsoft did force people to use a workstation to do configuration tasks such as GPO editing, that would be enforcement of what most experts agree is best practice - yet they don't force this. The issue is that they released Vista [client] before Server is out, and they enhanced things in Vista beyond the previous OS (I say hooray for them), and there has not been a new release of any prior OS service pack since Vista's release. In fact, Vista is barely out there now. But IMHO, Microsoft does not come up with ways to do things, generally, that are some attempt to force people into doing things in some manner that has, as their ultimate goal, to 'try and take over the world.' [1] Rather, they try to adhere to best practices and most requested features in their software design, when they can, as determined by various industry experts - not by some idea that they can make people do this or that if they cut this feature. At least, I believe this to be the case most of the time.

[1] if you think that, maybe you watched too much Pinky and the Brain

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one.

That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say... pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault.

Sincerely,
RE: [ActiveDir] AdminSDHolder orphans
See this KB:

Manually initializing the SD propagator thread to evaluate inherited permissions for objects in Active Directory
http://support.microsoft.com/kb/251343

steve

-- Original message --
From: WATSON, BEN [EMAIL PROTECTED]

Paul,

On a side note, this part of your response caught my eye...

...and then retriggered SDPROP.

Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible.

Thanks,
~Ben
RE: [ActiveDir] Schema Extension Question
It should be fine with normal credentials. Why are you so scared of SP1 or a schema extension? Neither of them are going to end the world...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, December 19, 2006 8:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Schema Extension Question

Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD.
RE: [ActiveDir] AdminSDHolder orphans
Either: http://support.microsoft.com/kb/251343 Or create an LDIF file which performs the same actions.

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: 19 December 2006 15:13 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans

Paul, On a side note, this part of your response caught my eye... "...and then retriggered SDPROP." Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible. Thanks, ~Ben

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, December 19, 2006 1:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AdminSDHolder orphans

The SDPROP thread technically doesn't do anything with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic). Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours. As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins.

In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back. It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as does some of the security implications I'm sure. On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins. Just some semi-cohesive thoughts from me for y'all anyway.

--Paul

- Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 19, 2006 2:38 AM Subject: RE: [ActiveDir] AdminSDHolder orphans

Yeah this caused me issues when I was at a large client which had this propensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount>0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:
* Replace the object's security descriptor with that of the AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value 0 on the object.
If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync
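One way to do the audit and clean-up this thread circles around (find everything still stamped adminCount=1 that is no longer in a protected group, clear the stamp, re-enable inheritance, then kick SDPROP as KB 251343 does), written here as an added example rather than code from anyone on the list. It assumes the ActiveDirectory PowerShell module (RSAT), rights to modify the affected objects, the default protected-group list of a Windows 2003 domain (check it against your own forest), and that writing fixupInheritance=1 to rootDSE through ADSI is equivalent to the LDP steps in the KB article. Run it without -Remediate first; it then only reports, and -WhatIf is honoured for the writes.

```powershell
# Added example: audit and optionally clean up AdminSDHolder "orphans" (objects
# still stamped adminCount=1 after leaving every protected group).
# Not from the thread. Assumes the ActiveDirectory (RSAT) module and rights to
# modify the affected objects; -WhatIf is honoured for the write operations.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate          # without this switch the script only reports
)
Import-Module ActiveDirectory

# Default groups whose members SDPROP protects on a Windows 2003 domain.
# Assumption: verify this list against your own forest before relying on it.
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Schema Admins', 'Enterprise Admins'
)

# Build the set of DNs that legitimately carry adminCount=1: every transitive
# member of a protected group plus the always-protected Administrator and krbtgt.
$Protected = @{}
foreach ($name in $ProtectedGroups) {
    # Enterprise Admins / Schema Admins exist only in the forest root domain
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $Protected[$_.DistinguishedName] = $true }
}
foreach ($sam in 'Administrator', 'krbtgt') {
    $Protected[(Get-ADUser -Identity $sam).DistinguishedName] = $true
}

# Anything with adminCount=1 that is not in that set is an orphan: SDPROP
# stamped it but, as the thread notes, never undoes the stamp by itself.
$Orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties adminCount |
    Where-Object { -not $Protected.ContainsKey($_.DistinguishedName) }

"{0} orphan(s) found" -f @($Orphans).Count
$Orphans | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize

if (-not $Remediate) { return }

foreach ($obj in $Orphans) {
    $path = "AD:\$($obj.DistinguishedName)"
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
        # 1. Remove the stamp so the object stops showing up as privileged.
        Set-ADObject -Identity $obj.DistinguishedName -Clear adminCount

        # 2. Turn inheritance back on. SetAccessRuleProtection($false, ...) makes
        #    the DACL inherit from the parent again; explicit ACEs are untouched.
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl

        # 3. The explicit ACEs SDPROP copied from AdminSDHolder are still on the
        #    object. Stripping them blindly can also remove bespoke ACEs (Paul's
        #    point in the thread), so list them for a manual review instead.
        "Explicit ACEs remaining on {0}:" -f $obj.DistinguishedName
        (Get-Acl -Path $path).Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
            Format-Table -AutoSize
    }
}

# Kick SDPROP by hand instead of waiting for its next scheduled run (KB 251343
# does this in LDP). Windows 2003 uses fixupInheritance on rootDSE of the PDC
# emulator; Windows 2008 and later use RunProtectAdminGroupsTask instead.
if ($PSCmdlet.ShouldProcess('rootDSE', 'Trigger SDPROP')) {
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('fixupInheritance', 1)
    $rootDse.SetInfo()
}
```

The report alone is worth running on a schedule: the orphan list is exactly the "quick and dirty" over-privilege count Paul mentions, and an account that reappears in it after clean-up has been re-added to a protected group and should be explainable.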
RE: [ActiveDir] Vista GPO
Am I the only one who remembers the teeth-pulling necessary to get people to make the move to XP? Or to Win2K? Both of which were a fairly big leap. XP was seen as eye candy with very little benefit over Win2K (but with licensing and deployment and compatibility problems that could be avoided by staying on a perfectly good platform). I had to write up several papers on what was different and better in XP than in Win2K (not where I work now, just for the record...) I think in 2 years we're going to see a similar situation. The more IT types dig into Vista, and see solutions to problems that either have no solution in XP, or require workarounds and make-do's (is that a word?), the more people will start to see the point in upgrading. I think the same goes for Longhorn. So... this is just my opinion, but I think that one would be remiss in not digging into Vista now to see if there's more than just eye candy and extensive hardware requirements... So far, in my experience, I've been pretty surprised at the things that will run on Vista. Conversely, there are a few things we have that still do not work on XP. We use Win2K VMs for those handful of things. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, December 15, 2006 7:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Vista GPO (as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?) 
Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors who are saying "Wait." My two benchmarks of when I can say I'm somewhat business ready on Vista is when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?) This is slightly incorrect...but the fact is SQL 2005 express officially needs sp2 to run on Vista http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

*Wait Until after Tax Time? *Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQS 2b=0j=NzQzNjgzNDcS1mt=1 and ProSeries Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQS 2b=0j=NzQzNjgzNDcS1mt=1. *Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons: * Potential reliability issues often associated with the initial release of operating systems. * Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista.

Laura A. Robinson wrote: Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation.
Laura

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji *Sent:* Friday, December 15, 2006 4:44 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Vista GPO

Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks?

Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services www.akomolafe.com
[ActiveDir] Filter out a certain group of users from the GAL
I have been trying to filter out a certain group of users from the GAL, these users should not appear in the GAL. I have used the ! sign but it looks simpler than it in fact is.

This is the Default GAL:

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

I want to exclude people who are a member of a group called XYZ Users and thought about doing it with:

(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)

The complete query is now:

(&(mailnickname=*)(|(&(objectCategory=person)(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

The above query outputs exactly the same objects as the first query, the one of the Default GAL. So somehow the group is not being filtered out. Probably just me overlooking something.

Cheers, Victor
RE: [ActiveDir] Vista GPO
If I remember correctly, there were no real compelling reasons to go to XP until after SP2 was released.

Todd

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, December 19, 2006 10:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO
Re: [ActiveDir] Vista GPO
Win23 AD Machines: ThinkCentre 8215. Vista Enterprise: So far my 4 test machines in my lab have been losing the CD/DVD Rom drives. Have to delete registry and restart machines each time. This is also occurring at home. Also half of my network printers do not work. No Vista print drivers on the server yet. Other than that, GPO is locking down the desktop pretty good. Control Panel items all removed, IE 7 is locked down, etc.

-Z.V.

Rich Milburn wrote:
Re: [ActiveDir] Vista GPO
Depends on what you define as compelling. I killed off Win2k way before XP sp2 was released.

Todd Hofert wrote: If I remember correctly, there were no real compelling reasons to go to XP until after SP2 was released. Todd
RE: [ActiveDir] Filter out a certain group of users from the GAL
I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece... When making AL filters, Exchange is picky and if you put in a ! you need to use the long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter, Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will show you one result and what you really get could be something completely different. I once got a crap answer from an Alliance Exchange PSS that someone made up about the RFC standards etc but that reason was, as I said, crap. It is just something you have to be aware of when working with those filters.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 19, 2006 11:03 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Filter out a certain group of users from the GAL
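A small linter for the problem joe describes, added here as an example and not code from Victor, joe or Exchange: it checks that an address-list filter is balanced and rewrites every short-form negation `(!attr=val)` into the long form `(!(attr=val))` that Exchange's own filter engine expects. It is pure string handling and talks to neither AD nor Exchange. The rewrite assumes the filter follows the LDAP rule that parentheses inside a value are escaped as \28 and \29, so an item without a bare parenthesis up to the next `)` is one whole comparison.

```powershell
# Added example, not from the thread: lint an Exchange address-list LDAP filter
# for the short-form negation "(!attr=val)" and rewrite it to "(!(attr=val))".
# Pure string handling; nothing here talks to AD or Exchange.

function Test-LdapFilterBalance {
    # Returns $true when every '(' has a matching ')' in order.
    param([Parameter(Mandatory)][string]$Filter)
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { return $false } }
    }
    return ($depth -eq 0)
}

function Repair-LdapNegation {
    # Finds "(!attr=val)" and rewrites it as "(!(attr=val))". Inside a filter,
    # '(' and ')' in values must already be escaped as \28 and \29, so an item
    # without parentheses up to the next ')' is the whole comparison.
    param([Parameter(Mandatory)][string]$Filter)
    $short = '\(!(?!\()([^()]+)\)'        # "(!" not followed by "(", then one item
    $fixed = [regex]::Replace($Filter, $short, '(!($1))')
    [pscustomobject]@{
        Original   = $Filter
        Balanced   = (Test-LdapFilterBalance $Filter)
        ShortForms = @([regex]::Matches($Filter, $short) | ForEach-Object { $_.Value })
        Repaired   = $fixed
    }
}

# Victor's complete query from the thread, including the short-form negation.
$gal = '(&(mailnickname=*)(|(&(objectCategory=person)(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))'

$result = Repair-LdapNegation $gal
"Balanced:    {0}" -f $result.Balanced
"Short forms: {0}" -f ($result.ShortForms -join ', ')
"Repaired:"
$result.Repaired
```

Two things to check once the syntax is right, both visible in the filter itself. First, the exclusion sits inside the branch that matches users with no homeMDB and no msExchHomeServerName, i.e. mail-enabled users without a mailbox; mailbox-enabled users are matched by the second branch, which has no exclusion, so a member of XYZ Users with a mailbox would still be listed. Placing `(!(memberOf=...))` next to `(mailnickname=*)` in the outer `(&...)` applies it to every object type. Second, memberOf lists direct membership only: members of nested groups, and accounts whose primary group is XYZ Users, are not matched by it.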
RE: [ActiveDir] Vista GPO
So did we, where I was at the time. Now I can't recall what the driving factors were, but it was pre-SP2. There were enough to convince some hard-core captains to do it, though, and that was a tough sell. With XP SP2, Vista is a tough sell to people who believe everything they read about Vista but haven't checked out for themselves. I thought it was just kinda cool looking but not compelling, till I started digging deep into it. That's when I saw a lot of "well it's about time they fixed that" issues, and various things that for me, would be selling points on their own merit. But alas, those around me who have not taken the time to find out for themselves, get hung up on the reviews saying it takes a Cray supercomputer to run it, all so you can get some eye candy that's overrated at best. I'm not going to go into it all right now, but depending on your environment, there are compelling reasons to get familiar with Vista. With SP1, I expect it to be widely deployable (and compelling to do so). And I would expect [1] SP1 in the mid-2007 Longhorn RTM time frame.

[1] I have no privileged knowledge about that, it's just a guess based on the fact that the Vista/Longhorn code is closely related, the two OS's are meant to go hand-in-hand, and W2K3 Server SP1 and XP SP2 were closely related. In a way, some of the Vista code which is shared with Longhorn is getting a longer beta run, and will likely be fixed in Longhorn and the fixes will apply to Vista - especially as relates to how the Vista client is used in conjunction with the server, including admin tasks. Again, that is a guess, not inside info. I could be way off.

--- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, December 19, 2006 12:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Vista GPO

Depends on what you define as compelling. I killed off Win2k way before XP sp2 was released.
Re: [ActiveDir] Exchange reconnect(OT)
Which version of Exchange? Are the users you want to connect to in the same OU's? Any customizations to your Exchange org? How long in between the operations are you waiting? I wouldn't expect Send As rights to make a difference. I would expect inherited permissions to make a difference. I would also expect that your administrative tools should be as current as the Exchange servers.

Al

On 12/19/06, Tom Kern [EMAIL PROTECTED] wrote: I know. I have write/read perms to all those attributes. That's why I'm confused as to why it's not working... Thanks

On 12/18/06, Tony Murray [EMAIL PROTECTED] wrote: I don't know for sure - I haven't tested it. Even if you don't need Send As permissions on the object to which you want to reconnect you will need permissions to write a whole bunch of attribute values on the object (homeMDB, proxyAddresses, legacyExchangeDN, etc.). Tony

-- Original Message -- From: Tom Kern [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Mon, 18 Dec 2006 17:59:16 -0500

I'm almost positive you don't need Send As perms to reconnect a mailbox but I may be wrong... Thanks, I'll give it a test. I hate asking the AD guys for more perms... :(

On 12/17/06, Tony Murray [EMAIL PROTECTED] wrote: Does the account you are using to perform the reconnect have Send As permissions on the user object? See the link below for the correct application of Send As permissions. http://msexchangeteam.com/archive/2005/01/07/348596.aspx Tony

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Sunday, 17 December 2006 2:22 p.m. To: activedirectory Subject: [ActiveDir] Exchange reconnect(OT)

I have Exchange delegated full admin rights on the ex2k3 sp2 org and I have all the read/write perms to mailbox-enabled user attributes listed here- http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true However, I'm running into this issue- I delete a user's mailbox, which works fine. When I try to reconnect this orphaned mailbox to a different user, I get this error- "you do not have the rights required to complete the operation Id no: c1030728" Reconnecting back to the old user works fine. I have the exact same rights to the exchange attributes on both user objects. Is there more to permissions under the hood when reconnecting a mailbox to a diff user than mailbox enabling a user that I'm running into? I notice there is nothing in the "Working with AD permissions" white paper about reconnecting a mailbox to a diff user but I just thought it was the same exact rights needed for mailbox-enabling a user. Thanks
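To see what Tony and Al are pointing at (whether the delegated account's write rights on homeMDB, proxyAddresses and legacyExchangeDN actually exist on the target user, and whether they arrive as explicit or inherited ACEs), here is an added example that is not code from the thread. It assumes the ActiveDirectory PowerShell module; the user DN and trustee are constructed placeholders. It lists ACEs that name the trustee directly, so rights the account gets through group membership will not show up unless you run it for each group as well; it does not compute effective access.

```powershell
# Added example, not from the thread: show which ACEs on a user object grant
# write access to the attributes a mailbox reconnect has to update, and whether
# each ACE is explicit or inherited. Assumes the ActiveDirectory module.
# The DN and trustee below are constructed placeholders; substitute your own.
param(
    [string]$UserDn  = 'CN=Jane Doe,OU=Users,DC=example,DC=test',   # placeholder
    [string]$Trustee = 'EXAMPLE\exchadmin',                          # placeholder
    [string[]]$Attributes = @('homeMDB', 'proxyAddresses', 'legacyExchangeDN',
                              'mailNickname', 'msExchHomeServerName')
)
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# An ACE can name an attribute by its own schemaIDGUID or by the property set
# it belongs to (attributeSecurityGUID); resolve both from the schema partition.
$attrGuids = @{}
foreach ($ldapName in $Attributes) {
    $schema = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $schema) { Write-Warning "$ldapName not in schema (Exchange not installed?)"; continue }
    $guids = @([guid]$schema.schemaIDGUID)
    if ($schema.attributeSecurityGUID) { $guids += [guid]$schema.attributeSecurityGUID }
    $attrGuids[$ldapName] = $guids
}

# Any of these rights lets the trustee write the attribute.
$writeBits = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path "AD:\$UserDn"
foreach ($ldapName in $attrGuids.Keys) {
    $hits = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        (($_.ActiveDirectoryRights -band $writeBits) -ne 0) -and
        # Empty ObjectType means "all properties"; otherwise the ACE must name
        # this attribute or its property set.
        ($_.ObjectType -eq [guid]::Empty -or $attrGuids[$ldapName] -contains $_.ObjectType)
    })
    foreach ($ace in $hits) {
        if ($ace.ObjectType -eq [guid]::Empty)                   { $scope = 'all properties' }
        elseif ($ace.ObjectType -eq $attrGuids[$ldapName][0])   { $scope = 'attribute' }
        else                                                     { $scope = 'property set' }
        [pscustomobject]@{
            Attribute = $ldapName
            Type      = $ace.AccessControlType     # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
    if ($hits.Count -eq 0) { Write-Warning "$Trustee has no write ACE for $ldapName on $UserDn" }
}
```

Run it once against the user the reconnect works for and once against the user it fails for; if the working account shows an Inherited = True ACE that the failing one lacks, the failing object (or an OU above it) has inheritance blocked, which is the case Al has in mind. A Deny entry that only appears on one of the two objects is the other thing worth looking for.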
[ActiveDir] OT: Group Restrictions
Not sure if this is possible, but in the Exchange General tab of a Distribution group, I am able to restrict messages from certain individuals. Is it possible to restrict people from sending mail to that group using the To: or Cc: field? I only want them to use BCC:. Reason is, I want to prevent people from replying ALL to Distribution Groups that contain members of the whole company.

-Devon

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Re: [ActiveDir] [OT] ORDB shutting down
Good riddance.

On 12/18/06, Tony Murray [EMAIL PROTECTED] wrote:
Some news about ordb.org shutting down for those of you that might use it.
http://ordb.org/news/?id=38
Tony
[ActiveDir] [Now OT] SBS Dies Twice in Four Days
Well, it appears that in this case, the AD is not the culprit. Joe, please note that I have updated the Subject line ;-)

It appears that the issue was the attachment of APC's USB cable to connect to the UPS. (Hey, three acronyms in one sentence!) After the server died a few more times, it finally spit something out that pointed to USB. After disconnecting that, it has not had an issue.

Thanks again.
-- nme

From: Susan Bradley [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 16, 2006 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS Dies Twice in Four Days

(I suck at lurking, what can I say.) The other day someone was arguing about SBS, saying "what are you going to do if the AD gets corrupted", and I got to say "Well, according to the AD gurus I know, it's very rare for AD to get corrupted, and typically it is not AD that has gone wrong but something else." They came back and said "Oh well, I meant overall corruption."

joe [EMAIL PROTECTED] wrote:
SBS... uh oh, there goes the neighborhood... This one could possibly get the [OT] badge I expect and/or go to the SBS specific groups. If an SBS server died, AD would be one of the last things on it I would suspect with everything it runs. ;o)
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, December 14, 2006 1:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twice in Four Days

Hi – I have a client with a four-year-old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly.

The few errors that show up include this: Shortly before Saturday's crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the "Enabled Journal Wrap Automatic Restore" key to 1. This appeared to have cleared the error. This error has not recurred.

Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server – twice.

Sorry if this is rambling a bit. I have been looking at this for several hours and don't seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I've got to feel comfortable with leaving this server for a week – or my earlier post about laptop batteries will be meaningless ;-)

TIA
-- nme

-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.409 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006
Re: [ActiveDir] Exchange reconnect(OT)
Exchange 2k3 sp2, no customization. Waiting about 4 days now :)

I did 2 tests: 2 users in diff OUs and 2 users in diff domains. The AD guys gave us perms on all Exchange attributes in all domains in our forest at the domain level and inherited down. According to the MS docs, we really have more perms than we need. None of the users are protected (AdminSDHolder).
Thanks

On 12/19/06, Al Mulnick [EMAIL PROTECTED] wrote:
Which version of Exchange? Are the users you want to connect to in the same OUs? Any customizations to your Exchange org? How long in between the operations are you waiting?

I wouldn't expect Send As rights to make a difference. I would expect inherited permissions to make a difference. I would also expect that your administrative tools should be as current as the Exchange servers.
Al

On 12/19/06, Tom Kern [EMAIL PROTECTED] wrote:
I know. I have write/read perms to all those attributes. That's why I'm confused as to why it's not working...
Thanks

On 12/18/06, Tony Murray [EMAIL PROTECTED] wrote:
I don't know for sure - I haven't tested it. Even if you don't need Send As permissions on the object to which you want to reconnect, you will need permissions to write a whole bunch of attribute values on the object (homeMDB, proxyAddresses, legacyExchangeDN, etc.).
Tony

-- Original Message --
From: Tom Kern [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 18 Dec 2006 17:59:16 -0500

I'm almost positive you don't need Send As perms to reconnect a mailbox, but I may be wrong... Thanks, I'll give it a test. I hate asking the AD guys for more perms... :(

On 12/17/06, Tony Murray [EMAIL PROTECTED] wrote:
Does the account you are using to perform the reconnect have Send As permissions on the user object? See the link below for the correct application of Send As permissions.
http://msexchangeteam.com/archive/2005/01/07/348596.aspx
Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, 17 December 2006 2:22 p.m.
To: activedirectory
Subject: [ActiveDir] Exchange reconnect(OT)

I have Exchange delegated full admin rights on the ex2k3 sp2 org and I have all the read/write perms to mailbox-enabled user attributes listed here:
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true

However, I'm running into this issue: I delete a user's mailbox, which works fine. When I try to reconnect this orphaned mailbox to a different user, I get this error: "you do not have the rights required to complete the operation Id no: c1030728". Reconnecting back to the old user works fine. I have the exact same rights to the Exchange attributes on both user objects. Is there more to permissions under the hood when reconnecting a mailbox to a diff user than mailbox-enabling a user that I'm running into? I notice there is nothing in the "Working with AD permissions" white paper about reconnecting a mailbox to a diff user, but I just thought it was the same exact rights needed for mailbox-enabling a user.
Thanks
RE: [ActiveDir] OT: Group Restrictions
No. Limit who can send to it to people who aren't stupid.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 19, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Group Restrictions

Not sure if this is possible, but in the Exchange General tab of a Distribution group, I am able to restrict messages from certain individuals. Is it possible to restrict people from sending mail to that group using the To: or Cc: field? I only want them to use BCC:. Reason is, I want to prevent people from replying ALL to Distribution Groups that contain members of the whole company.
-Devon
RE: [ActiveDir] AD Schema Extensions and Exchange System Manager
You are correct. However, there is not a supported way to add an additional mAPIID. I've bugged this twice and it's been closed twice. A private-only KB documents the process (used to be public, but it was deemed to be too dangerous). Jim McBee (another Exchange MVP and author) documents the process on his blog:
http://mostlyexchange.blogspot.com/2005/03/adding-attributes-to-exchange-details.html
But it isn't supported.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

I am not positive on this, but I think you need to look at mAPIIDs.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Tuesday, December 05, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Extensions and Exchange System Manager

Excellent mail list ... keep up the good work! But can anyone help me ..

For various reasons we have extended the schema in our Active Directory (test only at present) to add further local attributes to users. All is working well until I attempt to make use of the data in these extra attributes within Exchange System Manager (ESM). Specifically, I would like to extend the user template visible from the Outlook Address Book to display information contained in the schema extensions. Unfortunately, the ESM only allows a handful of attributes to be picked for display, and none of them are our extensions. Anyone know how to coerce ESM to allow other user attributes to be chosen?

Regards
Mike Waters
RE: [ActiveDir] Send As(OT)
You can send-as anything with a SD in the store. :-P Very commonly used to send from group mailboxes and DGs, such as [EMAIL PROTECTED] (we use the feature here).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Send As(OT)

In Exchange nothing comes from the DL, it comes from the user who sent to the DL. I believe you cannot in actuality (sp?) send from a DL because a DL is an alias, not a mailbox. I could easily be wrong, not being an Exchange guy, but I don't expect I am.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, December 05, 2006 6:12 PM
To: activedirectory
Subject: [ActiveDir] Send As(OT)

I have given a user Send As perm directly on a universal distribution group in AD. However, whenever this user selects the group from the GAL in the From: field of Outlook 2k3 and attempts to send an email as that group, he gets an error of "You do not have the permission to send the message on behalf of the specified user."

The group is NOT nested in any of the AdminSDHolder protected groups. The user has been given Send As perms directly on the UDG. He is in no groups with explicit denies. I have also tried giving my account Send As perms to the group and I get the same error. I have waited over 24hrs so it's also not an info store cache/replication issue. I'm running Exchange 2k3 sp2 with the latest hotfixes (including the Send As one) in a win2k3 forest (win2k3 FFL/DFL).

Any ideas would be great. Thanks for your time.
RE: [ActiveDir] AD Reports
Or NetPro's ReportADMin (http://www.netpro.com/products/reportadmin/index.cfm)

-gil
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 2:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Reports

Quest's Reporter may help. They offer a free version as well as a full, retail version.
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: 18 December 2006 16:45
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reports

What's the best AD reporting tool? My boss wants a report of all the users who are allowed to send and receive Internet Mail in Exchange 2003. I can go and check user by user, but we have over 500 users.
RE: [ActiveDir] ADfind to find locked accounts
Try querying where lockoutTime is >0. Here's an article ...
http://support.microsoft.com/kb/250873

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such...

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Transformed Filter: samaccountname=servaccount
Using server: dc.appsig.com:389
Directory: Windows 2000
Base DN: DC=appsig,DC=com

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com
userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064? In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search.

C:\tools>unlock . * -view

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Processed at dc.appsig.com
Default Naming Context: DC=appsig,DC=com
1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY

I'm probably just missing something here, but was hoping for some clarification.
Thanks,
~Ben
RE: [ActiveDir] ADfind to find locked accounts
Search for lockoutTime>0.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such...

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Transformed Filter: samaccountname=servaccount
Using server: dc.appsig.com:389
Directory: Windows 2000
Base DN: DC=appsig,DC=com

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com
userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064? In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search.

C:\tools>unlock . * -view

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Processed at dc.appsig.com
Default Naming Context: DC=appsig,DC=com
1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY

I'm probably just missing something here, but was hoping for some clarification.
Thanks,
~Ben
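The two replies above (query lockoutTime rather than the LOCKOUT bit) come down to one fact: the LOCKOUT flag of userAccountControl is documented, but AD does not persist it in the stored attribute, so a bitwise filter on bit 16 matches nothing and a 66048 value is exactly what a locked-out account shows. The following is an added example, not code from the thread or from AdFind: it decodes userAccountControl the way the adfind output does, builds both filters, and evaluates them against constructed records mirroring the thread's service account. It also goes one step beyond the thread: lockoutTime stays populated after the lockout expires, so "lockoutTime>=1" also returns accounts that are no longer locked unless the domain's lockoutDuration is taken into account. The bit values and matching-rule OID are the documented AD constants; everything else (record contents, the hypothetical thirty-minute duration) is constructed.

```python
# Added example for the ADfind locked-account thread (not from the list or
# from AdFind). Assumptions: documented userAccountControl bits and the
# LDAP_MATCHING_RULE_BIT_AND OID; sample records below are constructed.
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # documented, but AD does not persist it in the attribute
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration on the domain object: this sentinel means "until an admin unlocks".
LOCKOUT_DURATION_FOREVER = -(1 << 63)


def decode_uac(value):
    """Name the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_filter(attribute, mask):
    """LDAP clause for 'all bits in mask are set' (what adfind -bit builds)."""
    return "(%s:%s:=%d)" % (attribute, LDAP_MATCHING_RULE_BIT_AND, mask)


def locked_account_filter():
    """The query the replies recommend: lockoutTime is populated."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"


def to_filetime(when):
    """UTC datetime -> FILETIME (100 ns intervals since 1601), as AD stores it."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_currently_locked(lockout_time, lockout_duration, now):
    """True only while the lockout is still in force.

    lockout_duration is the domain's lockoutDuration: a negative interval in
    100 ns units, or LOCKOUT_DURATION_FOREVER.
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_DURATION_FOREVER:
        return True
    expires_at = lockout_time - lockout_duration  # subtracting a negative interval
    return to_filetime(now) < expires_at


def find_locked_by_bit(records):
    """Server-side evaluation of the bitwise LOCKOUT filter on stored values."""
    return [r["sAMAccountName"] for r in records
            if r["userAccountControl"] & 0x0010 == 0x0010]


def find_locked_by_lockout_time(records, lockout_duration, now):
    """lockoutTime>=1, narrowed to lockouts that have not yet expired."""
    return [r["sAMAccountName"] for r in records
            if is_currently_locked(r["lockoutTime"], lockout_duration, now)]


# Constructed records. The first mirrors the thread's output: the stored
# userAccountControl is 66048 although Unlock reports the account LOCKED.
SAMPLE_RECORDS = [
    {"sAMAccountName": "servaccount", "userAccountControl": 66048,
     "lockoutTime": to_filetime(datetime(2006, 12, 15, 10, 52, 45, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "lockoutTime": 0},
]

if __name__ == "__main__":
    now = datetime(2006, 12, 19, 12, 0, tzinfo=timezone.utc)
    print(decode_uac(66048))
    print(bit_and_filter("userAccountControl", 0x0010), "->", find_locked_by_bit(SAMPLE_RECORDS))
    print(locked_account_filter(), "->",
          find_locked_by_lockout_time(SAMPLE_RECORDS, LOCKOUT_DURATION_FOREVER, now))
```

The bitwise query returns nothing for the constructed record while the lockoutTime query returns it, which is the behaviour Ben describes. On Windows Server 2003 domain controllers the constructed attribute msDS-User-Account-Control-Computed does report the LOCKOUT bit, but constructed attributes cannot be used in a search filter, so the lockoutTime query remains the way to find locked accounts; Ben's output shows a Windows 2000 directory, where even that attribute is unavailable.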
RE: [ActiveDir] Strange Lock Out Issue
Windows XP SP2

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, December 18, 2006 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Lock Out Issue

What client OS?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, December 18, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

I have a user, who is not logged in anywhere else, and while surfing the web or accessing a program is getting locked out of her account for no reason. I have checked the logs on all three domain controllers and nothing is showing a failed logon attempt or bad password. It doesn't even show when the account got locked. Any ideas on how to rectify this?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] Vista GPO
Well it's about time, item no 1: Granular control of removable devices.
http://www.sbslinks.com/vista.ppt

As I showcased in that slide deck that I just did to a bunch of CPAs.. I can't do the 3d view thingy on my.. what now nearly two year old tablet. Uh huh. So what. When I do that view it makes me seasick anyway. And UAC isn't that annoying.

Rich Milburn wrote:
So did we, where I was at the time. Now I can't recall what the driving factors were, but it was pre-SP2. There were enough to convince some hard-core captains to do it, though, and that was a tough sell.

With XP SP2, Vista is a tough sell to people who believe everything they read about Vista but haven't checked it out for themselves. I thought it was just kinda cool looking but not compelling, till I started digging deep into it. That's when I saw a lot of "well it's about time they fixed that" issues, and various things that for me would be selling points on their own merit. But alas, those around me who have not taken the time to find out for themselves get hung up on the reviews saying it takes a Cray supercomputer to run it, all so you can get some eye candy that's overrated at best.

I'm not going to go into it all right now, but depending on your environment, there are compelling reasons to get familiar with Vista. With SP1, I expect it to be widely deployable (and compelling to do so). And I would expect [1] SP1 in the mid-2007 Longhorn RTM time frame.

[1] I have no privileged knowledge about that, it's just a guess based on the fact that the Vista/Longhorn code is closely related, the two OS's are meant to go hand-in-hand, and W2K3 Server SP1 and XP SP2 were closely related. In a way, some of the Vista code which is shared with Longhorn is getting a longer beta run, and will likely be fixed in Longhorn and the fixes will apply to Vista - especially as relates to how the Vista client is used in conjunction with the server, including admin tasks. Again, that is a guess, not inside info. I could be way off.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
-- I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 19, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Depends on what you define as compelling. I killed off Win2k way before XP sp2 was released.

Todd Hofert wrote:
If I remember correctly, there were no real compelling reasons to go to XP until after SP2 was released.
Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, December 19, 2006 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Am I the only one who remembers the teeth-pulling necessary to get people to make the move to XP? Or to Win2K? Both of which were a fairly big leap. XP was seen as eye candy with very little benefit over Win2K (but with licensing and deployment and compatibility problems that could be avoided by staying on a perfectly good platform). I had to write up several papers on what was different and better in XP than in Win2K (not where I work now, just for the record...)

I think in 2 years we're going to see a similar situation. The more IT types dig into Vista, and see solutions to problems that either have no solution in XP, or require workarounds and make-do's (is that a word?), the more people will start to see the point in upgrading. I think the same goes for Longhorn.

So... this is just my opinion, but I think that one would be remiss in not digging into Vista now to see if there's more than just eye candy and extensive hardware requirements... So far, in my experience, I've been pretty surprised at the things that will run on Vista. Conversely, there are a few things we have that still do not work on XP. We use Win2K VMs for those handful of things.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 7:32 PM
To:
RE: [ActiveDir] Strange Lock Out Issue
That is just the thing, no event IDs exist for the account lockout on any DC even though I have Auditing turned on. This is why it is a strange lockout.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 18, 2006 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Lock Out Issue

Eventcombmt the DCs for whatever the lockout ID is also works.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, December 18, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Lock Out Issue

Download the Account Lockout and Management Tools from Microsoft. More specifically, from the downloaded EXE, extract the LockoutStatus.EXE file and use it to query for the user account that is having issues. It will tell you how many bad password attempts have been made, what time/date the lockout occurred, and on what DC. Furthermore, you can directly manage the Domain Controller from the tool and pull up the event viewer to look for the security entry pointing you to the source of the bad credentials. It's always worked like a charm for me when dealing with issues like these.

Good luck,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, December 18, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

I have a user, who is not logged in anywhere else, and while surfing the web or accessing a program is getting locked out of her account for no reason. I have checked the logs on all three domain controllers and nothing is showing a failed logon attempt or bad password. It doesn't even show when the account got locked. Any ideas on how to rectify this?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used cross-forest? I thought protocol transition was tied to constrained delegation (in a user/computer account's properties, on the delegation tab there is an option that says "any protocol", but that's only available in the section for constrained delegation). If that's the case, then how can protocol transition work cross-forest?

Cheers
Ken
-- My Blog: www.adOpenStatic.com/cs/blogs/ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

If I understand your scenario correctly, in order for S4U2self (protocol transition) to work in this scenario you will need a 2-way forest trust. If you do not need S4U2self you can get by with the one-way trust.
steve

-- Original message --
From: Ken Schaefer [EMAIL PROTECTED]

Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).

The situation I have is as follows:

Client ---> ISA Server 2006 ---> Web Server ---> App Server

The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through. Or I can try to use Kerberos delegation.

Now, ISA Server can use protocol transition, so that Client ---> ISA Server can be something other than Kerberos (e.g. forms authentication); however, Protocol Transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across Forests though? I have read conflicting reports on this. I'm having some difficulty getting it working, so either the answer is no, or my skills aren't up to the task (probably the latter, in combination with the former).

Cheers
Ken
-- My Blog: www.adOpenStatic.com/cs/blogs/ken
Re: [ActiveDir] Cross-Forest Kerberos Delegation
My understanding is that you can get the actual protocol transition logon to work, but you cannot use delegation (which is what you really need) because PT is tied to constrained delegation and it only works in a single domain, not even in multiple domains in a forest. Your understanding is basically correct.

This is a documented limitation and not something I've played with personally, so I'm not sure if there is more to it than that.

I honestly don't know if this can be made to work with unconstrained delegation/kerb auth in IIS, as I've never tried that either. However, giving out unconstrained delegation privileges is a bit icky.

This may be one of those situations where it is easier to just pass the plaintext credentials around between the tiers using basic auth/SSL and such.

Joe

----- Original Message -----
From: Ken Schaefer
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation

Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used cross-forest? I thought protocol transition was tied to constrained delegation (in a user/computer account's properties, on the delegation tab there is an option that says "any protocol", but that's only available in the section for constrained delegation). If that's the case, then how can protocol transition work cross-forest?

Cheers
Ken
--
My Blog: www.adOpenStatic.com/cs/blogs/ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

If I understand your scenario correctly, in order for S4U2self (protocol transition) to work in this scenario you will need a 2-way forest trust. If you do not need S4U2self you can get by with the one-way trust.

steve

-- Original message --
From: Ken Schaefer [EMAIL PROTECTED]

Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).

The situation I have is as follows:

Client --- ISA Server 2006 --- Web Server --- App Server

The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through. Or I can try to use Kerberos delegation.

Now, ISA Server can use protocol transition, so that Client --- ISA Server can be something other than Kerberos (e.g. forms authentication), however Protocol Transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across Forests though? I have read conflicting reports on this. I'm having some difficulty getting it working, so either the answer is no, or my skills aren't up to the task (probably the latter, in combination with the former).

Cheers
Ken
--
My Blog: www.adOpenStatic.com/cs/blogs/ken

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
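As an added example (not code from Joe, Ken or anyone else in this thread): since the discussion turns on constrained delegation with protocol transition versus the "icky" unconstrained kind, this PowerShell snippet inventories which accounts in a domain carry which delegation setting, so unconstrained grants can be reviewed rather than discovered by accident. It assumes the ActiveDirectory module and read access to the directory; the userAccountControl bit values and the bitwise-AND matching rule OID are the documented ones, and the account names it prints come from whatever domain it is run against.

```powershell
# Added audit example; assumes the ActiveDirectory (RSAT) module is installed
# and the caller can read the domain. Use -Server on Get-ADObject to target
# the resource domain (DomainB in the thread) if running from elsewhere.
Import-Module ActiveDirectory

# userAccountControl flag bits (documented ADS_USER_FLAG values).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any protocol")

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the values
# interpolate as decimal, which is what the filter syntax expects.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*))"

Get-ADObject -LDAPFilter $filter -Properties 'userAccountControl','msDS-AllowedToDelegateTo' |
  ForEach-Object {
    $uac = [int]$_.userAccountControl
    $targets = @($_.'msDS-AllowedToDelegateTo')

    # Constrained delegation is expressed by the target SPN list; the
    # unconstrained bit overrides it if both are somehow present.
    $mode = 'None'
    if ($targets.Count -gt 0) { $mode = 'Constrained' }
    if ($uac -band $TRUSTED_FOR_DELEGATION) { $mode = 'Unconstrained' }

    [pscustomobject]@{
      Name               = $_.Name
      Class              = $_.ObjectClass
      Delegation         = $mode
      ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
      # SPNs this account may delegate to; per the thread these must be in
      # the same domain as the account on Windows Server 2003.
      Targets            = ($targets -join '; ')
    }
  } | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Rows reporting Unconstrained are the ones Joe calls icky: such an account can obtain tickets to any service on behalf of any user who authenticates to it, so each one should have a documented reason to exist.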
RE: [ActiveDir] Vista GPO
I've got boatloads of customers, who do development themselves, who are rolling out Vista on production desktops. My staff and I have already become quite facile at loading up XP VMs to run the stuff that doesn't work on Vista.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

(as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?)

Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors who are saying "Wait". My two benchmarks of when I can say I'm somewhat business ready on Vista are when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?)

This is slightly incorrect...but the fact is SQL 2005 express officially needs sp2 to run on Vista http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

Wait Until after Tax Time? Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQS 2b=0j=NzQzNjgzNDcS1mt=1 and ProSeries Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQS 2b=0j=NzQzNjgzNDcS1mt=1.

Prudence Suggested for QuickBooks Users Too. Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons:
* Potential reliability issues often associated with the initial release of operating systems.
* Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista.

Laura A. Robinson wrote:
Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks?

Sincerely,
Deji
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Laura A. Robinson
Sent: Fri 12/15/2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all
RE: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Joe,

Thanks for your comments. Certainly using Basic is easier, and this is mostly what they are doing at the moment. I say mostly because I wasn't entirely upfront about the web server component in my original diagram. That is actually several dozen different web applications - some of which do not have an option to use Basic (either technical limitation -or- a security standard).

The aim of the project is to (a) see if transparent logons can be made available to users (i.e. via IWA challenges) and (b) see if SSO can be enabled (so users do not need to authenticate to different applications behind the proxy) and (c) get away from Basic Auth. So I'm going to have to keep looking at Kerberos related solutions :-)

Cheers
Ken
--
My Blog: www.adOpenStatic.com/cs/blogs/ken

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Joe Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: My understanding is that you can get the actual protocol transition logon to work, but you cannot use delegation (which is what you really need) because PT is tied to constrained delegation and it only works in a single domain, not even in multiple domains in a forest. Your understanding is basically correct.
:
: This is a documented limitation and not something I've played with personally, so I'm not sure if there is more to it than that.
:
: I honestly don't know if this can be made to work with unconstrained delegation/kerb auth in IIS, as I've never tried that either. However, giving out unconstrained delegation privileges is a bit icky.
:
: This may be one of those situations where it is easier to just pass the plaintext credentials around between the tiers using basic auth/SSL and such.
:
: Joe
:
: ----- Original Message -----
: From: Ken Schaefer
: To: ActiveDir@mail.activedir.org
: Sent: Tuesday, December 19, 2006 5:29 PM
: Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
:
: Hi Steve,
:
: Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used cross-forest? I thought protocol transition was tied to constrained delegation (in a user/computer account's properties, on the delegation tab there is an option that says "any protocol", but that's only available in the section for constrained delegation). If that's the case, then how can protocol transition work cross-forest?
:
: Cheers
: Ken
:
: --
: My Blog: www.adOpenStatic.com/cs/blogs/ken
:
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, 20 December 2006 12:37 AM
: To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: Cc: Ken Schaefer
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: If I understand your scenario correctly, in order for S4U2self (protocol transition) to work in this scenario you will need a 2-way forest trust. If you do not need S4U2self you can get by with the one-way trust.
:
: steve
:
: -- Original message --
: From: Ken Schaefer [EMAIL PROTECTED]
:
: Hi all,
:
: I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a walk in the park :-)
:
: I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).
:
: The situation I have is as follows:
:
: Client --- ISA Server 2006 --- Web Server --- App Server
:
: The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through. Or I can try to use Kerberos delegation.
:
: Now, ISA Server can use protocol transition, so that Client --- ISA Server can be something other than Kerberos (e.g. forms authentication), however Protocol Transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.
:
: On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across Forests though? I have read conflicting reports on this. I'm having some difficulty getting it working, so either the answer is no, or my skills aren't up to the task (probably the latter, in
[ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:
Download details: TechNet Magazine Active Directory Component Jigsaw Poster: http://www.microsoft.com/downloads/details.aspx?familyid=c236336d-ab43-44b1-ad6f-a2f668fb8c02displaylang=en

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
[ActiveDir] OT: Let's see how many wrong things are in this web site
http://utools.com/help/MovingSBS.asp

"SBS is limited to 5-20 users" -- try 75 users or devices.

"Because SBS does not allow a second domain controller, there is no supported way to back up Active Directory to protect against failure of the SBS computer."
--- Firstly, SBS supports additional domain controllers.. and has for years... as far as a supported way to back up AD... last I checked there's this new fangled thing called System State backup... kinda a reliable way to back up AD, last I heard... and in fact there's a SBS wizard that backs up the entire system.

"UMove is the *only* utility that can recover Active Directory when running a standalone Small Business Server."
--- my guess is there are some guys on this list that would disagree with that statement