[ActiveDir] OT: Network latency on VBScript-mapped drive letters.

[Laura E. Hunter]

So I have a VBScript that I use to map a network drive to a DFS share,
as follows:

strDriveLetter  = S:
strBaseDrivePath = \\domain name\dfs root\share name\
Set objNetwork  = CreateObject(WScript.Network)
objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
set objNetwork  = nothing

When I map the DFS root using a drive letter using this code in a
login script, I get isolated-but-consistent client reports of network
latency when opening or saving a file; Word/Excel/whatever will choke
up for a good 5 or 6 seconds at a time.

If I disconnect the script-mapped drive and access this resource from
the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.  It's not OS-specific as far as I can tell;
the machines currently reporting the latency are a handful of XPSP2
and 2KSP4 machines that don't have much else unique in common.

I've determined that it's not specifically DFS-related, as I've tested
mapping directly to the physical servername instead of the DFS
sharename and produced identical results.

Neither is it relevant that the script is being run as part of a login
script/GPO, as running the script manually from an affected desktop
also produces the same behaviour.

So it's either a VBScript thing, or it's something client-specific
that I haven't isolated on the half-dozen desktops that are
experiencing the issue.

Google has thus far yielded no joy, has anyone run into this before?

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

Re: [ActiveDir] Is ADAM free?

[Laura E. Hunter]

Free download for 2K3 or Windows XP (with some feature limitations on
the latter), integrated into R2 and later.

http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4displaylang=en

On 1/2/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Is ADAM free? If not, how much does it cost?

Thanks!
-James
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

Re: [ActiveDir] OT: M$

[Laura E. Hunter]

 Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$


being conciliatory is laudable, but I think you're missing the point.  It's
not wether anybody is offended or not -- the question is why does someone
come into a peaceful gathering casting offense.  Especially when it's not
necessary.  If someone deliberately spits on the dinner table, do you say
'oh, well, he didn't hit any plate, let's just forget it' ?  or even worse,
'he hit someone else's plate -- no worries.'





- Original Message -


From: [EMAIL PROTECTED]


To: ActiveDir@mail.activedir.org


Sent: Friday, November 10, 2006 9:08 AM


Subject: RE: [ActiveDir] OT: M$





I highly doubt that any MS employee takes offence at what is surely as
tongue in cheek expression.





Let's not get _too_ PC please :/





neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$


Just out of curiosity, what makes people think it's appropriate to refer to
Microsoft as M$ on an MS-focused mailing list whose participants include
Microsoft employees, Microsoft contractors, Microsoft MVPs and various other
people who may have a relatively positive view of Microsoft?





Laura






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?


This is the link to M$ to start with...very good info





http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp






--
Sincerely,
J




On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone.  After reading through a lot of the posts on this mailing
list, I realize I could make my job easier if I knew how to script.  I have
no experience in scripting, but would like to know what books do you
recommend as a beginner's book on scripting?  Also, I don't really know the
difference between WSH and VBScript, so if anyone could explain that, I'd
appreciate that.  After browsing through Amazon, I saw several books on WSH
and VBScript, but don't know where I should focus on.  I'm also open to
computer based training (CBT) videos of any exist.  Thanks in advance.





PLEASE READ: The information contained in this email is confidential and


intended for the named recipient(s) only. If you are not an intended


recipient of this email please notify the sender immediately and delete your


copy from your system. You must not copy, distribute or take any further


action in reliance on it. Email is not a secure method of communication and


Nomura International plc ('NIplc') will not, to the extent permitted by law,


accept responsibility or liability for (a) the accuracy or completeness of,


or (b) the presence of any virus, worm or similar malicious or disabling


code in, this message or any attachment(s) to it. If verification of this


email is sought then please request a hard copy. Unless otherwise stated


this email: (1) is not, and should not be treated or relied upon as,


investment research; (2) contains views or opinions that are solely those of


the author and do not necessarily represent those of NIplc; (3) is intended


for informational purposes only and is not a recommendation, solicitation or


offer to buy or sell securities or related financial instruments. NIplc


does not provide investment services to private customers. Authorised and


regulated by the Financial Services Authority. Registered in England


no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,


London, EC1A 4NP. A member of the Nomura group of companies.



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT: M$

[Laura E. Hunter]

As we find that, once again, the answer to all of the world's problems
is Blame Laura.  (Only make sure that you're blaming the -correct-
Laura, as we've just learned.) ;-)

- The Other Laura, wondering how on Earth she got dragged into this. :-)


On 11/15/06, Rich Milburn [EMAIL PROTECTED] wrote:




No you don't understand… Laura Hunter really has a web site called
www.shutuplaura.com – did you click on it to see?  And he was trying to be
ironic, but had the wrong Laura.  I admit I didn't get it at first either, I
read that line and my jaw dropped a little, because I tend to agree somewhat
with Laura R and respect her intensity for the subject and thus thought that
was a bit harsh … but I forgot about that site and the other Laura J



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT: M$

[Laura E. Hunter]

You're not a fake employee, I've seen you.  :-)  BrettSh, too.

It's that Stuart Kwan guy whose existence I'm doubting.


(Come on, was that enough to inspire the rarity that is a Stuart Kwan
ActiveDir post?  Please? PLEASE?!?!?!?!?!?!?!?!?!?!?  ;-))

On 11/9/06, Eric Fleischman [EMAIL PROTECTED] wrote:




Not that I really care if people say M$ or not, but I thought I'd comment on
one thing, in the name of full disclosure….



My participation on this list has __nothing__ to do with money. I don't get
compensated on any level for this. Heck, I don't even work on AD anymore, so
this is like 2 degrees of separation away from anything that MS compensates
me for.



So, is MS out to make $? Sure.

Is AD part of that money-making strategy? Sure.

Does that have anything to do with MS employee participation on this list? I
don't think so. Others (at least those that I can recall posting here as I
type this mail) on this list fall in to the same boat. A couple of them
don't work on AD anymore either.



Why do I hang out here? I do it because I care about customers and about
AD/ADAM. It has nothing to do with my salary.

It's also why I still blog about AD, answer newsgroup questions, answer
internal questions (DLs, PSS, MCS, other PGs, etc.), handle direct emails
from a myriad of non-MS people (some I know, some are totally out of the
blue), fix code for people that ask for help, etc. I don't get paid for any
of this.



~Eric

Borg #145719302





Insert conspiracy theory here about how this whole mail is a lie and the
man actually wrote it on behalf of the fake employee that goes by Eric
Fleischman









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Vinnie Cardona
Sent: Thursday, November 09, 2006 11:30 AM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$





I believe we all know that your statement is correct like any other big
company they are out to make $, what I inferred from what she was implying
(did I get that right?J) is that although we all know that Microsoft is not
perfect (…anyone want to cast the first stone?)…a grey-toned comment made on
this mailing list is probably not appreciated…especially when this mailing
list is used to help others.  I'm sure there are a myriad of other forums to
take your personal opinions to.





--vC





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Condra, Jerry W Mr HP
Sent: Thursday, November 09, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$



I have a mostly positive view of M$ and like their products. Heck, I'm
certified in their products. But that doesn't make them inexpensive and like
any other big company they are out to make $. J





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Laura A. Robinson
Sent: Thursday, November 09, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$




Just out of curiosity, what makes people think it's appropriate to refer to
Microsoft as M$ on an MS-focused mailing list whose participants include
Microsoft employees, Microsoft contractors, Microsoft MVPs and various other
people who may have a relatively positive view of Microsoft?





Laura






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?


This is the link to M$ to start with...very good info





http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/scriptinga.asp






--
Sincerely,
J




On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone.  After reading through a lot of the posts on this mailing
list, I realize I could make my job easier if I knew how to script.  I have
no experience in scripting, but would like to know what books do you
recommend as a beginner's book on scripting?  Also, I don't really know the
difference between WSH and VBScript, so if anyone could explain that, I'd
appreciate that.  After browsing through Amazon, I saw several books on WSH
and VBScript, but don't know where I should focus on.  I'm also open to
computer based training (CBT) videos of any exist.  Thanks in advance.







--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] [OT] Best. KB. Article. Ever. (done in the voice of the Simpsons comic book dude, naturally)

[Laura E. Hunter]

http://support.microsoft.com/kb/228001

Network Adapter Does Not Work if Unplugged

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

Re: [ActiveDir] OT: TechED 2007

[Laura E. Hunter]

The transportation at Tech Ed Boston 2006 made insert name of poorly
orchestrated event, take your pick, really look like a well-oiled
machine.

And that would be why I just booked the hotel that's directly across
the street from the Orlando Convention Center.  No busses for me this
year, no way.

- Laura

On 10/19/06, Tim Vander Kooi [EMAIL PROTECTED] wrote:




It was beautiful weather there for TechEd 2000. I had thought that the
transportation was less than great, but after Boston this year it wasn't bad
at all in retrospect.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Akomolafe, Deji
Sent: Thursday, October 19, 2006 12:35 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007






I hope you are kidding. Orlando was The.Worst.TechEd.Ever





Muggy as hell.







Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon






From: Mark Parris
Sent: Thu 10/19/2006 9:49 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: TechED 2007
4-8th June

Regards,



Mark Parris



Base IT Ltd

Active Directory Consultancy

Tel +44(0)7801 690596





-Original Message-

From: Figueroa, Johnny [EMAIL PROTECTED]

Date: Thu, 19 Oct 2006 08:38:12

To:ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] OT: TechED 2007





Any dates?



-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of
Mark Parris

Sent: Thursday, October 19, 2006 4:29 AM

To: ActiveDir.org

Subject: [ActiveDir] OT: TechED 2007



It's Florida !





Regards,



Mark Parris



Base IT Ltd

Active Directory Consultancy

Tel +44(0)7801 690596

List info   : http://www.activedir.org/List.aspx

List FAQ: http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx

List FAQ: http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx



[EMAIL PROTECTED])




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
[EMAIL PROTECTED]   ��V�r�y���-�÷Š¹ï¿½ï¿½V��+�v*��

Re: [ActiveDir] [OT] Exchange 2007 Schema

[Laura E. Hunter]

Oh come on, just go ahead and stick the changes in.  It's a Microsoft
product, how bad could it -possibly- be?  :-)

On 10/6/06, joe [EMAIL PROTECTED] wrote:

You are definitely funny Brett, some would just argue whether it is in the
ways you think. =)

I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in
fact. But with the crazy that can only be Brett hairdo, not the big boy
hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks
with specific agreements with MSFT to bail you out in the event of a nasty
fire, you probably shouldn't be installing heavily AD integrated beta
products into your production forest. I would assume that
ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT
have the necessary support agreements in place. :) Plus they have Brian, not
much he isn't going to be able to fix by himself I think.

 joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...


On Thu, 5 Oct 2006, Tony Murray wrote:

 Hi all

 There are apparently schema changes post Beta 2 - just in case anyone was
considering pre-loading the schema changes into production [1].

 I don't have any further details on what the changes are.

 Tony

 [1] Which of course you wouldn't contemplate with a Beta product :-)




 
 Sent via the WebMail system at mail.activedir.org




 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Groups membership question

[Laura E. Hunter]

Can memberof.exe do this?  (Another joeware gem.)  I've never tried to
run it against multiple domain memberships, but I know it chases
nested memberships beautifully - if I'm not mistaken, that's why joe
originally whipped it up.

- Laura

On 10/11/06, Aaron Steele [EMAIL PROTECTED] wrote:




I have one for you guys. I have been puzzling over for a while. Seems
simple, but I haven't found a good solution.



Domain A one way trusts Domain B



Group in Domain A, contains members from Domain B.



Enumerate groups in Domain A, include membership for all members in Domain
B.

Or for the real answer.  Find user in Domain B, and tell me all group
memberships from Domain A and Domain B.



Any ideas? I've tried adfind queries, I've visited the windows scripting
center and am at a loss.



Thanks for your help.



/aaron



Aaron Steele

Mobile: 773.580.8099

[EMAIL PROTECTED]

Main: 312.334.1900Fax: 312.224.4789

_

pointbridge.com

-   Microsoft's 2005 Advanced Infrastructure Partner of the Year

-   Microsoft's 2005 Exchange Solution of the Year Winner





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: wikis

[Laura E. Hunter]

/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

[Laura E. Hunter]

For no good reason other than a pure hunch, I find myself betting on
Dallas.  (I like Austin better as a city, but DFW provides better
airport coverage.)

It's been on the East Coast for 2 years running, so I would imagine
it'll be somewhere Midwest-ish.  (Chicago's not outside the realm in
that case.)  The largest planning issue in the States is the airport
question - you want to be sure that it's being held in a city with a
hub airport so that international attendees aren't trying to make
multiple connecting flights. So think Chicago, Dallas, Raleigh-Durham,
Atlanta, San Francisco, etc.

On 10/10/06, Brian Desmond [EMAIL PROTECTED] wrote:

Chicago is one...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: A short and sweet KB

[Laura E. Hunter]

Or a corrolary KB to that one:

What you are trying to do is downright foolish.  Please stop.

On 10/10/06, Dmitri Gavrilov [EMAIL PROTECTED] wrote:




Do you mind writing a KB with the following content:



Whatever you are trying to do is not supported.



It would be a great KB to refer folks to. I really need it quite often. I
would memorize the KB number. Hell, I would include it into my signature.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Tuesday, October 10, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: A short and sweet KB




LOL that is great...



I have thought about using my MVP Super Powers to write small KBs like that
in the past so I could point at it for people to read when I said something
simple that isn't specifically documented but they wanted to see documents
on Microsoft's site stating what I said... In the end I didn't do it
because, well it just doesn't seem right. ;)



  joe




--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm










From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al
Mulnick
Sent: Tuesday, October 10, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: A short and sweet KB

It's tough to decide what to do with so much information.  The symptoms or
introduction section really does overload one's information bucket. :)


On 10/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

Do not run a service by using a service account that belongs to a
different domain:
http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] FIle/Folder ACL's(OT)

[Laura E. Hunter]

Go to the Technet Script Repository and browse around. You'll see a
number of examples of how to enumerate and loop through all disk
drives on a particular system.

On 9/18/06, Tom Kern [EMAIL PROTECTED] wrote:


Actually, the real issue with these scripts, is that how does cacls.exe know
how many drives are on each server?

Say one server has a C: partition while another  has a C: and E: and
F:,etc.

How can I accurately enumerate all perms on all folders/files on all these
servers/paritions via a vbscript?

Thanks again.


On 9/18/06, Tom Kern [EMAIL PROTECTED] wrote:


 Thanks.

 What would be the best readable format to dump it to(for management).?






 On 9/18/06, Brian Desmond [EMAIL PROTECTED]  wrote:
 
 
 
 
 
  The Cacls command line tool and a VBScript to walk the tree (using
FileSystemObject) will do the trick. ACLs aren't really spreadsheet type
data IMHO.
 
 
 
  Thanks,
 
  Brian Desmond
 
  [EMAIL PROTECTED]
 
 
 
  c - 312.731.3132
 
 
 
 
 
 
  From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tom Kern
  Sent: Monday, September 18, 2006 1:49 PM
  To: activedirectory
  Subject: [ActiveDir] FIle/Folder ACL's(OT)
 
 
 
 
 
  Can someone direct me to a vbscript that I can run remotely which will
dump the ACl's of all file/folders on a bunch of remote servers(250) to a
central Excel spreadsheet?
 
 
  I assume using wmi.
 
 
 
 
 
 
 
 
 
 
 
  Thanks, sorry for the bother but I can't seem to be able to google
anything deifinitive on this.
 
 
 
 
 
 
 
 
 
 







--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: Interview Techniques

[Laura E. Hunter]

*
  [EMAIL PROTECTED] wrote:
  
   I've got no second thoughts about being an asshole
  during a tech
   interview. I ask the question, you either answer
  it or tell me you don't
   know. If you choose not to tell me you don't know
  and demonstrate that
   you don't know through what you tell me instead,
  I'm already pretty much
   through. If you're arrogant like this candidate
  you describe, I'm likely
   through as well.
  
   My favorite exchange as of late goes like this:
  
   Me - Tell me a little bit about your experience
  migrating Exchange 5.5
   orgs to 2003
   Them - blah blah blah
   Me - Ok, can you name the three types of
  connection agreements in the
   ADC?
   Them - well uh blah blah well uh excuse excuse
   Me - other questions
   Me - So would you be comfortable migrating a 10K
  user 5.5 org to 2003?
   Them - Absolutely
   Me - How can you be comfortable doing that when
  you can't even explain
   the first step of the migration to me?
  
  
   In any case, others have put some really good
  advice here. What you want
   in a technical lead is someone who can get their
  hands dirty without
   getting scared or screwing up. They should also
  have no second thoughts
   about delegating work and asking their
  subordinates for help. That
   person needs to be able to deal with upper
  management, and they also
   need to make sure their self esteem is in check -
  none of that I did X
   when all they did is watch. Hiring your new
  manager can be a little
   difficult on both sides from the point of view of
  why wasn't someone on
   your team promoted to that position?
  
 


 __
 Do You Yahoo!?
 Tired of spam?  Yahoo! Mail has the best spam protection around
 http://mail.yahoo.com
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] All Accounts Locket Out -- Including Domain Admin

[Laura E. Hunter]

The built-in administrator account should still be accessible (if
you've renamed it, log on using the renamed friendly name) - you can
log on using that to troubleshoot the issue.

To quickly unlock your accounts, go download joe's unlock utility from
www.joeware.net.

On 7/5/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi,

I have a critical situation here. Suddenly all domain accounts locked
out including domain admins account.

What should i do? Is there any information which could be helpful.

Thanks
--
Ravi
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Ammunition, please!

[Laura E. Hunter]

Off the top of my head, I might recommend searching the phrases
physical security and domain controller on the microsoft site.

The first hit returned on such a search is
http://technet2.microsoft.com/WindowsServer/en/Library/05db0f72-0e18-453b-b294-49cfc8f9d6d21033.mspx?mfr=true,
which includes the phrase In addition, ensure the physical security
of domain controllers in hub locations so that unauthorized personnel
cannot access them. Do not place domain controllers in a location in
which you cannot guarantee the physical security of the domain
controller.

And that was just the first hit on the results page.


On 6/28/06, Larry Wahlers [EMAIL PROTECTED] wrote:

I am being asked to install a single server in a remote location (about
20 miles from here, 20 users) that will be a DC for our entire network,
running DHCP and DNS, acting as a file server and print server for this
remote location. And, this server will be in an unlocked rack in a
semi-public area where literally anyone could gain physical access to
the box. At the very least, the 20 employees will be walking past it
every day.

There are many red flags about this scenario. I can think of a few. But,
what I need is documentation from an *external* source that tells
management just how bad an idea this is. After all, they won't believe
me, but they might believe an expert.

At the very least, I would want the rack in which this server is placed
to be locked 24/7. Better would be a locked room.

All help welcomed with many thanks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] pw reset domain account

[Laura E. Hunter]

I don't even need to give you a black hat tool scenario, just a human one:

You're checking your Event Logs one day and see that
DOMAIN\SharedAccount has accessed a file share that it shouldn't have.
Given the fact that everyone in your enterprise has the password for
DOMAIN\SharedAccount, how are you going to determine who did it?
Since there's no way to do so, you reset the SharedAccount password
and re-communicate it to your userbase. (How are you doing that, by
the way? The method to do so will unavoidably be either [a] awful to
manage, [b] inherently insecure in itself, or more than likely both.)

Then you're monitoring your log files a few days later and notice that
the SharedAccount account has accessed another file share that it
shouldn't have. Given the fact that everyone in your enterprise has
the password for SharedAccount, how are you going to determine who did
it?  Since there's no way to do so, you...

...repeat until insane.

I'm being humourous in my response, but please don't let that take
away from the larger point, which is that that's a horribly insecure
way to implement a solution like that - if that were the vendor's
recommended implementation, I'm thinking I'd run -far- in the
opposite direction.

Don't the Quest and/or NetPro self-service password tools write a hook
into the GINA to alleviate the I don't know my password, so how do I
log on to reset my password? question? *waits patiently for a
vendory-type person on the list to fill in details I don't have*

Laura


On 6/25/06, AWS [EMAIL PROTECTED] wrote:


There's a proposal at my company for a self service password reset website
which uses a shared domain account. It's similar to a kiosk configuration,
but the intent is to publicize the account and password so that it can be
used from any users' pc when needed.

They have an account-specific OU/GPO configuration which locks down the
typical stuff you would expect, but my position is that there are too many
unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone
have any thoughts on how a globally known domain account could be hacked
upon? Conversely, is there any way such an account could be effectively
locked down?

Thanks,
AW



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] DC Configuration

[Laura E. Hunter]

.

 Any thoughts, opinions, suggestions?

tia, al
 --

 Al Lilianstrom
 CD/CSS/CSI
 [EMAIL PROTECTED]
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


 --
 No virus found in this incoming message.
 Checked by AVG Free Edition.
 Version: 7.1.394 / Virus Database: 268.9.2/370 - Release Date: 6/20/2006


 --
 No virus found in this outgoing message.
 Checked by AVG Free Edition.
 Version: 7.1.394 / Virus Database: 268.9.2/370 - Release Date: 6/20/2006


 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

[Laura E. Hunter]

Based on the trace you posted, I'm also raising an eyebrow about your
SMB signing levels. IE, you may have SMB signing mandatory on the
server service on the 2K3 boxen, while SMB signing isn't enabled on
the client service on the 2K box. Look for mismatches in the following
two settings on both the 2K and 2K3 box:

Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)

- Laura E. Hunter


On 6/20/06, Al Mulnick [EMAIL PROTECTED] wrote:


Shot in the dark, but can you reboot the 2K dc and try again/check for
errors?




On 6/20/06, Al Lilianstrom [EMAIL PROTECTED] wrote:
 Al Mulnick wrote:
  I'm with joe on getting that network trace.  I'm curious if replication
  has been working and if you made any adjustments for having a windows
  2000 dc in a W2K3 environment? Any other applications?
 

 Replication is working - both AD and FRS. GPOs apply. Everything seems
 to work except for the ability to access the admin$ share on the w2k3
 DCs so that I can demote the machine cleanly and remove it from the
domain.

 The trace is in my message sent around 11:00am Central.

 No other apps running.

 
  On 6/20/06, *joe*  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  wrote:
 
  What do you see in the network trace? Is it attempting the
  connection? Is it
  establishing the TCP/IP connection and then blowing out in the
NetBIOS
  handshake? Does it get through the handshake and then fail?
 
 
  --
  O'Reilly Active Directory Third Edition -
  http://www.joeware.net/win/ad3e.htm
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]
  [mailto: [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]] On
Behalf Of Al Lilianstrom
  Sent: Tuesday, June 20, 2006 10:53 AM
  To: ActiveDir@mail.activedir.org
mailto:ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3
  domain
 
  Al Mulnick wrote:
Denying access?  Hmm so logged on to the w2K machine you
can't
access the admin$ share of either of the DC's right?
 
  Correct.
 
  I can access any member server admin$ share from the w2k machine. I
can
  access the w2k3 DC admin$ share from any other w2k3 machine in the
  domain.
 
  I just can't access the w2k3 DC admin$ share from the w2k DC.
 
 al
 
   
On 6/20/06, *Al Lilianstrom*  [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
  mailto: [EMAIL PROTECTED] wrote:
   
Robert Rutherford wrote:
  Hi,
 
  It does sound like our old pal DNS.
 
  If you run a dcdiag and netdiag, do they both run clean?
  If not
  then
  please post the results.
   
Both clean. Every test I can think of comes up clean. The
  only real
symtom was in the orginal message - lack of admin access to
  the w2k3
  DCs
from the w2k DC. Checking the event log on the w2k3 DC I see
the
computer and user log in and out successfully. Just something
  denying
access.
   
  If all is clean and it's a test environment then pull it
and
clean it up
  with ntdsutil et al.
   
Sounds like a fun way to spend the morning. :-)
   
   al
   
  If it's a new situation then just replicate and see if you
  still
  have
  the issue. I have always found a couple of hours helps
  many ills.
 
  BR
 
  Rob
 
  Robert Rutherford
  QuoStar Solutions Limited
 
  The Enterprise Pavilion
  Fern Barrow
  Wallisdown
  Poole
  Dorset
  BH12 5HH
 T:  +44 (0) 8456 440
331
  F: +44 (0) 8456 440 332
  M: +44 (0) 7974 249 494
  E:[EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]
mailto: [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED]
  W:www.quostar.com http://www.quostar.com
  http://www.quostar.com 
  -Original Message-
  From: [EMAIL PROTECTED]
  mailto: [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
  mailto: [EMAIL PROTECTED]
 
[mailto:[EMAIL PROTECTED]
  mailto: [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
  mailto: [EMAIL PROTECTED]] On
Behalf Of Al
  Lilianstrom
  Sent: 19 June 2006 20:52
  To: ActiveDir@mail.activedir.org
  mailto:ActiveDir@mail.activedir.org
mailto: ActiveDir@mail.activedir.org
  mailto:ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Problem removing

Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

[Laura E. Hunter]

Well would you look at that? Seems that I'm moving up in the world. ;-)

On 6/20/06, joe [EMAIL PROTECTED] wrote:

That's scary. Laura and I agree on something. ;)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] RDP Over SSL (No Security tab in Client)

[Laura E. Hunter]

If you're not getting a Security tab on your clients, update their
client RDP software from the 2003 R2 CD (I think that 2003 w/SP1 will
do as well, but I don't have a representative box in front of me to
confirm.)

On 6/16/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi All,

I have configured RDP Over SSL and its working fine when i tested it
from my Servers using tsmmc.msc

Whereas when i am trying to install a client (RDP 5.2) it is not
giving me any option to select Authentication Mode (Require
Authentication) in the client installed.

What should i do to resolve the issue.

Attached are both snapshots.
I am getting it without security tab. it should be with security tab
as shown in snapshots.

--
Thanks and Regards
Ravi Dogra
9899647200






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: WMA Files

[Laura E. Hunter]

R2 gives you the new File Screen templates, which let you allow/deny
users saving files of particular file extensions to network drives.
You can either create a soft screen that will only log violations,
or a hard screen that will actually prevent the user from saving the
errant file.

It's only based on the .??? file extension, so a savvy user could
rename song.wma to song.txt and save it. (But if that behaviour were
taking place, I would consider it more of an HR issue than a technical
one.)

Technet mag did a nice write-up of it in May:
http://www.microsoft.com/technet/technetmag/issues/2006/05/GetControl/default.aspx



On 6/16/06, Salandra, Justin A. [EMAIL PROTECTED] wrote:




How can I make is to that users are unable to send WMA files to their user
drives?



Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Active Directory Cookbook 2e

[Laura E. Hunter]

Go buy the new edition, all the cool people are doing it!  ;-)

But seriously, folks, there's some pretty nice changes in existing
content as well as a bunch of new stuffs. We tried to add at least a
handful of new recipes in each chapter, as well as updating the
existing recipes with command-line stuff (lots of adfind/admod) as
well as fixing various errata.

The new content is a chapter on Exchange (mostly courtesty of joe), a
chapter on MIIS from Gil Kirkpatrick and Steven Plank, and a chapter
each on ADAM, ADFS, and the new File/Print stuff in R2.

I for one think that it's a substantial update to the
already-wonderful 1st Edition. Robbie found me a wonderful group of
reviewers - joe and Al Mulnick in particular kicked my butt from here
into next week during the TR process.  Also much good help from TonyM,
RBuike and Rick Kingslan, and Darren Mar-elia kept us all honest on
the Group Policy chapter.

So anyway.  Go buy it so that I can afford that new yacht I've been
eyeing up lately.  ;-)

- Laura



On 6/14/06, joe [EMAIL PROTECTED] wrote:


Laura will have to stop by and explain what has really changed. However I
know that the chapter I wrote for the Windows Server Cookbook for Exchange
tasks got pulled into it and extended (and probably some corrections as
well). That same chapter went into AD3E as well but I trimmed it down
considerably for AD3E as the format didn't fit right. Obviously it fit
perfectly for the AD Cookbook.

I believe there is an ADAM chapter now.

I am sure some errata got input as well as issues I and probably others
found on the second pass that we didn't find on the first or maybe we did
find on the first but for some reason or another didn't make it into the
final. (that never happens smirk)

Ummm I know Laura added a ton of adfind/admod examples because she would
write me an email every week with a list of questions for the week and I
would respond to it for her. Plus if I saw places it could be added in the
chapters themselves I put in notes for her.

Sheeoot. I used to know what was changed as I reviewed the darn thing and
was doing Word compares between the chapters but I'll be darned if I can
recall everything now... I must be gettin' old.

I recall Laura was really busting ass on it.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Mark Parris
Sent: Wednesday, June 14, 2006 7:10 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbook 2e


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbook 2e




I have had a look at the O'Reilly website and cannot see what the
differences between the 1st and 2nd editions are. Is it Errata or new
content?



So I am now wondering – why should I buy this, apart from the Authors and
the Blue Fin Tuna on the front?





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tony Murray
Sent: 14 June 2006 06:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbook 2e



…is now out.



http://www.oreilly.com/catalog/activedckbk2/



TonyThis communication, including any attachments, is confidential. If you
are not the intended recipient, you should not read it - please contact me
immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it. Thank you. Please note that
this communication does not designate an information system for the purposes
of the Electronic Transactions Act 2002.




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Domain Controller - Location Move

[Laura E. Hunter]

A good place to start is the following checklist that Jorge posted awhile back:

How to move a DC to another site?:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx

There have also been a number of discussions that you can find in the
list archives: http://www.activedir.org/ml/threads.aspx

HTH

Laura

On 6/8/06, Contreras, Robert [EMAIL PROTECTED] wrote:



Hello everyone,

Simple question - just want to verify:

Single forest\single domain comprised on 2 domain controllers physically in
one location.  We would like to physically move one of the domain
controllers (the 2nd one promoted) to a new location (eventually both -
during the complete data center relocation).  The DC will most likely change
IP's after the move - so configuring a site in the new location and
assigning the appropriate  subnets for the new location is important -
anything else other than shutting it down and bringing it over?

Thx!
RC










--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] OT: Security Policy Thoughts

[Laura E. Hunter]

The thing I'm not wild about with third-party clients (OSX etc.) is
that they often don't play well with security features like SMB
signing - if the Macs are hitting a Windows file server, most of the
Apple documentation will tell you to turn it off entirely.  Similar
things can also happen if you've got Windows clients needing to hit
Samba shares.

It's really just one of those basic tenets: complexity is the
arch-enemy of security, etc. etc.

- Laura

On 6/8/06, Noah Eiger [EMAIL PROTECTED] wrote:




Thanks, Brian. Don't you sleep? It's late in Chicago ;-)



802.1x is the direction they are heading. Right now, it is cost-prohibitive.
So the question is less can I control this access but should I? Is that
over-reacting?



Again with the VPN. My thoughts were to push it with an MSI, so I see how to
control its distribution. The question is should I limit it to just the
domain computers? How big is the risk? If the risk from home computers is
virus and malware, how do I justify preventing folks from running it on
their home Macs?



Thanks.



-- nme





From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 07, 2006 10:43 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts





My suggestion is that you implement 802.1x port auth to implement port based
authentication. You can use this to implement guest vlans with the policy
routing you describe.



Isn't the Cisco VPN a MSI? Use Group Policy or SMS if you have it. You can
do some NAC stuff with Cisco VPN as well as the personal firewall built into
it.



I don't see how you plan to prohibit OS X at least – put it on the guest
vlan if you must, but, realize that the marketing, pr, etc people may live
in a Mac world.




Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts



Hi:



I am facing some IT policy questions and wanted to get some perspectives. In
each of these areas, I am trying determine how restrictive I need to be. The
client has four sites connected over high-speed links. I have good backing
from management but will undoubtedly get resistance on some of these.



The client is small, under 200 employees with most in one office. Some small
field offices are not managed (i.e., have workgroup networks, often with a
small server, but no AD). There are no SOX requirements and the data are not
sensitive (e.g., no credit cards). Almost entirely Windows XP; all DC's run
W2k3.



Any thoughts on these topics welcome.



Connecting to the wired network. They do not run any IDS or machine-based
authentication. Given that, written policy carries some weight. I want to
require all non-domain machines to connect only to a public VLAN that goes
only to the Internet. I would apply this even to staff personal computers,
those of contractors (including me), and machines from those field offices
that are not on the domain.



VPN. They run a Cisco VPN. I want to distribute the client only to
domain-based machines. Others want the client for their home computers, etc.



Other Operating Systems. I don't want to allow other OS's on the network,
unless we manage them. But what is the threat posed by a Linux or OS X box
on the network?



As always, many thanks.



-- nme







--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006



--
No virus found in this incoming message.

Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006



Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006





--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] Machine Psswd Age

[Laura E. Hunter]

Or you could just use OLDCMP.  (www.joeware.net)  Why roll your own
when joe's already done the work?  :-)

On 5/24/06, Brian Cline [EMAIL PROTECTED] wrote:

So if I wanted to write a utility to seek out stale computer objects in
the domain that were never properly unjoined, could I simply look at
each computer's pwdLastSet attribute? And mayhaps use a value more than
30 days (as we have a few traveling laptops), perhaps 90 or 180?

--
Brian Cline


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday 24 May 2006 11:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

30 Days

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Za Vue
 Sent: Wednesday, May 24, 2006 11:04 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Machine Psswd Age

 Anyone know how often machine passwords are renew/reset in the domain?

 -Z.V.

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-
 archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] DNS on a DC or NOT

[Laura E. Hunter]

On 5/17/06, joe [EMAIL PROTECTED] wrote:


But enough about DNS, I don't speak about services that start with D. You
have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You
get the drift. ;)



Doesn't 'Exchange' start with an 'E', though?  Or are we dismissing
that as an Off by 1 error?

Laura
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir][OT] DNS on a DC or NOT

[Laura E. Hunter]

BTW, anyone know what a mucker is? I am trying to figure out if I am
supposed to be morally outraged. eg

 joe



I use mucker as a compliment, but in my vernacular it's used in
reference to a semi-skilled hockey player whose lack of scoring
ability is balanced by his ability to check an opposing player into
sometime next week.

So I guess what I'm saying is...draw your own conclusions.  :-)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Intermittent 680 events.

[Laura E. Hunter]

So this one is puzzling me.

Brand new 2003 R2 AD, all XPSP2 workstations.  A few user accounts are
getting continually locked out with Event 680, error code 0x006a
(invalid password.)

The usual culprits don't seem to be at fault since there are no
services or scheduled tasks running under the credentials that are
getting locked out. It also doesn't seem to be workstation-specific,
since the account lockouts follow these unlucky few from one
workstations to another.

Turning up USERENV logging to the Oh holy schnikes that's going to
generate a lot of entries setting on the PDCe produces entries such
as the following:

04/27 14:05:23 [LOGON] DomainNetBIOSName: SamLogon: Transitive
Network logon of DomainNetBIOSName\User1 from
WorkstationNetBIOSName (via MemberServerNetBIOSName) Returns
0xC06A

as well as

04/27 14:06:56 [LOGON] DomainNetBIOSName: SamLogon: Network logon of
DomainNetBIOSName\User2 from WorkstationsNetBIOSName Returns
0xC06A

In both cases, the bad password event was generated from the correct
workstations while the users were logged on interactively.

The only KB I found that was even -close- to relevant (305822) talked
about disabling the XP Welcome Screen, which isn't in use here.

This doesn't feel like a password attack is going on, but I can't
figure out where these errant bad passwords are coming from, or what
else is distinguishing these few accounts from their counterparts who
aren't experiencing lockout fun.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] exporting list of members of a security group

[Laura E. Hunter]

Try:

dsget group GroupDN -members -expand  foo.txt

On 5/2/06, Antonio Aranda [EMAIL PROTECTED] wrote:

Is there a way to export to text file a list of the members of a security
group?

Thanks

Antonio


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] logging users out

[Laura E. Hunter]

If you're dealing with XP boxen, you can also look at the XP Shared
Computing Toolkit, it has an automatic logout function as well as a
logout after X minutes of idle time dealie.  You can deploy it to
standalone machines or to AD-joined machines using GPO.

On 4/27/06, joe [EMAIL PROTECTED] wrote:

Review the sysinternals EULA... It has come to my attention it has changed
recently and it may make it a little more difficult to use these tools.

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, April 24, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] logging users out

On Mon, 24 Apr 2006 08:08:08 +0200, Ulf B. Simon-Weidner wrote
 Did you try shutdown.exe? The parameters /l /f /t 3600 allow you to
 time it for an hour after executing it, and to force a logoff. No need
 to script around using additional timers or scripts.

Same functionality, but for me more comfortable in use - psshutdown.exe from
www.sysinternals.com

--
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] List problems - resolved

[Laura E. Hunter]

Hey Tony, did you know that the list was broken for like 4 days?

*runs FAR away*  :-)

- Laura

On 4/11/06, Tony Murray [EMAIL PROTECTED] wrote:



 You will have noticed that messages are now coming through again.   The
 problem has been resolved and all should be back to normal.  Any emails sent
 to the list during the outage will not have been queued, so please send
 again.



 Thanks to the 732 of you who alerted me to the fact that the list was not
 operational J



 Tony

 This communication, including any attachments, is confidential. If you are
 not the intended recipient, you should not read it - please contact me
 immediately, destroy it, and do not copy or use any part of this
 communication or disclose anything about it. Thank you. Please note that
 this communication does not designate an information system for the purposes
 of the Electronic Transactions Act 2002.





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

[Laura E. Hunter]

Hmmm, trying to figure out how to make the logistics of a Sydney
junket work.  The European contingent would be flying east via
Heathrow/Frankfurt/deGaulle--Hong Kong--Sydney or something, while
the damn Yankees would fly west via LAXI suppose we could all meet
up in Hong Kong and start from there, but oh -my- would that be an
exercise in herding cats.  :-)

As for what to talk about?  It may sound like a cop-out to say The
stuff you talked about in the slide deck, but it's not, really.  The
people who were dazed by jadonex talking a mile a minute about group
caching and app partitions and what not would probably have a big
collective AHA! Gestalt moment if we rolled up some corresponding
VPC exercises where everyone could see the stuff in action.  Example:
do a lab where you actually get to see the creation of the phantom
objects that are managed by the IM, and maybe you get half the room
saying Wow, I've been reading about the IM/GC interaction for 3
years...but never really grokked it until now.

That's just a hip-shot first thought, anyway.

- Laura


On 4/2/06, joe [EMAIL PROTECTED] wrote:
 Yes, Tony should have been there. That was part of my idea about Sydney. If
 he was still not present we could take a puddle jumper over to NZ and drag
 him out kicking and screaming. Plus I have a lot of friends I made in NZ and
 Australia from back when I worked with XYZ Widget company that really want
 me to come down for beers. I figure I could get a multimonth vacation out of
 it until the Aussie authorities chased me down and booted me out. :o)

 Would also like to see physical presence of -ajm, ~Eric, Garage Door
 clicker, DmitriG, and several others that I can't bring to mind this exact
 second.

 Yes tacit acceptance, that would be pretty accurate. :o) Start talking about
 First Class airfare, suites, and also flying in our posse's and we could
 move up to just about maybe[1]. BFEG Watch out Tony, Gil can certainly
 twist an arm, I still can't use chopsticks with my right hand
 thankyouverymuch and you do NOT want to see me eating with chopsticks with
 my left hand, Yum Talay flying all over the place g

 I guess that also brings up the topic of if people had Dean and I in a room
 together again what would you want to hear about? I saw several comments of
 doing the pre-session but again, what would you want to see and/or hear
 about? One of the big things that slowed Dean and I down on this was the
 fact that we couldn't think of anything we thought people would be
 interested in hearing about. Maybe we should just pick up with where we left
 of with our slide deck from this year? Seriously though, folks should be
 pretty familiar by now with Dean and I and what we talk about in posts etc,
 what things would you want to hear from us in a presentation? I think the
 presentation name will have to be something like Humour, Opinions, and
 Serious Tech 2007 but what goes into it?

 I expect the other speakers wouldn't mind this kind of feedback as well.
 Well except for maybe Wook, not sure anyone could be as creative as Wook in
 topic selection for his technical session.

  joe


 [1] Of course I am sort of kidding around here. :)


 --
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Quiet? DEC? Related?

[Laura E. Hunter]

 of it was spent
 showing Guido how US slot machines worked in the Belagio. $20 was spent when
 I was passing a $1 Wheel of Fortune progressive slot on the way to the rest
 room because it called out to me and said it would make me financially
 independent for the rest of my natural born life (it lied), and finally $20
 was spent while I sat at a bar playing Jacks or Better waiting on Dean and
 company to go to dinner not realizing that they didn't see me sit down next
 to them and were waiting on me to get there. I was up $80 bucks on that
 thing and then gave it all back.


  joe (The joe of the Dean and joe show, the j in www.jadonex.com)


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
 Sent: Wednesday, March 29, 2006 6:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quiet? DEC? Related?

 Just wrapped up Day 3. 530 people. General consensus is that it was the best
 DEC ever. More to follow when I can type on something bigger than a credit
 card.

 -gil


 -Original Message-
 From: Ayers, Diane [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
 Sent: 3/29/06 1:23 PM
 Subject: RE: [ActiveDir] Quiet?  DEC?  Related?

 Maybe we should ask a question on the merits of doubling down on an 11 when
 the dealer has a face card showing...  :-)

 Diane

 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
 Jorge de
 Sent: Wednesday, March 29, 2006 9:35 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quiet? DEC? Related?


 Don't worry we're still here.. ;-)

 Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior
 Infrastructure Consultant MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 (   Tel : +31-(0)40-29.57.777
 (   Mobile : +31-(0)6-26.26.62.80
 *   E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Moon, Brendan
 Sent: Wed 2006-03-29 19:26
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Quiet? DEC? Related?


 Hmm.. everyone must be having fun at DEC... this list has been very quiet
 this week!

 - Brendan Moon

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Re Service Pack Level

[Laura E. Hunter]

 Note you have to use a script, it
 won't run by pasting it into a CMD prompt. Be sure to change the domain
 info listed in all caps to your respective domain.

 @for /f %%i in ('dsquery.exe *
 cn=partitions,cn=configuration,dc=SUBDOMAIN,dc=DOMAIN,dc=COM -filter
 ((objectcategory=crossref)(systemflags=3)) -attr nCname') do
 dsquery.exe * %%i -Filter
 ((objectCategory=computer)(objectClass=computer)(primaryGroupID=516))
 -Scope Subtree -Limit 0 -Attr dnshostname operatingsystem
 operatingsystemservicepack | find /v /i operatingsystem
 DC-Inventory-OS-Version.LOG


Unless I'm completely misremembering my for-do syntax, I think you can
run that from a plain old command prompt by changing the '%%'
instances to just '%'.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] MVP mini summit at DEC 2006

[Laura E. Hunter]

I think the statement works either with it or without it.  :-)

(And remember, it's in -Henderson-, not Las Vegas!  No gambling, no
showgirls, just a quiet little geek conference in the middle of the
desert.  Nothing to see here, move along.  ;-))

On 2/23/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:
 Forgot the ;-)

 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
  I believe Vegas comes standard with Drugs, booze and loose women.
 
  [EMAIL PROTECTED] wrote:
  Daft question maybe, but is this open to MVPs only?
 
 
  neil
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: 23 February 2006 00:09
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] MVP mini summit at DEC 2006
 
  Alym has scheduled a MVP mini summit session at the conclusion of DEC
  2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of
  the DEC session rooms (tbd). Drugs, booze, and loose women will
  follow... or at least that's what I was led to believe. :)
 
  Alym is swamped with another project, but will be providing the official
  announcement in a few days. I just wanted to make MVPs aware of it in
  case you had scheduled a flight out on Wednesday afternoon.
 
  -gil
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 
  PLEASE READ: The information contained in this email is confidential and
  intended for the named recipient(s) only. If you are not an intended
  recipient of this email please notify the sender immediately and
  delete your
  copy from your system. You must not copy, distribute or take any further
  action in reliance on it. Email is not a secure method of
  communication and
  Nomura International plc ('NIplc') will not, to the extent permitted
  by law,
  accept responsibility or liability for (a) the accuracy or
  completeness of,
  or (b) the presence of any virus, worm or similar malicious or disabling
  code in, this message or any attachment(s) to it. If verification of
  this
  email is sought then please request a hard copy. Unless otherwise stated
  this email: (1) is not, and should not be treated or relied upon as,
  investment research; (2) contains views or opinions that are solely
  those of
  the author and do not necessarily represent those of NIplc; (3) is
  intended
  for informational purposes only and is not a recommendation,
  solicitation or
  offer to buy or sell securities or related financial instruments.  NIplc
  does not provide investment services to private customers.
  Authorised and
  regulated by the Financial Services Authority.  Registered in England
  no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St
  Martin's-le-Grand,
  London, EC1A 4NP.  A member of the Nomura group of companies.
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] repadmin info oddity

[Laura E. Hunter]

 (or a scotch if you'd prefer ;o) ...

Double shot of Glen Livett, a nice spritz of Sprite, inch and a half
of water and a couple of ice cubes, in a highball glass.

And the fact that I still remember this begs two questions:

[1] What do we order if the bar doesn't have Glen Livett?

and

[2] What critical piece of information has -not- been encoded into my
long-term memory so that I can instead remember how Dean takes his
Scotch?  :-)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Authentication for kiosk machines - straw poll

[Laura E. Hunter]

So for those of you that need to put Internet kiosks in place
somewhere in your organization, in a lobby or a dining hall or
something, how do you handle the initial authentication when that
machine boots up?  Hardcoding the account credentials in the Registry
under the ~\Winlogon key?  (Clear-text embedded password. Bleach.)  Or
do you use a third-party add-on to make that bit go?

Just curious to see what other people are doing.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

[Laura E. Hunter]

 will be appreciated.



 Thanks
 Lakshmi

 __
 Do You Yahoo!?
 Tired of spam?  Yahoo! Mail has the best spam protection around
 http://mail.yahoo.com
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-
 archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-
 archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] distributing large service pack files

[Laura E. Hunter]

There's also the liability issue of I host my own copy of some bits. 
My copy of those bits gets hacked or otherwise b0rked.  Random
customer uses my bits, hoses their machine, sues Redmond.

At least, that's the reasoning I encountered when I had the
conversation about higher ed being able to hand out SP2 CDs.  Whatever
the reason, it's not kosher under any licensing terms that I'm
familiar with.  Based on your description of your environment, I'd
definitely go the distributed WSUS route if your WAN links are getting
overloaded.

- L

On 2/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:
 Not to mention it's my understanding that it's not legal to distribute
 service packs outside the MS cloud and host MS code like service
 packs/hotfixes like that.

 This is why universities cannot hand out SP cdroms and some such things.

 Since the Department of Justice... it's been my impression that MS tends
 to want to control the bits so they can yank parts if need be [see
 recent SP update notifications for Office due to stupid lawsuit between
 guy and MS on Access]

 WSUS had to get some eula's rewritten to allow the geeks to do allow
 consultants to do patching and what not.

 Molkentin, Steve wrote:

  Mark,
  WSUS (and SMS for that matter) uses the Background Intelligent
  Transfer Service (that's what it's called) to do just this on large
  files, in that it is smart enough to recognise downtime on your
  network to send files, and manages the resumption of large files if it
  had to stop transferring them. It is pretty seamless in my experience
  - all our links are less than T1 (except for the internet pipe into
  our head office), and we manage to push a lot of stuff around using
  WSUS quite well with no interruption to business.
  It's not hard to setup an older PC as a local WSUS cache - it needs
  little in the way of processor and RAM (really), and will get over any
  cost issue and give you the ability to distribute, etc. Additionally,
  it takes away all the responsibility of the staff member to
  install/connect/download the service pack (and don't start me on the
  fact that they shouldn't have admin rights to install it in the first
  place).
  My $0.02 inc GST...
  themolk.
 
  
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of
  *Creamer, Mark
  *Sent:* Friday, 3 February 2006 6:18 AM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* [ActiveDir] distributing large service pack files
 
  The structure of our WAN is such that we have lots of small
  offices all over the country, each with a few to a hundred or so
  PCs, connected by not-so-fast links. The biggest locations have
  T1s, but many don't. Keeping these things patched is a nightmare.
  We do not have distributed servers, and really nothing except the
  PCs themselves to cache something for local delivery. Which brings
  me to my question…is it even conceivable that something like an
  internal-only BitTorrent could be leveraged to distribute
  something as large as a service pack? I think it might be more
  efficient than a 3^rd party patch management solution or WSUS,
  which I can't use because of not having distributed file caches.
  If this is nutty, dish out the dirt, but I'll want to understand
  why it's nutty too J
 
  Thanks
 
  ***Mark Creamer*
 
  *Systems Engineer*
 
  Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
 
  Email: [EMAIL PROTECTED] | http://www.cintas.com
 
 
  This e-mail transmission contains information that is intended to
  be confidential and privileged. If you receive this e-mail and you
  are not a named addressee you are hereby notified that you are not
  authorized to read, print, retain, copy or disseminate this
  communication without the consent of the sender and that doing so
  is prohibited and may be unlawful. Please reply to the message
  immediately by informing the sender that the message was
  misdirected. After replying, please delete and otherwise erase it
  and any attachments from your computer system. Your assistance in
  correcting this error is appreciated.
 

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

Re: [ActiveDir] Reset Local Admin Passwords

[Laura E. Hunter]

  We currently have about 4 different passwords floating around our domain
  and we'd like to get it down to a single standard. Any help would be
  appreciated.
 
 

Okay, just to offer a counterpoint to your underlying plan - you do
realise that by using a single local admin password across your
enterprise, if even -one- of those workstations gets the admin
password compromised, the attacker who did so now has local admin
rights to every workstation on your network?  With apologies to Jesper
Johannsen[1], it's one of those How to get your network hacked in 10
easy steps things - if I've just compromised the local admin password
of WorkstationA, what do you think is going to be the very first
password I try when I move on to try and compromise WorkstationB?


[1] And additional apologies for the fact that I'm sure I just spelled
his name wrong.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Congrat Jorge !!!!!

[Laura E. Hunter]

*throws more confetti*  It's a good week for ActiveDir.  :-)

Congratulations, Jorge.  Well-deserved.

On 1/13/06, joe [EMAIL PROTECTED] wrote:
 Heh. I was wondering if he knew or not when I saw your blog. ;o)

 The program isn't always real fast at letting people know. g


 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Gil Kirkpatrick
 Sent: Friday, January 13, 2006 4:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Congrat Jorge !


 Amazingly I blogged this a week ago
 (http://www.gilsblog.com/index.cfm?commentID=44 ) How did
 Jorge not find out till today? Don't they have email over there? :)

 Congratulations Jorge, you certainly deserve it.

 -g
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 TIROA YANN
 Sent: Friday, January 13, 2006 12:00 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Congrat Jorge !


 Just read jorge's blog @
 http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

 Congrat jorge for your nomination as a MVP. :o)
 Will u have a microsoft professional card as the MCP/MCSE one ?

 Yann



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Brain Freeze - export list of mail enabled groups and memberships.

[Laura E. Hunter]

Except for the entire readership of ActiveDir, you mean.  ;-)

- L

On 1/12/06, Mark Parris [EMAIL PROTECTED] wrote:
 Thanks for this, all done and nobody knows that I am hungover.
 -Original Message-
 From: joe [EMAIL PROTECTED]
 Date: Thu, 12 Jan 2006 08:27:11
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups 
 and memberships.

 This all assumes Exchange but...

 Mail *should* be populated but I am not positive if there is a hard req for 
 it.

 A mailenabled group won't have a homeMDB value since it isn't a mailstore but 
 a redirection.

 I would key off of mailnickname or legacyExchangeDN myself. Both are 
 singlevalued indexed attributes so should yield good speed.

 Also I would probably dump the mailNickname and displayname as well in the 
 dump.

 Note that this will not give nested results for a group and will not tell you 
 which members aren't mailbox/mail-enabled which affects who will receive the 
 message. To do those things would require a script or tool that goes looking 
 for additional things. Not sure if one has been written for Exchange 200x.

  joe



  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
 PROTECTED]
 Sent: Thursday, January 12, 2006 8:13 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups 
 and memberships.




 Jorge, is there any dependency on mail as a mail-enabled attribute?  Maybe 
 population of proxyaddresses may be better?  Or having a homemdb value?




 :m:dsm:cci:mvp  marcusoh.blogspot.com



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
 Jorge de
 Sent: Thursday, January 12, 2006 8:04 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Brain Freeze - export list of mail enabled groups 
 and memberships.





 ADFIND -GC -B  -F ((objectCategory=group)(mail=*)) sAMAccountname member





 Jorge


 From: [EMAIL PROTECTED] on behalf of Mark Parris
 Sent: Thu 2006-01-12 13:40
 To: ActiveDir.org
 Subject: [ActiveDir] Brain Freeze - export list of mail enabled groups and 
 memberships.


 I have got a major hangover today and I have been asked to export a list of 
 mail enabled groups and memberships.

 Can anyone please remind me what the utility is to do this or give me a 
 pointer to a script.

 Thanks

 Regards

 Mark
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] [List Owner] Mailing list is 5 today!

[Laura E. Hunter]

*throws confetti*

Happy Birthday to...ActiveDir
Happy Birthday to...ActiveDir

...okay, I'll stop singing now.

:-)

- L

On 1/12/06, Kat Collins [EMAIL PROTECTED] wrote:
 Whoo-hoo!  I was there and I'm still here.  This is indeed one of the
 best spots for AD information out there!!  Congratulations Tony, and
 please keep up the great work you do!

 Kat

 On 1/12/06, Tony Murray [EMAIL PROTECTED] wrote:
  Hi all
 
  I started this list on 13th January 2001. Thanks to everyone out
  there for making it a great place to hang out and learn about AD (and
  more besides!).
 
  Tony
 
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 


 --
 Kat Collins - The Email of the species is more powerful than the Mail!

 The human voice is the organ of the soul. Henry Wadsworth Longfellow
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OU Delegation

[Laura E. Hunter]

It's a bit dated by this point, but I still consider Sanjay Tandon's
delegation white paper to be one of the better treatments on the
subject:

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en

- Laura

On 1/11/06, Harding, Devon [EMAIL PROTECTED] wrote:


 We're in the process of consolidating 21 child domains into just one and one
 root.  We want to separate the divisions (domains) into different OUs.  Is
 there a guide or best practice out there on delegating admin permissions on
 OUs?  Also, we've got Exchange permissions to deal with too.



 Devon Harding

 Windows Systems Engineer

 Southern Wine  Spirits - BSG

 954-602-2469



 




 __
 This message and any attachments are solely for the intended
 recipient and may contain confidential or privileged information.
 If you are not the intended recipient, any disclosure, copying, use
 or distribution of the information included in the message and any
 attachments is prohibited. If you have received this communication
 in error, please notify us by reply e-mail and immediately and
 permanently delete this message and any attachments. Thank You.


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OT: Prob not relevant here ...but -implement system policies in non AD

[Laura E. Hunter]

...a single Domain Controller WITH EXCHANGE RUNNING ON IT, you mean?

:-)

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 BLASPHEMY!

 Non-AD Environments! That's almost as bad as having a single Domain
 Controller!!!

  :)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Wednesday, January 11, 2006 2:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Prob not relevant here ...but -implement system
 policies in non AD

 How to implement system policies for Windows XP-based, Windows 2000-based,
 and Windows Server 2003-based client computers in non-Active Directory
 environments:
 http://support.microsoft.com/?kbid=910203

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Looking for group policy setting

[Laura E. Hunter]

Computer Settings\Administrative Templates\System\Logon

A good resource here is the Policy Settings.xls spreadsheet
downloadable from
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14displaylang=en
(watch wrapping on that URL). Gives you a list of all the GPO settings
that are available, where they're located in the tree, and what OSs
they are supported by.

- Laura

On 1/10/06, klas9574 [EMAIL PROTECTED] wrote:


 Does anyone here happen to know where the setting is to turn off new users
 on a computer getting the Getting Started popup on windows 2000?



 Scott Klassen


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Strange deleted object issue

[Laura E. Hunter]

You need to set the LDAP control flags in LDP to view deleted objects.
 (It's what the -showdel switch is doing for you in adfind.)  It's
under Options somewhere, look for it and you'll see it.

- Laura

On 1/10/06, Tom Kern [EMAIL PROTECTED] wrote:
 Thanks.

 That worked.

 Now my question is, why didn't LDP show that?

 is it because i'm running the win2k3 verison against a win2k forest?
 what am i doing wrong with ldp?

 Thanks again


 On 1/10/06, Coleman, Hunter [EMAIL PROTECTED] wrote:
 
  Try adfind with the -showdel flag
 
  
 From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Tuesday, January 10, 2006 8:11 AM
  To: activedirectory
  Subject: [ActiveDir] Strange deleted object issue
 
 
 
 
  I have this weird issue-
 
  A user object is missing from my win2k native mode domain.
  I know because this user has complained that he can't log in and i can't
 find the object anywhere in AD.
 
  I've checked the deleted objects container in AD with ldp and he is not in
 there as well.
  He's not in the Lost and Found container either.
 
  His exchange mailbox is oprhaned in ESM.
 
  Sometime last nite this user was deleted but i have no way of finding him.
  we don't have auditing turned on for that but i figured if an object was
 deleted it would definetely be in the deleted objects container.
  is there anyway to bypass that?
  where else can i look?
 
  Any help would be great because this is just plain bizzare.
 
  Thanks
 




--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OT: DEC 2006

[Laura E. Hunter]

Because you knew full well that if you'd scheduled the conference on
the strip, you would've had 500 geeks walk into the casino that stood
between them and the conference rooms...and maybe 3 of us would've
come out the other side.  :-)

- L

On 1/10/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:
 
 Its not Vegas the Green Valley Resort is in Henderson, NV. :)

 Nope, nothing to see here. No gambling, no shows, no fast women. Just boring
 technical sessions. Move along.

 -gil
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Rich Milburn
 Sent: Tuesday, January 10, 2006 7:55 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: DEC 2006




 Ditto for me… My title doesn't start with a C _ _ so I'm afraid to even ask
 for a paid trip to Vegas J




 ---
 Rich Milburn
 MCSE, Microsoft MVP - Directory Services
 Sr Network Analyst, Field Platform Development
 Applebee's International, Inc.
 4551 W. 107th St
 Overland Park, KS 66207
 913-967-2819
 --
 I love the smell of red herrings in the morning - anonymous
 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Jose Medeiros
 Sent: Monday, January 09, 2006 1:27 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: DEC 2006




 I would love to go, unfortunately as most people on the list unless our
 employeers pay for it, we just can not afford to attend.





 Jose


 - Original Message -


 From: McLeod, Scotty


 To: ActiveDir@mail.activedir.org


 Sent: Monday, January 09, 2006 7:45 AM


 Subject: RE: [ActiveDir] OT: DEC 2006




 Am attending again, looking forward to it.



 Scotty


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Mark Parris
 Sent: 05 January 2006 22:17
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: DEC 2006



 Of the list how many people are going to DEC this year?
 www.directoryexpertsconference.com



 Tomorrow is the last day for the early bird registrations if anyone wants to
 day some $£€'s.



 Mark



 This e-mail and any attachments may contain confidential and privileged
 information. If you are not the intended recipient, please notify the
 sender immediately by return e-mail, delete this e-mail and destroy any
 copies. Any dissemination or use of this information by a person other
 than the intended recipient is unauthorized and may be illegal.


 
 ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
 PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or
 any attachments. This information is strictly confidential and may be
 subject to attorney-client privilege. This message is intended only for the
 use of the named addressee. If you are not the intended recipient of this
 message, unauthorized forwarding, printing, copying, distribution, or using
 such information is strictly prohibited and may be unlawful. If you have
 received this in error, you should kindly notify the sender by reply e-mail
 and immediately destroy this message. Unauthorized interception of this
 e-mail is a violation of federal criminal law. Applebee's International,
 Inc. reserves the right to monitor and review the content of all messages
 sent to and from this e-mail address. Messages sent to or from this e-mail
 address may be stored on the Applebee's International, Inc. e-mail
 system.
 ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
 PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or
 any attachments. This information is strictly confidential and may be
 subject to attorney-client privilege. This message is intended only for the
 use of the named addressee. If you are not the intended recipient of this
 message, unauthorized forwarding, printing, copying, distribution, or using
 such information is strictly prohibited and may be unlawful. If you have
 received this in error, you should kindly notify the sender by reply e-mail
 and immediately destroy this message. Unauthorized interception of this
 e-mail is a violation of federal criminal law. Applebee's International,
 Inc. reserves the right to monitor and review the content of all messages
 sent to and from this e-mail address. Messages sent to or from this e-mail
 address may be stored on the Applebee's International, Inc. e-mail system.

 





--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

Re: [ActiveDir] OT: DEC 2006

[Laura E. Hunter]

On 1/6/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

 Hope that Vegas is a more fun place – in Orlando they were shutting
 everything down at 1am, in Barcelona at least the Hilton did the same.



Las Vegas (at least on the main strip) is a 24x7 town - the casinos
intentionally crank down the air-conditioning, display no clocks, and
keep the lights going full blare so that you have no way of knowing
what time it is - all the better to keep you there gambling longer.  A
common occurence  is to walk out of a casino thinking that it's around
11pm, only to find that it's more like 4am.  It even happens to me,
and I usually have a pretty good internal clock.  :-)

- L
[EMAIL PROTECTED]   šŠV«r¯yÊý§-Š÷�Š¾4™¨¥iËb½çb®Šà

Re: [ActiveDir] OT: adfind syntax

[Laura E. Hunter]

This may sound whacky, but did you type the command in manually, or
did you copy/paste all or part from here or the joeware site?  I've
had adfind/admod get cranky on me when I do a copy/paste, but then
work perfectly when I type in the exact same thing manually.

Just a thought.

- Laura

On 1/6/06, Douglas M. Long [EMAIL PROTECTED] wrote:


 It tells me 'DC=domain,DC=com'





 Of course with the correct domain for domain though.
 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Friday, January 06, 2006 9:31 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: adfind syntax




 What does the part at the bottom say... the part that says



 Best Match of:



 That will tell you how much of the DN it knows to be valid.


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Douglas M. Long
 Sent: Friday, January 06, 2006 9:06 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: adfind syntax

 Man, can someone tell me what I am doing wrong here. I just cannot figure
 this out. Don't laugh; I am sure it is something stupid.



 adfind -default -rb ou=wsusclients,ou=xpclients -f
 (objectcategory=computer)





 I assume this should search for all computer objects on
 ou=wsusclients,ou=xpclients,dc=domain,dc=com





 I am getting ldap_get_next_page_s: [dc1.domain.com] Error 0x20 (32) - No
 Such Object


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OT: DEC 2006

[Laura E. Hunter]

I'll be there, can't hardly wait.

- Laura

On 1/5/06, Kat Collins [EMAIL PROTECTED] wrote:
 Unfortunately, no - just speaking from past MECs and TechEds!!

 My attendance at morning sessions usually was obliterated by attendance at
 evening soirees!!  Many here have been witnesses, such as the Tampa Lulu's
 Bait Shack and the Atlanta Hard-Rock (many years ago...) after the B-52's
 concert!!

 Ahhh - sweet memories!!  :-)

 Kat


 On 1/5/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
 
 
 
  Did we meet?
 
 
 
  (Just kidding)
 
 
 
  Ulf
 
 
  

 
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Kat Collins
  Sent: Friday, January 06, 2006 1:19 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: DEC 2006
 
 
 
 
 
  (aka significant alcohol comsumption)!!
 
 
 
 
 
  Kat Collins
 
 
 
 
  On 1/5/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
 
 
  I'll be there. I'm looking forward to meet everyone (again) – I love those
 Conferences with a lot of community interaction!
 
 
 
 
  Gruesse - Sincerely,
 
  Ulf B. Simon-Weidner
 
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile:
 http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 
  

 
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Mark Parris
  Sent: Thursday, January 05, 2006 11:17 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: DEC 2006
 
 
 
 
  Of the list how many people are going to DEC this year?
 www.directoryexpertsconference.com
 
 
 
  Tomorrow is the last day for the early bird registrations if anyone wants
 to day some $£€'s.
 
 
 
  Mark
 
 
 
  This e-mail and any attachments may contain confidential and privileged
  information. If you are not the intended recipient, please notify the
  sender immediately by return e-mail, delete this e-mail and destroy any
  copies. Any dissemination or use of this information by a person other
  than the intended recipient is unauthorized and may be illegal.
 
 
 
 
  --
  Kat Collins - The Email of the species is more powerful than the Mail!
 
  The human voice is the organ of the soul. Henry Wadsworth Longfellow



 --
 Kat Collins - The Email of the species is more powerful than the Mail!

 The human voice is the organ of the soul. Henry Wadsworth Longfellow


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

Re: [ActiveDir] FSMO Role Transfer GUI

[Laura E. Hunter]

Come on, you two, can't we all just get along?  ;-)

On 12/17/05, joe [EMAIL PROTECTED] wrote:
 Bite me Wells.
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Dean Wells
 Sent: Saturday, December 17, 2005 3:40 PM
 To: Send - AD mailing list

 Subject: RE: [ActiveDir] FSMO Role Transfer GUI


 I used to use LDIFDE (I imagine that still works)

 ... oops, typo'd it again ... what I meant to say was I use to ADmod.exe
 (he's sensitive you know ;o)

 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com

 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Brian Desmond
 Sent: Thursday, December 15, 2005 9:05 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] FSMO Role Transfer GUI




 You can't transfer the schema or domain naming fsmo's from ADUC. Personally
 I just use ntdsutil and know the syntax off the top of my head, but, if you
 don't do this often it might be useful to have a central point of control.




 Thanks,
 Brian Desmond

 [EMAIL PROTECTED]



 c - 312.731.3132




 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, December 15, 2005 3:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] FSMO Role Transfer GUI



 What are the advantages/benefits of this UI vs UC?



 I can transfer all domain roles from that UI today?



 Thanks,

 neil


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 WILLIAMS, J.D.
 Sent: 14 December 2005 17:27
 To: 'ActiveDir@mail.activedir.org'
 Subject: [ActiveDir] FSMO Role Transfer GUI

 Anyone interested in testing a FSMO Role Transfer GUI? If so, please email
 me at [EMAIL PROTECTED] and I'll send you a copy.

 Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an
 exercise in working with external exe and discovering the McAfee sees some
 of the .net code as buffer overflows and keeps text from showing up in
 combo-boxes.  That was fun. I'd rate the app towards the novelty side of the
 Novelty ßà Useful continuum.  But hey, it's a better use of email and time
 than Elf Bowling!  Works in both my test and production environment.

 Oh, also only transfers the domain roles.  Does not transfer the schema
 owner or domain role owner, but does list the DCs holding those roles.

 Thanks,

 JD


 PLEASE READ: The information contained in this email is confidential and


 intended for the named recipient(s) only. If you are not an intended


 recipient of this email please notify the sender immediately and delete your


 copy from your system. You must not copy, distribute or take any further


 action in reliance on it. Email is not a secure method of communication and


 Nomura International plc ('NIplc') will not, to the extent permitted by law,


 accept responsibility or liability for (a) the accuracy or completeness of,


 or (b) the presence of any virus, worm or similar malicious or disabling


 code in, this message or any attachment(s) to it. If verification of this


 email is sought then please request a hard copy. Unless otherwise stated


 this email: (1) is not, and should not be treated or relied upon as,


 investment research; (2) contains views or opinions that are solely those of


 the author and do not necessarily represent those of NIplc; (3) is intended


 for informational purposes only and is not a recommendation, solicitation or


 offer to buy or sell securities or related financial instruments. NIplc


 does not provide investment services to private customers. Authorised and


 regulated by the Financial Services Authority. Registered in England


 no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,


 London, EC1A 4NP. A member of the Nomura group of companies.


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Ntds.dit file corruption

[Laura E. Hunter]

On 12/6/05, joe [EMAIL PROTECTED] wrote:
 LOL. I enjoyed it which means it is all good as you all exist for my
 personal entertainment. ;o)

 Well except for Laura, she exists to hound me to the end of my existence on
 commas.

 very glad that you can't throw virtual vegetables at list posters

Keep it up, joe, and I'll start proofreading your activedir posts as
well.  (Note the appropriate comma usage.)  :-)

- Laura
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Knowing when users were deleted.

[Laura E. Hunter]

Various thoughts from this thread:

[1] I agree with Al and Paul[1] on a desire for that sort of metadata.
 I'm not as convinced of the trade-off value of bloating the DIT for
full undelete information, particularly in monster big environments. 
For my teeny-tiny single domain it probably wouldn't be that bad of a
hit, but I imagine that the laws of diminishing returns would quickly
set in.

[2] Please finish the thought, Brett, I'm sure I'd find it
helpful/enlightening/informative even if it's only speaking in
hypotheticals.

[3] It's Gil and Darren's turn to crack me up today, I guess joe is
taking a break.


[1] *waves*  Hi Paul!  Glad to see you alive post-Summit.

- L
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] LegalNoticeText maximum value

[Laura E. Hunter]

On 10/14/05, Free, Bob [EMAIL PROTECTED] wrote:
  you will make Penn State proud!

 Don't folks at the University of Pennsylvania take umbrage when you call
 it Penn State ?? They did when I lived there :-]

 /Child of 2 Penn State alums


We most certainly do, that's why he does it to me.  ;-)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] salary(OT)

[Laura E. Hunter]

: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Wednesday, October 12, 2005 9:37 PM
  To: activedirectory
  Subject: [ActiveDir] salary(OT)
 
 
 
  well, i've been consulting for 2 months full time for a company and
  now they want to make me an offer to work for them(yeah,i'm amazed
  too..)
 At first it was a head/senior AD position  but now they want to throw in
 Exchange in the mix.
  they used to outsource all their windows infrastructure and during my
 tenure there, they took it back so they have no AD/Exchange people.
 
  This is a 3000 user finanical corp in Manhattan.
 
  my question is, what kind of salary would one expect for a such a
 position, taking into account the bussiness and location and size.
 
 
  thanks

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/

 
 #
 This communication, including any attachments, is confidential. If you are
 not the intended recipient, you should not read it - please contact me
 immediately, destroy it, and do not copy or use any part of this
 communication or disclose anything about it. Thank You.

 Please note that this communication does not designate an information system
 for the purposes of the NZ Electronic Transactions Act 2002.

 This email has been scanned for Viruses and Content and cleared by NetIQ
 MailMarshal at Gen-i.
 
 #

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/



 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] LegalNoticeText maximum value

[Laura E. Hunter]

You know, there's a reason nobody likes you, Richards.  ;o)

- L

On 10/14/05, joe [EMAIL PROTECTED] wrote:
 Sounds like something you could find on www.shutuplaura.com

 BTW, it is annoying that I have to get an account to leave a comment. I
 don't need any more accounts.

 So congrats on signing up for the run, you will make Penn State proud!



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
 Sent: Thursday, October 13, 2005 9:00 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] LegalNoticeText maximum value

 Forgive me if this is an obvious thing and my Google-fu is just failing me,
 but can someone remind me of the maximum string length on this when running
 2003?  I'm finding conflicting references between
 255 and 512 characters.

 Thanks all.

 - Laura

 --
 ---
 Laura E. Hunter
 Microsoft MVP - Windows Server Networking
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] LegalNoticeText maximum value

[Laura E. Hunter]

Forgive me if this is an obvious thing and my Google-fu is just
failing me, but can someone remind me of the maximum string length on
this when running 2003?  I'm finding conflicting references between
255 and 512 characters.

Thanks all.

- Laura

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] LegalNoticeText maximum value

[Laura E. Hunter]

Thanks all...I did find that KB, but thought I'd seen another
reference that quoted 255.  I can't find it now, though, so will
assume that I was hallucinating.  :-)

- L

On 10/13/05, Webster [EMAIL PROTECTED] wrote:
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Subject: RE: [ActiveDir] LegalNoticeText maximum value
 
  Laura, you probably found this anyway, but here is specifies 512.
 
  http://support.microsoft.com/?kbid=310430

 And from the bottom of that KB:

 Note If you do not use carriage returns in your display message, the maximum
 number of characters that you can add to the logon box is 512. If you add
 carriage returns, you can and add up to 2048 characters (512 characters per
 line).


 Should have just read it and saved myself the work.  Laura you owe me some
 Hagan Daaz in Boston next year. :)


 Webster

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Laura E. Hunter
  Subject: [ActiveDir] LegalNoticeText maximum value
 
  Forgive me if this is an obvious thing and my Google-fu is
  just failing
  me, but can someone remind me of the maximum string length on
  this when
  running 2003?  I'm finding conflicting references between
  255 and 512 characters.

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] LegalNoticeText maximum value

[Laura E. Hunter]

Ah, that's the one.  The link I found wasn't the KB itself, though,
but another site that had partially quoted it (without the
ever-critical Applies to the following operating systems part.) 
Thanks for clearing up some momentary confusion, Tony.

(And what's up with the list-serv, man?  I'm seeing your reply to a
message I sent, but haven't actually seen the message itself.  (Or are
you just -that- much of a mindreader?  :-)))

With many nested parentheses,

Laura

On 10/13/05, Tony Murray [EMAIL PROTECTED] wrote:
 This one perhaps?

 http://support.microsoft.com/default.aspx?kbid=225087

 It's more NT-ish.

 Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] ADFIND mods

[Laura E. Hunter]

 and why you would like to test it and I will put you in the hat. Oh here is
 what the csv output looks like at the moment

 F:\Dev\CPP\AdFindadfind -h 2k3dc01 -default -s one  name objectclass
 whenchanged -csv -sort name dn,name,objectclass,whenchanged
 CN=Builtin,DC=joe,DC=com,Builtin,top;builtinDomain,20040625234526.0Z
 OU=CleanOU,DC=joe,DC=com,CleanOU,top;organizationalUnit,2005080401461
 3.0Z
 CN=Computers,DC=joe,DC=com,Computers,top;container,20040625234526.0Z
 OU=contacts,DC=joe,DC=com,contacts,top;organizationalUnit,20050821222
 039.0Z
 OU=Domain Controllers,DC=joe,DC=com,Domain
 Controllers,top;organizationalUnit,20040625234526.0Z
 OU=Exchange,DC=joe,DC=com,Exchange,top;organizationalUnit,20040625234
 707.0Z
 CN=ForeignSecurityPrincipals,DC=joe,DC=com,ForeignSecurityPrincipals,to
 p;container,20040625234526.0Z
 CN=Infrastructure,DC=joe,DC=com,Infrastructure,top;infrastructureUpdate
 ,20050613155937.0Z
 CN=LostAndFound,DC=joe,DC=com,LostAndFound,top;lostAndFound,200406252
 34526.0Z
 CN=Microsoft Exchange System Objects,DC=joe,DC=com,Microsoft Exchange
 System
 Objects,top;container;msExchSystemObjectsContainer,20050330022442.0Z
 CN=NTDS Quotas,DC=joe,DC=com,NTDS
 Quotas,top;msDS-QuotaContainer,20040625234526.0Z
 CN=Program Data,DC=joe,DC=com,Program
 Data,top;container,20040625234655.0Z
 OU=Sales,DC=joe,DC=com,Sales,top;organizationalUnit,20050920020829.0Z
 
 OU=someapp,DC=joe,DC=com,someapp,top;organizationalUnit,2005082405111
 4.0Z
 CN=someapp2,DC=joe,DC=com,someapp2,top;person;organizationalPerson;user
 ,20050824051145.0Z
 CN=System,DC=joe,DC=com,System,top;container,20040625234526.0Z
 OU=TestOU,DC=joe,DC=com,TestOU,top;organizationalUnit,20050715071524.
 0Z CN=Users,DC=joe,DC=com,Users,top;container,20050805051458.0Z


joe



 [1] Yes that Jerry, Jerold Schulman, of the reghacks / JSI Inc web site.
 http://www.jsiinc.com/aboutJSI.htm

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] BlackComb Super Forest Functional Mode

[Laura E. Hunter]

://www.mail-archive.com/activedir%40mail.activedir.org/


 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] [OT] OU permissions for user object

[Laura E. Hunter]

Actually I've always done that, used to get me in trouble in high
school English class.  (And grey is spelled with an e, dammit!)

The amusing part of Saturday's discussion, I thought, was the
determination that the British Empire began losing some of its
holdings because of all the time everyone was wasting writing out all
of those superfluous u's.  :-)

On 10/5/05, Brian Desmond [EMAIL PROTECTED] wrote:
 You missed the discussion on Saturday. Apparently she spells everything in
 the ou manner now.


 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, October 04, 2005 10:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] [OT] OU permissions for user object

 I certainly try to. :)

 BTW, you are spending too much time around Dean, you spelled favorite wrong.

  joe


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
 Sent: Wednesday, September 07, 2005 1:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OU permissions for user object

  snip 
 I would rather work 80 hours a week because I choose it than give out
 permissions that cause me to work 80 hours a week because I have to hold the
 environment together.
 / snip 

 As joe-isms go, I think that one just became my favourite, and one to live
 by.

  Laura
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] AD Restore Problem

[Laura E. Hunter]

 to authoritatively restore any objects, click Yes to
 restart the computer. The system will restart and replicate any new
 information that is received since the last backup with its replication
 partners.



 If you need to authoritatively restore any objects or if you need to create
 an LDAP Data Interchange Format (LDIF) file to restore back-links on this
 domain controller, click No to remain in Directory Services Restore Mode.
 For information about how to proceed with authoritative restore, see
 Performing an Authoritative Restore of Active Directory Objects.


 If the server fails to boot properly:
 Boot the computer off the Windows 2003 server CD
 The repair operation begins after you accept the license agreement and after
 the Setup program searches for previous installations of Windows to repair
 When the Setup program finds the damaged installation, press R to repair the
 installation  (DO NOT USE THE RECOVERY CONSOLE)
 Following the onscreen steps to complete the repair.
 When the repair completes, reboot the server.


 If the server fails to boot past BIOS:
 Book the computer off the Windows 2003 server CD.
 Select the appropriate HAL option for you computer hardware.
 After the HAL loads, select R for the Recovery Console.
 Logon to the Windows directory that you need to repair by selection the
 appropriate number (default of 1).
 Logon using the DSRM password.
 At the command prompt type disable acpi and hit enter
 Make a note of the registry change.
 Type exit and hit enter to reboot the machine.
 When the machine boots, follow step 17 to complete the HAL recreation.


 Install the Windows 2003 Admin Pack.  (You do not need to install this prior
 to this point as the dlls will be overwritten if you are forced to follow
 step 17).


 If you run ADUC and receive an error connecting to the active directory.
 Reboot the server.  During the initial reboot some installation process have
 not yet completed so the Active Directory does not fully execute.  The
 secondary reboot will correct this issue.

 Verification

 After a restore is completed verification must be done to ensure that it is
 functioning correctly.  The easiest way to conduct the verification is to
 use a laptop that was on the network before the backup was taken.  Simply
 connect the laptop to the switch that server is on and attempt to
 authenticate and access resources on the server (a file share could be
 placed on the restored server to ensure that the authentication process is
 working correction).  The greatest test would be to down the server that is
 being restored and plug in the current machine.  Although this will allow
 the best functional test, if something in the backup went wrong then you
 could possibly corrupt the production sever.



 You will want to test the logon scripts and a number of different users (to
 include administrative user accounts, delegated security user accounts and
 service accounts).  Once you are fully satisfied with the restore process,
 this document should be updated and forwarded to the bank for safekeeping.


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Notes/Domino LDAP

[Laura E. Hunter]

Unless I'm misunderstanding the question, I'm going to say that
that'll be a tough compare since Notes/Domino maps much more closely
to Exchange and Groupwise in terms of functionality.  IE, it's a
groupware/messaging/collaboration environment rather than a proper
directory service.  In most cases, in fact, a Notes/Domino environment
will run on top of AD just like Exchange does, though I think you can
hook Domino into a Linux infra as well.

My personal recollection of Domino, though this is from several revs
ago, was that it was close-but-not-quite-so-good as Outlook in terms
of being a cool messaging client, but it gave you more options in
terms of collaboration apps.  (Sharepoint has likely rendered this
comparison obsolete in the intervening years since I was a Notes
admin.)

A quick Google doesn't return what I'd consider a vendor-neutral
comparison of Exchange and Domino, but here's the market-speak from
both sides of the house.  (Maybe compare them and split the
difference.  :-)):

http://www-03.ibm.com/servers/eserver/iseries/domino/inotes/compare.html
http://www.lotus.com/lotus/offering1.nsf/wdocs/messagingcompetitive?OpenDocumentcwesite=lotusnotesdom
http://www.microsoft.com/exchange/evaluation/compare/METAEx2k3vNotes.mspx

- Laura

On 10/5/05, Tony Murray [EMAIL PROTECTED] wrote:

 Can anyone point me at an independent source of information on the
 capabilities and limitations of the Notes/Domino directory as compared with
 AD?

 Tony


--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] New tool - script to count objects within a partition and provide a breakdown of their classes and the count of each

[Laura E. Hunter]

And as the guinea-pigger (is that a word? It is now), please allow me to say:

What an awesome script.  Thanks, Dean!

- L

-- 
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)


On 9/8/05, Dean Wells [EMAIL PROTECTED] wrote:
 Per the subject line ... hope it proves as useful to some of you as it has
 been to me this week.  As always, please verify its successful execution in
 a lab before use in a production environment.
  
 Thanks to Laura Hunter for guinea-pigging it for me!
  
 Kindest regards.
  
 Dean
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] OU permissions for user object

[Laura E. Hunter]

 snip 
I would rather work 80 hours a week because I choose it than give out
permissions that cause me to work 80 hours a week because I have to
hold the environment together.
/ snip 

As joe-isms go, I think that one just became my favourite, and one to live by.

 Laura
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/