RE: [ActiveDir] Overlapping AD Subnet Boundaries
I think that someone knowing this wouldn't have posted the question.

I don't agree with this part. A lot of people don't think you can supernet AD subnets. In fact I have had people tell me outright it is impossible to do that in AD even when I tell them it has been my standard practice since Windows 2000 RTM'ed. They think it is just like the routing subnets where you have to be very careful what you are doing or you will break packet routing. I see this question on a pretty regular basis in various forums, at least once per month.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

I know there is not a direct relation, but I don't know if the original poster understands that this can't work if it's the real implementation. I think that someone knowing this wouldn't have posted the question.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, January 27, 2007 9:03 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

You are mistaking machine subnetting and subnetting defined in AD. They are not connected. The definitions in AD do not have to reflect what is really happening at the routing layer. They are generally close but there isn't any technical reason why they have to be.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

Is it really 10.10.0.0/16 or a mistake (/24)?

Because your first site won't be able to join the other one as it will think it's local and won't send packets to the gateway (if it's really a /16). If it's a real /24, then it will work as expected (10.10.41.104 will be attached to the secondary site). If it's a /16 and you need a router between both sites, your configuration can't work from a network point of view.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

----- Original Message -----
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
I agree that MIIS could be convenient but only if it is already there or you have other plans for it. If this was the only reason for it I would be more apt to put something else together that had a far lower bar of entry such as some basic scripts that are scheduled through task scheduler or made into a service (Perl PSDK) or LDSU or some basic low end syncing tools that don't require setting up a full blown SQL and MIIS server.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

You can whack Notes with ldifde or something. MIIS is a convenient way to do it though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww. :)

Unless there are other needs that require MIIS I don't think I would deploy it for this. MIIS is a 50 caliber when all that was probably needed was a foam pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from Notes and just slam that into AD as contacts or mail-enabled users. Actually getting the info out of Notes... no clue, I didn't even want to start touching Exchange let alone any other messaging apps. I am happy just with Windows Server 2003 SMTP and looking at the text files. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users? Even something that can query Domino for all users and groups and return all addresses into a file; I can use that as a basis to update AD with proxy info etc.

Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an address that already exists as a secondary, does ADUC do anything more than change the prefix on the old primary address from 'SMTP' to 'smtp' and vice-versa for the new primary?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary, and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

----- Original Message -----
From: Ulf B. Simon-Weidner
To: ActiveDir
RE: [ActiveDir] AD Security Auditing
You probably also want to specify the attribute ntsecuritydescriptor so you don't have to see the other attributes, but maybe you do want to see them; obviously each person will be different. You can also have that put into CSV format if wanted so it could be imported into Excel or Access or something. ACLs can be fun to figure out how to best display or work with.

Something else that can be done here: you can tell adfind to only output the explicit ACEs, which can clean up the output considerably. If you don't do much or any blocking then you can still get a great idea of what is going on but have to look at less actual data. You can filter out the inherited ACEs with

-sddlnotfilter ;inherited

So say you just wanted the ACLs for the one level scope from the root of a domain, just displaying the security descriptor and the explicitly set ACEs... It would look something like

G:\Temp>adfind -default -f * -s one ntsecuritydescriptor -sddl++ -resolvesids -sddlnotfilter ;inherited

AdFind V01.35.00cpp Joe Richards ([EMAIL PROTECTED]) January 2007

Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc

dn:CN=Builtin,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;Everyone
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;TEST\Enterprise Admins
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Domain Password Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible
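The adfind -sddl++ output above is a regular six-field layout (ACE type; flags; rights; object type; inherited object type; trustee), so it can be parsed and audited rather than read by eye. The following is an added example, not code from the thread or from AdFind: it parses lines in that layout and reports trustees outside an expected privileged set that hold Full Control, write-permissions, write-owner, or the replication control access right. The sample input is constructed from the thread's own output lines plus one made-up ACE for a hypothetical "TEST\Helpdesk" group so that the audit has something to flag; the expected-privileged set is an assumption for a lab domain.

```python
"""Parse and audit adfind -sddl++ style DACL output (added example, not from the thread)."""
import re

# Constructed input: ACE lines copied from the thread's adfind output, plus one
# invented ACE for "TEST\Helpdesk" (the last line) so the audit below has a hit.
SAMPLE_OUTPUT = r"""
dn:CN=Builtin,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;Everyone
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;TEST\Enterprise Admins
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;TEST\Helpdesk
"""

ACE_RE = re.compile(r"^nTSecurityDescriptor: \[DACL\] (.*)$")
BRACKETS = re.compile(r"\[([^\]]+)\]")   # pulls "FC", "WRT PERMS", ... out of "[FC][WRT PERMS]"

# Rights that let a trustee change or take over an object outright.
SENSITIVE_RIGHTS = {"FC", "WRT PERMS", "WRT OWNER"}
# Control access rights worth flagging when granted via [CTL].
SENSITIVE_CONTROL = {"Replicating Directory Changes", "Replicating Directory Changes All"}
# Assumed set of trustees expected to hold those rights in this lab domain.
EXPECTED_PRIVILEGED = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "TEST\\Domain Admins",
    "TEST\\Enterprise Admins", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}


def parse_dacl(text):
    """Return one dict per ACE; each carries the DN of the object it was listed under."""
    aces, current_dn = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current_dn = line[3:]
            continue
        match = ACE_RE.match(line)
        if not match:
            continue
        fields = match.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE layout: {line}")
        ace_type, flags, rights, obj_type, inh_obj_type, trustee = fields
        aces.append({
            "dn": current_dn,
            "type": ace_type,                      # "ALLOW", "OBJ ALLOW", "DENY", ...
            "flags": BRACKETS.findall(flags),      # e.g. ["CONT INHERIT", "INHERIT ONLY"]
            "rights": BRACKETS.findall(rights),    # e.g. ["READ PROP"]
            "object_type": obj_type,               # property set / extended right name
            "inherited_object_type": inh_obj_type, # class the ACE applies to, if any
            "trustee": trustee,
        })
    return aces


def audit(aces, expected=EXPECTED_PRIVILEGED):
    """List (dn, trustee, rights) for allow ACEs granting sensitive rights outside `expected`."""
    findings = []
    for ace in aces:
        if not ace["type"].endswith("ALLOW") or ace["trustee"] in expected:
            continue
        hit = SENSITIVE_RIGHTS.intersection(ace["rights"])
        if "CTL" in ace["rights"] and ace["object_type"] in SENSITIVE_CONTROL:
            hit.add(ace["object_type"])
        if hit:
            findings.append((ace["dn"], ace["trustee"], sorted(hit)))
    return findings


ACES = parse_dacl(SAMPLE_OUTPUT)
FINDINGS = audit(ACES)

if __name__ == "__main__":
    for dn, trustee, rights in FINDINGS:
        print(f"{dn}: {trustee} holds {', '.join(rights)}")
```

Feeding it a real capture is a matter of replacing SAMPLE_OUTPUT with the saved adfind output; because the parser keys each ACE on the preceding dn: line, a subtree-scoped run yields findings per object, which is usually the more useful view when the question is "who can take over what".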
RE: [ActiveDir] Adfind + Admod help
Sorry for how long it took me to respond to the lure... :) I am completely swamped anymore. Just got back from a weeklong customer visit. Good visit, the tech people at that company are very good, still I dislike going on the road for anything.

I agree with what the folks said and Hunter's logic below. Not going to be doing this with a single simple command line. Adfind combined with a tool that generates a unique list _could_ cover the first couple of items. Check out this post

http://www.mail-archive.com/activedir@mail.activedir.org/msg31542.html

That unique.exe tool is still out on my website and Guido's request is still in the list of requests for AdFind. Still be troublesome though using that to get both the Section and Dept in an efficient way.

All that being said, that wouldn't be the way I would likely go myself as it would require multiple queries. The way to tackle this efficiently is with a good data structure. VBScript would likely be challenging to do this in. Note though if you have a massive domain (hundreds of thousands of users) and are running the script on an underpowered machine this may have to be reworked for scale.

Most likely I would query all of the objects with dept and section populated and then build a nice data structure that represented that layout... Something like

Dept24
  Sect242
    Member1
    Member2
    Member3
  Sect243
    Member1
    Member2
Dept69
  Sect691
    Member1
    Member2
    Member3
    Member4
  Sect692
    Member1
etc.

Then it would be a simple loop through the data structure to do the work. Perl would be my choice for this. I would use a multilevel hash like $hash{dept#}{sect#}{members} which will unique the data while building the structure.

Again, the key to do this efficiently is the data structure. This is often the case in programming, the data structures used can make or break the entire solution. I have seen seemingly impossible problems that have been made possible with great ideas about how to structure the data and I have seen simple problems made nearly impossible because of bad data structures.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well.

The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind, you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates.

The outline of your script would look something like this:

- query AD for all user objects that have apsgDepartment and/or apsgSection populated
- loop through the returned set to build unique lists of Department numbers and Section numbers
- loop through the Department number list and create a group for each one
- loop through the Section number list and create a group for each one, and nest it in the corresponding Department group

None of that is heinously difficult to script. I'd probably lean towards PowerShell or Perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road.

Hunter

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards ?? in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm
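Both joe's multilevel-hash sketch and Hunter's four-step outline describe the same thing: de-duplicate by keying on department and section while reading the users, then walk the structure to create and nest groups. The following is an added example that is not code from the thread; it builds the dept -> section -> members structure from constructed user records (the attribute names apsgDepartment and apsgSection are the thread's, the group-naming scheme Dept<n> / Dept<n>-Sect<m> is an assumption) and turns it into an ordered list of idempotent operations that a script could hand to admod or any other provisioning tool. It goes slightly beyond the thread in handling users with a department but no section and in keying section groups under their department, since section numbers need not be unique across departments.

```python
"""dept/section tree from user records and a derived group-creation plan (added example)."""
from collections import defaultdict

# Constructed sample users (not real accounts); attribute names come from the thread.
USERS = [
    {"sAMAccountName": "asmith", "apsgDepartment": "24", "apsgSection": "242"},
    {"sAMAccountName": "bjones", "apsgDepartment": "24", "apsgSection": "242"},
    {"sAMAccountName": "cdoe",   "apsgDepartment": "24", "apsgSection": "243"},
    {"sAMAccountName": "dlee",   "apsgDepartment": "69", "apsgSection": "691"},
    {"sAMAccountName": "ewong",  "apsgDepartment": "69", "apsgSection": None},   # dept only
    {"sAMAccountName": "fkhan",  "apsgDepartment": None, "apsgSection": "999"},  # no dept: skipped
    {"sAMAccountName": "asmith", "apsgDepartment": "24", "apsgSection": "242"},  # duplicate row
]


def build_tree(users):
    """Return {dept: {section: set(members)}}.

    Keying on (dept, section) as the records are read is what de-duplicates the
    data; no separate "unique" pass is needed. Users with a department but no
    section still create the department entry so a group is made for it."""
    tree = defaultdict(lambda: defaultdict(set))
    for user in users:
        dept, sect = user.get("apsgDepartment"), user.get("apsgSection")
        if not dept:
            continue                       # section without department: nothing to nest under
        if sect:
            tree[dept][sect].add(user["sAMAccountName"])
        else:
            tree[dept]                     # touch the key so the department exists
    return tree


def plan_groups(tree):
    """Flatten the tree into an ordered list of operations:
    create each department group, create each section group and nest it in its
    department group, then add the members. Sorting makes the plan deterministic
    so two runs over the same data produce the same list (easy to diff)."""
    ops = []
    for dept in sorted(tree):
        dgroup = f"Dept{dept}"                       # assumed naming scheme
        ops.append(("create_group", dgroup))
        for sect in sorted(tree[dept]):
            sgroup = f"Dept{dept}-Sect{sect}"        # qualified by dept: section numbers may repeat
            ops.append(("create_group", sgroup))
            ops.append(("add_member", dgroup, sgroup))
            for member in sorted(tree[dept][sect]):
                ops.append(("add_member", sgroup, member))
    return ops


TREE = build_tree(USERS)
PLAN = plan_groups(TREE)

if __name__ == "__main__":
    for op in PLAN:
        print(" ".join(op))
```

Each ("create_group", name) / ("add_member", group, member) tuple maps onto one provisioning call; keeping the plan as data before executing it means it can be reviewed, or dry-run against the directory, before any group is created.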
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Oh I am always about Perl... TIMTOWTDI baby! ;o)

Perl is installed on my machines even before reskit and support tools. I can't count the number of months it has saved me nor the number of $$$ on third party tools. I know for a fact that there are enterprise level companies out there still running in daily operations Perl scripts I wrote 10 years ago that were supposed to be replaced with something better (their words not mine) that are still flexible enough to do what they need and haven't even been challenged with something better. This includes monitoring scripts running as NT services, application launch helpers, software delivery, intelligent logon scripts, file backup systems, etc. Most everything I write though doesn't take a full blown Perl install, just a perl EXE and a perl DLL and the script.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 28, 2007 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

What? Like simplesync?

I was beginning to wonder if anyone was going to bring up Perl for this particular application. It strikes me as the common glue for this particular application that doesn't require the Notes client software to be installed, i.e. self-sustaining. I think if I were not going to go with a COTS application I'd likely choose something like Perl to write it.

I have to agree that MIIS is way overkill for this if this is your only usage scenario.

Just curious, but why do you want to populate that data in AD? Seems silly if nobody is using it for a directory other than admins. Was there an application that wants it?

On 1/28/07, joe [EMAIL PROTECTED] wrote:

I agree that MIIS could be convenient but only if it is already there or you have other plans for it. If this was the only reason for it I would be more apt to put something else together that had a far lower bar of entry such as some basic scripts that are scheduled through task scheduler or made into a service (Perl PSDK) or LDSU or some basic low end syncing tools that don't require setting up a full blown SQL and MIIS server.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

You can whack Notes with ldifde or something. MIIS is a convenient way to do it though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww. :)

Unless there are other needs that require MIIS I don't think I would deploy it for this. MIIS is a 50 caliber when all that was probably needed was a foam pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from Notes and just slam that into AD as contacts or mail-enabled users. Actually getting the info out of Notes... no clue, I didn't even want to start touching Exchange let alone any other messaging apps. I am happy just with Windows Server 2003 SMTP and looking at the text files. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users? Even something that can query Domino for all users and groups and return all addresses into a file; I can use that as a basis to update AD with proxy info etc.

Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond
RE: [ActiveDir] adsiedit question
Just an FYI, I kept reading in the responses about "move"... This doesn't move the mailbox, it creates a new one at the new HomeMDB URL location and the old mailbox is sitting there disconnected in the old store location.

This is something that can be done for normal users to get dialtone back quickly in the event of a failure. I have written utilities that can get a whole server worth of users (4000+) redirected to another Exchange server for dialtone recovery in event of failure of a first Exchange server in usually less than a minute. Of course later someone gets to have the fun of merging the mailboxes. But if someone doesn't want to pay for full mailboxes always being available and just needs a mailbox at any given time it is a decent solution. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Tuesday, January 23, 2007 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question

Hi all

I didn't OT this even though I'm making modifications to Exchange since the question seems to be adsiedit related and therefore related to AD.

I'm trying to modify an attribute for a mailbox using adsiedit. Particularly I'm rehoming its database by modifying the homeMDB attribute. The problem I'm running into is I'm getting an error stating "The name reference is invalid" when I try to apply the change. I've done this a few times but this is the first time I've run into this error. Google doesn't give enough info to determine the cause... or maybe it is and I just don't know enough about the response to see it... that never happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks
Jerry

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] How to find non-primary SMTP addresses?
To change the previous Perl script to give the same output it would look something like

open(ofh, ">QueryOutput.csv") or die("ERROR: Can't open CSV output file: $!\n");
print ofh "First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses\n";
@out = `adfind -nodn -sc exchaddresses:smtp -csv -csvq \\ -csvmvdelim , -nocsvheader givenname sn samaccountname mail`;
foreach $thisline (@out) {
    $thisline =~ s/smtp://ig;   # strip smtp: and SMTP:
    print ofh $thisline;
}

:)

Then to take it a step further for the later conversation about a disjoint between mail and proxyaddresses primary SMTP (yes this is possible, I see it pretty regularly in companies, it is only enforced I believe by ADUC, nothing in Exchange) you can make the script identify cases where you have a disjoint between mail and the primary SMTP with something like

open(ofh, ">QueryOutput.csv") or die("ERROR: Can't open CSV output file: $!\n");
print ofh "Disjoint Mail Attribs, First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses\n";
@out = `adfind -nodn -sc exchaddresses:smtp -csv -csvq \\ -csvmvdelim , -nocsvheader givenname sn samaccountname mail`;
foreach $thisline (@out) {
    # Capture the mail attribute (4th CSV field) and the address carried in the
    # upper-case SMTP: proxy address. The archive masked the '@' characters in this
    # pattern; the two address sub-patterns below are a reconstruction.
    ($mail, $primarysmtp) = ($thisline =~ /,([^,@]+@[^,]+),.*SMTP:([^,@]+@[^,]+)[\n,]/);
    $disjoint = ($mail ne $primarysmtp) ? "TRUE" : "FALSE";
    $thisline =~ s/smtp://ig;   # strip smtp: and SMTP:
    print ofh "$disjoint,$thisline";
}

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Friday, January 26, 2007 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Here is a cheesy VB script to list email addresses and kick them to a CSV file***. It's not horribly efficient, tight coding, or cleaned up very much but it has worked for me. Remember to replace the LDAP Path with yours and you may have to adjust the page size if you have more than 2000 objects. Also watch for line feeds in the code that may be email caused.

Have fun..

_Stuart Fuller

(***Full disclaimer of liability - use at own risk)

---
'------------------------------------------
'ListUsers Email Script
'Stuart Fuller
'7/7/05
'------------------------------------------
Dim adsComputer
Dim adsOU
Dim operatingSystem
Dim osVersion
Dim servicePack
Dim fileSys
Dim fileTxt
Const ForReading = 1, ForWriting = 2, ForAppending = 8

wscript.echo "Start"

'Create the output file
Set fileSys = CreateObject("Scripting.FileSystemObject")
Set fileTxt = fileSys.OpenTextFile("QueryOutput.csv", ForWriting, True)
fileTxt.WriteLine("First Name, Last Name, ID, Primary Mail Address,,Additional Email Addresses")

'Create the connection to AD
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

'Set the SQL type query against AD
'REPLACE LDAP PATH with the OU or domain you want to query in the objCommand.CommandText line
'Example 'LDAP://ou=users,dc=joeware,dc=com'
objCommand.CommandText = "Select givenName, sn, sAMaccountName, mail, ADsPath from 'LDAP PATH' " & _
    "where objectClass='user' AND objectCategory='Person'"
objCommand.Properties("Page Size") = 2000
objCommand.Properties("Timeout") = 60
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

'Loop through the returned records
Do Until objRecordSet.EOF
    strGName = objRecordSet.Fields("givenName").Value
    strSName = objRecordSet.Fields("sn").Value
    strMail = objRecordSet.Fields("mail").Value
    strSAM = objRecordSet.Fields("sAMaccountName").Value

    'In order to get the multi-valued attribute go get the user object
    'and then query the proxyAddresses attribute
    Set objUser = GetObject(objRecordSet.Fields("ADsPath").Value)
    On Error Resume Next
    For Each strProxyAddress In objUser.ProxyAddresses
        strAdd = Left(strProxyAddress, 4)
        If ((strAdd = "SMTP") Or (strAdd = "smtp")) Then
            'Drop the 5-character "SMTP:" / "smtp:" prefix, keep the address
            strAddress = Right(strProxyAddress, Len(strProxyAddress) - 5)
            strAddAll = strAddAll & strAddress & ","
        End If
    Next

    fileTxt.WriteLine(strGName & "," & strSName & "," & strSAM & "," & strMail & ",," & strAddAll)

    'Since we are using strAddAll as additive - clear the vars
    strAddress = Null
    strAddAll = Null

    'Go grab the next record and restart loop
    objRecordSet.MoveNext
Loop

wscript.echo "DONE"

-----Original Message-----
From: [EMAIL
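Both scripts in this message, and Joe Kaplan's earlier point that LDAP cannot select secondaries for you, rest on one convention: within proxyAddresses the single upper-case "SMTP:" value is the primary, lower-case "smtp:" values are secondaries, and the mail attribute is expected to match the primary (ADUC keeps them in step; nothing else does). The following is an added example, not the thread's Perl or VBScript: it separates primary from secondary addresses, flags a mail/primary-SMTP disjoint, and renders rows in a CSV layout similar to the scripts above. The user records are constructed; the ID/mail/proxyAddresses field names mirror the AD attributes named in the thread. It goes slightly beyond the thread in also rejecting a value set that carries two upper-case primaries, which is the malformed case the case-sensitive prefix rule exists to prevent.

```python
"""Split primary/secondary SMTP proxy addresses and flag mail disjoints (added example)."""
from typing import List, Optional, Tuple

# Constructed sample directory records (not real accounts).
USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice.smith@example.com",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;"]},
    {"sAMAccountName": "bob", "mail": "bob@example.com",                       # disjoint:
     "proxyAddresses": ["SMTP:robert.b@example.com", "smtp:bob@example.com"]},  # mail != primary
    {"sAMAccountName": "carol", "mail": "carol@example.com",
     "proxyAddresses": ["smtp:carol@example.com"]},                               # no primary at all
    {"sAMAccountName": "dave", "mail": None, "proxyAddresses": []},               # not mail-enabled
]


def split_smtp(values: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (primary, secondaries) from a proxyAddresses value list.

    The prefix compare is deliberately case-sensitive: 'SMTP:' is the one primary,
    'smtp:' marks secondaries, and other address types (X400, X500, ...) are ignored."""
    primary, secondaries = None, []
    for value in values:
        prefix, sep, address = value.partition(":")
        if not sep:
            continue                                   # not a typed address value
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError(f"more than one primary SMTP address: {values}")
            primary = address
        elif prefix == "smtp":
            secondaries.append(address)
    return primary, secondaries


def analyse(user: dict) -> dict:
    """Per-user summary, including whether mail and the primary SMTP address disagree."""
    primary, secondaries = split_smtp(user.get("proxyAddresses") or [])
    mail = user.get("mail")
    # Addresses are compared case-insensitively; the thread's Perl used a case-sensitive
    # 'ne', which would also report pure case differences as disjoints.
    disjoint = primary is not None and (mail or "").lower() != primary.lower()
    return {
        "id": user["sAMAccountName"], "mail": mail, "primary": primary,
        "secondaries": secondaries, "has_secondaries": bool(secondaries),
        "disjoint": disjoint,
    }


def report(users: List[dict]) -> List[dict]:
    return [analyse(u) for u in users]


def csv_lines(users: List[dict]) -> List[str]:
    """Header plus one row per user; secondaries are joined with ';' so the CSV
    column count stays fixed regardless of how many addresses a user has."""
    lines = ["Disjoint,ID,Primary Mail Address,Primary SMTP,Additional Email Addresses"]
    for row in report(users):
        lines.append(",".join([
            "TRUE" if row["disjoint"] else "FALSE",
            row["id"], row["mail"] or "", row["primary"] or "",
            ";".join(row["secondaries"]),
        ]))
    return lines


RESULTS = report(USERS)
CSV = csv_lines(USERS)

if __name__ == "__main__":
    print("\n".join(CSV))
```

Run against a real export, the "disjoint" column is the list worth acting on: a mail value that no longer matches the primary address is usually the trace of an edit made outside ADUC, exactly the case joe describes.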
RE: [ActiveDir] Overlapping AD Subnet Boundaries
Active Directory will use the most specific network address that applies to it. For instance, I set up a class-A address (or multiple in some companies) that applies to all of the network space of the company and assign that to the primary data center location. Then I start making more focused subnets that route clients / replication to more specific locations. That way you don't run into the issue where clients can't find their own subnet so choose a random DC. I have set up subnets all the way from 8 bit down to 32 bit as needed and it all works fine.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] Overlapping AD Subnet Boundaries
You are mistaking machine subnetting and subnetting defined in AD. They are not connected. The definitions in AD do not have to reflect what is really happening at the routing layer. They are generally close but there isn't any technical reason why they have to be.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Friday, January 26, 2007 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

Is it really 10.10.0.0/16 or a mistake (/24)?

Because your first site won't be able to join the other one as it will think it's local and won't send packets to the gateway (if it's really a /16). If it's a real /24, then it will work as expected (10.10.41.104 will be attached to the secondary site). If it's a /16 and you need a router between both sites, your configuration can't work from a network point of view.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

----- Original Message -----
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
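The three "Overlapping AD Subnet Boundaries" messages on this page turn on one rule: an AD subnet object is a prefix-to-site mapping, independent of the routing layer, and the site chosen for a client is the one whose subnet has the longest matching prefix (joe's "most specific network address"). The following is an added example, not code from the thread, that implements that lookup over a constructed subnet table built from the thread's numbers (10.10.0.0/16 on a primary site, 10.10.41.0/24 on a secondary site) plus an assumed /8 catch-all and a /32 host subnet to mirror joe's "8 bit down to 32 bit" remark; site names are assumptions. It also lists clients no subnet covers, which is the failure mode joe's catch-all subnet is there to prevent.

```python
"""Longest-prefix match of a client address to an AD site (added example, not from the thread)."""
import ipaddress

# Constructed subnet-to-site table modelled on the thread's example. Site names are assumed.
SUBNET_SITES = {
    "10.0.0.0/8":      "HQ-DataCenter",   # company-wide catch-all, as joe describes
    "10.10.0.0/16":    "Primary",
    "10.10.41.0/24":   "Secondary",       # carved out of the /16 above
    "10.10.41.250/32": "Branch-Kiosk",    # single-host subnet, also a valid AD subnet
}


def build_table(mapping):
    """Validate every subnet (strict=True rejects host bits set in the network part)
    and order the table most-specific-first so the first hit is the longest prefix."""
    table = [(ipaddress.ip_network(subnet, strict=True), site)
             for subnet, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(client_ip, table):
    """Site of the longest matching prefix, or None when no AD subnet covers the address."""
    addr = ipaddress.ip_address(client_ip)
    for network, site in table:
        if addr in network:
            return site
    return None


def uncovered(client_ips, table):
    """Clients with no covering subnet: these are the ones that end up on an arbitrary DC."""
    return [ip for ip in client_ips if site_for(ip, table) is None]


SITE_TABLE = build_table(SUBNET_SITES)

if __name__ == "__main__":
    for ip in ("10.10.41.104", "10.10.5.7", "10.20.3.4", "192.168.1.1"):
        print(ip, "->", site_for(ip, SITE_TABLE))
```

Because the table is sorted by prefix length and the overlapping /16 and /24 are both present, 10.10.41.104 resolves to the secondary site while 10.10.5.7 falls back to the primary one; the same code handles IPv6 prefixes, since ipaddress treats both families uniformly.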
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Ewww. :) Unless there are other needs that require MIIS I don't think I would deploy it for this. MIIS is a 50 caliber when all that was probably needed was a foam pellet gun. I have seen folks doing this before, usually they get an LDIF extract from Notes and just slam that into AD as contacts or mail-enabled users. Actually getting the info out of Notes... no clue, I didn't even want to start touching Exchange let alone any other messaging apps. I am happy just with Windows Server 2003 SMTP and looking at the text files. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well. I populate the mail attribute in AD with the Notes Users primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users. Even something that can query Domino for all users and groups and return all addresses into a file, I can use that as a basis to update AD with proxy info etc. Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an address that already exists as a secondary, does ADUC do anything more than change the prefix on the old primary address from 'SMTP' to 'smtp' and vice-versa for the new primary?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

----- Original Message -----
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd either have to use LDIFDE or VBScript or anything else to view all values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every Exchange user? I can't seem to find a way via csvde, but maybe I'm doing something wrong. Thanks again.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as ADSI likes to use Windows auth by default and depends on the LDAP directory to support the LDAP V3 subschemaSubentry rootDSE attribute to express its abstract schema in order for ADSI to map LDAP data types to COM datatypes. It might work, but I'd be more surprised if it did than didn't. A lower level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in the day, my suggestion would be to write a LotusScript program that goes against the NAB and gets the addresses that way. It would probably be less effort in the long run. If I was asked to do the exact same thing, that is definitely how I'd do it. If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious to hear about it. :)

Joe K.

----- Original Message -----
From: Douglas W Stelley
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I really don't see that much in the enterprise version of MIIS that'll justify the cost. We have some tools/program files that query LDAP for valid email addresses (GFI for one). I'd just like to be able to pull all email addresses out of Lotus/Domino so I can populate AD correctly. Of course I could do it manually. And Domino does support and use LDAP, but I don't have enough experience with Domino to build a script.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Laura A. Robinson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 12:51 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well. I populate the mail attribute in AD with the Notes Users primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users. Even something that can query Domino for all users and groups and return all addresses into a file, I can use that as a basis to update AD with proxy info etc. Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an address that already exists as a secondary, does ADUC do anything more than change the prefix on the old primary address from 'SMTP' to 'smtp' and vice-versa for the new primary?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

----- Original Message -----
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd either have to use LDIFDE or VBScript or anything else
Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
That's basically the same thing I was trying to get at. I'm aware that you can call the Domino object model from COM. I wrote so much LotusScript back in the day that I always tended to think of them as being synonymous. :)

My overall point was that I didn't think you'd have much success with using ADSI and LDAP to query the Domino directory, but I'd love to see someone try it and prove me wrong. I do like your idea of using COM to glue the two things together, either through script or some other thing that can do COM like PowerShell, VB6 or .NET (or C++ if you like that sort of thing).

Joe K.

----- Original Message -----
From: Dave Wade [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 6:30 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

If you want to query Notes and AD in the same script you don't need to use LotusScript, you can use VBSCRIPT. There is a set of objects that allow access to NOTES provided you have the Notes client installed. They are documented in the Notes help file. Basically they are the same as the interfaces LotusScript uses. I seem to recall that LotusScript is virtually the same as VB Script/VBA but tweaked enough so Lotus/IBM does not have to pay MS license for VBA/VBScript. I used to have some examples to do that and if you need them I could probably fish them out...

Dave.

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Fri 26/01/2007 22:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as ADSI likes to use Windows auth by default and depends on the LDAP directory to support the LDAP V3 subschemaSubentry rootDSE attribute to express its abstract schema in order for ADSI to map LDAP data types to COM datatypes. It might work, but I'd be more surprised if it did than didn't. A lower level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in the day, my suggestion would be to write a LotusScript program that goes against the NAB and gets the addresses that way. It would probably be less effort in the long run. If I was asked to do the exact same thing, that is definitely how I'd do it. If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious to hear about it. :)

Joe K.

----- Original Message -----
From: Douglas W Stelley
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I really don't see that much in the enterprise version of MIIS that'll justify the cost. We have some tools/program files that query LDAP for valid email addresses (GFI for one). I'd just like to be able to pull all email addresses out of Lotus/Domino so I can populate AD correctly. Of course I could do it manually. And Domino does support and use LDAP, but I don't have enough experience with Domino to build a script.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Laura A. Robinson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 12:51 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well. I populate the mail attribute in AD with the Notes Users primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users. Even something that can query Domino for all users and groups and return all addresses into a file, I can use that as a basis to update AD with proxy info etc. Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Re: [ActiveDir] How to find non-primary SMTP addresses?
In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

----- Original Message -----
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd either have to use LDIFDE or VBScript or anything else to view all values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every Exchange user? I can't seem to find a way via csvde, but maybe I'm doing something wrong. Thanks again.
RE: [ActiveDir] How to find non-primary SMTP addresses?
Yeah JoeK is right on, nothing in LDAP will help you with this. The proxyAddresses attribute is case insensitive so there is no way to query to just get addresses that are secondary.

AdFind can help with this in a small perl script. You use the CSV capability of AdFind combined with its ability to only display the multivalue attributes that have a string match to smtp (AdFind isn't case sensitive either for this query). That simply outputs just smtp addresses so it is nice and clean. The perl script would look something like:

    use strict;
    use warnings;

    # one CSV line per object; the multi-valued attribute is joined with ';' in its cell
    my @out = `adfind -sc exchaddresses:smtp -csv -nocsvheader`;
    foreach my $thisline (@out) {
        next unless $thisline =~ /smtp:.+/;   # lower-case smtp: means a secondary is present
        $thisline =~ s/SMTP:[^;"]+;?//;       # strip out primary (stop at the next ';' or closing quote,
                                              # a greedy .+ would also swallow the secondaries after it)
        $thisline =~ s/;{2,}/;/;              # cleanup multiple semicolons
        $thisline =~ s/;\"/\"/;               # cleanup semicolon/quote
        print $thisline;
    }

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, January 25, 2007 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

----- Original Message -----
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd either have to use LDIFDE or VBScript or anything else to view all values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every Exchange user? I can't seem to find a way via csvde, but maybe I'm doing something wrong. Thanks again.
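Both Joe K.'s point (the server-side filter cannot distinguish SMTP: from smtp:, so the split has to happen client-side) and joe's AdFind/perl approach come down to the same classification of proxyAddresses values once they are in hand. The following is an added example, not code from the thread or its participants: it performs that case-sensitive split in Python on a constructed set of user objects, flags the inconsistent case of more than one primary, and includes a small helper for the semicolon-joined cell layout the perl script above expects (that layout is an assumption about the CSV exporter, not something the thread confirms).

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: three user objects with the multi-valued
# proxyAddresses attribute as it comes back from an LDAP search. The DNs and
# addresses are placeholders.
SAMPLE_USERS: Dict[str, List[str]] = {
    "CN=Alice,OU=Users,DC=company,DC=com": [
        "SMTP:alice@company.com",
        "smtp:alice.smith@company.com",
        "smtp:asmith@oldcompany.com",
        "X400:c=US;a= ;p=Company;o=Exchange;s=Alice;",
    ],
    "CN=Bob,OU=Users,DC=company,DC=com": [
        "SMTP:bob@company.com",
    ],
    "CN=Carol,OU=Users,DC=company,DC=com": [
        "smtp:carol@company.com",
        "SMTP:carol.jones@company.com",
        "sip:carol@company.com",
    ],
}


def split_smtp_addresses(values: List[str]) -> Tuple[Optional[str], List[str]]:
    """Separate the primary SMTP address (upper-case 'SMTP:' prefix) from the
    secondary ones ('smtp:'). The prefix test is deliberately case-sensitive,
    which is exactly what an LDAP filter on this attribute cannot express."""
    primary = None
    secondaries: List[str] = []
    for value in values:
        prefix, sep, address = value.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue  # X400:, sip:, X500: and other address types
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError("object has more than one primary SMTP address")
            primary = address
        else:
            secondaries.append(address)
    return primary, secondaries


def users_with_secondaries(users: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Client-side filter: only the objects that carry at least one secondary."""
    result: Dict[str, List[str]] = {}
    for dn, values in users.items():
        _, secondaries = split_smtp_addresses(values)
        if secondaries:
            result[dn] = secondaries
    return result


def split_joined_csv_value(cell: str) -> List[str]:
    """Assumption: the CSV exporter joins multi-values with ';' inside one
    cell, as the perl script above expects. Split that back into values."""
    return [v for v in cell.split(";") if v]


if __name__ == "__main__":
    for dn, secondaries in users_with_secondaries(SAMPLE_USERS).items():
        print(dn, secondaries)
```

Carol's object shows why position cannot be relied on: the primary is not necessarily the first value, so the split keys on the prefix case rather than on order, and the duplicate-primary check is the one consistency error worth surfacing in a bulk export.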
Re: [ActiveDir] Who Am I request
Cool, thanks Lee. It works. :)

Joe

----- Original Message -----
From: Lee Flight [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:13 AM
Subject: Re: [ActiveDir] Who Am I request

Using ldp.exe; a rootDSE query for supportedExtension will give you the OID:

4> supportedExtension:
  1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
  1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
  1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );
  1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );

Then it's (post bind to be useful) Browse - Extended Op and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.

Lee Flight

On Mon, 22 Jan 2007, Joe Kaplan wrote:

Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to try it. :)

Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

----- Original Message -----
From: Dmitri Gavrilov [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] Who Am I request

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support WhoAmI extended operation per RFC. In addition, they support rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership.

If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up user SID from the token). Note tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the Who am I? extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr

Lee Flight
__
Lee Flight ([EMAIL PROTECTED])
Tel: +44 (0)116 252 2257
IT Services, Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom
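Dmitri's pre-Longhorn route reads tokenGroups off the user object and compares it against the group in question. That attribute is a list of binary SIDs, so whatever LDAP library is in use (Alexandr mentions OpenLDAP) the caller has to decode the SID layout before it can compare anything. The following is an added example, not code from the thread or its participants: it encodes and decodes the binary SID format (revision byte, sub-authority count byte, 48-bit identifier authority big-endian, then 32-bit sub-authorities little-endian) and checks membership against a constructed tokenGroups list; the domain identifier 1111-2222-3333 and the RID 1107 are placeholders.

```python
import struct
from typing import Iterable, List


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) in the binary layout AD stores:
    revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority big-endian, then each 32-bit sub-authority little-endian."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID; rejects truncated or oversized values rather than
    silently producing a SID that would never match anything."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


# Constructed tokenGroups value: Domain Users (RID 513), a custom domain group
# (RID 1107, placeholder) and the built-in Users alias (S-1-5-32-545).
TOKEN_GROUPS: List[bytes] = [
    sid_to_bytes("S-1-5-21-1111-2222-3333-513"),
    sid_to_bytes("S-1-5-21-1111-2222-3333-1107"),
    sid_to_bytes("S-1-5-32-545"),
]


def is_member(token_groups: Iterable[bytes], group_sid: str) -> bool:
    """True when group_sid appears in the tokenGroups list (which is already
    expanded, so nested membership needs no extra walk). Both sides are
    canonicalised through the decoder so formatting differences cannot hide a match."""
    wanted = bytes_to_sid(sid_to_bytes(group_sid))
    return any(bytes_to_sid(raw) == wanted for raw in token_groups)


if __name__ == "__main__":
    for raw in TOKEN_GROUPS:
        print(bytes_to_sid(raw))
    print("member of 1107:", is_member(TOKEN_GROUPS, "S-1-5-21-1111-2222-3333-1107"))
```

Comparing decoded SIDs rather than group names is the robust choice here: names can be renamed or duplicated across domains, while the SID is what the token actually carries, and the same decoder serves for objectSid, sidHistory and tokenGroupsGlobalAndUniversal.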
Re: [ActiveDir] Search over SSL hangs
If this can happen with any LDAP directory and not just AD, then it sounds like the issue is with the Oracle SSL stack. Does the search hang permanently or just take a long time to execute? Sometimes an SSL operation is slowed down a lot due to client certificate authentication requested by the server or CRL checking. Does Oracle give you any logs? What SSL stack do they use? Can this issue be reproduced with any other SSL stacks (Windows using ldp.exe for example)?

Joe K.

----- Original Message -----
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 4:28 AM
Subject: [ActiveDir] Search over SSL hangs

List,

Surfing Google, I realized that it is something that happens with a great frequency and not just with this specific directory we are using (Active Directory). Have you ever experienced performing a search to a directory, through SSL, and the search hangs? It won't happen using an LDAP browser client (like JXplorer) but it does from a PL/SQL procedure from Oracle. The curious thing is that when this very same search is performed through a non-SSL connection (from the database), it won't hang, just through SSL! Took a look in lots of messages, forums, Oracle forums and this issue is reported in environments with other configurations (other directories, database, OS...) but a solution or workaround or even the pointing of where the problem is is never explained!

Additional info: 2 different certificates were used. Both given by our customer and are valid ones (tested by them and us, we can connect/authenticate/search through JXplorer and connect/authenticate through Oracle).

Can you give us a light? Thank you all in advance.

Mauricio.
Re: [ActiveDir] Who Am I request
If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request

Hello Dmitri,

thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support WhoAmI extended operation per RFC. In addition, they support rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership.

If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up user SID from the token). Note tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the Who am I? extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr
Re: [ActiveDir] Search over SSL hangs
I know nothing about Oracle (never seen it, never touched it), so I can't help at all there. However, I'd suggest going back to the vendor to help you troubleshoot this. The fact that the issue seems to be restricted to their LDAP/SSL stack suggests that they should be able to help troubleshoot the problem.

Joe K.

----- Original Message -----
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:43 AM
Subject: Re: [ActiveDir] Search over SSL hangs

Joe, List,

Yes! It does sound like it is something with the Oracle SSL engine. I let the process (search) run for more than 3 hours (so I think it is not a problem of slow communication/authentication) and it never returned. When a CTRL+C was issued to abort the procedure (which was running from sqlplus), the stack error it returned pointed to an Oracle package (SYS.DBMS_LDAP_API_FFI) in its last level (upper level). The code in PL/SQL follows (SECURITYSOX is our schema user and LDAP is our user package):

##
SQL>
  1  declare
  2    X number;
  3  begin
  4    X := -1;
  5    X := LDAP.VALIDA_USUARIO_LDAP(2,'ldapuser','ldappass');
  6    dbms_output.put_line(X);
  7* end;
SQL> /
declare
*
ERROR at line 1:
ORA-01013: user requested cancel of current operation
ORA-06512: at SYS.DBMS_LDAP_API_FFI, line 134
ORA-06512: at SYS.DBMS_LDAP, line 253
ORA-06512: at SECURITYSOX.LDAP, line 221
ORA-06512: at SECURITYSOX.LDAP, line 581
ORA-06512: at SECURITYSOX.LDAP, line 181
ORA-06512: at line 5
##

Nothing appears in Oracle's alert.log. No traces are generated in the bdump, cdump or udump directories, as if it had nothing to do with Oracle. The certificates used were provided by our customer and were tested by them, and as we can init the session, open the SSL support for that session and even authenticate an LDAP user/pass, the certificates are out of the possible causes of this issue. And even more because, as mentioned, we can perform a search over SSL using JXplorer and it is almost immediate, no hangs (for the little they could be), no delays, nothing, just direct to the result!

I am trying to contact our customer's LDAP admin in order to get additional info from the server logs. As soon as I can get this, I will update the thread.

Thank you all for your help!

On Tue, 2007-01-23 at 10:51 -0600, Joe Kaplan wrote:

If this can happen with any LDAP directory and not just AD, then it sounds like the issue is with the Oracle SSL stack. Does the search hang permanently or just take a long time to execute? Sometimes an SSL operation is slowed down a lot due to client certificate authentication requested by the server or CRL checking. Does Oracle give you any logs? What SSL stack do they use? Can this issue be reproduced with any other SSL stacks (Windows using ldp.exe for example)?

Joe K.

----- Original Message -----
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 4:28 AM
Subject: [ActiveDir] Search over SSL hangs

List,

Surfing Google, I realized that it is something that happens with a great frequency and not just with this specific directory we are using (Active Directory). Have you ever experienced performing a search to a directory, through SSL, and the search hangs? It won't happen using an LDAP browser client (like JXplorer) but it does from a PL/SQL procedure from Oracle. The curious thing is that when this very same search is performed through a non-SSL connection (from the database), it won't hang, just through SSL! Took a look in lots of messages, forums, Oracle forums and this issue is reported in environments with other configurations (other directories, database, OS...) but a solution or workaround or even the pointing of where the problem is is never explained!

Additional info: 2 different certificates were used. Both given by our customer and are valid ones (tested by them and us, we can connect/authenticate/search through JXplorer and connect/authenticate through Oracle).

Can you give us a light? Thank you all in advance.

Mauricio.
Re: [ActiveDir] Who Am I request
I think that's fine. Remember that AD has a global catalog, so you can search across the whole forest quite easily. I'm not actually certain that you can do a simple bind with a user from a different domain, but maybe you can. My multi-domain LDAP knowledge is a little weak since I don't actually have to deal with one on a day to day basis.

I do know that simple bind is only supposed to support the full DN (as per LDAP spec), the UPN or the NT name for simple bind. The unqualified user name is only supposed to work with a Windows secure (GSS-SPNEGO SASL) bind. I think it actually does work in some cases, but not others, so you should not use it as it is not documented to work correctly.

There is also a Windows RPC method called DsCrackNames that will translate names between different formats if you have a logon name and want something you can use in a DN such as the full DN, GUID or SID. I doubt that helps if you are trying to use OpenLDAP though. :)

Joe K.

- Original Message -
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 3:12 PM
Subject: Re: [ActiveDir] Who Am I request

Let's say I did a simple bind with user TestUser, but the user record is actually located at CN=TestUserCN,OU=Users1,DC=company,DC=com and it can (as far as I know) only be recognized by having sAMAccountName TestUser. I could probably find the user by searching under DC=company,DC=com with a filter (sAMAccountName=TestUser), but I think it would impose a substantial load on the Active Directory server, because not all users are under OU=Users,DC=company,DC=cz, some are located in other subtrees. Do you think it would be OK to do that?

Thanks,
Alexandr

On Tuesday 23 January 2007 19:02, Joe Kaplan wrote:

If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :)

Joe K.

- Original Message -
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request

Hello Dmitri, thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07, Dmitri Gavrilov wrote:

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership. If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token). Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody, I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the Who am I? extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr
Re: [ActiveDir] Who Am I request
Thanks for clearing that up. I appreciate it.

Joe K.

- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:52 PM
Subject: RE: [ActiveDir] Who Am I request

You can do an x-domain simple bind within the forest. You can not do it x-forest.
RE: [ActiveDir] OT: Apache LDAP authentication oddity
Get a network trace of the LDAP calls and responses. Possibly it is an Apache issue, possibly the developer is a knucklehead. :)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

We have an application that is using an Apache server to do LDAP authentications against our Active Directory. (Yeah, I know; if only I were king! LOL!) The application developer tells me that if he tries doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works. The user account that is being tested is some OU levels below this. He is coding a subtree scope and he is filtering on (objectclass=user and objectcategory=person). It's like Apache needs to start at an OU structure. I couldn't find much on Google about this other than someone else was having the same issue last Fall and just gave up in frustration. The Apache documentation I could find seemed to indicate that a search of dc=yyy,dc=zzz SHOULD work. Any thoughts/pointers are appreciated!

Thanks!
Mike Thommes
RE: [ActiveDir] Unsubing
http://www.activedir.org/List.aspx

Careful... some affairs can get you jail time... An affair with a tiger or leopard is likely one of them... Plus once you have gone that direction, you may find your overall pool of possible dates shrinks dramatically, especially if you admit where you have been. Certainly a majority of the business world frowns on affairs with those creatures. lol.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: Unsubing

Sorry to send this to the list, but I can't find the address to unsubscribe. Can anyone help me out? As much as I love you all, my recent affair with Apple OS X has left me realising that our love is just a sham and that other delights await me.

Big up'.
Olly
www.g2support.com/backups
RE: [ActiveDir] Largest AD DIT
I am aware of a 20GB DIT or two. Generally most of the DITs seem to be 10GB or smaller for many/most companies even with hundreds of thousands of users.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

I'm curious about a production DIT. A DIT that some poor soul is losing sleep over at night ;)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 19, 2007 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in the test lab ... in fact he's going to talk about that at DEC.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Largest AD DIT

Hey has anyone been keeping track of the largest AD database? I seem to remember a few years ago it was an online email company. I'm curious if that has changed.
RE: [ActiveDir] Export Group's Members details
All attributes for a given user can be given by querying the user for the attribute allowedAttributes. If you want to know what attributes you can manipulate you can query for allowedAttributesEffective. There are also some ADSI functions around that too to get the generic attribute set but note that it will not reflect the attributes on a specific user due to dynamic auxiliary classes that may be attached to the individual user object. For instance, say I have an app called joeware-something and I have a dynamic aux class called joewareSomethingClass1 with attributes joewareSomethingAtt1 and joewareSomethingAtt2 and I dynamically attach that aux class to user bob but not user steve. Getting the generic list of attributes will not show those additional attribs but querying the user bob for the attribute allowedAttributes will show them.

The difficult part about what you are asking for in terms of the info for the members is that groups store DNs only. So you will query for a group and return members and you will get DNs. You then have to go look up those DNs and get the additional attributes. The problem with CSVDE and LDIFDE is that you can't really do that directly; you could do it through a script that gets the results of the query for the DNs and then goes back and calls out an additional time for each member to get the additional attributes. This will work, it will be slow depending on how many members there are though with a lot of overhead spinning up the apps for every query. You could do this using dsquery and dsget piping as well as mentioned by Phil, again, lots of overhead for app instantiation. Consider if you have 100 members, that will be 1 query to get the group and the members, then another 100 queries to get the info for each member. This gets even more involved if you have group nesting or you want to get primary group membership as well.

Quite honestly, you can use just a raw LDAP app to easily get this kind of info, you need an app that is dedicated to getting this info OR a script with intelligence.

With K3 MSFT helped *a little* with something called attribute scoped queries. This will allow you to specify a group and tell the DC to get the additional info for the members. The issue here though is that it only works for members who have presence in the current scope. It won't chase DNs to other DCs to get info on them so if you just do that without validating the return set you could be missing info. Good try but generally, it is too dangerous for many people to use unless they are really up on what can happen. I haven't seen many people using this and those that I have, a good percentage of them are not aware of the implications.

See the following example, three queries, one normal LDAP ASQ query that misses the Child1 group, one GC query that hits the group, and one phantom root query that hits the group. If I had been querying a DC that wasn't a GC, the last two would have failed as well.

[Sun 01/14/2007 22:06:29.53] F:\Dev\CPP\AdMod>adfind -e -default -f name=administrators member

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=Administrators,CN=Builtin,DC=joe,DC=com
member: CN=newadmin,CN=Users,DC=joe,DC=com
member: CN=fastmofo,CN=Computers,DC=joe,DC=com
member: CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
member: CN=Domain Admins,CN=Users,DC=joe,DC=com
member: CN=Enterprise Admins,CN=Users,DC=joe,DC=com
member: CN=administrator,CN=Users,DC=joe,DC=com

1 Objects returned

[Mon 01/15/2007 1:08:56.90] F:\Dev\CPP\AdMod>adfind -e -b CN=Administrators,CN=Builtin,DC=joe,DC=com -f * -asq member name

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=administrator,CN=Users,DC=joe,DC=com
name: administrator

dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
name: Enterprise Admins

dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
name: Domain Admins

dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
name: fastmofo

dn:CN=newadmin,CN=Users,DC=joe,DC=com
name: newadmin

5 Objects returned

[Mon 01/15/2007 1:09:38.57] F:\Dev\CPP\AdMod>adfind -e -gc -b CN=Administrators,CN=Builtin,DC=joe,DC=com -f * -asq member name

AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=administrator,CN=Users,DC=joe,DC=com
name: administrator

dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
name: Enterprise Admins

dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
name: Domain Admins

dn:CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
name: Domain Admins

dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
name: fastmofo

dn:CN=newadmin,CN=Users,DC=joe,DC=com
name: newadmin

6 Objects returned

[Mon 01/15/2007 1:09:48.78] F:\Dev\CPP
RE: [ActiveDir] Domain Admin
LOL. I am with you with the view access, whenever I walk into a location I ask for normal user and exchange view to start and if they have actually locked down pre-w2k access (rare in my experience) then I ask for whatever group allows me to view the attributes that are now no longer available to normal users to see. If they say that is the admin groups then I start talking about the idea of not using Domain Admin rights to try and troubleshoot, only to actually change things. Especially for AD troubleshooting, much if not most of the info you would likely need is available through normal user rights and I try very hard to do everything in terms of looking at info as a normal user or a normal user with additional read access granted and if I can't do it as a normal user with that access I try to understand why not so I can later.

The admin accounts in general scare me because people make mistakes too easily (including me) which is why I don't want anything to do with admin rights when I walk into a place to help them. You can't blame me for breaking your stuff if you didn't give me rights to break it. I don't feel I am special enough to have DA rights when I walk into someone else's environment. Anymore, now that I do more consulting than real work, I don't have DA rights anywhere but at home and even there I am not sure I should have them. ;o)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 11, 2007 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admin

I've seen consultants ask for that level of access before to gain access to the local machine. They reason that because the domain admins are added to the local administrators group that they'll have full access to the machine. They also are not aware of the rights needed to view or otherwise administer AD. Just not familiar with rights at all for that matter.

GPOs... Good point. But if it were me, I wouldn't want to have change access to anything in production at all. I would much prefer to have the local admins step and fetch and do my bidding. I guess that's my power trip, though it has the nice added benefit of not letting me, the consultant, get blamed for any issues or data theft or damage that may occur before, during, or after my engagement. It's way too easy to ask for the details in a particular format vs. collecting it with DA rights. DA is just way too much IMHO. It's lazy to ask for the keys to the kingdom to gain access to the kitchen.

But I'm with you joe, I hope it's a translation thing. I shudder to think that somebody may have been given the DA rights to look at a local server or two.

Oh, and if you take away any more fun I'll have to stop reading some of those posts. I mean c'mon, not changing and reconfiguring a server at logon? How can you possibly expect me to get my email if I can't use Outlook on my servers? Sheesh... (o;

On 1/11/07, joe [EMAIL PROTECTED] wrote:

Hopefully the guy means the person needs administrator rights over the two servers. Not sure how you would give domain admin rights over two servers and even what that would buy you. At the member level a domain admin isn't any more powerful than a local admin. The domain powers come in with the GPOs and computer account in AD which likely this bonehe... err consultant needs. :)

Unless the admin tools are tied to some GPO software installation (something I never liked though I thought, that is kind of cool when I initially saw it) that is tied to DAs then what ID is used to log into the server shouldn't come into play. If it is tied to a policy, scrub the policy and just install the tools on the servers in your base install process. Servers, IMO, are not devices that should be getting reconfigured every time someone different logs on or logs off.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 11, 2007 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admin

Am I the only one that would suggest escorting the consultant out the door? Asking for domain admin level privs to access two servers is WAY over the top IMHO. Heck, just to read and report and make suggestions (consultants tend to do that from what I recall) the consultant doesn't need anywhere near that level of privs. Just for asking is grounds for dismissal based on the information presented anyway. Having been a consultant, I feel qualified to make such statements in case you wondered where I am coming from :)

Perhaps the original postee can add some information about what the consultant needs to be able to do and why domain admin privs would be needed?

On 1/10/07, Lee, Wook [EMAIL PROTECTED
RE: [ActiveDir] Win 2000 Remote Desktop Users
You can't use it Rocky. You hit the nail on the head with built-in. It has a well known SID (S-1-5-32-555) which has no domain affinity so adding that to a member machine is useless as the member machine would not be able to chase it back to anything. I.E. If you have a forest with 4 domains and you were able to add that group from Domain1, how would the member know it wasn't actually from Domain2 or Domain3 or Domain4? Answer... It wouldn't, the SID is the same for all of them.

It is just another reason to try and avoid use of the builtin groups as much as you can and creating and using your own specific groups.

You see this question in the newsgroups a lot but it is usually around Server Operators... i.e. I have people that are server operators on the domain and I want them to have rights on the members when I try to do xyz with the server operator group it doesn't work...

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, January 11, 2007 12:55 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Win 2000 Remote Desktop Users

Guys, I am trying to add the Remote Desktop Users group (Builtin Domain Local Group) to the Power Users group on my Windows 2000 Server SP4 Terminal Server. I can't. I can't navigate to it, I can't see it. Would anyone be able to tell me why? I would be grateful.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
RE: [ActiveDir] Win 2000 Remote Desktop Users
lol, n/p

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, January 11, 2007 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win 2000 Remote Desktop Users

joe,

YMYMYM

Thanks.

RH
RE: [ActiveDir] Adfind and ADMOD question
AdMod will not populate membership that way currently unfortunately. You could populate a list of groups with a single member or export membership for a group to a CSV file, change the DN on the group and then use AdMod to import. It is something that I think about occasionally on how to get it in there without really whacking the parameter structure too much.

Shouldn't that be dsget instead of dsquery?

Interesting on the no output if the group is 1586 members... If you have K3 that is just after the value ranging cut off but I would expect the ds* tools would do ranging... I have never really played with them that much to find out, the command line parameter system annoys me, I much prefer adfind. :)

Anyway, you should be able to get a quoted list of members of a group which is what I believe dsmod wants for that command with something like

adfind -b whatever_base -f whatever_filter member -qlist

Like so

G:\>adfind -default -f name=domain admins member -qlist

CN=user\, test,OU=Users,OU=TestOU,DC=test,DC=loc CN=$joe,OU=Users,OU=My,DC=test,DC=loc CN=Administrator,CN=Users,DC=test,DC=loc

And if it doesn't return a list that exceeds 1500 members, let me know because it absolutely should.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Thursday, January 11, 2007 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adfind and ADMOD question

Joe got an idea on how to use Adfind and Admod to do this one. I have a group with an _ in it, that I can't seem to dump the members from the group with the dsget group and dsmod group commands. The syntax of the command I am using is such, and I have tried it with other groups with _ and it works fine. (Note this group has 1,586 users) other groups I have queried have a lot less.

Dsquery group CN=Group_Name,OU=Groups,OU=Mydomain,DC=ChildDomain,DC=RootDomain,DC=ORG -members | dsmod CN=Group2,OU=Groups,OU=MYDomain,DC=ChildDomain,DC=RootDomain,DC=ORG -addmbr

It seems I get no input on the first part of the query,

Dsquery group CN=Group_Name,OU=Groups,OU=Mydomain,DC=ChildDomain,DC=RootDomain,DC=ORG -members

But I can do an easy showmbrs Childdomain\Group_Name and dump all the members. Any ideas, totally stuck, looks like an issue with the number of users in the group being too large.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505
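The two traps in these threads, the value ranging cut-off joe mentions for a 1,586-member group and the attribute scoped query that silently drops members whose DN lives in another domain (his Child1 example), as an added Python example that is not code from the thread, from AdFind or from the ds* tools. The fake DC, the member DNs and the hosted naming contexts are constructed for the demonstration; on a real directory the fetch callable would be an LDAP search.

```python
import re

# 'member;range=0-1499' is how a DC returns the first chunk of a multi-valued attribute that
# exceeds its per-reply limit; the final chunk comes back as 'member;range=N-*'.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_ranged_attr(name):
    """Split 'member;range=0-1499' into ('member', 0, 1499); hi is None for the '*' marker.
    A plain attribute name yields (name, None, None)."""
    m = RANGE_RE.match(name)
    if not m:
        return name, None, None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def collect_ranged_values(fetch, attr):
    """Read every value of attr, following range markers until the server sends 'range=N-*'.
    fetch(requested_attr) stands in for one LDAP search and returns {attr_name: [values]}."""
    values, lo, requested = [], 0, attr
    while True:
        entry = fetch(requested)
        if attr in entry:                       # small group: the whole attribute came at once
            return values + list(entry[attr])
        for name, vals in entry.items():
            base, r_lo, r_hi = parse_ranged_attr(name)
            if base.lower() == attr.lower() and r_lo == lo:
                values.extend(vals)
                if r_hi is None:                # 'range=lo-*': that was the last chunk
                    return values
                lo = r_hi + 1
                requested = "%s;range=%d-*" % (attr, lo)
                break
        else:
            raise ValueError("no usable range in reply to %s" % requested)


def make_fake_dc(members, limit=1500):
    """Constructed DC that enforces a value limit (1500 per reply on Windows Server 2003)."""
    def fetch(requested):
        base, lo, _hi = parse_ranged_attr(requested)
        if lo is None:
            if len(members) <= limit:
                return {base: list(members)}
            lo = 0
        end = min(lo + limit, len(members))
        marker = "*" if end == len(members) else str(end - 1)
        return {"%s;range=%d-%s" % (base, lo, marker): members[lo:end]}
    return fetch


def split_dn(dn):
    """Split a DN on unescaped commas, so 'CN=user\\, test,OU=Users,...' keeps its escaped comma."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return parts


def naming_context(dn):
    """The DC=... suffix of a DN: the domain naming context the object lives in."""
    return ",".join(p.strip() for p in split_dn(dn) if p.strip().upper().startswith("DC="))


def asq_blind_spots(member_dns, hosted_ncs):
    """Member DNs an attribute scoped query cannot expand on a DC that hosts only hosted_ncs:
    on that DC they are phantoms, so the ASQ result silently omits them. Compare this list with
    the ASQ result before trusting it; it is empty on a GC that carries every domain."""
    hosted = {nc.lower() for nc in hosted_ncs}
    return sorted(dn for dn in member_dns if naming_context(dn).lower() not in hosted)
```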
RE: [ActiveDir] Domain Admin
Hopefully the guy means the person needs administrator rights over the two servers. Not sure how you would give domain admin rights over two servers and even what that would buy you. At the member level a domain admin isn't any more powerful than a local admin. The domain powers come in with the GPOs and computer account in AD which likely this bonehe... err consultant needs. :)

Unless the admin tools are tied to some GPO software installation (something I never liked though I thought, that is kind of cool when I initially saw it) that is tied to DAs then what ID is used to log into the server shouldn't come into play. If it is tied to a policy, scrub the policy and just install the tools on the servers in your base install process. Servers, IMO, are not devices that should be getting reconfigured every time someone different logs on or logs off.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 11, 2007 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admin

Am I the only one that would suggest escorting the consultant out the door? Asking for domain admin level privs to access two servers is WAY over the top IMHO. Heck, just to read and report and make suggestions (consultants tend to do that from what I recall) the consultant doesn't need anywhere near that level of privs. Just for asking is grounds for dismissal based on the information presented anyway. Having been a consultant, I feel qualified to make such statements in case you wondered where I am coming from :)

Perhaps the original postee can add some information about what the consultant needs to be able to do and why domain admin privs would be needed?

On 1/10/07, Lee, Wook [EMAIL PROTECTED] wrote:

Assuming the servers are at least Windows 2000 or newer, the administrative tools can be installed using adminpak.msi which is found in %systemroot%\system32 which is usually c:\winnt\system32 or c:\windows\system32. It is also possible to delegate control in the AD over a couple of servers either individually or by OU, but the best practice would be to use a separate account for the admin tasks as Daniel describes and use a group to delegate control in the AD if that's really necessary. You want to be careful not to delegate too much control. Full control over the OU gives the delegated administrators too much since they would be able to create additional OUs and any kind of objects that they would want. Very bad in most enterprises. Only delegate control in AD if you absolutely have to and then audit those activities closely to avoid disasters of forest-wide proportions.

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Wednesday, January 10, 2007 6:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admin

I might go so far as to create a new account for the consultant. Inform the consultant to only use the new account when they need to perform the work on the two servers. A new account will allow you to audit their work and also watch for creep. Also, do not give the elevated account e-mail or anything like that so that there is no way those servers can pick up anything like a virus or spyware.

Dan

Original Message
Subject: [ActiveDir] Domain Admin
From: Patrick [EMAIL PROTECTED]
Date: Tue, January 09, 2007 10:19 pm
To: ActiveDir@mail.activedir.org

I have a consultant that is asking for domain admin rights on 2 member servers. I have googled it but nothing seems to work out right. The servers are on the domain but the consultant just has a domain user account. He can log on to the servers while they are on the domain but the administrative tools are not there (as it should be). I want to create an OU and put the two machines in that OU and delegate control to the consultant's domain user account. Any other way to do this without registry hacks or scripts? All assistance welcomed.
RE: RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
What is the version? Current version of AdFind that is publicly available is V01.35.00. The -resolvesids option made it into AdFind around V01.31.00 or so which was a year ago. Plus if you really want something readable you likely want -sddl++

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, January 09, 2007 5:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Oh, thanks Joe! The command

adfind -b DN_OU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -adcsv

works fine. But when I add -resolvesids as this

adfind -b DN_MyOU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -resolvesids -adcsv

It shows an error

ERROR: Bad Command Line Arg(s)
ERROR: resolvesids

Thanks,
Yann

joe [EMAIL PROTECTED] wrote:

Yes it is a binary octet string, it is a normal security descriptor and can be manipulated like you would manipulate security descriptors in compiled apps normally. If you are scripting, then use adfind to dump the attribute with the -sddl+ or -sddl++ switches and if you want the SIDs and SDDL encoded secprins decoded use -resolvesids.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello, I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Oh great, like the water needed to be any muddier... Thanks Lee, I hadn't seen this yet. I will have to look into it. Something that makes Exchange even more special. Have I complained recently on how much I dislike the Exchange permissioning model. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee Flight
Sent: Monday, January 08, 2007 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

One example that I would highlight that can muddy the water in attempting tracking of resolvable SIDs is that the SID might be from an Authority that does not resolve by a native windows mechanism/api e.g. an SD that contains a SID from the SECURITY_RESOURCE_MANAGER_AUTHORITY (S-1-9-etc). I had not seen an example of this until a few months ago when I noticed such SID appearing in DSACLS output in an Exchange 2007 deployment[1].

Lee Flight

[1] See Table 3 in http://technet.microsoft.com/en-us/library/315d9c42-1ab4-4ef4-9292-12cdcb9c98cf.aspx

On Sun, 7 Jan 2007, joe wrote:

Because as mentioned in my post, this is a very difficult and complex task given the current security infrastructure. There is nothing maintaining backlinks into where specific SIDs are used for ACLing. Even so, as Wook and Deji and I all mentioned, there are times where something could have a SID in an ACL and be perfectly valid but some sort of burb or in progress issue causes the SID to be temporarily unavailable. This kind of thing happens pretty regularly and people don't tend to catch it because MSFT, intelligently, didn't go through and scrub the ACLs when this occurred. If they did, people would be posting all of the time how some group or user or other security principal lost access to something or in the case of DENY ACEs all of a sudden had access to something.

It is a very fine line between being helpful and being destructive. In order to implement this so it was effective and efficient I would visualize something that would have to track ALL uses of SIDs (not just file system or AD) with a backlink table and would somehow get notifications when a security principal was truly deleted and it was intended to be so and wouldn't be coming back (i.e. someone didn't pull a whoops). The first is extremely involved but likely possible from a technical standpoint though it would cause bloat somewhere where that info is stored. The second is near impossible, IMO, because it involves people not screwing up and I don't expect to see that day happen.

A couple of other items to think about, you have more than ACEs that have the SIDs in a security descriptor, you also have the owner and the group. You don't just want to zap the old value out, you want something there, what do you put there? Administrators? LocalSystem? What? Now what if you want to go clean all those up and reassign them to someone else? You are in the same place you were when you had the old missing user/group object.

I have posted this before (slightly different because then it included DNs), but here is a portion of the list of objects that can have SIDs embedded:

1. Windows Security Descriptors - this includes any kernel securable objects that can accept a security descriptor as well as many other objects that have customized ACL-like definitions like the customSD for event logs. A partial list of the official securable objects off the top of my head:
   o Active Directory Objects
   o SAM Objects (users and groups on member machines)
   o File System Objects (files/directories)
   o Threads/Processes
   o Synchronization objects (mutexes, events, semaphores, timers)
   o Job Objects
   o Network shares
   o Printers
   o Services
   o As of 2003 SP1 the Service Control Manager itself
   o Registry keys
   o Windows Desktops and Windows Stations
   o Access tokens
   o File Mapping objects
   o Pipes (named or anonymous)
   Basically anything that allows you to pass in a SECURITY_ATTRIBUTES structure when creating the object plus more

2. Microsoft supplied Windows based applications. This includes things like ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseum.

3. Third party applications that run on Windows and were written properly to take advantage of Windows security. This list could be long and wide, there are hundreds of thousands of Windows applications out there.

4. Third party applications that run on Windows and were written incorrectly to take advantage of Windows security. These apps don't use Windows security descriptors, they use custom security structures that are based on Windows Security Descriptors or are completely different but rely on SIDs. An example here would be how the event log security stuff was implemented in K3 which uses a basic Windows Security Descriptor SDDL format type that isn't quite standard.

5
RE: [ActiveDir] Risks of exposure of machine account passwords
If an attacker gets access to a machine account password they can connect to AD as that computer which is usually just normal user access rights. In fact, if you set up an auth as the computer and tap an ADAM instance and look at the RootDSE it will show you the groups you are a member of that are right for that context. For example:

tokenGroups: TEST\TESTCMP$
tokenGroups: TEST\Domain Computers
tokenGroups: Everyone
tokenGroups: BUILTIN\Users
tokenGroups: NT AUTHORITY\NETWORK
tokenGroups: NT AUTHORITY\Authenticated Users
tokenGroups: NT AUTHORITY\This Organization

I don't think overall that computer accounts are any more risky than normal userids. On the flip side, I think it is silly to leave enabled machine accounts lying around for computers that you are relatively sure will never reconnect. That is why I wrote oldcmp and make it available to everyone.

The key part is as Al mentioned, how did they get that password? I don't recall seeing anything that will extract that from a machine and even so, I expect it is much easier and useful to target user passwords than computer passwords - primarily admin type users.

A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a website unavailable screen and then tell admins that I have a web site that doesn't seem to authenticate users properly could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds. Alternately try to get an admin to log into a workstation I control. In far too many cases I think you will find admins are users too... :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords

What are the risks associated with the exposure of machine account passwords in Active Directory? Passwords are changed for machine accounts regularly, but they don't really expire and can get rather old. If an attacker has access to this password, what sort of access would he have to other systems on the network via Kerberos? i.e., would he be able to forge service tickets as other users and elevate his access elsewhere? The laxness of policy surrounding these accounts suggests that this is not a huge risk. Should we be more concerned with these old passwords?

Otis
RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Yes it is a binary octet string, it is a normal security descriptor and can be manipulated like you would manipulate security descriptors in compiled apps normally. If you are scripting, then use adfind to dump the attribute with the -sddl+ or -sddl++ switches and if you want the SIDs and SDDL encoded secprins decoded use -resolvesids.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
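The "binary octet string" joe describes in both of his replies on this attribute is an ordinary self-relative SECURITY_DESCRIPTOR, the same layout the Win32 security APIs consume. The following is an added example, not code from the list, from adfind or from Microsoft: it walks that layout (20-byte header, owner and group SIDs at their offsets, then the DACL with its ACEs) and renders it as SDDL, which is roughly what adfind's -sddl switch does without the -resolvesids name lookup. The blob it decodes is constructed inline by the builder functions at the bottom (the domain SID S-1-5-21-1-2-3-1105 is made up), only allowed and denied ACE types are handled, and the handful of SDDL aliases in SID_ALIASES is a subset of the real table.

```python
import struct

# SDDL string aliases for a few well-known SIDs (subset; anything else is emitted as S-1-...).
SID_ALIASES = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-32-544": "BA"}
ACE_TYPES = {0x00: "A", 0x01: "D"}                  # ACCESS_ALLOWED / ACCESS_DENIED (non-object ACEs)
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
GENERIC_RIGHTS = {0x10000000: "GA", 0x20000000: "GX", 0x40000000: "GW", 0x80000000: "GR"}
SE_DACL_PRESENT, SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x0004, 0x1000, 0x8000


def parse_sid(buf, off):
    """Parse a binary SID at buf[off:], returning (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")       # 6-byte big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)         # sub-authorities are little-endian
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def sid_to_sddl(sid):
    return SID_ALIASES.get(sid, sid)


def mask_to_sddl(mask):
    # Emit the generic-right alias when the mask is exactly one generic bit; otherwise SDDL hex form.
    return GENERIC_RIGHTS.get(mask, "0x%08x" % mask)


def parse_acl(buf, off):
    """Parse an ACL at buf[off:] into a list of SDDL ACE strings."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    pos, aces = off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in ACE_TYPES:
            raise ValueError("unsupported ACE type 0x%02x" % ace_type)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid, _ = parse_sid(buf, pos + 8)
        flags = "".join(name for bit, name in ACE_FLAGS if ace_flags & bit)
        aces.append("(%s;%s;%s;;;%s)" % (ACE_TYPES[ace_type], flags, mask_to_sddl(mask), sid_to_sddl(sid)))
        pos += ace_size                         # AceSize skips any padding the ACE carries
    return aces


def sd_to_sddl(blob):
    """Convert a self-relative SECURITY_DESCRIPTOR blob (as stored in AD) to an SDDL string."""
    rev, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision 1 security descriptor")
    out = ""
    if off_owner:
        out += "O:" + sid_to_sddl(parse_sid(blob, off_owner)[0])
    if off_group:
        out += "G:" + sid_to_sddl(parse_sid(blob, off_group)[0])
    if control & SE_DACL_PRESENT and off_dacl:
        out += "D:" + ("P" if control & SE_DACL_PROTECTED else "") + "".join(parse_acl(blob, off_dacl))
    return out


# --- builders used only to construct the sample blob below (constructed test data, not a real mailbox SD) ---
def build_sid(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_sd(owner, group, aces, protected=False):
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    o, g = build_sid(owner), build_sid(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | (SE_DACL_PROTECTED if protected else 0)
    off_owner = 20
    off_group = off_owner + len(o)
    off_dacl = off_group + len(g)
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl) + o + g + acl


SAMPLE_SD = build_sd("S-1-5-32-544", "S-1-5-18", [
    build_ace(0x00, 0x00, 0x10000000, "S-1-5-18"),              # allow GA to SYSTEM
    build_ace(0x00, 0x02, 0x80000000, "S-1-1-0"),               # allow GR, container-inherit, to Everyone
    build_ace(0x01, 0x10, 0x40000000, "S-1-5-21-1-2-3-1105"),   # inherited deny GW to a made-up domain SID
], protected=True)

if __name__ == "__main__":
    print(sd_to_sddl(SAMPLE_SD))
```

The unresolved S-1-5-21-... SID in the output is exactly what Lee's and joe's other thread on this page is about: the decoder can only print the SID, and turning it into a name (or discovering that no name exists any more) is a separate lookup against the directory.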
RE: [ActiveDir] Risks of exposure of machine account passwords
You can't treat everyone inside your network like criminals or you'll never get anything done.

I don't completely agree with this. When you are an admin, especially a DA, you need to be extremely paranoid about things and trust very little that you don't directly control when using your ID. When I see folks who aren't running separate accounts for admin work and normal work I know they aren't paranoid enough. Then if someone had two accounts the next question is are the passwords synced which is pretty normal to see but almost as bad as using your DA ID to log into your PC and doing work in which you aren't specifically making changes. The next thing to do to cut down on risk is do interactive auth as well as application auth to servers and DCs as little as possible with enhanced IDs. Just too many possible ways to get screwed whether on purpose or by accident to treat anything but proven trusted systems and people as anything but a danger. Yes it slows you down, but folks need to be very careful with their most powerful IDs. If people follow these guidelines it is considerably more difficult to compromise them through social engineering types of attacks such as outlined.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 5:35 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Mon, 8 Jan 2007 15:33:01 -0500 joe [EMAIL PROTECTED] wrote:

A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a website unavailable screen and then tell admins that I have a web site that doesn't seem to authenticate users properly could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds. Alternately try to get an admin to log into a workstation I control. In far too many cases I think you will find admins are users too... :)

If you already own a machine with an FQDN and you can send email to people as someone internal then it would be pretty hard to keep you out since you're already somewhat trusted. You can't treat everyone inside your network like criminals or you'll never get anything done. And if you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an email with a link to your site but use NTLM SSO pass-through to create a bogus account with a predefined password. If someone with domain admin privs so much as stumbles across your site they will create the said account and not even know they did it. No credentials necessary and no SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack though. For bonus points, does anyone know what it is?

:-
Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] ADfind to find locked accounts
The userAccountControl is not used for indicating a locked status when using LDAP, this applies both to LDAP and the LDAP ADSI interface. If you want the status of an account using that mechanism, with K3 you can use msDS-User-Account-Control-Computed however note the constructed... You cannot query that attribute, only retrieve it as an attribute in another query.

The only way to query, and how unlock does it, is via the lockoutTime attribute. As the others mentioned, you can do lockoutTime that has a value greater than 0, however it needs to be in the filter as lockoutTime>=1 since lockoutTime>0 is an invalid filter. Note that that will return both accounts that are locked as well as accounts that are already unlocked due to the lockout period expiring but no one has logged into them yet. I.E. If you are looking for accounts locked out right this second, you will get false positives.

The proper way to get currently locked out accounts, the method used by unlock, is to get the domain policy for lockout duration and calculate the proper value for lockoutTime which will be the current time minus lockout duration, anything locked after that time stamp is currently locked. That is the value you use to query AD for.

If I absolutely had to do it with adfind with a single command line I would use CSV mode with grep or findstr like so

adfind -default -f "(&(samaccounttype=805306368)(lockouttime>=1))" msDS-User-Account-Control-Computed -samdc -csv | grep LOCKED

That would be a list of currently locked accounts. It would be relatively efficient unless you have a lot of accounts that have passed the lockout duration but no one ever logged into them afterward.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such.

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Transformed Filter: samaccountname=servaccount
Using server: dc.appsig.com:389
Directory: Windows 2000
Base DN: DC=appsig,DC=com

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com
userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064? In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search.

C:\tools>unlock . * -view

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Processed at dc.appsig.com
Default Naming Context: DC=appsig,DC=com

1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY

I'm probably just missing something here, but was hoping for some clarification.

Thanks,
~Ben
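To make the two points in this thread concrete (the userAccountControl bits Ben expected to see, and the "current time minus lockout duration" threshold joe describes for lockoutTime), here is an added example, not code from the list or from the unlock/adfind tools. It decodes a userAccountControl value into the flag names adfind prints, converts a datetime to the 100-nanosecond-interval large-integer format AD uses for lockoutTime, and builds both the LDAP filter and an in-memory check for "locked right now". Assumptions: the domain's lockoutDuration attribute is passed in as AD stores it (a negative count of 100 ns intervals, with the 0x8000000000000000 sentinel meaning "locked until an administrator unlocks"), the clock is treated as UTC, and the three accounts in SAMPLE_ACCOUNTS are constructed data.

```python
from datetime import datetime, timedelta

# userAccountControl bits (ADS_UF_* values) with the short names adfind prints; subset of the full list.
UAC_FLAGS = [
    (0x0001, "SCRIPT"), (0x0002, "ACCOUNTDISABLE"), (0x0008, "HOMEDIR_REQUIRED"),
    (0x0010, "LOCKOUT"), (0x0020, "PASSWD_NOTREQD"), (0x0040, "PASSWD_CANT_CHANGE"),
    (0x0200, "NORMAL_USER"), (0x0800, "INTERDOMAIN_TRUST_ACCOUNT"),
    (0x1000, "WORKSTATION_TRUST_ACCOUNT"), (0x2000, "SERVER_TRUST_ACCOUNT"),
    (0x10000, "NO_EXPIRE"), (0x40000, "SMARTCARD_REQUIRED"),
    (0x80000, "TRUSTED_FOR_DELEGATION"), (0x400000, "DONT_REQ_PREAUTH"),
]
SAM_USER_OBJECT = 805306368                   # sAMAccountType of normal user accounts
LOCKED_UNTIL_UNLOCKED = -0x8000000000000000   # lockoutDuration sentinel: only an admin unlock clears it
EPOCH_1601 = datetime(1601, 1, 1)


def decode_uac(value):
    """Return the set flag names of a userAccountControl value (the LOCKOUT bit is never set over LDAP)."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def to_filetime(dt):
    """datetime (treated as UTC) -> AD large-integer time: 100 ns intervals since 1601-01-01."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def lockout_threshold(now, lockout_duration):
    """Earliest lockoutTime that is still in effect at 'now'.
    lockout_duration is the domain's lockoutDuration attribute: a negative 100 ns interval."""
    if lockout_duration == LOCKED_UNTIL_UNLOCKED:
        return 1                                  # any non-zero lockoutTime is a live lockout
    return to_filetime(now) + lockout_duration    # duration is negative, so this subtracts it


def locked_accounts_filter(now, lockout_duration):
    """LDAP filter that returns only accounts whose lockout has not yet expired."""
    return "(&(sAMAccountType=%d)(lockoutTime>=%d))" % (
        SAM_USER_OBJECT, lockout_threshold(now, lockout_duration))


def currently_locked(accounts, now, lockout_duration):
    """accounts: {sAMAccountName: lockoutTime}. Returns the names whose lockout is still active."""
    threshold = lockout_threshold(now, lockout_duration)
    return sorted(name for name, lt in accounts.items() if lt >= threshold)


# Constructed sample data: a 30-minute lockout policy and three accounts.
NOW = datetime(2006, 12, 19, 17, 6, 0)
THIRTY_MINUTES = -30 * 60 * 10**7             # lockoutDuration as AD stores it (-18000000000)
SAMPLE_ACCOUNTS = {
    "servaccount": to_filetime(NOW - timedelta(minutes=10)),  # locked 10 min ago: still locked
    "jdoe": to_filetime(NOW - timedelta(hours=2)),            # lockout expired, nobody logged on since
    "asmith": 0,                                              # never locked
}

if __name__ == "__main__":
    print(decode_uac(66048))                                  # Ben's 512 + 65536, no LOCKOUT bit
    print(locked_accounts_filter(NOW, THIRTY_MINUTES))
    print(currently_locked(SAMPLE_ACCOUNTS, NOW, THIRTY_MINUTES))
```

A plain lockoutTime>=1 filter would also return jdoe, which is the false positive joe warns about; the threshold form is what keeps the result to accounts that are locked at the moment the query runs.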
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
messy situation. Anyone who thinks that ad hoc is the best way to run their technology stuff, well they are in for some challenges. Certainly it can be done properly, but it requires discipline. Unfortunately in many of the ad hoc just get it done do whatever it takes environments I have been in, discipline is not a common trait. It isn't a problem until cleanup or reporting/auditing becomes an issue or things are just such a trainwreck that the system isn't performant.

As an example of that trainwreck: one company I was in had a very strict policy about how security was to be applied to project shares... One day (actually I can say I had this story times about 100 for that one company) the folks in a Chicago plant are complaining because AD has been getting slower and slower over the months and now it is unbearably slow. Of course I knew more about how well AD was running than the person complaining because it was my job to know and very few folks knew we were monitoring things very closely because most of them didn't themselves but as many of you know, the AD admins are usually the admins that have to figure out everyone else's issues or the issues don't get figured out and people just whine. I dug into it and sure enough, the very well published and documented standards weren't being followed at all and they had literally hundreds of unresolvable SIDs on the root folder of the file share and once you dived down into the subfolders you found thousands of unresolvable SIDs which of course propagated to hundreds of folders and tens of thousands of files. Had they followed the standard there would have been maximum of about 5 fully resolvable SIDs on the top level folder and the direct subfolders would have had an additional 2-3 SIDs that almost certainly were always resolvable...

This obviously was impacting the speed at which the ACLs could be displayed when someone needed to look but it also impacted the access to the objects because Windows was forced to wade through all of that garbage to verify access when anyone did anything with the folders or files.

Could something be written third party or via scripts to clean these kinds of things up, yes. If you intend to do so make sure the utility has belt, suspenders, super glue, rubber bands and anything else you can think of to doublecheck and validate and verify before changing anything because it could be a nightmare for someone. Also it should be able to completely undo what it did quite quickly because again, lots of security problems could come up. Both in lack of access and for those folks who were silly with Deny ACEs people getting access that they shouldn't.

The main thing is that the only folks who need SIDs to be resolvable to names are people, Windows doesn't resolve a SID to a name to figure out if someone has access to something, SIDs are compared, not names.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Thursday, January 04, 2007 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

But still the actual discussion is pending. If someone has a single folder which is mapped to a single user, how can we use groups in that case? Suppose tomorrow this user leaves the organization and his account gets deleted; the SID will come onto the permission of that folder. If I am not wrong the actual discussion was why the SID is coming after deleting an account. Why is it not getting deleted automatically?

Dhiraj Haritwal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 04, 2007 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals, systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat
RE: [ActiveDir] ADFind help
Yep that will do it. It can be further refined. :)

I put in a special shortcut for this specific case

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses

If you just want the SMTP addresses, I.E. you don't care about X400 addresses which is most people, you can do the following:

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses:smtp

Which will only display SMTP addresses from proxyAddresses. The filter below will only return objects with SMTP addresses but it will still display any other types of addresses in the proxyaddresses attribute such as X400, SIP, X500, SNADS, etc.

For the curious that expands out to the following switches/args:

Selected Switches
-b ou=myou,dc=mydomain,dc=com
-f (&(mailnickname=*)(proxyaddresses=smtp*))
-gc
-mvfilter proxyaddresses=smtp

Selected Attributes
proxyAddresses

I am planning on releasing a new version of AdFind (V01.35.00) in the next day or three (may even upload it tonight still if I don't run out of gas). It has a couple bug fixes around the ACL output and some additional ACL options.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 05, 2007 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses. Just do * for stuff like x400 also.

Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, January 05, 2007 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind help

Hello, colleagues,

I'm sorry to have to ask this, but I can't figure out how to get this information for a particular client. She wants a list of all the primary email addresses and their secondary email addresses (aliases) for a particular OU in Active Directory. This OU is named FND, and it is at the top of mydomain.mydepartment.local. It has sub-OU's as well. I figure ADFind will do the job, but I just am not familiar enough with the tool to get the information out. Can somebody help me?

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Filter out a certain group of users from the GAL
Excellent, good to hear.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, January 04, 2007 3:15 PM
To: ActiveDir@mail.activedir.org
Cc: 'joe'
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

Joe,

This worked, thanks. Just as you suggested I should do, I used (!(attr=val)) instead of (!attr=val) and pulled the memberOf check out to the top level along with mailnickname.

Cheers,
Victor

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 23, 2006 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

A couple of items to look at for all issues like this: Is the group a universal group[1]? Are the users direct members of the group or in the group via nesting?

Specifically here I would look at the filter in a cleaner format such as what adfind will give you with the -stats+ and -stats+only switches. Here is your query below against one of my test domains with the guests group specified.

(&
  (mailNickname=*)
  (|
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
      (!
        (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
      )
      (objectClass=user)
      (!
        (homeMDB=*)
      )
      (!
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=user)
      (|
        (homeMDB=*)
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=contact)
    )
    (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
  )
)

The filter is kind of messy. Under the OR (|) block you have 6 main components. The last four (easy ones)

3. Any Contacts
4. Any Dynamic DLs
5. Any Public Folders
6. Any groups

All of those tied with the initial mailnickname mean Exchange enabled versions of each.

Then the first one says give only user objects that aren't in the group specified and don't have homeMDB and msExchHomeServerName populated. This would be mail enabled users that are NOT in the group you are concerned about.

Then the second one says give all users with homeMDB or msExchHomeServerName populated. This would be all mailbox enabled users period.

If you want to set it so that if something is in that group, despite the object type, it won't be in the GAL you would want to pull the memberOf check out to the top level along with mailnickname. Maybe something like

(&
  (mailNickname=*)
  (!
    (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
  )
  (|
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
      (objectClass=user)
      (!
        (homeMDB=*)
      )
      (!
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=user)
      (|
        (homeMDB=*)
        (msExchHomeServerName=*)
      )
    )
    (&
      (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectClass=contact)
    )
    (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
    (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
  )
)

joe

[1] Not important if a single domain forest.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Wednesday, December 20, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

Thanks, this got me closer to the correct query. It sure saved me a lot of tries, trying to get the query right using (!attr=val), instead of using (!(attr=val)).

I however did not manage to get it working completely. Even with the (!(attr=val)) the query outputs exactly the same. The query below does perhaps look more complex than it in fact is. It is in fact the Default GAL from Exchange as it comes out of the box. I have been trying to filter out a certain group from appearing in this GAL.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed
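The two mistakes this thread turns on, writing (!attr=val) where the LDAP grammar requires (!(attr=val)), and putting the memberOf exclusion inside one branch of the OR instead of at the top level, are both easier to see when the filter is laid out the way adfind's -stats+ output does. The block below is an added example, not code from adfind or from the list: a small recursive-descent parser for the RFC 4515 filter syntax that rejects a bare "!" item with a message pointing at the fix, a pretty-printer that indents the tree one component per line, and a helper that counts the components directly under the outermost operator. The GAL_FILTER it parses is a shortened, constructed version of the default GAL filter discussed above (shorter objectCategory values, fewer branches); values containing an unescaped ")" are not handled.

```python
def parse_filter(text):
    """Parse an RFC 4515 LDAP filter into a tree:
    ('&', [children]) / ('|', [children]) / ('!', [child]) / ('=', 'attr=value')."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def skip_ws():
        nonlocal pos
        while peek().isspace():
            pos += 1

    def expect(ch):
        nonlocal pos
        skip_ws()
        if peek() != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def item():
        nonlocal pos
        expect("(")
        skip_ws()
        op = peek()
        if op in ("&", "|"):
            pos += 1
            children = []
            skip_ws()
            while peek() == "(":
                children.append(item())
                skip_ws()
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            skip_ws()
            if peek() != "(":
                raise ValueError("'!' must wrap a parenthesised filter at offset %d: "
                                 "write (!(attr=val)), not (!attr=val)" % pos)
            child = item()
            expect(")")
            return ("!", [child])
        # simple item: attr, comparison and value run up to the closing parenthesis
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError("malformed simple filter at offset %d" % pos)
        node = ("=", text[pos:end])
        pos = end + 1
        return node

    tree = item()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return tree


def check_filter(text):
    """None if the filter parses, otherwise the parser's error message."""
    try:
        parse_filter(text)
        return None
    except ValueError as err:
        return str(err)


def pretty(tree, indent=0):
    """Render the tree one component per line, in the style of adfind's -stats+ display."""
    op, body = tree
    pad = "  " * indent
    if op == "=":
        return pad + "(" + body + ")"
    return "\n".join([pad + "(" + op] + [pretty(c, indent + 1) for c in body] + [pad + ")"])


def count_top_level(tree):
    """Number of components directly under the outermost & or | (1 for anything else)."""
    return len(tree[1]) if tree[0] in ("&", "|") else 1


# Constructed, shortened GAL-style filter with the memberOf exclusion at the top level.
GAL_FILTER = (
    "(&(mailNickname=*)(!(memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com))"
    "(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*)))"
    "(objectCategory=group)))"
)
BAD_FILTER = "(&(mailNickname=*)(!memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com))"

if __name__ == "__main__":
    print(pretty(parse_filter(GAL_FILTER)))
    print(check_filter(BAD_FILTER))
```

Because the directory will happily accept a syntactically valid filter that does the wrong thing, a pretty-printed tree is the cheapest check that the exclusion sits at the level you intended before the filter goes into a GAL definition or a script.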
RE: [ActiveDir] ADFind help
Oh you mean like the -rb switch aka relative base... That went in for V01.19.00 back in August 2004.

adfind -default -rb ou=myou blah blah blah blah

It is great, especially for making generic scripts. This is from adfind /??

-null                  Use null base.
-root                  Determine and use root partition for BaseDN.
-config                Determine and use configuration partition for BaseDN.
-schema                Determine and use schema partition for BaseDN.
-default               Determine and use default partition for BaseDN.
-rb xx                 Relative Base, use with special BaseDN's above.

So you could specify -default and -rb cn=users.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 06, 2007 1:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Do you have such a feature that combines ou=myou with whatever searchroot -default resolves? It occurred to me today that that would save a lot of typing.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 06, 2007 12:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Yep that will do it. It can be further refined. :)

I put in a special shortcut for this specific case

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses

If you just want the SMTP addresses, I.E. you don't care about X400 addresses which is most people, you can do the following:

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses:smtp

Which will only display SMTP addresses from proxyAddresses. The filter below will only return objects with SMTP addresses but it will still display any other types of addresses in the proxyaddresses attribute such as X400, SIP, X500, SNADS, etc.

For the curious that expands out to the following switches/args:

Selected Switches
-b ou=myou,dc=mydomain,dc=com
-f (&(mailnickname=*)(proxyaddresses=smtp*))
-gc
-mvfilter proxyaddresses=smtp

Selected Attributes
proxyAddresses

I am planning on releasing a new version of AdFind (V01.35.00) in the next day or three (may even upload it tonight still if I don't run out of gas). It has a couple bug fixes around the ACL output and some additional ACL options.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 05, 2007 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses. Just do * for stuff like x400 also.

Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, January 05, 2007 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind help

Hello, colleagues,

I'm sorry to have to ask this, but I can't figure out how to get this information for a particular client. She wants a list of all the primary email addresses and their secondary email addresses (aliases) for a particular OU in Active Directory. This OU is named FND, and it is at the top of mydomain.mydepartment.local. It has sub-OU's as well. I figure ADFind will do the job, but I just am not familiar enough with the tool to get the information out. Can somebody help me?

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist, which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals: systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs:

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits, let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes), that leaves polling, and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting.
It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee, they aren't necessarily miracle workers. Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have, and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all-inclusive security tracking tools; it is a big big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups, because the scope of use is huge. Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying. You say that it is normal that the SID still remains in file directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically on all existing ACLs set on file server.
I'm a bit surprised that the system (AD-file server) leaves this dirty SID and that there is no synchronisation that updates the link between the AD object and the ACE. What is the reason? Could this behavior be altered? I'd like the SID to disappear after deletion of the corresponding group in AD in order to not have these dirty SIDs... Thanks.

Yann

Akomolafe, Deji [EMAIL PROTECTED] wrote:

It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow
Re: [ActiveDir] DirectoryServices vb.net is broken.
It doesn't do the change tracking, except with some special case stuff in terms of how the new security descriptor stuff works. However, ADSI itself might track that for you. Basically, CommitChanges calls SetInfo, so if the underlying IADs is clever enough to not send an LDAP request if there are no mods, then the result is likely no network traffic. Try it with ethereal and see. :)

If I were to guess, my guess would be that if there are no modification operations queued up in the property cache, then no LDAP modification operations would be sent. It is an interesting question and one that I never really thought much about before, so don't be disappointed when you don't find it discussed in ch 3 or 6. :)

Joe K.

- Original Message -
From: AD [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 02, 2007 10:30 AM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.

Thanks for the explanation Joe. I am currently on chapter three of your book. Can't read it fast enough. Do you know if 'deUser.commitchanges' is smart enough not to send an update request to AD if the collection is not dirty?

Thanks
Y
Re: [ActiveDir] Cross-Forest Kerberos Delegation
That is what I was thinking of. I couldn't find where I read that and went from memory. Thanks for the clarification.

Joe K.

- Original Message -
From: steve patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 6:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

Hi Ken

Based on your mail you seem to have the following setup:

F1                 F2
|                  |
M1--- ISA--- IIS---AppServer
UserA

UserA logs on to M1 and hits the IIS Server which needs to access AppServer with a proper token for UserA.

In this scenario - constrained delegation will work ok.

Perhaps Joe was thinking of the docs which state you have to have the IIS Server and the AppServer in the same forest and domain?

steve
Re: [ActiveDir] DirectoryServices vb.net is broken.
They aren't equivalent. Try using the .Value property instead:

user.Properties("description").Value =

Description is a funny property in AD in that the schema says that it allows multiple values, but the DS itself will only allow it to contain a single value for backward compatibility with previous DS APIs. That might be part of the problem here. In any event, it is generally always good practice to use the .Value property to set a single value. There is more info on this in ch 6 of our book (www.directoryprogramming.net).

Joe K.

- Original Message -
From: AD [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 10:13 AM
Subject: [ActiveDir] DirectoryServices vb.net is broken.

I have a user with no description attribute. Anyone know why this works?

User.Invoke("Put", New Object() {"description", txtBxNewDescription.Text})
User.CommitChanges()

but this doesn't

User.Properties("description").Add(txtBxNewDescription.Text)
User.CommitChanges()

I get the following error message.

ComError {A constraint violation occurred. (Exception from HRESULT: 0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException

Thanks
Yves St-Cyr
Re: [ActiveDir] DirectoryServices vb.net is broken.
I'm saying that those two are not equivalent functions under the hood. Add typically does a PutEx with the append flag, while Put just does a put, which is essentially an LDAP update operation. I think you would have the same problem if you invoked PutEx and used the Append flag. .Value uses PutEx, but with the ADSI replace flag, which boils down to an LDAP update operation. Aren't all of the layers fun? :)

You can dig into the details a little more by using Reflector to reverse compile System.DirectoryServices into your language of choice. That is how Ryan and I learned most of what we know. Figuring out how ADSI calls LDAP is pretty hard unless you have access to the Microsoft source code.

Sorry if the example in 3.13 was at all misleading or inconsistent, but I'll stand by the more detailed stuff on attribute modification in Ch 6. Thanks for buying it and I hope it helps more than hurts. There is an inevitable amount of hair loss that must occur with any new LDAP programming project, but hopefully it won't require prescription drugs or surgery to replace.

Joe K.

- Original Message -
From: AD [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 12:06 PM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.

It worked. Thanks a million. Hopefully my hair won't take too long to grow back. I bought your book last week from amazon. I'm currently reading chapter 3. Actually took your example code. See 3.13.vb. Isn't that funny? I thought DirectoryServices was a wrapper to ADSI? Why do you say they are not equivalent?

Y
RE: [ActiveDir] DirectoryServices vb.net is broken.
That is a problem only on SAM based objects (groups, users, computers). Anything that isn't SAM based can have multiple values. :) That makes it even more fun.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, December 28, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DirectoryServices vb.net is broken.
Re: [ActiveDir] DirectoryServices vb.net is broken.
I'm not sure if it is a bug or not. Generally, I always use .Value to set a value and only use Add if I'm explicitly trying to add an additional value to a multi-valued attribute that already has values. Same basic approach for Remove. That helps keep me out of trouble. :)

It is interesting, because there have been MANY problems with the various techniques used to modify the property cache in S.DS over the years. I think the current design is the least problematic. The issue really stems from the way S.DS tries to represent the property cache as a stateful collection of collections on the DirectoryEntry, but ADSI does this in a non-stateful way using Put and PutEx to modify. The other issue has to do with the fact that each ADSI provider does stuff slightly differently under the hood when it talks to the actual API doing the work (LDAP for LDAP, Net* for WinNT, ABO for IIS provider, etc.).

The alternative is to just switch over to using System.DirectoryServices.Protocols. That basically talks directly to LDAP via wldap32.dll (like the www.joeware.net tools do, but going through .NET first). However, you tend to have to write more code to do the same thing and learn a lot more about LDAP than you might want to, so it is a two-edged sword. The most difficult things are learning how to use the advanced LDAP controls to do things like paged searches and security descriptor read/modify operations. ADSI tries to make that stuff easy for you.

Note also that there is nothing really new and exciting in DS programming in .NET 3.0. The next wave of stuff for DS will be in the next .NET rev that ships with the next Visual Studio. .NET 3.0 is actually the .NET 2.0 runtime with additional assemblies that support WCF, WPF, WWF and CardSpace. Many of the assemblies are unchanged and actually run straight from the .NET 2.0 install directory. The good news is that our book is not out of date for at least another year. :)

The next version is supposed to have strongly typed support for users and groups, kind of like S.DS.ActiveDirectory adds strongly typed support for concepts like Forests, Domains, Trusts, Schema, Replication etc. There are a few minor tweaks to ADSI in Windows Vista (remember that ADSI comes with Windows, so it is on a different release cycle than S.DS, which comes with .NET and usually cycles with Visual Studio but sometimes cycles with Windows). However, these are pretty low key.

Joe K.

- Original Message -
From: AD [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 1:40 PM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.

One last comment Joe,

Do you think that is a bug with DSS? That now means depending on the attribute, you have to use a different method? Kinda makes it complicated don't you think? Now I have to hard code attribute names in my program. if attribute=description do this else do it this way. That sucks Microsoft.

Y

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Thu 28/12/2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DirectoryServices vb.net is broken.
RE: [ActiveDir] Automatic user disable based on criteria
I didn't read the whole chain of responses, I was just skimming and saw these questions

Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take a peek at originating date/time for attributes.

Yes it can show you the metadata from AD (assuming K3+) and that metadata does indeed contain originating write info.

Now that I have read it...

To solve the specific issue that I read, find enabled users who haven't changed their passwords and logged in the period defined, you can use the metadata to help with that decision. Obviously having DFL2 would help as well. Neither in and of themselves I think would be authoritative on their own except in specific cases. The problem with DFL2 and lastLogonTimeStamp is that not everything sets that value. Try a simple LDAP bind sometime, it doesn't update lastLogon so it in turn doesn't update lastLogonTimeStamp. It will, however, update it if a bad auth attempt occurred prior. I never bugged that as I assume it is by design as it is very specific and it helps cut the overhead of the auth attempts which the simple bind is supposed to be helping with. That way apps that do a ton of simple binds don't cause a ton of writes to a DC.

So how would this be done? Well obviously you can't query the metadata, it is constructed. So you need a query to give you an initial roundabout set to work with that you can test further. I would do something like

(&(samaccounttype=805306368)(pwdlastset=0)(whencreated=7 days))

(&(samaccounttype=805306368)(pwdlastset=0)(whencreated=[date 7 days ago])(!(useraccountcontrol:AND:2)))

Obviously that last field would need to be generated at the time of the query being run.

So now you have a list of possibles... You could give up here and reasonably assume that everything is fine and take on the resulting help desk calls. I wouldn't have much if any issue with this method unless it had already been proven there was too much collateral damage. I would have to decide whether I wanted to be more concerned about the method or the fact that new people need to be reset again so soon, which likely indicates a process issue or overly aggressive password policy or underly aggressive hiring policy.

So you decide you need to be more fine tuned... So you look at metadata. Right off, if the unicodePwd version is 1 then the password has never been changed and that is as authoritative as it is going to get. You definitely know this person has NEVER changed that password. However, the obverse is not true, you cannot assume that if the version is higher than 1 that the password HAS been changed. The password versioning can vary based on the creation method. Here is the metadata from two accounts created in three different ways:

[Sun 12/24/2006 11:42:20.45] G:\repadmin /showmeta CN=al-testuser0,CN=Users,DC=test,DC=loc r2dc1
31 entries.
Loc.USN  Originating DC                 Org.USN  Org.Time/Date        Ver  Attribute
=======  =============================  =======  ===================  ===  =========
 441322  Default-First-Site-Name\R2DC2   406847  2006-12-24 10:53:00    1  objectClass
 441322  Default-First-Site-Name\R2DC1   441322  2006-12-24 10:53:01    1  cn
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  description
 441322  Default-First-Site-Name\R2DC2   406847  2006-12-24 10:53:00    1  instanceType
 441322  Default-First-Site-Name\R2DC2   406847  2006-12-24 10:53:00    1  whenCreated
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    2  displayName
 441322  Default-First-Site-Name\R2DC2   406847  2006-12-24 10:53:00    1  nTSecurityDescriptor
 441322  Default-First-Site-Name\R2DC2   406847  2006-12-24 10:53:00    1  name
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    3  userAccountControl
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  codePage
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  countryCode
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  homeDirectory
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  homeDrive
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    2  dBCSPwd
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  scriptPath
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  logonHours
 441322  Default-First-Site-Name\R2DC2   406848  2006-12-24 10:53:00    1  userWorkstations
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    2  unicodePwd
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    2  ntPwdHistory
 441322  Default-First-Site-Name\R2DC2   406849  2006-12-24 10:53:00    2  pwdLastSet
 441322  Default-First
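The decision rule joe describes (unicodePwd at version 1 is authoritative for "never changed"; any higher version is inconclusive because the creation path alone can bump it) is easy to apply mechanically once the metadata is parsed. The block below is an added example and not code from the thread or from joe's tools: it parses the tabular layout of repadmin /showmeta into rows and applies that rule. The sample output is constructed from the column layout shown in the post (the row spacing is not repadmin's exact spacing), and the function names parse_showmeta, password_change_status and originating_write are this example's own.

```python
# Added example, not code from the thread: parse the tabular output of
# `repadmin /showmeta` and apply joe's rule for the unicodePwd version.
# SAMPLE_SHOWMETA is constructed from the column layout shown in the post;
# the spacing is not repadmin's exact spacing, so the row regex is
# whitespace-tolerant rather than column-position based.
import re

SAMPLE_SHOWMETA = """\
31 entries.
Loc.USN  Originating DC                 Org.USN  Org.Time/Date        Ver  Attribute
=======  =============================  =======  ===================  ===  =========
 441322  Default-First-Site-Name\\R2DC2   406847  2006-12-24 10:53:00    1  objectClass
 441322  Default-First-Site-Name\\R2DC1   441322  2006-12-24 10:53:01    1  cn
 441322  Default-First-Site-Name\\R2DC2   406849  2006-12-24 10:53:00    3  userAccountControl
 441322  Default-First-Site-Name\\R2DC2   406849  2006-12-24 10:53:00    2  unicodePwd
 441322  Default-First-Site-Name\\R2DC2   406849  2006-12-24 10:53:00    2  pwdLastSet
"""

# Loc.USN, Originating DC, Org.USN, Org.Time/Date, Ver, Attribute
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$"
)


def parse_showmeta(text):
    """Map lowercase attribute name -> metadata row. The 'N entries.' line,
    the header and the separator line do not match the row pattern and are skipped."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            loc, dc, org, when, ver, attr = m.groups()
            rows[attr.lower()] = {
                "attribute": attr,
                "local_usn": int(loc),
                "originating_dc": dc,
                "originating_usn": int(org),
                "originating_time": when,
                "version": int(ver),
            }
    return rows


def password_change_status(meta):
    """joe's rule: version 1 on unicodePwd means the password was never changed,
    which is authoritative. A higher version proves nothing by itself, since the
    creation method can already leave it at 2 or more (as in the sample above)."""
    pwd = meta.get("unicodepwd")
    if pwd is None:
        return "no unicodePwd metadata"
    return "never changed" if pwd["version"] == 1 else "inconclusive"


def originating_write(meta, attribute):
    """(originating DC, originating time) of the last originating write to an attribute,
    the 'originating write info' joe mentions adfind can also show."""
    row = meta[attribute.lower()]
    return row["originating_dc"], row["originating_time"]


if __name__ == "__main__":
    meta = parse_showmeta(SAMPLE_SHOWMETA)
    print(len(meta), "attributes parsed")
    print("unicodePwd:", password_change_status(meta))
    print("pwdLastSet originated on", *originating_write(meta, "pwdLastSet"))
```

Because the sample account was created with unicodePwd already at version 2, the status comes back inconclusive; only a version of 1 would let a cleanup script treat "never changed" as a fact rather than a guess.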
Re: [ActiveDir] Mapping Groups within AD
I'm of the opinion that Ryan and I have written a very good book on LDAP programming in .NET. You can find more info here, including free code samples and a free sample chapter in PDF, at www.directoryprogramming.net. Ryan wrote a bunch of pretty useful stuff for expanding group membership in ch 11 and has followed up with a few additions on his blog showing other techniques.

I can't help with the Visio stuff, but if you can find some samples that show how to plug data into the model to produce diagrams, it shouldn't be too hard to put it all together.

Best of luck,

Joe K.

- Original Message -
From: Cothern, Jeffrey D Mr CTR USSOCOM HQ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, December 23, 2006 12:12 PM
Subject: [ActiveDir] Mapping Groups within AD

Does anyone know a good location to find Visual Studio coders that have worked with both AD and Visio? I found some resources at Microsoft: Generating Active Directory Diagrams with Visio 2003 and Visual Studio .NET 2003, http://msdn2.microsoft.com/en-us/library/aa662190(office.11).aspx

The problem being they show you how to search for users in a certain OU that match a job title and department. Doesn't quite get what I want. I need to create a nice Visio drawing that shows the respective groups and groups that group is a member of and any groups that are a member of that group. I would really hate to do the 400 or so groups by hand, specially when it needs updating down the road because of changes. i.e.

DL-FinanceCompany ALL
|
GL-Finance
|
GL-Finance Managers

I have looked at NetDOC AD http://www.dataassist.de/en/index.php?id=84 and while it might do some of it, it doesn't recursively look up the line to see what the groups might be members of.
RE: [ActiveDir] Delegate Password Resets
I understand. For a long time I was very go native delegation but as I saw more and more folks doing it, usually poorly, and then trying to figure out who was doing what and how they were doing it, and a long chat with Stuart about the possibility of business rules and triggers in AD and getting back the answer of no you won't see it, that is what you should be using MIIS for, then I started moving away from the native delegation camp. It is still nice that it can be done and there are times where it is fine and you don't need anything else, but there are times when you just don't want that investment in trying to train those low level admins or offshore resources, so giving them a nice simple web page with a big EASY button makes more sense.

As for specifics, unlocks need to get to the DC the user hits but password must be changed shouldn't be a problem. That is one of the things I fought for and got fixed in 2K SP4 / K3 Gold with the Replicate Single Object capability they put together for that issue. Even for unlocks I would rather just have a script that cleans it up on all DCs it can reach simultaneously than have an admin who may or may not truly understand how things work well enough to pick DCs, even with tools that can help and give the likely suspect DC. In larger environments, as you are used to, it isn't uncommon for a user to be tying into all sorts of different resources so the DC that handles interactive auth isn't the only one that could cause impact due to an account not getting unlocked.

IMO, provisioning is definitely where it is at; unfortunately for many companies, it seems that is about 3 large steps away from anything they are at. You start to ask about common points to retrieve info from and workflow processes and they start chuckling at you. That is where the proxy tools really start coming in useful. My personal favorite layout though would be full provisioning / work flow setup and a password kiosk. It can be a good amount of work to get there though.

There is also the idea of easily tracking the resets alone... If someone is regularly needing their password reset, that is a good candidate for training. Getting a report of all password resets with anyone over X resets in a given year being highlighted could be a useful item. Easy to create such a report if you have a system that proxies all of the resets. Also you don't have to worry about the guy taking scripting 101 who accidentally changes everyone's password he has delegated access to... Yeah... that is for real, saw it take out about 100k users for a day or so while it got fixed back in about 97/98.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, December 22, 2006 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add a business logic. These actions are often combined these days with provisioning tools. But for resetting passwords in a strongly distributed environment, where you may want to delegate PW mgmt to specific branches in your company, I prefer to use the native AD rights and have the change happen on a DC close to the user. Specifically for lockout and user-must-change-pw actions, since these are not handled/replicated the same way as pw-resets.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 22 December 2006 18:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681 cell
917.455.0110 [EMAIL PROTECTED]
RE: [ActiveDir] Filter out a certain group of users from the GAL
A couple of items to look at for all issues like this: Is the group a universal group[1]? Are the users direct members of the group or in the group via nesting?

Specifically here I would look at the filter in a cleaner format such as what adfind will give you with the -stats+ and -stats+only switches. Here is your query below against one of my test domains with the guests group specified.

(& (mailNickname=*)
   (| (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
         (! (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com) )
         (objectClass=user)
         (! (homeMDB=*) )
         (! (msExchHomeServerName=*) ) )
      (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
         (objectClass=user)
         (| (homeMDB=*) (msExchHomeServerName=*) ) )
      (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
         (objectClass=contact) )
      (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com) ) )

The filter is kind of messy. Under the OR (|) block you have 6 main components. The last four (easy ones):

3. Any Contacts
4. Any Dynamic DLs
5. Any Public Folders
6. Any groups

All of those tied with the initial mailnickname mean Exchange enabled versions of each.

Then the first one says give only user objects that aren't in the group specified and don't have homeMDB and msExchHomeServerName populated. This would be mail enabled users that are NOT in the group you are concerned about.

Then the second one says give all users with homeMDB or msExchHomeServerName populated. This would be all mailbox enabled users, period.

If you want to set it so that if something is in that group, despite the object type, it won't be in the GAL, you would want to pull the memberOf check out to the top level along with mailnickname. Maybe something like:

(& (mailNickname=*)
   (! (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com) )
   (| (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
         (objectClass=user)
         (! (homeMDB=*) )
         (! (msExchHomeServerName=*) ) )
      (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
         (objectClass=user)
         (| (homeMDB=*) (msExchHomeServerName=*) ) )
      (& (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
         (objectClass=contact) )
      (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
      (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com) ) )

joe

[1] Not important if a single domain forest.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Wednesday, December 20, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

Thanks, this got me closer to the correct query. It sure saved me a lot of tries, trying to get the query right using (!attr=val) instead of using (!(attr=val)). I however did not manage to get it working completely. Even with the (!(attr=val)) the query outputs exactly the same. The query below does perhaps look more complex than it in fact is. It is in fact the Default GAL from Exchange as it comes out of the box. I have been trying to filter out a certain group from appearing in this GAL.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece... When making AL filters, Exchange is picky and if you put in a ! you need to use the long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter; Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will show you one result and what you really get could be something completely different. I once got a crap answer from an Alliance Exchange PSS that someone made up about the RFC standards etc but that reason was, as I said, crap. It is just something you have to be aware of when working with those filters.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED
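A small strict LDAP filter parser and evaluator, added here as an example (not code from the thread, from AdFind or from Exchange), run over a few constructed directory records. It shows the two points made above: the memberOf exclusion placed inside the mail-enabled-user AND branch still admits mailbox-enabled members of the group, while moving it to the top-level AND next to mailnickname removes them; and a parser that follows the RFC 4515 grammar accepts (!(attr=val)) but rejects the (!attr=val) shorthand. The group DN is Victor's; the user and group records are constructed.

```python
"""Added example: strict RFC 4515-style filter parser/evaluator over constructed
records. Not code from the thread, AdFind or Exchange."""

GROUP = "CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl"   # Victor's group DN

# Exchange default GAL filter as quoted in the thread.
GAL_DEFAULT = (
    "(&(mailnickname=*)"
    "(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))"
    "(objectCategory=group)(objectCategory=publicFolder)"
    "(objectCategory=msExchDynamicDistributionList)))"
)
# First attempt from the thread: the exclusion sits inside the first AND branch only.
FIRST_ATTEMPT = GAL_DEFAULT.replace(
    "(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))",
    "(&(objectCategory=person)(!(memberOf=%s))(objectClass=user)(!(homeMDB=*))" % GROUP, 1)
# joe's suggestion: the exclusion moves to the top level, next to mailnickname.
FIXED = "(&(mailnickname=*)(!(memberOf=%s))" % GROUP + GAL_DEFAULT[len("(&(mailnickname=*)"):]


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s, i):
    """Parse one parenthesised filter starting at offset i; return (node, next offset)."""
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i = _skip_ws(s, i + 1)
    op = s[i]
    if op in "&|":
        kids, i = [], i + 1
        while True:
            i = _skip_ws(s, i)
            if i < len(s) and s[i] == ")":
                return (op, kids), i + 1
            kid, i = _parse(s, i)
            kids.append(kid)
    if op == "!":
        # RFC 4515: the operand of NOT is itself a parenthesised filter, so
        # "(!attr=val)" fails here while "(!(attr=val))" is accepted.
        kid, i = _parse(s, i + 1)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' after NOT operand at offset %d" % i)
        return ("!", [kid]), i + 1
    j = s.find(")", i)                       # simple item: attr=value
    if j < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, eq, value = s[i:j].partition("=")  # first '=' only; DN values keep theirs
    if not eq:
        raise ValueError("item without '=' at offset %d" % i)
    return ("=", attr.strip().lower(), value.strip()), j + 1


def parse(text):
    node, end = _parse(text, 0)
    if _skip_ws(text, end) != len(text):
        raise ValueError("trailing characters after filter")
    return node


def is_strict_valid(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False


def matches(node, rec):
    """Evaluate a parsed filter against one record (lower-cased attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, rec) for k in node[1])
    if kind == "|":
        return any(matches(k, rec) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], rec)
    _, attr, value = node
    present = rec.get(attr, [])
    if value == "*":
        return bool(present)
    return any(v.lower() == value.lower() for v in present)


def _user(nick, mailbox, in_group):
    """Constructed user record; objectCategory in the short form the GAL filter uses."""
    rec = {"mailnickname": [nick], "objectcategory": ["person"],
           "objectclass": ["top", "person", "organizationalPerson", "user"]}
    if mailbox:
        rec["homemdb"] = ["CN=Mailbox Store (SRV1),DC=example,DC=com"]   # constructed
    else:
        rec["targetaddress"] = ["SMTP:%s@external.example" % nick]       # mail-enabled only
    if in_group:
        rec["memberof"] = [GROUP]
    return rec


DIRECTORY = {
    "alice": _user("alice", mailbox=True, in_group=True),   # mailbox-enabled member
    "bob": _user("bob", mailbox=False, in_group=True),      # mail-enabled member
    "carol": _user("carol", mailbox=True, in_group=False),
    "sales-dl": {"mailnickname": ["sales"], "objectcategory": ["group"],
                 "objectclass": ["top", "group"]},
}


def gal_members(filter_text, directory=DIRECTORY):
    """Sorted names of the records an address-list filter would admit."""
    ast = parse(filter_text)
    return sorted(n for n, rec in directory.items() if matches(ast, rec))


if __name__ == "__main__":
    for label, flt in (("default", GAL_DEFAULT), ("first attempt", FIRST_ATTEMPT), ("fixed", FIXED)):
        print("%-14s %s" % (label, ", ".join(gal_members(flt))))
    print("strict parser accepts (!attr=val):", is_strict_valid("(!memberOf=%s)" % GROUP))
```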
RE: [ActiveDir] Built in Security groups
Yep the reference is Error Code 0x55B (1371) in winerror.h:

ERROR_SPECIAL_ACCOUNT # Cannot perform this operation on built-in accounts.

An alternate reference is isCriticalSystemObject: TRUE

Send back up to the above that they should be setting overall generic security policies and the technical people should be figuring out how to interpret them. Telling you to delete certain groups is deeper into the details than they likely should be based on this requirement. Course my response probably would have been a chuckle or two and "Yeah I'll get right on that" ;o)

The basic concept is silly. Correct me if I am wrong but I am guessing you have delegated the same rights to other groups so they feel that leaving the original groups is a security issue? Obviously this is silly on the surface and actually at any level. Any group that has the same rights represents the same security risk. I wouldn't even bother taking the schema admins group and delegating those rights to some other group I made, I don't see the point and I could visualize tools that will actually break if you did that because they may look at the token or directory to verify someone is a member of that group directly to continue on.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the Built in Security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
RE: [ActiveDir] Automatic user disable based on criteria
Yes actually adfind can show you metadata... Look at the attributes

msDS-ReplAttributeMetaData
msDS-ReplValueMetaData

I actually have a DCR for AdFind (submitted by me which means it for sure will get done) that will display that info in a better way than that XML format they use. When it does, it will also use the binary format of the attribute so it won't be so slow nor require as much network bandwidth.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, December 18, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatic user disable based on criteria

Hi All,

DFL FFL : Win2k-Native
DCs : Win2k3-SP1

User accounts are automatically provisioned as enabled with Change Password at Next logon. And management wants to disable new accounts which have not logged into the domain within 7 days of creation. And they want it to happen automatically.

I have a problem at hand as I can't use LastLogonTimeStamp as the DFL doesn't support it. I can't connect to each DC and search for lastLogon as the number of DCs is too large, and I can't go by whenChanged, as that is a generic attribute which could get changed for any other attribute also. Would any other attribute help me?

Currently the LDAP filter checks for accounts created on a specific day (say current day - 7) and whose Change Password at next logon is still ticked, i.e. pwdLastSet=0.

But this doesn't take care of the scenario where users were created on that same day (current - 7) and logged into the network, changed their password, but around the time of running the script had forgotten the password and helpdesk had reset their password and set Change Password at next logon.

I hope I am not confusing you all. :-)

I know the simple solution would be to change the criteria to say 15 days, raise DFL and use LLTS, but I am taking this as a scripting challenge at Win2k-native DFL.

Hey joe, is there a way to see replication metadata using adfind? ;-) If yes, I could take a peek at originating date/time for attributes.

-- Kamlesh
~ You teach best what you most need to learn. ~
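As an added illustration of joe's pointer (not code from the thread or from AdFind): read the per-attribute replication metadata that AD exposes in msDS-ReplAttributeMetaData, one DS_REPL_ATTR_META_DATA XML fragment per attribute, and use the originating-change time of pwdLastSet to tell a never-used account from one the helpdesk reset after a logon, which is the case Kamlesh's pwdLastSet=0 filter cannot separate. The account records, timestamps, invocation ID and the one-hour grace window are constructed assumptions; a helpdesk reset of an account that was never used would also move the timestamp, which is why such accounts are flagged for review rather than disabled.

```python
"""Added example: stale-account decision driven by pwdLastSet replication
metadata. Records and timestamps below are constructed, not from the thread."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET


def parse_attr_metadata(values):
    """Map attribute name -> (dwVersion, ftimeLastOriginatingChange as datetime).

    Each value of msDS-ReplAttributeMetaData is one DS_REPL_ATTR_META_DATA XML
    fragment; the originating-change time is UTC like 2006-12-11T08:00:00Z."""
    meta = {}
    for fragment in values:
        node = ET.fromstring(fragment)
        name = node.findtext("pszAttributeName")
        version = int(node.findtext("dwVersion"))
        changed = datetime.strptime(node.findtext("ftimeLastOriginatingChange"),
                                    "%Y-%m-%dT%H:%M:%SZ")
        meta[name] = (version, changed)
    return meta


def classify(account, now, max_age=timedelta(days=7), grace=timedelta(hours=1)):
    """Return 'keep', 'disable' or 'review' for one provisioned account.

    grace is an assumption: a write to pwdLastSet within an hour of whenCreated
    is treated as part of provisioning; any later originating write means the
    account was touched (by the user or the helpdesk) and gets a human look."""
    created = account["whenCreated"]
    if now - created < max_age:
        return "keep"                 # still inside the 7-day window
    if account["pwdLastSet"] != 0:
        return "keep"                 # password was set: the user logged on
    meta = parse_attr_metadata(account["msDS-ReplAttributeMetaData"])
    version, changed = meta["pwdLastSet"]
    if changed - created <= grace:
        return "disable"              # pwdLastSet untouched since provisioning
    return "review"                   # reset later; do not auto-disable


def sweep(accounts, now):
    return {name: classify(acct, now) for name, acct in accounts.items()}


def _fragment(attr, version, changed, usn):
    """Constructed DS_REPL_ATTR_META_DATA value in the shape AD returns."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        "<pszAttributeName>%s</pszAttributeName><dwVersion>%d</dwVersion>"
        "<ftimeLastOriginatingChange>%s</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>2c1d5b6e-0000-4000-8000-000000000001"
        "</uuidLastOriginatingDsaInvocationID>"
        "<usnOriginatingChange>%d</usnOriginatingChange><usnLocalChange>%d</usnLocalChange>"
        "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,"
        "CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>"
    ) % (attr, version, changed.strftime("%Y-%m-%dT%H:%M:%SZ"), usn, usn)


NOW = datetime(2006, 12, 18, 12, 0, 0)
CREATED = datetime(2006, 12, 11, 8, 0, 0)          # a little over 7 days ago


def _account(created, pwd_last_set, meta_version, meta_changed):
    return {"whenCreated": created, "pwdLastSet": pwd_last_set,
            "msDS-ReplAttributeMetaData": [
                _fragment("whenCreated", 1, created, 1000),
                _fragment("pwdLastSet", meta_version, meta_changed, 1000 + meta_version)]}


ACCOUNTS = {
    # never logged on: pwdLastSet still carries the value written at creation
    "never-used": _account(CREATED, 0, 1, CREATED),
    # logged on and changed password, then helpdesk reset it with "must change"
    "reset-after-logon": _account(CREATED, 0, 3, datetime(2006, 12, 15, 9, 30, 0)),
    # logged on and changed password; non-zero FILETIME value (constructed)
    "active": _account(CREATED, 128105820000000000, 2, datetime(2006, 12, 12, 8, 5, 0)),
    # created two days ago; not yet eligible
    "brand-new": _account(datetime(2006, 12, 16, 10, 0, 0), 0, 1,
                          datetime(2006, 12, 16, 10, 0, 0)),
}

if __name__ == "__main__":
    for name, verdict in sweep(ACCOUNTS, NOW).items():
        print("%-18s %s" % (name, verdict))
```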
RE: [ActiveDir] Schema Extension Question
You won't need anything other than a normal userid unless you have put weird ACEs in place to hide user objects, and then you just need to have the normal userid in the right group and that right group shouldn't have to be Administrative level.

Note though that no group membership is going to give you rights to see passwords. You can get all of the userids you want but if the app needs to pull the password or a password hash you are SOL.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, December 19, 2006 8:41 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Schema Extension Question

Guys (and Gals)

I am far from an LDAP expert and we have not modified our Windows 2003 FFL Schema at all. I don't even have SP1 running as I am just still a little gunshy about it. But now me and my network engineer are under heavy pressure to move our POP3 email clients to a Server Centric Web based model that will allow internet access to email. So my network engineer and *nix expert is testing a *nix based program to do that. We are having trouble with it connecting to AD to authenticate Users because it is popping errors that state it can't find the Schema extensions. He is chasing that and I'm not really happy about modifying the schema, if indeed we end up having to do that, but here is my question. Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD.

Thanks in advance.

RH

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Delegate Password Resets
That is precisely why that group existed in NT4. Now it is a holdover for the migration periods when you have NT4 and AD deployed. Honestly I wish the group would vanish the instant you clicked native mode.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group, Account Operators. This is precisely why I think that group exists.

-mjm

Salandra, Justin A. wrote:

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681 cell
917.455.0110
[EMAIL PROTECTED]
RE: [ActiveDir] Delegate Password Resets
You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own.

To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681 cell
917.455.0110
[EMAIL PROTECTED]
RE: [ActiveDir] Delegate Password Resets
Good ol .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything and then when it dorks up you can fix on your own. JoeK probably has this code on a web site somewhere.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly sporadically stopped working, throwing what appear to be .net errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights. Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681 cell
917.455.0110
[EMAIL PROTECTED]
Re: [ActiveDir] Delegate Password Resets
This is definitely something I've written a few times. I actually don't have a stand alone ASP.NET page that does this, as I tend to write ASP.NET apps that are a bit more architected and have stuff implemented in different layers to help facilitate reuse and testability, so the actual LDAP code would be in a different DLL and the page would be a very thin facade. However, the complete code samples from our book would make a nice foundation for building a page to do this. We also cover the reasons why ADSI SetPassword and ChangePassword can be so tricky to deal with in our book in ch 10 (which is a free download from www.directoryprogramming.net). We also have a pure LDAP approach in our book that successfully avoids most of these problems, but it requires .NET 2.0 (hopefully not a big issue for most people these days).

I agree that buying a program to do this seems a little crazy to me, but I'm also a good developer, so a lot of things that seem easy to me might not be easy to other people.

Joe K.

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets

Good ol .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything and then when it dorks up you can fix on your own. JoeK probably has this code on a web site somewhere.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly sporadically stopped working, throwing what appear to be .net errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights. Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681 cell
917.455.0110
[EMAIL PROTECTED]
RE: [ActiveDir] Filter out a certain group of users from the GAL
I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece... When making AL filters, Exchange is picky and if you put in a ! you need to use the long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter; Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will show you one result and what you really get could be something completely different. I once got a crap answer from an Alliance Exchange PSS that someone made up about the RFC standards etc but that reason was, as I said, crap. It is just something you have to be aware of when working with those filters.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Filter out a certain group of users from the GAL

I have been trying to filter out a certain group of users from the GAL, these users should not appear in the GAL. I have used the ! sign but it looks simpler than it in fact is.

This is the Default GAL:

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

I want to exclude people who are a member of a group called XYZ Users and thought about doing it with:

(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)

The complete query is now:

(&(mailnickname=*)(|(&(objectCategory=person)(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

The above query outputs exactly the same objects as the first query, the one of the Default GAL. So somehow the group is not being filtered out. Probably just me overlooking something.

Cheers,
Victor
Re: [ActiveDir] Cross-Forest Kerberos Delegation
My understanding is that you can get the actual protocol transition logon to work, but you cannot use delegation (which is what you really need) because PT is tied to constrained delegation and it only works in a single domain, not even in multiple domains in a forest.

Your understanding is basically correct. This is a documented limitation and not something I've played with personally, so I'm not sure if there is more to it than that. I honestly don't know if this can be made to work with unconstrained delegation/kerb auth in IIS, as I've never tried that either. However, giving out unconstrained delegation privileges is a bit icky. This may be one of those situations where it is easier to just pass the plaintext credentials around between the tiers using basic auth/SSL and such.

Joe

- Original Message -
From: Ken Schaefer
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation

Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used cross-forest? I thought protocol transition was tied to constrained delegation (in a user/computer account's properties, on the delegation tab there is an option that says "any protocol", but that's only available in the section for constrained delegation). If that's the case, then how can protocol transition work cross-forest?

Cheers
Ken

-- My Blog: www.adOpenStatic.com/cs/blogs/ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

If I understand your scenario correctly: in order for S4U2self (protocol transition) to work in this scenario you will need a 2 way forest trust. If you do not need S4U2self you can get by with the one way trust.

steve

-- Original message --
From: Ken Schaefer [EMAIL PROTECTED]

Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).

The situation I have is as follows:

Client --- ISA Server 2006 --- Web Server --- App Server

The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through. Or I can try to use Kerberos delegation.

Now, ISA Server can use protocol transition, so that Client --- ISA Server can be something other than Kerberos (e.g. forms authentication), however Protocol Transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across Forests though? I have read conflicting reports on this. I'm having some difficulty getting it working, so either the answer is no, or my skills aren't up to the task (probably the latter, in combination with the former).

Cheers
Ken

-- My Blog: www.adOpenStatic.com/cs/blogs/ken
RE: [ActiveDir] Group Membership Update Frequency
Unfortunately I haven't delved extremely deeply into the application of Group Policy. I am not sure how membership is being checked/maintained for it.

As for what group memberships a given machine currently knows about itself, you should be able to fire up a localsystem command prompt (K3/XP or before you use AT service with /interactive) and then use sectok (joeware) or whoami /groups to see what is in the interactive token.

If you want to see what other machines think of your access, fire up ADAM on a member of the domain you care about and fire the localsystem command prompt again as above and then query the tokenGroups attribute of the rootdse like so

adfind -h ADAMSERVER -rootdse -resolvesids tokengroups

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Michael Heß
Sent: Saturday, December 16, 2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: AW: [ActiveDir] Group Membership Update Frequency

Joe,

thanks a lot for your helpful reply and sorry that my reply took so long. I am still waiting for a response because of my Microsoft Support ticket.

It's my goal to combine GPOs with Security Groups to manage different actions of the servers in the same OU. For this reason I created some Security groups and distributed the servers to the groups. Then I checked servers by GPRESULT for the group membership and some servers updated it without measurable delay, some servers after a week and some servers never. I can't understand this behaviour and so I started a support request at MS for which I am still waiting. As soon as I get an official reply I will let you know.

Thomas

PS: Is there another way to check group membership for a server except GPRESULT?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 10 December 2006 17:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Membership Update Frequency

It depends what you mean by this. The off the cuff answer is the server knows what it has based on its local security token so it actually never recognizes the change. However machines and users can have both local security tokens and kerb certs. The kerb certs are refreshed, the security token never is. Plus add in NTLM and if it is used to access remote resources you can have three answers... So the more full answer is "It depends".

So briefly:

If the security group is needed in the local security token, it will never get updated, you need to reboot. This will impact the machine's determination locally of what groups it has if the application is looking at the token OR trying to access something with Windows security locally (say like the group allows it to read a file locally). I have asked several folks inside of MSFT if there is anything that could be used to force this refresh of the security token and no one has been able to tell me there is indeed something that will do it and here is how... If so, I would have written the tool to do it if it were something they could point at.

If the security group is needed for remote kerberos operations or someone is reading the kerb cert directly local to the machine, it will occur when the ticket refreshes. You can purge the kerb cache to speed this up.

If the security group is needed for remote operations where NTLM is being used (say it is accessing a resource by IP instead of name so it can't do the SPN lookup), it will be used depending on whether or not the DC being used by the remote resource has the group membership or not (whether or not the DC the server itself uses has it or not is immaterial in this case because the server doesn't tell the remote resource what access it has, the remote resource asks its DC when it auth's the account). This could be immediately to seconds after the group update or even weeks depending on the OS revs of the DCs and the replication topology and max theoretical latency for the environment.

This is all exactly the same as it is for users.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

hi there,

when does a server recognize that it is part of an AD global Security group? Do I have to reboot every system or is there an update frequency where the server checks the AD? I need to know this because I want to use Security Group Filtering with GPOs.

Thanks in advance
Thomas
RE: [ActiveDir] Vista GPO
I don't know of anyone officially moving to Vista any time soon. Folks are playing with it, usually IT folks are just looking to get the latest and greatest to feel cool, they don't generally really and truly need any of the features. Several places I have heard with any kind of plans are talking 2008 soonest for Vista and Office 2007.

I was chatting with some other folks about this recently and I expect a lot of companies will find the migration to Vista to be even more difficult than their migration from Win9x to NT based technology. At least with NT Technology you usually had a bunch of people that had a lot of NT knowledge already and could leverage it or could go out into the newsgroups and find folks who have been running NT stuff in production for years and years. You don't really have that with Vista (and LongHorn) and the changes are sufficient enough that it will break quite a few things. I am not saying that is bad necessarily, that is what everyone started screaming for when they said MSFT wasn't secure enough. Now people will get to find out what that really means... I know quite a few developers who are hopping mad over a lot of the changes and some are even more concerned over where code signing is going, etc. Especially folks with low priced or free software that they make available, because if code signing becomes absolutely required, you have to pay for that as a developer/company.

Anyway, my thoughts are that there will be quite a few companies with custom mechanisms for managing things that they have developed over the years that will all completely fail or nearly completely fail with Vista and will have to be reworked or outright replaced which could take a lot of time. This doesn't even start to get into the realm of just plain old line of business apps.

Don't get me wrong, some leading edge people will move fast and take the black eyes and bloodied noses in stride, most folks though I expect to follow the old wait for SP1 rule and then wait even longer as they realize it isn't a simple forklift of the binaries. I wouldn't be surprised to see most large companies deploying Longhorn heavily into production before Vista even.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

(as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?)

Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors who are saying "Wait". My two benchmarks of when I can say I'm somewhat business ready on Vista are when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista.

Are you guys really and truly rolling these suckers out on production boxes?

Don't geeks adapt anyway? (We may not read... but we adapt right?)

This is slightly incorrect... but the fact is SQL 2005 Express officially needs SP2 to run on Vista
http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

*Wait Until after Tax Time?* Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software (http://recp.proadvisors.intuit.com/ctt?kn=18&m=399604&r=MzE0NTkxNTExOQS2&b=0&j=NzQzNjgzNDcS1&mt=1) and ProSeries Professional Tax Software (http://recp.proadvisors.intuit.com/ctt?kn=21&m=399604&r=MzE0NTkxNTExOQS2&b=0&j=NzQzNjgzNDcS1&mt=1).

*Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons:

* Potential reliability issues often associated with the initial release of operating systems.
* Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista.

Laura A. Robinson wrote:

Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation.

Laura

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
*Sent:* Friday, December 15, 2006 4:44 PM
*To:* ActiveDir@mail.activedir.org
RE: [ActiveDir] AD admin tool for Vista
Any answers would simply be guesses, but I honestly wouldn't expect anything until Longhorn release time frames. Note that those Petri instructions initially were posted to this list by Steve Linehan (Microsoft).

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD admin tool for Vista

Does anyone know when Microsoft will release Adminpak for Vista? Is the following link the only solution now? I followed the instructions and was able to snap in to MMC, but all AD objects became unrecognizable icons. Thanks.

http://www.petri.co.il/running_win_2003_adminpak_on_vista_rtm.htm
RE: [ActiveDir] SBS Dies Twice in Four Days
SBS... uh oh, there goes the neighborhood... This one could possibly get the [OT] badge I expect and/or go to the SBS specific groups. If an SBS server died, AD would be one of the last things on it I would suspect with everything it runs. ;o)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, December 14, 2006 1:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twice in Four Days

Hi -

I have a client with a four-year-old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly.

The few errors that show up include this: Shortly before Saturday's crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the "Enabled Journal Wrap Automatic Restore" key to 1. This appeared to have cleared the error. This error has not recurred.

Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server - twice.

Sorry if this is rambling a bit. I have been looking at this for several hours and don't seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I've got to feel comfortable with leaving this server for a week - or my earlier post about laptop batteries will be meaningless ;-)

TIA

-- nme
RE: [ActiveDir] LDAP query
If I understand what you are asking, no, I don't believe this is something that can be queried. I expect you are looking to be able to do something like what you can do with "net sessions" or "net files". You could maybe do something with the event tracing stuff or SPA2. But that wouldn't be a query, that would be running and collecting info and then you generate the report from the output generated.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Friday, December 15, 2006 4:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query

Hi,

Does anyone know how to query active LDAP sessions on a Win 2003 Domain Controller? I need to know the functional users which are used to query the AD by applications or Unix systems.

Thanks in advance,
Thomas

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix
I am not so sure he needs to be able to actually understand what is in the blob, so decoding of any part of the security descriptor shouldn't be necessary. Sounds like he simply wants to copy from one object to another and that should be possible using the LDAP_SERVER_SD_FLAGS_OID control, which really shouldn't be all that difficult to build and submit to the server assuming you have ber_printf available, and I believe most LDAP APIs do have it. If copying the entire SD and the app has the appropriate rights (i.e. something with rights to modify the SACL as that is generally the touchy part), it may be possible to do it without using the control even. It isn't something I have tried to do personally.

Now, seeing the domain from which the original poster is writing and having some detailed understanding of that specific environment and knowing all of the Enterprise/Domain Administrators, I am curious what exactly they want to do from UNIX and Java with machine accounts and whether they are chatting with anyone, as they may find they really don't have rights to do what they are wanting to do or are specifically disallowed from mucking with it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Tuesday, December 12, 2006 11:00 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

On Tue, 12 Dec 2006 14:49:46 -0500
Santiago, Felderi (F.) [EMAIL PROTECTED] wrote:

> I know this may sound crazy, but I need to write to the ntSecurityDescriptor attribute on a computer account from Unix via LDAP. Any clues?
>
> Essentially, what I am trying to do is query the ntSecurityDescriptor attribute of an object already in AD to see the value, and would like, moving forward, to set the same value on a specific object.

Why LDAP from Unix?

> Well, I am dealing with Unix Admins who hate Windows and want to do everything Unix. Any tips or tricks would be greatly appreciated.

Doubt it.

Basically you need two things: an LDAP client that supports the LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to decode and manipulate the binary array of ACEs that makes up a security descriptor. The first part is easy. The second part is very difficult unless you're comfortable hacking in C or Java.

As LDAP clients on UNIX go the best ones are:

1) OpenLDAP's C library, which gives you low level access to build controls and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID flags.
2) Java's JNDI, which should also have low level access, but I'm not sure.
3) The Perl binding for OpenLDAP is pretty good, but again I'm not sure you can do an arbitrary LDAPControl.

As security descriptor libraries go there are only two that I'm aware of:

1) Samba has a C API and a Python binding, but it could be difficult trying to decipher how to use it as it most likely is not designed specifically for generic use such as this.
2) JCIFS has code to get security descriptors and resolve names of SIDs, but it only has code to decode security descriptors, not encode them.

But the only reason that I mention JCIFS is because if *I* had to do this, I think JNDI/JCIFS would be the path of least resistance and you would end up with a pretty nice and flexible solution.

Or, if they're OK with using a web interface, you could write an ASP to do the work and protect it with Kerberos SSO, which Firefox can do.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
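The control joe and Mike discuss is small enough to build by hand, and the second half of Mike's list, decoding the descriptor, is where the real work is. As an added illustration that is not code from either poster, the Python below builds the BER value for LDAP_SERVER_SD_FLAGS_OID (a SEQUENCE holding an INTEGER whose bits select owner, group, DACL and SACL) and parses a self-relative security descriptor down to its ACEs and SIDs. It assumes the published SECURITY_DESCRIPTOR, ACL, ACE and SID layouts; the descriptor it parses is constructed inside the block, and object ACEs (the ACE types AD uses for per-attribute and extended rights) are skipped by size rather than decoded.

```python
"""LDAP_SERVER_SD_FLAGS_OID control value and self-relative security descriptor
decoding. Added example for the thread above, not any poster's code. Layouts
follow the published SECURITY_DESCRIPTOR/ACL/ACE/SID formats; every sample
byte below is constructed, not taken from a real directory."""
import struct

LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # the control named in the thread
OWNER_SECURITY_INFORMATION = 0x01
GROUP_SECURITY_INFORMATION = 0x02
DACL_SECURITY_INFORMATION = 0x04
SACL_SECURITY_INFORMATION = 0x08  # the part joe flags as needing extra rights

ACE_TYPE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}


def ber_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (what ber_printf's "i" format emits)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + bytes([len(body)]) + body


def sd_flags_control_value(flags: int) -> bytes:
    """Control value is BER SEQUENCE { INTEGER flags }; short-form lengths suffice."""
    inner = ber_int(flags)
    return b"\x30" + bytes([len(inner)]) + inner


def parse_sid(buf: bytes, off: int) -> tuple:
    """Decode a binary SID at buf[off]; returns (string form, byte size)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # sub-authorities little-endian
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(buf: bytes, off: int) -> list:
    """Walk an ACL: 8-byte header, then AceCount ACEs each starting with a 4-byte header."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in ACE_TYPE_NAMES:  # plain ACEs: 4-byte access mask, then trustee SID
            mask, = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = parse_sid(buf, pos + 8)
            aces.append({"type": ACE_TYPE_NAMES[ace_type], "flags": ace_flags,
                         "mask": mask, "sid": sid})
        else:  # object ACEs (common in AD) are skipped by AceSize, not decoded here
            aces.append({"type": "UNPARSED_0x%02X" % ace_type, "size": ace_size})
        pos += ace_size
    return aces


def parse_self_relative_sd(sd: bytes) -> dict:
    """Header: Revision, Sbz1, Control, then offsets of Owner, Group, SACL, DACL (0 = absent)."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    return {
        "revision": rev, "control": control,
        "owner": parse_sid(sd, o_owner)[0] if o_owner else None,
        "group": parse_sid(sd, o_group)[0] if o_group else None,
        "sacl": parse_acl(sd, o_sacl) if o_sacl else None,
        "dacl": parse_acl(sd, o_dacl) if o_dacl else None,
    }


# --- constructed sample descriptor, used only to exercise the parser above ---
def build_sid(authority: int, *subs: int) -> bytes:
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type: int, flags: int, mask: int, sid: bytes) -> bytes:
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces: list) -> bytes:
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body


def sample_sd() -> bytes:
    """Owner/group = a made-up Domain Admins SID; DACL allows SYSTEM full control
    and a narrower mask for Authenticated Users; no SACL (offset 0)."""
    owner = build_sid(5, 21, 1, 2, 3, 512)
    dacl = build_acl([build_ace(0x00, 0, 0x000F01FF, build_sid(5, 18)),
                      build_ace(0x00, 0, 0x00020094, build_sid(5, 11))])
    SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
    o_owner, o_group = 20, 20 + len(owner)
    o_dacl = o_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         o_owner, o_group, 0, o_dacl)
    return header + owner + owner + dacl


if __name__ == "__main__":
    print(sd_flags_control_value(OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
                                 | DACL_SECURITY_INFORMATION).hex())
    print(parse_self_relative_sd(sample_sd()))
```

Attaching the control is still the LDAP library's job (OpenLDAP's ldap_control_create takes exactly this value as the control's berval); flags 0x7 selects owner, group and DACL, and adding 0x8 pulls in the SACL, which is the part the caller most often lacks rights for. When only copying a descriptor between objects, as joe describes, the parser is not needed at all; it is what you reach for when you have to audit or edit individual ACEs.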
RE: [ActiveDir] Is it possible to determine who created an AD object?
So what was the overall outcome here? Did the PDC -vs- not-PDC end up making a difference? Administrators -vs- Domain Admins? etc etc etc

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 05, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Well, I've done some more testing and the results are interesting. In both instances I have the policy in place and set to Object Creator.

1. If the account used for AD object creation is a member of Domain Admins, the owner is shown as Domain Admins.
2. If the account used for AD object creation is a member of Administrators, the owner is shown as the account used to create the object.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Sorry to say, but I have different results... mailed them offline to Laura.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Just to make sure everybody understands what I am saying, I'm going to summarize this one last time.

If I create an object in AD while I am logged on with an account that is a member of Domain Admins, Domain Admins becomes the owner of the object. NOT the Administrators group. NOT the object creator. DOMAIN ADMINS.

If I create an object in AD while I am logged in with an account that is NOT a member of Domain Admins and IS a member of the built-in Administrators group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the object. NOT Administrators, and NOT the object creator. Period. End of story.

The group policy setting "System objects: Default owner for objects created by members of the Administrators group" DOES NOT AFFECT DIRECTORY OBJECTS.

Test. It. Yourself. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Just like I wrote it and Tony confirmed it. Do you have other experiences?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Test what I wrote in my other response.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Which part?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Have you tested this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are a member of DOMAIN ADMINS also, it will list DOMAIN ADMINS....

Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY
RE: [ActiveDir] Resending because I kept sending via the wrong account.
Ah. And the PDC versus non-PDC? Red herring? Cross-contamination? Crossed the streams and the Stay-Puft marshmallow man wasn't in sight. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resending because I kept sending via the wrong account.

Okay, folks, I think I may have an answer to the behavior I've been seeing with an account that is NOT a Domain Admin but IS an Administrator not showing as the individual owner of the object when the policy is set to object creator. The only thing I can think of is this: I've been doing this all via TS connections. I'm not sure how I managed to do it, but I'm guessing that I never actually logged off the TestLaura account after I removed it from Domain Admins and made it a member of Administrators instead. I could have sworn that I'd logged the darn thing off a whole buncha times, but that's the only possibility that could explain why I was seeing the behavior I was seeing. I feel like an idiot now. :-) (No agreement from the peanut gallery, please; everybody has a bad day. I just tend to have mine very publicly.)

In any case, PLEASE DO NOT USE DOMAIN ADMIN ACCOUNTS FOR ROUTINE TASKS THAT CAN BE PERFORMED USING NON-DA ACCOUNTS. (Sorry, not yelling, just too lazy to do pseudo-italics.) None of this ownership stuff and policy changing has any effect on accounts that are members of Domain Admins, only on accounts that are members of the domain's Administrators group without being DAs. You will still not be able to use ownership as a reliable indicator of object creator REGARDLESS. Since object owners can *give* ownership to anybody they desire (this has been possible since the NT days, just not exposed in the GUI until post Win2K), there's nothing to guarantee that that hasn't been done.

If you want to know which user account was used to create objects in the directory, use the event logs and auditing. Do not use object ownership.

Thank you very much, and we now return you to your regularly-scheduled programming. I'm gonna go eat. :-D

Laura

P.S. There were a bunch of rambling posts I sent before this one, but I think this one actually sums stuff up well enough, and I'm sure you're tired of seeing posts from me at this point! :-)

To summarize: If you're not as dain bramaged as I am and you set the "System Objects: Default owner..." policy to object creator, accounts that are members of Administrators but are NOT members of Domain Admins will show as the initial owner of the objects they create. Accounts that are members of Domain Admins will be unaffected by the policy.
RE: [ActiveDir] Send As(OT)
In Exchange nothing comes from the DL, it comes from the user who sent to the DL. I believe you cannot in actuality send from a DL because a DL is an alias, not a mailbox. I could easily be wrong not being an Exchange guy, but I don't expect I am.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, December 05, 2006 6:12 PM
To: activedirectory
Subject: [ActiveDir] Send As(OT)

I have given a user Send As permission directly on a universal distribution group in AD. However, whenever this user selects the group from the GAL in the From: field of Outlook 2k3 and attempts to send an email as that group, he gets an error of "You do not have the permission to send the message on behalf of the specified user."

The group is NOT nested in any of the AdminSDHolder protected groups. The user has been given Send As perms directly on the UDG. He is in no groups with explicit denies. I have also tried giving my account Send As perms to the group and I get the same error. I have waited over 24 hrs so it's also not an info store cache/replication issue.

I'm running Exchange 2k3 SP2 with the latest hotfixes (including the Send As one) in a Win2k3 forest (Win2k3 FFL/DFL).

Any ideas would be great. Thanks for your time.
RE: [ActiveDir] AD Schema Extensions and Exchange System Manager
I am not positive on this, but I think you need to look at mAPIIDs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Tuesday, December 05, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Extensions and Exchange System Manager

Excellent mail list... keep up the good work! But can anyone help me...

For various reasons we have extended the schema in our Active Directory (test only at present) to add further local attributes to users. All is working well until I attempt to make use of the data in these extra attributes within Exchange System Manager (ESM). Specifically, I would like to extend the user template visible from the Outlook Address Book to display information contained in the schema extensions. Unfortunately, the ESM only allows a handful of attributes to be picked for display and none of them are our extensions.

Anyone know how to coerce ESM to allow other user attributes to be chosen?

Regards
Mike Waters
RE: [ActiveDir] Tombstone.
Note that not all objects can be reanimated; there is a little bug I found that impacts objects (mostly config objects, if I recall properly) created with specific settings that will not allow you to move them out of the Deleted Objects container once they have been deleted/tombstoned. I believe I ran into that while doing mass testing of AdMod, which will also reanimate tombstones. The bug is officially bugged and should be corrected eventually.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 04, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Tombstone.

Hi Ajay

Not sure what network objects you are interested in, but you do have the ability to reanimate tombstoned objects. The main issue with this is that not all of the attributes are preserved when the object is tombstoned, which means you won't get back everything that was lost using this method.

For some tools leveraging the reanimation API, have a look at:
http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx
http://www.quest.com/object_restore_for_active_directory/

Also have a look at the discussion thread below. Dean Wells shows how to modify the schema to include additional attributes in tombstone reanimation.
http://www.mail-archive.com/activedir@mail.activedir.org/msg30802.html

Tony

-- Original Message --
From: Ajay Kumar [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 5 Dec 2006 00:33:21 +0530

> Hi all,
>
> I have a query. Is it possible to recover a network object from an AD tombstone? If not, then what is the use of it?
>
> Regards,
> Ajay Pardeshi
RE: [ActiveDir] Tombstone.
Difficult to replicate a deleted object... If you send a null to your replication partner, it doesn't know what to remove. :)

You can get around the whole tombstone thing though if you use dynamic objects. Those really and truly do delete with no chance of reanimation. However, the time to die info is (well, usually) on the object from the very beginning, so you don't need to replicate around a notification of a tombstone; each DC will know when it needs to remove the object. This is actually a fun way to build lingering objects in your directory. There are a couple of ways it can be leveraged to do so if you really want to work at dorking your forest up.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, December 04, 2006 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Tombstone.

Brett, because of the way the question was asked it might be a good idea to mention why that's important vs. just deleting an object and replicating that.

My $0.04 for the day.

Al

On 12/4/06, Brett Shirley [EMAIL PROTECTED] wrote:

> By default it is not possible to recover an AD object from an AD tombstone. The AD tombstone mechanism is used to support AD replication. The way AD replication works is that, in a sense, a delete is really like a modify by setting the isDeleted attribute (really the metadata, maybe the attr too, don't remember OTOH). By setting this attribute the AD object turns into an AD tombstone, a change that can replicate normally around to make the delete global.
>
> Cheers,
> Brett Shirley
>
> On Tue, 5 Dec 2006, Ajay Kumar wrote:
>
> > Hi all,
> >
> > I have a query. Is it possible to recover a network object from an AD tombstone? If not, then what is the use of it?
> >
> > Regards,
> > Ajay Pardeshi
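Brett's point that a delete is really a modify of isDeleted is also why the reverse works: reanimation, which the AdRestore and Quest tools in Tony's reply and joe's AdMod all perform, is a modify that removes isDeleted and moves the object back under its lastKnownParent, sent with the show-deleted-objects control. The Python below is an added example for both tombstone threads above, not any poster's code. It builds that modify from a constructed tombstone and also reports which of an object's attributes will not come back, since only attributes whose schema searchFlags carry the preserve-on-delete bit survive tombstoning (Tony's caveat, and what the Dean Wells schema change he links adjusts). The tombstone, the attribute list and the searchFlags values are all constructed; the deleted-object DN layout, lastKnownParent, the control OID and the shape of the modify are as MS-ADTS documents them.

```python
"""Compute the LDAP modify that reanimates an AD tombstone, and list what the
tombstone has already lost. Added example for the tombstone threads above,
not code from any poster. Sample tombstone and searchFlags are constructed."""

LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # must accompany the modify
DEL_MARKER = "\\0ADEL:"   # escaped newline + "DEL:" that AD appends to a deleted RDN
PRESERVE_ON_DELETE = 0x8  # searchFlags bit that keeps an attribute on the tombstone


def split_first_rdn(dn: str) -> tuple:
    """Split 'CN=x,OU=y,...' into ('CN=x', 'OU=y,...'), honouring backslash escapes
    so an escaped comma inside the name does not end the RDN early."""
    i, escaped = 0, False
    while i < len(dn):
        c = dn[i]
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def original_rdn(tombstone_dn: str) -> str:
    """Strip the '\\0ADEL:<objectGUID>' suffix AD adds to a deleted object's RDN."""
    rdn, _ = split_first_rdn(tombstone_dn)
    marker = rdn.find(DEL_MARKER)
    if marker < 0:
        raise ValueError("not a deleted-object DN: %s" % tombstone_dn)
    return rdn[:marker]


def undelete_request(tombstone: dict, new_parent: str = None) -> dict:
    """Modify request that restores the object: delete isDeleted and replace
    distinguishedName with the original RDN under lastKnownParent (or a
    caller-chosen parent). The show-deleted control is required on the request."""
    if not tombstone.get("isDeleted"):
        raise ValueError("object is not a tombstone")
    parent = new_parent or tombstone["lastKnownParent"]
    new_dn = "%s,%s" % (original_rdn(tombstone["distinguishedName"]), parent)
    return {
        "dn": tombstone["distinguishedName"],
        "controls": [LDAP_SERVER_SHOW_DELETED_OID],
        "changes": [("delete", "isDeleted", []),
                    ("replace", "distinguishedName", [new_dn])],
    }


def unrecoverable_attributes(attribute_names: list, search_flags: dict) -> list:
    """Attributes the tombstone no longer carries: anything whose schema
    searchFlags lacks PRESERVE_ON_DELETE was stripped at deletion time."""
    return sorted(a for a in attribute_names
                  if not search_flags.get(a, 0) & PRESERVE_ON_DELETE)


# --- constructed sample: a deleted user plus a made-up searchFlags table ---
SAMPLE_TOMBSTONE = {
    "distinguishedName": "CN=Jane Doe\\0ADEL:0f5c2d3a-1111-2222-3333-444455556666,"
                         "CN=Deleted Objects,DC=example,DC=com",
    "isDeleted": True,
    "lastKnownParent": "OU=Staff,DC=example,DC=com",
    "objectGUID": "0f5c2d3a-1111-2222-3333-444455556666",
}
SAMPLE_SEARCH_FLAGS = {  # constructed values, not the real schema
    "sAMAccountName": 0x9, "objectSid": 0x8, "userAccountControl": 0x8,
    "description": 0x0, "mail": 0x1, "telephoneNumber": 0x0,
}
SAMPLE_ORIGINAL_ATTRIBUTES = ["sAMAccountName", "objectSid", "userAccountControl",
                              "description", "mail", "telephoneNumber"]

if __name__ == "__main__":
    print(undelete_request(SAMPLE_TOMBSTONE))
    print("lost:", unrecoverable_attributes(SAMPLE_ORIGINAL_ATTRIBUTES, SAMPLE_SEARCH_FLAGS))
```

The request dictionary is deliberately library-neutral: hand its dn, controls and changes to whichever LDAP binding you use. The second function is the one to run before promising anyone a restore; if the attributes they care about are in its output, the tombstone cannot give them back and an authoritative restore from backup is the only path.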
RE: [ActiveDir] mailNickName(OT)
Hmm, I think you echoed all of the thoughts I had when I read that post. I can now retire. I have been replaced by a younger model.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, November 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as the numbers get larger. :)

With regard to your email address question, you can update the recipient policy the RUS uses to automatically stamp everything with [EMAIL PROTECTED]. You would set your recipient policy to include [EMAIL PROTECTED] to generate this for each object. Reference Q285136 for more info.

8 people for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname format is due to a dirsync process that runs once a day and reads that attribute to do an address rewrite. When a mailbox enabled user is created, the RUS stamps it with an [EMAIL PROTECTED]. Later, the dirsync process adds [EMAIL PROTECTED], so when mail goes out, sendmail rewrites the RHS portion of the SMTP addy. If mailNickName is sAMAccountName, it doesn't work.

Sometimes during the provisioning process, the LAN access guys forget to set this attribute to that value, so the Exchange team was looking for a way to automatically generate the value in the correct format, kinda like displayName.

I just started here about 2 months ago, so I'm not completely sure how the process works and I'm trying not to annoy everyone with too many questions.

This is the first truly large corp I've ever worked for. Before, I was the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8 member Exchange team for a 110,000 user bank that you've all heard of, and I guess I'm trying to wrap my head around how an org this size works... I'm actually kinda surprised no one on the Exchange team knows how to script or is very knowledgeable about AD. Then again the AD team doesn't seem that knowledgeable about AD. They just migrated from EX 5.5 to EX2K3 when I started, so I guess they are trying to get up to speed with Exchange.

I only made the MS comment because a corp this large seems to have a lot of resources at MS and I saw that someone from MS did their EX2K3 design doc. I'm not under the illusion that just because someone is from MS that they know what they are doing, but I guess I have illusions about companies this size and that they would somehow get the better support from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

> I think I see the reason that it hasn't been as big a problem as it could be. The id is not yet everywhere. You will run into those collisions. Statistically (note, I'm not a statistician, but I sometimes play one on the internet) your numbers are just too large not to. When you hook in MIIS, you'll start to see a lot of John Smiths and you'll have to map them and come up with rules to automatically resolve those if possible. I dunno though, you may be an organization that enjoys manual processes.
>
> Even for first.lastname for SMTP addresses I'm reasonably sure there's either a really strong nepotism policy in your organization or you've got some *process* that allows for making those unique. I've worked in much smaller shops that had such policies (sadly, no strong nepotism rule, but that's another story altogether.)
>
> I second what joe says about not taking their word for anything. I'll go so far as to qualify that and say that the best answer you should get from a consultant or on-site resource is "it depends". What that really means is that depending on the information available, your current best practice as it was intended is to do x. I can't begin to tell you how many things that started from the product teams as "the product only does this" later end up to be "for the love of <insert your favorite deity here> don't do this!!!" Think clustering and you'll know what I'm talking about. Every bit of it depends. But Microsoft developers need more parameters than "it depends" so they come up with scenarios. And they narrow those down out of necessity. If you fit in that scenario, your stuff is a tested scenario. If not, it's something they may have thought of but didn't think enough customers would use and so didn't spend time testing thoroughly - aka "if it works, it was meant to do that. If it does not, what the ^%$# were you thinking? Don't you read that (often non-existent
RE: [ActiveDir] mailNickName(OT)
Excellent points David. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 22, 2006 6:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] mailNickName(OT) While I firmly agree that guidance should never be blindly followed, regardless of the source, I'd add that customers who say Microsoft reviewed this or something like that should not necessarily be taken to mean the design was in any way developed by or recommended by MS (I can't speak for the OP; I'm just making a general statement.) I've seen many a customer fight for a MS stamp of approval on a design that in no way is best practices but works and meets the bare bones supportability requirements. Also, recommendations to change a design are often met with but it works and I don't want to possibly break it just to comply with best practices so unless you tell me it's completely broken we're not changing it. But that's rarely disclosed when problems come up down the road. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, November 22, 2006 4:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] mailNickName(OT) I have to admit some surprise that you have that large of an org and haven't hit issues in collisions on the name space when using firstname.lastname. Actually I find it more than surprising, I expect you have some exceptions or some folks got a display name that isn't something they totally prefer, like a Ted became a Theodore or something for example... On the MSFT helped with the design comment... I realize you weren't around for it but don't confuse someone from MSFT helped with the design with MSFT helped with the design. It is something I learned a long time ago to separate. 
Not every MSFT resource is as knowledgeable as they should be in every area they may be called in to work on... i.e. When using say MCS or PSS to help with things, don't blindly follow, understand what they are designing or asking you to do. Obviously this isn't strictly limited to MSFT, this goes for every company that has experts that come in and help. While you hope you get all of the experience of Microsoft in every Microsoft employee (or all of the experience of Company X from every Company X employee) who visits you, the simple and obvious truth of the matter is that you don't. You get a person with some level X of experience who has some level X of access to other people. Some of these people will be extremely experienced in what you are doing (or some aspect of what you are doing), some will pretend they are. Some will know who to contact to verify plans/ideas, some won't, some won't even care to because they feel they know enough themselves. I have met all versions of these. My favorites are those who are comfortable enough in themselves to actually say I don't know the anwers to that or I am not sure that is quickly followed by But I will find out. Interestingly, the people willing to say I don't know tend to be the ones that most of the other MSFT folks consider to be some of the brightest folks working on those things... Imagine that. At any point if you get the feeling that the person is more of a shyster than an expert, call them out and ask for them to get someone else on the phone to talk it out as well. If you are in a 100k+ org, you should have the weight to even get someone from Redmond on the phone to help answer questions. Also don't be afraid to just ask here, say someone said X and Y and we aren't exactly sure if that is accurate... People here will either say yes, no, it depends, or where %#$ are your smilies... 
All of that to say, even if someone from MSFT helped with some design of something, don't rely on that meaning it is authoritatively the most optimal configuration or even how it should be done at all. You are on better ground if you get an official design review from PSS because then several folks should be looking at it, but even still... I have seen some funny recommendations even in those that I have completely ignored. Basically you need to have some good understanding of what you are doing as well. In a small company the repercussions and actually the need for special thinking are greatly reduced; Microsoft Redmond targets those situations. In larger companies above the 30/50/80/100k user marks, IMO, someone better have a good understanding of AD, unless all of your support is farmed out to another company and then someone there better have a really good understanding. If you want to read on, there is a funny story I have of an MSFT Exchange Alliance Premier person who had an issue saying "I don't know" and it radically impacted his image and how the customer viewed him... This just came up in a chat I had with someone recently so since it is fresh in my head... I was in a training
RE: [ActiveDir] OT: Find a use of an account in AD
I seem to recall Dean Wells posting a batch file to the list to gather all of the service accounts being used across a forest; might want to peek at the archives.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Thursday, November 30, 2006 3:33 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Find a use of an account in AD

Hello all, I have a few user accounts which are used as service accounts and which are members of the Domain Admins group, but I have no idea what they are for. Does anyone know of a way of identifying where these accounts are used, e.g. as a service etc., using a script or something? If so, does anyone have a script they could share ;-) It's a Windows 2003, single forest, single domain. Ta! Amy
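An added example for Amy's question (this is not Dean Wells' batch file and is not from the original thread): a PowerShell script that walks every enabled computer account in the domain and reports the Windows services and scheduled tasks that log on as a given account. It assumes it runs from a domain-joined machine with admin rights on the targets, that WMI/RPC and schtasks are reachable, and that the account is supplied as DOMAIN\sam or sam; the account name 'JOE\svc_backup' in the comments is a placeholder.

```powershell
# Added example, not code from the original post. Finds where a (service)
# account is used as a service logon or scheduled-task "Run As" identity.
# Assumptions: domain-joined runner, admin rights on targets, WMI/RPC reachable.
param(
    [Parameter(Mandatory = $true)][string]$Account,   # e.g. 'JOE\svc_backup' (placeholder)
    [string]$SearchBase = ''                            # '' = the domain's default naming context
)

$rootDse = [ADSI]'LDAP://RootDSE'
if ($SearchBase -eq '') { $SearchBase = [string]$rootDse.defaultNamingContext }

# Enumerate enabled computer objects with a plain DirectorySearcher (no AD module needed).
# userAccountControl bit 2 (ACCOUNTDISABLE) is excluded with the LDAP_MATCHING_RULE_BIT_AND rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('dNSHostName')

# Match 'JOE\svc_backup', 'svc_backup' and 'svc_backup@joe.com', but not 'svc_backup2'.
$sam = ($Account -split '\\')[-1]
$pattern = "(^|\\)$([regex]::Escape($sam))(@|$)"
$hits = @()

foreach ($result in $searcher.FindAll()) {
    $computer = [string]$result.Properties['dnshostname'][0]
    if (-not $computer) { continue }

    # Services: Win32_Service.StartName holds the logon account of each service.
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                $hits += New-Object PSObject -Property @{
                    Computer = $computer; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName
                }
            }
    } catch {
        Write-Warning "WMI query failed on ${computer}: $_"
    }

    # Scheduled tasks: the verbose CSV output of schtasks carries a 'Run As User' column.
    $tasks = schtasks /query /s $computer /v /fo CSV 2>$null | ConvertFrom-Csv
    foreach ($task in $tasks) {
        if ($task.'Run As User' -match $pattern) {
            $hits += New-Object PSObject -Property @{
                Computer = $computer; Type = 'ScheduledTask'; Name = $task.TaskName; RunAs = $task.'Run As User'
            }
        }
    }
}

$hits | Sort-Object Computer, Type, Name | Format-Table Computer, Type, Name, RunAs -AutoSize
```

Run it as `.\Find-AccountUsage.ps1 -Account 'JOE\svc_backup'` (file name is yours to choose). It only covers service logons and scheduled tasks; IIS application pools, COM+ applications, stored credentials in applications and interactive logons are not enumerated, so an empty result does not prove the Domain Admins account is unused. Security event 4624/528 logon auditing on the DCs is the complementary check before you disable the account.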
RE: [ActiveDir] ActiveDir.Org Web Site Update [List Admin]
Hmmm, I almost missed this post. Ok, Matty goes on the list ;o)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matty Sent: Wednesday, November 22, 2006 5:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ActiveDir.Org Web Site Update [List Admin]

Hi All, I just want to update you on some recent changes to the ActiveDir.Org http://www.activedir.org/ site. As you may know, the last attempt at publishing the Mail List's archives on ActiveDir.Org was a complete disaster. The software we were using (Mhonarc) just couldn't keep up with the volume (I actually suspect it was also due to the length of some of Joe's mails - only joking ;-)). The good news is we finally got around to developing our own solution (this time with extremely long field lengths ;-)) so you can now find the archives back on-site again here http://www.activedir.org/ma/default.aspx . The archive is updated hourly. It's fully RSS'd so you can subscribe to the main archive feed if you prefer to view posts in that way. If you are that keen on following a particular thread, we also maintain a separate feed for each separate thread. Another recent update that is also related to the List Archive is the new Posters http://www.activedir.org/ma/posters.aspx feature. This feature categorises the list's archive by sender and will publish all threads that you have ever been involved in. You need to be registered with http://www.activedir.org/register.aspx ActiveDir.org (with the same email address as you use to subscribe to the list) in order to publish your threads to the Posters page. Here's an example of Tony's Posters page: http://www.activedir.org/ma/posters.aspx?id=2 It's kind of like having your own ActiveDir Mail List Blog. We encourage you to join in the fun ;-). Again there is a feed so you can subscribe to only specific posters' messages if you choose to do so.
The nice option here is you can link this feed from your own blog/web site or from your message footer when posting to the list. What about an archive/site search? There isn't one at the moment. This will be implemented early in the New Year but for now we are counting on Google. If you think of other features you would like to see on the site or find issues with existing functionality then let us know. Hope you find the new pages useful. Cheers, Matty (General ActiveDir Dogsbody #2) Site: http://www.activedir.org/ Register: http://www.activedir.org/register.aspx Posters page: http://www.activedir.org/ma/posters.aspx Archive page: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Is it 2000 or 2003?
(I liked the way ADFIND and ADMOD output this info. so thought I'd steal Joe's idea and wrap this info.)

Thanks, it was something I came up with on the fly because I was testing something and not paying as close attention to the server name as I should have been and actually was hitting the wrong OS version box. So I was like, ok, I'll fix that!

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Friday, November 17, 2006 5:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003?

Interesting, you're more than likely doing it in a more efficient manner than I then. Here's the code I use in all of my scripts (for anyone who's interested in this) these days (I liked the way ADFIND and ADMOD output this info. so thought I'd steal Joe's idea and wrap this info. into all my scripts that do something with the DS):

    ' The ADAM capability OID tested for below; it was referenced but not
    ' defined in the snippet as posted, the value is the one given later in
    ' this thread (1.2.840.113556.1.4.1851).
    Const LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"

    ' ***
    ' Sub printDirectoryInfo(RootDSE)
    '
    ' Sub prints the DC that is being used and the
    ' level of the directory service.
    '
    ' Note. Sub calls func getDSFunctionality
    '
    ' ***
    Private Sub printDirectoryInfo(oRootDse)
        Dim sServer, sDSFunctionality
        sServer = oRootDse.Get("dNSHostName")
        sDSFunctionality = _
            getDSFunctionality(oRootDse.Get("domainControllerFunctionality"), _
                               oRootDse.Get("supportedCapabilities"), oRootDse)
        echo "Using server: " & sServer
        echo "Directory: " & sDSFunctionality & vbCrLf
    End Sub

    ' ***
    ' Func getDSFunctionality(int, array, RootDSE)
    '
    ' get the domain functional level for info.
    ' purposes function returns a string defining the
    ' current value of the DC queried (via serverless
    ' bind). The RootDSE object is passed in so the
    ' domain NC can be bound to for the nTMixedDomain check.
    '
    ' ***
    Private Function getDSFunctionality(iDSFunctionality, _
                                        cSupportedCapabilities, oRootDse)
        Dim oBase, dsf, nTMixedDomain, supportedCapability, bFlag
        bFlag = False
        Select Case iDSFunctionality
            Case 0
                ' defaultNamingContext is a DN string, so bind to it before reading
                Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
                nTMixedDomain = oBase.Get("nTMixedDomain")
                ' nTMixedDomain = 1 means the domain is still in mixed mode
                If (nTMixedDomain = 1) Then
                    dsf = "Windows 2000 Mixed"
                Else
                    dsf = "Windows 2000 Native"
                End If
            Case 1
                dsf = "Windows Server 2003 Interim"
            Case 2
                ' Same behaviour version as 2003; the ADAM capability OID tells them apart
                For Each supportedCapability In cSupportedCapabilities
                    If (supportedCapability = LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID) Then
                        bFlag = True
                    End If
                Next
                If (bFlag) Then
                    dsf = "Active Directory Application Mode (ADAM)"
                Else
                    dsf = "Windows Server 2003"
                End If
        End Select
        getDSFunctionality = dsf
    End Function

    ' ***
    ' Sub echo(String)
    '
    ' Sub prints the passed string to the console
    ' (if run from CSCRIPT) or to the shell via
    ' message box (if run from WSCRIPT).
    '
    ' ***
    Private Sub echo(sOutputString)
        WScript.Echo(sOutputString)
    End Sub

    ' Serverless bind to the RootDSE of whatever DC the locator hands back
    printDirectoryInfo GetObject("LDAP://RootDSE")

--Paul

- Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 16, 2006 6:32 PM Subject: RE: [ActiveDir] Is it 2000 or 2003?

AdFind only determines the directory level; it doesn't look for functional modes or mixed mode. The way I get directory level is through the supportedCapabilities attribute of the rootdse of the DC. Of course it is possible to hit one DC looking for info and I pull the ROOTDSE from that DC and then in the background a referral is processed which ends up getting the info from another DC in another domain (or same domain if looking at app parts). You can get functionality modes from the rootdse attributes domainFunctionality and forestFunctionality. For all of those, just do an

    adfind -rootdse

and you will see what I am decoding and logically how I ascertain directory level. Mixed mode versus native you simply use the domain NC's nTMixedDomain attribute.
joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, November 16, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Is it 2000 or 2003? I don't understand where you are seeing this info. Are you referring to the applet that is used to raise the FL? Or something else? As for the flag that is used to identify the directory, it is usually a combination of: msDS-Behavior-Version nTMixedDomain supportedCapabilities Or at least, that is the way I put info. such as server and directory in each of my scripts. Just like Joe does in ADFIND and ADMOD. I believe he does it the same way too. Basically, check msDS-Behavior-Version. If it's 0, check nTMixedDomain. If it's 2, check supportedCapabilities to see whether or not it is ADAM (it's ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851
RE: [ActiveDir] supportedsaslmechanisms
I am not aware of being able to do so, no.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, November 06, 2006 2:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] supportedsaslmechanisms

Is it possible to disable one (or more) of these mechanisms? I ask as I see the following on my 2 remaining w2k DCs:

    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: GSS-SPNEGO

and on my w2k3 DCs:

    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: GSS-SPNEGO
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: DIGEST-MD5

I have a misbehaving Unix app that exits right after it gets a list of the supported SASL mechanisms on a w2k3 DC but works fine with a w2k DC. I'd like to rule out some sort of overflow in the app. al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: Deleting an OU in AD and AD/AM with 1,000,000++ users (WAS: RE: [ActiveDir] )
Hmm, I swear I responded to this but I don't see it... So... The progress dots are only for reading in the CSV pipe, not for what it is currently working on.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava Sent: Thursday, November 02, 2006 12:47 PM To: ActiveDir@mail.activedir.org Subject: Deleting an OU in AD and AD/AM with 1,000,000++ users (WAS: RE: [ActiveDir] )

Duh!! Sorry for answering myself, and also for forgetting to set a subject on my previous email (should've been "Deleting an OU in AD and AD/AM with 1,000,000++ users"). I have taken the time to re-read the help screens (I did read them all, I swear. I mean, how did I learn about -sc adau if not? ;) and I have found the -treedelete switch that seems to be what I am looking for (I knew it had to be there somewhere; admod would not *really* let you shoot yourself in the foot if there was no way to really wipe a domain with it). In any case, my previous question about progress signs stands. In this case, I have two instances of admod happily chugging away (one is deleting the users in AD; the other in ADAM) but no sign of what they are doing, other than the fact that the VM hosting the domain and ADAM is seriously tasked. Thanks a lot, and sorry for the unnecessary blunder. J

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava Sent: Thursday, 02 November 2006 18:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir]

Hi all!! I've been stress-testing some utilities we use internally, specifically a tool to sync users from AD to AD/AM (ok, not exactly sync; we just need a user/computer object with the same names as those in AD). For the purpose, I have created an OU in AD that I then filled with 100+ users (admod -sc adau:100;SomePassword1;CN= a couple of times).
The tool survived the beating, but now I want to delete the OU and the users within, both in AD and ADAM. I thought that:

    admod -b OU_DN -rm

would do the trick, but it complains that it can't delete a non-leaf (otherwise understandable). ADUC and ADAM-ADSIEdit let me say delete, but they take on the order of ages (they are at it now). Users & Comp. seems to hang, and ADSIEdit every now and then comes up with a message box saying:

    --- ADAM-ADSIEdit ---
    The tree deletion is not finished. The request must be made again to continue deleting the tree.
    --- OK ---

I click OK, select delete again on the OU, and on it goes... My question is, I know that there has to be a better/quicker way to do this that does not involve listing all objects and piping them to admod? Thanks a lot. Javier Jarava

PS: For bonus points, I seem to recall some post on joe's blog about having progress dots in admod that show objects being modified... But I wasn't able to find the proper switch in the docs, so when I created 100 users I got 100 DNs shown on screen. So, what is the proper option to say "don't print all progress, just a running % or something like that"?? Thanks a bunch again. J
RE: [ActiveDir] AB Views Export/Import
Hey Jerry, I am not exactly sure what you are asking for here.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch Sent: Thursday, November 02, 2006 9:26 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AB Views Export/Import

Would like to build AB Views on an AD directory that stores Contacts from multiple AD Forests, export these views to a file and import them to each of the Forests. Does Joe's ADFind support this, or is there another tool someone can suggest? Many thanks, Jerry

Jerry Welch CPS Systems US/Canada: 888-666-0277 International: +1 703 827 0919 (-5 GMT) IP Phone (Skype): Jerry_Welch ( http://www.skype.net/ www.skype.net )
RE: [ActiveDir] Send As(OT)
Odd, like I said, I could easily be wrong. I will have to play with it if I can find any time. Unlikely of course, at least for the next few months.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Saturday, December 16, 2006 8:11 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Send As(OT)

Actually, it just started to work a few days ago. In Exchange, you can send as a mail-enabled group so that an email appears to be from the group (security or distribution). I think this was some weird replication/info store cache issue that for some reason took 4 days to resolve itself. Thanks

On 12/16/06, joe [EMAIL PROTECTED] wrote:

In Exchange nothing comes from the DL; it comes from the user who sent to the DL. I believe you cannot in actuality send from a DL because a DL is an alias, not a mailbox. I could easily be wrong, not being an Exchange guy, but I don't expect I am.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, December 05, 2006 6:12 PM To: activedirectory Subject: [ActiveDir] Send As(OT)

I have given a user Send As perm directly on a universal distribution group in AD. However, whenever this user selects the group from the GAL in the From: field of Outlook 2k3 and attempts to send an email as that group, he gets an error of "You do not have the permission to send the message on behalf of the specified user." The group is NOT nested in any of the AdminSDHolder protected groups. The user has been given Send As perms directly on the UDG. He is in no groups with explicit denies. I have also tried giving my account Send As perms to the group and I get the same error. I have waited over 24hrs so it's also not an info store cache/replication issue.
I'm running Exchange 2k3 SP2 with the latest hotfixes (including the Send As one) in a win2k3 forest (win2k3 FFL/DFL). Any ideas would be great. Thanks for your time.
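An added example for the Send As thread (not code from the original posts): before blaming the information store cache or replication, dump the ACEs on the group that actually carry the Send As extended right, including any explicit Deny, which wins over an Allow. The script resolves the right's GUID from the forest's Extended-Rights container instead of hard-coding it; the only assumption is that the caller passes the group's distinguished name in $ObjectDn.

```powershell
# Added example, not from the original thread. Lists who holds (or is denied)
# the Exchange 'Send As' extended right on a directory object.
# Assumption: $ObjectDn is the DN of the group or user to inspect.
param([Parameter(Mandatory = $true)][string]$ObjectDn)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext

# Look up the controlAccessRight object for Send-As and read its rightsGuid,
# so the GUID comes from this forest's schema rather than a constant.
$rights = New-Object System.DirectoryServices.DirectorySearcher
$rights.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$rights.Filter = '(&(objectClass=controlAccessRight)(cn=Send-As))'
$sendAs = [Guid]([string]$rights.FindOne().Properties['rightsguid'][0])

# ActiveDirectorySecurity for the target; psbase keeps this working on PowerShell 1.0/2.0.
$acl = ([ADSI]"LDAP://$ObjectDn").psbase.ObjectSecurity
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        # An ACE covers Send As if it names that right, or grants every extended
        # right (ObjectType empty), which GenericAll and 'All extended rights' do.
        (([int]($_.ActiveDirectoryRights -band $extendedRight)) -ne 0) -and
        ($_.ObjectType -eq $sendAs -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
        @{ Name = 'Right'; Expression = {
            if ($_.ObjectType -eq [Guid]::Empty) { 'All extended rights' } else { 'Send As' } } } |
    Format-Table -AutoSize
```

If the user is absent from the output, or appears only under a Deny ACE, the problem is in the ACL, not in the store cache; if an Allow is present and Outlook still refuses, then the cache or replication explanation is worth pursuing. The same approach audits who can impersonate any mailbox in the organisation, which is why Send As grants deserve a periodic review.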
RE: [ActiveDir] LDAP query assistance
It would be nice if there were some easy way to know when not all of the info was represented when you do the ASQ... i.e. a referral or something that gets tossed so you know that there were DNs in the attribute you were ASQ'ing that couldn't be reached. Kind of a scary aspect to using ASQ.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Monday, September 25, 2006 5:09 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] LDAP query assistance

Great answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably. As you can tell from this, and from our off-line conversation, I'm just using ASQ all the time ('cause it's great!) - sometimes it's not appropriate : ) --Paul

- Original Message - From: joe mailto:[EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, September 22, 2006 3:53 PM Subject: RE: [ActiveDir] LDAP query assistance

This unfortunately isn't going to work...

1. Global group membership is not maintained in the GC. Depending on the domain the GC you query hosts, your results will vary. If you hit a parent DC GC then you will see memberships for the parent (and Unis). If you hit a child DC GC, then you will see memberships of the child (and Unis).

2. An ASQ query will only work against objects in the linked attribute that are immediately available. Depending on whether you hit a GC port or the local LDAP port, and depending on the info present in that GC instance (see comments above), the results again could vary. The ASQ query does NOT cross DCs to return info. Again, since the global group membership of a domain is only maintained on a DC of that domain, this will only resolve part of the membership.

A couple of examples of ASQ in action...
G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
member: CN=Domain Users,CN=Users,DC=joe,DC=com

1 Objects returned

G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

2 Objects returned

Note that the member attribute of the group has 3 members but the ASQ objectclass=* query only returns 2; that is because, doing the LDAP port 389 query, the child1 object is not available. Now change that to a GC query to a GC that is a DC for joe.com and it works:

G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

3 Objects returned

But if I wanted the membership of those three global groups and tried against the same GC, you will note that the membership of the child1 domain group is not enumerated...
G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
member: CN=Domain Admins,CN=Users,DC=joe,DC=com
member: CN=administrator,CN=Users,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com

3 Objects returned

But turn it around and use a child1 GC and what do you think you get?

G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc10.child1.joe.com:3268
Directory: Windows Server 2003

0 Objects returned

That's right... nothing. That makes perfect sense correct
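An added example that does what joe's adfind output shows a single GC or ASQ query cannot do (this is added code, not joe's or Paul's): it expands a group's membership by binding each member DN to a DC of the member's own domain, derived from the DC= components of the DN, so global-group membership in child domains is read where it is actually stored. It assumes LDAP reachability to every domain in the forest and that the caller passes the group DN; the joe.com/child1.joe.com names in the comments are placeholders from the thread.

```powershell
# Added example, not from the original thread. Expands group membership across
# domains by reading each object from a DC of its own domain, never from one GC.
# Assumptions: forest-wide LDAP reachability; $GroupDn is the starting group.
param(
    [Parameter(Mandatory = $true)][string]$GroupDn,   # e.g. 'CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com'
    [switch]$Recurse                                   # also expand nested groups
)

function Get-DomainFromDn([string]$dn) {
    # 'CN=x,CN=Users,DC=child1,DC=joe,DC=com' -> 'child1.joe.com'. Splitting on
    # unescaped commas keeps RDNs such as 'CN=Doe\, John' intact.
    $dcParts = ($dn -split '(?<!\\),') | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

function Expand-GroupMembers([string]$dn, [hashtable]$seen) {
    if ($seen.ContainsKey($dn)) { return }   # nested groups can form cycles
    $seen[$dn] = $true

    # LDAP://<domain>/<dn> is a serverless bind scoped to that domain, so the
    # locator hands back a DC that holds the full 'member' attribute.
    $domain = Get-DomainFromDn $dn
    $group  = [ADSI]"LDAP://$domain/$dn"

    foreach ($m in @($group.psbase.Properties['member'])) {
        $mDomain = Get-DomainFromDn $m
        $member  = [ADSI]"LDAP://$mDomain/$m"
        # objectClass lists the inheritance chain; the last value is the concrete class
        $class = [string]($member.psbase.Properties['objectClass'] | Select-Object -Last 1)

        New-Object PSObject -Property @{ Group = $dn; Member = $m; Domain = $mDomain; Class = $class }

        if ($Recurse -and $class -eq 'group') { Expand-GroupMembers $m $seen }
    }
}

Expand-GroupMembers $GroupDn @{} | Format-Table Domain, Class, Member -AutoSize
```

Two limits to keep in mind: a 'member' attribute with more than the server's range limit (1500 values by default on Windows Server 2003) needs ranged retrieval, which this script does not do, and foreign security principals from trusted external forests will resolve to the local domain's ForeignSecurityPrincipals container rather than to the real object. For an access review, the point is the same one joe makes above: membership is authoritative only on a DC of the domain that owns the group.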
RE: [ActiveDir] running scripts via group policy using alternate accounts
It encodes, not encrypts. I am not aware of anyone cracking it and, based on the number of folks who ask me to try and unpack the encoded files to get the password back that they forgot, I would guess no one has.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Saturday, December 09, 2006 3:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] running scripts via group policy using alternate accounts

The logon script will run in the context of the user who runs it. My suggestion is that you rethink your process because this sounds like a really crappy plan that you've got. I believe Joe Richards' cpau utility on joeware.net supports some type of encryption of credentials that you could use if you must do this. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anuj Attree Sent: Saturday, December 09, 2006 2:29 AM To: activedir@mail.activedir.org Subject: [ActiveDir] running scripts via group policy using alternate accounts

Hi, Is there a way to run user logon scripts via Group Policy using alternate credentials (say domain admins)? I'm putting this question because I want to (for example) install some s/w (yes, I can use the s/w installation feature from GPMC, I know) or want to run a command which can be run only by an administrator (say ipconfig /registerdns or something else) through the script, but the user logging in should have administrator privileges to install the s/w etc., which is not the case generally. Please correct me if I'm wrong. -- Regards Anuj Attree
RE: [ActiveDir] running scripts via group policy using alternate accounts
CPAU is an EXTREMELY popular tool being used all over the world by literally hundreds of thousands of users at this point. While there are some things it cannot do, it tends to work pretty well for most stuff, especially in logon scripts, which has likely become its main use, though I know of several companies, police departments, governments, and universities that use it for automated install packages as well. I would be curious what didn't work for you; feel free to email me separately if you haven't already. joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaspreet Jolly Sent: Saturday, December 09, 2006 4:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] running scripts via group policy using alternate accounts

Anuj, I do understand what you are trying to accomplish, and I know there is no other way of doing this, so you have to get this done using login scripts only. As for joe's CPAU, I tried it some time back but unfortunately it didn't work for me. Maybe I was doing something wrong; please do give it a shot, or alternatively you can use the runas command in a script, the only problem here being that you will have to write a script which automatically passes the password to the command. You can tell the programmer to do so. Or you can use a KiXtart script which would encrypt the script containing the userid/password. You can also use paid tools like TCQRunas. I know your organization will never allow this but you should try this for your own knowledge. Regards, Jaspreet Jolly

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Saturday, December 09, 2006 1:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] running scripts via group policy using alternate accounts

The logon script will run in the context of the user who runs it.
My suggestion is that you rethink your process because this sounds like a really crappy plan that you've got. I believe Joe Richards' cpau utility on joeware.net supports some type of encryption of credentials that you could use if you must do this. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] running scripts via group policy using alternate accounts
I like psexec but I have a big problem with it in that it always installs a service on the fly. This is more intrusive than it should be or even needs to be.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris Sent: Saturday, December 09, 2006 4:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] running scripts via group policy using alternate accounts

I'd agree with Brian that this sounds like a bad idea. There are too many ways to do it right; the cheapest (free), easiest is probably to use psexec to run a script that launches your install in silent mode from a network share, under whatever context you choose. The exact way to do that depends on the install program, but you can get a lot of info from http://www.appdeploy.com/ and a few other sites. A Google search for "remote silent install <your app>" should give you some ideas.
RE: [ActiveDir] Delegate join computer to domain
Ability to create/delete does not allow join. When the machine account is precreated, have them specify the group/user who gets to do the join and that security principal will get additional ACEs added to the computer object that is created. You could also look and see what is done and grant those additional perms at the OU level and let them inherit down so they don't have to deal with it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 2:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer to domain Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero). What must I do so this security group is not subject to that check? Thanks, Ben -Original Message- From: Thompson, Elizabeth [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: 12/7/06 11:31 AM Subject: RE: [ActiveDir] Please help me Check and see if it still has the dead server listed under its the NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy. 
Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me

I have a strange problem and cannot find any solution. I used DCPromo to demote a computer. It worked OK; the domain controller was demoted. But when I use repadmin to show the other DCs' replication, it shows replication from the demoted domain controller. I didn't find anything explaining how to solve that. Where can I find it, to remove it from replication? The machine is a network computer, but replication fails with the message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
    DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
        DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
        Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
        DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
        DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
        USNs: 13018091/OU, 13018091/PU
        Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
            A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
        96 consecutive failure(s).
        Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Dept. of Operations and Infrastructure - CII.14
[EMAIL PROTECTED]
(11) 3388.8193

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] OT:What is Websence
LOL, every day I learn more and realize how much I don't know. :o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, December 08, 2006 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:What is Websence

You don't know? I thought you knew it all; this is a sad day.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 08, 2006 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence

I don't know, but I bet it deserves [OT] in the subject. :o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software-driven web filtering? Please provide some info on this.

--
Thanks,
RD
RE: [ActiveDir] Global Catalog /DNS Question
A relatively popular solution I have seen for things like this is to have some small perl script that is launched instead of the app itself; that perl script does a site-based lookup on the spot for the SRV record, tests to make sure the GC is responding, then slams that into the configuration and starts the app. That way if there is an issue, you simply restart the app and all is well.

You can also set up a CNAME that points to GCs, but if you have GCs out in sites, you will probably be setting up quite a few aliases. Then every site selects the proper alias for their site. That is seriously a pain to keep all synced up properly and is a likely place for maintenance to fall behind and cause issues unless someone automates those updates.

The problem is simply that the app isn't SRV record aware; that isn't a Microsoft thing, that is an RFC thing. Not so evolved, eh? But it is open source; someone could always quickly and easily add proper SRV lookup capability.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, December 08, 2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Global Catalog /DNS Question

Hi,

I have a mix of Windows and Linux users. Most of my Linux users use Evolution as a mail client, which needs to point to a GC for its configuration. My question is: does anyone know a way to basically round-robin a wildcard entry for those mail clients? So in case the DC/GC they're pointing to crashes, half my users won't have to re-point their clients.

Thanks in advance
- Mike
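The launcher-script approach joe describes, as an added Python example that is not code from the thread or from joeware: it queries the site-scoped _gc._tcp SRV name first and the forest-wide one as a fallback, orders candidates by RFC 2782 priority/weight, probes each one until a GC answers, and returns the host:port to write into the app's config. The forest name, site name, SRV records and in-memory resolver are constructed stand-ins; a real deployment would plug in a DNS library (such as dnspython) for `resolve`.

```python
"""Site-aware Global Catalog lookup via DNS SRV records (added example).

Not code from the thread or from joeware: a Python take on the launcher-script
idea joe describes. Query the _gc._tcp SRV record for the client's own AD site
first, the forest-wide record as fallback, order candidates per RFC 2782, probe
each until a GC answers on the GC LDAP port, and hand back host:port for the
app's configuration. Forest, site and SRV records here are constructed data.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

GC_LDAP_PORT = 3268  # Global Catalog LDAP port (3269 is GC over SSL)

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def gc_srv_names(forest: str, site: Optional[str]) -> List[str]:
    """SRV names to query, most specific first: site-scoped, then forest-wide."""
    names = []
    if site:
        names.append(f"_gc._tcp.{site}._sites.{forest}")
    names.append(f"_gc._tcp.{forest}")
    return names

def order_by_rfc2782(records: Iterable[SrvRecord],
                     rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first; weighted random pick within a priority."""
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            chosen = pool[0]                  # all weights zero: keep DNS order
            if total > 0:
                pick = rng() * total          # uniform in [0, total)
                running = 0
                for r in pool:
                    running += r.weight
                    if pick < running:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Liveness check: a refused or timed-out connect catches a crashed GC."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def find_gc(forest: str, site: Optional[str],
            resolve: Callable[[str], List[SrvRecord]],
            probe: Callable[[str, int], bool] = tcp_probe,
            rng: Callable[[], float] = random.random) -> Optional[str]:
    """'host:port' of the first responding GC, local site preferred, else None.
    resolve(name) returns the SRV records for name ([] if none); in production
    it would wrap a real DNS library such as dnspython."""
    for name in gc_srv_names(forest, site):
        for rec in order_by_rfc2782(resolve(name), rng):
            host = rec.target.rstrip(".")
            if probe(host, rec.port):
                return f"{host}:{rec.port}"
    return None

# Constructed sample zone for a stand-alone run (not real hosts).
SAMPLE_FOREST = "corp.example"
SAMPLE_SITE = "Chicago"
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    f"_gc._tcp.{SAMPLE_SITE}._sites.{SAMPLE_FOREST}": [
        SrvRecord(0, 100, GC_LDAP_PORT, f"gc1.{SAMPLE_FOREST}."),
    ],
    f"_gc._tcp.{SAMPLE_FOREST}": [
        SrvRecord(0, 100, GC_LDAP_PORT, f"gc1.{SAMPLE_FOREST}."),
        SrvRecord(0, 100, GC_LDAP_PORT, f"gc2.{SAMPLE_FOREST}."),
        SrvRecord(10, 100, GC_LDAP_PORT, f"gc-dr.{SAMPLE_FOREST}."),
    ],
}

def sample_resolve(name: str) -> List[SrvRecord]:
    """In-memory stand-in for a DNS SRV query against the constructed zone."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    # Simulate the site's own GC being down: only gc2 and the DR GC answer.
    up = {f"gc2.{SAMPLE_FOREST}", f"gc-dr.{SAMPLE_FOREST}"}
    print(find_gc(SAMPLE_FOREST, SAMPLE_SITE, sample_resolve,
                  probe=lambda h, p: h in up and p == GC_LDAP_PORT))
```

Re-running the launcher after a GC crash repeats the lookup, which is exactly the "restart the app and all is well" behaviour described above.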
RE: [ActiveDir] Quest Recovery Manager
a lot of innovation going on anymore, so it is pretty hard to make a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Does anybody know what independent rankings look like for AD DR tools?

-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

<shameless plug>
NetPro has an AD data recovery product called RestoreADmin that competes very well with the Quest product. It solves the AD object recovery problem nicely. See http://www.netpro.com/products/restoreadmin/index.cfm.
</shameless plug>

-gil

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about.

James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell: (859) 653-8644

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff. To be fair though, most of the major AD players have these tools now. The thing about the Quest (Aelita) tool was its use of their own APIs to address issues like Domain Local Groups etc. I haven't kept up with the latest versions so I am not sure what direction they have gone since 2003. The latest information I remember was that they offered you the option to use the MS API methods for recovery, or their special brew for more advanced recovery options.

Now if you put some extra effort into your query, you might get this thread nice and hot, and generate input from people like Stuart Kwan discussing supportability issues using the various recovery methods, Guido Vladimir discussing in great depth the inherent problems of group recovery, various opinions on how to use isolated sites with rubber chickens, MIIS, ADAM to reanimate deleted objects (this seems to be a favorite topic of Gil's to use to fill in spots at DEC)... did I forget anyone... hmm, maybe Robbie might take time away from work on his Fields Medal or latest cookbook to write you a Monad shell script that Joe will find a way to compile into a .exe to execute from an ADFIND query pipe.

In all seriousness though, when evaluating DR features for AD you will have a lot of things to consider, technologies being just one. The nature of the type of AD objects you want to recover and in what state should be considered (groups, GPOs, etc., attribute data). How much time do you want to dedicate to this operation? How much do you want to spend? And who will support you if the recovery operations fail or seem to cause more problems? If you are looking just to recover deleted users, the various free tools out there will do just fine.

I highly recommend that you start your DR project today by just using the good old MS backup utility at a minimum to make a MST formatted backup of the system state and data from a domain controller in each of your domains you think has the most current AD data in your organization. That pretty much guarantees you can recover every object given that you have the data in some backup.

And to all the people I mentioned above: Happy Holidays... and New Year.

Todd

-Original Message-
From: Day, James (NPS)
Sent: Wednesday, December 06, 2006 8:03 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Quest Recovery Manager

Hi James

We bought this when it was an Aelita tool and loved the product - it pretty much paid for itself in one step the second month we were using it. The product is still good, but I have nothing good to say about Quest support (but I could complain for hours about it if I am allowed to). There are a couple of other similar ones that may also be worth a look.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-354-1464
202-230-2983 (CEL)
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 12/05/2006 05:11 PM EST
Subject: [ActiveDir] Quest Recovery Manager
Please respond to [EMAIL PROTECTED]

Does anybody have anything particularly good or bad to say about Quest's Recovery Manager product? We
RE: [ActiveDir] What is Websence
I don't know, but I bet it deserves [OT] in the subject. :o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software-driven web filtering? Please provide some info on this.

--
Thanks,
RD
RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??
On the hacking, certainly. :) As for the open source code, I don't think so, but I haven't looked that closely into it. Isn't the licensing strictly on number of connections, not the use? DHCP could run without more than 10 consecutive licenses.

When you get right down to it though, I expect MSFT would be happier for people to run DHCP on XP than FreeBSD. I also think MSFT would be happier to see Open Source OS use in larger orgs versus smaller, because larger orgs are better at compartmentalizing stuff like that. A smaller company that starts using a Linux or a BSD is likely going to start moving towards that OS if they like it, as they are more apt to be homogeneous; most large companies don't really expect to be so. I have seen that happen in several smaller 1000-seat companies where Linux gets used for one thing and the next thing you know it is going out into every aspect of the business and the desktops are being replaced. Of course I have seen lots of OS-OS use in enterprise (100k+ seat) environments as well, and with that it is usually dedicated to specific functions, and people laughing when discussing doing the desktops unless they are discussing that possibility with MSFT in order to get a licensing cost break, which MSFT is only so happy to do to keep the desktops.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Saturday, December 02, 2006 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??

Which would probably be a licensing violation. :-)

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??

Yes, I believe there are at least one or two DHCP Server Open Source projects that will run on Windows XP. The Windows DHCP server won't, to my knowledge, though I would surmise it may be possible to hack a machine to do so if someone really wanted to.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, December 01, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can you run DHCP on a XP computer??

Hi all

Someone told me you can run DHCP on a computer running Windows XP. I was totally unaware of this. Does anyone have any information about this?
RE: [ActiveDir] Bulk of client going to PDC
I would recommend doing a trace of one of the problem clients logging on and watching the whole referral process, etc. Actually I would probably just turn on a sniffer and let it watch everything from one of those machines from boot up for some time so you catch refreshes and everything else. At least then you should be able to nail down whether the clients are being referred to something incorrectly or they are off making their own incorrect decisions.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, December 02, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk of client going to PDC

Yes, checked that the correct subnets are attached to the correct sites. All clients are connected via Ethernet 100/Full Duplex.

It's like a mass exodus of a swarm of computers going to the PDCe, and in turn choking the WAN links. It happened like once a day... and every day it would be a random site.

Have asked different site people to install netmon on some PCs and keep it running... on Monday... hoping that one of those sites... and in them... one of those PCs misbehaves.

Anything else I should look at?

--
Kamlesh

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

Site definitions - are your site definitions up to date?
How are your clients connected - are they ethernet, 802.11x, token ring, ??

On 12/2/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Am sorry, I didn't follow what you are asking... could you be more specific?

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

How are your clients connected? Site definitions?

On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Appreciate the efforts taken.

AFAIK, this would be more of a DFS issue than authentication, as clients are pulling policies and files from the PDCe. When I look into the details of DFS link targets for sysvol or netlogon, the PDCe is listed as 9th by distance in the list of servers which clients should contact in case their primary link target failed. And this happens so randomly, from clients, that I am not able to set up a network trace either.

--
Kamlesh

On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote:

Hi Kamlesh,

first of all, I would enable the logging of the Netlogon Service. I've found an article in WindowsITPro:

The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files?

To turn on Netlogon service logging, type the following Nltest command at the command line:

nltest /dbflag:2080

Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable Netlogon service logging, type:

nltest /dbflag:0

Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools. You can download Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en.

http://www.winnetmag.com/Files/42850/Figure_01.gif
Figure 1 shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.scv and netlogon.log-summaryout.txt.

. . .

HtH
Thomas

From: [EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, 30 November 2006 20:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk of client going to PDC

Hi Guys,

We are facing some strange issue: randomly, clients from some sites are going to the PDCe for group policy refresh, along with the screensaver and wallpaper stored in netlogon. Clients are ignoring their nearest DC and approaching the PDCe.

All DCs: Win2k3 SP1
All Clients: XP SP2

I verified:
1) DNS entries for the site DC are correct.
2) Netlogon and Sysvol folders of the site DC are accessible.
3) Verified the clients are authenticating with the site DC by: nltest.exe /sc_query:DOMAIN
4) Verified DFS info for netlogon and sysvol on clients is correct: dfsutil.exe /pktinfo

I am clueless
RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
Good post but yuck. Amazing how many issues you avoid by avoiding ADSI, WMI, CDOEXM, and the other MSFT frameworks designed to make life easier...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 02, 2006 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Let me step in here to give you some more background...

WMI is a 3-tier architecture (see the figure at http://msdn.microsoft.com/library/en-us/wmisdk/wmi/wmi_architecture.asp). The SMS client runs at the level of the client API (3) and submits the WQL query to WMI at layer 2 (Core WMI service). This query is handled by the WMI core. The WMI core looks after the class in the WQL query (i.e. Win32_Account) and locates the provider supporting it. In this case, the provider is CIMWin32, implemented by CIMWin32.DLL (I skip the explanation of how WMI does that unless someone is interested). Because the CIMWin32 provider does not support WQL query parsing and does not handle queries by itself, the WMI core takes the initiative to convert this query into a full enumeration request to the provider, meaning that the provider is actually building ALL instances of Win32_Account with all their characteristics. Once the collection is built, the WMI core receives the result set and then post-filters the enumeration set to match the WHERE clause of the WQL query, which in turn returns the result set requested by the client (SMS in this case). This is the way the WMI core works with all WMI providers not supporting WQL queries natively (I mean supporting queries at the level of the provider itself). Actually, this enumeration technique is implemented to support WQL queries even for providers not supporting WQL queries in their code by design.

A WMI provider may have many capabilities (i.e. Get, Put, enumerations, events, etc.) and one of them is to support WQL queries (which actually off-loads the WMI core from doing the job I just described). This explanation does not solve your issue here, but it gives you the explanation of the why, where the actual solution is to implement a WMI provider that natively supports WQL queries and actually performs the right SAM or LDAP queries against AD (I mean properly scoped). It would be a sort of WMI provider converting WQL queries into SAM/LDAP queries, to put it short.

This class was created way before AD existed. The presence of AD dramatically increases the number of accounts available. Although this class with this provider was working fine during the NT 4.0 time (yes, this class dates from that period), it is challenged in large AD infrastructures. Make a test with a small AD infrastructure where you have only 2000 accounts, and everything will be fine. I can bet that your AD installation is way bigger...

Now, if you use WMI a lot to query the SAM and AD and if you feel this is an area where some enhancements can be made, let me know and I will be pleased to communicate this data point to the team in charge of WMI and the team in charge of Active Directory, so we can let them know that it is an important scenario to enhance and support better. No commitments here, but I will be pleased to convey the message.

Hope this helps a bit...

PS: However, if you feel you have WMI issues, you can always use the WMI Diagnosis Tool 1.0. You can find pointers to it (+Webcast) at http://www.lissware.net. Note, we will release version 2.0 early next year.

Regards,
/Alain

Alain LISSOIR
http://www.LissWare.Net
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net

From: [EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, December 01, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Thanks Susan, but I think this case is different - we are talking about a different WMI class, and in my case the query hangs and never returns results. The ITMU issue is probably a result of intensive load on the CPU when performing the query you pointed to, but in my case if I let it run for hours it still never finishes. I am far from being well versed in WMI, but I'd suspect that here the problem is caused by WMI not using paging in the query, or very inefficient processing when using both LocalAccount=True and SidType=1 keys.

Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 01, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??
Yes, I believe there are at least one or two DHCP Server Open Source projects that will run on Windows XP. The Windows DHCP server won't, to my knowledge, though I would surmise it may be possible to hack a machine to do so if someone really wanted to.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, December 01, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can you run DHCP on a XP computer??

Hi all

Someone told me you can run DHCP on a computer running Windows XP. I was totally unaware of this. Does anyone have any information about this?
Re: [ActiveDir] Child domain for external SharePoint users
This is also a good application for federation (ADFS). It gives you the flexibility of provisioning your dealer accounts in ADAM instead of AD (which can give you a lot more flexibility in terms of how to allocate hardware) and can give you the ability to allow the dealers to log on with their own accounts if they can create a federation server on their end to provide access to their own domain resources. This may or may not be possible/desirable, but in many cases it is because you don't have to provision and manage their identities. Unfortunately, this is much more complex to implement though.

From a security perspective, though, Brian is right. If you just want to do this with AD and trusts, you should do a separate forest and do a forest trust. Otherwise, you aren't buying much in terms of real security. You might as well just put the accounts in a separate OU.

Joe K.

On 11/30/06, Group, Russ [EMAIL PROTECTED] wrote:

Hi all

We are in the process of creating a SharePoint site that external users (dealers) can access to obtain shipping information. I have the SharePoint server in my LAN with a reverse proxy appliance in the DMZ that the dealers will use to access the SharePoint server. The discussion came up about using a child domain for these dealers to authenticate to the SharePoint server. Is this an accepted practice (create a child domain for the external users)? How safe is this compared to creating a separate OU for the dealer in the parent domain?

Thank you
Russ
Re: [ActiveDir] Scaling up with AD or ADAM?
I personally don't have any experience with ADAM at big scale, but I've heard of some really large deployments. Eric might be able to share some stories. I wouldn't be concerned about the underlying technology, as it is all based on the AD core and is quite solid and mature.

I have no experience with IBM TAM, but I'd hope it can integrate with normal LDAP stores. As such, I think it should work. There probably won't be any support in the product for ADAM/AD features like fast concurrent binding that might help improve your auth performance, but that might not be a huge deal. I don't think ADFS uses that either. :)

Joe K.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

Thanks, Joe. I'll look up Eric's blog for metrics and such ASAP. :-)

I was thinking ADAM was the likely choice - just wasn't sure how much production experience folks had with it (it's still new-ish), or quite how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely came to mind. This customer has some IBM TAM kicking around, so that's another choice. Later, in either case.

Migrating users from the live directory to the archival is no big deal -- the reason we're engaged is to put our provisioning and password management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO) with ADAM? Any pointers or horror stories we should know about?

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

Visit M-Tech at the Gartner Identity and Access Management Summit: http://www.gartner.com/2_events/conferences/iam1_section.jsp
November 29 -- December 1; Las Vegas; Booth D.

Visit M-Tech at the FinSec trade show: http://www.misti.com/default.asp?Page=65&Return=70&ProductID=5305
December 4 -- 5; New York

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

On Thu, 23 Nov 2006, Joe Kaplan wrote:

That's a classic scenario for ADAM. I wouldn't use AD for that, as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to using AD.

I'm not sure how you would achieve the goal of the archival users in a separate directory, as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure.

I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store, and having federation capability gives you an easy way to link in identities from within the enterprise and also to directly use the identities of your business partners without having to maintain them in your own store. The identity lifecycle management costs of 2M+ users are not insignificant, and users would generally rather not have to get a new account in your system to use it if they can avoid it.

Just a thought... :)

Joe K.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?

Hi guys,

We're helping a customer design a large new directory, to use with an Extranet environment. We see this thing scaling up to about 2 million active users, and up to about 10 million archival users (who no longer log in, but for various business reasons need to be kept around). The active users are likely to log in every few days, and will be distributed around the globe. Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale? We're
Re: [ActiveDir] Scaling up with AD or ADAM?
That's a classic scenario for ADAM. I wouldn't use AD for that as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to use AD.

I'm not sure how you would achieve the goal of the archival users in a separate directory as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure.

I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store, and having federation capability gives you an easy way to link in identities from within the enterprise and also to directly use the identities of your business partners without having to maintain them in your own store. The identity lifecycle management costs of 2M+ users are not insignificant, and users would generally rather not have to get a new account in your system to use it if they can avoid it.

Just a thought... :)

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?

Hi guys,

We're helping a customer design a large new directory, to use with an Extranet environment. We see this thing scaling up to about 2 million active users, and up to about 10 million archival users (who no longer log in, but for various business reasons need to be kept around).

The active users are likely to log in every few days, and will be distributed around the globe. Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale? We're thinking separate directories BTW - a live one for the 2M users, and an archive one for the 10M historical records.

Would you recommend ADAM? With how many DCs if so? (The web apps would likely be hosted at a single site.) Perhaps full-fledged AD? How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Thu, 23 Nov 2006, Lee Flight wrote:

Hi

I think the problem is with

> But the user installing the ADAM instance is already member of administrators.

The ADAM answer file reader does not seem to check that; if it sees the Administrator parameter in the answer file it assumes that the user running the install is not an ADAM administrator, and as this is a unique instance installing the LDIFs will not be possible due to lack of permissions to modify the local schema. It might be possible to circumvent this using an explicit SourceUsername and SourcePassword in the answer file, but I think your workaround is more secure.

Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:

Hi

I am trying to install ADAM unattended to be used for publishing Oracle DBs. I would like to grant administrators from the local computer as ADAM administrator and I would like to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators
; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error message is that the user has to be administrator to import .ldf files. But the user installing the ADAM instance is already
RE: [ActiveDir] Question regarding active directory and restricting information
> Is this an information security risk to our company especially related to employees information?

Only you and your company can answer that question. Is it maybe just a subset of the total info - either some info for all users? All info for some users? What is bad for others to have and what isn't?

One thing I have always considered to be some level of risk is the fact that people tend to populate business phone numbers, email addresses, mail drop info, and the hierarchy of their business in their AD. Say someone within a large company like a Walmart or a Sears or Toyota or a Ford just exports that info and hands it over to someone who likes to spam people or someone looking for info on the internal structure of the company... With many of those companies you could figure out most everyone with the power to make decisions and where to find them and how to contact them with a simple AD dump...

Now that you have determined whether it is a risk or not, you have to go the next step and determine how much of a risk there is and whether it should be stopped or not, or if certain parts of it should be stopped. So you define your risk, identify it in all its gory parts, work out what is and isn't acceptable, then mitigate the parts that are unacceptable. Mitigation can range from trying to protect it with simple ACLing or obfuscation to outright removing it or using a tremendously involved cipher.

To be quite honest, blocking people from being able to read info in AD can be a bit of a pain. AD came along prior to the security lightbulb going off at MSFT, so things are pretty open as you have found, and worse, many apps sort of depend on that openness and don't really give you any info on what they actually need to function properly; they just sort of leverage ACLs that are the defaults[1].

If you truly want to lock info down, I suggest pulling the info into an alternate store, say like ADAM, which doesn't give everyone with an ID the ability to read everything by default. If you must keep the info in AD and you must lock it down, you are in for a good amount of work trying to figure out which things you can safely lock down and which things you cannot; Exchange/Outlook can be especially fun to tiptoe around. Also it is a little tough to do this generically as what you may be using or wanting to lock down may be different from someone else, and their testing may show it safe to lock down but yours could find it unsafe to lock down. If you want to do this, I would recommend taking your production environment, cloning it into a segregated lab with ALL applications that use AD and then start testing lockdown scenarios to see what breaks and go from there.

joe

[1] Exchange for example by default relies on authenticated user permissions on global catalogs for access to a great deal of data by the Exchange servers themselves. I received a considerable surprise many years ago when I ran into that, as what I had locked down resulted in Outlook blowing up horribly and regularly in the lab and Exchange not functioning quite right.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sunny
Sent: Wednesday, November 22, 2006 12:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question regarding active directory and restricting information

Hi,

I am just beginning to program ADSI. I have been following your emails and they are always very informative and detailed. I had a quick question.

I work in a financial and we have Microsoft Active Directory and users are authenticated against this. Using an ADSI browser I am able to see all domains in the ADSI forest, all users, and their information such as machine MAC address, last login, name, phone number and other office details. I can create something that can export this data out to Excel or some database.

Is this an information security risk to our company especially related to employees' information? Is there a mechanism by which we can prevent users from using ADSI browsers to extract such information from the Active Directory? Also are there any articles related to this?

I want to thank you in advance for your help.

Thanks and Regards,
Sunny

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] OT: DL is this to be expected?
Excellent news. I debated the fact that that was what happened with someone from PSS (I was holding a network trace absolutely showing it and the PSS person was going off of what he knew) for some time before they finally admitted it wasn't optimal behavior and potentially quite dangerous, especially since it is difficult to determine what rules everyone is using and there is really nothing that tells the Exchange admins what is happening when this problem hits them. If you dislike your Exchange admins, it is a great way to make them feel pain. ;o)

If you know the KB I would like to take a peek.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, November 21, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DL is this to be expected?

There is a fix for this. I'm pretty sure it's public at this point. Don't ask me the KB/patchid. It's too late on the east coast after I've already started having a few

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 21, 2006 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DL is this to be expected?

Yes actually it is if you are talking about Exchange DLs... Consider how email is marked when it comes from an Exchange DL... It isn't coming from the DL, it is coming from the user who specified the DL as an address... The DL is simply used for routing and hiding the TO: list from immediate view... It isn't like say this listserv where the messages come FROM the actual DL. If I recall correctly, Exchange actually expands the group every time it processes the rule for every single message you receive and there is no caching of that expansion...

You actually need to be quite careful with this. I reported this as a bug to MSFT some time ago as I watched a series of rules like that that about took out a very high end, high perf Exchange server that was scaled to support about 4000 users which only had about 100 on it... If you want to play with it, select some HUGE DL you have, like say an everyone in the company DL, and set up a couple of server side rules with that DL. Early last year in some testing I was able to actually cause mail delivery in a production enterprise class environment to be slowed down by hours doing that... Even if I sent a message to myself...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, November 21, 2006 4:05 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: DL is this to be expected?

Morning,

When I set up an Outlook 2003 rule to move all mails from a DL to a subfolder in my inbox, I see that all mails from this DL go into this folder no problem, but anyone who is also a member of this DL - their mail ends up in there too and not in the inbox. Is this added value?

Rule is move all mails as they arrive from DL to subfolder. No other logic.

Many thanks.

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
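The behaviour joe describes in this thread (the rule matches mail from every member because the message is stamped with the originating user rather than the DL, and the DL is re-expanded on every evaluation) is modelled below as an added Python example. It is not Exchange or Outlook code; the DL names, the addresses and the messages are constructed for the demonstration, and the cached variant is included only to make the cost of the uncached expansion visible.

```python
"""Added example (not Exchange code): a model of a server-side
"move mail from DL X to folder" rule that expands the DL on every
evaluation, as the thread describes, next to one that caches the
expansion. All names, DLs and messages are constructed."""


class Directory:
    """Constructed stand-in for DL membership held in the directory."""

    def __init__(self, groups):
        self.groups = groups      # DL name -> members (users or nested DLs)
        self.expansions = 0       # number of full expansions performed

    def expand(self, dl):
        """Return the flattened set of user addresses in a DL, nested DLs included."""
        self.expansions += 1
        members, todo, seen = set(), [dl], set()
        while todo:
            name = todo.pop()
            if name in seen:
                continue
            seen.add(name)
            for m in self.groups.get(name, ()):
                if m in self.groups:
                    todo.append(m)   # nested DL: expand it too
                else:
                    members.add(m)
        return members


class Mailbox:
    """Applies 'from DL' rules the way the thread describes: by membership."""

    def __init__(self, directory, cache_expansion=False):
        self.directory = directory
        self.cache_expansion = cache_expansion
        self._cache = {}
        self.folders = {"Inbox": []}

    def _members(self, dl):
        if not self.cache_expansion:
            return self.directory.expand(dl)       # re-expanded per message
        if dl not in self._cache:
            self._cache[dl] = self.directory.expand(dl)
        return self._cache[dl]

    def deliver(self, message, rules):
        """message: dict with 'from' and 'subject'.
        rules: list of (dl, folder) meaning 'move mail from dl to folder'.
        The DL is never the sender, so the only way the rule can match is
        by checking whether the sender is in the expanded membership."""
        for dl, folder in rules:
            if message["from"] in self._members(dl):
                self.folders.setdefault(folder, []).append(message["subject"])
                return folder
        self.folders["Inbox"].append(message["subject"])
        return "Inbox"


def run_demo(cache_expansion=False):
    """Deliver three constructed messages through one rule; returns the
    folder each landed in and how many DL expansions were needed."""
    directory = Directory({
        "all-staff": ["alice@example.test", "sales"],   # "sales" is a nested DL
        "sales": ["carol@example.test"],
    })
    mbx = Mailbox(directory, cache_expansion)
    rules = [("all-staff", "Staff")]
    messages = [
        {"from": "alice@example.test", "subject": "sent via all-staff"},
        {"from": "bob@example.test", "subject": "bob is not a member"},
        {"from": "carol@example.test", "subject": "carol mails me directly"},
    ]
    placed = [mbx.deliver(m, rules) for m in messages]
    return placed, directory.expansions


if __name__ == "__main__":
    print(run_demo())              # uncached: one expansion per message
    print(run_demo(cache_expansion=True))
```

Carol's direct mail lands in the Staff folder even though she never sent via the DL, which is the symptom Mark reports; and with the uncached model every message, including Bob's non-matching one, costs a full expansion of the DL, which is why a handful of such rules against an everyone-in-the-company DL scales with message volume times DL size.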
RE: [ActiveDir] Enterprise Domain Controllers group missing...
> It's not viewable/searchable under ADUC even with advanced features turned on

> That is an incorrect statement.

Maybe... maybe not... Unless you have actually looked at that directory instance you cannot possibly know for sure. You can expect it should follow a certain pattern you have perceived in the past, but you can't be 100% sure it is the case for every instance. I can show a bitmap right now that shows that group doesn't exist in FSPs... All that proves is that my test directory doesn't have it and your test directory does have it.

Enterprise Domain Controllers is a well known security principal; it lives initially in the configuration container with other well known security principals in the WellKnown Security Principals container. That container isn't viewable from ADUC... It doesn't become something you can view as an actual object in ADUC until it gets added to a group in a domain NC - specifically/usually the group Windows Authorization Access Group. Even if added, someone could delete it and then something has to re-add the Well Known Security Principal to a group again to get the FSP to be created and add it to the Authorization Access Group for things to be right.

Also note that if someone is looking for the name of the group, like they would with any normal regular group, that will obviously fail because the name in the domain NC is a SID, not the group name. This isn't a normal case, it is a very specific special implementation. There are special little implementation details all throughout AD that you don't know about until you actually encounter them. I would not be surprised for even experienced admins to be tripped up on this one. It isn't worth really knowing about unless you have had a reason to have to know about it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, November 22, 2006 1:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

> It's not viewable/searchable under ADUC even with advanced features turned on

That is an incorrect statement.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group, however it becomes a member of Windows
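joe's point that the principal turns up in the domain NC under its SID rather than its name is illustrated by the added Python example below; it is not code from the thread. The binary SID layout it encodes and decodes is the standard Windows one, the well-known SID S-1-5-9 for Enterprise Domain Controllers and the CN=ForeignSecurityPrincipals container are standard AD values, and the domain snapshot (DC=example,DC=com, the group object and its member attribute) is constructed for the demonstration.

```python
"""Added example (not from the thread): encode/decode Windows SIDs and show
why a name search for "Enterprise Domain Controllers" in a domain NC fails
while a SID search finds the foreign security principal (FSP)."""
import struct

# Standard well-known SIDs; S-1-5-9 is Enterprise Domain Controllers.
WELL_KNOWN_SIDS = {
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}


def sid_to_bytes(sid):
    """String SID -> binary SID: revision, sub-authority count, 6-byte
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data):
    """Binary SID -> string SID, validating the length against the count byte."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def fsp_dn(sid, domain_dn):
    """The DN an FSP gets: its CN is the SID string, not the display name."""
    return f"CN={sid},CN=ForeignSecurityPrincipals,{domain_dn}"


def constructed_domain_nc(domain_dn):
    """Constructed snapshot of the two objects that matter here: the FSP for
    S-1-5-9 and the group it has been added to (assumed to live in Builtin)."""
    fsp = fsp_dn("S-1-5-9", domain_dn)
    return {
        fsp: {"cn": "S-1-5-9", "objectClass": "foreignSecurityPrincipal",
              "objectSid": sid_to_bytes("S-1-5-9")},
        f"CN=Windows Authorization Access Group,CN=Builtin,{domain_dn}": {
            "cn": "Windows Authorization Access Group", "objectClass": "group",
            "member": [fsp]},
    }


def find_by_cn(nc, cn):
    """What a name-based search does: compare cn case-insensitively."""
    return [dn for dn, a in nc.items() if a["cn"].lower() == cn.lower()]


def find_by_sid(nc, sid):
    """What a SID-based search does: compare the binary objectSid."""
    raw = sid_to_bytes(sid)
    return [dn for dn, a in nc.items() if a.get("objectSid") == raw]


def describe(nc, dn):
    """Map an FSP back to a readable name through its SID."""
    sid = bytes_to_sid(nc[dn]["objectSid"])
    return WELL_KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    nc = constructed_domain_nc("DC=example,DC=com")
    print(find_by_cn(nc, "Enterprise Domain Controllers"))   # []
    for dn in find_by_sid(nc, "S-1-5-9"):
        print(dn, "->", describe(nc, dn))
```

The name search returns nothing because the FSP's cn is the SID string; resolving the objectSid back through the well-known table is how a tool turns CN=S-1-5-9 into a name that means something to an admin. The same decode is useful when auditing group membership, since a member DN under CN=ForeignSecurityPrincipals is only a SID until it is translated.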
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Pub time already. Phew, this day went by fast! Let's go!

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Thanks, I'll get my coat ... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: 22 November 2006 09:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Neil,

You responded to the thread where Steve already corrected himself. Read the doc you cited again. Only the EDC membership changes during the process you described. EDC itself is NOT created at this point. It is merely made a member of the newly-created Windows Authorization Access group.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

I believe SteveL may have already suggested that this group is only available post w2k, and only after the PDC in the domain has been upgraded. Further info here: http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group, however it becomes a member of Windows Authorization Access group after the PDC upgrade. You will be missing some of the other Groups and Security Principals listed in that section until the PDC is upgraded.

Thanks,
-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role it will create