RE: [ActiveDir] Delete ad object without Tombstone lifetime.
WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
If you would have come to the summit you would have gotten to find out. Dean gave his one man forest destruction show. He hit me with the concept about 15 minutes after I got off the plane which instantly put me into shock (which prepared me for Jimmy's driving actually). Later he showed it to me in action and I said, "Yep, I trusted you in the airport, can't we just forget that and I teach you perl?". Too late for you now. No soup for you.

I 125% agree with Dean on his warning but hope he doesn't explain it on the list. This isn't info that should be readily and openly distributed just like my forest destruction idea.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Friday, August 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
To clarify, I should have said deliberate misuse. Inadvertent misuse would require so many convoluted steps that it would end up being nigh on deliberate. As I mentioned earlier on, I'd like to know the original poster's reason for doing this (having been prodded by somebody else to find out).

With any luck, the nasty scenario has been mitigated by SP1 ... not tried myself as yet.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 13, 2004 8:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

If you would have come to the summit you would have gotten to find out. Dean gave his one man forest destruction show. He hit me with the concept about 15 minutes after I got off the plane which instantly put me into shock (which prepared me for Jimmy's driving actually). Later he showed it to me in action and I said, "Yep, I trusted you in the airport, can't we just forget that and I teach you perl?". Too late for you now. No soup for you.

I 125% agree with Dean on his warning but hope he doesn't explain it on the list. This isn't info that should be readily and openly distributed just like my forest destruction idea.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Friday, August 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Hmmm ... sorry about that. I would suggest giving the MS definitions of dynamic object and dynamic auxiliary class a read ... they're really pretty good.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 11:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

hahaha crud. I didn't understand one bit of that!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 11, 2004 10:36 AM
To: [EMAIL PROTECTED]; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Ah. Oh yeah. Very good very good. Dean.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 10:32 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
No apologies man. I'm still trying to learn this stuff... :) I'll earmark your post for whenever I read your suggestions.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 13, 2004 9:35 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Hmmm ... sorry about that. I would suggest giving the MS definitions of dynamic object and dynamic auxiliary class a read ... they're really pretty good.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 11:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

hahaha crud. I didn't understand one bit of that!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 11, 2004 10:36 AM
To: [EMAIL PROTECTED]; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Ah. Oh yeah. Very good very good. Dean.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 10:32 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
hahaha crud. I didn't understand one bit of that!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 11, 2004 10:36 AM
To: [EMAIL PROTECTED]; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Ah. Oh yeah. Very good very good. Dean.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 10:32 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Eww, I can't wait to see this response... Give good tech detail Dean.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 8:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstonelifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest.

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion.

Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstone lifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
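A pre-import review of an LDIF file for the dynamic objects described in the message above, as an added example that is not part of the original thread: it flags every entry carrying the dynamicObject class, checks entryTTL against the 15-minute default minimum the post quotes, and computes the resulting time of death. The function names, the two extra sample entries and the clock value are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MIN_TTL = 15 * 60  # seconds; the default minimum TTL quoted in the post

# Constructed sample: the post's foo.ldif plus an ordinary and a short-TTL entry.
SAMPLE_LDIF = """\
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901

dn: cn=permanent,dc=X
changetype: add
objectClass: contact

dn: cn=short-lived,
 dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 60
"""

def parse_ldif(text):
    """Return LDIF records as dicts of lower-cased attribute -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text):      # a blank line separates records
        rec = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                rec.setdefault(attr.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def audit_dynamic_objects(text, now):
    """List entries that will self-expire, with the computed time of death."""
    findings = []
    for rec in parse_ldif(text):
        if "dynamicobject" not in {c.lower() for c in rec.get("objectclass", [])}:
            continue
        ttl = int(rec["entryttl"][0]) if "entryttl" in rec else None  # None: server default
        expires = now + timedelta(seconds=ttl) if ttl is not None else None
        findings.append({"dn": rec["dn"][0], "ttl": ttl, "expires": expires,
                         "below_minimum": ttl is not None and ttl < MIN_TTL})
    return findings

if __name__ == "__main__":
    now = datetime(2004, 8, 11, 14, 32, tzinfo=timezone.utc)  # constructed clock
    for finding in audit_dynamic_objects(SAMPLE_LDIF, now):
        print(finding)
```

Because these entries leave no tombstone, the findings are worth recording in the change log before the import runs.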
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Ah. Oh yeah. Very good very good. Dean.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 10:32 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest.

Windows 2003's Active Directory supports two applicable LDAP features; dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. - no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object after which time it self expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances which serves to provide us the attributes we need; most prominently entryTTL. When the entry TTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion.

Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X your distinguished name here

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstone lifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex
RE: [ActiveDir] Delete ad object without Tombstone lifetime.
Following a worthy request from a colleague at Microsoft - what exactly are you trying to do?

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete object directly, without Tombstone lifetime. How can I do that?

Thanks,

Olivier BATARD, Systems Technician - Extension 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex