Title: [ActiveDir] maxPwdAge property on AD2003
I have an interesting observation about this one. If by
default your MaxPwd policy is set to 42 days, then you will get (using
the LDAP) 0 for LowPart and -8640 for High Part. If you change your
MaxPwd policy to something else (ex. 45 days), then
Title: [ActiveDir] maxPwdAge property on AD2003
That's exactly the situation. Thank
you very much!! :)
Rich
From: Matja Ladava [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 5:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] maxPwdAge property on AD2003
Jef,
Thank you very much for your reply. Your thought is really pointing me to
a closer track now.
Nope, I have not done ageallrecords. If I am reading you right, it
sounds like in addition to turning on the aging/scavenging at dns level, zone
level, I also need to do ageallrecords to
Beginning of Time.. At least our Calendar. You can safely ignore it. It
means that the records haven't been stamped with a time stamp yet.
Todd
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 3:35 PM
To: [EMAIL PROTECTED]
I came across something strange while dealing with a write operation against
the AD. It appears we have a web form that opens a session to the AD to
write changes to the AD. If a change happens when the session closes, it
appears to drop the changes and never make them. Is this a common issue
Can't find anything on this and wondered if anyone has
a solution. I'm using subinacl to change permissions on a registry key in
a script. The problem is that by default the key has Inherit Permissions checked,
which seems to negate the change. Is there a way I can
1. programmatically
Title: Message
Dsrevoke is a command-line tool that can be used on domain
controllers that are running Windows Server 2003 or Windows 2000 Server to
report the existence of all permissions for a specific user or group on a set of
OUs in a domain and optionally remove from the DACLs of a set
I run into this all the time. I am in a
large enterprise 400+ DCs and we have one or more machines a day that
have various issues. I know for me sometimes to save time I use \forceremoval and then:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q216498
The clean its a LONG
Ok, I have now run the dnscmd /ageallrecords in one reverse lookup zone.
With this command, I see the time stamp on each record under this zone
has been changed to today's date. But my question is still not answered.
The Timestamp for the zone (at zone aging/scavenging property page) is
Title: Message
Interesting - I'd start looking around for the AD
Delegation WhitePaper, as that was one of the tools that came with that bad
boy. It's either out, or very close.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West
Turns out that the DCs we sent out
were Service Pack 4 and the rest of our DCs are SP3. SP4 does not like Single-Layer
DNS names so the DC in question needed a registry hack to fix the problem
Here is the KB link:
Sandy,
Sorry for no Reply...
The Scavenge date will be on the Zone properties. The TS on the record tells the zone
that the record is available to be scavenged. So if the Scavenge date on the record
is greater than the date for the zone, it will be scavenged.
So If the Scavenge date on
Sandy,
I just re-read that... it's the ZONE that doesn't have a TS on it, eh?
Hmm... you could try changing the Server scavenging period, then changing it back.
Is this an Integrated zone or a standalone?
I'm curious about its details. Would you mind posting a ZoneInfo output for that
Jef,
Thank you very much for taking time to detail the flow of aging and
scavenging.
So If the Scavenge date on the zone is 11-14-2003, it will be available
to be scavenged on that date/time.
--- this has been my problem. The zone can be scavenged after is still
showing 01/7/1601 but my
Title: Message
Ohhh yea!
Joe
Pelle
Systems Analyst
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI
48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
Title: Message
Does DSREVOKE work for the registry as
well??
Al
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] New Tool... DSREVOKE.
Dsrevoke is a command-line tool that can be used on domain
Title: Message
Exch 2k, SP3 on Win
2K SP3 plus patches and hotfixes.
I am completing a
migration from Exch 55. I had to remove an errant 3rd-party connector using
ADSIEdit. The connector was successfully removed, but I caused a greater problem
in the process. I can no longer view the
A computer consultant in a remote dept decided to promote his member server
to a DC without telling anyone in advance. Since the dept was part of the
default first site, that is where the DC was placed. Not good. Users started
authenticating across the WAN. I created a site for that dept, linked
Cindy,
Verify the Subnet data is replicated, and then trigger the KCC (repadmin /kcc
server or in Replmon)
You can just delete the connection that was created by the KCC, and when it runs again
it will add them if needed.
If you moved it to a new site, and you created the proper site-link,
We are moving to AD in January. We currently have two
domains. One domain has exchange 5.5 and most of the user accounts, the
other has the rest of the user accounts.
We will be using an empty root domain for political
reasons. Once we have our basic upgrade completed we are going to
Return Receipt
Your document: [ActiveDir] cleanup AD connections after move server to different site