Re: FW: [ActiveDir] Repadmin error message

2006-04-18 Thread adriaoramos
We have many lingering objects in our domain (we have a main domain and 18 subdomains), Microsoft's support detected that. I am trying to rehost information from a good server (GC) to another that has wrong information. I have already done that last year because we had the same

[ActiveDir] lockout account

2006-04-18 Thread Tom Kern
How can you programmatically lockout an account? Do I have to manipulate the userAccountControl attribute or lockoutTime attrib? Can you just do this using Adsiedit.msc or LDP.exe as well? Just curious. Thanks

RE: [ActiveDir] lockout account

2006-04-18 Thread neil.ruston
When testing, I simply use a "net use" command and provide the correct userID but wrong pw. Repeat until the account locks. Simple but effective :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: 18 April 2006 14:31 To: activedirectory Subject:

Re: [ActiveDir] lockout account

2006-04-18 Thread Tom Kern
I guess what I want to know is what attrib you can set to just lock it out... Thanks On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: When testing, I simply use a net use command and provide the correct userID but wrong pw. Repeat until the account locks. Simple but effective :) neil

Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-04-18 Thread Danny
On 4/17/06, Al Mulnick [EMAIL PROTECTED] wrote: When you talk about deleting and such are you thinking about the newsgroups posts like this one: http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-05/msg00245.html ??? Yes, along those lines. But, the zone

RE: [ActiveDir] Exchange rights slow to become available

2006-04-18 Thread Navroz Shariff
Seems to be a replication issue. You could manually force replication to your DC(s) and member servers using the active directory sites and services. -Shariff From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, April 17, 2006 9:30 PM To:

RE: [ActiveDir] Time Service Errors

2006-04-18 Thread Feigin, Andrew
After you run the below command to set the registry and restart the time service, it fails the time service advertising: w32tm /config /syncfromflags:domhier /manualpeerlist:pdc /reliable:yes If you use the below with /reliable:no stating it is NOT a reliable time source, it works

RE: [ActiveDir] Exchange rights slow to become available

2006-04-18 Thread Michael B. Smith
See Microsoft KB 327378 (Exchange 2000 and Exchange 2003 mailbox size limits are not enforced in a reasonable period of time; fix requires Exchange 2000 SP3) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Egbert Sent: Monday, April 17, 2006 6:50 PM To:

[ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
All, could someone please explain how Non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set? Thanks M@ List info :

[ActiveDir] any experiences with PassFilt Pro software?

2006-04-18 Thread Thommes, Michael M.
Anybody out there have any experience with the PassFilt Pro software by Altus Networks Solutions, Inc.? TIA, Mike Thommes List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] lockout account

2006-04-18 Thread Brian Desmond
You can try setting the lockout bit (below) on userAccountControl but I'm nearly positive only the system can set that bit. What is your end goal/why are you trying to do this? ADS_UF_LOCKOUT: The account is currently locked out. ADS_UF_LOCKOUT = 16, // 0x10 Thanks, Brian Desmond

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Brian Desmond
Not sure I understand the question fully, but no, objectClass is not indexed. objectCategory is. So if you want to get all users you do: (&(objectCategory=person)(objectClass=user)) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL

[ActiveDir] NT 3.51 trust verification lies

2006-04-18 Thread Douglas M. Long
Anyone experience the following NT 3.51 to 2000 Native mode trust Nltest validates the trust GUI validates the trust Cannot enumerate users of 3.51 domain from domainA Can enumerate users of 3.51 from another 2000 native mode domain... domainB Trust no longer validates to domainA after about 30

Re: [ActiveDir] lockout account

2006-04-18 Thread Tom Kern
Only the system can change that. Just curiosity. No real reason. I was just interested that if you wanted to lockout an account for testing purposes, you could do it with a script or manipulating an attrib instead of making ldap or net use calls with bad passwords. Thanks a lot for all your

Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
Thanks for the reply. In that case why does adfind -schema -f (objectclass=attributeschema)(ismemberofpartialattributeset=T RUE) ldapdisplayname -list return objectclass among the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write

Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
sorry that was meant to be adfind -schema -f (objectclass=attributeschema)(ismemberofpartialattributeset=T RUE) ldapdisplayname -list On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: Thanks for the reply. In that case why does adfind -schema -f

Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
bummer! I meant adfind -schema -f (objectclass=attributeschema)(ismemberofpartialattributeset=TRUE) ldapdisplayname -list On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: sorry that was meant to be adfind -schema -f (objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Darren Mar-Elia
I think you are confusing indexed with "is in the global catalog". They are not synonymous. You can have one without the other just fine. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Tuesday, April 18, 2006 11:14 AM To:

RE: [ActiveDir] NT 3.51 trust verification lies

2006-04-18 Thread deji
You are kidding, right? Please say yes. 3.51 You work in a museum or something? :) Sincerely,

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Brian Desmond
No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database. Thanks, Brian Desmond [EMAIL

RE: [ActiveDir] NT 3.51 trust verification lies

2006-04-18 Thread Douglas M. Long
Lol. Yeah, I am serious. Probably over 20 3.51 domains. Part of a migration project -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 18, 2006 2:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NT 3.51

RE: [ActiveDir] NT 3.51 trust verification lies

2006-04-18 Thread deji
Man, you sure are brave :) Anywhoo, I was going to suggest that you whip out the trusty lmhosts magic file and see if that helps you. That used to solve a lot of trust and resolution issues for us in those days. But then I read that DomainB has no beef with the 3.51. So, I don't know what to

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Lee, Wook
I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Marcus.Oh
I did the same after I saw some of the activedir folks post about doing it :) :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL

[ActiveDir] Tombstone attributes

2006-04-18 Thread Steele, Aaron [BSD] - ADM
Hi there all, Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go and update my schema to enable

Re: [ActiveDir] Tombstone attributes

2006-04-18 Thread Tomasz Onyszko
Steele, Aaron [BSD] - ADM wrote: Hi there all, Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go

Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
Thanks all for the clarification! M@ On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I did the same after I saw some of the activedir folks post about doing it… :) :m:dsm:cci:mvp| marcusoh.blogspot.com

RE: [ActiveDir] Tombstone attributes

2006-04-18 Thread Almeida Pinto, Jorge de
In addition to what Tomasz said... How objects are deleted / tombstoned (simplified!) * The isDeleted attribute is set to TRUE (which marks the object as a tombstone - an object that has been deleted but not fully removed from the directory). * The relative distinguished name (RDN) of the

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Jef Kazimer
It seems like an obvious idea to implement. Sad we never thought about it. :) Has anyone done any tests to reveal what performance gains this yields on queries? Thanks, Jef Subject: RE: [ActiveDir] stupid ldap queries Date: Tue, 18 Apr 2006 17:03:35 -0400 From: [EMAIL PROTECTED] To:

RE: [ActiveDir] Tombstone attributes

2006-04-18 Thread Ulf B. Simon-Weidner
Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to

Re: [ActiveDir] Tombstone attributes

2006-04-18 Thread Tomasz Onyszko
Ulf B. Simon-Weidner wrote: Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was

RE: [ActiveDir] Tombstone attributes

2006-04-18 Thread Ulf B. Simon-Weidner
Agreed - as I said I'd put procedures in place to protect user account passwords, but would use tombstones to ease computer account restores. Ulf |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko |Sent: Wednesday, April 19, 2006 12:43

RE: [ActiveDir] User Accounts

2006-04-18 Thread Dean Wells
Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is - * DNTs (to me) are _not_ a component of the directory - they _are_ a component of the layer that bridges the two

[ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano
I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests. My current

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Brian Desmond
Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools? You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano
Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account. I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Brian Desmond
Why are you doing this interim upgrade when your end goal is a 2k3 native environment? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano Sent: Tuesday, April 18, 2006 9:05 PM To:

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano
We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server. From: [EMAIL

RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Marcus.Oh
It'd be the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot. :m:dsm:cci:mvp| marcusoh.blogspot.com