* DNTs (to me) are _not_ a component of the directory
IIRC they are like a (primary/foreign) key in a database. Technically not
needed by the database layer, and not needed by the application, but needed
to keep the data together for the application. So if you look at AD from the
outside it won't
Folks,
Is anyone setting wireless
configurations using the features in AD 2003? We currently use the 3-COM tool
and their proprietary security. As they have stopped supporting this we need to
move on. Thanks for any input on this.
Dave Wade
it all comes down to:
- what are you trying to protect yourself from?
- what are your procedures or tools for restoring the objects?
- what are the risks involved and potential costs for recovery?
protecting from accidental deletion of a single object is different from
trying to protect
yep, and it works quite well
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, 19 April 2006 10:29
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO
Folks,
Is anyone setting wireless
configurations using the
yep, thanks Dean - quite useful, as was the whole thread.
It's always interesting to see how much discussion a simple question
can cause :-)
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, 19 April 2006 01:18
To: Send
Hi all
I was wondering if anyone had any pointers for the following
schema upgrade scenario:
I have a single domain, single site forest with 2 DCs
Both DCs are currently running Windows 2003 RTM code without Service Pack
1 but fully patched otherwise. I've got two new IBM servers
I have a logon script which changes the description of the current user
when they logon, or rather it should do. Whenever I pop that script in
to a logon script it fails with a general access denied error.
The line it fails on is the last of these two:
objUser.Description = strMessage
1. As mentioned, Partial Attribute Set (PAS) attributes are not necessarily
indexed. These are not related in AD. However if you put something in the
PAS because you want to do searches against that attribute, you will often
see the object indexed as well.
2. Most every query that only specifies
Exactly, you can tell your AD to do it efficiently versus
trying to train everyone who writes a query that goes against AD. I mean you
want to try and train everyone because there are other bad things they can do
that you can't easily handle but this is a nice quick easy thing to do to
help.
Is that going to also address his problem?
Al
On 4/18/06, Michael B. Smith [EMAIL PROTECTED] wrote:
See Microsoft KB 327378 (Exchange 2000 and Exchange 2003 mailbox size limits are not enforced in a reasonable period of time; fix requires Exchange 2000 SP3)
From:
[EMAIL PROTECTED]
The Exchange 5.5 directory
should be listening on another port since it is running on a DC that is already
listening on 389 for AD LDAP operations.
If possible it would probably be a lot
safer and easier to build a new Exchange 2003 server and just migrate to the new
machine...if
DNTs are reusable in ESE, however AD's implementation does not allow
DNTs
to be released / reused on a single server, and the database will only
reuse them if you recreate the DB by repromoting (cause the data is
replicated from other servers into a virgin ESE, and DNTs are assigned
from the
hi guys,
is it possible to make an automatic lockout of user accounts by
inactivity, or I need a third party tool?
thanks
Myke
List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
In place of Exchange 5.5 to Exchange 2003? Check the readme, release notes and migration path scenarios again. Last I checked, that was not a supported upgrade path (2000 to 2003 is supported although not always preferred).
Al
On 4/18/06, Dan DeStefano [EMAIL PROTECTED] wrote:
We are
Inline ...
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
B. Simon-Weidner
Sent: Wednesday, April 19, 2006 2:40 AM
To: ActiveDir@mail.activedir.org
Subject:
It's possible. What's your criteria?
DSQUERY and DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net) for this task IMHO. Scripts, etc. can also be used successfully.
Al
On 4/19/06, Myke [EMAIL PROTECTED] wrote:
hi
Only way to fly, imho.
Push it all via GPO, Certs for the users and IAS Radius
Auth from our Cisco 1100 APs.
User needs wireless, I just add them to the user group that
allows them to install/request the Cert and I don't have to do anything
else.
From: [EMAIL PROTECTED]
one of the tools that could help you with that is OLDCMP from Joeware.net. But
first you need to define for yourself what the definition is of period of
inactivity and how long.
Search the archives as previous threads are available that also mention the
deprovisioning of accounts.
cheers,
Third-party.
Sincerely,
Microsoft MVP -
What happens when you run the script interactively, as opposed to within
the login script?
You can (should?) tighten the security on this...granting Self allow on
Write Description should be sufficient.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
What criteria are you using to determine that a user is inactive?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable
hi guys,
it's
Would you not disable the account instead of locking
it?
A locked account may be unlocked in time (depends upon
policy), whereas a disabled account needs admin
intervention.
my 2 penneth,
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 April 2006
You really got that to work well?
I've had great success setting it up as well, however,
I have a problem when users roam from one access point to the next. They get
dropped for a few seconds for reauthentication which is not acceptable to
most users. Are you using EAP? I would love to get
Because this is AD-Integrated, I would more likely suspect that there's a problem with one of the records or a configuration issue vs. wholesale corruption. The recommendation to remove the entire zone would flush that problem out but as you mentioned it would likely throw the baby out with the
Myke,
You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing.
We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or a
Adding indices will start you down the
slippery slope that ultimately leads to custom schema extensions. Do you like
new OIDs? :-)
Wook
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
If I run it interactively as a normal user, it fails with the same error
on the same line.
If I run it as an admin, it works.
Can I allow Write Description to SELF on an entire OU? I have hundreds
of users to mod, and I don't fancy doing each one by hand :)
-Original Message-
From:
We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they
Dear collective intelligence,
Is there any difference in functionality if you join a workstation to
a domain by specifying the old NT4 domain, as opposed to specifying
the fully qualified domain?
Eg - adding a machine to CORPDOM, rather than corporatedomain.com ?
Cheers,
--
AdamT
A: Because
AD Gurus,
I am trying to create a script that adds TS accounts for W2K AD domain.
I have tried eolwtscom and wts_admin.dll with no luck.
I am looking for something like this below but this one
only works in 2003 server.
Ok - thinking over it it's understandable that IFM does not touch DNTs but
rather uses the backup as default dit to start from. Obviously you are not
creating a default dit and open up a second dit to do a local sync. How are
you handling server specific settings? Delete/change those right at the
Try
editing the extraColumns attribute on the default-Display object, adding the
property of your choosing as follows:
LDAP name,display name,default visibility,pixel width,0
IIRC, the trailing 0 is reserved and must be 0 for now.
...
highlighting the Saved Query in question and selecting
With all access points set as root with WEP and MAC.
The ol' way... (I know, I know). We have a very stingy app that will drop
you like a hot potato with even the slightest drop in network. We are also using
the Cisco Aironet client utilities on all machines. Seems if I don't use the
The ADC is set to use port 38900 and the
LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server
level it is set to use 389 (when I change this, mail stops flowing). Regardless,
when I try connecting in ADC tools to the Ex5.5 box it fails on either port.
I am trying
I am not trying to upgrade from Ex5.5 to
Ex2k3, but rather from Ex5.5 to Ex2k, then, from Ex2k to Ex2k3.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006
10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Quick Question,
I was teaching a class the other day when the question came up about
what group scope should you use for delegated permissions of an OU. I
was teaching an earlier class where I explained how to use Domain Local
Groups on Files Shares and Printers to centralize management of these
I missed the part about the ADC then. :)
Try the event log - what do you see at startup of the machine? If you connect to tcp 389 of that machine, what answers? (try LDP and just connect - you should see what you're looking for there.) Until you can connect to the Exchange directory via LDAP,
In general, I would make the decision based on who needed to be allowed
access and who needed to control that access.
Assuming that you want to have a point of control to be in the domain
where the OU and groups are, then here's what I'd do.
Admins can only be from the same domain as the OU: use
I think the rationale for using domain local groups is that memberships
can be from outside the domain and this group only exists for purposes
within the domain of origin. The way I see it DLGs can act as a
poor-person's role-based security model and, as you point out, be used to
reduce the ACLs
Would this help?
http://marcusoh.blogspot.com/2006/04/misc-enabling-terminal-services.html#links
Teo
On 4/19/06, Adeel Ansari [EMAIL PROTECTED] wrote:
AD Gurus,
I am trying to create a script that adds TS accounts for W2K AD domain. I have tried eolwtscom and wts_admin.dll with no luck.
I am
I have noticed what appears to be an anomaly in the way that adminSDHolder
is applying object permissions and was wondering if anybody else has seen
something similar or has a workaround.
We want our internal helpdesk staff to be able to unlock any user's account,
even privileged accounts that are
LOL. You're right, it is often advisable to disable first. I got caught up in the moment ;)
Myke, there was a long conversation about such things a few months ago. You might want to search the archives to see what was said and see if you agree about what it says and suggests.
An additional
Hm... that's exactly what I was planning to do,
and did do about 2 hours ago, but am a little surprised to find it hasn't
worked (waited for repl). Here you can see my edits [
"joeware automatic update service" hasn't kicked in on my machine yet :-)
]
I'm not sure how many pixels these things
If you look through the archives, you will find links to external blogs
documenting this behavior and how to overcome it.
Sincerely,
Still, there is nothing automatic natively in the OS to let him do this.
Policy or no policy, he is looking at external intervention - third-party or
a roll-your-own. Rolling his own may be burdensome because now he has to
account for the number of ways an account can be active without necessarily
OK, so
the 1st trailing 0 says "don't show by default" ... which I assume is what you
want on the default displaySpecifier. You may also find it useful to know
that when these columns do appear, they have a habit of initially being 0 pixels
wide so you have to go dragging column widths
Hi Richard,
You can change the settings by delegating write access to lockoutTime on the
adminSDHolder-Object in the system container. After doing that your helpdesk
will be able to unlock any administrative account anywhere in the domain.
For more information query my blog for adminSdHolder or
I'm curious, how would you show activity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account
Whoops... I should have clarified two items,
sorry.
1 - What surprised me was that these three new
"extras" don't even show up in the "available columns" dialog to select
them!
2 - I haven't tested a "Saved Query" view
yet. I figured that since this was default I would just pick any OU or
None. This is where the policy/process element comes in. You know which of
your accounts are Service accounts and which of your users are on vacation.
You do a periodic query of your lastlogon/timestamp, you filter out your
services accounts and your vacationing users from the list, send emails to
Ahhh... I thought you were alluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)
Yes, I agree, process and policy need to govern activity, not just what the directory reports. :)
Thanks,
Jef
Subject: RE: [ActiveDir] automatic account disable Date:
Peter Johnson wrote:
Hi all
I was wondering if anyone had any pointers for the following schema
upgrade scenario:
I have a single domain, single site forest with 2 DCs. Both DCs are
currently running Windows 2003 RTM code without Service Pack 1 but fully
patched otherwise. I've
I can connect and bind successfully to the
ex5.5 machine from the new ws2k3 machine using the domain admin account and the
service account and via both ports: 389 and 38900.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006
Which directory answers though? They don't both answer on both ports do they?
On 4/19/06, Dan DeStefano [EMAIL PROTECTED] wrote:
I can connect and bind successfully to the ex5.5 machine from the new ws2k3 machine using the domain admin account and the service account and via both ports: 389
Email? Hmm...
I'm going to assume that's a generality, right? :)
On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
None. This is where the policy/process element comes in. You know which of your accounts are Service accounts and which of your users are on vacation.
You do a periodic query of
It's only been that one. Okay,
maybe one other that was indexed, but that was because a very large network/voip
vendor that required a schema extension subsequently used one of these
attributes in all of their queries. In a large implementation (which they
clearly had never seen) the query