WARNING - I'd like to point out to you that misuse
of this feature can entirely (and nigh on irrecoverably) destroy a forest
Details please?
Thanks,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED
hs or more
- groups with no
members
- GPOs that aren't linked
- etc.
I'm sure there are many others people can think of.
Robbie Allen
http://www.rallenhome.com/
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL P
Title: Re: [ActiveDir] Redirecting Comps
I tried this as well a while back and it didn't work for me
on W2K.
Robbie Allen
http://www.rallenhome.com/
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 11, 2004 5:26 PM
To: [EMAIL PROTECTED
That was me. That and the Joeware trucker hat.
:-P
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 09, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question
You said you bought the
On a similar note, if you are interested in the latest industry news on AD
and directory services, the latest AD-related downloads from MS, and don't
mind some general observations from me, you might want to check out my
Active Directory blog:
http://www.rallenhome.com/blog/adcookbook/
Robbie
://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
(rallen)
Sent: Thursday, April 15, 2004 8:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
On a related note, I'm working on a VBScript to Perl code converter.
Input some VBScript code and output the (roughly) equivalent Perl code.
I just started a couple of weeks ago, but should have something in a
month or so if anyone is interested.
Robbie Allen
http://www.rallenhome.com
Depends on what you want to do. As far as allowing Linux clients to
authenticate against AD, SFU doesn't do everything. The solutions guide
is ok, but don't give it to any of your Linux/UNIX people to read ;-)
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From
FYI, lastKnownParent is not supported on W2K.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Darren Mar-Elia
Sent: Tuesday, January 20, 2004 9:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How
You can find a bunch of Perl Net::LDAP examples here:
http://www.rallenhome.com/books/managingenterprisead/code.html
And the cookbook code page has a lot of Perl ADSI examples:
http://www.rallenhome.com/books/adcookbook/code.html
Let me know if you have any questions.
Robbie Allen
W2K3AD does single instance store of security
descriptors which can save a lot of space over W2K AD.
Robbie Allen
http://www.rallenhome.com/
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 8:51 AM
To
I wrote an article about this topic a few weeks ago:
http://www.oreillynet.com/pub/a/network/2003/11/18/activedir_ckbk.html
There was a fair amount of discussion (at the end of the article) so I
asked O'Reilly to host the poll.
Robbie Allen
http://www.rallenhome.com/
-Original Message
knowledge there is no way to limit the number of LDAP queries per
second. The best you can do is monitor the number of LDAP queries per
second (available from Perfmon). It is also good to monitor
expensive/inefficient queries (see recipe 15.8).
Robbie Allen
http://www.rallenhome.com/
-Original
still). That would
be unfortunate if it isn't supported.
Robbie Allen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil
Kirkpatrick
Sent: Thursday, December 11, 2003 5:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack
Neither that I recall. CPU was around 30-40%. In my experience it is
not uncommon to see occasional LDAP errors when the CPU reaches that
level on DCs (at least with W2K).
Robbie Allen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil
:-)
Regards,
Robbie Allen
http://www.rallenhome.com/
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
er a bunch of users. You'd be better off parsing the
distinguished name of the user. There are some functions in IADsTools that
can help with this if you are interested in that.
Robbie Allen
http://www.rallenhome.com/
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Forward your code and I'll take a look.
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Oliver Marshall
Sent: Friday, December 05, 2003 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
The problem is the KB article, not you Mark. The
userAccountControl attribute isn't updated when the password expires. Same
for the lockout flag.
Regards.
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/
From: [EMAIL PROTECTED]
[mailto:[EMAIL
As long as this is on the intranet and you restrict the IPs that can perform
zone transfers, there should be no security problems. That's not to say
your security team can't invent a problem :-)
Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook
a search that returns all matching results and a search that only returns a
subset.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Patrick Gelin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] About
not work if you use a
sufficiently long expiration period?
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Marcus Oh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 29, 2003 8:54 PM
To: [EMAIL
through the MOF files.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS WMI Provider
And don't even think about the bugs
. Thanks for the nudge Todd.
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: DiBias, Chip [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook
BindView is in for the first
http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory
All I did was comment out the lines that set userAccountControl and put a note
about why it isn't necessary to set it.
Thanks!
Robbie Allen
-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 3:35 PM
To: [EMAIL PROTECTED]
S
Keep the feedback coming
Regards,
Robbie Allen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory
suggests a recipe I include in the next edition.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory
forest root domain name with ext or external. This is a prime example of a
best practice that many people swear by, but I doubt will ever be
justified.
Just my $.02 :-)
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent
.
dhcpobjs.dll isn't supported and from what I heard it was only accidentally put
in the W2K Res Kit. It has a lot of problems regardless. Shelling
out to netsh (ugh) is the best option at this point from a scripting
perspective.
Robbie Allen
http://www.rallenhome.com/
-Original Message
The MS SFU 3.0 team also refused to provide LDIF files for their schema
extensions. Microsoft really needs to set the example here. Most people
are worried enough about extending the schema and when you can't even get
the LDIF files it only exacerbates the situation.
Robbie Allen
http
/books/adcookbook/toc.html
Here is a sample chapter:
http://www.oreilly.com/catalog/activedckbk/chapter/ch08.pdf
I'm taking requests for the next edition and for any suggestions I include
I'll be sure to mention the requestor in the acknowledgements :-)
Regards,
Robbie Allen
-Original Message
'-
Let me know if you were looking for something different or have any
questions.
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 12:26 PM
To: [EMAIL PROTECTED
. We have over 400 sites and 90 DCs and replication problems have
been the least of our worries.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 6:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
is a Perl one-liner...
D:\> perl -MWin32::OLE -le "print Win32::OLE->new('IADsTools.DCFunctions')->TranslateNT4ToDN($ARGV[0],'',1,0)" AMERLOCAL\rallen
CN=rallen,CN=Users,DC=amer,DC=local
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Roger Seielstad [mailto:[EMAIL
After setting password complexity, it only applies when a password is changed (or
initially set when a user is created). It does not impact users that are
currently using non-complex passwords.
Regards,
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Thommes, Micha
questions.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Clarence Heier [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 8:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password expiation Script
I need a script that will find users accounts where
Come over to the 'Dark Side' with VB.NET. It's nice and
warm here *looks at the fires of hell*.
Come on guys, why go to VB.NET when you can get most of the benefits of a
compiled language and a whole lot more in a lot fewer lines with Perl!
muaahh...Muaahh...MUUAAAHH
:-)
Robbie Allen
FWIW, there are a couple other methods for tracking change in AD, but the
uSNChanged method Joe described is probably your best bet.
Here is more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/overview_of_change_tracking_techniques.asp
Robbie Allen
http
Late September or early October. The content is pretty much done now except
for some final tech reviews (you know who you are :), but O'Reilly needs a
full three months with it because it is going to be a 650-750 page book.
Robbie Allen
http://www.rallenhome.com/
-Original Message
)
- To all DCs that are replica servers for a particular app partition.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 2:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Replication
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robbie Allen
Sent: Monday, June 16, 2003 12:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Updating pwdLastSet
Actually you can set the pwdLastSet attribute to 0 (to force a password
change at next logon) or -1 to disable
Yeah, I like those joeware tools too :-) He even does Perl!
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 1:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing
While we are on the off-topic topic, is there a similar alias to activedir.org, except
for Win Server 2003 sys admin stuff (besides the microsoft newslists)?
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Charles Oppermann [mailto:[EMAIL
Agreed, I've never had any problems using the W2K3 tools against W2K AD.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE
), not
for native access control in AD.
Here is more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManRoles.asp
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 9:52
/searching_with_activex_data_objects_ado.asp
But I'm not aware of a way to do it when using a GetObject call.
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 3:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADSI
multiple attributes at once if you want (separated by dashes).
You need to set the schemaIDGUID when you create the object.
Don't you love LDIF! :-) I actually kinda like it, but I may just be used
to it. Check out the LDIF RFC 2849 for more details.
Robbie Allen
http://www.rallenhome.com
Not sure about a new API to restore deleted objects, but there is a procedure
you can follow to do it. It is outlined here:
http://msdn.microsoft.com/library/default.asp?url=
Robbie Allen
http://www.rallenhome.com/
-Original Message-
From: [EM
It is called adprep...
http://www.microsoft.com/technet/treeview/default.asp?url=
-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]]
Sent: 19 December, 2002 17:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] /domainprep and /forestprep
: Function ldap_search completed with an elapsed time of 20
ms.
And of course you can always deny certain clients from querying AD by
setting the IP Deny List (via ntdsutil), but I doubt that is what you had in
mind.
Robbie Allen
-Original Message-
From: Isham, Alan A [mailto:[EMAIL
they are considering for the
next release of AD (after .NET). I'm not sure what it would look like, but
I believe Stuart said they were thinking it would be file-based.
Robbie Allen
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 3:49 AM
To: [EMAIL
increase the size of the DIT, especially over time, but I think it would be cool
to have as an option ;-) And yes some of this can be done with the dirsync
control and change notifications, but it would be nice if it was stored directly
in AD.
Robbie Allen
-Original Message-
From
provider on .NET is very solid and exactly what we've been
needing as far as a DNS API for the Windows DNS server.
Robbie Allen
-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 2:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Create
or monthly
basis. You can customize it to find inactive computers x number of months
old.
You could modify the script to directly delete the inactive computer
accounts, but when dealing with 60,000 computer objects, I'm a little
paranoid :-)
Robbie Allen
Burns, Clyde [EMAIL PROTECTED]
Sent
a pretty good overview of TLS (URL may break):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/transport_layer_security_tls_protocol.asp
Robbie Allen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Frank Ooms
The 'distinguishedName' attribute is present on all objects, which can be
used to query or retrieve the DN. Have you tried that?
Robbie Allen
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 10:22 AM
To: '[EMAIL PROTECTED
Isolated environment meaning no contact with a DNS server? Most people are
trying to get away from NetBEUI these days. Could you setup DNS on the W2K
server? It is pretty low overhead.
Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services
hese options can be customized to some extent,
but I haven't seen any documentation on it.
Robbie Allen
Cisco Systems Enterprise Management
Coauthor of "Managing Enterprise Active Directory Services"
-Original Message-
From: Ken Rinehart [mailto:[EMAIL PROTECTED]]
Sent
as a NOS-only directory and not a true competitor to Sun or
Novell in the app space.
Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services
-Original Message-
From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18
Why is that an issue for running just a generic LDAP directory? You can
still do standard LDAP binds against it and each directory has its own way
for securing resources.
Robbie Allen
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002
directory into one. The two are
largely not compatible in terms of requirements (e.g. multi-domain vs flat).
Robbie Allen
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New AD
nearly as much with
the Net::LDAP perl module.
Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services
-Original Message-
From: Joanna Days [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 2:09 PM
To: [EMAIL PROTECTED]
Subject
of
experiences we have to share.
More information available at:
http://www.netpro.com/welcome/directoryexperts
Robbie Allen
When are there anything but DCs defined under a site (i.e. server object)?
-Original Message-
From: Steve Judd [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 19, 2001 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List all Dc's in a site
Do a
So when/why would that ever happen?
-Original Message-
From: Steve Judd [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List all Dc's in a site
Nothing stops you from creating server objects in