Re: [ActiveDir] Adding users to local Admin group

2005-10-14 Thread Paul Williams
Doesn't matter. Computer policy is computer policy. You can also simply link the GPO to the domain and filter it based on another security group - one that simply holds the computer accounts in question. Here's an article on what you want to do: --

Re: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-14 Thread Paul Williams
I believe the _msdcs sub domain is Microsoft/Windows only. Non-Windows clients will use _ldap._tcp.domain-name or _ldap._tcp.site-name._sites.domain-name. - Original Message - From: Almeida Pinto, Jorge de [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org;

Re: [ActiveDir] security problem

2005-10-16 Thread Paul Williams
Logon as an administrator and take ownership of the drive. Then grant adequate permissions again. Reinstalling Windows will obviously fix it, but is a drastic measure. - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, October 16, 2005 5:43

Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Paul Williams
Yep. Me too. - Original Message - From: Al Mulnick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, October 16, 2005 6:38 PM Subject: RE: [ActiveDir] Knowing when users were deleted. I'd be interested to see that argument as well, Brett. -Original

Re: [ActiveDir] Query out all user members in nested groups

2005-11-25 Thread Paul Williams
I believe Joe's memberOf tool is what you are looking for: -- http://joeware.net/win/free/tools/memberof.htm

Re: [ActiveDir] Quest Migration Manager (OT)

2005-11-25 Thread Paul Williams
They're being rebranded anyway. I believe the DS guys at the summit said IIFP will become Active Directory Meta Directory Services. Not sure if MIIS' name will change. Certificates and AD as we know it are all going to be rebranded, in what would appear to be a much more meaningful set of

Re: [ActiveDir] Forest Trusts Accessing Resources

2005-11-25 Thread Paul Williams
I always do it this way: -- Global group in source contains user objects. -- Domain Local in target is assigned permissions to resource. -- Global group is a member of the domain local. Throwing universal groups into this mix is just silly. Also, bear in mind there will

Re: [ActiveDir] AD Schema Attribute

2005-11-30 Thread Paul Williams
It's a good way of preparing management for what you want at the Christmas party. We also put quantity in there! - Original Message - From: Dean Wells [EMAIL PROTECTED] To: Send - AD mailing list [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 2:29 AM Subject: RE: [ActiveDir]

Re: [ActiveDir] AD Schema Attribute

2005-11-30 Thread Paul Williams
Uhh..hmmm! You're British, not American! Don't forget about Wales! Cardiff has been on the news quite a bit - there's been that much drunken violence... - Original Message - From: [EMAIL PROTECTED] To:

Re: [ActiveDir] Interesting events of note in the log files [in that SBS box that has the 'corrupted' file

2005-12-04 Thread Paul Williams
Is there any way to have these log files save things not by size, but by day to ensure that tracking between the logs can be done? [I'm pretty sure the answer is no, and the only thing we can do is bump the size of those logs but I thought I'd ask the blonde question anyway] Yes. There are a

Re: [ActiveDir] Obsolete Domain groups

2005-12-04 Thread Paul Williams
Only when it was last modified. Groups don't have passwords or the like. Objects that have a group as an ACE in their ACL don't need to speak to the group about it at all. So you'd have to search for old groups by modified date. Or you could dump all groups, their locations and modified

Re: [ActiveDir] Delegate disable/enable user accounts

2005-12-06 Thread Paul Williams
WP on the user object's userAccountControl attribute.

[ActiveDir] NETLOGON.DNS

2006-01-26 Thread Paul Williams
Morning all, If we delete the NETLOGON.DNS file and restart NETLOGON it is recreated. Where is it (NETLOGON) getting those values from? Tell me it's not hard-coded and I can modify it somehow. Thanks, --Paul

Re: [ActiveDir] NETLOGON.DNS

2006-01-26 Thread Paul Williams
file? I hope I make sense?? Regards David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: 26 Jan 2006 9:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NETLOGON.DNS Morning all, If we delete the NETLOGON.DNS file and restart

Re: [ActiveDir] DNS vs NETBIOS name? Or something else?

2006-02-02 Thread Paul Williams
What are the options in the Winlogon box? You should only have the choice of the NetBIOS domain name or the local box (and any trusted domains). To use the DNS name you need to use a UPN. --Paul - Original Message - From: Douglas M. Long [EMAIL PROTECTED] To:

Re: [ActiveDir] R2 Schema..

2006-04-03 Thread Paul Williams
If you're running 2003 then I don't believe you need to run /DOMAINPREP. That's only to do what it does for 2k domains. So it's just /FORESTPREP. - Original Message - From: Brian Desmond To: ActiveDir@mail.activedir.org Sent: Monday, April 03, 2006 4:01 PM

Re: [ActiveDir] Rights for Authorizing DHCP Server

2006-07-11 Thread Paul Williams
You don't even need full control (an error in Microsoft's documentation if you ask me). You just need create and delete dHCPClass objects in that container. You need to do this via ADSIEDIT, DSACLS, LDP or code. Note. If I remember correctly, some of the behaviour changed between 2k and

Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

2006-07-11 Thread Paul Williams
You might also want to review this interesting white paper: -- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en (that took me ages to find so please read it ;-) --Paul

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Paul Williams
Couple of points. Most have probably been covered, or read by you: Clearly label the NICs, e.g. LAN00 and BACKUP00. Adjust the binding order so that LAN00 is above BACKUP00. If you don't require NetBT, disable it on BACKUP00 (BackupExec will

Re: [ActiveDir] Planning for the future

2006-07-13 Thread Paul Williams
If you create a new domain in your forest for this requirement, and in the future they are bought by another company, then your only supported option is to migrate to the new or existing forest on the other side. It is probably easier, and safer, to create a new forest with an external trust.

Re: [ActiveDir] SFTP with AD Auth

2006-07-13 Thread Paul Williams
The last place I worked, we used WinSSH for this purpose. Trivial to set up and cheap (about $100/£65). This allows you to tunnel FTP and use Windows auth. There's also additional options to allow some additional access control, e.g. only specific groups can use the tunnel, etc. If I

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches. --Paul - Original Message - From: Freddy HARTONO [EMAIL PROTECTED] To:

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
corruption issues (Taken from the Directory Services Blueprint - page 29) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, July 13, 2006 13:50 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Multihomed Domain

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Paul Williams
I can't see how you can get a duplicate NDNC as the creation of such objects is targeted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used well-known GUIDs

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-17 Thread Paul Williams
Nice answer Steve. Thanks for the info. and the KB. - Original Message - From: Steve Linehan To: ActiveDir@mail.activedir.org Sent: Friday, July 14, 2006 7:41 PM Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS

Re: [ActiveDir] Virtual DCs

2006-07-20 Thread Paul Williams
Agree. Due to the number of servers some of our guys have to look at virtualisation. I've said a flat no to the DCs though. We're standardising on x64 with 32 GB RAM for our DCs. There's no way we're going to take a perf hit because someone much further up the chain wants fewer boxes. I

Re: [ActiveDir] Virtual DCs

2006-07-20 Thread Paul Williams
The problem with this is delegating the ability to support the remote systems. Possible of course - web-based admin of the VM, and all that, but usually a pain. And if done wrong... --Paul - Original Message - From: Matt Hargraves To: ActiveDir@mail.activedir.org

Re: [ActiveDir] OT: Domain List

2006-07-20 Thread Paul Williams
Are you talking about having Options minimised by default and educating users to logon with UPN or domain\samaccountname syntax or are you talking about actually modifying the list built by Winlogon? There's probably a number of options. As Tony says you can modify the list of domains

Re: [ActiveDir] Rights Required to Rename Computer Objects

2006-07-20 Thread Paul Williams
Write all properties is overkill! Joe'll go wild when he sees that that is written in the MSFT delegation guide... :P I believe you require: WRITE_PROP for name and cn. Summarised, you're modifying the RDN. --Paul - Original Message - From: O'Brien, Cathy To:

Re: [ActiveDir] Different (open)LDAP Question

2006-08-02 Thread Paul Williams
Check out Ryan's take on it... -- http://dunnry.com/blog/msDsUserAccountControlComputedNotSoSpiffy.aspx --Paul - Original Message - From: David Aragon [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, August 01, 2006 11:49 PM Subject: [ActiveDir] Different (open)LDAP

Re: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Paul Williams
Yeah, I'm in the same boat now. Got a requirement for fully autonomous DC deployment with a largish DIT. Single domain forest so everything is GC. I was frustrated to find out that one of the scripting guys told me that that option didn't work. I plan on working round this by promoting the

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Paul Williams
I've done this a couple of times, but on the exchange gateway servers, not on an SBS box. I've never seen SBS. Anyway, the easiest way to do this is to create a second virtual SMTP server and set it to listen on port 26 (and send on 25). Configure the first virtual server to send on 26 (its

Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Paul Williams
I've never seen SBS, but my younger brother has just started a new job (first one since leaving Uni) and bought a new server and it came with SBS. When he built it it appeared he had no choice but to make it a DC, even though he only wanted it as a member server - there's already an SBS box

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ah nice, you got there before me with a better answer! :P I'm poking around in there now, as I'm in a similar position to Neil at the mo'. Question: Can I provide schema.ini as an argument to the promotion or unattended or

Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread Paul Williams
See kb216498 for the info. on the NTDSUTIL cleanup. Basically you need to perform a metadata, DNS and FRS cleanup. That KB details all the necessary steps. You'd determine the IP address of the workgroup by the 1B and 1C records registered for that name. The domain master browser is

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Just for fun, I'll respond with an answer that says nothing but simply illustrates your point! - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, August 03, 2006 2:10 PM

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ha ha. (I don't actually speak Welsh. A friend of mine translated my English sentence into Welsh for that witty reply). - Original Message - From: Dean Wells To: Send - AD mailing list Sent:

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
"Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy nag adlewyrchu dy bwynt!" = "Just for fun, I'll respond with an answer that says nothing but simply illustrates your point." - Original Message -

Re: [ActiveDir] Exchange attributes..

2006-08-03 Thread Paul Williams
You simply need to install the Exchange Admin tools on the system on which you want these tabs. Therefore, in your case, you should install them on your computer and possibly on a DC or two too (depending on how you work). --Paul - Original Message - From: HBooGz To:

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
schema.ini would qualify as very not supported ... -B On Thu, 3 Aug 2006, Paul Williams wrote: Setting FFL=2 automatically when building first DC in forest. It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
in forest Touching schema.ini would qualify as very not supported ... -B On Thu, 3 Aug 2006, Paul Williams wrote: Setting FFL=2 automatically when building first DC in forest. It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading

Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread Paul Williams
If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info. Otherwise, you

Re: [ActiveDir] Moving Sysvol.

2006-08-08 Thread Paul Williams
Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See: -- http://support.microsoft.com/?id=842162 However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving

Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread Paul Williams
I believe, from a past conversation, that disabling hyper-threading on bridgehead servers with lots of inbound connections, i.e. in enterprise deployments, should be *considered* as the replication queue has two parallel threads per processor, core or hyper-threading processor as the system

Re: [ActiveDir] Moving Sysvol.

2006-08-08 Thread Paul Williams
I believe the school of thought here is that the person has write access to the same volume as the DIT, which means he/she can easily perform DoS attacks, etc. by filling up the disk. I agree it's unlikely, but there you go. Take the [real] examples of where people with write access to

Re: [ActiveDir] Moving Sysvol.

2006-08-08 Thread Paul Williams
Yeah, I'm not disagreeing with what you and Darren say. In fact, I mostly agree. I'm just working in a high security environment where every detail is scrutinised and extra care needs to be taken with everything. I've always been one of these people that try and look at both sides of the

Re: [ActiveDir] UPPER case for username

2006-08-09 Thread Paul Williams
I've not tested this (just hashed it up as I read your post, so there's probably going to be some syntax errors, etc. --please test first). But here's a quick and dirty vbscript that should change all uppercase accounts to lowercase. set oConn=createObject("ADODB.Connection") set

Re: [ActiveDir] Weak AD passwords

2006-08-09 Thread Paul Williams
L0phtCrack was purchased by Symantec and is now sold as an enterprise security product. It's called LC5, I believe, but has recently been discontinued (after Symantec stopped selling it to people outside of North America) and support runs out at the end of the year. Which is a

Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams
I just whipped up this vbscript to get you started. I don't have time to provide a more detailed breakdown as that involves a little extra thought, but this should point you in the right direction... Save, for example, as c:\count.vbs and run, from CMD, like so: cscript c:\count.vbs

Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams
Ha ha. That's why my post says to run using CSCRIPT. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Thursday, August 10, 2006 2:31 PM Subject: RE: [ActiveDir] machine GP load I tried it out, I was hitting

Re: [ActiveDir] Restoring RID

2006-08-14 Thread Paul Williams
Restore it as you would any other DC. The documentation that you refer to is either out of date, or incorrect. The DS will invalidate the current RID pool when you restore and request a new one from the RID master (itself) which should be the same value as it was when it went down (if the

Re: [ActiveDir] fRSMemberReference - NTFRS

2006-08-14 Thread Paul Williams
Which object are you trying to modify the fRSMemberReference attribute on? You need to modify that attribute on the nTFRSSubscriber object called CN=Domain System Volume (SYSVOL) which is located in the CN=NTFRS Subscriptions container underneath the computer object for the DC. You do not

Re: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-08-14 Thread Paul Williams
Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Friday, July 14, 2006 6:33 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Always point a DC with DNS installed

Re: [ActiveDir] ADFind Query

2006-08-15 Thread Paul Williams
Yeah right! Our customers still have hundreds of NT 4 boxes... I saw some (three) production 3.51 boxes four months ago... --Paul - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, August 15, 2006 2:34 AM Subject: RE: [ActiveDir] ADFind

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
Not quite. You need to escape the comma like so: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) --Paul - Original Message - From: Matheesha Weerasinghe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, August 14, 2006 8:46 PM Subject: Re:

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams
You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter: (&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*)) I've not read the whole thread, so can't discuss whether or not this is the best way to do what you

Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Paul Williams
I'm not in a position to test whether this is a forest-wide or domain-wide principal. However, when you can't find something you think should be there, you should search the GC. I've seen numerous people have issues with a user or group not existing only to find it's in a parent domain.

Re: [ActiveDir] FSMO roles split, patch question.

2006-08-17 Thread Paul Williams
Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-) If you have a documented process that goes through the proper change control, then there shouldn't be any reason to do

Re: [ActiveDir] FSMO roles split, patch question.

2006-08-17 Thread Paul Williams
I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Paul Williams
http://connect.microsoft.com/ --Paul - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, August 17, 2006 4:35 PM Subject: [ActiveDir] [OT] Longhorn Beta Outside of my MSDN account is there a preferred way to

Re: [ActiveDir] [OT] Longhorn Beta

2006-08-18 Thread Paul Williams
environment to create a Longhorn DC. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, August 17, 2006 10:01 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [OT] Longhorn Beta http

Re: [ActiveDir] Problem in AD

2006-08-24 Thread Paul Williams
Then your problem is likely a DNS issue. Ensure that all clients are pointing to at least two DCs. Ensure that your DCs are pointing to at least two as well, as they're also DNS clients. --Paul - Original Message - From: Pankaj Verma [EMAIL PROTECTED] To:

Re: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Paul Williams
If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain. If you

Re: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Paul Williams
Probably because it's a secondary server. Check to see if that IP is hosting a secondary copy of the zone. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 10:04 PM Subject: RE: [ActiveDir]

Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Paul Williams
Not much that you can do other than filter out the replication errors from your monitoring solution, so that calls aren't needlessly raised. A couple of days won't cause you any issues. Just ensure that everything is replicating and talking properly when things come back online. --Paul

Re: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Paul Williams
If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1]. If that isn't a DC, look at the KB mentioned by Steve and I. I've seen a bunch of XP workstations registering in DNS in the past. --Paul [1] Assuming of course that you don't have a

Re: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Paul Williams
be sure to drink my first coffee of the day _before_ replying in the future! --Paul (No I didn't spot the error; I was notified offline ;-) - Original Message - From: Paul Williams To: ActiveDir@mail.activedir.org Sent: Tuesday, August 29, 2006 10:43 AM Subject: Re

Re: [ActiveDir] Completely OT: Maroons

2006-09-04 Thread Paul Williams
Posh! I prefer browns myself. Well, actually, reds... --Paul - Original Message - From: Mark Parris [EMAIL PROTECTED] To: ActiveDir.org ActiveDir@mail.activedir.org Sent: Monday, September 04, 2006 4:30 PM Subject: Re: [ActiveDir] Completely OT: Maroons The only notes I use are

Re: [ActiveDir] Rid Master

2006-09-04 Thread Paul Williams
Google RID FSMO for the functions of the RID master. Many people, including myself [1], have documented this. This info. is easily findable on the big wild web. As for how to view the RID of a user object, there are several ways. An easy way is to download ADFIND (www.joeware.net) and type

Re: [ActiveDir] Rid Master recovery

2006-09-05 Thread Paul Williams
Use NTDSUTIL to seize the role(s) - kb255504. Follow the steps in kb216498 to clean AD (metadata and FRS objects) and DNS. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, September 05, 2006 1:02 PM

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams
PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams
Pressed send before I finished typing! :( Following on from the last mail: you can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
check the password length. Andrew Fidel "Paul Williams" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/07/2006 07:35 AM Please respond to ActiveDir@mail.act

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams
Yeah, I think I saw your post last night. Mail was taking 70 minutes to come through last night. It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512. Which means that it is more than likely the password, or lack of, was set when the

Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Paul Williams
If the permissions are being reset it is the result of DSPROP. Google adminSDHolder or look at this: -- http://www.msresource.net/content/view/38/46/ The reason this is happening is because these users are members (directly or indirectly) of groups considered protected, e.g.

Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? Any

Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
But it's possible that someone changed this policy, created the account, and changed it back. I've done this myself (several times for service accounts to avoid [HP] protect tool's obfuscation process). It might not even have been intentional. One admin could have messed with the policy

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams
Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why). I've tried to document this here: --

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams
_summary.shtml Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml - Original Message - From: Paul Williams To: ActiveDir@mail.activedir.org Sent: Monday, September 11, 2006 7:06 PM Subject: Re: [ActiveDir] S

Re: [ActiveDir] dsget error

2006-09-13 Thread Paul Williams
It must be some kind of issue with the DS* tools. I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with uac of 546) and it would die every

[ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams
I can't get too specific about the requirements, so please don't ask ;-) I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer). Basically, consider this: you have an internal domain

Re: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams
You know ITIL. It's all guidelines and advice, etc. It's not hands on processes for you (or if it is, I slept through all that). We obviously have a structured process for testing additions. My question is more around technically implementing such a process, with minimal intervention,

Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams
Not really, as it's now 512 and can't get to that state without a password meeting complexity. --Paul - Original Message - From: Akomolafe, Deji To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 4:52 AM Subject: RE: [ActiveDir] Strange

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Paul Williams
Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book, Designing and Deploying Directory and Security Services. Obviously it doesn't spell out how to do this (it doesn't even allude to how this is done) but it does emphasise when and when not to go

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams
I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t - you need to grant create and

Re: [ActiveDir] need help

2006-09-15 Thread Paul Williams
Look into the Win32_Service class for info. on how to view and manage services via script. Or, if you fancy calling EXEs and not handling everything in code, use the SC.EXE tool. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
Lucky you :) I'm in an environment where we're doing this now, and I'm not happy with how it's being done (I think we can be even more secure ;-), which means I've accidentally volunteered to re-look at it all for the next iteration of the design cycle... (bollocks) --Paul -

Re: [ActiveDir] Strange password issue

2006-09-17 Thread Paul Williams
No worries. It's a big thread that has spawned several different threads of discussion. --Paul - Original Message - From: Akomolafe, Deji To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 5:32 PM Subject: RE: [ActiveDir] Strange password

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
especially if the layer-8 issues are not resolved up front. Al On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote: Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
DAs got nothing to do with it. It makes it easier, but this can be done by someone without any account at all. --Paul - Original Message - From: Bernard, Aric [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 10:33 PM

Re: [ActiveDir] different version of R2 available?

2006-09-21 Thread Paul Williams
When we spoke with the PM out in Redmond it was said that the feature that allows you to copy a file on one replica and that file get made up on another with very little replication traffic, e.g. a comparison taken on the local source and then only the deltas replicated (just like the rest

Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Paul Williams
It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT). Note. It doesn't use all three

Re: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Paul Williams
We populate this on user creation because we use provisioning systems (bespoke stuff that was written for the project(s)). For some of our smaller customers, there were scripts that were run to populate this stuff. Initially a bulk import, followed by monthly updates or ad hoc updates via the

Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

2006-09-21 Thread Paul Williams
Joe, How is the DS calculating these values? The reason I ask is I've always found it to be way off. For example, take a look at the following output against one of my ADAM instances: D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f

Re: [ActiveDir] LDAP query assistance

2006-09-22 Thread Paul Williams
Something like this, against a GC: (|(&(objectCategory=person)(memberOf=dn of group 01))(&(objectCategory=person)(memberOf=dn of group 02))(&(objectCategory=person)(memberOf=dn of group 03))) You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an

Re: [ActiveDir] ADFS and certs

2006-09-25 Thread Paul Williams
Perhaps Tomasz and I should blog about this more for now. :) Yeah, you guys do that please! This looks like it's taking off, and some of it is a real black art for some infrastructure people... --Paul - Original Message - From: Joe Kaplan [EMAIL PROTECTED] To:

Re: [ActiveDir] LDAP query assistance

2006-09-25 Thread Paul Williams
Great answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably. As you can tell from this, and from our off-line conversation, I'm just using ASQ all the

Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

2006-10-04 Thread Paul Williams
I assume you mean NetPro Directory Analyser? I've not done much with any, but we've got NetPro Directory Troubleshooter here and from what I've seen of it, it doesn't compare with Quest's SOAD as it does more proactive, task oriented stuff. I've not seen NetPro's analyser. Quest's SOAD is
