RE: [ActiveDir] Quiet? DEC? Related?

[Jimmy Andersson]

I can only say that I really wanted to be there, glad you all had a great
time! I will try to be there the next time, if work allows it...

Joe/Deano - sounds like I missed a great session! 

/Jimmy the Swede


Jimmy Andersson, Principal Advisor - Q Advice AB 
 Microsoft MVP - Directory Services  Security
--- www.qadvice.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Saturday, April 01, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

I think he may have been there with us, as I believe the force may be strong
in him: as in keeping with Joe2D2, Dean3PO, Gil’bacca and Princess Horr-hay
- Deji is an anagram of Jedi

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: 01 April 2006 07:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Definitely a huge thanks to everyone for making this an awesome first DEC
for me!  It was great matching up faces to the email addresses I see daily.
The DR, Security and Interopt sessions were a couple of my favorites.  The
DJ show was awesome!

For those not able to attend this year, make it a priority next year.  I was
told I could take a class this quarter...I've taken enough AD and Exchange
classes over the years so I chose to attend DEC because of the praise given
to it by the folks on this list.  It was well worth the trip...didn't hurt
that red 9 kept hitting either ;-)

So the only mystery left is where was Deji?

Cheers,
Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Absolutely. Very entertained. 

I had a near permanent smile from the point I directed a question to Stuart
asking him where he was from so I could give him a copy of AD3E. The funny
part was him thinking I was trying to set him up for something... As soon as
I saw him in the audience I intended on giving him a copy to say thanks from
all of us for the work he has done on this stuff and his lack of failure in
listening to our feedback. The way it all played out though was great and
added to the fun.

To those who sadly didn't attend we gave out copies of Active Directory
Third Edition to folks who were answering questions we tossed out into the
open. I said the next question is for Stuart alone and said 

Stuart, where are you from? 

knowing that most of the folks in the audience would know exactly where he
was from having seen his keynote abt Identity Management I figured
most people would yell it out so I said it was just for him. His response
was priceless... Now or originally?  The audience howled. Great fun.

  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

That's cool. I can go with that. As long as you're entertained. Let's just
say it's not my kind of entertainment, unlike the joe and Dean show. Hey,
joe and Dean, aren't you the guys who sing Little Old Lady From Pasadena?
Or was that Little Old Attr Caused PAS Expansion? :)

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Well it really depends on their attitude. What Guido I did wasn't gambling
though I stated it as such previously. Wee were being entertained. You don't
really gamble when you play the slots, you have no control over the outcome.
If someone goes in thinking they will walk away with more money than they
started with, I would argue they should not be doing it at all. I personally
figure out how much money I am spending on entertainment and then spend it
be it on slots, meals, drinks, or cool little rubber duckies at the hotel
airport. 

Thinking that way, I lost $0 as well, though I spent about $500 on
entertainment. Best money spent IMO.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

I've always thought that gambling in general was a tax on those who don't
understand probability by those who do understand brain chemistry. I lost
$0. Though it was sometimes fun watching other people support the Las Vegas
economy. What's lost in Lost Wages stays in Lost Wages. :)

Wook

-Original Message-
From: [EMAIL

RE: [ActiveDir] Adding drives to restrict drives policy

[Jimmy Andersson]

If memory serves
You must edit the HideDrives value. 

This is how you calculate the HideDrives value: 
The registry key that this policy effects uses a decimal number which 
corresponds to a 26 bit binary string, with each bit representing a drive 
letter: 

11 
ZYXWVUTSRQPONMLKJIHGFEDCBA 

The above configuration corresponds to 67108863 and will hide all drives. If

you only want to hide the drives: A, C, D, E, F, H and T you would do this: 

0010001001 
ZYXWVUTSRQPONMLKJIHGFEDCBA 

This would be 524477 in decimal number and hide the drives A, C, D, E, F, H 
and T. This is the value that you type in as the NoDrives Value in the 
policy template. 

If you want to edit the system.adm template, remember that you have to edit 
the .adm file on multiple places: 

POLICY !!NoDrives 
POLICY !!NoViewOnDrive 
...and don't forget to edit the corresponding value in the [strings] 
section. 

Regards,

/Jimmy

 
Jimmy Andersson, Principal Advisor - Q Advice AB 
 Microsoft MVP - Directory Services  Security 
--- www.qadvice.com  

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, December 23, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding drives to restrict drives policy


You are right about the system.adm file 
 
take a look at 
 
http://support.microsoft.com/kb/q231289/
http://support.microsoft.com/kb/q231289/ 
Using Group Policy Objects to hide specified drives in My Computer
for Windows 2000
 
You need to find out the Hexidecimal value for the drives you want
to hide
 
You can find the hex values here:
 
http://www.sd61.bc.ca/windows2000/HideDrives.htm
 
Hope this helps
 
Mike

 
On 12/23/05, Matt Johnson [EMAIL PROTECTED] wrote: 

I would like to restrict more drives than just A, B, C, D
via group
policy. However, I don't want to restrict access to all of
them. I 
know that I probably have to modify the system.adm file to
add more
drives. I wish I knew where to go from there. Any help would
be
greatly appreciated.

The drives by the way I want to restrict access to is
A,B,C,D,L. 

Thanks in advance.
--
Matt Johnson
[EMAIL PROTECTED]

Subtle and insubstantial, the expert leaves no trace;
divinely
mysterious, he is inaudible. Thus he is the master of his
enemy's 
fate. -Sun Tzu




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Very OT: Please Settle a Bet

[Jimmy Andersson]

wasn't it 16-bit loaded with highmem in dos? 
;)

/The Swede
-  Jimmy Andersson, Q Advice 
AB  Principal 
Advisor Microsoft MVP - Directory Services 
-- www.qadvice.com 
-- 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean 
WellsSent: Friday, February 11, 2005 11:01 PMTo: Send - AD 
mailing listSubject: RE: [ActiveDir] Very OT: Please Settle a 
Bet

32 bit 
cooperatively multitasked if memory serves ...but it might not 
;)
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dan 
DeStefanoSent: Friday, February 11, 2005 4:54 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Very OT: Please 
Settle a Bet


Could anyone settle a bet for me? I 
would like to know if Windows 95 was a 16 or 32-bit OS. One of us is saying that 
it was natively 32-bit, but ran 16-bit apps in a VM, while the other one is 
saying the reverse: it was a 16-bit OS that was capable of running 32-bit apps 
in a VM.

Also, one person is saying that W95 
required DOS (like Win3.1.1) and the other is saying that, while built on DOS, 
DOS was not required and the OS went above and beyond its DOS 
roots.

If anyone can settle these issues 
and offer proof like links to Web pages and such, we would be 
grateful.

_

Daniel 
DeStefano
PC Support 
Specialist

IAG 
Research
345 Park Avenue 
South, 12th 
Floor
New 
York, NY 10010
T. 
212.871.5262
F. 
212.871.5300

www.iagr.net
Measuring Ad Effectiveness on 
Television

The information contained 
in this communication is confidential, may be privileged and is intended for the 
exclusive use of the above named addressee(s). If you are not the intended 
recipient(s), you are expressly prohibited from copying, distributing, 
disseminating, or in any other way using any of the information contained within 
this communication. If you have received this communication in error, please 
contact the sender by telephone 212.871.5262 or by response via 
e-mail.

RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

[Jimmy Andersson]

I've been somewhere in time... As usual ;)

/The Swede


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.
 
And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.
 
While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a paraller sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

[Jimmy Andersson]

LOL! :P

/J 


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Jimmy always sees his shadow around this time - Summit must be around the
corner :-p
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 2/9/2005 6:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor



Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
-- www.qadvice.com --





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a paraller sec group for that.

Yours, Sakari






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor
   
   

  Hi, 

clipclipclip

Regards,
Jorge

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] PDC emulator in Native mode

[Jimmy Andersson]

Well, for one thing it will handle account lockouts due to 
the PDC chaining operation.

Regards,
/Jimmy
-  Jimmy Andersson, Q Advice 
AB  Principal 
Advisor Microsoft MVP - Directory Services 
-- www.qadvice.com 
-- 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
ManjeetSent: Wednesday, February 09, 2005 4:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] PDC emulator in 
Native mode

Hi,

What happened to the PDC Emulator Role if we move from mixed mode to native 
mode.

Is the PDC Emulator is required in Native mode... ?

and if required then what will it do and what changes in the 
functional behaviour of it ?


Best-
Manjeet


Do you Yahoo!?Yahoo! Search presents - Jib 
Jab's 'Second Term'

RE: [ActiveDir] How to restrict access to event viewer

[Jimmy Andersson]

Do you mean that you want to control permissions on the 
different logs within Event Viewer?
If so, it's absolutely possible if you change the SDDL in 
the Registry, however you need to write a customized GPO template to push them 
out to the servers unless you want to manually edit each server's 
Registry.

Regards,
/Jimmy
- Jimmy 
Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Thursday, July 22, 2004 3:47 
PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] How 
to restrict access to event viewerSensitivity: 
Private

Hy, 
 
Can you share you experiences about how to restrict access to event viewer to 
only onegroup ? local and remote access ?

Thks.

AVISO LEGAL:Esta informacion es privada y confidencial y 
esta dirigida unicamente a su destinatario. Si usted no es el destinatario 
original de este mensaje y por este medio pudo acceder a dicha informacion por 
favor elimine el mensaje. La distribucion o copia de este mensaje esta 
estrictamente prohibida. Esta comunicacion es solo para propositos de 
informacion y no debe ser considerada como propuesta, aceptacion ni como una 
declaracion de voluntad oficial de REPSOL YPF S.A. y/o subsidiarias y/o 
afiliadas. La transmision de e-mails no garantiza que el correo electronico sea 
seguro o libre de error. Por consiguiente, no manifestamos que esta informacion 
sea completa o precisa. Toda informacion esta sujeta a alterarse sin previo 
aviso.This information is private and confidential and intended for the 
recipient only. If you are not the intended recipient of this message you are 
hereby notified that any review, disseminastribution or copying of this message 
is strictly prohibited. This communication is for information purposes only and 
shall not be regarded neither as a proposal, acceptance nor as a statement of 
will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or 
affiliates. Email transmission cannot be guaranteed to be secure or error-free. 
Therefore, we do not represent that this information is complete or accurate and 
it should not be relied upon as such. All information is subject to change 
without notice. 

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

[Jimmy Andersson]

True, I typed without thinking (or rather reading closely...) I just saw PAS
and typed away a canned answer... I must go on a break and clear my
head g

/Jimmy 


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 12:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and
sub-domain

first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case here
for the directReports attribute = it is not a replicated attribute at all
(neither cross domain nor within the same domain), as only forward links
(here the manager attribute) get replicated between DC/GCs.  

Instead, the backlink attributes are processed locally on each DC when it
receives the forward-link (e.g. a user object's manager attribute) and
creates the link between the two respective AD objects via an entry in the
local link table on the DC/GC.


However, the forward-link will only replicate to DCs hosting the respective
naming context. And for attributes (even forward links), which are also in
the PAS (configured to replicate to the GC), this means that the information
is also replicated to GCs from another domain(s), hosting a read-only
partition of the source domain (of an object with a forward link). And the
GCs will then again create the respective backlink locally, when making the
entry in the linktable, even for cross-domain links.

For the given manager/directReport example this means that a user's manager
attribute is only replicated to DCs of the same domain and to GCs in the
forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports information on
a DC of a manager's domain, if this DC is not a GC. 


So here, the DC for titi.com used to lookup the directReports attribute
usertiti must have been a GC, while the DC of toto.titi.com used to
lookup the directReports attribute usertoto
must have been just a normal DC.


This is not to be confused with Phantom Records (which are updated via the
Infrastructure Master): as the directReports attribute is not the replicated
attribute, it is also not updated or replicated as a phantom record via the
IM.  
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside the own domain. As Dean
perfectly described, the IM is then responsible to sync changes to the
linked object over time (renames, deletes etc.), but it would not update any
backlinks.


As a sidenote on the replication of the manager/directReports links you
should realize, that if you do leverage these accross domains in a forest
and you accidentally delete a manager (with direct-reports in various
domains) whom you must then authoritatively restore in AD, the links to the
manager's directReports are NOT recovered with the manager... (same issue as
with memberships in Universal Groups or Domain Local groups in other Domains
of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Donnerstag, 10. Juni 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and
sub-domain

 If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and
sub-domain

The manager attribute is replicated between GCs as part of the Partial
Attribute Set.  The directReports attribute isn't.  Whether you see it or
not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Wrom: BLVLMHAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSNBO
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user
usertiti on domain titi.com and a user usertoto on domain
toto.titi.com.
I set usertiti as manager

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

[Jimmy Andersson]

 If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and
sub-domain

The manager attribute is replicated between GCs as part of the Partial
Attribute Set.  The directReports attribute isn't.  Whether you see it or
not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Wrom: BLVLMHAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSNBO
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user
usertiti on domain titi.com and a user usertoto on domain
toto.titi.com.
I set usertiti as manager of usertoto and usertoto as manager of
usertiti. 
When I look a the usertoto and usertiti entries in the directories, I
have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at
usertiti !

Why ? Is it normal or is it a replication problem ?

Thanks in advance for your answers...


Solange Desseignes


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 





Sent via the WebMail system at mail.activedir.org


 
   
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] logon scripts

[Jimmy Andersson]

Sober? What's that??? 
:)

/Jimmy


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger 
SeielstadSent: Tuesday, April 13, 2004 6:22 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] logon 
scripts

To quote Tony Murray-Smith - "I'm still trying to get used to being 
sober"

-- 
Roger D. Seielstad - MTS MCSE 
MS-MVP Sr. Systems 
Administrator Inovis Inc. 


  
  
  From: deji Agba [mailto:[EMAIL PROTECTED] Sent: 
  Tuesday, April 13, 2004 11:11 AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] logon 
  scripts
  
  
  What can I say? I'm still 
  jet-lagged, I guess :)
  
  Thanks for the pointer.
  
  
  
  
  Sincerely,Dèjì Akómöláfé, 
  MCSE MCSA MCP+I
  Microsoft MVP - 
  Active 
  Directorywww.akomolafe.comwww.iyaburo.comDo you 
  now realize that Today is the Tomorrow you were worried about Yesterday? 
  -anon
  
  
  From: Roger SeielstadSent: Tue 
  4/13/2004 6:24 AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] logon 
  scripts
  
  Except Deji forgets one important piece of information (which is rare 
  for him) - VBScript doesn't natively run on Win9x. It requires a separate 
  install of Windows Scripting Host.
  
  -- 
  Roger D. Seielstad - MTS MCSE 
  MS-MVP Sr. 
  Systems Administrator Inovis Inc. 
  
  


From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 13, 2004 12:19 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] logon 
scripts

Smart 
guy.

:op

-rtk


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of deji 
AgbaSent: Monday, April 12, 2004 11:13 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] logon 
scripts


I don't have a Win9X to test this on, 
but Win2K/2K3/XP is fair game for this:

Set wshNetwork = WScript.CreateObject("WScript.Network")Set 
wshShell = WScript.CreateObject("WScript.Shell")
str_Group1_Share = "file://myserver/myShare1"str_Exec_Share = 
"file://myserver/myShare2"str_BS_Share = 
"file://myserver/myShare3"str_Super_Share = 
"file://mySuperServer/SuperShare"
strDriveToMap = "H:"
usrName = 
wshShell.ExpandEnvironmentStrings("%USERNAME%")Set usr = 
GetObject("WinNT://MyDomainName/"  usrName  ",user")
For Each grp In usr.Groups WScript.Echo 
grp.NameIf grp.Name = "BS-Group" Then 
wshNetwork.MapNetworkDrive strDriveToMap, str_BS_ShareExit 
ForElseif grp.Name = "SOME_GROUP" 
ThenwshNetwork.MapNetworkDrive strDriveToMap, 
str_Group1_ShareExit ForElseif grp.Name = 
"yet_Another_Group" OR grp.Name = "Super-DuperUser" 
ThenwshNetwork.MapNetworkDrive strDriveToMap, 
str_Super_SharewshNetwork.MapNetworkDrive "K:", 
str_Exec_ShareExit ForEnd IfNext
Set usr = NothingSet wshShell = NothingSet 
wshNetwork = Nothing

HTH




Sincerely,Dèjì 
Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP 
- Active 
Directorywww.akomolafe.comwww.iyaburo.comDo 
you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon


From: Nathan CaseySent: Mon 
4/12/2004 4:17 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] logon 
scripts

What is a recommended logon 
script solution that will work with win9x, win2k/xp clients for drive 
mapping, etc that works similar to Novell logon scripts?

Example:
IF MEMBER OF "GROUP" THEN 
BEGIN
 MAP 
H:=SERVER1\VOL1:
END

RE: [ActiveDir] Security and AD

[Jimmy Andersson]

These articles might help:

A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q289241

AD Replication over Firewalls by Steve Riley,
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

FYI:
Q224196 - Restricting AD Replication Traffice to a Specific Port.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q224196

Q179442 - How to Configure a Firewall for Domains and Trusts.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q179442

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gagnesh Kumar
Sent: Wednesday, March 24, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security and AD

Hi,
  I want to run AD behind a firewall.Can someone please suggest what
ports should I leave open so that all the clients to my AD can access it
successfully?
Any help would be greatly appreciated.
Thanks and regards,
Gagnesh
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Do I really need to add UPNs?

[Jimmy Andersson]

Brothers in arms...??? COME ON RICK! It's Dean. 
I've go an idea. let's discuss it offline ;) BTW, Dean I'm just 
the Indian Swede with a bizzare life according to Rick... :) LOLDo the 
word Geotard come to mind ;)

/The Swede
- 
Jimmy Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rick 
KingslanSent: Saturday, March 20, 2004 7:05 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need 
to add UPNs?

Oh, yeah - I remember the last heated discussion. 
When you've got Stuart on the run, you don't give up, do you? 
;o)

Looking forward to some 'brothers-in-arms' time in 
Redmond.


Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft 
MVP:Windows Server / Directory ServicesWindows Server / Rights 
ManagementAssociate ExpertExpert Zone - 
www.microsoft.com/windowsxp/expertzoneWebLog - 
www.msmvps.com/willhack4food 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean 
WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing 
list (Send)Subject: RE: [ActiveDir] Do I really need to add 
UPNs?

Great 
answer ... indeed they are. Most of the info. is maintained as a blob 
(msDS-trustForestTrustInfo off the top of my head) on the representative TDO 
which, as you said, replicates to forest local GCs in order to allow CrackNames 
to resolve foreign-forest namespaces ... this particular attribute has been the 
cause of many a heated debate between myself and some Microsoft guys but that's 
another story entirely.

PS - 
Can't take yer liquor huh Joe? :-) 

See 
you guys at the summit.

-- Dean Wells MSEtechnology ( Tel: +1 (954) 
501-4307 * Email: dwells@msetechnology.com http://msetechnology.com 

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of 
  GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 
  2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Do I really need to add UPNs?
  actually I had to think some more about what I had posted 
  - I believe the "officially" added UPNs are also stored in the respective TDO 
  object of the trusting domain, which replicates to all the GCs of the own 
  domain. This is how a DC in the trusting forest will know where 
  to pass on the request if you logon to a workstation in the trusting 
  forest with a UPN defined in the trusted forest. In 
  addition - as mentioned before - you'll only be able to perform restrictions 
  on these UPN suffixeswhen added to the upnSuffixes 
  attribute.
  
  So I guess when you're using forest trusts and you do 
  want to allow the "other" (not the implicit) UPNs for logon in the trusting 
  forest, you'll have to add them to the attribute.
  
  But I guess I still earned the beer ;-) Won't I be 
  on my way until another 6 hours.
  
  Cheers,
  Guido
  
  
  From: joe [mailto:[EMAIL PROTECTED] 
  Sent: Samstag, 20. März 2004 03:22To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really 
  need to add UPNs?
  
  Ah, see I may be getting old but I can kind of remember. 
  :o)
  
  Thanks for the assist Guido. You have earned one crappy 
  American Beer when you get here. Heck you may already be on the way. 
  :o)
  
  -
  http://www.joeware.net (download joeware)
  http://www.cafeshops.com/joewarenet (wear joeware)
  
  
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 
  3:32 PMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Do I really need to add UPNs?
  
  Adding the UPN suffixes to the list of alternate UPNs 
  will enable configuration of TLN restrictions (Top-Level Name restrictions) 
  for forest trusts (i.e. transitive trust between two 2003 forests). The UI 
  lists the available UPN suffixes of the trusted forest incl. the stored 
  alternate UPNs and allows you to configure which ones you allow to be 
  used "accross the trust" for authentication. This is a must, if your UPN 
  isn't a subordinate of the top level name of your root (e.g. TLN of root = 
  "mycompany.net", but your alternative UPN suffix is "othercompany.net"). 
  
  
  Alternative UPNs which are subordinates (e.g. 
  "otherOrg.mycompany.net") can be added manually within the wizard by adding 
  exceptions for your existing root-UPN suffix.
  
  /Guido
  
  
  From: joe [mailto:[EMAIL PROTECTED] 
  Sent: Freitag, 19. März 2004 01:10To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really 
  need to add UPNs?
  
  Crap I knew the answer to this at one point... I must 
  have reached the end of my event log and am now 
  overwriting...
  
  It is for the GUI but there is something else that looks 
  at that and if it isn't populated it doesn't know to take that UPN Suffix into 
  account I want to say it has somet

RE: [ActiveDir] Do I really need to add UPNs?

[Jimmy Andersson]

I just realized, nobody knows me on this list besides Dean, 
Tony and Rick I hope I'm not beeing flamed because of this. 
:)

Regards,
/Jimmy the Swede

- 
Jimmy Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy 
AnderssonSent: Saturday, March 20, 2004 10:29 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need 
to add UPNs?

Brothers in arms...??? COME ON RICK! It's Dean. 
I've go an idea. let's discuss it offline ;) BTW, Dean I'm just 
the Indian Swede with a bizzare life according to Rick... :) LOLDo the 
word Geotard come to mind ;)

/The Swede
- 
Jimmy Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rick 
KingslanSent: Saturday, March 20, 2004 7:05 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need 
to add UPNs?

Oh, yeah - I remember the last heated discussion. 
When you've got Stuart on the run, you don't give up, do you? 
;o)

Looking forward to some 'brothers-in-arms' time in 
Redmond.


Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft 
MVP:Windows Server / Directory ServicesWindows Server / Rights 
ManagementAssociate ExpertExpert Zone - 
www.microsoft.com/windowsxp/expertzoneWebLog - 
www.msmvps.com/willhack4food 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean 
WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing 
list (Send)Subject: RE: [ActiveDir] Do I really need to add 
UPNs?

Great 
answer ... indeed they are. Most of the info. is maintained as a blob 
(msDS-trustForestTrustInfo off the top of my head) on the representative TDO 
which, as you said, replicates to forest local GCs in order to allow CrackNames 
to resolve foreign-forest namespaces ... this particular attribute has been the 
cause of many a heated debate between myself and some Microsoft guys but that's 
another story entirely.

PS - 
Can't take yer liquor huh Joe? :-) 

See 
you guys at the summit.

-- Dean Wells MSEtechnology ( Tel: +1 (954) 
501-4307 * Email: dwells@msetechnology.com http://msetechnology.com 

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of 
  GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 
  2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Do I really need to add UPNs?
  actually I had to think some more about what I had posted 
  - I believe the "officially" added UPNs are also stored in the respective TDO 
  object of the trusting domain, which replicates to all the GCs of the own 
  domain. This is how a DC in the trusting forest will know where 
  to pass on the request if you logon to a workstation in the trusting 
  forest with a UPN defined in the trusted forest. In 
  addition - as mentioned before - you'll only be able to perform restrictions 
  on these UPN suffixeswhen added to the upnSuffixes 
  attribute.
  
  So I guess when you're using forest trusts and you do 
  want to allow the "other" (not the implicit) UPNs for logon in the trusting 
  forest, you'll have to add them to the attribute.
  
  But I guess I still earned the beer ;-) Won't I be 
  on my way until another 6 hours.
  
  Cheers,
  Guido
  
  
  From: joe [mailto:[EMAIL PROTECTED] 
  Sent: Samstag, 20. März 2004 03:22To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really 
  need to add UPNs?
  
  Ah, see I may be getting old but I can kind of remember. 
  :o)
  
  Thanks for the assist Guido. You have earned one crappy 
  American Beer when you get here. Heck you may already be on the way. 
  :o)
  
  -
  http://www.joeware.net (download joeware)
  http://www.cafeshops.com/joewarenet (wear joeware)
  
  
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 
  3:32 PMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Do I really need to add UPNs?
  
  Adding the UPN suffixes to the list of alternate UPNs 
  will enable configuration of TLN restrictions (Top-Level Name restrictions) 
  for forest trusts (i.e. transitive trust between two 2003 forests). The UI 
  lists the available UPN suffixes of the trusted forest incl. the stored 
  alternate UPNs and allows you to configure which ones you allow to be 
  used "accross the trust" for authentication. This is a must, if your UPN 
  isn't a subordinate of the top level name of your root (e.g. TLN of root = 
  "mycompany.net", but your alternative UPN suffix is "othercompany.net"). 
  
  
  Alternative UPNs which are subordinates (e.g. 
  "otherOrg.mycompany.net") can be added manually within the wizard by adding 
  exceptions

RE: [ActiveDir] Multiple Trees questions

[Jimmy Andersson]

I think Al is reading your question as multiple forests vs 
single forest. Please clarify since I understand your Q to be about one forest 
with a single tree vs multiple trees. If you want/need a security boundary 
you will end up in a multiple forest environment, but that's due to laws etc if 
applicable since the forest is the only security boundary today. If you have 
multiple trees in one forest you can have separate namespaces for each tree 
etc.. But before digging into the details please confirm is you're talking about 
singel forest or not.

Regards,
/Jimmy
- 
Jimmy Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, 
AlSent: Wednesday, March 17, 2004 6:48 PMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Multiple Trees 
questions

Thoughts inline


From: Celone, Mike 
[mailto:[EMAIL PROTECTED] Sent: Wednesday, March 17, 2004 
11:53 AMTo: '[EMAIL PROTECTED]'Subject: 
[ActiveDir] Multiple Trees questions

I've got a few 
questions about using multiple trees in a forest. 

  Are there 
  transitive Kerberos trusts across the trees in Win2k? 
  Win2k3? [Mulnick, Al]You can set up trusts, butdo you 
  need them to be transitive? What's the end requirement thatyou 
  need if you go this route? 
  What's the 
  advantage/disadvantages of going with 3 seperate trees vs 1 single tree with 
  an empty root and 3 child domains? [Mulnick, 
  Al]The only reason to go withseparate forests is the way you 
  manageyour environment and security. If you have to have three 
  separate trees, it can be done, but it's much more complexand 
  administratively a burden if you use multiple trees for everything from 
  upgrades to administrivia. It does have the advantage of allowing you to 
  implement schema changing apps with less risk however which should count for 
  something. However, if you're a company that allows people to move 
  betwen countries, the migration process could be a 
  PITA.
  Assuming we 
  implement Exchange 2k3 does having 3 seperate trees mean 3 seperate Exchange 
  organizations?[Mulnick, 
  Al]have you read the Planning an Exchange 2003 document on www.microsoft.com/exchange/library 
  ? It talks about the pros and cons of a multi-org Exchange deployment 
  and how Microsoft sees it working. It's worth your time to read it to 
  help answer this and many more questions about the 
  app.
We have already 
implemented AD in our US offices but now our Europe office and Asia-Pacific 
offices are looking to join into our AD structures. 


Mike Celone
Systems Specialist
Radio Frequency 
Systems
v 203-630-3311 x1031 
f 203-634-2027
m 203-537-2406

RE: [ActiveDir] Changing ACLs via VBscript

[Jimmy Andersson]

Have you seen these?
http://msdn.microsoft.com/library/default.asp?url="">
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Regards,
/Jimmy
----- Jimmy 
Andersson, Q Advice 
AB 
Principal AdvisorMicrosoft MVP - Directory 
Services-- www.qadvice.com --



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. 
SmithSent: Tuesday, March 16, 2004 2:59 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Changing ACLs via 
VBscript

I need to change 
both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 
2003, and Exchange 2000 and 2003).

I know how to do 
everything I want manually, but the GUI is too slow and error prone for the 
volume I've got going on...

I've been unable to 
find a website that discusses doing this, or any online resources to really 
help.

Does anyone have any 
suggestions, either online or books?

Thanks.

RE: [ActiveDir] Where in the world is Micky Balladelli?

[Jimmy Andersson]

Yes, I'm positive he left Compaq. 
To the best of my knowledge AOD was his personal project and I don't think
Compaq have done any work on it since he left. 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, January 02, 2004 9:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Where in the world is Micky Balladelli?

Hey there used to be a guy named Micki Balladelli that worked for COMPAQ; I
believe he was based out of Southern France or something like that. He was
involved in a lot of the earlier scaling testing and he had this cool little
tool he was working on called Age of Directories. I went to contact him to
see if he is still working with that tool and enhancing it but it appears
his COMPAQ email address is dead and so I tried a like-minded HP address and
that didn't work either. 

Does anyone know positively if he left COMPAQ/HP?

Does anyone have a newer email address on him?

Barring all of that does anyone know what happened to Age of Directories?

If you know of his whereabouts but don't want to give me the info, please
forward him my email address and my request if possible. 


  Thanks, joe

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Little OT: AD, LDAP, Exchange

[Jimmy Andersson]

I've done it with SimpleSync from www.cps-systems.com and it works 
perfect.

Regards,
/Jimmy
- 
Jimmy Andersson, Q Advice 
AB 
CEO  Principal AdvisorMicrosoft MVP - 
Active Directory-- www.qadvice.com 
--



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, 
JoeSent: Friday, November 07, 2003 5:37 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Little OT: AD, LDAP, 
Exchange


Hopefully someone has done 
this 

Scenario: Company A owns 
Company B and Company C. Company A runs Active Directory and Exchange 
5.5. Company B runs Active Directory and Exchange 2000. Company A 
and Company B do not share networks, do not have any type of trusts, etc. 
Company A and Company B want to share Exchange server directories by way of 
exporting and importing .CSV files. How does Company B export from 2000 in a way 
that Company A can import into 5.5? Is there a better method? 


Im looking for a way to do this as 
temporary until we have the time and efforts to bring our forests together. 


Please send me your thoughts, 
suggestions, and experiences! 

Joe 
Pelle
Systems 
Analyst
Information 
Technology
Valassis / 
IT
19975 
Victor Parkway 
Livonia, MI 
48152
Tel 
734.591.3000 Fax 
734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have 
included proprietary or protected information. This message and the 
information contained herein are not to be further communicated without my 
express written consent.

RE: [ActiveDir] AD recovery after disaster

[Jimmy Andersson]

Title: Message



Windows NT4.0 and Windows 2000 Disaster Recovery and Backup and RestoreProcedures:http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q287061How 
to Back Up and Restore 
the System State in Windows 2000:http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q240363Backup of the Active 
Directory Has 60-Day Useful Life:http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216993Regards,/Jimmy- Jimmy 
Andersson, Q Advice 
AB 
CEO  Principal AdvisorMicrosoft MVP - 
Active Directory-- www.qadvice.com 
--



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Orin 
RehorstSent: Monday, October 27, 2003 4:32 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] AD recovery after 
disaster


Pls 
point me to info re how to backup AD for restore on a new server after a 
disaster.

Regards,
Orin 
Rehorst
Port of 
Houston Authority

RE: [ActiveDir] account lockout troubleshooting

[Jimmy Andersson]

You can use wmic.exe to find most info about your 
services.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice 
AB 
CEO  Principal AdvisorMicrosoft MVP - 
Active Directory-- www.qadvice.com 
--



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
JoeSent: Thursday, October 09, 2003 1:01 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] account lockout 
troubleshooting

Check 
for any services that are possibly running in the context of the user (either 
services.msc or if you want command line check out svcutil at www.joeware.net with the viewx 
option)


F:\Dev\cpp\SvcUtilsvcutil . viewx

SvcUtil V02.03.00cpp Joe Richards ([EMAIL PROTECTED]) 
May 2003

-Service list for 
LocalHost-Alerter 
Alerter 
stopped MANUAL NT 
AUTHORITY\LocalServiceALG 
Application Layer Gateway 
Service 
stopped MANUAL NT 
AUTHORITY\LocalServiceAppMgmt 
Application 
Management 
stopped MANUAL LocalSystemATI 
Smart 
ATI 
Smart 
stopped AUTO 
LocalSystemAudioSrv 
Windows 
Audio 
running AUTO 
LocalSystemBITS 
Background Intelligent Transfer Service 
running MANUAL 
LocalSystemBrowser 
Computer 
Browser 
running AUTO 
LocalSystemcisvc 
Indexing 
Service 
stopped MANUAL 
LocalSystemClipSrv 
ClipBook 
stopped MANUAL 
LocalSystemCOMSysApp 
COM+ System 
Application 
stopped MANUAL 
LocalSystem
SNIP



Also 
check for any MTS/COM+ objects that are set up to authenticate as the user. 
Sorry don't have a command line tool I am aware of to do 
that.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, 
MarkSent: Wednesday, October 08, 2003 4:37 PMTo: 
[EMAIL PROTECTED]


Thanks everyoneI 
appreciate the excellent suggestions. Ill post whether or not Microsofts 
solution (DS Client) is successful in the next day or two.


mc 
-Original 
Message-From: Coleman, 
Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:58 
PMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] account lockout 
troubleshooting

I've seen 
this, as Mike said, with persistent drives mapped. Also with scheduled tasks 
using an old password.

Hunter




From: 
Creamer, Mark 
[mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 1:30 
PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] account lockout 
troubleshooting
Yep, one 
is the PDCE. That would explain the same event at the same time on 2 DCs. But 
here's the strange thing. The users log on successfully. They work with no 
problem for a while with apps running like Outlook (to Exchange 2000), IE, open 
Office files on a file server, etc. Suddenly they can't work anymore - again, 
just as if someone else was locking out the account. But the events are coming 
from the user's own PC only.


mc 
-Original 
Message-From: Coleman, 
Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 3:17 
PMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] account lockout 
troubleshooting

Is one of 
the DCs your PDC emulator? Normally, if a user attempts to authenticate to a DC 
with an incorrect password (error code 3221225578), that DC will redirect the 
authentication to the PDC emulator for an "authoratative" response. This covers 
the case where a user's password has changed but not fully replicated to all 
DCs. The PDC emulator would know about the change, so checking there would 
validate the login attempt or reject it if appropriate.

Hunter





From: 
Creamer, Mark 
[mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 12:03 
PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] account lockout 
troubleshooting
Hi folks,
I have been trying to troubleshoot 
some lockout events. In every case, the event originates on the user's own 
workstation (not some other user). There are no associated file object failures 
on the primary file server. It seems like it is application-based, but I can't 
nail it down. I've been using Microsoft's AL tools, including EventCombMT, but I 
can't use the acctinfo.dll because the clients are Win9x. 

Today I noticed for the first time 
that on 2 DCs, the exact same 5 login failures occurred (one example 
follows):

681,AUDIT FAILURE,Security,Tue Oct 
07 13:13:38 2003,NT AUTHORITY\SYSTEM,The logon to account: 
MYUSER by: 
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: 
\\HIS_PC failed. The error code was: 
3221225578 

I was concerned that I didn't think 
it is normal that 2 DCs would log the same 5 logon failures at exactly the same 
times. What do you think?

Thanks,

Mark 
Creamer Systems 
Engineer Cintas 
Corporation http://www.cintas.com 
Honesty 
and Integrity in Everything We Do 

RE: [ActiveDir] ADM files

[Jimmy Andersson]

www.thethin.net has a lot of template files. You'll find most of them there.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, September 22, 2003 5:48 PM
To: [EMAIL PROTECTED]

Is there a place where you can download all of the ADM files, or at
least view the contents of all of them.  I have found that these files
are all over the place.  On W2K CDs, W2003 CDs, Office 2003, Office XP,
SMS, etc... IT is becoming a pain.  One central place to be able to say,
oh, That is what I would like to my domain policy...

Maybe I am asking too much.  After all, we are dealing with Microsoft
and their ability to hide important information. :)

Thanks,
Steve

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] AD 2003 DB

[Jimmy Andersson]

70GB for a 300 user AD will absolutely be enough.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Juan Ibarra
Sent: Tuesday, September 16, 2003 6:03 PM
To: [EMAIL PROTECTED]

Hi, we are planning to migrate from NT to AD 2003 in the near future.  We
are trying to figure out the specs for new HW requirements.  We are
concerned with the amount of space that we will need in our DC to host the
DB.  I know that the more space the better, but will the DB be too big? At
what rate will it grow.  Will 70G will be plenty for an org with 300 users?

Best regards, 
Juan 



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] LDAP query on ObjectSID attribute

[Jimmy Andersson]

Cool, haven't tried the earlier version for this task.

Thanks Tony!

BTW - hope you're doing well!

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, August 26, 2003 2:12 PM
To: [EMAIL PROTECTED]

Actually, it looks like the LDP version doesn't matter, both v3.0 and the
earlier one will work.  

The point is that the LDAP connection must be to a Windows Server 2003 DC.
The domain and forest functionality can still be Windows 2000.

Tony
-- Original Message --
From: Jimmy Andersson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 25 Aug 2003 21:23:23 +0200

I know, and I posted it some time ago but it hasn't showed up on the list
yet... 
I use LDP 3.0 in all my 'Inside AD' classes and it works perfect for all my
students and clients. 

Note-to-self, include the LDP version in the future. :)

Glad you got it working! 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 8:53 PM
To: [EMAIL PROTECTED]

Rick,
 
You found the solution to my problem. LDP version 3.0 worked flawlessly.
Jimmy's solution will not work with any other.
 
Thanks
 
Yves
 
 



From: Rick Kingslan
Sent: Mon 25/08/2003 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again With different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

Don't forget the '' and '' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in SID=S15A913838F5E5A9AABF22742D54F69
In the Filter field I type in ((ObjectCategory=*))
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
I does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=,objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD [EMAIL

RE: [ActiveDir] LDAP query on ObjectSID attribute

[Jimmy Andersson]

I use LDP version 3.0.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 6:53 PM
To: '[EMAIL PROTECTED]'

AFIK, the SID syntax is not part of the LDAP interface... So it is likely
that it is supported by code inside LDP. What versions of LDP are you all
using? That might be why it works for some people and not others.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 25, 2003 7:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


I've tried it again and again With different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

Don't forget the '' and '' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls. You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in SID=S15A913838F5E5A9AABF22742D54F69
In the Filter field I type in ((ObjectCategory=*))
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
I does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=,objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124
32412344))

 

Doesn't return anything. I know the sid must converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir

RE: [ActiveDir] LDAP query on ObjectSID attribute

[Jimmy Andersson]

I know, and I posted it some time ago but it hasn't showed up on the list
yet... 
I use LDP 3.0 in all my 'Inside AD' classes and it works perfect for all my
students and clients. 

Note-to-self, include the LDP version in the future. :)

Glad you got it working! 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 8:53 PM
To: [EMAIL PROTECTED]

Rick,
 
You found the solution to my problem. LDP version 3.0 worked flawlessly.
Jimmy's solution will not work with any other.
 
Thanks
 
Yves
 
 



From: Rick Kingslan
Sent: Mon 25/08/2003 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again With different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

Don't forget the '' and '' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in SID=S15A913838F5E5A9AABF22742D54F69
In the Filter field I type in ((ObjectCategory=*))
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
I does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=,objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent

RE: [ActiveDir] LDAP query on ObjectSID attribute

[Jimmy Andersson]

Set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

Don't forget the '' and '' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in SID=S15A913838F5E5A9AABF22742D54F69
In the Filter field I type in ((ObjectCategory=*))
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
I does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=,objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124
32412344))

 

Doesn't return anything. I know the sid must converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] LDAP query on ObjectSID attribute

[Jimmy Andersson]

Why not use LDP and set it like this:

Base DN SID=S-1-5-21-709049380-3306950797-3746505139
Filter ((ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124
32412344))

 

Doesn't return anything. I know the sid must converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Groups and OU's

[Jimmy Andersson]

I you have one person that will administer the groups, create one OU for the
groups and delegate it to that user sounds like a good idea.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, August 08, 2003 11:34 PM
To: [EMAIL PROTECTED]

I will have a single forest, single domain .  Less than 1,000 users.  I want
it simple.  If I don't create an OU for the groups will I have to include
groups into another ou?  I will have one person administer groups. 

-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Groups and OU's

Yes, you could have an OU for groups if you want. But the pros and cons all
depend on the way you want to administrate your AD. Can you give a bit more
info on your environment?

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, August 08, 2003 10:20 PM
To: [EMAIL PROTECTED]

Is it advisible to have an OU for Groups? What are the pros and cons?  I
want a very simple and basic OU structure.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Groups and OU's

[Jimmy Andersson]

Yes, you could have an OU for groups if you want. But the pros and cons all
depend on the way you want to administrate your AD. Can you give a bit more
info on your environment?

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, August 08, 2003 10:20 PM
To: [EMAIL PROTECTED]

Is it advisible to have an OU for Groups? What are the pros and cons?  I
want a very simple and basic OU structure.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] fismos

[Jimmy Andersson]

Q223346 - FSMO Placement and Optimization on Windows 2000 Domains: 
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q223346

Q223787 - Flexible Single Master Operation Transfer and Seizure Process:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q223787


Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 7:31 PM
To: [EMAIL PROTECTED]


I have 3 dc's I would like to break the fismos off on to.  Is there some
servers that should be faster then others or does it not matter what I put
where?  Also what is the best tool to use to do this with? 


Thanks again for the help
Ryan McDonald
Systems Administrator

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Changing Directory Name

[Jimmy Andersson]

If you're in Native mode - then you can't change the domain name unless you
upgrade to Windows Server 2003. If you have Exhange on the network
rendom.exe won't work. And you should know that renaming a domain is not a
task you should take light upon, even if there is a tool in Windows Server
2003.
http://www.microsoft.com/windows2000/downloads/tools/domainrename/

If you're in mixed mode, see this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q292541

You can define new UPN suffixes in AD Domains and Trusts snap-in, but you'll
need to change your current users to use it. This way users will believe
that you've renamed your AD and in most cases that's sufficient.

Run dcpromo.exe to demote a domain controller.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB  
  CEO  Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Wednesday, June 18, 2003 10:25 AM
To: [EMAIL PROTECTED]

My current Active Directory name for my network is for example 
testing123.net and I have about 30 users on it. Is it possible to 
change the name on the network to something like foo.testing123.net 
while maintaining all my permissions and user accounts?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] AD/AM Beta available

[Jimmy Andersson]

I use it and it's cool!


BTW - Hope you're doing well Tony!

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, April 03, 2003 1:25 PM
To: [EMAIL PROTECTED]

For those that are interested, the beta release of Active Directory
Application Mode is now available.  To get to the point at which you can
download, you need to register for the Beta by completing a survey.  After a
day or two you will get an email with instructions for download.

I'm currently downloading so haven't had a chance to look at it yet.

http://www.microsoft.com/windowsserver2003/adam/default.mspx

Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Synchronization with Unix and Oracle

[Jimmy Andersson]

Title: Message




CPS-Systems 
have really improved the ODBC interface in SimpleSync and can both 
Provision new User Accounts as well as maintain pre-existing accounts, from any 
Oracle feed, either LDAP or CSV.
I know of a 
client that is installing this solution this weekend - with the result 
being a fully automatic update from PeopleSoft/Oracle = 
AD.

Regards,
/Jimmy
--Jimmy Andersson, Q 
Advice ABMicrosoft MVP - Active Directory www.qadvice.com 





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Amit 
ZinmanSent: Thursday, March 27, 2003 4:02 PMTo: 
[EMAIL PROTECTED]


Biztalk is cool, but 
more for data Exchange. We are more interested in synchronizing passwords or 
providing some sort of smart logon or unified administration or even single-sign 
on (one can just dream).


Amit 
Zinman
Systems 
Consultant
Integrity 
Systems
[EMAIL PROTECTED]
03-7522424
058-326753





From: Roger 
Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 4:14 
PMTo: 
'[EMAIL PROTECTED]'


Services for Unix 
would help with the Unix side - if you're trying to integrate AD and NIS for 
instance.



Oracle and AD would 
probably have to be custom done - depending on what you're trying to do. The MS 
Biztalk server site has a link to a third party Biztalk module that will 
interface with AD, and then just interface your Oracle stuff to 
Biztalk.



Roger

-- 
Roger D. Seielstad - 
MCSE Sr. Systems 
Administrator Inovis 
Inc. 

  -Original 
  Message-From: Amit 
  Zinman [mailto:[EMAIL PROTECTED] Sent: Thursday, March 27, 2003 8:49 
  AMTo: ActiveDir Mailing 
  ListSubject: [ActiveDir] 
  Synchronization with Unix and Oracle
  Hi,
  If any of you ever did synchronize 
  your AD with Oracle or Unix I would love to hear your input on this 
  matter.
  
  Thanks,
  
  Amit 
  Zinman
  Systems 
  Consultant
  Integrity 
  Systems
  [EMAIL PROTECTED]
  03-7522424
  058-326753
  

RE: [ActiveDir] Port Numbers

[Jimmy Andersson]

RDP uses port 3389.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, March 24, 2003 4:35 PM
To: '[EMAIL PROTECTED]'

Plus I don't see Terminal Services on that list

 -Original Message-
From:   Salandra, Justin A.  
Sent:   Monday, March 24, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] Port Numbers

Some one told me that for a Win 2K Server to be a VPN I need port TCP 1723
open with protocol GRE, is this true?

 -Original Message-
From:   Jochen Andries [mailto:[EMAIL PROTECTED] 
Sent:   Monday, March 24, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Port Numbers

A usefull link :

http://www.keir.net/portlist.html


Jochen

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: maandag 24 maart 2003 16:07
To: ActiveDir (E-mail)
Subject: [ActiveDir] Port Numbers

What port numbers do Windows 2000 Terminal Server and Windows 2000 VPN
services use?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
914.681.8117 secondary office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: Program that gives folder rights

[Jimmy Andersson]

Take a look at DumpSec from www.somarsoft.com, it might be what you're
looking for. 

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, March 21, 2003 8:45 PM
To: [EMAIL PROTECTED]

Does anyone know of a tool that will display security (file) rights for
multiple folders?



Thank you
Jenn Fountain

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] ADMT v2.0

[Jimmy Andersson]

HOWTO: Use Visual Basic Script to Clear SidHistory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Friday, January 31, 2003 1:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2.0


No, I don't think it does this (it certainly didn't in the first version).
Several of the 3rd party migration tool vendors offer this feature.

It should also be fairly easy to write something of your own to clear the
attribute value.  I dare say Richard Puckett probably has something lying
around which does this! :-)

Tony

-- Original Message --
From: Abbiss, Mark [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 31 Jan 2003 10:52:17 +0100

Is ADMT v2.0 also able to clean up the SID history once everything has been
successfully migrated from the old NT world ?

Thanks,

Mark Abbiss

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 31. Januar 2003 10:51
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ADMT v2.0


Yes, it really is possible, as long as your target domain is in native mode.

Tony

-- Original Message --
From: Mulder, Joeri (NL - Amsterdam) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 31 Jan 2003 10:27:10 +0100

Hello,
 
Can somebody confirm that it is really possible to migrate accounts +
passwords from a W2K forest to another W2K forest with the ADMT v2.0 tool? 



Regards,

Joeri



This e-mail message and its attachments are subject to the disclaimer
published at the following website of Deloitte  Touche :
http://www.deloitte.nl/disclaimer

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] ADMT v2.0

[Jimmy Andersson]

Oh, sorry! It's included with the Windows Server 2003 CD (RC1 and RC2).

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 3:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2.0


Jimmy I downloaded that files however the file version number is the same as
my ADMT v1

 -Original Message-
From:   Jimmy Andersson [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, January 31, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] ADMT v2.0

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.
asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2.0


Where can I get a copy of the most recent version of ADMT 2.0?

 -Original Message-
From:   Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, January 31, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject:Re: [ActiveDir] ADMT v2.0

Yes, it really is possible, as long as your target domain is in native mode.

Tony

-- Original Message --
From: Mulder, Joeri (NL - Amsterdam) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 31 Jan 2003 10:27:10 +0100

Hello,
 
Can somebody confirm that it is really possible to migrate accounts +
passwords from a W2K forest to another W2K forest with the ADMT v2.0 tool? 



Regards,

Joeri



This e-mail message and its attachments are subject to the disclaimer
published at the following website of Deloitte  Touche :
http://www.deloitte.nl/disclaimer

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] ADMT v2.0

[Jimmy Andersson]

Yes.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2.0


Can I use this tool to migrate users from a parent domain to a child domain
within the same forest?

 -Original Message-
From:   Jimmy Andersson [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, January 31, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] ADMT v2.0

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.
asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent:   Friday, January 31, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] ADMT v2.0


Where can I get a copy of the most recent version of ADMT 2.0? -Original
Message-
From:   Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, January 31, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject:Re: [ActiveDir] ADMT v2.0

Yes, it really is possible, as long as your target domain is in native mode.
Tony
-- Original Message --
From:   Mulder, Joeri (NL - Amsterdam) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:   Fri, 31 Jan 2003 10:27:10 +0100

Hello,
Can somebody confirm that it is really possible to migrate accounts +
passwords from a W2K forest to another W2K forest with the ADMT v2.0 tool? 


Regards,
Joeri



This e-mail message and its attachments are subject to the disclaimer
published at the following website of Deloitte  Touche :
http://www.deloitte.nl/disclaimer
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Question

[Jimmy Andersson]

See the License Availability Roadmap at:
http://www.microsoft.com/windows/lifecycle.mspx

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, January 31, 2003 7:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Question
Importance: High


I have a tech working here today and he mentioned to me that he heard that
MS will no longer be selling Windows 2000 Professional as of April 2003. Has
anyone else heard this?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] AD 2 AD Migration

[Jimmy Andersson]

It's a great tool.
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/admt.asp
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Mulder, Joeri (NL - Amsterdam)
Sent: Thursday, January 16, 2003 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD 2 AD Migration


Hello,
 
Does anyone have experience migrating users and groups from one forest to another? Is 
ADMT v2.0 the best tool to do this?
 
Greets,
--Joeri--i .i jívҕ

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Justications to Migrate to Active Directory

[Jimmy Andersson]

I agree with Martin Tuip.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Martin Tuip
Sent: Wednesday, January 15, 2003 9:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Justications to Migrate to Active Directory



I agree on that with you. Windows 2000 has been as stable as a rock. So
besides that and the retiring of the support it should be an easy one.



Martin Tuip
MVP Exchange

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Wednesday, January 15, 2003 8:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Justications to Migrate to Active Directory


To date, I haven't found an instance where NT4 was more stable than Win2k.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


 -Original Message-
 From: Jeremy Young [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 15, 2003 12:50 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Justications to Migrate to Active Directory
 
 
 I don't know if this will be of any importance, but I have seen 
 several instances where windows 2000 is much more stable than NT4.  
 Case in point, I was working for a defense contractor and we had 5 
 mail servers(exch. 5.5) and they notoriously went down.  If we
 didn't reboot
 the servers once a week, they would go down.  We took one of the lower
 tasked servers(500 users) and put it on windows 2000 and 
 didn't have to
 reboot it for a month and it was still running like a champ.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of Roger 
 Seielstad
 Sent: Wednesday, January 15, 2003 11:10 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Justications to Migrate to Active Directory
 
 
 Add to that the fact that Exchange 5.5 is end of support at the same
 time, and its pretty much a no brainer.
 
 --
 Roger D. Seielstad - MCSE
 Sr. Systems Administrator
 Inovis - Formerly Harbinger and Extricity
 Atlanta, GA
 
 
  -Original Message-
  From: Van Donk, Fred [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 15, 2003 11:46 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Justications to Migrate to Active Directory
  
  
  Cliff,
  
  I think that the link below says it all:
  
  http://microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp
  
  No more support for NT4 after the end of this year.
  
  -Original Message-
  From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, January 15, 2003 11:37 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Justications to Migrate to Active Directory
  
  
  I am currently compiling information and trying to find good 
  justifications to migrate our Windows NT base network to Active 
  Directory. We are a medium size company. We don't have any direct 
  requirements to implement AD, like we must upgrade to 
  Exchange2000(which requires AD). I can see a few benefits, but my 
  management wants to see quantified justifications. For example, by 
  migrating to AD you can save 1 hour in setting up a new user with 
  RIS.
  
  Does anyone know I good website that would show time saved or
  something more concrete and specific than Microsoft's marketing 
  jargon?
  
  Has anyone gone through a similar experience with their company?
  
  I would appreciate your insights and advice!!!  Thanks!!!
  
  
  Cliff Airhart
  Answer Financial Inc.
  Senior Systems Administrator - Server Support / eBusiness 
  [EMAIL PROTECTED] 818.644.4225 We answer to you.
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: 
  http://www.mail-archive.com/activedir%40mail.activedir.org/
  
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
  http://www.mail-archive.com/activedir% 40mail.activedir.org/
  
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir% 40mail.activedir.org/
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org

RE: [ActiveDir] AD restore to dissimilar hardware

[Jimmy Andersson]

Disaster Recovery of Active Directory on Dissimilar Hardware:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q263532;

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of osman filiz
Sent: Tuesday, January 07, 2003 1:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD restore to dissimilar hardware



Hi,
I have one domain controller that has hardware problem about RAID Card;
now 
i cannot fix it and i want to restore active directory to another pc
with 
IDE controller.But i can't...After restoring active directory it gives
the 
blue screen message while startup : 0x007B INACCESSIBLE BOOT DEVICE.
Ýs 
it possible to restore AD to dissimilar hard disk controller platform?

Any comment?



_
Help STOP SPAM: Try the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] rename Domain Controller

[Jimmy Andersson]

That's the way to go!

See this article for more info:

How to Rename a Windows 2000 Domain Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296592

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
 www.qadvice.com 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Pelle, Joe
Sent: Thursday, January 02, 2003 3:59 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] rename Domain Controller


Hello!
Anyone know how to rename a Domain Controller?  I think I can just run
DCPROMO, make it a member server, rename it, then re-run DCPROMO and
make it a DC again?  Is this right, wrong, completely stupid?. Also,
any recommendations on (assuming the previous was correct) if I should
do this or just rebuild the server?
Finally, I would like to know how any of you out there did your
migration testing for production applications that could NOT be
reproduced in a lab environment? 
Lemme Know!  Thanks! 
Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print  Media Solutions
35955 Schoolcraft Rd.   Livonia, MI  48150
Tel 734.632.3753  Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/
This message may have included proprietary or protected information.
This message and the information contained herein are not to be further
communicated without my express written consent.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Script to find last logged on date

[Jimmy Andersson]

Title: Message



Usrstat.exe from the Resource Kit displays the user name, full name, and 
last logon date and time for each user in the 
domain.Regards,/Jimmy
--Jimmy Andersson, Q Advice ABMicrosoft MVP - Active 
Directory www.qadvice.com 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Byrne, SteveSent: Tuesday, December 17, 2002 
  3:59 AMTo: [EMAIL PROTECTED]Subject: 
  [ActiveDir] Script to find last logged on date
  Hi,
  
  I'm looking for a 
  way to find user accounts that have not been used for more than 6 months. 
  
  Does anyone know 
  where I can find a script to do this?Thanks,
  SB

RE: [ActiveDir] Back to Basics - Design Pros and Cons

[Jimmy Andersson]

Title: Message



Have 
you seen the Microsoft University Relations website? It's a site dedicated to 
issues for the University IT Pro.
http://msruniv.corp.bcentral.com/

I've 
seen many Universities with multiple forest,Many 
peoplethinkthat a domain is a Security boundary, but if you need 
more than an Administrative boundary, multiple forests is the way to 
go.

Regards,
/Jimmy
--Jimmy Andersson, Q 
Advice ABMicrosoft MVP - Active Directory www.qadvice.com 


  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Wohlgehagen, Max WSent: Wednesday, December 11, 
  2002 2:20 AMTo: '[EMAIL PROTECTED]'Subject: 
  [ActiveDir] Back to Basics - Design Pros and Cons
  There is so much material out there on AD now it is 
  almost scary [in many ways it is not too dissimilar to NDS 'cepting the DNS 
  component] My problem is design for a new network, being in a school we have 
  the luxury of starting from scratch without business fallout problems. We are 
  multi-campus and have a fairly substantial network with an 11MB "Spread 
  Spectrum" Microwave link between campuses. I am a big fan of the KISS 
  principle but am stuck in deciding between multiple trees or a single tree 
  with many sites, both concepts have advantages. We do not need to implement a 
  Forrest structure as our DNS is set in concrete. We have the following 
  elements: Campus1, Campus2, Students1, Students2, Staff1, Staff2 ... or 
  OrganisationAll, StaffAll, StudentsAll. Obviously there are sub components of 
  these elements as well. The main concern is to have the most useful GPO 
  structure without too much complexity. Does anyone have any experience in 
  setting up this type of AD. Any ideas on multiple domains versus single domain 
  many sites?? Help, opinions, comments, ideas all welcome. Thanks.
  Max Wohlgehagen TSI - Rowville "Of all the things 
  I've lost, it's my mind I miss the most." Wohlgehagen, Max (E-mail).vcf 
  
  *** 
  Important - 
  This email and any attachments may be confidential. If received in error, 
  please contact us and delete all copies. Before opening or using attachments 
  check them for viruses and defects. Regardless of any loss, damage or 
  consequence, whether caused by the negligence of the sender or not, resulting 
  directly or indirectly from the use of any attached files our liability is 
  limited to resupplying any affected attachments. Any representations or 
  opinions expressed are those of the individual sender, and not necessarily 
  those of the Department of Education  
Training.

RE: [ActiveDir] VB Script Help

[Jimmy Andersson]

Title: Message



Step-by-Step Guide to Bulk Import and Export to Active 
Directory:http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/bulksteps.asp
More scripting links:http://www.15seconds.com/focus/ADSI.htmhttp://www.trainingtools.com/http://www.microsoft.com/DirectX/dxm/default.htmhttp://msdn.microsoft.com/scripting/http://www.robvanderwoude.com/index.htmlhttp://www.dx21.com/SCRIPTING/RUNDLL32/INDEX.ASP?NTI=4SI=6http://support.microsoft.com/support/kb/articles/q191/2/39.asp?id=191239SD=MSKBhttp://www.kouti.com/scripts.htmhttp://www.microsoft.com/technet/treeview/default.asp?url="">http://msdn.microsoft.com/scripting/vbScript/doc/vbstoc.htmhttp://cwashington.netreach.nethttp://www.winguides.com/scripting/http://www.adminscripts.net/pages/main.hethttp://members.aol.com/rick3in1/computer/batch.htmhttp://www.microsoft.com/technet/treeview/default.asp?url="">Regards,/Jimmy--Jimmy 
Andersson, Q Advice ABMicrosoft MVP - Active Directory 
www.qadvice.com 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Mayet, Yusuf YSent: Wednesday, November 27, 
  2002 12:24 PMTo: '[EMAIL PROTECTED]'Subject: 
  [ActiveDir] VB Script Help
  Hi all, 
  
  
  I receiveda 
  request mentioned belowfrom ourUser Administration 
  Department.
  Considering what I 
  know about scripts is scary.
  
  Can you guys 
  help??
  
  
  Write a VBScript application, 
  together with the relevant supporting documentation, that creates user 
  accounts in the Active Directory based on input provided in a flat file. The 
  flat file should contain the following information at a minimum: 
  o First Name 
  o Last Name 
  o OU where the user 
  account should be created 
  
  
  __
  Disclaimer and 
  confidentiality note 
  Everything in this 
  e-mail and any attachments relating to the official business of Standard Bank 
  Group Limited is proprietary to the company. It is confidential, legally 
  privileged and protected by law. Standard Bank does not own and endorse any 
  other content. Views and opinions are those of the sender unless clearly 
  stated as being that of Standard Bank. 
  The person 
  addressed in the e-mail is the sole authorised recipient. Please notify the 
  sender immediately if it has unintentionally reached you and do not read, 
  disclose or use the content in any way.
  Standard Bank can not assure that the integrity of this communication has 
  been maintained nor that it is free of errors, virus, interception or 
  interference.
  ___

RE: [ActiveDir] How to get changes from active directory?

[Jimmy Andersson]

You could use EventComb to search multiple DCs for specific events. It's
part of the tools that came with SOG.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: den 25 november 2002 15:07
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to get changes from active directory?


Hi Naval

AD doesn't (currently) store change information in the directory.  Some
information can be made available through auditing of AD object access.
The audit information will be written to the event log.  The limitation
of this approach is that this information will only be available on the
DC where the change was made.  A separate consolidation process would
then be required if centralised information were a requirement.

Stuart (if he's listening) may have some information on Microsoft's
future plans in this area.

Tony

-- Original Message --
From: Naval [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 25 Nov 2002 16:48:21 +0530

Hi,

How can i get the changes from Active Directory server?
For e.g netscape provides changes below
cn=changelog node.
Where does AD publish the changes.

Thanks,
Naval
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] System State

[Jimmy Andersson]

HOW TO: Use the Backup Program to Back Up and Restore the System State
in Windows 2000:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q240363ID=KB;EN
-US;Q240363

Backup of the Active Directory Has 60-Day Useful Life:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216993

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Carlos
Magalhaes
Sent: Wednesday, November 20, 2002 8:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] System State


Tombstone meaning that you can set to allow restoring a system state
that was backed up more than 60 days ago?

If can I set it to 90 days ?

Regards,
Carlos Magalhaes


-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 20, 2002 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] System State

Do you mean because of the default Tombstone lifetime? If so, you can
re-configure it.


Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 20, 2002 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] System State


On Domain Controllers as I understand it. 

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 20, 2002 4:10 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] System State


Is it true that you cant restore from a system state back up that is
older than 60 days.



Regards,

Carlos Magalhaes







-
This email and any files transmitted are
confidential and intended solely for the
use of the individual or entity to which
they are addressed, whose privacy
should be respected.  Any views or
opinions are solely those of the author
and do not necessarily represent those
of the Trencor Group, or any of its
representatives, unless specifically
stated.  

Email transmission cannot be guaranteed
to be secure, error free or without virus
contamination.  The sender therefore
accepts no liability for any errors or
omissions in the contents of this message,
nor for any virus infection that might result
from opening this message.  Trencor is not
responsible in the event of any third party
interception of this email.   

If you have received this email in error please notify
[EMAIL PROTECTED]   For more information about
Trencor, visit www.trencor.net http://www.trencor.net
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Monitoring with HP OpenView

[Jimmy Andersson]

[Regarding the monitoring comparison]

I got a response from HP that I should send this URL to you guys. 

http://www.openview.hp.com/products/smartplugins/spis/Documents/Product_
HTML-516.asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directoryv
Whistler Tech Beta Program Member
Windows Pre-release Community Member


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Monitoring AD

[Jimmy Andersson]

I'll send it to you :)

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member




-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Graham Turner
Sent: den 10 november 2002 16:30
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Monitoring AD


Jimmy, don't know if this was an open invite - but I would certaintly be
a glad recipient of said comparison.

Graham Turner

- Original Message -
From: Jimmy Andersson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 09, 2002 3:47 PM
Subject: RE: [ActiveDir] Monitoring AD


 I did a functionality comparison between BMC Patrol, Multicenter and 
 HP OpenView OVO7 for a customer a couple of months ago, let me know 
 (by private e-mail) if you want it.

 Also, see www.netiq.com

 Regards,
 /Jimmy
 --
 Jimmy Andersson, Q Advice AB
 Microsoft MVP - Active Directory
 Whistler Tech Beta Program Member
 Windows Pre-release Community Member




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Mike Baudino
 Sent: den 9 november 2002 15:52
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Monitoring AD


 All,

 I've been asked recently to come up with monitoring requirements for 
 an upcoming AD deployment to roughly 120 offices, all of which will be

 individual sites.  I don't have experience (yet) with AD this size. 
 Vendor whitepapers are little more than thinly disguised salespitches.

 Those companies that offer monitoring products for AD state that it's 
 essential and, oh, by the way, we happen to have just the product for 
 you.  I'm not really able to get a clear picture of how critical it is

 to actively monitor AD and how granular you need to be.

 One company I spoke with said that it's sufficient to monitor DNS and 
 DHCP and they will tell you if anything's up.  I don't buy that, other

 than I believe that availability of DNS and verifying that dynamic 
 update is working and that the DC's are registering, etc.  Another 
 company states that you need very granular monitoring complete with 
 custom scripts, automated tasks, and alerts.  Microsoft says that all 
 we need is MOM.

 Well, MOM's out as our mandate is to have a monitoring product that is

 cross platform (we also have various flavors of UNIX and some big 
 iron). Our current product is from the first company I mentioned in 
 the previous paragraph.

 I believe the truth is somewhere between the two companies.  I'm 
 looking for suggestions based on practical experience though.  Anyone 
 want to share?


 Thanks,
 MIke



 *** PLEASE NOTE ***
 This E-Mail/telefax message and any documents accompanying this 
 transmission may contain privileged and/or confidential information 
 and is intended solely for the addressee(s) named above.  If you are 
 not the intended addressee/recipient, you are hereby notified that any

 use of, disclosure, copying, distribution, or reliance on the contents

 of this E-Mail/telefax information is strictly prohibited and may 
 result in legal action against you. Please reply to the sender 
 advising of the error in transmission and immediately delete/destroy 
 the message and any accompanying documents.  Thank you.


 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Monitoring AD

[Jimmy Andersson]

I did a functionality comparison between BMC Patrol, Multicenter and HP
OpenView OVO7 for a customer a couple of months ago, let me know (by
private e-mail) if you want it.

Also, see www.netiq.com

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member




-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Mike Baudino
Sent: den 9 november 2002 15:52
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Monitoring AD


All,

I've been asked recently to come up with monitoring requirements for an
upcoming AD deployment to roughly 120 offices, all of which will be
individual sites.  I don't have experience (yet) with AD this size.
Vendor whitepapers are little more than thinly disguised salespitches.
Those companies that offer monitoring products for AD state that it's
essential and, oh, by the way, we happen to have just the product for
you.  I'm not really able to get a clear picture of how critical it is
to actively monitor AD and how granular you need to be.

One company I spoke with said that it's sufficient to monitor DNS and
DHCP and they will tell you if anything's up.  I don't buy that, other
than I believe that availability of DNS and verifying that dynamic
update is working and that the DC's are registering, etc.  Another
company states that you need very granular monitoring complete with
custom scripts, automated tasks, and alerts.  Microsoft says that all we
need is MOM.

Well, MOM's out as our mandate is to have a monitoring product that is
cross platform (we also have various flavors of UNIX and some big iron).
Our current product is from the first company I mentioned in the
previous paragraph.

I believe the truth is somewhere between the two companies.  I'm looking
for suggestions based on practical experience though.  Anyone want to
share?


Thanks,
MIke



*** PLEASE NOTE ***
This E-Mail/telefax message and any documents accompanying this
transmission may contain privileged and/or confidential information and
is intended solely for the addressee(s) named above.  If you are not the
intended addressee/recipient, you are hereby notified that any use of,
disclosure, copying, distribution, or reliance on the contents of this
E-Mail/telefax information is strictly prohibited and may result in
legal action against you. Please reply to the sender advising of the
error in transmission and immediately delete/destroy the message and any
accompanying documents.  Thank you.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Pruning printers from AD

[Jimmy Andersson]

Title: Message



Printer Pruner May Not Remove Printer Queue Objects from Active 
Directory:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q246174

If 
you'd like to see the printer objects:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q235925

Regards,
/Jimmy
--Jimmy Andersson, Q 
Advice ABMicrosoft MVP - Active DirectoryWhistler Tech Beta Program 
MemberWindows Pre-release Community Member

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Lev ZdenìkSent: den 8 november 2002 
  16:51To: [EMAIL PROTECTED]Subject: 
  [ActiveDir] Pruning printers from AD
  Hello evr, I had to reinstall my print server (W2K) which was a member server of 
  my AD domain. After that I installed all my printers to the reinstalled print 
  server. Now when I am searching printers in AD there are old and new 
  one.
  How Can I prune those old printers from 
  AD THX ZL 

RE: [ActiveDir] Pruning printers from AD

[Jimmy Andersson]

If you'd like to see the printer objects:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q235925
 
Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Active Directory
Whistler Tech Beta Program Member
Windows Pre-release Community Member




-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Lev Zdenìk
Sent: den 8 november 2002 17:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Pruning printers from AD


I have tried to find printers object by ADSI edit but without success.
Where it is located ? Thx Z.


-Original Message-
From: Tony Murray [mailto:tony;mail.activedir.org]
Sent: Friday, November 08, 2002 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Pruning printers from AD


Well, you can do it manually, but removing the old printQueue objects
using ADSIEdit or LDP.  

How long have you waited?  The pruning service is governed by Group
Policy settings.  The default setting is that the service will try to
check the printer availability (on the print server) three times at 8
hour intervals, after which it removes the printer objects from AD.

Check your GPO settings and also check the Spoolsv.exe process is
running on at least one DC in your domain.

Tony

-- Original Message --
From: =?iso-8859-2?Q?Lev_Zden=ECk?= [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Nov 2002 16:50:53 +0100

Hello evr,
I had to reinstall my print server (W2K) which was a member server of my
AD domain. After that I installed all my printers to the reinstalled
print server. Now when I am searching printers in AD there are old and
new one. How Can I prune those old printers from AD THX ZL



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] OT: Receiving Posts out of order

[Jimmy Andersson]

Title: Message



I see 
the same weird thing

Regards,
/Jimmy
--Jimmy Andersson, Q 
Advice ABMicrosoft MVP - Active DirectoryWhistler Tech Beta Program 
MemberWindows Pre-release Community Member

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Sullivan, KevinSent: den 8 november 2002 
  19:20To: [EMAIL PROTECTED]Subject: 
  [ActiveDir] OT: Receiving Posts out of order
  
  Sorry for the way off topic but I 
  seem to receive some responses before I get the original posts. Hours apart. 
  Also sometimes when I post I dont see the post for a few hours. Is anyone 
  else experiencing this and any suggestions?
  
  Thanks
  
  Sent at 1:20 PM 
  11/8/02
  

RE: [ActiveDir] IIS Question on DC

[Jimmy Andersson]

Title: Message



No.
Regards,
/Jimmy
--Jimmy Andersson, Q 
Advice ABMicrosoft MVP - Active DirectoryWhistler Tech Beta Program 
MemberWindows Pre-release Community Member

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Don Murawski (Lenox)Sent: den 7 november 2002 
  17:43To: [EMAIL PROTECTED]Subject: 
  [ActiveDir] IIS Question on DC
  Is there a reason 
  why IIS should be on a DC?
  
  
  Don L Murawski
  Sr. Network Administrator - MCSE 4.0, 
  2000
  WorldTravel BTI
  1055 Lenox Park Blvd
  Suite 420
  Atlanta, GA 30319
  Phone: (404) 923-9468
  Fax: (404) 
  949-6710
  Cell: (678) 
  549-1264