RE: [ActiveDir] Delete ad object without Tombstone lifetime.
WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Details please?

Thanks,
Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, August 11, 2004 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

OK, if you had only Windows 2000 or even a hybrid this would not be particularly feasible nor advisable, but since you don't, it's going to be just peachy assuming you're at forest functional level 2 (Server 2003 Native) ... if you're not, it's still doable, just a lot more awkward and less than supported.

WARNING - I'd like to point out to you that misuse of this feature can entirely (and nigh on irrecoverably) destroy a forest

Windows 2003's Active Directory supports two applicable LDAP features: dynamic objects and dynamic auxiliary classes.

1. Dynamic aux. classes allow you to bolt an auxiliary class to new object instances without having first made any schema alterations (i.e. no schema modification of any kind occurred). The attributes assigned to the auxiliary class then become available to the object instance(s) to which the aux. class was assigned.

2. Dynamic objects provide a means by which a TTL (using a unit of seconds) can be written to an object, after which time it self-expires ~simultaneously on all DCs without the need for a tombstone.

By using dyn. aux. classes we can dynamically bolt the dynamicObject class to new object instances, which serves to provide us the attributes we need; most prominently entryTTL. When the entryTTL is populated, the directory service calculates an effective time of death and writes that to msDS-Entry-Time-To-Die (both attributes are actually constructed depending on how they're used).

I've not attempted this with CSVDE but have done so numerous times via code and through LDIFDE, so I'll leave it to you to attempt the LDIF(DE) to CSV(DE) conversion. Here's an example LDIF file that creates a contact beneath the domain root using the default-minimum TTL of 15 minutes (this default can be reduced if it's too high) -

[Begin LDIF file named foo.ldif]
dn: cn=suicidal,dc=X
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: 901
[/LDIF file]

... here's the command line syntax to inject its content -

ldifde -i -f foo.ldif -c DC=X <your distinguished name here>

... for example -

ldifde -i -f foo.ldif -c DC=X dc=mset,dc=local

Hope that proves useful.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 8:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

I have a Windows 2003 domain exclusively.

Olivier BATARD, Systems Technician - ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 11 August 2004 14:41
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delete ad object without Tombstone lifetime.

Do you have Windows 2000, 2003 or a combination?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BATARD olivier
Sent: Wednesday, August 11, 2004 5:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delete ad object without Tombstone lifetime.

Hello,

I'm testing a csvde file and I want to delete objects directly, without tombstone lifetime. How can I do that?

Thanks,
Olivier BATARD, Systems Technician - ext. 1655
Internal Management
SIGMA Informatique
http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
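The LDIF-to-CSVDE conversion that Dean leaves to the reader, the -c DC=X substitution and the minimum-TTL check, as an added example in Python; this is not code from the thread, and neither ldifde nor csvde has a scripting API, so it only builds and converts the text files those tools consume. It assumes DynamicObjectMinTTL is still at the Windows Server 2003 default of 900 seconds (check msDS-Other-Settings on the Directory Service object if the forest has changed it) and reuses dc=mset,dc=local from Dean's post as the real base DN.

```python
"""Build a dynamicObject LDIF record and convert it to csvde's CSV format.

Added example, not code from the thread. csvde has no changetype column (it
can only add objects), multi-valued attributes such as objectClass go into
one cell joined by ';', and the -c FromDN ToDN option on both tools is a
plain string substitution on DNs, which substitute_dc() mimics.
"""
import csv
import io
import re

# Windows Server 2003 default for DynamicObjectMinTTL (msDS-Other-Settings on
# the Directory Service object). Assumed unchanged here; read it from the DC
# if in doubt.
DEFAULT_MIN_TTL = 900


def ttl_is_acceptable(ttl_seconds, min_ttl=DEFAULT_MIN_TTL):
    """The DC will not honour a TTL below its minimum as written, so an object
    you expected to live 60 s would still be around 15 minutes later."""
    return isinstance(ttl_seconds, int) and ttl_seconds >= min_ttl


def build_dynamic_object_ldif(rdn, structural_class, ttl_seconds, base_dn="DC=X",
                              min_ttl=DEFAULT_MIN_TTL, extra_attrs=None):
    """Return one LDIF add record that bolts dynamicObject onto structural_class."""
    if not ttl_is_acceptable(ttl_seconds, min_ttl):
        raise ValueError(f"entryTTL {ttl_seconds!r} is below the DC minimum of {min_ttl} s")
    lines = [f"dn: {rdn},{base_dn}", "changetype: add",
             f"objectClass: {structural_class}", "objectClass: dynamicObject",
             f"entryTTL: {ttl_seconds}"]
    for attr, value in (extra_attrs or {}).items():
        lines.append(f"{attr}: {value}")
    return "\n".join(lines) + "\n"


def parse_ldif_add_records(text):
    """Parse plain LDIF into [(dn, {attr: [values]})]: adds only, no base64, no wrapping."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        dn, attrs, changetype = None, {}, "add"
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if line.startswith(" "):
                raise ValueError("LDIF line continuation is not handled here")
            key, _, value = line.partition(":")
            if value.startswith(":"):
                raise ValueError(f"base64 value for {key} is not handled here")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            elif key.lower() == "changetype":
                changetype = value.lower()
            else:
                attrs.setdefault(key, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn")
        if changetype != "add":
            raise ValueError(f"csvde can only import adds; {dn} is a {changetype}")
        records.append((dn, attrs))
    return records


def substitute_dc(dn, placeholder, real_base):
    """What 'ldifde -c placeholder real_base' does: case-insensitive text replacement."""
    return re.sub(re.escape(placeholder), lambda _m: real_base, dn, flags=re.IGNORECASE)


def ldif_to_csvde(text, placeholder="DC=X", real_base=None):
    """Emit a csvde -i compatible file: a header row of attribute names, DN first."""
    records = parse_ldif_add_records(text)
    if real_base:
        records = [(substitute_dc(dn, placeholder, real_base), a) for dn, a in records]
    columns = ["DN"]
    for _dn, attrs in records:
        for attr in attrs:
            if attr not in columns:
                columns.append(attr)
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for dn, attrs in records:
        writer.writerow([dn] + [";".join(attrs.get(c, [])) for c in columns[1:]])
    return out.getvalue()


if __name__ == "__main__":
    ldif = build_dynamic_object_ldif("cn=suicidal", "contact", 901)
    print(ldif)
    print(ldif_to_csvde(ldif, real_base="dc=mset,dc=local"))
```

csvde -i -f foo.csv imports the output. Because csvde has no changetype column, the same file can never express the delete Olivier originally asked about; that is the whole point of the TTL, the object removes itself on every DC once msDS-Entry-Time-To-Die passes.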
RE: [ActiveDir] Another new joeware tool - GCChk
Don't even get me started on medial searches, which in my mind was one of the glaring deficiencies with W2K AD compared to the other LDAP-based directories I'm familiar with (e.g., iPlanet/SunOne/Java whatever). With W2K, you might as well not even try them. Horrible performance. In a 50k object domain I've seen medial searches tack on another 10 seconds to the query time (compared to the same query but with the leading star removed). Allowing users to configure tuple indexes in W2K3 is fine, but IMO tuple indexing should be the norm for common attributes.

Sync'ing objects to another directory for the sole purpose of finding conflict objects sounds like an overcomplicated solution to me. How about if MS just flagged conflict objects as being in conflict via some attribute :-? Telling people to install ADAM and download the AD/ADAM synchronizer is going to sound too much like work to do something as (conceptually) simple as finding conflict objects.

Joe, here are the types of objects I consider to be "bad":
- conflict objects
- lingering objects
- objects w/o GUIDs
- objects in the LostAndFound container
- user objects w/ dup SIDs
- user objects w/ dup UPNs

Then there are a bunch of data maintenance related things I consider "not optimal":
- missing subnet objects (requires parsing the system event log on DCs)
- sites with no subnets (or site links)
- computer objects for Windows 2000 and higher computers that have a password age of 6 months or more
- groups with no members
- GPOs that aren't linked
- etc.

I'm sure there are many others people can think of.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

Whether this is of interest or not would be related to the # of times the search is run. The more often you plan on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N >= 3.

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

This statement comes with the assumption that all CNFs are consistently found on all DSAs throughout the forest, as if this is not true, looking at one DSA's CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption. (think lingering objects) If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the perf there, probably not a big deal given usage of this DSA.

For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as you get the one before it (despite the amount of time the page took to deliver)? Does that help the timeout problem at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

The only things I can think of are

1. Use a standard LDAP query and crank the timeout value through the roof (-t option in adfind).

2. Have a program that keeps track of USNs when it does its searches so that it can have the last USN that was in place when it did its last search. That would dramatically limit the number of objects. However if you pointed at a new DC or had to rebuild the DC or the first time you ran it, it would have to start at the beginning anyway.

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

Kind of would be interesting to have a "bad" things service that watched for "bad" things in the directory and would flag them out when it found them. These objects would be good things to flag, what else could be flagged? Objects w/o GUIDs? What else?

From: [EMAIL PROTECTED
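Robbie's list as a single scan, as an added example in Python; it is not joeware's GCChk and not code from the thread. Each check reads plain attributes, so it only replaces the medial cn=*CNF:* search Joe and Eric discuss if you can afford to pull the objects once (paged, as Eric suggests) rather than search for them. The sample directory, GUIDs and SIDs are constructed, apart from the two well-known default GPO GUIDs; lingering objects are left out because they only appear when one naming context is compared across two DCs, which a single export cannot do.

```python
"""Flag the "bad" and "not optimal" objects from the list in one pass.

Added example; it is neither joeware's GCChk nor code from the thread. It
runs over an in-memory list of objects shaped like the attributes an LDAP
search returns (the sample below is constructed). Lingering objects are
left out on purpose: they only show up when the same naming context is
compared across two DCs.
"""
import re
from collections import defaultdict

# 100 ns ticks between 1601-01-01 (the FILETIME epoch pwdLastSet uses) and 1970-01-01
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000
STALE_COMPUTER_DAYS = 180
# A conflict object's name becomes "<old name>\nCNF:<objectGUID>"; the line feed is escaped as \0A in DN strings
CNF_RE = re.compile(r"\nCNF:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# gPLink on a domain/OU/site is a run of "[LDAP://<GPO DN>;<options>]" entries
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def filetime_to_unix(filetime):
    return (int(filetime) - FILETIME_EPOCH_DIFF) // 10_000_000


def linked_gpo_dns(objects):
    return {dn.lower() for o in objects for dn, _opts in GPLINK_RE.findall(o.get("gPLink") or "")}


def scan(objects, now_unix):
    """Return [(dn, reason)] for every object that fails one of the checks."""
    findings = []
    sids, upns = defaultdict(list), defaultdict(list)
    linked = linked_gpo_dns(objects)
    for o in objects:
        dn = o["distinguishedName"]
        classes = {c.lower() for c in o.get("objectClass", [])}
        if CNF_RE.search(o.get("name", "")):
            findings.append((dn, "conflict object"))
        if not o.get("objectGUID"):
            findings.append((dn, "object without objectGUID"))
        if re.search(r",CN=LostAndFound(Config)?,", dn, re.IGNORECASE):
            findings.append((dn, "object in LostAndFound"))
        # computer inherits from user, so keep computers out of the user-only checks
        if "user" in classes and "computer" not in classes:
            if o.get("objectSid"):
                sids[o["objectSid"]].append(dn)
            if o.get("userPrincipalName"):
                upns[o["userPrincipalName"].lower()].append(dn)
        if "computer" in classes and o.get("pwdLastSet"):
            age_days = (now_unix - filetime_to_unix(o["pwdLastSet"])) // 86400
            if age_days >= STALE_COMPUTER_DAYS:
                findings.append((dn, f"computer password age {age_days} days"))
        if "group" in classes and not o.get("member"):
            findings.append((dn, "group with no members"))
        if "grouppolicycontainer" in classes and dn.lower() not in linked:
            findings.append((dn, "GPO not linked anywhere"))
    for sid, dns in sids.items():
        if len(dns) > 1:
            findings.append((";".join(dns), f"duplicate SID {sid}"))
    for upn, dns in upns.items():
        if len(dns) > 1:
            findings.append((";".join(dns), f"duplicate UPN {upn}"))
    return findings


# Constructed sample directory. GUIDs and SIDs are made up, except the two well-known default GPO GUIDs.
NOW = 1_089_676_800  # 2004-07-13 00:00:00 UTC, about when the thread ran
BASE = "DC=example,DC=local"
USER = ["top", "person", "organizationalPerson", "user"]
CNF_GUID = "0f6c3d7a-9c46-4e3b-8f1d-2a1b3c4d5e6f"
DEFAULT_DOMAIN_GPO = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System," + BASE
DEFAULT_DC_GPO = "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System," + BASE


def filetime(unix):
    return unix * 10_000_000 + FILETIME_EPOCH_DIFF


SAMPLE = [
    {"distinguishedName": f"CN=jsmith,CN=Users,{BASE}", "name": "jsmith", "objectClass": USER,
     "objectGUID": "g1", "objectSid": "S-1-5-21-1-2-3-1105", "userPrincipalName": "jsmith@example.local"},
    {"distinguishedName": f"CN=jsmith\\0ACNF:{CNF_GUID},CN=Users,{BASE}", "name": f"jsmith\nCNF:{CNF_GUID}",
     "objectClass": USER, "objectGUID": CNF_GUID, "objectSid": "S-1-5-21-1-2-3-1106",
     "userPrincipalName": "JSmith@example.local"},
    {"distinguishedName": f"CN=oldbox,CN=LostAndFound,{BASE}", "name": "oldbox", "objectClass": USER + ["computer"],
     "objectGUID": "g3", "objectSid": "S-1-5-21-1-2-3-1107", "pwdLastSet": filetime(NOW - 200 * 86400)},
    {"distinguishedName": f"CN=Empty,OU=Groups,{BASE}", "name": "Empty", "objectClass": ["top", "group"],
     "objectGUID": "g4", "member": []},
    {"distinguishedName": DEFAULT_DOMAIN_GPO, "objectClass": ["top", "container", "groupPolicyContainer"], "objectGUID": "g5"},
    {"distinguishedName": DEFAULT_DC_GPO, "objectClass": ["top", "container", "groupPolicyContainer"], "objectGUID": "g6"},
    {"distinguishedName": BASE, "objectClass": ["top", "domain", "domainDNS"], "objectGUID": "g7",
     "gPLink": f"[LDAP://{DEFAULT_DOMAIN_GPO};0]"},
    {"distinguishedName": f"CN=noguid,CN=Users,{BASE}", "name": "noguid", "objectClass": USER, "objectGUID": "",
     "objectSid": "S-1-5-21-1-2-3-1105", "userPrincipalName": "noguid@example.local"},
]


def run_sample():
    return scan(SAMPLE, NOW)


if __name__ == "__main__":
    for dn, reason in run_sample():
        print(f"{reason:32} {dn}")
```

Against a real domain you would feed scan() the result of a paged search for (objectClass=*) requesting only the attributes it reads, and run it per DC: a conflict or LostAndFound object present on one DSA and absent on another is itself the finding, which is Eric's point about not trusting a single DSA.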
RE: [ActiveDir] Redirecting Comps
I tried this as well a while back and it didn't work for me on W2K.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, July 11, 2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Redirecting Comps

Only one real way to know for sure. :oP I think I tried this though once and it wouldn't let me do it... Definitely worth another try though.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, July 11, 2004 5:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Redirecting Comps

I'm aware of this. I'm trying to understand if the manual change will work in 2k domains/dcs.

--Brian

-Original Message-
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Sun 7/11/2004 1:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Redirecting Comps

in 2003 you can use redircmp.exe or redirusr.exe

C:\WINDOWS\system32>redircmp.exe /?
Usage: redircmp CONTAINER-DN
where CONTAINER-DN is the distinguished name of the container that will become the default location for newly created computer objects
Note: The domain functional level must be at least Windows Server 2003

- Original Message -
From: "Brian Desmond" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 10, 2004 10:24 PM
Subject: [ActiveDir] Redirecting Comps

In pt 8.12 of the AD Cookbook, Robbie talks about modifying the wellknown value by hand. Does this work in a non 2003 native domain? Same with the users CN

--Brian

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2003 DC Promo Question....
That was me. That and the Joeware trucker hat. :-P

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 09, 2004 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

You said you bought the thong. And I didn't make you!

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 09, 2004 7:16 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question

Nothing personal Todd ... I don't like you any less than the next person :-) except maybe those persons who develop free Active Directory tools and then make you wear their tee-shirts ;-)

28 seconds ... phew, I thought I was going to go over on that one!

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, July 09, 2004 6:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

I must not have been nice to the folks at the DEC in DC. Dean wasn't even there though, so he doesn't have a reason to be snubbing me.

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 6:06 PM
To: 'joe'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

And BTW, where were all you smart guys earlier when Todd was in need of an answer and you could have responded before I made myself look like a boob. Oh yeah, good to see you posting again Guido. Oh and Dean, you have been quiet lately too, but good to see you are still watching for my dumb-a** posts so you can thump me right proper. :o)

joe

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 6:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 DC Promo Question

Yeah, I looked around, I can't find where I might have read that and it was a long time ago. I found a doc that I could have interpreted that way had I been out drinking with Guido and Dean, but not sober. So either I was drunk or the doc disappeared, though I swear I had heard this separately as well as I recall being, WTF! But then wasn't too worried as I do not do OS upgrades unless it is absolutely unavoidable, which is almost never (NT4 to 2K was an exception, at least for the PDC...)

Todd, I am curious what you saw now as I had it in my mind it was a possibility. Now it seems it isn't, so what happened?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

I can confirm that you have to transfer the role manually - 2003 won't try to do this by itself.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 9 July 2004 16:32
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hmmm ... re: "If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it will pull the PDC functionality to it"; nothing I've witnessed would seem to back that up. In the event I'm just a bad witness or someone with the retention of a Gold Fish and they do indeed do that, it's just plain wrong, wrong, wrong. PDC physical placement is important in certain scenarios; to arbitrarily move the role during an upgrade process could have significant security implications.

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 9:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hey Todd. If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it will pull the PDC functionality to it. If you DCPROMO in a fresh K3 it will not pull the role from what I have seen with the domains I have been involved with. Personally though, I am not into upgrades of OSes, much rather wipe and reload. A brilliant friend of mine once came up with a method for us to do that remotely that we used for NT4 to 2K. We would shoot the load down to the machine, then fire up a script that would look at some config info and store it, then boot into Win98 and slam the load down on the machine and reconfigure it when it finished rebuilding.

While you should move those roles I don't believe there is an absolute requirement EXCEPT for the Domain Naming role, which may be needed for setting up DNS App partitions. The PDC role should be moved just so that it can create the
RE: [ActiveDir] AD Monthly E-Mail Newletter?
On a similar note, if you are interested in the latest industry news on AD and directory services, the latest AD-related downloads from MS, and don't mind some general observations from me, you might want to check out my Active Directory blog: http://www.rallenhome.com/blog/adcookbook/

Robbie Allen

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 21 Jun 2004 18:32:01 +1000

Jackson - ditto with the other e-mails that have been doing the rounds. Like Guido said, it would be great if it was an honest newsletter with some handy points on some of the problems that are out there ... and not just a sales pitch.

Regards,
Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Saturday, June 19, 2004 4:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Monthly E-Mail Newletter?

I've been doing focus groups with mid-market customers (avg ~100-500 employees) over the last few days and have both learned a lot about their pains and where they get information about Active Directory. A number of customers suggested that we consider a monthly AD-focused newsletter where we could inform recipients of new AD content, case studies and perhaps give the opportunity to well known industry folks to provide a short column. The newsletter would focus on how customers solve particular pains using AD or other technologies that leverage AD like Exchange, MIIS, etc. Or, maybe it is a web site with an RSS feed.

There is no way that such a newsletter could replace a community like the one associated with this mailing list, but I do believe it could serve the purpose of highlighting AD and informing customers - especially smaller customers and consultants - about new developments around AD.

My question to this group is: How useful do you think such a newsletter would be to you or your customers? Last thing I want to do is create more spam for anyone's Inbox.

Thoughts? Feel free to reply directly to me, if you'd like.

Best,
Jackson Shaw
Product Manager, Directory Services
[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] scripting admin
But of course :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 16, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] scripting admin

And you are writing this in perl I assume?

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
Sent: Thursday, April 15, 2004 8:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] scripting admin

On a related note, I'm working on a VBScript to Perl code converter. Input some VBScript code and output the (roughly) equivalent Perl code. I just started a couple of weeks ago, but should have something in a month or so if anyone is interested.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, April 14, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] scripting admin

I'll second this. I've only run into one thing where I couldn't get Perl to work (deep, dark, ugly MAPI stuff...) Other than that, it's almost trivial to look at VBScript and convert it to perl.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 13, 2004 11:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] scripting admin

I say Perl... The ActiveState dist is great. I am not aware of anything off the top of my head you can do in vbscript that you can't do in perl. You may want to learn enough vbscript to convert vbscripts others have written to perl. Overall for really simple things vbscript may be easier at first glance, but as the complexity rises vbscript shows its issues and perl starts to shine. Grab Robbie Allen's AD Cookbook which has some perl in it, also his Managing Enterprise Active Directory Services has quite a bit of perl in it. Most everything I tend to post here in terms of scripts and do in general is perl.

joe
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, April 13, 2004 10:32 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] scripting admin

Sorry for what is more of a personal advice question - I'm a Perl guy and I was wondering if, for proper Windows scripting, I should learn VBScript or can I get away with most admining with Perl and ActiveState? I run a couple of Linux and Unix servers, so Perl makes sense, but would it behoove me to learn VBScript or even VB to effectively script my Win2k AD environment, or can I get away with Perl and its integer conversion et al and be a good admin mastering only one language?

Thanks in advance

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Integrate Linux with AD
Depends on what you want to do. As far as allowing Linux clients to authenticate against AD, SFU doesn't do everything. The solutions guide is OK, but don't give it to any of your Linux/UNIX people to read ;-)

Regards,
Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, February 06, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrate Linux with AD

Hot off the press. Solution Guide for Windows Security and Directory Services for UNIX: using Active Directory and Kerberos for authentication and identity store in a heterogeneous UNIX and Windows IT environment.
http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en

Could I use Services for Unix? Would that work instead of buying VAS?

Jennifer

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] How to track object deletion?
FYI, lastKnownParent is not supported on W2K.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, January 20, 2004 9:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to track object deletion?

Joe-
In Server 2003, lastKnownParent is reliably populated with the last known home of the deleted object. However, I've not tried Win2K and it's quite possibly not.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 20, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to track object deletion?

Hey Darren, have you ever seen that attribute populated? I don't recall ever seeing it on any objects. I never looked deeply into it though to see what it was legally linked to.

Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 19, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to track object deletion?

Check the lastKnownParent attribute on the deleted object.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 19, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to track object deletion?

Hello, AD gurus.

I've been developing a DirSync program that tracks object changes in AD. Everything is fine except for object deletion. When an AD object is deleted, as everybody knows here, it is tombstoned. As I figured out, that means that the object is moved to the hidden container called 'Deleted Objects'. So when I delete an object, DirSync returns me the following

CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted Objects,DC=sbhbd1,DC=local

as the DN of the changed object. In the example above I deleted the object with DN:

CN=user1,CN=Users,DC=sbhbd1,DC=local.

But I've lost some part of the original object DN like: * ,CN=Users, *

The question is: How to track AD object deletion? I need to know the object's original DN, but AD hides it from me. I don't want to keep a copy of the original AD or whatever similar to it.

Thanks in advance!

--
Best regards,
(mailto:[EMAIL PROTECTED]) 19.01.2004, 18:27

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
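One way to answer the original question, as an added example in Python that is not from the thread: the tombstone DN DirSync returns is parsed back into its pre-deletion RDN and objectGUID, and lastKnownParent (Windows Server 2003 only, as Robbie notes) supplies the rest. The DN in the post reads CN=user1\DEL:...; the form a DC actually returns is CN=user1\0ADEL:..., where \0A is the escaped line feed, and that is what the parser expects. The {objectGUID: DN} snapshot is the fallback for Windows 2000, where lastKnownParent is not available.

```python
"""Put the original DN of a deleted object back together from its tombstone.

Added example, not from the thread. When AD tombstones an object it rewrites
the RDN to "<old RDN>\0ADEL:<objectGUID>" (\0A is the escaped line feed) and
reparents it under CN=Deleted Objects of its naming context; that is the DN
DirSync returns. Windows Server 2003 also stamps lastKnownParent with the DN
of the container the object was deleted from, so the two together recover the
original DN. On Windows 2000 lastKnownParent does not exist, and the only
option is the caller's own earlier snapshot of DN by objectGUID.
"""
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TOMBSTONE_RE = re.compile(
    r"^(?P<rdn>.+?)\\0ADEL:(?P<guid>" + GUID + r"),CN=Deleted Objects,(?P<nc>.+)$",
    re.IGNORECASE)


def parse_tombstone_dn(dn):
    """Split a tombstone DN into its pre-deletion RDN, objectGUID and naming context."""
    m = TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError(f"not a tombstone DN: {dn}")
    return {"rdn": m["rdn"], "guid": m["guid"].lower(), "naming_context": m["nc"]}


def is_tombstone_dn(dn):
    return TOMBSTONE_RE.match(dn) is not None


def original_dn(deleted_dn, last_known_parent=None, snapshot=None):
    """Return the DN the object had before deletion, or None if it cannot be known.

    Order of preference: lastKnownParent (Windows Server 2003 DCs), then a
    caller-maintained {objectGUID: DN} snapshot (the Windows 2000 fallback).
    A lastKnownParent that is itself a tombstone DN means the container was
    deleted as well; it is resolved through the snapshot too.
    """
    parts = parse_tombstone_dn(deleted_dn)
    if last_known_parent:
        parent = last_known_parent
        if is_tombstone_dn(parent):
            parent = original_dn(parent, snapshot=snapshot)
            if parent is None:
                return None
        if not parent.lower().endswith(parts["naming_context"].lower()):
            raise ValueError("lastKnownParent lies outside the tombstone's naming context")
        return f"{parts['rdn']},{parent}"
    if snapshot and parts["guid"] in snapshot:
        return snapshot[parts["guid"]]
    return None


def track_dirsync_entry(entry, snapshot):
    """Turn one DirSync result into a change record and keep the snapshot current.

    entry is a dict of the attributes DirSync returned; snapshot maps objectGUID
    to the last DN seen for it, so a later deletion can still be explained.
    """
    guid = entry["objectGUID"].lower()
    dn = entry["distinguishedName"]
    if entry.get("isDeleted"):
        before = original_dn(dn, entry.get("lastKnownParent"), snapshot)
        snapshot.pop(guid, None)
        return {"event": "deleted", "objectGUID": guid, "original_dn": before, "tombstone_dn": dn}
    previous = snapshot.get(guid)
    snapshot[guid] = dn
    if previous is None:
        return {"event": "created", "objectGUID": guid, "dn": dn}
    if previous != dn:
        return {"event": "moved_or_renamed", "objectGUID": guid, "from": previous, "to": dn}
    return {"event": "modified", "objectGUID": guid, "dn": dn}


if __name__ == "__main__":
    snap = {}
    guid = "5fce35d1-42dc-4d42-b4d6-fd4a5c773acd"
    print(track_dirsync_entry({"objectGUID": guid,
                               "distinguishedName": "CN=user1,CN=Users,DC=sbhbd1,DC=local"}, snap))
    print(track_dirsync_entry({"objectGUID": guid, "isDeleted": True,
                               "distinguishedName": f"CN=user1\\0ADEL:{guid},"
                                                    "CN=Deleted Objects,DC=sbhbd1,DC=local"}, snap))
```

Key the snapshot on objectGUID, never on DN: a rename or move changes the DN but not the GUID, and the tombstone keeps the GUID, so it is the only stable handle across the object's whole life.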
RE: [ActiveDir] LDIFDE and Perl...
You can find a bunch of Perl Net::LDAP examples here:
http://www.rallenhome.com/books/managingenterprisead/code.html

And the cookbook code page has a lot of Perl ADSI examples:
http://www.rallenhome.com/books/adcookbook/code.html

Let me know if you have any questions.

Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 15, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDIFDE and Perl...

I need to import 1500 user accounts into a test environment; I would like to use LDIFDE. First, is there an easy way to batch or create dummy accounts for a test environment without having to type each one, and second, can any of this be done with Perl? I will also be consulting the Cookbook!

Thanks in advance.
Mike

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
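A generator for the 1500 dummy accounts, as an added example in Python rather than the Perl Mike asks about; it is not from the Cookbook or the thread, and the same loop is trivial in Perl. The OU OU=TestUsers and the domain DC=test,DC=local are assumed names. Accounts are emitted disabled (userAccountControl 514) because ldifde cannot set unicodePwd except over an SSL/TLS-protected LDAP session, and an enabled account with no password fails the domain password policy, so the import would fail object by object.

```python
"""Generate an LDIF file of N disabled test users for ldifde -i.

Added example, not the Cookbook's code. Assumed names: OU=TestUsers and
DC=test,DC=local. Accounts are written with userAccountControl 514
(NORMAL_ACCOUNT | ACCOUNTDISABLE) because ldifde cannot set unicodePwd
without an SSL/TLS session and an enabled, password-less account violates
the domain policy.
"""
from collections import Counter

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
SAM_MAX_LEN = 20  # sAMAccountName limit for user accounts


def user_record(index, ou_dn="OU=TestUsers,DC=test,DC=local", upn_suffix="test.local",
                prefix="testuser"):
    """One LDIF add record; sAMAccountName must be unique and at most 20 characters."""
    sam = f"{prefix}{index:04d}"
    if len(sam) > SAM_MAX_LEN:
        raise ValueError(f"sAMAccountName {sam!r} exceeds {SAM_MAX_LEN} characters")
    lines = [
        f"dn: CN={sam},{ou_dn}",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        f"cn: {sam}",
        f"sAMAccountName: {sam}",
        f"userPrincipalName: {sam}@{upn_suffix}",
        "givenName: Test",
        f"sn: User{index:04d}",
        f"displayName: Test User{index:04d}",
        f"userAccountControl: {NORMAL_ACCOUNT | ACCOUNTDISABLE}",
    ]
    return "\n".join(lines) + "\n"


def generate_ldif(count, **kwargs):
    """Records separated by a blank line, as LDIF requires."""
    return "\n".join(user_record(i, **kwargs) for i in range(1, count + 1))


def check_ldif(text):
    """Pre-flight the file the way ldifde would fail it: count records and reject
    duplicate or over-long sAMAccountNames before a half-finished import."""
    sams, records = [], 0
    for line in text.splitlines():
        if line.startswith("dn:"):
            records += 1
        elif line.startswith("sAMAccountName:"):
            sams.append(line.split(":", 1)[1].strip())
    dups = sorted(s for s, n in Counter(sams).items() if n > 1)
    too_long = [s for s in sams if len(s) > SAM_MAX_LEN]
    if dups or too_long:
        raise ValueError(f"duplicate sAMAccountName {dups}, too long {too_long}")
    return records


if __name__ == "__main__":
    ldif = generate_ldif(1500)
    print(f"{check_ldif(ldif)} records")
    with open("testusers.ldif", "w", encoding="ascii") as fh:
        fh.write(ldif)
    # then: ldifde -i -k -f testusers.ldif   (-k carries on past per-object errors)
```

Once the accounts exist, set passwords over LDAPS (ldifde -t 636 with a unicodePwd modify, or a script) and flip userAccountControl to 512 to enable them.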
RE: [ActiveDir] 2003 NTDS.DIT size
W2K3 AD does single instance store of security descriptors, which can save a lot of space over W2K AD.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 8:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

I blame it on cold water. Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format and how data is stored within. I'm guessing that they've rearranged the table structures to better fit the actual usage patterns.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe Baguley [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

DIT size decreases are certainly what I am seeing in the field, with an 80,000 user AD I deal with shrinking in a similar fashion to the Compaq/HP one described below... Surely some people on here will be able to explain the shrinkage

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 15 January 2004 13:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined DIT file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how typical that is. I'd think worst case you'd end up about the same place you are now. IIRC, there aren't that many schema changes, so the structural size shouldn't change that much.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have a 53,000 user AD environment. The current size of the NTDS.DIT is just under 2GB. I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will grow from 2GB to 21GB. This seems a little hard to believe. We are going to be doing this in the lab shortly, but we are planning additional hardware, and this seems a little "off". Can anyone confirm this?
RE: [ActiveDir] What is your favorite scripting language?
I wrote an article about this topic a few weeks ago:
http://www.oreillynet.com/pub/a/network/2003/11/18/activedir_ckbk.html

There was a fair amount of discussion (at the end of the article), so I asked O'Reilly to host the poll.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 12, 2003 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What is your favorite scripting language?

I'm afraid to ask... but... why is Perl the preferred language (besides that it works on Unix/Linux)?

Rich

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] What is your favorite scripting language?

But I did :oP

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
Sent: Thursday, December 11, 2003 8:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] What is your favorite scripting language?

O'Reilly is hosting a poll for the most popular scripting language on the Windows platform. To vote for your favorite language, visit the O'Reilly website (http://www.oreilly.com/) and look on the right side of the page under O'Reilly Poll.

FYI, Perl has the early lead, and no, I didn't vote twice :-)

Regards,
Robbie Allen
http://www.rallenhome.com/
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I'm really surprised that a virus hasn't tried to use AD as a possible source of new users/computers to attack. It is real easy to write a query to enumerate every user in the domain. Even though Authenticated Users can't read all attributes of users, there are still plenty that are readable. And then there is the issue of modifying the attributes granted to SELF. There are several other ways AD could be used maliciously, but I don't want to give anyone ideas ;-)

This really could become a problem (and a difficult one to solve). As you mentioned, by just looking at DNS, you could get all of the DCs, DNS servers, mail servers, etc. and start spamming them (unless you aren't populating all of them in DNS). I think all the virus writers have been programming geeks/kiddies. A clueful Sys Admin could devise much more creative/damaging exploits than we've seen so far ;-)

To my knowledge there is no way to limit the number of LDAP queries per second. The best you can do is monitor the number of LDAP queries per second (available from Perfmon). It is also good to monitor expensive/inefficient queries (see recipe 15.8).

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, December 11, 2003 4:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I'm not as worried about malicious, entry-changing attacks due to the built-in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead-filled balloon.

Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I don't even think you have to restrict the AD-related virus issue to the file-system. Something that your AV tools won't help you with is a virus that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects. Again, AD will ensure that these malicious changes are replicated to all DCs, and you could end up with quite a disaster which is certainly not very easy to recover from.

/Guido

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 December 2003 14:55
To: [EMAIL PROTECTED]
Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

> DO scan your DCs and reconsider excluding things like the Sysvol

I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this. Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Wed, 10 Dec 2003 23:18:52 +0100

I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ... distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD? No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol, because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with! So go out and check (before you go to bed) whether or not dat-file updates are really succeeding ;-).

Cheers!

John

-----Original Message-----
To: [EMAIL PROTECTED]
Sent: 10-12-2003 18:07
Subject: RE: [ActiveDir] Virus software on DC

Sorry, I
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30 minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.

As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.

Robbie Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 11, 2003 5:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.

It's hard to do a system-wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.

You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.
-gil
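Since, as the thread concludes, a DC offers no per-second LDAP limit and the available control is to watch the Perfmon counter, here is the monitoring side as an added example (not code from the thread): a detector that flags a sustained jump in LDAP searches/sec of the 80 to ~1000 kind Robbie describes. The sample series is constructed; window size, multiplier and minimum run length are tunable assumptions.

```python
"""Spot an LDAP query flood against a DC from perfmon samples of the
'NTDS\\LDAP Searches/sec' counter. As noted in the thread above, the DC
offers no per-second limit, so watching the rate is the available control.

Added example, not code from the thread. The sample series is constructed
to mimic the 80 -> ~1000 queries/sec, 30-minute episode described above;
the window size, multiplier and minimum run length are tunable assumptions.
"""
from statistics import median

SAMPLE_INTERVAL_MIN = 5   # perfmon logging interval assumed for the samples


def detect_ldap_flood(samples, baseline_len=12, factor=5.0, min_run=3):
    """Return [(first_ts, last_ts, peak_rate)] for every sustained spike.

    The threshold is `factor` times the median of the last `baseline_len`
    normal samples. Samples above threshold are held out of the baseline so
    a long flood cannot drag it upward; runs shorter than `min_run` samples
    are treated as blips and dropped.
    """
    baseline, alerts, run = [], [], []
    for ts, rate in samples:
        if len(baseline) < baseline_len:          # still learning normal load
            baseline.append(rate)
            continue
        if rate > factor * median(baseline):
            run.append((ts, rate))
            continue
        if len(run) >= min_run:                    # spike just ended
            alerts.append((run[0][0], run[-1][0], max(r for _, r in run)))
        run = []
        baseline.append(rate)
        baseline.pop(0)                            # slide the window
    if len(run) >= min_run:                        # flood still in progress
        alerts.append((run[0][0], run[-1][0], max(r for _, r in run)))
    return alerts


def constructed_samples():
    """Constructed counter log: an hour of normal load, a 30-minute flood,
    then recovery with one harmless single-sample blip (420)."""
    normal = [78, 82, 80, 85, 79, 81, 77, 83, 80, 84, 79, 80]
    flood = [950, 1010, 990, 1000, 980, 1005]
    tail = [82, 79, 90, 420, 81, 80]
    rates = normal + flood + tail
    return [(f"T+{i * SAMPLE_INTERVAL_MIN:03d}min", r) for i, r in enumerate(rates)]


if __name__ == "__main__":
    for start, end, peak in detect_ldap_flood(constructed_samples()):
        print(f"LDAP flood from {start} to {end}, peak {peak} searches/sec")
```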
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
Neither that I recall. CPU was around 30-40%. In my experience it is not uncommon to see occasional LDAP errors when the CPU reaches that level on DCs (at least with W2K).

Robbie Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 11, 2003 6:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I usually have to run about 10 authentication threads on each of 5 machines to get the CPU over 50% on my 1GHz P3 server. Of course the DIT is essentially empty. I suppose that having them issue some complex query over a large DIT would alter that picture substantially.

That's interesting that clients were getting intermittent errors even though the CPU wasn't pegged. Was the disk or network saturated?

-g
[ActiveDir] What is your favorite scripting language?
O'Reilly is hosting a poll for the most popular scripting language on the Windows platform. To vote for your favorite language, visit the O'Reilly website (http://www.oreilly.com/) and look on the right side of the page under O'Reilly Poll.

FYI, Perl has the early lead, and no, I didn't vote twice :-)

Regards,
Robbie Allen
http://www.rallenhome.com/
RE: [ActiveDir] [Slightly OT] OU of a user in AD
If you want to get the RDN (e.g. cn=Users), use this:

    GetObject(objUser.Parent).Name

If you want to get just the name of the parent (e.g. Users), use this:

    GetObject(objUser.Parent).Get("name")

This isn't the most efficient way to do things if you are going to iterate over a bunch of users. You'd be better off parsing the distinguished name of the user. There are some functions in IADsTools that can help with this if you are interested in that.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, December 05, 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [Slightly OT] OU of a user in AD

Does anyone know if the OU of a user can be retrieved via a script? I am using the following to TRY and set the description of the user to its OU (don't ask), but I can't find an OU parameter or similar that I can query.

    For Each objUser in objDomain
        objUser.description = objUser.ou
        objUser.SetInfo
    Next
RE: [ActiveDir] [Slightly OT] OU of a user in AD
Forward your code and I'll take a look.

Regards,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, December 05, 2003 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] OU of a user in AD

My mistake, it's working ok, but it's not returning what I expected. Just the domain name rather than the OU it resides in.

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: 05 December 2003 16:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] OU of a user in AD

If you want to get the RDN (e.g. cn=Users), use this:

    GetObject(objUser.Parent).Name

If you want to get just the name of the parent (e.g. Users), use this:

    GetObject(objUser.Parent).Get("name")

This isn't the most efficient way to do things if you are going to iterate over a bunch of users. You'd be better off parsing the distinguished name of the user. There are some functions in IADsTools that can help with this if you are interested in that.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, December 05, 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [Slightly OT] OU of a user in AD

Does anyone know if the OU of a user can be retrieved via a script? I am using the following to TRY and set the description of the user to its OU (don't ask), but I can't find an OU parameter or similar that I can query.

    For Each objUser in objDomain
        objUser.description = objUser.ou
        objUser.SetInfo
    Next
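The DN-parsing route Robbie recommends above for iterating over many users, as an added example (not code from the thread or from IADsTools): a small RFC 4514 DN splitter in Python that returns the same two values as the ADSI calls plus the OU path, and that survives escaped commas in a CN. It does not handle multi-valued RDNs joined with '+', which AD does not generate; the sample DNs are constructed.

```python
"""Get a user's parent container by parsing its distinguishedName, the
approach recommended above for iterating over many users instead of
binding to each parent with GetObject(objUser.Parent).

Added example, not code from the thread or from IADsTools. It handles
backslash-escaped characters (an escaped comma or a two-digit hex pair)
but not multi-valued RDNs joined with '+'. Sample DNs are constructed.
"""
from string import hexdigits


def _finish_rdn(buf: bytearray, start: int):
    text = buf.decode("utf-8")
    attr_type, _, value = text.partition("=")
    return (attr_type.strip(), value, start)


def split_dn(dn: str) -> list:
    """Return one (type, value, offset) tuple per RDN, leftmost first.

    `value` is unescaped; `offset` is where the RDN begins in `dn`, so a
    still-escaped suffix such as the parent DN can be sliced out later.
    """
    rdns, buf, start, i, n = [], bytearray(), 0, 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                buf.append(int(pair, 16))                 # hex pair -> one raw byte
                i += 3
            else:
                buf.extend(dn[i + 1].encode("utf-8"))     # escaped , + " etc. -> literal
                i += 2
            continue
        if ch == ",":                                     # unescaped comma ends the RDN
            rdns.append(_finish_rdn(buf, start))
            buf, start = bytearray(), i + 1
        else:
            buf.extend(ch.encode("utf-8"))
        i += 1
    rdns.append(_finish_rdn(buf, start))
    return rdns


def parent_info(dn: str) -> dict:
    """Equivalent of the two ADSI calls discussed above, plus the OU path."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError(f"DN has no parent: {dn!r}")
    p_type, p_value, p_offset = rdns[1]
    return {
        "parent_rdn": f"{p_type}={p_value}",   # what GetObject(objUser.Parent).Name gives
        "parent_name": p_value,                 # what ...Get("name") gives
        "parent_dn": dn[p_offset:],             # bindable DN of the container
        "ou_path": [v for t, v, _ in rdns[1:] if t.upper() == "OU"][::-1],  # root first
    }


if __name__ == "__main__":
    for sample in ("CN=Smith\\, John,OU=Sales,OU=EMEA,DC=example,DC=com",
                   "CN=Administrator,CN=Users,DC=example,DC=com"):
        print(sample, "->", parent_info(sample))
```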
RE: [ActiveDir] UserAccountControl Bitwise question
The problem is the KB article, not you, Mark. The userAccountControl attribute isn't updated when the password expires. Same for the lockout flag.

Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, December 04, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] UserAccountControl Bitwise question

Yeah, I guess that's probably right, just like disabling an account is 512 + 2 = 514. Still, if anyone knows why it wouldn't be changing when the password is expired...

mc

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] UserAccountControl Bitwise question

Shouldn't that be changed to 8389120 instead (512 + 8388608)?

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] UserAccountControl Bitwise question

I thought flagging an account to require password change would change the UserAccountControl attribute from 512 to 8388608 (0x80) (per article KB 305144). But it's not happening. Accounts that are flagged for that are still 512. Am I misunderstanding something? Likely :)

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
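Because, as Robbie says, the directory does not flip the PASSWORD_EXPIRED bit for you, a script has to compute expiry itself from pwdLastSet and the domain's maxPwdAge. The following is an added example (not code from the thread): it decodes userAccountControl bit values like 514 and 8389120 and derives the password state from the attributes that are actually maintained. The flag constants are the documented userAccountControl bits; all attribute values are constructed.

```python
"""Work out whether a user's password has expired without trusting the
PASSWORD_EXPIRED bit (0x800000 = 8388608) of userAccountControl, which,
as noted above, the directory does not set when the password ages out.

Added example, not from the thread. The flag constants are the documented
userAccountControl bits; the attribute values used below are constructed.
"""
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",          # 512
    0x10000: "DONT_EXPIRE_PASSWORD",   # 65536
    0x800000: "PASSWORD_EXPIRED",      # 8388608
}
ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD = 0x0002, 0x10000
NEVER = (0, -2 ** 63)                  # maxPwdAge values meaning "never expires"
FORTY_TWO_DAYS = -36288000000000       # maxPwdAge for a 42-day policy (100-ns ticks)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def flag_names(uac: int) -> list:
    """Decode the bits set in a userAccountControl value (e.g. 514)."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_state(uac: int, pwd_last_set: int, max_pwd_age: int, now: datetime) -> str:
    """Classify one account's password from attributes the DC does maintain.

    max_pwd_age is the domain's maxPwdAge: a NEGATIVE count of 100-ns ticks
    (42 days = -36288000000000); 0 or the INT64 minimum means no expiry.
    """
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if pwd_last_set == 0:
        return "must-change"      # 0 = "user must change password at next logon"
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER:
        return "never-expires"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return "expired" if now >= expires_at else "valid"


if __name__ == "__main__":
    now = utc(2003, 12, 4, 21)
    last_set = datetime_to_filetime(utc(2003, 10, 1))    # constructed: 64 days ago
    print(flag_names(514), flag_names(8389120))
    print(password_state(512, last_set, FORTY_TWO_DAYS, now))
```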
RE: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone
As long as this is on the intranet and you restrict the IPs that can perform zone transfers, there should be no security problems. That's not to say your security team can't invent a problem :-)

Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 17, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone

I would ask them their reasons and then post them here... I can't think of any real reasons as long as your servers are sat internally and talk on your private WAN?

Rob

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 17/11/2003 16:45
Subject: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone

Hi,

Are there any security concerns or issues with creating a secondary DNS zone and doing zone transfer? If you have a root Windows 2000 domain in a different country and want to create a secondary zone for the root domain in the US, what are the security issues associated with the configuration? If the security department is not allowing the creation of a secondary zone because of security reasons, what would be those reasons? Any input would be really appreciated.

Thanks,
Santhosh

(See attached file: winmail.dat)
RE: [ActiveDir] About SIZELIMIT_EXCEEDED
You can get a size limit error due to either server or client size constraints that were exceeded. In your case, you've set the max entries to return to 5. All that error is telling you is that there were more than 5 matches found. This is necessary to allow the client to distinguish between a search that returns all matching results and a search that only returns a subset.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Patrick Gelin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] About SIZELIMIT_EXCEEDED

Hi,

I'm integrating an open-source application using OpenLDAP with Active Directory. I know OpenLDAP doesn't support pagination per RFC 2696, so I can't manage more than 1000 results, but that's enough. My problem is that I fail to avoid the message SIZELIMIT_EXCEEDED even if the OpenLDAP client itself limits the request's result size to only 5...

    ldapsearch -W -x -z 5 -b dc=rpn,dc=ch -D "cn=Utilisateur LDAP,cn=Users,dc=rpn,dc=ch" -h #.###.## -p 3268

    # PC-A, Ordinateurs, rpn.ch
    dn: OU=PC-A,OU=Ordinateurs,DC=rpn,DC=ch
    description: PC Administratifs
    dSCorePropagationData: 20030130154242.0Z
    dSCorePropagationData: 20030130145847.0Z
    dSCorePropagationData: 20020920130143.0Z
    dSCorePropagationData: 20020723160040.0Z
    dSCorePropagationData: 16010714223649.0Z
    gPLink: [LDAP://CN={A8AA7B09-6230-4E5A-8753-6A0EBEB1B05D},CN=Policies,CN=System,DC=rpn,DC=ch;0]
    instanceType: 4
    distinguishedName: OU=PC-A,OU=Ordinateurs,DC=rpn,DC=ch
    objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rpn,DC=ch
    objectClass: top
    objectClass: organizationalUnit
    objectGUID:: fOfmDrou40aaJAhJXFTYxA==
    ou: PC-A
    name: PC-A
    uSNChanged: 3978665
    uSNCreated: 64825
    whenChanged: 20030916115727.0Z
    whenCreated: 20020628141248.0Z

    # search result
    search: 2
    result: 4 Size limit exceeded      <-- I've got what I want, so why this error message?

    # numResponses: 6
    # numEntries: 5

Thanks.

--
Patrick Gelin
Office de la Statistique et de l'Informatique Scolaire
CH-2300 La Chaux-de-Fonds
Canton de Neuchâtel (Suisse)
Tél. +41 (0)32 919 79 23
Email: [EMAIL PROTECTED]
RE: [ActiveDir] DNS Record Timestamp
There are a couple of ways you can get it. If you are a command line hacker, you could use this:

    dnscmd . /enumrecords rallencorp.com foobar /detail | findstr dwTimeStamp

If you are looking to do it via VBScript or Perl, then you'll want to look at the MicrosoftDNS_ResourceRecord WMI class. It has a Timestamp property:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/microsoftdns_resourcerecord.asp

BTW, in what situation does password change date not work if you use a sufficiently long expiration period?

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Marcus Oh [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 8:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Record Timestamp

Curious if anyone knows if the DNS record timestamp can be exposed by script? I'm working on a script to delete old machine accounts. Problem is, machine account age is not always accurate based on the last password change date. I'd like to do a query against DNS and examine the record timestamp as a secondary checkpoint prior to deleting the machine account. Any ideas? :-)
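The two-source check Marcus proposes, as an added example (not code from the thread): convert the DNS record's aging timestamp and the account's pwdLastSet to dates and only call a computer stale when both agree. Assumptions: the DNS value is the dwTimeStamp that the dnscmd /detail output above exposes, which the Windows DNS server stores as whole hours since 1601-01-01 UTC (0 for a static record that is not aged), and pwdLastSet is a FILETIME in 100-ns ticks from the same epoch; all sample values are constructed.

```python
"""Cross-check a computer account's password age against the aging
timestamp of its DNS host record before calling it stale, the two-source
test proposed in the thread above.

Added example, not code from the thread. Assumptions: the DNS value is the
dwTimeStamp from 'dnscmd ... /enumrecords ... /detail', kept by the Windows
DNS server as whole hours since 1601-01-01 UTC (0 = static, not aged);
pwdLastSet is a FILETIME in 100-ns ticks from the same epoch. All values
used below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def dns_timestamp_to_datetime(hours: int):
    """dwTimeStamp -> datetime, or None for a static (non-aging) record."""
    return None if hours == 0 else EPOCH_1601 + timedelta(hours=hours)


def datetime_to_dns_timestamp(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(hours=1)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def stale_verdict(pwd_last_set: int, dns_timestamp: int, now: datetime,
                  max_age_days: int = 90) -> str:
    """Combine both signals into one verdict:
    active - password changed within the window: not a candidate
    keep   - password is old, but the host refreshed its DNS record
             recently, so pwdLastSet alone would have flagged it wrongly
    review - password is old and the DNS record is static: no second opinion
    stale  - both sources agree the machine has been silent
    """
    cutoff = now - timedelta(days=max_age_days)
    if filetime_to_datetime(pwd_last_set) >= cutoff:
        return "active"
    dns_seen = dns_timestamp_to_datetime(dns_timestamp)
    if dns_seen is None:
        return "review"
    return "keep" if dns_seen >= cutoff else "stale"


if __name__ == "__main__":
    now = utc(2003, 10, 30)
    old_pwd = datetime_to_filetime(utc(2003, 5, 1))                # constructed
    recent_dns = datetime_to_dns_timestamp(utc(2003, 10, 20))      # constructed
    print(stale_verdict(old_pwd, recent_dns, now))                 # keep
    print(stale_verdict(old_pwd, 0, now))                          # review
```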
RE: [ActiveDir] DNS WMI Provider
Ahhh yes, the DNS WMI Provider. What a piece of ..., ok I won't go there :-)

What kills me is that the MSDN documentation has NEVER been right. Even after they updated it for 2003 it was still wrong. I've submitted corrections to newsgroups and even to an MS internal docs group, but have not seen any corrections on MSDN. I was really hoping they were going to fix the problems in 2003, but alas I was disappointed.

I find the WMI CIM Studio to be the best resource when you have questions about how a particular class is implemented. It is a little easier than digging through the MOF files.

Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS WMI Provider

And don't even think about the bugs and memory leaks!

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, October 28, 2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS WMI Provider

OK, I just gotta share, to vent some of my frustration.

The DNS provider on Windows 2000 (included in the resource kit supplement and available for download from Microsoft) is NOT compatible with the DNS provider on Windows 2003! Dagnabit! The CreateZone() and the WriteBackZone() routines are different!! And the documentation on MSDN isn't right -- it's somewhere in between the two versions. To figure it out, I eventually had to go into the blasted MOF files. Silly. VERY silly.

And secondly, pass-through authentication does not work with WMI. Whose idea was THAT one?

Bah. Humbug.
So, because of these two things, I've gotta have code like this:

    ' Zone type constants differ between the two versions of the provider.
    Const int2000ADZone = 0
    Const int2000PrimaryZone = 1
    Const int2000SecondaryZone = 2

    Const int2003PrimaryZone = 0
    Const int2003SecondaryZone = 1
    Const int2003StubZone = 2
    Const int2003ForwardZone = 3

    '
    ' code
    '

    Sub CreateTheZone (objZoneRef, strZoneName)
        ' Create the Zone; CreateZone() takes a different argument list per version
        Dim errResult

        WScript.Echo "Creating zone " & strZoneName
        If intOS = 2000 Then
            errResult = objZoneRef.CreateZone (strZoneName, int2000PrimaryZone)
        Else
            ' intOS = 2003
            errResult = objZoneRef.CreateZone (strZoneName, int2003PrimaryZone, False)
        End If
        WScript.Echo "Created zone " & strZoneName & ", will now create resource records"
    End Sub

    Sub SaveTheZone (objWMI, strZoneName)
        ' Write the zone back to disk; the method name differs per version
        Dim objZone, objZones

        WScript.Echo "Updating disk image of zone"
        Set objZones = objWMI.ExecQuery ("Select * from MicrosoftDNS_Zone " & _
            "where ContainerName = '" & strZoneName & "'")
        For Each objZone in objZones
            If intOS = 2000 Then
                objZone.WriteBackZoneToFile ()
            Else
                ' intOS = 2003
                objZone.WriteBackZone ()
            End If
        Next
        WScript.Echo "Disk image updated"
    End Sub

    Function OSVersion (strUser, strPass, strServer)
        ' Returns 2000 or 2003 from the Win32_OperatingSystem caption, -1 if unknown
        Dim colOS, objOS, strCaption, intOSver, objWMI

        intOSver = -1

        If ConnectComputer (strUser, strPass, strServer, "root\cimv2", objWMI) Then
            Wscript.Echo "*** Error: Could not connect to CIMv2 namespace on " & strServer
            WScript.Quit 1
        End If

        Set colOS = objWMI.ExecQuery ("Select * from Win32_OperatingSystem")
        For Each objOS in colOS
            'Wscript.Echo objOS.Caption & " " & objOS.Version
            strCaption = objOS.Caption
            If Instr (strCaption, "2000") Then
                intOSver = 2000
            ElseIf Instr (strCaption, "2003") Then
                intOSver = 2003
            End If
            Exit For
        Next

        Set objWMI = Nothing
        OSVersion = intOSver
    End Function

    Function ConnectComputer (ByVal strUserName, _
                              ByVal strPassword, _
                              ByVal strServer, _
                              ByRef strNameSpace, _
                              ByRef objService)
        ' Returns False on success, True on error
        On Error Resume Next
        Dim objLocator, objWshNet

        ConnectComputer = False    ' There is no error.

        ' Create Locator object to connect to remote CIM object manager
        If IsEmpty (strUserName) Then
            Set objService = GetObject ("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strServer & "\" & strNameSpace)
            If Err.Number Then
                Wscript.Echo "Error 0x" & Hex (Err.Number) & " occurred in acquiring a WMI object."
                If Err.Description <> "" Then
                    Wscript.Echo "Error description: " & Err.Description & "."
                End If
                Err.Clear
                ConnectComputer = True    ' An er
[ActiveDir] Active Directory Cookbook Bake-off
I'm working with O'Reilly to see if they would host something like this. If not, I can put it up on my site. If any other companies (or individuals) are interested in participating, please email me at [EMAIL PROTECTED] I don't have any details yet; I'm just trying to gauge general interest.

Thanks for the nudge Todd.

Regards,
Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: DiBias, Chip [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

BindView is in for the first month if you guys want to head down this path...this could get interesting.

Chip DiBias

Original Message
Subject: RE: [ActiveDir] Active Directory Cookbook
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Date: Fri, October 24, 2003 9:54 pm
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook. Basically the submissions have to follow the format of the book, and have to work. They would be judged based on the following criteria.

The topic covered in AD. 1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)
The issues identified within the topic. 1-25 points. (Each issue identified gets 2.5 points for existing topics. Max 10)
The solutions that meet the needs identified for each topic. 1-50 points. (Each need that gets a solution gets 5 points per solution. Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-) My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:

http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Lou Vega [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's Tuna book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great resource!

r/
Lou

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Certificate Services (was Active Directory Cookbo ok)
Certificate Services didn't make it into the AD Cookbook, but will in a future book. As far as good sources today, it really depends on if you are talking about Windows 2000 or Windows Server 2003. There were quite a few enhancements to Cert Services in 2003. Here are a few links you may want to take a look at (links may wrap):

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks. I can see I will have some reading to do this weekend.

Dan

Original Message
Subject: RE: [ActiveDir] Active Directory Cookbook
From: [EMAIL PROTECTED]
Date: Fri, October 24, 2003 12:57 pm
To: [EMAIL PROTECTED]

While not a cookbook per se, I have found this link useful in my understanding of PKI: http://tinyurl.com/s8y1

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
Sent: Fri 10/24/2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Robbie,

I haven't gotten my copy of your book yet, I know :-(, I waited until just recently to order it. I looked at the table of contents but did not see anything about Certificate Services, is it there and I just missed it?? If it is not in your book, as the Master of Cookbooks can you suggest a good source for learning Certificate Services structure and an installing guide. I am trying to get my head around Certificate Services in order to answer some structure questions.

Dan

Original Message
Subject: RE: [ActiveDir] Active Directory Cookbook
From: Robbie Allen [EMAIL PROTECTED]
Date: Fri, October 24, 2003 9:43 am
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-) My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:

http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Lou Vega [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's Tuna book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great resource!

r/
Lou

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Active Directory Cookbook
You are right, that wasn't the best way to fix them. I added those quick fixes a while back so the scripts wouldn't fail on forests with password complexity enabled. I just added "corrected" code for 6.1-6.3 (http://www.rallenhome.com/books/adcookbook/code.html#ch6). All I did was comment out the lines that set userAccountControl and put a note about why it isn't necessary to set it.

Thanks!
Robbie Allen

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

OK, Robbie fixed the examples on the webpage for the Tunabook (although I personally don't like the way he changed 6.3) -- however, his change was to set userAccountControl to disabled (514).

Is there an advantage, or disadvantage, either way -- to setting userAccountControl before the first SetInfo or not? Just preference?

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Rick, I think he may be referring to our conversation.

1. Here is what I vote for:

set objParent = GetObject("LDAP://ParentDN")
set objUser = objParent.Create("user", "cn=UserName")
objUser.Put "sAMAccountName", "UserName"
objUser.Put "userPrincipalName", "UserUPN"
objUser.Put "givenName", "UserFirstName"
objUser.Put "sn", "UserLastName"
objUser.Put "displayName", "UserFirstName UserLastName"
objUser.SetInfo
objUser.SetPassword "password1"
objUser.AccountDisabled = FALSE
objUser.SetInfo

Note you don't have to set the account disabled. The default userAccountControl on the create will be disabled. You need to swing back and enable it and set the password.

2. If a single domain

adfind -default -f "(objectcategory=person)(samaccountname=*)" -dn

NOTE: That may pull trust accounts too, I don't have trusts set up on my home domain to check.

If multiple domain forest

adfind -h dcname -default -f "(objectcategory=person)(samaccountname=*)" -dn

or

adfind -b dc=domain,dc=com -f "(objectcategory=person)(samaccountname=*)" -dn

NOTE: Same note. If you do get trusts as well, you need to filter them out and at 1:53AM the thing I think you would do is add a (!samaccountname=*$) which really sucks because !'s kill search time.

The first single domain query yanked my 2034 userids in my home domain in about 5 seconds. That is with a PIII-930 with 512 MB running about 10 normal apps (one is VPC 5.2 with a Windows Server 2003 Enterprise guest fired up and allocated 64MB RAM) against my W2K DC which is PII-450 w/ 128MB RAM.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 24, 2003 6:35 PM
To: [EMAIL PROTECTED]

Michael -

1) Yes, this is one way. Just discussed this topic on the list, with code samples, so check the archives. Setting the user to disabled and then applying the complex password is valid.

2) Not there directly ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, October 24, 2003 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

It's a great book. Two questions:

1) did you gurus here on activedir come to the conclusion that, due to password complexity, a user should be created disabled? Does that affect any recipes other than 6.1, 6.2, and 6.3?

2) I think you should add one of the simplest and (in my opinion) the most common AD query as a recipe: how to find all the users in a domain.

From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-) My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:

http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
RE: [ActiveDir] Active Directory Cookbook
Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-) My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:

http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

"Lou Vega" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great resource!

r/
Lou
RE: [ActiveDir] Active Directory Cookbook
And what have you been drinking at 1am?? :-)

Good thought, but my guess is that people who offer good suggestions probably already have a copy of the book (since they know what's in there and what isn't). FWIW, I would be happy to mention in the acknowledgements section anyone who suggests a recipe I include in the next edition.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook. Basically the submissions have to follow the format of the book, and have to work. They would be judged based on the following criteria.

The topic covered in AD. 1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)
The issues identified within the topic. 1-25 points. (Each issue identified gets 2.5 points for existing topics. Max 10)
The solutions that meet the needs identified for each topic. 1-50 points. (Each need that gets a solution gets 5 points per solution. Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-) My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections:

http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

"Lou Vega" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in both AD2K and AD2K3). The book will be very handy as I continue to stand up my development Windows 2003 domain.

To anyone else on this list who hasn't gotten it yet...it's a worthwhile addition to your Active Directory library.

To Robbie (and all the others who assisted him!) - thanks for a great resource!

r/
Lou
RE: [ActiveDir] DNS Name
I personally don't put a lot of weight into the "save your top level domain for the Internet" argument. I've been hearing that since the W2K JDP and we are already on a second version of AD with no indication that saving your TLD will be important in any way. You could always prefix an external forest root domain name with "ext" or "external". This is a prime example of a best practice that many people swear by, but I doubt will ever be justified.

Just my $.02 :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 4:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Name

You could use the .fin and/or .biz DNS names without getting into any AD problems. However, you should think about the fact whether or not you want to connect AD to the internet (not now but in the future?). Don't place your bets on renaming your domains in the future using the new domain renaming features in Windows Server 2003. The renaming is a very complex process which has significant impact on the availability of the infrastructure. If you're sure you only want to use these names internally you can use these extensions without running into problems.

Cheers!
John

-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name

Can someone please confirm if they have ever used, aside from the standard .com .org .net, for their AD implementation a .biz or .fin domain name structure. I am considering implementing nb.fin or nb.biz domain name for our new AD structure some time in the very near future. Would such a name have any side effects on AD or DNS?

Another question not pertaining to the one above. I know Windows 2003 server has drastically changed its default security structure on its folders and volumes through either ACL or DACL. In my test environment, when I created a home folder and when I created a user through ADUC, I was able to create a user's home folder, but the user security ACLs were not there. Under W2K, when you share the home folder, create a new user, and create a user's home folder, you automatically created in the security tab the user's name along with his ACL. Does anyone know how to do the same thing in Windows 2003 server?

Thanks
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP
I'd love to see that if you can find it. Last I heard, there is still no DHCP Server WMI provider. I just looked at a W2K3 server with the DHCP Server installed and couldn't find a provider for it. Not having a scripting API is a big hole for the Microsoft DHCP Server. dhcpobjs.dll isn't supported and from what I heard it was only accidentally put in the W2K Res Kit. It has a lot of problems regardless. Shelling out to netsh (ugh) is the best option at this point from a scripting perspective.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

Clyde-
Somewhere buried on Microsoft's site, I once came across a WMI provider for DHCP Servers. I will see if I can track down a URL.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde
Sent: Wednesday, October 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

I've used netsh to move the scopes from one server to another. There were some minor issues (documented in technet) but it works fairly well.

Other things to try:

From the 2000 Server Resource Kit

Microsoft DHCP Database Export Import Tool - DHCPEXIM.EXE
Just like the title says. An import/export tool. I preferred netsh as I could edit the script between servers.

DHCP Objects 1.0 - DHCPOBJS.EXE
dll to program against a dhcp server. It has issues with scopes that have more than 255 reservations.

If anyone knows of any other type of automation tool to use against a dhcp server I would really like to hear about it.

Clyde Burns
Norton Healthcare. Louisville Ky.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, October 21, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh

You can't have 2 identical servers running at the same time (you'd get some exciting conflicts!) but you could dump your working server and keep the file safe. When your working server fails you then just reload the data into a "spare" server and your DHCP server is back and running. I'd guess it would make sense to do a scheduled dump of this data at regular intervals so that the file is always reasonably up to date.

Steve

-Original Message-
From: Jerry Johnson [mailto:[EMAIL PROTECTED]
Sent: 16 October 2003 17:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP/Netsh

Everyone,

Has anyone ever used Netsh to move DHCP to another server? In Mark Minasi's book he talks about using it to add another DHCP server to your network by dumping it with Netsh from one machine and Exec it to another machine. He did not go into much detail but I did not think you could have identically configured DHCP servers on a network.

Thanks
Jerry
Scicom Data Services
Minnetonka, Mn

This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. Any patient health information must be delivered immediately to intended recipient(s). If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail address or telephone number above and discard this e-mail. Thank you.
RE: [ActiveDir] SMS Server 2003: AD schema extensions
The MS SFU 3.0 team also refused to provide LDIF files for their schema extensions. Microsoft really needs to set the example here. Most people are worried enough about extending the schema and when you can't even get the LDIF files it only exacerbates the situation.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 7:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS Server 2003: AD schema extensions

Thanks Guido. This is good info.

I like the idea of having the LDIF files available for testing schema updates outside the application itself. As Robbie Allen has pointed out in various books, articles and forums, LDIF files provide a useful self-documenting method of keeping track of your schema changes.

It struck me as odd that the LDIF files for SMS 2003 are not available. I know it's not in RTM yet, but I'm guessing the schema definitions have been finalised for some time now. I would prefer to see a consistent approach across all Microsoft products for schema changes. ISA Server, for example, provides the ldif files on the CD.

Tony

-- Original Message --
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 9 Oct 2003 11:46:01 +0200

Tony,

I don't have an LDIF file, but here are some details on the schema extensions as reported from the SMS2003 'Extadsch.exe' utility:

Defined attribute cn=MS-SMS-Site-Code.
Defined attribute cn=mS-SMS-Assignment-Site-Code.
Defined attribute cn=MS-SMS-Site-Boundaries.
Defined attribute cn=MS-SMS-Roaming-Boundaries.
Defined attribute cn=MS-SMS-Default-MP.
Defined attribute cn=mS-SMS-Device-Management-Point.
Defined attribute cn=MS-SMS-MP-Name.
Defined attribute cn=MS-SMS-MP-Address.
Defined attribute cn=MS-SMS-Ranged-IP-Low.
Defined attribute cn=MS-SMS-Ranged-IP-High.
Defined class cn=MS-SMS-Management-Point.
Defined class cn=MS-SMS-Server-Locator-Point.
Defined class cn=MS-SMS-Site.
Defined class cn=MS-SMS-Roaming-Boundary-Range.

Note that most of the attributes are replicated to the GC...

Also realize, that if you are absolutely against extending the Schema for SMS - the extensions are not a must for SMS 2003 to function. However, if the schema is not extended, it will be necessary to use WINS to enable resolution of MPs and SLPs (and I'd rather get away from any WINS dependencies if I can). Also, SMS Advanced Security requires extending the schema - I haven't looked at this feature yet, so I'm not really sure what it means.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, October 6, 2003 10:55
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SMS Server 2003: AD schema extensions

Does anyone have the ldif files for the SMS Server 2003 schema extensions? I realise it's early days, but I can't find any detailed documentation on what the schema update does.

Tony

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
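Tony's point in the thread above is that an LDIF file lets you read and test a schema extension before it touches a forest. As an added example (this is not SMS 2003's schema file, nor code from anyone in the thread), here is a Python script that parses an LDIF file and reports what the import would do: which attributes and classes it adds, which new attributes are flagged for Global Catalog replication via isMemberOfPartialAttributeSet (the point Guido raises about replication to the GC), and which class definitions reference attributes the file itself does not define. The attribute and class names in the sample are the ones Guido listed; the OIDs, syntaxes, description text and dc=example,dc=com suffix are constructed placeholders and not the real SMS values.

```python
"""Summarise the schema changes an LDIF file would make before importing it.

Added example; sample OIDs, syntaxes and dn suffix are constructed placeholders.
"""
import base64

# Constructed sample LDIF: two attributeSchema records and one classSchema record.
SAMPLE_LDIF = """\
dn: cn=MS-SMS-Site-Code,cn=Schema,cn=Configuration,dc=example,dc=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: mS-SMS-Site-Code
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
isMemberOfPartialAttributeSet: TRUE
description: Constructed sample, folded
  across two LDIF lines

dn: cn=MS-SMS-Ranged-IP-Low,cn=Schema,cn=Configuration,dc=example,dc=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: mS-SMS-Ranged-IP-Low
attributeID: 1.3.6.1.4.1.99999.1.9
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE

dn: cn=MS-SMS-Site,cn=Schema,cn=Configuration,dc=example,dc=com
changetype: add
objectClass: classSchema
lDAPDisplayName: mS-SMS-Site
governsID: 1.3.6.1.4.1.99999.2.1
mayContain: mS-SMS-Site-Code
mayContain: mS-SMS-Ranged-IP-Low
mayContain: mS-SMS-MP-Name
"""


def _unfold(text):
    """Join LDIF folded lines: a line beginning with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into records mapping lower-cased attribute names to value lists.
    Handles comments, folded lines and base64 values ("attr:: <base64>")."""
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def _classes(record):
    return {v.lower() for v in record.get("objectclass", [])}


def _name(record):
    return record.get("ldapdisplayname", record.get("dn", ["?"]))[0]


def summarise_schema_changes(records):
    """Group records into added attributes, added classes, GC-replicated attributes, other."""
    summary = {"attributes": [], "classes": [], "gc_replicated": [], "other": []}
    for rec in records:
        name = _name(rec)
        if rec.get("changetype", ["add"])[0].lower() != "add":
            summary["other"].append(name)
        elif "attributeschema" in _classes(rec):
            summary["attributes"].append(name)
            # Partial-attribute-set members replicate to every Global Catalog in the
            # forest, so they deserve a second look before the import.
            if rec.get("ismemberofpartialattributeset", ["FALSE"])[0].upper() == "TRUE":
                summary["gc_replicated"].append(name)
        elif "classschema" in _classes(rec):
            summary["classes"].append(name)
        else:
            summary["other"].append(name)
    return summary


def unresolved_references(records):
    """(class, attribute) pairs where mayContain/mustContain names an attribute this
    file does not define; those must already exist in the target schema."""
    defined = {_name(r).lower() for r in records if "attributeschema" in _classes(r)}
    missing = []
    for rec in records:
        if "classschema" not in _classes(rec):
            continue
        for key in ("maycontain", "mustcontain"):
            for ref in rec.get(key, []):
                if ref.lower() not in defined:
                    missing.append((_name(rec), ref))
    return missing


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for section, names in summarise_schema_changes(recs).items():
        print(f"{section}: {', '.join(names) or '-'}")
    for cls, ref in unresolved_references(recs):
        print(f"{cls} references {ref}, which is not defined in this file")
```

Run against a vendor's real LDIF (where one is supplied) the same two reports give you the review checklist Tony describes: what lands in the partial attribute set, and what the file silently assumes is already in your schema.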
RE: [ActiveDir] Add computers to domain permissions
Thanks for the kind words guys. The Active Directory Cookbook (the tuna book :) is due to ship on Tuesday - Sept 23rd. It is intended to answer many of the How do I ...? questions you might have about AD (at least as many that would fit in 600 pages). Here is the TOC: http://rallenhome.com/books/adcookbook/toc.html Here is a sample chapter: http://www.oreilly.com/catalog/activedckbk/chapter/ch08.pdf I'm taking requests for the next edition and for any suggestions I include I'll be sure to mention the requestor in the acknowledgements :-) Regards, Robbie Allen -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Saturday, September 20, 2003 6:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Even though my perspective might be tainted because of my ork on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still ouldn't be one of the best available. And, Joe - like you, I am reviewing Inside Active Directory 2/e What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen. The 'Cat' book - completely forgot about it. And, honestly, I don't know how. 'Deep' doesn't really even begin to explain it - it's a very comprehensive book. And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface. 
Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error. So, Robbie - new chapters coming when? ;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that. I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil. 
Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one. People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, September 19, 2003 6:21 PM To: [EMAIL PROTECTED]

Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly). I reviewed it for tech content, (as did a few others here) and it's good - lots of code and geared towards Windows 2000/2003. It's called Active Directory Cookbook and is being published by O'Reilly. http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance The other
RE: [ActiveDir] Script to populate the Windows 2000 user name in AD
Hi Raymond,

Here is some VBScript code that sets the userPrincipalName for all users in a particular OU:

'-
strOU = "ou=customers"
strDomain = "ad-vm1.cisco.com"
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objParent = GetObject("LDAP://" & strOU & "," & _
                          objRootDSE.Get("defaultNamingContext"))
' Only enumerate user objects directly under the OU
objParent.Filter = Array("user")
for each objUser in objParent
   Wscript.Echo "Modifying " & objUser.Get("sAMAccountName")
   ' UPN = sAMAccountName@suffix; SetInfo writes it back to the DC
   objUser.Put "userPrincipalName", _
      objUser.Get("sAMAccountName") & "@" & strDomain
   objUser.SetInfo
next
'-

Let me know if you were looking for something different or have any questions. Regards, Robbie Allen http://www.rallenhome.com/

-Original Message- From: Raymond McClinnis [mailto:[EMAIL PROTECTED] Sent: Saturday, September 06, 2003 12:26 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Script to populate the Windows 2000 user name in AD

After our upgrade to Windows 2000 I noticed that the Windows 2000 user name field did not auto populate. I don't know whether it should have or not though. I tried to get all of the help desk personnel to update this field whenever they accessed a user acct to reset the password or whatever, but I'm afraid it may have fallen on deaf ears. Is there any way to run a script that will take the pre-Windows 2000 username and populate the Windows 2000 user name (of course adding the @domain.int)? Any help will be much appreciated. Thanks, Raymond McClinnis Network Administrator Provident Credit Union

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
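Added example, not part of the archived thread and not Robbie's script: the same sAMAccountName-to-UPN fill-in done offline in Python, with the two checks the VBScript above skips (no duplicate UPNs, since a UPN must be unique across the forest and two accounts sharing one cannot both log on by it; no UPN for names that cannot be a UPN prefix) and LDIF output that ldifde -i can import. The suffix corp.example.com, the sample accounts and the rejected-character set are assumptions made for the example.

```python
"""Fill in userPrincipalName from sAMAccountName and emit the result as LDIF.

Added example, not code from the original post. It does offline what the
VBScript above does live, with two checks the script lacks: it refuses to
create a duplicate UPN (a UPN must be unique across the forest, and two
accounts sharing one cannot both log on by it) and it skips names that
cannot be a UPN prefix. Output is a 'changetype: modify' stream that
'ldifde -i -f' can import. The suffix corp.example.com, the sample accounts
and the rejected-character set are assumptions made for the example.
"""
import base64
import re

# Characters assumed illegal in the left-hand part of a UPN: what Windows
# rejects in a logon name, plus '@' itself.
_BAD_UPN_CHARS = re.compile(r'[@"/\\\[\]:;|=,+*?<>]')


def build_upn(sam_account_name: str, suffix: str) -> str:
    """Return sam@suffix, or raise ValueError when sam cannot be a UPN prefix."""
    sam = sam_account_name.strip()
    # Computer and trust accounts end in '$' and do not get a UPN this way.
    if not sam or sam.endswith("$") or _BAD_UPN_CHARS.search(sam):
        raise ValueError(f"cannot derive a UPN from sAMAccountName {sam!r}")
    return f"{sam}@{suffix}"


def plan_upn_changes(users, suffix, overwrite=False):
    """Decide which accounts get a new UPN.

    users: dicts with 'dn', 'sAMAccountName' and optionally 'userPrincipalName'
    (the shape an LDAP search of the OU returns).
    Returns (changes, skipped): changes = [(dn, new_upn)], skipped = [(dn, why)].
    UPNs are compared case-insensitively, as the directory does.
    """
    taken = {u["userPrincipalName"].lower() for u in users if u.get("userPrincipalName")}
    changes, skipped = [], []
    for u in users:
        dn, current = u["dn"], u.get("userPrincipalName") or ""
        if current and not overwrite:
            skipped.append((dn, "userPrincipalName already set"))
            continue
        try:
            upn = build_upn(u["sAMAccountName"], suffix)
        except ValueError as exc:
            skipped.append((dn, str(exc)))
            continue
        if upn.lower() in taken and upn.lower() != current.lower():
            skipped.append((dn, f"{upn} is already used by another account"))
            continue
        taken.add(upn.lower())
        changes.append((dn, upn))
    return changes, skipped


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when the value is not safe ASCII."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(changes) -> str:
    """Render planned changes as LDIF modify records for 'ldifde -i -f file'."""
    records = []
    for dn, upn in changes:
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            "replace: userPrincipalName",
            ldif_line("userPrincipalName", upn),
            "-",
        ]) + "\n")
    return "\n".join(records)


# Constructed sample standing in for the search result of the OU.
SAMPLE_USERS = [
    {"dn": "CN=Alice Adams,OU=Customers,DC=corp,DC=example,DC=com",
     "sAMAccountName": "aadams"},
    {"dn": "CN=Robert Brown,OU=Customers,DC=corp,DC=example,DC=com",
     "sAMAccountName": "robert.brown",
     "userPrincipalName": "bbrown@corp.example.com"},   # set by hand earlier
    {"dn": "CN=Bob Brown,OU=Customers,DC=corp,DC=example,DC=com",
     "sAMAccountName": "bbrown"},                          # would collide
    {"dn": "CN=SVC01,OU=Customers,DC=corp,DC=example,DC=com",
     "sAMAccountName": "SVC01$"},                          # machine account
]

if __name__ == "__main__":
    planned, rejected = plan_upn_changes(SAMPLE_USERS, "corp.example.com")
    print(to_ldif(planned))
    for dn, why in rejected:
        print(f"# skipped {dn}: {why}")
```

The collision rule is deliberately conservative: a UPN that is already on another account is left alone even in overwrite mode, because the old value is still in the directory until the LDIF is imported.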
RE: [ActiveDir] Manual Replication - Any suggestions?
In general, my philosophy is manual = bad, automated = good. And this definitely applies to maintaining the site topology and replication connections. Unless you have special replication needs (e.g. firewalls, not fully connected network, etc), doing it manually is never the preferred approach. We have over 400 sites and 90 DCs and replication problems have been the least of our worries. Robbie Allen http://www.rallenhome.com/

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, September 05, 2003 6:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Manual Replication - Any suggestions?

Wow. Can't say that I ever expected to hear someone say that. With autogeneration you basically need network link cost and replication schedule time per site link which should be far less configuration than manually configuring replication connections. Even with a centralized method of managing creation of sites which we have (basic perl scripts that also create the site links) I don't see how it would ease the creation of replication connections. Especially if you have a failure and need to start repointing connections. Say you have 9 domains with 400 DC's spread across say about 300 sites with DC's and having another 200 sites that you simply need site links for calculating best (closest) coverage with a fairly simple 3 hub hub-and-spoke deployment: you would have just over 500 site links but thousands of connection objects (800 alone if each DC only replicated with one other DC, which obviously isn't feasible when you consider GC partitions (and intrasite replication if you care about latency)). Much easier, I would think, to manage the 500 links versus the thousands of connections. Especially considering the amount of work required for reconfiguration if a bridgehead blows in a hub site is sit back and watch the reconfiguration of connections. By any chance could you explain your forest in terms of number of domains and dc's and sites?
Also do you have a really complicated network structure where you have to pump replication down specific spanning trees to get from one end to the other? I am curious as to the kind of layout that could cause this kind of mindset on managing connections versus links. thanks, joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Merry, Joel (US - Philadelphia) Sent: Thursday, September 04, 2003 11:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Manual Replication - Any suggestions?

Even with the updated KCC algorithm, I'm still a fan of manual replication links. Even relying upon auto-generation, you still need to properly configure costing and all that fun jazz. And if you're going to go through all of that, why not configure everything manually? The only reason I can think of not doing it is if you don't have a centralized way to manage the creation of new sites (and potentially bridges depending on your network configuration) so you don't have to worry about sites being orphaned -- but considering the size of your environment, I would think you do. -Joel

-Original Message- From: Dean Wells [mailto:[EMAIL PROTECTED] Sent: Thursday, September 04, 2003 3:56 PM To: AD mailing list (Send) Subject: RE: [ActiveDir] Manual Replication - Any suggestions?

That requires forest functional level 1 which would prevent the presence of any 2000 DCs in any domain within the forest (NT4 DCs are permissible) ... if the lack of Windows 2000 is feasible, the new ISTG (in both my own and Microsoft's internal tests) would easily fulfill your requirements. -- Dean Wells MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Salandra, Justin A. Sent: Thursday, September 04, 2003 2:43 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Manual Replication - Any suggestions?
What about upgrading your servers to Windows Server 2003? The ISTG in W2K3 can handle up to 3,000 sites tested, 5,000 in theory.

-Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Thursday, September 04, 2003 10:51 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Manual Replication - Any suggestions?

I'm currently working at a company where we have 115 international sites, and 3 domains. The KCC and ISTG are working sub-optimally, and it seems on MS's advice we are going to calculate a manual replication connection model. Anyone have any experience with this, and have any gotchas we should be expecting? Thanks, Jef
RE: [ActiveDir] Connection String
A much more simple option is to use the IADsTools interface (from the Support Tools). It has a TranslateNT4ToDN function. In general, if there is a DS API you want to use from Perl or VBScript, there is a good chance a wrapper for it exists in IADsTools (there are a few exceptions). Here is a Perl one-liner...

D:\> perl -MWin32::OLE -le "print Win32::OLE->new('IADsTools.DCFunctions')->TranslateNT4ToDN($ARGV[0],'',1,0)" AMERLOCAL\rallen
CN=rallen,CN=Users,DC=amer,DC=local

Regards, Robbie Allen http://www.rallenhome.com/

-Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:43 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Connection String

Cool. Might be able to stay away from a compiler for another 3 months... I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same constant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
[1] Yeah, I'm still running it

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:36 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

From the online help about NameTranslate, VBScript Example (haven't tried it, but looks like it should work)

Dim nto
const ADS_NAME_INITTYPE_SERVER = 2
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3
server = "aDsServer"
user = "jeffsmith"
dom = "Fabrikam"
passwd = "top secret"
dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
' The online sample is ASP and uses Server.CreateObject; plain VBScript uses CreateObject
Set nto = CreateObject("NameTranslate")
' Bind to a specific server with explicit credentials
nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
' Feed in the RFC 1779 DN, read back the DOMAIN\user form
nto.Set ADS_NAME_TYPE_1779, dn
result = nto.Get(ADS_NAME_TYPE_NT4)

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:31 PM Subject: RE: [ActiveDir] Connection String

The only problem with that is you can't call the same methods from VBScript - which is where I seem to need it the most.. Better brush up on my mAd VB.net skilz... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:17 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

Pablo, here is some code I use in VB.NET to do a similar thing, should be convertible to C# without much hassle. strUserName = the fully qualified LDAP path of a user or group, ie LDAP://CN=GroupName,DC=testdomain,DC=local

'Constants required, rest are in the online doco for NameTranslate
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
Dim Translate As New ActiveDs.NameTranslate
Dim strUser As String
'We want to chat to a GC server, any one will do
Translate.Init(ADS_NAME_INITTYPE_GC, "")
'Pass in the FQDN name of the object
'-- the call doesn't like the LDAP:// on the front, so strip it (Mid is 1-based, so start at character 8)
Translate.Set(ADS_NAME_TYPE_1779, Mid(strUserName, 8))
'Get back the NT v4 Equivalent
strUser = Translate.Get(ADS_NAME_TYPE_NT4)
Translate = Nothing
'strUser now = the DOMAIN\UserName pair

You can easily go the other way, ie pass in the Domain\username pair, and get back the LDAP path. Its all in the online doco, just do a search for NameTranslate. Very cool actually, was hacking around trying to pull apart LDAP strings and massage them myself, this is MUCH easier (and faster) HTH Glenn (lucky you asked today, worked out how to do this last night *grin*)

- Original Message - From: Pablo Curello [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:44 PM Subject: RE: [ActiveDir] Connection String

That's right, but what if the user Pablo Curello is inside an organizational group? In that case, the LDAP string should be (for example): LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com. It doesn't work with: LDAP://cn=Pablo Curello, dc=yourdomain, dc=com Thanks.
-Original Message- From: Costanzo, Ray [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2003 2:34 PM To: [EMAIL PROTECTED] I believe that you mean DOMAIN\Username, and if so: Function GetFullName(sUser) Dim sUsername, sDomain
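Added example, not part of the archived thread and not anyone's posted code: NameTranslate (and the IADsTools wrapper) do the NT4-to-DN translation against a DC, which cannot be reproduced offline, but the part of the thread that people do try to hand-roll, "pulling apart LDAP strings", can. This takes an ADsPath such as LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com apart into RDNs and builds one back, following the RFC 4514 escaping rules, and shows why a plain split on commas breaks as soon as a CN contains an escaped comma. The DNs used are constructed.

```python
"""Take an LDAP distinguished name apart, and put one together, safely.

Added example, not code from the original thread. NameTranslate (and the
IADsTools wrapper) do the NT4 <-> DN translation against a DC; this covers
the part that is tempting to hand-roll, splitting an ADsPath such as
'LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com' into its RDNs, and
shows why a plain split(',') breaks once a CN contains an escaped comma
('CN=Curello\\, Pablo'). The escaping rules follow RFC 4514; the DNs used are
constructed.
"""
from typing import List, Tuple

_HEX = set("0123456789abcdefABCDEF")
_SPECIAL = set(',+"\\<>;')          # always escaped inside a value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(type, value), ...], leftmost RDN first, with values unescaped.

    Accepts an optional 'LDAP://' prefix, backslash escapes ('\\,') and hex
    escapes ('\\2c', one UTF-8 byte each). Multi-valued RDNs ('cn=a+sn=b') are
    rejected rather than silently mis-parsed.
    """
    if dn[:7].upper() == "LDAP://":
        dn = dn[7:]
    rdns: List[Tuple[str, str]] = []
    type_chars: List[str] = []
    value_parts: List[Tuple[bytes, bool]] = []     # (bytes, was_escaped)
    in_value = False

    def finish() -> None:
        parts = list(value_parts)
        while parts and parts[0] == (b" ", False):   # unescaped leading spaces
            parts.pop(0)
        while parts and parts[-1] == (b" ", False):  # unescaped trailing spaces
            parts.pop()
        attr_type = "".join(type_chars).strip()
        if not attr_type or not parts:
            raise ValueError(f"malformed RDN in {dn!r}")
        rdns.append((attr_type, b"".join(p for p, _ in parts).decode("utf-8")))

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if in_value and c == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and nxt[0] in _HEX and nxt[1] in _HEX:
                value_parts.append((bytes([int(nxt, 16)]), True))
                i += 3
            elif nxt:
                value_parts.append((nxt[0].encode("utf-8"), True))
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if not in_value and c == "=":
            in_value = True
        elif in_value and c == ",":
            finish()
            type_chars, value_parts, in_value = [], [], False
        elif in_value and c == "+":
            raise ValueError("multi-valued RDNs are not supported")
        elif in_value:
            value_parts.append((c.encode("utf-8"), False))
        else:
            type_chars.append(c)
        i += 1
    if not in_value:
        raise ValueError(f"malformed DN: {dn!r}")
    finish()
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIAL or (i == 0 and c == "#") or (c == " " and i in (0, last)):
            out.append("\\" + c)
        elif c in "\x00\r\n":
            out.append("\\%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


def build_dn(rdns) -> str:
    """Join (type, value) pairs into a DN string, escaping each value."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in rdns)


if __name__ == "__main__":
    path = "LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com"
    print(parse_dn(path))
    tricky = build_dn([("CN", "Curello, Pablo"), ("OU", "Sales"), ("DC", "yourdomain")])
    print(tricky, "->", parse_dn(tricky), "vs naive", tricky.split(","))
```

The same escaping discipline matters when a user-supplied name is pasted into a DN or a bind path: an unescaped comma or plus sign changes which object the path refers to.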
RE: [ActiveDir] Password Lookup
Hi Mike, You can require "complex" passwords by setting the Domain Security Policy - Account Policies - Password Policy - Password must meet complexity requirements. Here is more info: http://www.microsoft.com/technet/treeview/default.asp?url= After setting password complexity, it only applies when a password is changed (or initially set when a user is created). It does not impact users that are currently using non-complex passwords. Regards, Robbie Allen http://www.rallenhome.com/

-Original Message- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Password Lookup

Hi Robbie, I'm not aware that the Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks! Mike Thommes Argonne National Laboratory

-Original Message- From: Robbie Allen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:27 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on. Robbie Allen http://www.rallenhome.com/

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:15 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords? Thanks! Ryan McDonald Systems Administrator The Bankers Bank
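Added example, not part of the archived thread and not a Microsoft tool: a check that applies the documented "Password must meet complexity requirements" rules (at least six characters, no sAMAccountName and no piece of the display name of three or more characters, three of five character classes) and then does the dictionary lookup the policy does not do. P@ssw0rd1! passes the first and fails the second, which is Mike's point. The word list and the substitution table are constructed for the example; a real check would load a large list and run before the password reaches the DC, since the policy only applies at the next change.

```python
"""Test a candidate password against the Windows complexity rule, then against
a dictionary, which that rule does not consult.

Added example, not from the original thread. The complexity checks are the
documented ones behind 'Password must meet complexity requirements': at least
six characters, no sAMAccountName and no piece of the display name of three or
more characters, and three of five character classes. The word list and the
substitution table are constructed for the example; a real check would load a
large list (and run before the password reaches the DC, since the policy only
applies at the next change).
"""
import re
from typing import List, Optional, Tuple

# Delimiters the policy uses to split the full name into tokens.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")
# Substitutions a dictionary attacker tries; constructed, not exhaustive.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})
CONSTRUCTED_WORDLIST = {"password", "welcome", "summer", "letmein", "argonne"}


def _name_tokens(display_name: str) -> List[str]:
    return [t for t in _NAME_DELIMS.split(display_name) if len(t) >= 3]


def meets_windows_complexity(password: str, sam_account_name: str = "",
                             display_name: str = "") -> Tuple[bool, List[str]]:
    """Return (ok, reasons) for the complexity policy alone."""
    reasons: List[str] = []
    pw_lower = password.lower()
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    # The account name is only checked when it is at least three characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw_lower:
        reasons.append("contains the account name")
    for tok in _name_tokens(display_name):
        if tok.lower() in pw_lower:
            reasons.append(f"contains part of the full name ({tok!r})")
    classes = (
        any(c.isascii() and c.isupper() for c in password),      # A-Z
        any(c.isascii() and c.islower() for c in password),      # a-z
        any(c.isascii() and c.isdigit() for c in password),      # 0-9
        any(not c.isalnum() for c in password),                  # ! $ # % ...
        any(c.isalpha() and not c.isascii() for c in password),  # other alphabets
    )
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    return (not reasons, reasons)


def dictionary_hit(password: str, wordlist=CONSTRUCTED_WORDLIST) -> Optional[str]:
    """Return the dictionary word the password is built on, or None.

    Tries the password as typed and with common substitutions undone, with
    digits and symbols stripped from both ends, so 'P@ssw0rd1!' and
    'Summer2003' are both caught even though both satisfy the complexity rule.
    """
    lowered = password.lower()
    for cand in (lowered, lowered.translate(_LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", cand)
        for word in wordlist:
            if core == word or core.startswith(word) or core.endswith(word):
                return word
    return None


def check_password(password: str, sam_account_name: str = "",
                   display_name: str = "") -> Tuple[bool, List[str]]:
    """Combined verdict: complexity reasons plus the dictionary result."""
    ok, reasons = meets_windows_complexity(password, sam_account_name, display_name)
    word = dictionary_hit(password)
    if word:
        reasons.append(f"based on dictionary word {word!r}")
    return (ok and word is None, reasons)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2003", "RyanMcD2003!", "Tr0ub4dor&3"):
        print(pw, check_password(pw, "rmcdonald", "Ryan McDonald"))
```

Account lockout, the other control Robbie mentions, is what slows an online dictionary attack down; this check is the offline complement, stopping the weak password from being set in the first place.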
RE: [ActiveDir] Password expiration Script
Here is a Perl script to find users who set their password some number of days ago: http://rallenhome.com/books/adcookbook/source/06/6.24-passwd_about_to_expire.pls.txt BTW, you can retrieve similar results to the Perl script with the dsquery user -stalepwd command. Let me know if you have any questions. Robbie Allen http://www.rallenhome.com/

-Original Message- From: Clarence Heier [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 8:05 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Password expiration Script

I need a script that will find user accounts where the password will expire in 5 days and email them. Does anyone know of a source for a script similar to this? Clarence Heier mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Connection String
Come over to the 'Dark Side' with VB.NET. It's nice and warm here *looks at the fires of hell*. Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pair. I did do it some time ago (yeah, it was Ex 5.5 timeframe too). I'll have a dig around (from memory it was using LookupAccountSID *shudder*). If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. Not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET. It's nice and warm here *looks at the fires of hell*. G.

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String

Cool. Might be able to stay away from a compiler for another 3 months... I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same constant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later... -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
RE: [ActiveDir] Last updated/added property?
FWIW, there are a couple other methods for tracking change in AD, but the uSNChanged method Joe described is probably your best bet. Here is more info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/overview_of_change_tracking_techniques.asp Robbie Allen http://www.rallenhome.com/

-Original Message- From: Costanzo, Ray [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2003 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Last updated/added property?

Thanks a lot Joe. Ray at work

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Yes, this info is maintained in two ways. 1. In the whenChanged/whenCreated attributes - ex. (whenCreated=2003072500.0Z) 2. In the USN attributes uSNChanged/uSNCreated. ex. (uSNCreated=648965) trim

Hi group, Does the AD keep track of when an object (a user, specifically) was last updated or when one was created, trim
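Added example, not part of the archived thread: a simulation of the uSNChanged polling technique Robbie's link describes. A poller reads the DC's highestCommittedUSN, fetches objects whose uSNChanged is above the mark from its previous poll, and stores the new mark. The caveat the example is built around is that USNs are local to each DC (each DC's counter belongs with its invocationId), so the mark has to be kept per DC; a mark from one DC is meaningless against another. The two mock DCs, their entries and the GUIDs are constructed, and the whenChanged helper parses the generalized-time string AD returns.

```python
"""Poll for changed objects with a uSNChanged high-water mark kept per DC.

Added example, not code from the thread. It simulates the polling technique
the MSDN article describes: read the DC's highestCommittedUSN, fetch objects
whose uSNChanged is above the mark from the previous poll, remember the new
mark. USNs are local to each DC (each DC's counter goes with its
invocationId), so the mark must be stored per DC; a mark taken from one DC is
meaningless against another. The two mock DCs and their entries are
constructed, and the whenChanged helper parses the generalized-time string
AD returns.
"""
from datetime import datetime, timezone
from typing import Dict, List


def parse_generalized_time(value: str) -> datetime:
    """'20030725000000.0Z' -> aware UTC datetime (whenChanged/whenCreated format)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


class MockDC:
    """Stand-in for one domain controller: its invocationId and its own USN counter."""

    def __init__(self, invocation_id: str, start_usn: int):
        self.invocation_id = invocation_id
        self.highest_committed_usn = start_usn      # RootDSE highestCommittedUSN
        self.entries: Dict[str, dict] = {}

    def write(self, dn: str, when: str = "20030725000000.0Z", **attrs) -> None:
        """Create or modify an object; every write advances this DC's USN."""
        self.highest_committed_usn += 1
        entry = self.entries.setdefault(
            dn, {"uSNCreated": self.highest_committed_usn, "whenCreated": when})
        entry.update(attrs)
        entry["uSNChanged"] = self.highest_committed_usn
        entry["whenChanged"] = when

    def search_changed_since(self, usn: int) -> List[str]:
        """Equivalent of an LDAP search with the filter (uSNChanged>=<usn+1>)."""
        return sorted(dn for dn, e in self.entries.items() if e["uSNChanged"] > usn)


class ChangeTracker:
    """Keeps one high-water mark per DC, keyed by invocationId."""

    def __init__(self):
        self.marks: Dict[str, int] = {}

    def poll(self, dc: MockDC) -> List[str]:
        # Read the DC's USN before searching: a write that lands during the
        # search is then reported again next poll rather than skipped.
        ceiling = dc.highest_committed_usn
        mark = self.marks.get(dc.invocation_id, 0)   # first contact: full sync
        changed = dc.search_changed_since(mark)
        self.marks[dc.invocation_id] = ceiling
        return changed


if __name__ == "__main__":
    dc = MockDC("11111111-aaaa-4bbb-8ccc-000000000001", 1000)   # constructed GUID
    dc.write("CN=alice,CN=Users,DC=example,DC=com", sn="Adams")
    tracker = ChangeTracker()
    print(tracker.poll(dc), tracker.marks)
    print(parse_generalized_time(dc.entries["CN=alice,CN=Users,DC=example,DC=com"]["whenChanged"]))
```

When the poller fails over to another DC it therefore starts from a full sync for that DC, which is the correct behaviour; carrying the old mark across would silently repeat or, worse, skip changes.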
RE: [ActiveDir] suggestions for OU delegation information sources
Late September or early October. The content is pretty much done now except for some final tech reviews (you know who you are :), but O'Reilly needs a full three months with it because it is going to be a 650-750 page book. Robbie Allen http://www.rallenhome.com/

-Original Message- From: Hutchins, Mike [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 9:36 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Anyone know when the AD cookbook is coming out?

-Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 6:35 AM To: '[EMAIL PROTECTED]'

I'm slowly working on something like that over here: http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index It's by no means complete, but it's slowly getting flushed out a bit. Of course, it probably shouldn't be running on a FreeBSD/Apache/PHP combination, though... ;) Roger -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 8:04 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, "You know I just need to do this or that, I wonder if it is in the cookbook?" - "Oh cool, here it is, with several different ways to do it..." Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset. But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services.
Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun. If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Friday, June 20, 2003 7:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] suggestions for OU delegation information sources

You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327 I've seen it and I think Robbie's done a fantastic job. Tony

-- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 19 Jun 2003 22:07:06 -0700

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!) I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book. In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published. I knew I should have kissed up to Robbie at DEC more VBG

-Original Message- From: [EMAIL PROTECTED] Sent: Thursday, June 19, 2003 7:14 PM To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a true great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great. Robbie - your update to the AD book is wonderful.
But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well. Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 19, 2003 5:02 PM To: [EMAIL PROTECTED]

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), by Sakari Kouti and Mike Seitsonen. If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet. http://www.microsoft.com
RE: [ActiveDir] DNS Replication
You have these options with AD-integrated zones in Windows Server 2003:
- To all DCs that are DNS servers in the forest (predefined app partition)
- To all DCs that are DNS servers in a domain (predefined app partition)
- To all DCs in a domain (only option with W2K)
- To all DCs that are replica servers for a particular app partition.
Robbie Allen http://www.rallenhome.com/

-Original Message- From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 2:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Replication

In Windows 2000 the Integrated zones are in the domain naming context so this is correct. But in Windows Server 2003 it is in an application partition and you can choose replication partners explicitly.

From: Victor Hugo Naranjo [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 1:31 PM To: [EMAIL PROTECTED]

Hi, DNS Zones configured as AD Integrated could not replicate between Parent and Child Domain, is it correct? Sincerely, Víctor Naranjo MCSE, MCSA
RE: [ActiveDir] Updating pwdLastSet
Thanks for the pointers. My problem is not determining who needs to change their password, rather it is setting up a test case where the user will be warned that their password is about to expire. What I am testing is external authentication software that reads pwdLastSet and other attributes out of the directory and either logs the user into an external system; or prompts them to change their password if it is about to expire; or forces them to change their password if it has expired.

How close to the actual expiration is "about to expire" for you? If your max password age is 180 days, for testing purposes you could make the about to expire timeframe in your authentication software something like 170 days before expiration. Then you would need to test with a user that set their password 10 or more days ago (you can obviously adjust these numbers accordingly). Robbie Allen http://www.rallenhome.com/

Setting the pwdLastSet to 0 will allow me to test the expired case, but I need to set it to a value that will create a "password is about to expire" test case. Responses I have gotten other places seem to indicate that this is a read-only field. Your response indicates that it is read-only-mostly, with the exception of a few special values. Any idea what controls what these special values are? Or is there a way I can assume some specific (system) security context and be allowed to update this attribute? Rex

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robbie Allen Sent: Monday, June 16, 2003 12:34 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Updating pwdLastSet

Actually you can set the pwdLastSet attribute to 0 (to force a password change at next logon) or -1 to disable password change at next logon. You cannot set a password expiration date though. Attached is a Perl script that will find users who have not changed their password in x number of days.
The script could be easily modified to look at the max password age for the domain and notify users that have a password that is going to expire in x number of days. Let me know if you have any questions. Robbie Allen http://www.rallenhome.com/

-Original Message- From: Adam Wood [mailto:[EMAIL PROTECTED] Sent: Monday, June 16, 2003 2:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Updating pwdLastSet

It is indeed read-only in Windows 2000. You could always script changes in date and time.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rex Wheeler Sent: 16 June 2003 18:05 To: [EMAIL PROTECTED]

We are doing some integration work allowing other platforms (unix) to authenticate against Active Directory. We have succeeded in making this happen but are running into testing challenges. We would like to be able to write test scripts to verify that account and password expiration logic is working correctly. For example we want to test that if you have a policy that says you must change your password every 30 days and you last changed your password 25 days ago, you should get a warning message saying that you have 5 days to change your password. The problem is that we can't seem to update the pwdLastSet attribute. How can the value of this attribute be set? If it can not, does anyone have any ideas how to test such expiration logic without spending days of wall clock time?
Thanks, Rex
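Added example, not part of either archived thread and not Robbie's Perl script: the pwdLastSet arithmetic behind both the "password about to expire in 5 days" script request and Rex's test-case problem. pwdLastSet is a large integer of 100-nanosecond intervals since 1601-01-01 UTC, maxPwdAge on the domain head is a negative interval in the same units, and the two special cases the thread mentions (pwdLastSet = 0 forces a change; the DONT_EXPIRE_PASSWD bit in userAccountControl and a "never" maxPwdAge switch expiry off) are handled. The sample clock and the 30-day policy are constructed; the last function computes the pwdLastSet a mock directory would need for a given number of days left, which is the only way to get such a test case short of waiting, since a real DC will not accept an arbitrary value.

```python
"""Password age and expiry arithmetic on pwdLastSet, as the directory does it.

Added example, not from the original threads: a stand-in for the Perl script
linked above ('passwords set N days ago', the dsquery -stalepwd case) and for
the test-case question in the pwdLastSet thread. pwdLastSet is a large integer
of 100-nanosecond intervals since 1601-01-01 UTC; maxPwdAge on the domain head
is a negative interval in the same units. The sample values are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl bit
NEVER_EXPIRES = -0x8000000000000000      # maxPwdAge when the domain policy is 'never'
TICKS_PER_MICROSECOND = 10

# Constructed sample: the moment the check runs and a 30-day domain policy.
SAMPLE_NOW = datetime(2003, 6, 16, 18, 5, tzinfo=timezone.utc)
MAX_PWD_AGE_30_DAYS = -30 * 24 * 3600 * 10_000_000   # 30 days as AD stores it


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD large-integer timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic so it round-trips exactly."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * TICKS_PER_MICROSECOND


def days_ago_filetime(days: int, now: datetime = SAMPLE_NOW) -> int:
    """pwdLastSet value for a password set `days` days before `now`."""
    return datetime_to_filetime(now - timedelta(days=days))


def max_pwd_age_to_timedelta(max_pwd_age: int) -> Optional[timedelta]:
    """maxPwdAge is stored negative; None means passwords never expire."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return timedelta(microseconds=-max_pwd_age // TICKS_PER_MICROSECOND)


def password_status(pwd_last_set: int, user_account_control: int, max_pwd_age: int,
                    warn_days: int = 5,
                    now: Optional[datetime] = None) -> Tuple[str, Optional[int]]:
    """Classify an account's password.

    Returns (state, whole_days_left): state is 'must_change' (pwdLastSet = 0),
    'never_expires', 'expired', 'expiring' (within warn_days) or 'ok'.
    days_left goes negative once expired and is None when it never expires.
    """
    now = now or datetime.now(timezone.utc)
    if pwd_last_set == 0:
        return "must_change", 0
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return "never_expires", None
    max_age = max_pwd_age_to_timedelta(max_pwd_age)
    if max_age is None:
        return "never_expires", None
    remaining = filetime_to_datetime(pwd_last_set) + max_age - now
    days_left = remaining.days   # floors, so -1 means 'expired within the last day'
    if remaining <= timedelta(0):
        return "expired", days_left
    if remaining <= timedelta(days=warn_days):
        return "expiring", days_left
    return "ok", days_left


def password_is_stale(pwd_last_set: int, days: int, now: Optional[datetime] = None) -> bool:
    """True when the password was set more than `days` ago (dsquery -stalepwd's view).
    A never-set password (0) counts as stale."""
    now = now or datetime.now(timezone.utc)
    return pwd_last_set == 0 or filetime_to_datetime(pwd_last_set) < now - timedelta(days=days)


def pwd_last_set_for_days_left(max_pwd_age: int, days_left: int,
                               now: Optional[datetime] = None) -> int:
    """The pwdLastSet a test account would need so that exactly `days_left` remain.

    For a mock directory only: a real DC does not accept arbitrary values for
    this attribute, so the test user has to have set the password that long ago.
    """
    now = now or datetime.now(timezone.utc)
    max_age = max_pwd_age_to_timedelta(max_pwd_age)
    if max_age is None:
        raise ValueError("passwords never expire under this maxPwdAge")
    return datetime_to_filetime(now - (max_age - timedelta(days=days_left)))


if __name__ == "__main__":
    for days in (10, 26, 31):
        print(days, "days ago:",
              password_status(days_ago_filetime(days), 0x200, MAX_PWD_AGE_30_DAYS, now=SAMPLE_NOW))
```

Anything notifying users should read maxPwdAge from the domain head (and, on later functional levels, any fine-grained policy that applies) rather than hard-coding the 30-day value used here.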
RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Yeah, I like those joeware tools too :-) He even does Perl! Robbie Allen http://www.rallenhome.com/

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, June 12, 2003 1:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

LOL, no problem, glad you like the tools, that is why I put them out there. So many things lacking that need to be done... so little time, especially when it is for free. ;oP~ I really have some serious updates coming for ADFIND or at least I want them to be coming, I want to restructure and go to V2 and add Security Descriptor stuff and decoding of more values like useraccountcontrols, et al and also allowing reencoding of nice names into blobs for searching if possible. However I expect that I will be gearing a little towards E2K right now as that is what my paying job is throwing me into now. Note that if you hadn't heard joeware has been getting shut down at the end of the month or so every month lately so I moved it to a new provider so that shouldn't happen for a bit now. Man I got some serious flames when that would happen too, made me laugh pretty hard. I also finally killed the midi's that everyone bitched about. I started seeing how much bandwidth those little things were taking up and decided I didn't like them that much either. Anyway, thanks for the welcome. Hopefully I can contribute my share. :o) joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, June 12, 2003 12:12 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

glad you are here, joeware rocks! Don't think I have ever taken the time to thank you for the tools you make available, not because I'm not appreciative, just fundamentally lazy.
So, thanks for all past joeware and looking forward to more :-]

From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so I stumbled in fashionably late and three sheets to the wind... The only way to make an entrance. ;o) So where were we, I believe we were discussing slapping MIT Kerberos and OpenLDAP on a Linux box and calling it OverActive Directory?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Mr. Richards, welcome to the party. ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 8:54 PM
To: [EMAIL PROTECTED]

I agree with Rick completely. I work for a very large organization and policy is policy. Not only will we not let you put them into our Active Directory, I have a script that will find them and throw the machine objects into an Enterprise Admin Access only OU and disable and smack the ACL of the offending object if someone sneaks one in. So not only do they not get to use the server anymore, they can't even use that server name again. We catch more than a couple of occurrences of this and we take away their ability to add anything and let their managers know that we did it and why. While I understand why people want to put them in (I in fact want to as well), we want a centralized controlled IT structure and the best way to maintain or reduce costs is to have a handle on what is in production.
We do not have an official company load for W2K3 yet with all of the certified drivers and antivirus software so we don't want anyone deploying anything on it because anything they deploy we know will have to be revisited and is a possible breeding ground of viruses, worms, and support issues with no escalation paths. Tough love I guess.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Justifying it technically is going to be a problem
RE: [ActiveDir] A plea to stay on-topic
While we are on the off-topic topic, is there a similar alias to activedir.org, except for Win Server 2003 sys admin stuff (besides the microsoft newslists)?

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Charles Oppermann [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 16, 2003 1:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] A plea to stay on-topic

I have no idea if you're right or wrong. I thought this was an Active Directory mailing list. Guys, can we at least attempt to stay on topic?

-Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Abbiss, Mark
Sent: Friday, May 16, 2003 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Am I right or am I right ?

there is no product available that will resize a BASIC volume that has been set up on a Windows 2000 server ? I have just installed Veritas Volume Manager 3.1 Enterprise Edition and it seems it will only resize DYNAMIC volumes. I need to resize (make smaller) a BASIC volume so how can i do it !?!?!?

Many thanks

Mark Abbiss
EADS Headquarters
81663 Muenchen
Deutschland
Phone : +49 (0)89 607-34776
Email: [EMAIL PROTECTED]

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 15 May 2003 21:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cisco router and IAS server

Hi all, We have a Cisco 2600 router with an analog port to allow users to dial into the router. The authentication is passed by the Cisco device to an internal IAS server which is running RADIUS. Now my problem is that if the user dials in using a normal windows client (tested windows xp and 2000) they are able to authenticate and log in BUT if the user has a call back option on their user profile the Cisco device does not ask the user for the number to call the user back even though they have this option enabled. We also have a Windows 2000 RRAS server installed, the authentication setting is also to that IAS server with RADIUS, but in this case the call back option works?
I know about Cisco VSAs but have tried a lot of different ones with no luck. I was wondering if anyone here knew about anything else, be it VSAs or settings on the IAS or Cisco router to check for? I would love to know, cause this is driving me insane!

ADSI and DirectoryServices advice : http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
ASPELITE member: www.aspelite.com

Carlos Magalhaes
RE: [ActiveDir] Active Directory Tools on XP Clients
Agreed, I've never had any problems using the W2K3 tools against W2K AD.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

Raymond, I'd be interested in hearing what justification someone might have used, but I have used the tools pretty much since they were available to us in the Windows Server 2003 beta - which I suspect was better than a year ago. I've had absolutely NO problem with the tools in a pure Windows 2000 environment, or my mixed 2k/2k3 environment at home.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond McClinnis
Sent: Wednesday, June 11, 2003 12:22 PM
To: [EMAIL PROTECTED]

Just a question regarding this... I had someone tell me that it was not "safe" to run the 2k3 tools against a 2k domain, is this true or is it just a matter of opinion? Sorry if this has been brought up before...

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan Schlegel
Sent: Wednesday, June 11, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Tools on XP Clients

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 11, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Tools on XP Clients

I think if you have a beta or full release of 2003 server you can install adminpak.msi on XP and have your tools there.

"Salandra, Justin A." [EMAIL PROTECTED] wrote:

I know this might have been a topic before, but I am unable to find the e-mails on this topic.
Where do I get the AD tools to run on a XP Workstation?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
917.455.0110 cell
[EMAIL PROTECTED]
RE: [ActiveDir] Windows Server 2003: Groups type
Well there are the Authorization Manager groups, but they are only for role-based applications. I got excited when I first heard references to LDAP query groups, which define membership based on an LDAP search filter, but unfortunately that is only available with Authz Mgr (stored in AD), not for native access control in AD. Here is more info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/AzManRoles.asp

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 9:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows Server 2003: Groups type

Same in W2K3.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vincent Faraut
Sent: 27 May 2003 15:16
To: [EMAIL PROTECTED]

Hi, Under Windows 2000, a group scope (or type) can be Local, Global, or Universal. Does anybody know if there is a new type for group objects in Active Directory under Windows Server 2003?

Thanks in advance
Vince
RE: [ActiveDir] ADSI
As far as timeouts, you can set them when using IDirectorySearch: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/ads_searchpref_enum.asp?frame=true

Or using ADO: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/searching_with_activex_data_objects_ado.asp

But I'm not aware of a way to do it when using a GetObject call.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 3:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADSI

If you're using serverless binding, ADSI may be selecting a DC that is either far away, not reachable, or down. Make sure your DNS contains the proper SRV records for your DCs. You can set timeout values for LDAP calls using the LDAP APIs, but I don't think that that functionality is exposed through ADSI.

-gil

-Original Message-
From: Reva S [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 12:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADSI

Hi, Has anyone experienced problems with ADSI? I try to connect to the RootDSE object of the remote server and it sometimes never returns. Can we specify a timeout or some other way to force the method to return?

Thanks!
Reva
RE: [ActiveDir] how can I add the value of the schemaIDGUID when I create a schema object?
Good explanation Dave. A couple of additional comments... The double colon (::) in LDIF means that the value to the right is base64 encoded. The dash (-) after schemaUpdateNow is needed when you modify an entry in LDIF (not necessary for adding or deleting). It allows you to modify multiple attributes at once if you want (separated by dashes). You need to set the schemaIDGUID when you create the object. Don't you love LDIF! :-) I actually kinda like it, but I may just be used to it. Check out the LDIF RFC 2849 for more details.

Robbie Allen
http://www.rallenhome.com/ (under construction)

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how can I add the value of the schemaIDGUID when I create a schema object?

zhaohu - Here's an example:

dn: cn=nwa-test-attribute,cn=schema,cn=configuration,d
changetype: add
objectClass: attributeSchema
cn: nwa-test-attribute
attributeID: 1.3.6.1.4.1.11802.2.1.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
lDAPDisplayName: nwaTestAttribute
description: attribute added for test - please ignore
rangeLower: 1
rangeUpper: 10
schemaIDGUID:: DPzmI4k/WUqX0IqM1HQiJA==

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

I put everything between the lines above into a LDIF file called test.ldf. I then invoked the following command line (replacing the yourdomain portion with the real domain name, of course):

ldifde -i -f test.ldf -c d dc=yourdomain,dc=com -v

You should get an attribute with a schemaIDGUID value of {23E6FC0C-3F89-4A59-97D0-8A8CD4742224}. A couple of notes - the extra colon after schemaIDGUID and the dash (-) after the schemaUpdateNow element seem to be important - don't ask me why. Of course, for real extensions you can place several attribute and class definitions in the same LDIF file and do them all at once.
Just remember to put the schemaUpdateNow section after anything that's required by other parts of the file. For example, I recently did one with two new attributes, and a new auxiliary class that was connected to the User class. The LDIF file had the add attribute sections, an update, the add class section, another update, a modify section to add the auxiliary class to the user class, and then a final update. Hope that helps.

Dave

-Original Message-
From: zhaohu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 29, 2003 7:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] how can I add the value of the schemaIDGUID when I create a schema object?

yeah, i wanna specify a value for schemaIDGUID in order to create extended rights for some objects, and i get the Base64-encoded format value by the utility uuidgen.exe. then how do you extend the schema using LDIF files? could you show me an example, because i had failed to do that, so i have to program it in C++, thanks very much~

- Original Message -
From: Fugleberg, David A
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 3:43 AM
Subject: RE: [ActiveDir] how can I add the value of the schemaIDGUID when I create a schema object?

I'm not the expert either, but I do have some experience with this. Normally, like Rick said, GUIDs are simply assigned by the system upon object creation. SchemaIDGUID is kind of a special case, though - it's the GUID of the classSchema or attributeSchema object itself. If you ever want to define some extended rights that apply to instances of your new class or attribute, you'll need to know the SchemaIDGUID of the classSchema or attributeSchema object in the forest. Let's say you write a program that extends the schema, and it does NOT specify the schemaIDGUID. The system will generate one for you when the program is run. If you run it again in a different forest, those objects will have a different value of schemaIDGUID in that forest.
On the other hand, if your program DOES specify a value for schemaIDGUID, then it will have that value in every forest where your extension is installed. That way, you can document what it should be, and can programmatically create extended rights for those objects in any of those forests. The value must be in the Base64-encoded format. There are a couple of ways to generate a value to use: 1. Install the extension on a test forest WITHOUT specifying the schemaIDGUID, copy the value that gets automatically generated, and put it in your program for future
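The conversion Dave and Robbie describe (a {GUID} as uuidgen.exe prints it, versus the base64 value a `schemaIDGUID::` line carries) trips people up because AD stores a GUID as 16 raw bytes in the Windows layout, with the first three fields little-endian, so the textual hex cannot simply be base64-encoded in order. The following is an added example, not code from the thread: Python helpers that convert in both directions, plus a generator for an attributeSchema entry and the schemaUpdateNow record in the layout Dave posted. The configuration NC DN, attribute names and the OID in the usage are placeholders.

```python
"""Added example: schemaIDGUID <-> LDIF base64, and an attributeSchema LDIF generator.

Standard library only. The DN, names and OID used in __main__ are placeholders,
not values from the mailing-list thread.
"""
import base64
import uuid


def schema_id_guid_from_ldif(b64: str) -> str:
    """Decode the value of a 'schemaIDGUID::' line into {XXXXXXXX-XXXX-...} form.

    AD stores a GUID as 16 bytes in Windows layout: time_low, time_mid and
    time_hi_and_version little-endian, the remaining 8 bytes in order.
    uuid.UUID(bytes_le=...) applies exactly that layout.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 16:
        raise ValueError(f"schemaIDGUID must decode to 16 bytes, got {len(raw)}")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def schema_id_guid_to_ldif(guid: str) -> str:
    """Encode a {GUID} string (e.g. uuidgen.exe output) for a 'schemaIDGUID::' line."""
    u = uuid.UUID(guid.strip("{}"))
    return base64.b64encode(u.bytes_le).decode("ascii")


def attribute_schema_ldif(config_nc_dn, cn, ldap_display_name, attribute_id, guid,
                          attribute_syntax="2.5.5.12", om_syntax=64,
                          single_valued=True, description=None) -> str:
    """Return LDIF that adds one attributeSchema object, then forces a schema reload.

    Defaults describe a Unicode string attribute (attributeSyntax 2.5.5.12 /
    oMSyntax 64). schemaIDGUID is written with '::' because the value is base64;
    the trailing '-' closes the 'changetype: modify' record as RFC 2849 requires.
    """
    lines = [
        f"dn: cn={cn},cn=schema,{config_nc_dn}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"cn: {cn}",
        f"attributeID: {attribute_id}",
        f"attributeSyntax: {attribute_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        f"lDAPDisplayName: {ldap_display_name}",
    ]
    if description:
        lines.append(f"description: {description}")
    lines.append(f"schemaIDGUID:: {schema_id_guid_to_ldif(guid)}")
    lines += [
        "",
        "dn:",
        "changetype: modify",
        "add: schemaUpdateNow",
        "schemaUpdateNow: 1",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder GUID made locally; for a real extension generate it once with
    # uuidgen.exe (or uuid.uuid4()) and then hard-code it so every forest gets the same value.
    guid = "{" + str(uuid.uuid4()).upper() + "}"
    print(attribute_schema_ldif(
        "cn=configuration,dc=example,dc=com",   # placeholder configuration NC
        "example-test-attribute", "exampleTestAttribute",
        "1.3.6.1.4.1.99999.1.1",                # placeholder OID, not a registered arc
        guid, description="placeholder attribute"))
```

Feed the output to `ldifde -i -f file.ldf` exactly as in Dave's message; the round trip `schema_id_guid_from_ldif` is also handy for checking that a value pasted into an LDIF file really is the GUID you documented, since a byte-order slip still produces a valid-looking base64 string.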
RE: [ActiveDir] Changes to Win2003 and online AD restores
Not sure about a new API to restore deleted objects, but there is a procedure you can follow to do it. It is outlined here: http://msdn.microsoft.com/library/default.asp?url=

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changes to Win2003 and online AD restores

I was reading "Guide to Windows Server 2003 Changes in Default Behavior" http://microsoft.com/downloads/details.aspx?FamilyID=0fa11476-2ba7-4474-bc35-8fc38c65ef16&DisplayLang=en and saw this blurb:

Add an option for Active Directory to undelete deleted objects. Provides an option to "undelete" or support online recovery by reanimating tombstones. ISVs can write applications to call this API to reanimate a tombstone and add value by restoring other attribute data, thereby providing an "online" restore capability. This feature provides an API to reanimate tombstones without hacking into the ESE database. ISVs can differentiate their products by restoring other data that is not recovered by this feature. Take a domain controller offline, perform a restore from backup media, and then authoritatively restore the one object of interest.

I assume this has to do with the statement put out by MS someone posted recently. Does anyone know of product plans exploiting this new API?
RE: [ActiveDir] /domainprep and /forestprep
It is called adprep... http://www.microsoft.com/technet/treeview/default.asp?url=

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]]
Sent: 19 December, 2002 17:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] /domainprep and /forestprep

You need them if you are upgrading AD to .NET as well. (Using a different EXE than the Exchange ones)

-Original Message-
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] /domainprep and /forestprep

Can anyone tell me if these two switches are for anything OTHER than installing E2K?

TIA
Joe Pelle

Disclaimer and confidentiality note: Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the company. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Standard Bank. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
RE: [ActiveDir] CSVDE/ADSI queries causing mini denial of service attacks
Hi Alan, How would you define intensive? I've not seen any way to do query-based user-specific rate-limiting in AD. The closest thing is the LDAP query policy, but that is probably not what you were looking for (Q315071). Object quotas are new as of .NET AD, but only apply to limiting the number of objects created, not queried.

We've encountered this issue quite frequently as well. A lot of vendors tend to prefer sucking out data from AD and storing it locally in a DB as opposed to doing real-time queries. And even though there are a few different ways to track changes in AD (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/overview_of_change_tracking_techniques.asp), each method has issues and most find it easier to just do periodic dumps.

Another issue on this front is simply identifying when clients are performing these intensive queries. We do real-time monitoring on the LDAP and DS counters in the NTDS perfmon object and alert when they reach certain thresholds (I can provide the thresholds if people are interested). In some cases we've had to resort to running netmon for extended periods of time to track down the offender. What I'd really like to see is a log of all LDAP queries and parameters, client IP, query duration, and number of entries returned. Most other directory servers have this capability and it is extremely helpful, especially post-incident. The LDAP Interface Events diagnostics logging (Q220940) provides some of this data, but not all. Here is an example event:

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1139
Date: 12/8/2002
Time: 6:29:38 AM
User: AD-VM\administrator
Computer: AD-01
Description: Internal event: Function ldap_search completed with an elapsed time of 20 ms.

And of course you can always deny certain clients from querying AD by setting the IP Deny List (via ntdsutil), but I doubt that is what you had in mind.
Robbie Allen

-Original Message-
From: Isham, Alan A [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] CSVDE/ADSI queries causing mini denial of service attacks

Background: In recent months, we have discovered (reactively) a number of customers who are content dumping the entire Workers OU (70,000+ objects) at pretty frequent intervals, which is causing mini denial of service attacks on our domain controllers in small pipe locations. Has anyone limited access to their production Windows 2000 Active Directory forests to prevent users from running intensive CSVDE/ADSI queries against their domain controllers? If so, how? Through technology? Through policy? Both?

--
Alan A. Isham, IT Product Manager
Messaging and Active Directory Engineering
Intel Corporation
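Robbie's point is that the 1139 events give you a caller and an elapsed time per LDAP call but not the filter, client IP or entry count, so the most you can do with them offline is aggregate per caller and alert on the heavy ones. The following is an added example, not code from the thread: a Python parser for records in the Event Viewer text layout quoted above, a per-user summary, and a threshold check. The sample events are constructed for the example; the svc-export entries and the thresholds are invented, not measured values.

```python
"""Added example: summarise NTDS 'LDAP Interface Events' (event ID 1139) per caller.

Standard library only. SAMPLE_EVENTS is constructed in the Event Viewer text layout of
the event quoted in the thread; the AD-VM\svc-export records are invented for the example.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1139
Date: 12/8/2002
Time: 6:29:38 AM
User: AD-VM\administrator
Computer: AD-01
Description: Internal event: Function ldap_search completed with an elapsed time of 20 ms.

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1139
Date: 12/8/2002
Time: 6:30:01 AM
User: AD-VM\svc-export
Computer: AD-01
Description: Internal event: Function ldap_search completed with an elapsed time of 1200 ms.

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1139
Date: 12/8/2002
Time: 6:30:04 AM
User: AD-VM\svc-export
Computer: AD-01
Description: Internal event: Function ldap_search completed with an elapsed time of 2300 ms.

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1139
Date: 12/8/2002
Time: 6:30:07 AM
User: AD-VM\svc-export
Computer: AD-01
Description: Internal event: Function ldap_search completed with an elapsed time of 1900 ms.
"""

FIELD_RE = re.compile(r"^(Event ID|Date|Time|User|Computer|Description):\s*(.*)$", re.M)
ELAPSED_RE = re.compile(r"Function (\w+) completed with an elapsed time of (\d+) ms")


def parse_events(text):
    """Split Event Viewer text on blank lines; keep 1139 records that report a duration."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if fields.get("Event ID") != "1139":
            continue
        m = ELAPSED_RE.search(fields.get("Description", ""))
        if not m:
            continue
        records.append({
            "user": fields.get("User", "?"),
            "computer": fields.get("Computer", "?"),
            "when": f'{fields.get("Date", "")} {fields.get("Time", "")}',
            "function": m.group(1),
            "ms": int(m.group(2)),
        })
    return records


def summarize(records):
    """Per-caller count, total and worst elapsed time: the only cost signal 1139 carries."""
    summary = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0})
    for r in records:
        s = summary[r["user"]]
        s["count"] += 1
        s["total_ms"] += r["ms"]
        s["max_ms"] = max(s["max_ms"], r["ms"])
    return dict(summary)


def flag_heavy(summary, max_ms=1000, min_count=3):
    """Callers with a search slower than max_ms, or at least min_count searches in the window."""
    return sorted(u for u, s in summary.items()
                  if s["max_ms"] >= max_ms or s["count"] >= min_count)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for user in flag_heavy(summary):
        print(user, summary[user])
```

Because the event names the account and not the client address, the result is a list of service accounts to go and talk to (or to combine with netmon captures, as Robbie describes), not a block list; the thresholds have to be tuned against what your own DCs log on a normal day.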
RE: [ActiveDir] How to get changes from active directory?
The doc Gil mentioned describes how to track changes as they happen. There is also metadata that is stored with every object that contains a brief change log history for each object (stored in the replPropertyMetaData attribute). You can view the metadata for an object using tools like repadmin or replmon. For example:

C:\> repadmin /showmeta cn=administrator,cn=users,dc=mycorp,dc=com
Loc.USN  Originating DC               Org.USN  Org.Time/Date        Ver  Attribute
=======  ===========================  =======  ===================  ===  ==================
24684    Default-First-Site-Name\DC1  24684    2002-11-26 06:05:05  1    mail
20548    Default-First-Site-Name\DC1  20548    2002-11-15 17:12:05  1    lastLogonTimestamp
...

With metadata you can answer questions about when, where and what changes occurred to an object. Well, you actually don't get the full story with what changed because only the attribute name that changed is stored, not the values that changed. I asked Stuart at DEC if they could answer the who question by adding the writer GUID to the metadata, which would be the object guid of the security principal that made the change. I also think it would be nice if the what question could also be fully answered in the metadata by providing the before and after values of the changed attribute (there are certain ramifications to this though). There are a couple of other issues that impair the use of metadata, namely it is stored in binary format and not easily parsable unless using Microsoft APIs. And since it is in binary, you can't search it. For more info on the API: http://msdn.microsoft.com/library/en-us/netdir/ad/ds_repl_obj_meta_data.asp

Microsoft did include Detailed transaction logging on the questionnaire they provided at DEC as one of the features they are considering for the next release of AD (after .NET). I'm not sure what it would look like, but I believe Stuart said they were thinking it would be file-based.
Robbie Allen

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 3:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to get changes from active directory?

Thanks Gil, I wasn't aware of this. You learn something new every day :-) Any idea why Microsoft decided not to implement the changelog approach? It seems like a number of the other vendors have. I quite like the look of the IBM Directory approach, which includes support for a number of change log entry attributes, including the DN of the change originator, e.g.

ibm-changeInitiatorsName
The DN of the entity that initiated the change
Syntax: 1.3.6.1.4.1.1466.115.121.1.12
Value: single-valued
Usage: userApplications

I think this type of information would be useful in AD. Robbie Allen touched on this at DEC Europe during his round table discussion on tools. Stuart Kwan was there and mentioned something about Microsoft's plans, but I can't remember exactly what it was. Maybe Robbie remembers?

Tony

-- Original Message --
From: Gil Kirkpatrick [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 25 Nov 2002 12:37:29 -0700

Naval, There are several mechanisms for getting change information from the directory. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/polling_for_changes_using_the_dirsync_control.asp Each mechanism has its advantages and disadvantages; the docs do a reasonable job of explaining them.

-gil

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 25, 2002 7:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to get changes from active directory?

Hi Naval, AD doesn't (currently) store change information in the directory. Some information can be made available through auditing of AD object access. The audit information will be written to the event log. The limitation of this approach is that this information will only be available on the DC where the change was made.
A separate consolidation process would then be required if centralised information were a requirement. Stuart (if he's listening) may have some information on Microsoft's future plans in this area.

Tony

-- Original Message --
From: Naval [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 25 Nov 2002 16:48:21 +0530

Hi, How can i get the changes from the Active Directory server? For e.g. netscape provides changes below the cn=changelog node. Where does AD publish the changes?

Thanks,
Naval
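Robbie's message above shows what replication metadata can and cannot tell you: the attribute name, the originating DC and USN, the originating time and a version counter, but neither the writer nor the old and new values. The following is an added example, not code from the thread: a Python parser for the `repadmin /showmeta` text layout he posted, with three small queries that map onto his when/where/what. The sample table is constructed for the example (the DC2 rows and the extra attributes are invented), and the parser only understands that column layout.

```python
"""Added example: parse the 'repadmin /showmeta' table layout posted above and use the
replication metadata to answer when/where/what about an object's changes.

Standard library only. SAMPLE_SHOWMETA is constructed for this example, not real output.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_SHOWMETA = r"""
Loc.USN  Originating DC               Org.USN  Org.Time/Date        Ver  Attribute
=======  ===========================  =======  ===================  ===  ==================
24684    Default-First-Site-Name\DC1  24684    2002-11-26 06:05:05  1    mail
20548    Default-First-Site-Name\DC1  20548    2002-11-15 17:12:05  1    lastLogonTimestamp
23910    Default-First-Site-Name\DC2  18102    2002-11-20 09:41:17  3    userAccountControl
23911    Default-First-Site-Name\DC2  18103    2002-11-20 09:41:17  4    pwdLastSet
19877    Default-First-Site-Name\DC1  19877    2002-11-02 11:03:44  1    description
"""

# One data row: local USN, originating DC, originating USN, originating time, version, attribute.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)


def parse_showmeta(text):
    """Return one dict per attribute row; header and separator lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        loc_usn, dc, org_usn, when, ver, attr = m.groups()
        rows.append({
            "loc_usn": int(loc_usn),
            "originating_dc": dc,
            "org_usn": int(org_usn),
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "version": int(ver),
            "attribute": attr,
        })
    return rows


def changed_since(rows, since_iso):
    """'When': attributes whose last originating write is at or after an ISO 8601 time
    such as '2002-11-20' or '2002-11-20 09:00:00'."""
    since = datetime.fromisoformat(since_iso)
    return [r for r in rows if r["when"] >= since]


def by_originating_dc(rows):
    """'Where': the DC on which each attribute's current value was written."""
    out = defaultdict(list)
    for r in rows:
        out[r["originating_dc"]].append(r["attribute"])
    return {dc: sorted(attrs) for dc, attrs in out.items()}


def frequently_rewritten(rows, min_version):
    """'What', as far as metadata goes: attributes whose version counter shows repeated
    writes. Only the name and the count are recorded, never the values."""
    return sorted(r["attribute"] for r in rows if r["version"] >= min_version)


if __name__ == "__main__":
    rows = parse_showmeta(SAMPLE_SHOWMETA)
    for r in changed_since(rows, "2002-11-20"):
        print(f'{r["when"]}  {r["originating_dc"]}  {r["attribute"]} (v{r["version"]})')
    print(by_originating_dc(rows))
    print(frequently_rewritten(rows, 3))
```

The originating DC is the one to pull the Directory Service audit log from when you need the "who", which is exactly the correlation step Tony describes having to do by hand.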
RE: [ActiveDir] LDAP Display Name for Security Properties
This is an example of why it would be nice if the object GUID of the security principal that performed the write was included in the metadata for the modified object. I mentioned this to one of the AD developers during the MEC AD Community session, and he said he would take it back to the AD team. On a related note, if the object GUID of the writer was included in the metadata, then all that would be needed to have a complete change log history of objects stored in the metadata would be the before and after values of modified attributes. Granted, this could greatly increase the size of the DIT, especially over time, but I think it would be cool to have as an option ;-) And yes some of this can be done with the dirsync control and change notifications, but it would be nice if it was stored directly in AD.

Robbie Allen

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 11, 2002 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP Display Name for Security Properties

Rick, Unfortunately, if we are talking about the same dialog box with the ACL and the ACEs (in advanced view) these are Security Principals with permissions that they have on this object. It's likely that one of these objects DID join it to the domain, but if it was the Domain Administrators group, and there are 5 members, which member performed the join of the computer? Maybe someone else can provide better or more complete information, but I don't believe that there is any information that will tell you which Security Principal actually joined a computer to the domain. This is even compounded further by the fact that BY DEFAULT any user can join up to 10 machines to the domain, IIRC. Now, the problem gets even more difficult to track. Auditing is the only way to confirm who did what - but that, again, assumes that auditing was on, configured, and the logs are available.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jones, Rick J. (Desktop Engineering)
Sent: Monday, November 11, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP Display Name for Security Properties

Anyone know the LDAP Display Name for the security properties on a Computer Account? When I open Active Directory Computers and Users and right click on a computer account, click on security (with advanced options turned on) I get a list of accounts. One of those is the account name that was used to join the computer to the domain (I believe); what I need to do is be able to query that information so we can find out who joined these computers to the domain.

Rick J. Jones
RE: [ActiveDir] Create a buttload of DNS zones with PERL
Hi Mike, I still wouldn't suggest using the DNS WMI provider on W2K, although if you only wanted to create zones you could probably get by with it. You could script around dnscmd.exe or just use the DnsCmd.pm module I included in the book, which should get the job done. BTW, the DNS WMI provider on .NET is very solid and exactly what we've been needing as far as a DNS API for the Windows DNS server.

Robbie Allen

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 2:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Create a buttload of DNS zones with PERL

If anyone out there has any info on if this is possible, let me know. I have Robbie's Managing Enterprise ADS, and it says that the WMI interface to DNS isn't reliable. I need to create a couple hundred reverse lookup zones on a standalone W2K box for our routers, and don't wanna do it manually. Any suggestions are appreciated.

TIA
Mike
RE: [ActiveDir] Cleaning out old machine accounts
Attached is a Perl script I wrote a while back to manage inactive computer objects. It does the following:

* Iterate through each domain controller for a domain (uses Net::DNS)
* Find all disabled computer accounts (via userAccountControl)
* Find all inactive computer accounts (via pwdLastSet)
* Delete the disabled computer accounts
* Disable the inactive computer accounts

In a nutshell, the script will disable any inactive computers it finds, and then in the next invocation of the script, it will delete the disabled computer accounts. The script is meant to be run on a weekly or monthly basis. You can customize it to find inactive computers x number of months old. You could modify the script to directly delete the inactive computer accounts, but when dealing with 60,000 computer objects, I'm a little paranoid :-)

Robbie Allen

Burns, Clyde [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/10/2002 20:28
Please respond to ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Cleaning out old machine accounts

I used this back in NT4 days. It might be worth your time to take a look and see if it will work in an AD environment. http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q197478;

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Cleaning out old machine accounts

Our AD was upgraded from a NT domain. We have a bunch of old machine accounts. What is the best method to tell if a machine no longer exists or hasn't connected to the network?
Thanks,jb -- Jason Benway [EMAIL PROTECTED] 1250 S.Beechtree Grand Haven, MI 49417 616-847-8474 Fax: 616-850-1208 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ inactive_computers.pl Description: Binary data inactive_computers.pl Description: Binary data
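Robbie's script is attached as a binary and not reproduced on the page, so the Python below is an added example of the same two-pass logic, not his code: it builds the LDAP filters for the two searches (disabled accounts via a server-side bitwise match on userAccountControl, inactive ones via pwdLastSet) and classifies a constructed set of computer entries into keep, disable, delete or review. The entries are faked in the shape AD returns them (userAccountControl as an integer, pwdLastSet as a FILETIME); the 90-day default, the account names and the dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits that matter for computer objects
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000          # set on domain controllers
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Machine passwords rotate every 30 days by default; a shorter threshold
# would flag healthy machines as inactive.
MACHINE_PASSWORD_AGE_DAYS = 30

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def disabled_computers_filter():
    """Pass 1: computers already disabled (bitwise AND on userAccountControl)."""
    return (f"(&(objectCategory=computer)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))")


def stale_computers_filter(cutoff):
    """Pass 2: enabled computers whose password was last set before `cutoff`."""
    return (f"(&(objectCategory=computer)(pwdLastSet<={datetime_to_filetime(cutoff)})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))")


def classify(entries, now, max_age_days=90):
    """Map each sAMAccountName to keep / disable / delete / review."""
    if max_age_days <= MACHINE_PASSWORD_AGE_DAYS:
        raise ValueError("threshold must exceed the machine password change interval")
    cutoff = now - timedelta(days=max_age_days)
    actions = {}
    for e in entries:
        uac, name, pls = e["userAccountControl"], e["sAMAccountName"], e["pwdLastSet"]
        if uac & SERVER_TRUST_ACCOUNT:
            actions[name] = "keep"          # a DC's account is never touched by this job
        elif uac & ACCOUNTDISABLE:
            actions[name] = "delete"        # disabled on an earlier run, nobody complained
        elif pls == 0:
            actions[name] = "review"        # never set: pre-created but never joined
        elif filetime_to_datetime(pls) < cutoff:
            actions[name] = "disable"       # inactive: disable now, delete next run
        else:
            actions[name] = "keep"
    return actions


# Constructed sample directory contents (not real search results)
NOW = datetime(2002, 10, 10, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "WS02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=120))},
    {"sAMAccountName": "WS03$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "NEW01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(disabled_computers_filter())
    print(stale_computers_filter(NOW - timedelta(days=90)))
    for name, action in classify(SAMPLE_COMPUTERS, NOW).items():
        print(f"{name:8} {action}")
```

The two-pass shape is the safety net Robbie describes: a machine that is merely switched off for a quarter gets disabled, not deleted, and comes back with a re-enable rather than a rejoin. pwdLastSet is the usable signal on Windows 2000 because lastLogon is not replicated between DCs, which is also why the original script walks every DC. DC accounts are excluded outright: a job that is able to disable domain controllers is not one to run unattended.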
RE: [ActiveDir] Start TLS on LDAP (389)
Support for Start TLS defined in RFC 2830 (http://www.ietf.org/rfc/rfc2830.txt) is not available until .NET AD. If you have a copy of .NET you can play with TLS via LDP (Options > TLS > StartTLS/StopTLS). As far as W2K AD goes, you'll need to use SSL as Rick mentioned.

For the curious, MSDN has a pretty good overview of TLS (URL may break):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/transport_layer_security_tls_protocol.asp

Robbie Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Ooms
Sent: Friday, October 04, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Start TLS on LDAP (389)

Hi,

Does anyone know if we can Start TLS on Active Directory port LDAP 389? I am trying to understand how we make secure connections to AD. If we have to use LDAPS, I need to know that quite soon.

Rgds,
--
Frank P. Ooms [EMAIL PROTECTED]
Principal IT Systems Architect
Schlumberger IT Standards Planning
Tel: +31 70 3105454
Fax: +31 70 05 463
Mobile: +31 6 51280369
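The Start TLS operation Robbie refers to is an LDAP extended operation carried on the plain port 389 connection: the client sends an ExtendedRequest naming OID 1.3.6.1.4.1.1466.20037 and only a success result permits the TLS handshake to begin on the same socket. The Python below is an added example, not code from the thread or from LDP: it hand-encodes the request and both a success and a refusal response in BER, parses them, and shows the decision a client has to make. A server that does not implement the operation answers with protocolError (2); both responses here are constructed, not captured from a DC.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 2830 Start TLS extended operation
PROTOCOL_ERROR = 2                          # LDAP resultCode for an unrecognised operation


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_int(n):
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """Client -> server: LDAPMessage { messageID, ExtendedRequest { requestName } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))      # [0] LDAPOID
    extended_request = _tlv(0x77, request_name)                  # [APPLICATION 23]
    return _tlv(0x30, _ber_int(message_id) + extended_request)


def extended_response(message_id, result_code, diagnostic="", response_name=None):
    """Server -> client: LDAPMessage { messageID, ExtendedResponse { LDAPResult, [10] name } }."""
    body = (_tlv(0x0A, bytes([result_code]))                     # resultCode ENUMERATED
            + _tlv(0x04, b"")                                    # matchedDN (empty)
            + _tlv(0x04, diagnostic.encode("utf-8")))            # diagnosticMessage
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode("ascii"))        # [10] responseName
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x78, body))   # [APPLICATION 24]


def parse_extended_response(buf):
    tag, msg, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse (0x78), got tag 0x{tag:02x}")
    _, rc, pos = _read_tlv(body, 0)
    _, matched, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    name = None
    while pos < len(body):                                       # optional trailing fields
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8"),
            "response_name": name}


def may_start_tls(response_bytes, expected_id):
    """Only success (0) for our own messageID allows the TLS handshake; anything
    else must end the session rather than fall back to cleartext LDAP."""
    r = parse_extended_response(response_bytes)
    return r["message_id"] == expected_id and r["result_code"] == 0


# Constructed sample exchange (not captured from a real directory server)
OK_RESPONSE = extended_response(1, 0, response_name=STARTTLS_OID)
REFUSED_RESPONSE = extended_response(1, PROTOCOL_ERROR, "constructed: Start TLS not recognised")

if __name__ == "__main__":
    print(starttls_request(1).hex())
    print(parse_extended_response(OK_RESPONSE), may_start_tls(OK_RESPONSE, 1))
    print(parse_extended_response(REFUSED_RESPONSE), may_start_tls(REFUSED_RESPONSE, 1))
```

The point of may_start_tls is the failure path: a client that receives anything other than resultCode 0 and quietly carries on over the cleartext connection has downgraded itself, which is exactly what an on-path attacker who strips the extended operation is hoping for. RFC 2830 also requires that no other operations be outstanding when the request is sent, so it belongs on a fresh connection before any bind.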
RE: [ActiveDir] Querying the DN
The 'distinguishedName' attribute is present on all objects, which can be used to query or retrieve the DN. Have you tried that?

Robbie Allen

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Querying the DN

I have been trying to figure out a way using LDP to query the DN or Canonical Name with no success. I can query fields using samaccountName, Notes, etc. Anyone know how to query it? I know I can LDIF it and use ADSI.

Todd
RE: [ActiveDir] Sort of OT: other Protocols
Isolated environment meaning no contact with a DNS server? Most people are trying to get away from NetBEUI these days. Could you set up DNS on the W2K server? It is pretty low overhead.

Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services

-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 10:45 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Sort of OT: other Protocols

I have an isolated environment that runs SQL 2000 and Windows 2000 Servers. This environment experienced problems the other day because of a lack of name resolution between the servers. I was asked by management to look at NetBEUI as a backup in case standard TCP/IP name resolution failed... Here is what I have set up... On each machine I have 2 NICs, 1 NIC on each machine is dedicated to IP and 1 NIC is dedicated to NetBEUI. Does anyone see any issues with this?

Joshua Morgan
PROFITLAB
Senior Network Engineer
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]
http://www.profit-lab.com
http://ncontrol.info
The greatest glory is not in never failing, but in rising up every time we fall. -- Confucius
RE: [ActiveDir] Educating users on proper AD use ;-)
There are a couple options although neither may be ideal.

First, you can go to Start - Search - For Files or Folders. At the bottom of the left pane is "Search for other items:" and underneath that is a link for "Computers".

Second is after you browse to the domain as you mentioned below, right click on the domain and select "Find". You can then save the search by selecting File - Save Search. Problem with this option in its default state is that it executes a search when opened (even if no criteria are entered).

I believe both of these options can be customized to some extent, but I haven't seen any documentation on it.

Robbie Allen
Cisco Systems Enterprise Management
Coauthor of "Managing Enterprise Active Directory Services"

-----Original Message-----
From: Ken Rinehart [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Educating users on proper AD use ;-)

I got one response telling me I could limit who sees the OrgUnits in AD (obviously) but other than that I haven't heard much.

Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of SEYBOLDT,VOLKER (HP-Germany,ex1)
Sent: Wednesday, July 17, 2002 6:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Educating users on proper AD use ;-)

Hi Ken,

this is an interesting point. Did you get any response on this?

Volker

-----Original Message-----
From: Ken Rinehart [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 6:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Educating users on proper AD use ;-)

Hello

I understand that Microsoft wants users to get away from Network Neighborhood and start using features of Active Directory. In most of the books that I have there is mention of this and that "eventually" you won't have to use Network Neighborhood and broadcast based browsing will go away. But what will replace it? I want to turn it off across my office space so I have no NBT broadcast browsing.

I'm at a crossroads where I've just set up a native AD and want to use it "properly" and get users to make a behavioral change when accessing resources. So far I'm familiar with the standard My Network Places - Entire Network - Entire Contents - where there is then a choice for "Microsoft Windows Network" and "Directory - AD Domain". Double clicking this shows you all your OrgUnits but is this something you really want your users to see? Seems way too confusing and I'd rather not have them poking around looking at who my DCs are! The alternative of course is to right click on your AD domain and choose "Find" which is better but most users will never figure this out. Is there a more direct way of accessing this utility? So I could use a GP to put it on all desktops or something. I'm so tired of browsing :-(

Ken
RE: [ActiveDir] New AD announced for web apps.
Stuart Kwan had mentioned this was coming at the Directory Experts Conference in May. Ultimately I think it could be a good thing if Microsoft starts to treat AD as a separate product instead of just an add-on to Windows 2000/.NET. I don't see the benefit to what they are saying about needing to set up an entire operating system environment as is now mandated. You can set up standalone AD servers that act as LDAP servers today. Perhaps they can limit the DNS requirements, but other than that it still has to go on a Windows OS. I think this has a lot to do with the perception of AD as a NOS-only directory and not a true competitor to Sun or Novell in the app space.

Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services

-----Original Message-----
From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] New AD announced for web apps.

http://www.infoworld.com/articles/hn/xml/02/07/17/020717hnactivedirectory.xml
RE: [ActiveDir] New AD announced for web apps.
Why is that an issue for running just a generic LDAP directory? You can still do standard LDAP binds against it and each directory has its own way for securing resources.

Robbie Allen

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 6:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New AD announced for web apps.

The big issue using AD as a standalone LDAP server (as Stuart explained at the DEC) has to do with AD's ties to the Win32 security system... authentication through Kerberos, generation of Win32 security tokens, SIDs appearing in ACLs, etc. ADAM removes these ties as I understand it.

-gil
RE: [ActiveDir] New AD announced for web apps.
iNetOrgPerson is supported fully in .NET ;-) Have you seen studies where AD is much slower than iPlanet/ONE, eDirectory or OpenLDAP in terms of bind time? I've heard varying reports. In my experience, I believe the bigger issues are when you try to consolidate your NOS and enterprise app directory into one. The two are largely not compatible in terms of requirements (e.g. multi-domain vs flat).

Robbie Allen

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 18, 2002 7:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] New AD announced for web apps.

iNetOrgPerson and performance. Some apps can't deal with the default AD schema and doing a simple bind that only does a local password check is a lot quicker than issuing tickets, constructing tokens, etc.

-gil
RE: [ActiveDir] Active Directory Question
Hi Joanna,

At Cisco we've developed a whole suite of web-based AD tools to include an Account Mgmt (users, groups, computers) tool. It was all done using Perl and CGI with Apache as the web server. ADSI makes it pretty straightforward, or if you want to develop on a UNIX platform, you can do nearly as much with the Net::LDAP perl module.

Robbie Allen
Cisco Systems Enterprise Management
Coauthor of Managing Enterprise Active Directory Services

-----Original Message-----
From: Joanna Days [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 2:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Question

Do you have the name of the Cisco person that spoke or a point of contact from that conference that I can check up with?

Gil Kirkpatrick wrote:

Joanna,

Don't know if there's a commercial product for this, but at the Directory Experts Conference this past April, the AD architect from Cisco spoke on some software they had developed in-house, which appeared to be just what you describe. It was apparently a pretty straightforward development project with IIS, ASP, and Perl scripts.

-g

Gil Kirkpatrick
Chief Technology Officer, NetPro
Author of Active Directory Programming from MacMillan
Got eBook? Get your free Active Directory Troubleshooting eBook at: http://www.netpro.com/ebook

-----Original Message-----
From: Joanna Days [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Question

I am currently doing Windows 2000 Active Directory research in preparation for our upcoming migration from Novell to Active Directory. I have a couple of questions and wanted to know if anyone has dealt with them. I work in an education institution so my questions may be specific to EDU but also to other companies.

- Does anyone currently have a method where students/staff/faculty can create their own AD account?
- Does anyone currently have a method (preferably web based) where users can reset their own password?
- Does anyone currently have a method to check to see if the account is current and if not to automatically delete the account?
- Are you using an off the shelf product or are you using an in house program (or a combination of the two)?

Below is a list of things that we are trying to accomplish:

We are trying to find a solution that will allow our students to create their own Active Directory account to allow them to log on to the machines in the computer lab. They need to also be able to reset their own passwords. Accounts need to exist only for the currently enrolled students. That would mean that on a nightly basis a program would need to go out and compare the list of AD users in the computer lab OU with our in-house database and delete any accounts that exist in AD from users that are no longer enrolled. This will most likely be a batch program that will go out and query the database and respond with LDAP information. Our currently enrolled students at this time can obtain an account on our UNIX server. We are looking to either have a process that would either check to see if they have an account on the UNIX server or to go out and do a direct connection to our registration database.

Is anyone out there doing something similar or have any idea on how we would need to transfer the data to AD? I would greatly appreciate any assistance or guidance that anyone could provide.

Thanks.

--
Joanna ;-)
It doesn't matter what others think as long as you know the truth.
Joanna C. Days
Network Support Engineer
Information Technology
-JCD-
[EMAIL PROTECTED]
[ActiveDir] Directory Experts Conference - Running Active Directory Like YourNetwork Depends On It (May 19th-21st)
NetPro is hosting a conference in Scottsdale, AZ for experienced Active Directory administrators and architects, May 19th-21st. Microsoft and NetPro are sponsoring. It is intended to be an open exchange of experiences with Active Directory, so the more companies that attend, the bigger pool of experiences we have to share. More information available at:
http://www.netpro.com/welcome/directoryexperts

Robbie Allen
RE: [ActiveDir] List all Dc's in a site
When is there anything but DCs defined under a site (i.e. server object)?

-----Original Message-----
From: Steve Judd [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 19, 2001 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List all Dc's in a site

Do a subtree search of the DS in the site of interest for NTDS-Settings objects. The parent of each object returned is a Server object for a DC. You can use any of several query APIs to do the search and enumerate the results. I favor IDirectorySearch.

-s

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deepa Kumthekar
Sent: Tuesday, June 19, 2001 5:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] List all Dc's in a site

Hi,

Is there any API to find all domain controllers in a site? I know one which lists all servers, 'DsListServersInSite', but I don't want all servers, I want only DCs.

Thanks,
Deepa
RE: [ActiveDir] List all Dc's in a site
So when/why would that ever happen?

-----Original Message-----
From: Steve Judd [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] List all Dc's in a site

Nothing stops you from creating server objects in a site, and there is no guarantee that the server objects found in a Site container represent DCs.
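Steve's point, that a server object under CN=Servers is only a DC if it owns an NTDS Settings (nTDSDSA) child, is easy to get wrong when working from the returned DNs, because "the parent" is not simply everything after the first comma once a CN contains an escaped comma. The Python below is an added example, not code from the thread: it splits DNs while honouring backslash escapes, derives the server object from each nTDSDSA entry, and contrasts the naive server-object listing with the nTDSDSA-based one over a constructed set of configuration-partition entries. The site and server names are assumptions.

```python
def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash escapes intact so an
    escaped comma inside a CN does not start a new component."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escape pair: copy both characters
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def rdn_value(dn):
    return split_dn(dn)[0].split("=", 1)[1]


def _same_dn(a, b):
    """DN comparison component by component, case-insensitive."""
    return [r.lower() for r in split_dn(a)] == [r.lower() for r in split_dn(b)]


def ntdsdsa_query(site_dn):
    """The subtree search Steve describes: base is the site's Servers container."""
    return {"base": f"CN=Servers,{site_dn}", "scope": "subtree",
            "filter": "(objectClass=nTDSDSA)"}


def servers_in_site(entries, site_dn):
    """Naive: every server object directly under CN=Servers, hand-made ones included."""
    container = f"CN=Servers,{site_dn}"
    return [rdn_value(e["distinguishedName"]) for e in entries
            if "server" in e["objectClass"]
            and _same_dn(parent_dn(e["distinguishedName"]), container)]


def dcs_in_site(entries, site_dn):
    """Only servers that own an NTDS Settings (nTDSDSA) child are domain controllers."""
    container = f"CN=Servers,{site_dn}"
    dcs = []
    for e in entries:
        if "nTDSDSA" not in e["objectClass"]:
            continue
        server = parent_dn(e["distinguishedName"])       # CN=<server>,CN=Servers,<site>
        if _same_dn(parent_dn(server), container):
            dcs.append(rdn_value(server))
    return dcs


# Constructed configuration-partition entries (assumed names, not a real forest)
SITE = "CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com"
OTHER_SITE = "CN=BRANCH,CN=Sites,CN=Configuration,DC=example,DC=com"
NTDS = ["top", "applicationSettings", "nTDSDSA"]
SAMPLE_ENTRIES = [
    {"distinguishedName": f"CN=DC1,CN=Servers,{SITE}", "objectClass": ["top", "server"]},
    {"distinguishedName": f"CN=NTDS Settings,CN=DC1,CN=Servers,{SITE}", "objectClass": NTDS},
    {"distinguishedName": f"CN=LAB\\, DC2,CN=Servers,{SITE}", "objectClass": ["top", "server"]},
    {"distinguishedName": f"CN=NTDS Settings,CN=LAB\\, DC2,CN=Servers,{SITE}", "objectClass": NTDS},
    # hand-created server object with no NTDS Settings child: not a DC
    {"distinguishedName": f"CN=FILESRV,CN=Servers,{SITE}", "objectClass": ["top", "server"]},
    {"distinguishedName": f"CN=DC3,CN=Servers,{OTHER_SITE}", "objectClass": ["top", "server"]},
    {"distinguishedName": f"CN=NTDS Settings,CN=DC3,CN=Servers,{OTHER_SITE}", "objectClass": NTDS},
]

if __name__ == "__main__":
    print("query:  ", ntdsdsa_query(SITE))
    print("servers:", servers_in_site(SAMPLE_ENTRIES, SITE))
    print("DCs:    ", dcs_in_site(SAMPLE_ENTRIES, SITE))
```

The same distinction matters for security tooling that takes "server objects in a site" as the set of DCs to monitor or to trust: a server object is a plain container that anyone with create rights on the Sites tree can add, whereas the nTDSDSA object is written by the directory itself during promotion.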