Thanks. It took me a bit to get back into
the machine. Here is the log. All users that it failed for (including this one)
are visible in the GAL.
Microsoft
Exchange Mailbox Merge Program, v6.5.7408.1
Start
Very good altho dividing by zero (last step) is not permitted and (as
per the below) causes an issue if permitted.
How about this:
(1-1) + (1-1) + (1-1) + ... = 0
Re-write left hand side by moving brackets one place to the right:
1 (-1+1) (-1+1) ...
Or simplified:
1 + 0 + 0 + ... = 1
So 1 = 0
The hardware consists of Dell PowerEdge's 2650s-2850s. Is there a way to
disable the hyperthreading? I guess I will check for the kb article Mark
mentioned, unless someone knows.
Nathaniel V Bahta
Sr. Systems Administrator
General Dynamics Information Technology
(937)257-4757
Is there a way to tell if a user account has been deleted?
Thanks,
Chris
Yes,
In the BIOS, I always turn it off when using ESX server, can't recall the exact
path though.
Mark
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
-Original Message-
From: Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Date: Fri, 6 Oct 2006
Chris Pohlschneider wrote:
Is there a way to tell if a user account has been deleted?
Active Directory Users computers, ADSIEDit.exe, ldp.exe, adfind.exe -
couple more. Repadmin.exe also can be used.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
joe's absolutely right. What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment. But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of
by, you really cannot find it anymore when querying AD
;-)
jorge
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
PohlschneiderSent: Friday, October 06, 2006 14:34To:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account
deletion
Is
Easy question for the group -
I have a forest rood domain: msroot.company
I have a domain: company.com
We use BIND. My question: do I need an allow-update entry for both zones
or just the forest root zone for proper dynamic update operation?
Thanks in advance,
James
List info :
allow-update needs to be configured per zone, so if you want dynamic
updates to occur in both domains you'll need the allow-update entry in the
zones representing each domain.
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006
I believe that that would be a BIND specific situation and allow-update or
update-policy can be used, but both directives are per zone.
If you have two AD Domains that you want to enable dynamic update on, then
yes.
But using BIND for AD in all honesty is quite painful. But if you must
Thanks for the replies - I think I have to revise my question.
Upon DC promotion - does the DC need to dynamically update the forest root
and the domain the DC is in?
(e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to
both company.com AND msroot.company (the forest root
Is there a tool or utility out there that I can find out
who/what/when has been eating up disk space on the server? I would like to see
who is hogging up space with a parameter of by date.
Thank you.
Steve Comeau
IT Manager
Rutgers
Athletics
83
Rockefeller Road
Piscataway,
NJ
Just to cover some things:GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to
No,I'm gettingthem, but lately it seems
that messages are taking an inordinate amount of time to go
through.
We have R2 on some of our file servers...
unfortunately, this one doesn't have it.
I think that - for the time being - I will remove
the files and turn on auditing for the folders
Windows 2003 R2 has some great features in the FSM
tool. For your needs, the Storage Reports would be perfect.
If you don't have R2 on the server, you can use a
utility I have used in the past that works pretty well: TreeSize by JAM
Software. It's free and works really well.
-
I've used/liked FolderSizes (www.foldersizes.com)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday, October 06, 2006 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs
Is there a tool or utility out
Minor nit below. Otherwise, spot on
observations.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
HargravesSent: Friday, October 06, 2006 7:56 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Assign User
rights overs computers with AD
Just to cover some
Try treesize pro Last time I checked there was a trial license
http://www.jam-software.com/treesize/
-Original Message-
From: Steve Comeau [mailto:[EMAIL PROTECTED]
Sent: 06 October 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs
Is there a tool or
You are definitely funny Brett, some would just argue whether it is in the
ways you think. =)
I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in
fact. But with the crazy that can only be Brett hairdo, not the big boy
hairdo. ;o)
I do kind of agree with Tony though,
>From Microsoft's website: Event ID: 630 Type: Success AuditDescription: User Account Deleted: Target Account Name: %1Target Domain: %2 Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, mattering on your environment (or impossible, if your event logs roll over frequently and you don't save them off
I will be out of the office starting 10/06/2006 and will not return until 10/10/2006.
I will respond to your message when I return.
==
This communication, together with any attachments hereto or links contained herein,
http://www.jam-software.com/freeware/index.shtml
treesize free I've used quite a bit but it doesn't exactly have a by date. They
have a pay product that may be able to do what you want.
Kurt
From: [EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday,
The DC in the child domain needs to update the dns zone that represents it's
domain. It also needs to update the _msdcs.root domain zone. The
_msdcs.root domain zone contains records for the GC's and the CNAME
records that are used for replication.
Hope that helps.
- Original Message
You either need to allow the dynamic updates or create the DC's records
manually. Do the records need to be created in the zones for the server to
be reachable? Yes. Do you have to allow dynamic updates in order to create
them? No. One way or another, however, you need to get the records created,
ShowSize works for us http://showsize.com/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Darren Mar-Elia
Sent: Friday, October 06, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disk Space Hogs
I've used/liked
Hi
I was trying to use AdMod to change the distinguished name
of one of our users. (A new tech entered the name incorrectly and email, etc
has already started to flow to the account.) AdMod returns an error. Is this
possible? What is the syntax I would use?
Thanks.
-- nme
P.S.
Very much - thanks everyone.
James Masters
Systems Architecture and Engineering
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of itgeek
Sent: Friday, October 06, 2006 12:00 PM
To:
http://research.microsoft.com/programs/up_content/bind.doc might be of use.On 10/6/06,
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Easy question for the group -I have a forest rood domain: msroot.companyI have a domain: company.comWe use BIND. My question: do I need an allow-update entry for both
For the BrettSh T-Shirt, my vote is for the line to be split
BrettSh T-
Shirt
It's similar to the signs in the UK for leasing buildings -
TO LET
They are just missing an i.
I think Dean and Paul W know what I'm talking about
:-)
Rich
Yeah, I guess it's one of those If you don't need it, get rid of it things for me.Not going to use it? Just disable it and get rid of the excuse for some half-informed admin from going in and putting settings on there (we all know who they are and probably were him at some point in time, I'm sure
Boy, Al, Id dearly *love* to step away from the
keyboard, keep your hands where we can see em! but I am the
monkey in charge of doing this.
Problem was (is?), I stupidly shut down
the FTPSERVER without seeing if it was a time server, the OU master, the AD
controller, and/or the PDC.
Thank everyone for their help. The problem
seems to be that users need read permissions to the root home folders directory
as just giving them traverse/read folder contents was not enough. This is not
such a big deal I guess because thanks to ws2k3 sp1s new access-based
enumeration
Does anyone know if it's possible to set Directory ACLs using an LDIF?
I'm trying to enforce a process for setting ACLs that is similar to the
process we have for making Schema extensions.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List
Glad you're able to retain a sense of humor. That's important too. :)
You're in good shape if AD and DNS is working fine or at least as expected. You can find out if the old FTP server held any roles etc and clean up based on that.
I don't have the links handy, but you'll want to check for the
There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it.
You'd be better off using a different tool in my opinion.
Al
On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:
Does anyone know if it's possible to
I think you could but it would be non-trivial, I agree with
Al, use a different tool. dsacls or scripting is the
"standard".
Theoretically, and Dmitri or Eric can correct me if I am
off, you could create yourSecurity Descriptorin SDDL format, convert
that to the binary form, then mime
Hey Noah,
To change the distinguished name, that is a special process
called a rename. You don't update the attribute directly. You handle that
through the -rename switch. If you are doing that and it isn't working, enable
the -exterr switch and post the full error.
On the forum, yeah
Ouch that does sound like a lot of
trouble. And once the binary string is in the LDIF admins wont be able
to tell what the string is doing.
Sounds like dsacls is the way to go.
Thanks for the info
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent:
You mean the people on this thread are
less than honest?? ;P
Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday,
Yeah next they'll be SBS servers being installed there.
(For some of us having our DCs do other things doesn't freak us out as
much as it does you big serverland guys)
Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck
are they thinking, making DCs
Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard. I'm watching them,
they're golden. (Thanks, Susan - we think alike.)
(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more. Don'
Yeah, Joes correct, dsacls or scripting is your best bet.
SDDL+encoding is also possible, but it would replace the whole SD value, which
is rarely what you really want. Usually you just need to add or remove an ACE,
right? This would require reading the old value, which is not possible
It's not speed or resources that scare most of us when it comes to
sharing DC space with other apps, it's security. With SBS Microsoft has
(at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he
inadvertently put
Granted external FTP isn't one that SBSers recommend either and we're
freaking out going WHAT ARE YOU THINKING? as well.
As we say down here we don't get hacked... we get stupid.
Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to
sharing DC space
I'd love to see something like that as a constructed read/write attribute if
it could ever be made to happen. You could also blow apart the fields in
the SD into separate attributes to make the semantics more clear.
Joe
- Original Message -
From: Dmitri Gavrilov
To:
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)
Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not.SBS exists because it makes more economic sense
48 matches
Mail list logo