RE: [ActiveDir] OT: ExMerge works for some, not others

2006-10-06 Thread Noah Eiger

Thanks. It took me a bit to get back into the machine. Here is the log. All users that it failed for (including this one) are visible in the GAL.

Microsoft Exchange Mailbox Merge Program, v6.5.7408.1
Start Logging:October 04, 2006 16:49:06

[16:49:06] Logging Level: None
[16:49:06] Reading settings from file 'C:\Program Files\Exchsrvr\bin\EXMERGE.INI'.
[16:49:06] Reading list of subjects for messages to be selected from file ''
[16:49:06] Reading list of attachment names for messages to be selected from file ''
[16:49:06] List of folders to be ignored has been read. 0 folders in the list.
[16:49:06] Current machine locale ID is 0x409
[16:49:06] Operating System Version 5.2 (Build 3790)
[16:49:23] Error 8007203a opening an LDAP connection. ('LDAP://ASBHY/rootDSE') (CADRoutines::GetNamingContextData)
[16:49:23] Accessing Domain Controller 'SERVER1'
[16:49:33] 'SERVER1' is running Exchange Server 2000 or later
[16:49:33] Mailbox '/o=MYCORP/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVER1/cn=Microsoft System Attendant' will be ignored as its DN contains strings in the ignore list
[16:49:33] Mailbox '/o=MYCORP/ou=First Administrative Group/cn=Configuration/cn=Connections/cn=SMTP (SERVER1)/cn={219BB505-57BB-4D8D-BE30-0279D3B3A0E7}' will be ignored as its DN contains strings in the ignore list
[16:49:33] Mailbox '/o=MYCORP/ou=First Administrative Group/cn=Recipients/cn=SystemMailbox{219BB505-57BB-4D8D-BE30-0279D3B3A0E7}' will be ignored as its DN contains strings in the ignore list
[16:49:33] Found 26 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE (SERVER1)'.
[16:49:33] Ignored 3 mailbox(es) homed on database 'FIRST STORAGE GROUP/MAILBOX STORE (SERVER1)'.
[16:49:33] Found 26 mailbox(es) homed on the specified databases.
[16:49:33] Ignored 3 mailbox(es) homed on the specified databases.
[16:49:46] Using attribute 'PR_MESSAGE_DELIVERY_TIME' for date operations.
[16:49:46] Merging data into target store. The program will copy only those messages that do not exist in the target store.
[16:49:46] Associated folder data will NOT be copied to the target store.
[16:49:46] Using 'English (US)' (0x409) as the default locale (Code page 1252)
[16:49:46] All mailboxes will be processed, regardless of locale
[16:49:46] Using default locale for all mailboxes
[16:49:46] Initializing worker thread (Thread0)
[16:49:46] Copying data from mailbox 'John Randall' ('JRANDALL') on Server 'SERVER1' to file 'C:\ARCHIVED EMAIL\JRANDALL.PST'.
[16:49:46] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
[16:49:46] Errors encountered. Copy process aborted for mailbox 'John Randall' ('JRANDALL').
[16:49:46] Number of items copied from the source store for all mailboxes processed: 0
[16:49:46] Total number of folders processed in the source store: 0
[16:49:46] 0 mailboxes successfully processed. 1 mailboxes were not successfully processed. 0 non-fatal errors encountered.
[16:49:46] Process completion time: 00:00:00

From: Ramon Linan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 6:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: ExMerge works for some, not others

Can you post the error?

Make sure those users are not hidden in the GAL, if you hide them it will not work.

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 04, 2006 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: ExMerge works for some, not others

Hello:

Sorry for the OT. ExMerge is giving me heartburn.

I have a small Exchange install where all the tools (and everything else) are on the DC. (Yes, if they had thought about it earlier, it would be SBS -- but it is not.)

I am trying to run ExMerge to pull out PST files. The user running ExMerge is Domain Admin, Enterprise Admin, and Domain User. I believe all of those groups are denied Send As and Receive As. At least, Receive As is required to run ExMerge. Yet, despite that, I am able to run ExMerge against about half of the users. The other half cough up permission errors in the log.

One additional factor: all of the problem users were disabled within AD. I re-enabled the accounts for this purpose.

Any thoughts about what is going on here? Why some work and some don't?

Thanks.

- nme

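An added check, not part of the thread or of ExMerge itself: it pulls the aliases that ExMerge aborted out of the log and looks each one up in AD for the two conditions raised above (hidden from the GAL, account disabled). The log path is an assumption, and the embedded sample lines are constructed in the format of the log posted above.

```powershell
# Added example; not from the thread or from ExMerge.
# Parses the "Copy process aborted for mailbox" lines out of an ExMerge log and checks
# each alias in AD for the two explanations offered in the thread: mailbox hidden from
# the GAL, or account disabled. Assumptions: the log path below (assumed default), and
# that the script runs as a user able to read user objects in the domain.
# The Receive As deny on the admin groups that the OP mentions is NOT checked here;
# that lives in the mailbox store ACL, not on the user object.
param([string]$LogPath = "C:\Program Files\Exchsrvr\bin\ExMerge.log")

# Constructed sample in the same format as the posted log; used when the real log is absent.
$sampleLog = @"
[16:49:46] Copying data from mailbox 'John Randall' ('JRANDALL') on Server 'SERVER1' to file 'C:\ARCHIVED EMAIL\JRANDALL.PST'.
[16:49:46] Error opening message store (MSEMS). Verify that the Microsoft Exchange Information Store service is running and that you have the correct permissions to log on. (0x8004011d)
[16:49:46] Errors encountered. Copy process aborted for mailbox 'John Randall' ('JRANDALL').
[16:49:47] Copying data from mailbox 'Jane Example' ('JEXAMPLE') on Server 'SERVER1' to file 'C:\ARCHIVED EMAIL\JEXAMPLE.PST'.
[16:49:59] Number of items copied from the source store for all mailboxes processed: 412
"@

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sampleLog -split "`r?`n" }

# Walk the log once, remembering the last HRESULT seen so it can be paired with the abort line.
$failed    = @{}
$lastError = $null
foreach ($line in $lines) {
    if ($line -match '\((0x[0-9A-Fa-f]{8})\)\s*$') { $lastError = $Matches[1] }
    if ($line -match "aborted for mailbox '(?<name>[^']+)' \('(?<alias>[^']+)'\)") {
        $failed[$Matches['alias']] = @{ Name = $Matches['name']; Error = $lastError }
        $lastError = $null
    }
}

$ACCOUNTDISABLE = 0x2     # userAccountControl bit
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
[void]$searcher.PropertiesToLoad.AddRange(@('samaccountname','useraccountcontrol','msexchhidefromaddresslists','homemdb'))

foreach ($alias in $failed.Keys) {
    # mailNickname is the Exchange alias that ExMerge prints in parentheses.
    $searcher.Filter = "(&(objectCategory=person)(mailNickname=$alias))"
    $r = $searcher.FindOne()
    if ($r -eq $null) {
        [pscustomobject]@{ Alias=$alias; Name=$failed[$alias].Name; Error=$failed[$alias].Error; Found=$false; Disabled=$null; HiddenFromGAL=$null; HomeMDB=$null }
        continue
    }
    $uac    = [int]$r.Properties['useraccountcontrol'][0]
    $hidden = ($r.Properties['msexchhidefromaddresslists'].Count -gt 0) -and [bool]$r.Properties['msexchhidefromaddresslists'][0]
    [pscustomobject]@{
        Alias         = $alias
        Name          = $failed[$alias].Name
        Error         = $failed[$alias].Error
        Found         = $true
        Disabled      = (($uac -band $ACCOUNTDISABLE) -ne 0)   # Ramon's second suspect: the account is disabled
        HiddenFromGAL = $hidden                                # Ramon's first suspect: hidden from address lists
        HomeMDB       = [string]$r.Properties['homemdb'][0]
    }
}
```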

RE: [ActiveDir] OT: wikis

2006-10-06 Thread neil.ruston
Very good, although dividing by zero (last step) is not permitted and (as
per the below) causes an issue if permitted.

How about this:
(1-1) + (1-1) + (1-1) + ... = 0

Re-write the left hand side by moving brackets one place to the right:
1 + (-1+1) + (-1+1) + ...

Or simplified:
1 + 0 + 0 + ... = 1

So 1 = 0 !


neil
PS Glad to see I managed to get the list talking about stuff other than
IT/Windows/AD/Exch/Jet/ESE...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x             [true for some a's and x's]
a+a = a+x         [add a to both sides]
2a = a+x          [a+a = 2a]
2a-2x = a+x-2x    [subtract 2x from both sides]
2(a-x) = a+x-2x   [2a-2x = 2(a-x)]
2(a-x) = a-x      [x-2x = -x]
2 = 1             [divide both sides by a-x]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or
maybe it was higher throwing a proof up on the board showing that 1 + 1
!= 2 and it wasn't a numerical base trick 

I didn't follow through it, I just closed my eyes and shook my head and
thought forward to my communications class as the sights were easier on
the eyes... 

I still wonder why I went into a field with such a high ratio of men to
women... :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-) 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
 Sent: Thursday, October 05, 2006 11:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: wikis
 
 
  It's funny how we quote wikis as definitive sources of information, 
  when they can be edited by anyone and everyone :)
 
  Who vets the edits and how much does that person know about the 
  subject matter??
 
 Anyone can edit, which is why they are generally correct.  
 When 100,000 people view a record, and 2 people want to change it to 
 be incorrect,
 999,998 will want to correct it.
 
 I wouldn't use a wiki as a great historical or technical source.  But 
 for encyclopedia entries, which give a good summation of a subject, 
 they are great.
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Domain Controller Bare Metal restore

2006-10-06 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA
The hardware consists of Dell PowerEdge's 2650s-2850s.  Is there a way to 
disable the hyperthreading?  I guess I will check for the kb article Mark 
mentioned, unless someone knows. 


Nathaniel V Bahta
Sr. Systems Administrator
General Dynamics Information Technology 
(937)257-4757 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 05, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Bare Metal restore

What brand of hardware is it? Maybe disable it as part of your imaging process 
and enable it when complete?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF 
 NASIC/SCNA
 Sent: Thursday, October 05, 2006 12:23 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain Controller Bare Metal restore
 
 You're exactly right, Mark: hyperthreading is enabled on the hardware 
 that reboots and not enabled on the hardware that does not.  Is there 
 a best practice for a situation like this?
 
 
 Nathaniel V Bahta
 Sr. Systems Administrator
 General Dynamics Information Technology
 (937)257-4757
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Thursday, October 05, 2006 11:33 AM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Domain Controller Bare Metal restore
 
 The constant reboot is often a different HAL, multiproc, singleproc, 
 damn hyperthreading, or ACPI vs. non-ACPI.
 
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596
 
 
 -Original Message-
 From: Mark Parris [EMAIL PROTECTED]
 Date: Thu, 5 Oct 2006 14:30:35
 To:ActiveDir.org ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Domain Controller Bare Metal restore
 
 Look on the Altiris website for Hardware independent installs v2 - you 
 can dissect all the info out of this document.
 
 
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596
 
 
 -Original Message-
 From: Bahta, Nathaniel V CTR USAF NASIC/SCNA
 [EMAIL PROTECTED]
 Date: Thu, 5 Oct 2006 08:35:57
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain Controller Bare Metal restore
 
 That’s what I have been trying to do, but using one image for all of 
 my different hardware types has not worked.  Specifically I can get 
 the image to apply via PXE, but once it boots up to go through the 
 SYSPREP mini-setup, the splash screen appears and it reboots, it just 
 keeps doing that.  The same image works fine on another version of the 
 PowerEdge, but on the other model it just continuously reboots.
 
 
 Nathaniel V Bahta
 Sr. Systems Administrator
 General Dynamics Information Technology
 (937)257-4757
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Thursday, October 05, 2006 8:22 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain Controller Bare Metal restore
 
 PXE Boot into an unattended install?
 
 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
 
 c - 312.731.3132
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir- 
  [EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF 
  NASIC/SCNA
  Sent: Thursday, October 05, 2006 8:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Domain Controller Bare Metal restore
 
  List,
 
  I have been looking at several options to restore a failed DC from
  the ground up.  ADS seems to look promising, but it's hard to get one 
  SYSPREP image for all of my DCs; even though they are all flavors of 
  Dell PowerEdge, it has proven difficult.  Does anyone know of a good 
  solution to restore a DC from the ground up utilizing a network 
  connection, without inserting a disk and going through the steps?
 
  Thanks,
  Nathaniel V Bahta
  Sr. Systems Administrator
  General Dynamics Information Technology
  (937)257-4757
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir- 
  [EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Wednesday, October 04, 2006 3:24 AM
  To: ActiveDir.org
  Subject: Re: [ActiveDir] choose between SOAD and Netpro directory 
  Troubleshooter.
 
  SOAD has a lovely GUI and lots of flashing lights
 
 
  Mark Parris
 
  Base IT Ltd
  Active Directory Consultancy
  Tel +44(0)7801 690596
 
 
  -Original Message-
  From: Yann [EMAIL PROTECTED]
  Date: Tue, 3 Oct 2006 20:11:12
  To:ActiveDir@mail.activedir.org
  Subject: [ActiveDir] choose between SOAD and Netpro directory 
  Troubleshooter.
 
  Hello all,
 
  I don't know if it is the right place.
  I'm about to test 2 AD troubleshooting products and I have to choose 
  one of them to monitor/troubleshoot our AD infrastructure:
  Spotlight on Active Directory (SOAD) and Netpro Active Directory 
  

[ActiveDir] User account deletion

2006-10-06 Thread Chris Pohlschneider

Is there a way to tell if a user account has been deleted?

Thanks,

Chris


Re: [ActiveDir] Domain Controller Bare Metal restore

2006-10-06 Thread Mark Parris
Yes, 

In the BIOS, I always turn it off when using ESX server, can't recall the exact 
path though.

Mark
Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596



Re: [ActiveDir] User account deletion

2006-10-06 Thread Tomasz Onyszko

Chris Pohlschneider wrote:

Is there a way to tell if a user account has been deleted?


Active Directory Users & Computers, ADSIEdit.exe, ldp.exe, adfind.exe - 
a couple more. Repadmin.exe can also be used.


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Discovering LDAPS availability

2006-10-06 Thread David Loder
joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC. 
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.

--- joe [EMAIL PROTECTED] wrote:

 LDAPS records aren't published by DCs, only LDAP
 records. I can assure you
 if it were that easy, David wouldn't have had an
 issue. From what I have
 seen, if a secure LDAP connection is required, the
 internal routines from
 MSFT simply locate a DC and go to the port. If LDAPS
 isn't hot, the
 connection is dropped with server down error.
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, October 05, 2006 6:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Discovering LDAPS
 availability
 
 Couldn't you just query the DNS for the SRV record
 advertising it...
 
 Matt Duguid
 Systems Engineer for Identity Services
 Department of Internal Affairs
 
 Phone: +64 4 4748028 (wellington)
 Mobile: +64 21 1713290
 Fax: +64 4 4748894
 Address: Level 4, 47 Boulcott Street, Wellington CBD
 E-mail: [EMAIL PROTECTED]
 Web: http://www.dia.govt.nz/
 
 
 
 From: David Loder [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 Sent: 06/10/2006 08:56 a.m.
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Discovering LDAPS availability
 
 
 Other than directly testing the 636 port on each DC,
 can anyone suggest a method for an unprivileged
 client to discover whether or not LDAPS should be available
 on a specific DC?
 
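An added example, not from the thread: since DCs do not advertise LDAPS and David does not want to assume every DC enrolled correctly, this probes TCP 636 on every DC in the forest, records whether the TLS handshake completes and whether the presented certificate validates on the client, and reports which DCs are fit to receive a hand-published SRV record. The timeout value is arbitrary; it assumes a forest-joined client with network reach to each DC.

```powershell
# Added example; not from the thread. Verifies LDAPS on every DC before publishing SRV
# records for it. Assumptions: run on a forest member, TCP 636 reachable, $TimeoutMs arbitrary.
param([int]$TimeoutMs = 3000)

function Test-DcLdaps {
    param([string]$DcName)
    $result = [ordered]@{ DC=$DcName; PortOpen=$false; Handshake=$false; ChainErrors=$null; Subject=$null; NotAfter=$null; Detail=$null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so one dead DC does not stall a 300+ DC sweep.
        $ar = $tcp.BeginConnect($DcName, 636, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $result.Detail = 'connect timeout'; return [pscustomobject]$result }
        $tcp.EndConnect($ar)
        $result.PortOpen = $true

        # Record the validation outcome rather than failing on it: we want to see what the DC offers.
        $script:policyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DcName)          # host name check uses the DC FQDN
        $result.Handshake   = $true
        $result.ChainErrors = [string]$script:policyErrors   # 'None' means chain and name validated on this client
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        # Nothing listening, connection reset, or the DC has no usable certificate (the "server down" case joe describes).
        $result.Detail = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    return [pscustomobject]$result
}

# Every DC in every domain of the forest.
$dcs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
       ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }

$report = foreach ($dc in $dcs) { Test-DcLdaps -DcName $dc }
$report | Sort-Object Handshake, DC | Format-Table -AutoSize
# Only DCs with Handshake=True and ChainErrors='None' are candidates for an LDAPS SRV record;
# everything else is a DC whose enrollment still needs a look.
```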


RE: [ActiveDir] User account deletion

2006-10-06 Thread Almeida Pinto, Jorge de



by, you really cannot find it anymore when querying AD 
;-)

jorge

  
  
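An added example, not from the thread, covering both replies above: the tools Tomasz lists all end up doing one of two things, searching for the tombstone AD keeps for tombstoneLifetime days after a delete, or reading the deletion audit event on a DC. This script does both. It assumes rights to read CN=Deleted Objects (Domain Admins by default) and the DC's Security log; the account name is a constructed sample.

```powershell
# Added example; not from the thread. Answers "was this account deleted?" two ways:
# (1) the tombstone search (what ADUC/ldp/adfind do with the Show Deleted Objects control),
# (2) the "User Account Deleted" audit event on a DC.
# Assumptions: rights to read CN=Deleted Objects and the DC Security log; sample name is constructed.
param(
    [string]$SamAccountName   = 'jdoe',                               # constructed sample
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\')       # DC whose Security log to read
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# 1. Tombstone search. A deleted user keeps sAMAccountName, objectSid and objectGUID,
#    is renamed to "<cn>\0ADEL:<guid>" and moved under CN=Deleted Objects.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
$searcher.SearchScope = 'Subtree'
$searcher.Tombstone   = $true     # sends the Show Deleted Objects control (OID 1.2.840.113556.1.4.417)
$searcher.Filter      = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedname','lastknownparent','whenchanged','objectsid'))

$tombstones = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        LastKnownParent   = [string]$r.Properties['lastknownparent'][0]    # OU it was deleted from
        WhenChanged       = $r.Properties['whenchanged'][0]                 # last write = the delete itself
        Sid               = (New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)).Value
    }
}

# How long the tombstone stays findable (Jorge's point): the attribute is absent in forests
# still on the original 60-day default, so fall back to 60 when it is not set.
$dsConfig = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
$lifetime = if ($dsConfig.tombstoneLifetime.Value) { [int]$dsConfig.tombstoneLifetime.Value } else { 60 }

# 2. Audit trail: "User Account Deleted" is event 630 on Windows 2000/2003 DCs and 4726 on 2008 and later.
#    Only present if Account Management auditing was on when the delete happened, and only on the DC that did it.
$events = Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 630, 4726 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match "\b$([regex]::Escape($SamAccountName))\b" } |
          Select-Object TimeGenerated, InstanceId, MachineName

[pscustomobject]@{
    Account           = $SamAccountName
    TombstonesFound   = @($tombstones).Count
    Tombstones        = $tombstones
    TombstoneLifetime = $lifetime
    DeletionEvents    = $events
}
```

Once the tombstone has aged past TombstoneLifetime, only the audit events (or a backup) can still show the deletion.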



[ActiveDir] BIND allow-update

2006-10-06 Thread james . masters
Easy question for the group - 

I have a forest root domain: msroot.company
I have a domain: company.com

We use BIND. My question: do I need an allow-update entry for both zones
or just the forest root zone for proper dynamic update operation?

Thanks in advance,
James


Re: [ActiveDir] BIND allow-update

2006-10-06 Thread itgeek
allow-update needs to be configured per zone, so if you want dynamic 
updates to occur in both domains you'll need the allow-update entry in the 
zones representing each domain.




RE: [ActiveDir] BIND allow-update

2006-10-06 Thread Ansar Mohammed
I believe that would be a BIND specific situation and allow-update or
update-policy can be used, but both directives are per zone. 
If you have two AD domains that you want to enable dynamic update on, then
yes. 

But using BIND for AD in all honesty is quite painful. But if you must:

http://www.linux-mag.com/2001-03/bind_01.html

Then read the Unix Haters Handbook. (Not that I don't like Unix)
http://research.microsoft.com/~daniel/uhh-download.html




RE: [ActiveDir] BIND allow-update

2006-10-06 Thread james . masters
Thanks for the replies - I think I have to revise my question.

Upon DC promotion - does the DC need to dynamically update the forest root
and the domain the DC is in?

(e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to
both company.com AND msroot.company (the forest root domain)?)

Thanks again,
-James



[ActiveDir] Disk Space Utilization

2006-10-06 Thread Steve Comeau

Is there a tool or utility out there that I can find out
who/what/when has been eating up disk space on the server? I would like to see
who is hogging up space with a parameter of by date.

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com









Re: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Matt Hargraves
Just to cover some things:GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa.
This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc) ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback.
As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.
On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:

I know it's over a week since I sent this, but on thinking it's 
probably worth expanding on this. The OU structure is in place to provide two 
functions:-

1) Delegation of management and 
administration.
2) Application of Group Policy 

Now because the OU structure is the ONLY way unless you use 
some added value tool to provide delegated admin, that needs to be the 
Primary driver when designing the OU Structure. 

So if you want different people managing Computer and 
Users, and like me, you like to keep the user and computer policies separate, it 
makes sense to have Computers and Users in separate OU trees. Because you can't 
apply a GPO to the Users and Computers containers it also makes sense not to 
use these OUs.

On the other hand if you have a very devolved management 
structure, and you are happy with devolved management of the users and 
computers, then it might make sense to have an OU tree where the top levels 
represent management units and you store both computers and users in these 
trees.

Personally I don't like this approach, but for some organization 
structures it may be better...

Dave.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: 23 September 2006 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assign User rights overs computers with AD


I usually move them out as 
you can't apply GPO at the computers level...


From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Fri 22/09/2006 22:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Hey Dave. Do you mean separate trees under root computers? Or create 
different OU's for computers?
On 9/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

  Separate Trees? That seems a little excessive. Or are we just mixing terms?

  On 9/21/06, Dave Wade [EMAIL PROTECTED] wrote:

  I prefer to keep them in separate trees. In fact we are just doing that at present...

  From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
  Sent: Thu 21/09/2006 17:50
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Assign User rights overs computers with AD

  Thanks for your help. Really useful. Is it a good practice to move computer objects to OU where the user of the computer resides?

  On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote:

  Alberto,
  Even though we made our users PowerUsers we found that we needed to make a number of tweaks to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to

Re: [ActiveDir] Who keeps creating this folder files?!

2006-10-06 Thread J B



No, I'm getting them, but lately it seems 
that messages are taking an inordinate amount of time to go 
through.

We have R2 on some of our file servers... 
unfortunately, this one doesn't have it.

I think that - for the time being - I will remove 
the files and turn on auditing for the folders that these files keep reappearing 
in... 

I do appreciate all the suggestions and help: 
thanks!

  - Original Message - 
  From: 
  Laura A. Robinson 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, October 05, 2006 4:47 
  PM
  Subject: RE: [ActiveDir] Who keeps 
  creating this folder & files?!
  
  Okay, this is now my third time recommending FSRM in response to this 
  query; are my replies not getting through to the list? *Seriously*, just 
  address the issue by using FSRM and not allowing .mp3 files to be saved 
  on the server in the first place. If anybody complains, you'll have your 
  culprit, to boot. :-)
  
  If 
  the link is needed again, please let me know.
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, October 05, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Who keeps creating this folder & files?!

I was hoping that there was some way to see who 
created it rather than wait until it happened again, or wait until someone 
accessed it...

I'll have to settle for the auditing 
though.

Thanks!

  - Original Message - 
  From: 
  Brian 
  Desmond 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, October 05, 2006 
  11:14 AM
  Subject: RE: [ActiveDir] Who keeps 
  creating this folder & files?!
  
  
  Set 
  some auditing on the folder that this is happening in and watch the 
  security log for the relevant audits…
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c 
  - 312.731.3132
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
  Sent: Thursday, October 05, 2006 12:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Who keeps creating this folder & files?!
  
  
  Argh! On 
  one of our file servers, there is a "public" directory that allows any 
  authenticated user to do anything within it (minus changing 
  permissions). MP3 files and folders appear there every so often and 
  are removed soon thereafter. Is there some way for me to tell who 
  has created these folders and MP3 files?
  
  
  
  Every time I 
  check, no one is currently accessing the files - which would be an easy 
  way for me to 
  know...
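One way to do what Brian suggests, as an added PowerShell example that is not from the thread: put a success-audit (SACL) entry for file and folder creation on the "public" share and then pull the resulting Security-log entries. The folder path is a placeholder, and it assumes the "File System" object-access audit subcategory is enabled for success on the file server.

```powershell
# Added example, not from the thread: audit successful file/folder creation in
# the shared "public" folder and read the resulting Security events back.
# Assumptions: $Folder is a placeholder; the "File System" object-access audit
# subcategory is enabled for success (auditpol /set /subcategory:"File System"
# /success:enable); the query runs on the file server with rights to the log.

function Enable-CreateAuditing {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    $who = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\Authenticated Users')
    # Audit only creation (CreateFiles = WriteData, CreateDirectories = AppendData)
    # and let the entry inherit to everything created beneath the folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $who,
        [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileCreationEvents {
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4663 = "An attempt was made to access an object" (Vista/2008 and later;
    # Windows 2003 logs the older 560 "Object Open" instead).
    # Insertion-string order for 4663: SubjectUserSid(0) SubjectUserName(1)
    # SubjectDomainName(2) SubjectLogonId(3) ObjectServer(4) ObjectType(5)
    # ObjectName(6) HandleId(7) AccessList(8) ...
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
                Object  = $_.Properties[6].Value
                Access  = ($_.Properties[8].Value -replace '\s+', ' ').Trim()
            }
        }
}

$Folder = 'D:\Shares\Public'   # placeholder for the server's "public" share path
Enable-CreateAuditing -Path $Folder
Get-FileCreationEvents -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```

Because the SACL entry inherits, the account that creates the next MP3 or subfolder shows up in the Account column without anyone having to catch the file while it is open.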


Re: [ActiveDir] Disk Space Utilization

2006-10-06 Thread J B



Windows 2003 R2 has some great features in the FSM 
tool. For your needs, the Storage Reports would be perfect.

If you don't have R2 on the server, you can use a 
utility I have used in the past that works pretty well: TreeSize by JAM 
Software. It's free and works really well.

  - Original Message - 
  From: 
  Steve Comeau 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, October 06, 2006 7:46 
  AM
  Subject: [ActiveDir] Disk Space 
  Utilization
  
  
  Is there a tool or utility out 
  there that I can find out who/what/when has been eating up disk space on the 
  server? I would like to see who is hogging up space with a parameter of 
  “by date”.
  
  Thank 
  you.
  
  Steve 
  Comeau
  IT 
  Manager
  Rutgers 
  Athletics
  83 Rockefeller 
  Road
  Piscataway, NJ 08854
  732-445-7802
  732-445-4623 
  (fax)
  www.scarletknights.com
  
  
  
  
  


RE: [ActiveDir] Disk Space Hogs

2006-10-06 Thread Darren Mar-Elia
I've used/liked FolderSizes (www.foldersizes.com)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday, October 06, 2006 8:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs

Is there a tool or utility out there that I can find out who/what/when has
been eating up disk space on the server?  I would like to see who is hogging
up space with a parameter of by date.

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Darren Mar-Elia



Minor nit below. Otherwise, spot on 
observations.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Just to cover some things: GPOs can make adjustments to computer 
*or* user object policies. The only way to override these settings is to 
use the 'loopback processing' option (this can be ugly and I prefer to avoid 
it). If you have computer settings set on a GPO on an OU, it will only 
apply to computer objects within that OU, user settings only apply to users 
within that OU (again, excepting loopback processing within that GPO). 
This is one of the big reasons why people usually only put computer *or* user 
objects within a particular OU. It allows you to disable the portion of 
the GPO that isn't going to get applied to the objects within the OU (disable 
user settings on GPOs for computer OUs - unless you're using loopback processing 
and disable computer settings for GPOs on user OUs). There's really no 
reason to have a computer downloading user settings when it's not necessary and 
vice-versa.
This won't happen regardless. A computer account would never "download" user settings, even if the user side 
of a GPO is enabled. Disabling a GPO side is somewhat meaningless because if the 
side has no policy in it (i.e. its version is 0) then it won't be processed 
anyway. The only time this is useful is if you have settings on a side and you, 
for whatever reason, don't want them to be processed. It's kind of a way of 
blocking settings that would otherwise be applied by disabling them. 
This way, you end up with managing your computer settings 
separately from your user settings. Common computer settings: Disabling 
security-related settings, adjusting auditing (event logs, etc) ACLing 
directories. Common user settings: Setting environmental variables 
(default home page, home directory, application settings like Office settings, 
etc...). Usually the only time you want to put user settings on a computer 
OU (and enable loopback processing) is for kiosk type computers and then you 
probably want to make sure that you do something to make sure that it doesn't 
apply for Administrators. It's usually easier to put these settings on an 
OU for accounts that will be used for that type of workstation though, so you 
don't have to worry about loopback. As many other people stated though, 
trying to restrict administrators on workstations will as often as not end up 
with a series of headaches because of applications that require the user to be a 
local administrator on the computer. Whether this is because of poor 
programming on the part of the application developers or something else, it 
doesn't matter. Unless you know that your users won't need to be local 
admins, you may want to handle this in a very controlled and well tested manner, 
possibly testing all of your applications with a non-admin account before 
pushing this setting out to the users. 
On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:

  I know it's over a week since I sent this, but on thinking it's probably worth expanding on this. 
  The OU structure is in place to provide two functions:-
  
  1) Delegation of 
  management and administration.
  2) Application of 
  Group Policy 
  
  Now because the 
  OU structure is the "ONLY" way unless you use some added value tool to 
  provide delegated admin, that needs to be the "Primary" driver when designing 
  the OU Structure. 
  
  So if you want different people managing Computer and Users, and like me, you 
  like to keep the user and computer policies separate, it makes sense to have 
  Computers and Users in separate OU trees. Because you can't apply a GPO to the 
  "Users" and "Computers" containers it also makes sense not to use these 
  OUs.
  
  On the other hand 
  if you have a very devolved management structure, and you are happy with 
  devolved management of the users and computers, then it might make sense to 
  have an OU tree where the top levels represent management units and you store 
  both computers and users in these trees.
  
  Personally I don't like this approach, but for some organization structures it may 
  be better...
  
  Dave.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
  Sent: 23 September 2006 20:50
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Assign User rights overs computers with AD
  
  
  I usually move them out as 
  you can't apply GPO at the "computers" level...
  
  
  From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
  Sent: Fri 22/09/2006 22:40
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Assign User rights overs computers with AD

  Hey Dave. Do you mean separate trees under root "computers"? Or create different OU's for computers?
  On 9/22/06, Al Mulnick  [EMAIL PROTECTED] 
  wrote: 
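To see Matt's point about disabling the unused side of a GPO and Darren's nit that this only matters when that side actually holds settings, here is an added PowerShell example, not from the thread, that reports each GPO's User and Computer side by version and enabled state. It assumes the RSAT GroupPolicy module and read access to the current domain's GPOs.

```powershell
# Added example, not from the thread: report, for every GPO in the domain,
# whether its User and Computer sides actually contain settings (DSVersion > 0)
# and whether that side has been disabled through GpoStatus. Disabling an
# empty side changes nothing (clients skip a version-0 side anyway), while
# disabling a populated side blocks settings that would otherwise apply.
# Assumptions: RSAT GroupPolicy module installed; read access to the GPOs.
Import-Module GroupPolicy

function Get-GpoSideReport {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: current domain

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # GpoStatus is one of AllSettingsEnabled, UserSettingsDisabled,
        # ComputerSettingsDisabled, AllSettingsDisabled.
        $status = [string]$gpo.GpoStatus
        $sides = @{
            User     = @{ Version  = $gpo.User.DSVersion
                          Disabled = ($status -in 'UserSettingsDisabled', 'AllSettingsDisabled') }
            Computer = @{ Version  = $gpo.Computer.DSVersion
                          Disabled = ($status -in 'ComputerSettingsDisabled', 'AllSettingsDisabled') }
        }
        foreach ($side in 'User', 'Computer') {
            $v = $sides[$side].Version
            $d = $sides[$side].Disabled
            $note = if ($v -eq 0 -and $d) {
                'empty and disabled: disabling is a no-op'
            } elseif ($v -eq 0) {
                'empty: clients skip this side anyway'
            } elseif ($d) {
                'has settings but disabled: settings are blocked'
            } else {
                'has settings and is applied'
            }
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                Side     = $side
                Version  = $v
                Disabled = $d
                Note     = $note
            }
        }
    }
}

Get-GpoSideReport | Sort-Object Gpo, Side | Format-Table -AutoSize
```

Rows marked "has settings but disabled" are the only ones where the disable actually changes what clients receive; the rest are the no-ops Darren describes.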
 

RE: [ActiveDir] Disk Space Hogs

2006-10-06 Thread Mike Guest
Try TreeSize Pro. Last time I checked there was a trial license.

http://www.jam-software.com/treesize/ 

-Original Message-
From: Steve Comeau [mailto:[EMAIL PROTECTED] 
Sent: 06 October 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs

Is there a tool or utility out there that I can find out who/what/when
has been eating up disk space on the server?  I would like to see who is
hogging up space with a parameter of by date.

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com








***
This email is intended only for the addressee named above.  As this email may 
contain confidential or privileged information, if you are not the named 
addressee or receive this message in error, please notify us immediately, 
delete it and do not make use of or copy it.

This message is protected by copyright.  HML accepts no responsibility for 
viruses found in this message or any file attachment.

Homeloan Management Limited
Registered in England No. 2214839
1 Providence Place, Skipton, North Yorkshire BD23 2HL





RE: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-06 Thread joe
You are definitely funny Brett, some would just argue whether it is in the
ways you think. =) 

I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in
fact. But with the crazy that can only be Brett hairdo, not the big boy
hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks
with specific agreements with MSFT to bail you out in the event of a nasty
fire, you probably shouldn't be installing heavily AD integrated beta
products into your production forest. I would assume that
ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT
have the necessary support agreements in place. :) Plus they have Brian, not
much he isn't going to be able to fix by himself I think. 

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...


On Thu, 5 Oct 2006, Tony Murray wrote:

 Hi all
 
 There are apparently schema changes post Beta 2 - just in case anyone was
considering pre-loading the schema changes into production [1].
 
 I don't have any further details on what the changes are.
 
 Tony
 
 [1] Which of course you wouldn't contemplate with a Beta product :-) 
 
 
 
 
 
 Sent via the WebMail system at mail.activedir.org
 
 
  

 




Re: [ActiveDir] User account deletion

2006-10-06 Thread Matt Hargraves
From Microsoft's website:

  Event ID: 630
  Type: Success Audit
  Description: User Account Deleted:
    Target Account Name: %1
    Target Domain: %2
    Target Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6
    Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

by, you really cannot find it anymore when querying AD 
;-)

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
  Sent: Friday, October 06, 2006 14:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] User account deletion
  
  
  Is there a way to tell if a user 
  account has been deleted?
  
  
  
  Thanks,
  
  
  Chris
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

Re: [ActiveDir] User account deletion

2006-10-06 Thread Matt Hargraves
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account; it won't show up on all DCs, so this could be a relatively daunting task, depending on your environment (or impossible, if your event logs roll over frequently and you don't save them off to another server or have software that saves them).
On 10/6/06, Matt Hargraves [EMAIL PROTECTED] wrote:
From Microsoft's website:

  Event ID: 630
  Type: Success Audit
  Description: User Account Deleted:
    Target Account Name: %1
    Target Domain: %2
    Target Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6
    Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

by, you really cannot find it anymore when querying AD 
;-)

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
  Sent: Friday, October 06, 2006 14:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] User account deletion
  
  
  Is there a way to tell if a user 
  account has been deleted?
  
  
  
  Thanks,
  
  
  Chris
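Since, as Matt notes, the 630 audit lands only on the DC that handled the deletion, here is an added PowerShell example, not from the thread, that sweeps every DC's Security log for 630 and for 4726 (the Windows 2008 and later equivalent) and reports who deleted which account and on which DC. It assumes the RSAT ActiveDirectory module, DCs that accept remote Get-WinEvent queries (Windows 2008 or later), and log retention that still covers the window.

```powershell
# Added example, not from the thread: the deletion audit Matt quotes is written
# only on the DC that serviced the request, so query every DC and merge the
# results. Looks for 630 (Windows 2000/2003 layout quoted above) and for 4726,
# its Vista/2008+ equivalent ("A user account was deleted").
# Assumptions: RSAT ActiveDirectory module; the DCs accept remote Get-WinEvent
# queries (Windows 2008 or later); Security-log retention still covers $Since.
Import-Module ActiveDirectory

function Find-AccountDeletions {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$TargetAccount = '*'   # sAMAccountName wildcard to narrow the search
    )
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = 630, 4726; StartTime = $Since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($e.Id -eq 4726) {
                # 4726 insertion strings: TargetUserName(0) TargetDomainName(1) TargetSid(2)
                # SubjectUserSid(3) SubjectUserName(4) SubjectDomainName(5) SubjectLogonId(6)
                $target = $e.Properties[0].Value; $targetDom = $e.Properties[1].Value
                $caller = $e.Properties[4].Value; $callerDom = $e.Properties[5].Value
            } else {
                # 630 uses the %1..%7 layout quoted above: target name/domain/id,
                # then caller name/domain/logon id, then privileges.
                $target = $e.Properties[0].Value; $targetDom = $e.Properties[1].Value
                $caller = $e.Properties[3].Value; $callerDom = $e.Properties[4].Value
            }
            if ($target -like $TargetAccount) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    DC      = $dc
                    EventId = $e.Id
                    Deleted = "$targetDom\$target"
                    By      = "$callerDom\$caller"
                }
            }
        }
    }
}

# Pull the last 30 days from all DCs, oldest first.
Find-AccountDeletions -Since (Get-Date).AddDays(-30) | Sort-Object Time | Format-Table -AutoSize
```

A DC that returns nothing may simply have rolled its log over, which is the retention problem Matt raises; forwarding Security logs to a collector removes that gap.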


[ActiveDir] Maurice McNeill is out of the office.

2006-10-06 Thread Maurice McNeill

I will be out of the office starting  10/06/2006 and will not return until 10/10/2006.

I will respond to your message when I return.
==
This communication, together with any attachments hereto or links contained herein, is for the sole use of the intended recipient(s) and may contain information that is confidential or legally protected. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, dissemination, distribution or use of this communication is STRICTLY PROHIBITED.  If you have received this communication in error, please notify the sender immediately by return e-mail message and delete the original and all copies of the communication, along with any attachments hereto or links herein, from your system.

==
The St. Paul Travelers e-mail system made this annotation on 10/06/06, 11:55:48.



RE: [ActiveDir] Disk Space Hogs

2006-10-06 Thread Kurt Falde
http://www.jam-software.com/freeware/index.shtml
TreeSize Free I've used quite a bit, but it doesn't exactly have a by-date option. They 
have a pay product that may be able to do what you want.

Kurt


From: [EMAIL PROTECTED] On Behalf Of Steve Comeau
Sent: Friday, October 06, 2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disk Space Hogs

Is there a tool or utility out there that I can find out who/what/when
has been eating up disk space on the server?  I would like to see who is
hogging up space with a parameter of by date.

Thank you.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com






Re: [ActiveDir] BIND allow-update

2006-10-06 Thread itgeek
The DC in the child domain needs to update the DNS zone that represents its 
domain. It also needs to update the _msdcs.root domain zone. The 
_msdcs.root domain zone contains records for the GCs and the CNAME 
records that are used for replication.


Hope that helps.

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 3:45 PM
Subject: RE: [ActiveDir] BIND allow-update



Thanks for the replies - I think I have to revise my question.

Upon DC promotion - does the DC need to dynamically update the forest root
and the domain the DC is in?

(e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to
both company.com AND msroot.company (the forest root domain)?

Thanks again,
-James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ansar Mohammed
Sent: Friday, October 06, 2006 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BIND allow-update

I believe that that would be a BIND specific situation and allow-update or
update-policy can be used, but both directives are per zone.
If you have two AD Domains that you want to enable dynamic update on, then
yes.

But using BIND for AD in all honesty is quite painful. But if you must

http://www.linux-mag.com/2001-03/bind_01.html

Then read the unix haters handbook. (Not that I don't like Unix)
http://research.microsoft.com/~daniel/uhh-download.html



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: October 6, 2006 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND allow-update

Easy question for the group -

I have a forest root domain: msroot.company
I have a domain: company.com

We use BIND. My question: do I need an allow-update entry for both zones
or just the forest root zone for proper dynamic update operation?

Thanks in advance,
James







RE: [ActiveDir] BIND allow-update

2006-10-06 Thread Laura A. Robinson
You either need to allow the dynamic updates or create the DC's records
manually. Do the records need to be created in the zones for the server to
be reachable? Yes. Do you have to allow dynamic updates in order to create
them? No. One way or another, however, you need to get the records created,
and dynamic updates are easier than typing GUIDs. :-)

As far as what the records that need to be created *are*, and for
information on how to create them manually:

http://technet2.microsoft.com/WindowsServer/en/library/b6879c0b-cff7-438d-a7
f3-0715456dcefb1033.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/ac
tivedirectory/maintain/opsguide/part1/adogd10.mspx

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, October 06, 2006 10:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] BIND allow-update
 
 Thanks for the replies - I think I have to revise my question.
 
 Upon DC promotion - does the DC need to dynamically update 
 the forest root and the domain the DC is in?
 
 (e.g. I'm promoting a DC for company.com, does the DC need to 
 do DDNS to both company.com AND msroot.company (the forest 
 root domain)?
 
 Thanks again,
 -James
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Ansar Mohammed
 Sent: Friday, October 06, 2006 10:30 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] BIND allow-update
 
 I believe that that would be a BIND specific situation and 
 allow-update or update-policy can be used, but both 
 directives are per zone. 
 If you have two AD Domains that you want to enable dynamic 
 update on, then yes. 
 
 But using BIND for AD in all honesty is quite painful. But if you must
 
 http://www.linux-mag.com/2001-03/bind_01.html
 
 Then read the unix haters handbook. (Not that I don't like 
 Unix) http://research.microsoft.com/~daniel/uhh-download.html
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir- 
  [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: October 6, 2006 9:01 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] BIND allow-update
  
  Easy question for the group -
  
  I have a forest root domain: msroot.company
  I have a domain: company.com
  
  We use BIND. My question: do I need an allow-update entry for both
 zones
  or just the forest root zone for proper dynamic update operation?
  
  Thanks in advance,
  James
 
 

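For the layout James describes (forest root msroot.company, child domain company.com), and following itgeek's point that the child DC must register into both its own zone and the forest's _msdcs zone, here is an added named.conf fragment that is not from the thread. It shows the permissive setting beside a restricted one; the DC addresses and zone file names are placeholders.

```conf
// Added example, not from the thread. Forest root: msroot.company; child
// domain: company.com (as in James's question). DC addresses and zone
// file names are placeholders.
acl "ad-dcs" { 10.0.1.10; 10.0.1.11; 10.0.2.10; };

// Permissive form: any host that can reach the server may add or delete
// records, so one compromised workstation could rewrite the forest's
// SRV and GC records. Shown for contrast only.
// zone "company.com" { type master; file "company.com.db"; allow-update { any; }; };

// Forest-root zone: root-domain DCs register their own A and SRV records here.
zone "msroot.company" {
    type master;
    file "msroot.company.db";
    allow-update { ad-dcs; };
};

// _msdcs.<forest root> holds the gc._msdcs SRV records and the DSA-GUID
// CNAMEs that every DC in the forest registers (child-domain DCs included),
// so it must accept updates from those DCs as well. Because it is a separate
// zone here, msroot.company.db must carry the NS delegation for _msdcs.
zone "_msdcs.msroot.company" {
    type master;
    file "_msdcs.msroot.company.db";
    allow-update { ad-dcs; };
};

// Child-domain zone: its DCs register the domain's SRV and A records.
zone "company.com" {
    type master;
    file "company.com.db";
    allow-update { ad-dcs; };
};

// allow-update trusts source addresses only; update-policy with TSIG or
// GSS-TSIG keys is the stronger per-zone alternative Ansar mentions.
```

If _msdcs is kept inside the msroot.company zone instead of being split out, the allow-update on msroot.company alone covers it, which is the "just the forest root zone" case James asked about.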


RE: [ActiveDir] Disk Space Hogs

2006-10-06 Thread Larry Wahlers
ShowSize works for us http://showsize.com/

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren Mar-Elia
 Sent: Friday, October 06, 2006 10:26 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Disk Space Hogs
 
 I've used/liked FolderSizes (www.foldersizes.com)
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve Comeau
 Sent: Friday, October 06, 2006 8:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Disk Space Hogs
 
 Is there a tool or utility out there that I can find out 
 who/what/when has
 been eating up disk space on the server?  I would like to see 
 who is hogging
 up space with a parameter of by date.
 
 Thank you.
 
 Steve Comeau
 IT Manager
 Rutgers Athletics
 83 Rockefeller Road
 Piscataway, NJ  08854
 732-445-7802
 732-445-4623 (fax)
 www.scarletknights.com
 
 
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Changing the distinguishedName with AdMod

2006-10-06 Thread Noah Eiger

Hi

I was trying to use AdMod to change the distinguished name
of one of our users. (A new tech entered the name incorrectly and email, etc.
has already started to flow to the account.) AdMod returns an error. Is this
possible? What is the syntax I would use?

Thanks.

-- nme

P.S. Joe, I tried to register for the support forum at your
site and never received the confirmation email.



RE: [ActiveDir] BIND allow-update

2006-10-06 Thread james . masters
Very much - thanks everyone.

James Masters
Systems Architecture and Engineering
The Kroger Co.
(859) 363-2346 - Desk
(859) 653-8644 - Cell 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of itgeek
Sent: Friday, October 06, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] BIND allow-update

The DC in the child domain needs to update the DNS zone that represents its
domain. It also needs to update the _msdcs.root domain zone. The
_msdcs.root domain zone contains records for the GCs and the CNAME
records that are used for replication.

Hope that helps.

- Original Message - 
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 3:45 PM
Subject: RE: [ActiveDir] BIND allow-update


 Thanks for the replies - I think I have to revise my question.

 Upon DC promotion - does the DC need to dynamically update the forest root
 and the domain the DC is in?

 (e.g. I'm promoting a DC for company.com, does the DC need to do DDNS to
 both company.com AND msroot.company (the forest root domain)?)

 Thanks again,
 -James

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ansar Mohammed
 Sent: Friday, October 06, 2006 10:30 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] BIND allow-update

 I believe that that would be a BIND specific situation and allow-update or
 update-policy can be used, but both directives are per zone.
 If you have two AD Domains that you want to enable dynamic update on, then
 yes.

 But using BIND for AD in all honesty is quite painful. But if you must:

 http://www.linux-mag.com/2001-03/bind_01.html

 Then read the unix haters handbook. (Not that I don't like Unix)
 http://research.microsoft.com/~daniel/uhh-download.html


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: October 6, 2006 9:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] BIND allow-update

 Easy question for the group -

 I have a forest root domain: msroot.company
 I have a domain: company.com

 We use BIND. My question: do I need an allow-update entry for both
 zones
 or just the forest root zone for proper dynamic update operation?

 Thanks in advance,
 James

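Putting itgeek's answer into named.conf terms, as an added example that is not part of the thread: a DC for company.com has to be allowed to update two zones, its own and the forest-wide _msdcs zone under the root domain msroot.company, and because allow-update and update-policy are per zone, each zone needs its own statement. Addresses, ACL names and file names below are constructed placeholders.

```conf
// Added example, not from the thread. Addresses are constructed placeholders.
acl "dc-company-com" { 10.1.0.10; 10.1.0.11; };   // DCs of company.com
acl "dc-forest-root" { 10.0.0.10; 10.0.0.11; };   // DCs of msroot.company

// Weak form, shown for contrast: any host that can reach the server may
// overwrite the SRV and A records clients use to locate a domain controller.
// zone "company.com" { type master; file "company.com.db"; allow-update { any; }; };

zone "company.com" {
    type master;
    file "company.com.db";
    // the company.com DCs register their own A and SRV records here
    allow-update { dc-company-com; };
};

zone "_msdcs.msroot.company" {
    type master;
    file "_msdcs.msroot.company.db";
    // every DC in the forest registers GC SRV records and its
    // <DSA GUID>._msdcs CNAME here, so DCs of both domains need access
    allow-update { dc-company-com; dc-forest-root; };
};

// The msroot.company zone itself needs an equivalent statement for the root DCs.
```

An address-based allow-update is only as strong as the network's protection against spoofed source addresses; the any; form, which is what people reach for when dynamic updates fail, lets any host on the network rewrite the records that clients use to find a domain controller. Where the BIND version in use supports it, update-policy with GSS-TSIG authenticates the DC's machine account instead of its address.
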

Re: [ActiveDir] BIND allow-update

2006-10-06 Thread Matheesha Weerasinghe
http://research.microsoft.com/programs/up_content/bind.doc might be of use.

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Easy question for the group -

 I have a forest root domain: msroot.company
 I have a domain: company.com

 We use BIND. My question: do I need an allow-update entry for both zones
 or just the forest root zone for proper dynamic update operation?

 Thanks in advance,
 James



RE: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-06 Thread Rich Milburn
For the BrettSh T-Shirt, my vote is for the line to be split

BrettSh T-
Shirt

It's similar to the signs in the UK for leasing buildings - 
TO LET
They are just missing an i.  

I think Dean and Paul W know what I'm talking about

:-)
Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

You are definitely funny Brett, some would just argue whether it is in the
ways you think. =)

I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in
fact. But with the crazy that can only be Brett hairdo, not the big boy
hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks
with specific agreements with MSFT to bail you out in the event of a nasty
fire, you probably shouldn't be installing heavily AD integrated beta
products into your production forest. I would assume that
ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT
have the necessary support agreements in place. :) Plus they have Brian, not
much he isn't going to be able to fix by himself I think.

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not
...


On Thu, 5 Oct 2006, Tony Murray wrote:

 Hi all
 
 There are apparently schema changes post Beta 2 - just in case anyone was
 considering pre-loading the schema changes into production [1].
 
 I don't have any further details on what the changes are.
 
 Tony
 
 [1] Which of course you wouldn't contemplate with a Beta product :-) 
 
 
 
 
 
 Sent via the WebMail system at mail.activedir.org
 
 
  



Re: [ActiveDir] Assign User rights overs computers with AD

2006-10-06 Thread Matt Hargraves
Yeah, I guess it's one of those "If you don't need it, get rid of it" things for me.

Not going to use it? Just disable it and get rid of the excuse for some half-informed admin from going in and putting settings on there (we all know who they are and probably were him at some point in time, I'm sure I was ;) )
On 10/6/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:





Minor nit below. Otherwise, spot on 
observations.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Just to cover some things:

GPOs can make adjustments to computer *or* user object policies. The only way
to override these settings is to use the 'loopback processing' option (this
can be ugly and I prefer to avoid it). If you have computer settings set on a
GPO on an OU, it will only apply to computer objects within that OU, user
settings only apply to users within that OU (again, excepting loopback
processing within that GPO). This is one of the big reasons why people usually
only put computer *or* user objects within a particular OU. It allows you to
disable the portion of the GPO that isn't going to get applied to the objects
within the OU (disable user settings on GPOs for computer OUs - unless you're
using loopback processing - and disable computer settings for GPOs on user
OUs). There's really no reason to have a computer downloading user settings
when it's not necessary and vice-versa.

[Darren, inline:] This won't happen regardless. A computer account would never
download user settings, even if the user side of a GPO is enabled. Disabling a
GPO side is somewhat meaningless because if the side has no policy in it (i.e.
its version is 0) then it won't be processed anyway. The only time this is
useful is if you have settings on a side and you, for whatever reason, don't
want them to be processed. It's kind of a way of blocking settings that would
otherwise be applied by disabling them.

This way, you end up with managing your computer settings separately from your
user settings. Common computer settings: disabling security-related settings,
adjusting auditing (event logs, etc), ACLing directories. Common user settings:
setting environmental variables (default home page, home directory, application
settings like Office settings, etc...). Usually the only time you want to put
user settings on a computer OU (and enable loopback processing) is for kiosk
type computers and then you probably want to make sure that you do something
to make sure that it doesn't apply for Administrators. It's usually easier to
put these settings on an OU for accounts that will be used for that type of
workstation though, so you don't have to worry about loopback. As many other
people stated though, trying to restrict administrators on workstations will
as often as not end up with a series of headaches because of applications that
require the user to be a local administrator on the computer. Whether this is
because of poor programming on the part of the application developers or
something else, it doesn't matter. Unless you know that your users won't need
to be local admins, you may want to handle this in a very controlled and well
tested manner, possibly testing all of your applications with a non-admin
account before pushing this setting out to the users.

On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:

  
  I know it's over a week since I sent this, but on thinking it's probably
  worth expanding on this. The OU structure is in place to provide two
  functions:-

  1) Delegation of management and administration.
  2) Application of Group Policy

  Now because the OU structure is the ONLY way unless you use some added value
  tool to provide delegated admin, that needs to be the Primary driver when
  designing the OU Structure.

  So if you want different people managing Computers and Users, and like me
  you like to keep the user and computer policies separate, it makes sense to
  have Computers and Users in separate OU trees. Because you can't apply a GPO
  to the Users and Computers containers it also makes sense not to use these
  OUs.

  On the other hand if you have a very devolved management structure, and you
  are happy with devolved management of the users and computers, then it might
  make sense to have an OU tree where the top levels represent management
  units and you store both computers and users in these trees.

  Personally I don't like this approach, but for some organization structures
  it may be better...
  
  Dave.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
  Sent: 23 September 2006 20:50
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Assign User rights overs computers with AD
  
  
  I usually move them out as 
  you can't apply GPO at the computers level...
 
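As an added example (not code from the thread), here is how to see the two per-side facts Darren and Matt are arguing about for every GPO in a domain: whether a side actually carries settings (its version counter is non-zero) and whether that side has been disabled. It reads the groupPolicyContainer objects directly over ADSI; the only assumption is that the host is joined to the domain whose GPOs you want to inspect.

```powershell
# Added example, not from the thread. versionNumber packs the user-side version
# into the high 16 bits and the computer-side version into the low 16 bits;
# in flags, bit 1 means the user side is disabled and bit 2 means the computer
# side is disabled. Plain ADSI, so no GPMC module is needed (PowerShell 2.0+).
# Assumes the host is joined to the domain being inspected.

function Get-GpoSideState {
    param([int]$VersionNumber, [int]$Flags)
    # the attribute is a signed 32-bit integer; widen it before splitting the halves
    $v = [int64]$VersionNumber
    if ($v -lt 0) { $v += 4294967296 }
    $computerVersion = [int]($v -band 0xFFFF)
    $userVersion     = [int][math]::Floor($v / 65536)
    New-Object PSObject -Property @{
        ComputerVersion  = $computerVersion
        UserVersion      = $userVersion
        # version 0 = that side has never been written, so clients skip it anyway
        ComputerHasData  = ($computerVersion -ne 0)
        UserHasData      = ($userVersion -ne 0)
        ComputerDisabled = (($Flags -band 2) -ne 0)
        UserDisabled     = (($Flags -band 1) -ne 0)
    }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$policies = [ADSI]('LDAP://CN=Policies,CN=System,' + $rootDse.defaultNamingContext)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
$searcher.Filter = '(objectClass=groupPolicyContainer)'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'versionNumber', 'flags'))

foreach ($result in $searcher.FindAll()) {
    $p     = $result.Properties
    $state = Get-GpoSideState -VersionNumber ([int]$p['versionnumber'][0]) -Flags ([int]$p['flags'][0])
    $state | Add-Member -MemberType NoteProperty -Name Name -Value ([string]$p['displayname'][0]) -PassThru |
        Select-Object Name, ComputerVersion, ComputerHasData, ComputerDisabled,
                      UserVersion, UserHasData, UserDisabled
}
```

A GPO whose UserHasData is False is skipped on the user side whether or not UserDisabled is set, which is Darren's point; the disabled flag only changes anything when that side's version is non-zero.
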

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan (Temp)

Boy, Al, I'd dearly *love* to "step away from the keyboard, keep your hands
where we can see 'em!" but I am the monkey in charge of doing this.

Problem was (is?), I stupidly shut down the FTPSERVER without seeing if it was
a time server, the OU master, the AD controller, and/or the PDC. Chalk it up to
inexperience/stupidity. I went into this task DUMB. (FTPSERVER is the old,
inactivated server, FTP1 is now the only ftp server in the organization)

I'd like to flatten the Sweden server and start over, but what if the problem
is still there? Something is going to be broken within the AD on the
Headquarters end. I'm going to suck the filesystem over here to the States,
then probably bare metal the little bugger.

DNS seems to be working okay, replication and all. I have the HQ NAT address
in the 192.168.1.x range, with Poland on 192.168.2.x and Sweden on
192.168.3.x, and the only IN-ADDR I really replicate is the 192.168.1.x Class
C. I VPN tunnel to them, and I'm able (when DNS is working) to login with the
AD login permissions available here. I'm pretty sure it's working, because
when I "add" the Sweden DNS server to the purcellsystems.com domain everything
works in the Sweden office.

AD is working okay (I *think*), I'm doing my level best to avoid having to
tweak it in any way. I'm slavishly following the instructions in Robbie
Allen's "Active Directory Cookbook" to avoid any future screw-ups.

FWIW, I've torn the server's DNS and AD down completely, rebooted the server
twice, then rebuilt/reinstalled DNS and was attempting to reinstall AD when
this happened. Is bare metal rebuild the only option at this point?



Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, October 05, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

My first instinct is to say please step away from the keyboard but that's
just to make me chuckle. :)

It looks like the old server, FTP1 was configured as a time server? Or was it
an AD domain controller?

The answer to that guides the rest of the conversation, but the best thing to
do regardless is to flatten the Sweden server. Rebuild it completely with a
new name and everything. Because you're not sure of the state, be sure to get
a backup should you need it.

If everything else is fine, then you'll want to rebuild that server, rejoin it
to the appropriate domain and let it settle. Before you continue, you'll want
to ensure that everything else is in good shape including dns, replication and
authentication at a minimum.

DNS would be my primary concern at this point. Don't mess with the forest,
domain or any of the other pieces if you can help it. Upgrading the forest
functional level or the domain functional level is not something you want to
just walk out and pull the trigger on without understanding what it means and
what the implications are.

Al

On 10/5/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've
screwed the pooch on my network. Here's how:

Shut down an antiquated FTP server after transferring files to the new
FTP server. The old one's OS was Win2K, the new one is Win2003.

I *did not* do anything to AD at the time this occurred.

A day before I started working here (8/8/06) the server in Sweden was
rebuilt by a local consultant. Hardware failure. He rebuilt from bare
metal, and set up the DNS and AD incorrectly. The end result was a
server sitting in its own domain. DNS was somehow told to replicate to
the server, and was working fine.

I next tried to put/rename/move the Sweden server into the Purcell.com
domain. Oops, have to upgrade out of Win2000 mixed mode. No problem,
I'll just transfer the AD, DNS, and PDC to a master machine running
Win2003 and have lotsa machines (okay, one or two) running as PDCs and
alternate DNS and AD, right?

Here's where the pooch got this way - I'm a n00b when it comes to AD,
and somehow in the transfer of functions I've messed up the domain
something fierce. AD and DNS work just fine (replicate) on the USA and
Poland servers, but I tried upgrading the Sweden server to the forest
and things got cranky - it wouldn't upgrade because it swore up and down
that the domain was still in pre-Win2003 mode. In frustration, I tore
down DNS and AD on the Sweden server, and rebuilt them - not an easy
task by remote control...

The DNS rebuilt just peachy on the Sweden server, but when I go to
install AD on it, it tells me that the domain ain't ready for prime time
- I have to run adprep on the domain. I ran adprep the first time, and
everything appeared to work just fine. Subsequent attempts are rebuffed
- I've already prepared the domain, it tells

RE: [ActiveDir] Folder Redirection Issue

2006-10-06 Thread Dan DeStefano

Thanks everyone for your help. The problem seems to be that users need read
permissions to the root home folders directory as just giving them
traverse/read folder contents was not enough. This is not such a big deal I
guess because thanks to ws2k3 SP1's new access-based enumeration feature,
users cannot even see other users' home folders in the home folder share.

Again, thank all of you for your help,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, October 05, 2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Folder Redirection Issue

Sorry, didn't read thoroughly first (oops). Yeah, it sounds like a perms
issue, I usually set the root of my user shares directory to have
Read/Traverse perms for users in case of an emergency and/or troubleshooting.
It's an administrative share anyway, I can understand the paranoia of also
setting it to basically be unbrowsable, but it sounds like you're going 1/2 a
step too far (at least for the purposes of the applications in your
environment).

On 10/5/06, Matt Hargraves [EMAIL PROTECTED] wrote:

If you're using a transform file to deploy, you should be able to define the
default file location, either as a variable (%homedrive%) or alternatively,
you can install the GPO extensions for MS Office and set the item via GPO and
stop worrying, as long as you test it a little bit before deploying it out to
everyone.

On 10/4/06, Kennedy, Jim [EMAIL PROTECTED] wrote:

Office was deployed to the workstations via group policy using an AIP
and MST transform.

Bet you will find something in that MST that is pointing to the wrong
location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue

I am having a weird problem with folder redirection. I have set the My
Documents redirection to the "subfolder of the root drive" option and set the
path to the homefolders directory (\\servername\homefolders$). This is supposed
to redirect users' My Documents to \\servername\homefolders$\%username%\my
documents and it does. The users log onto their PCs and open their My Documents
folder fine and looking at the properties of their My Documents folder confirms
that the redirection is working properly. The problem is that in certain
applications, namely Outlook 2003 (all latest patches and SPs applied), when a
user goes to save an attachment, for example, and clicks on My Documents in
the save dialog, they receive the error "cannot access
\\servername\homefolders$", which makes sense since the users do not have
access to the homefolders$ share, just to their subfolder. So Outlook, for
some reason, is not drilling down into the user's My Documents in the home
folder, but instead is trying to access the root of the homefolders$ share. In
other Office apps, My Documents works fine. There are also no event log
entries that reference this issue.

I am stuck here as I am unable to find any KB articles that discuss this. Does
anyone have any suggestions? I have not yet reinstalled Outlook because all
other Office apps work fine. Office was deployed to the workstations via group
policy using an AIP and MST transform.

Any help would be greatly appreciated.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content and remove it from your possession.

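The permission layout Dan's fix implies, as an added example that is not taken from the thread (PowerShell over the .NET FileSystemAccessRule API; drive, share, domain and account names are constructed placeholders): Read on the root for Domain Users scoped to that folder only, each user's own folder with inheritance from the root cut and the user at Modify, and access-based enumeration on the share so a readable root does not also become a directory of everyone's names. If Folder Redirection creates the folders itself with "Grant the user exclusive rights", only the root part applies; the client creates and ACLs the subfolder.

```powershell
# Added example, not from the thread. Run as an administrator on the file
# server. Paths, share, domain and user names are constructed placeholders.
$homeRoot  = 'D:\HomeFolders'
$shareName = 'homefolders$'
$domain    = 'CORP'
$users     = @('jsmith', 'mjones')     # constructed sample accounts

function New-AccessRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-HomeRootAcl {
    param([string]$Path, [string]$Domain)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl $Path
    # cut whatever the drive root hands down, then grant explicitly
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\SYSTEM'   FullControl 'ContainerInherit, ObjectInherit'))
    $acl.AddAccessRule((New-AccessRule 'BUILTIN\Administrators' FullControl 'ContainerInherit, ObjectInherit'))
    # the fix from the thread: Read on the root, this folder only (InheritanceFlags None),
    # so users can open the share without gaining anything inside other people's folders
    $acl.AddAccessRule((New-AccessRule "$Domain\Domain Users" ReadAndExecute None))
    Set-Acl $Path $acl
}

function New-HomeFolder {
    param([string]$Root, [string]$Domain, [string]$User)
    $path = Join-Path $Root $User
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl = Get-Acl $path
    # stop inheriting the root's ACEs (true = protected, false = do not keep copies)
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\SYSTEM'   FullControl 'ContainerInherit, ObjectInherit'))
    $acl.AddAccessRule((New-AccessRule 'BUILTIN\Administrators' FullControl 'ContainerInherit, ObjectInherit'))
    # Modify rather than Full Control: the user cannot re-ACL the folder to share it out
    $acl.AddAccessRule((New-AccessRule "$Domain\$User" Modify 'ContainerInherit, ObjectInherit'))
    Set-Acl $path $acl
}

Set-HomeRootAcl -Path $homeRoot -Domain $domain
foreach ($u in $users) { New-HomeFolder -Root $homeRoot -Domain $domain -User $u }

# Access-based enumeration on the share. Windows Server 2003 SP1 shipped
# abecmd.exe for this ("abecmd.exe /enable homefolders$"); on Server 2012 and
# later the SMB cmdlets do the same job.
Set-SmbShare -Name $shareName -FolderEnumerationMode AccessBased -Force
```

Access-based enumeration hides names, it does not protect contents: the per-folder ACL is what keeps one user out of another's files, and the root ACL is what lets the Outlook save dialog enumerate the share at all.
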


[ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Isenhour, Joseph
Does anyone know if it's possible to set Directory ACLs using an LDIF?
I'm trying to enforce a process for setting ACLs that is similar to the
process we have for making Schema extensions.  


Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Al Mulnick
Glad you're able to retain a sense of humor. That's important too. :)

You're in good shape if AD and DNS is working fine or at least as expected. You can find out if the old FTP server held any roles etc and clean up based on that. 

I don't have the links handy, but you'll want to check for the following: 
1) time server settings for the Domain - check PDC (by default it's the time master for the domain but yours may be custom/different)
2) find out if the FTP server was a DC. For this, open the ADUC and see what it shows in the domain controllers container. Not foolproof but it's an indication
3) Use DCDIAG on the domain controllers and check the information that comes back. Look for issues in there. Easiest if you pipe it to a text file and use the /v switch, so that you can search it later. Before you take action, feel free to drop a note back with the results. Some things can be easy, while others might be better left alone or better yet, you might need to involve Microsoft Support. 

4) Leave the sweden server alone until you have the other questions answered. It's fine the way it is for now, even if it leaves them degraded.
5) once you've been able to clear the rest, then we can go back and find out why the server doesn't want to be added to the domain as a dc (keep in mind it should be a domain member server now without issue). 

Chances are, based on your description, that there's nothing to be terribly concerned about. Verify and then figure out why the server won't join as a DC. There are logs for the dcpromo process that should give an indication of that issue, but I highly suggest attacking this serially. 


Al
On 10/6/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:



Boy, Al, I'd dearly *love* to "step away from the keyboard, keep your hands where we can see 'em!" but I am the monkey in charge of doing this.


Problem was (is?), I stupidly shut down the FTPSERVER without seeing if it was a time server, the OU master, the AD controller, and/or the PDC. Chalk it up to inexperience/stupidity. I went into this task DUMB. (FTPSERVER is the old, inactivated server, FTP1 is now the only ftp server in the organization)


I'd like to flatten the Sweden server and start over, but what if the problem is still there? Something is going to be broken within the AD on the Headquarters end. I'm going to suck the filesystem over here to the States, then probably bare metal the little bugger.


DNS seems to be working okay, replication and all. I have the HQ NAT address in the 192.168.1.x range, with Poland on 
192.168.2.x and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate is the 192.168.1.x Class C. I VPN tunnel to them, and I'm able (when DNS is working) to login with the AD login permissions available here. I'm pretty sure it's working, because when I "add" the Sweden DNS server to the 
purcellsystems.com domain everything works in the Sweden office.

AD is working okay ( I *think*), I'm doing my level best to avoid having to tweak it in any way. I'm slavishly following the instructions in Robbie Allen's "Active Directory Cookbook" to avoid any future screw-ups.


FWIW, I've torn the server's DNS and AD down completely, rebooted the server twice, then rebuilt/reinstalled DNS and was attempting to reinstall AD when this happened. Is bare metal rebuild the only option at this point?



Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, October 05, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now



My first instinct is to say please step away from the keyboard but that's just to make me chuckle. :)



It looks like the old server, FTP1 was configured as a time server? Or was it an AD domain controller? 



The answer to that guides the rest of the conversation, but the best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because you're not sure of the state, be sure to get a backup should you need it. 




If everything else is fine, then you'll want to rebuild that server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is in good shape including dns, replication and authentication at a minimum. 




DNS would be my primary concern at this point. Don't mess with the forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional level is not something you want to just walk out and pull the trigger on without understanding what it means and what the implications are. 




Al

On 10/5/06, Steve Egan (Temp) 
[EMAIL PROTECTED] wrote: 

I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've screwed the pooch on my network. Here's how: 

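Al's checklist as a script, added here and not part of the thread: run it on a known-good DC at HQ and keep the output files so the results can be posted or compared after each change. FTPSERVER is the name from the thread; the domain name and output directory are constructed placeholders, and every tool it calls (netdom, dsquery, w32tm, dcdiag, repadmin, nltest) ships with Windows Server or the Support Tools.

```powershell
# Added example, not from the thread. Run on a healthy DC. Domain name and
# output directory are constructed placeholders; FTPSERVER is from the thread.
$suspect = 'FTPSERVER'
$domain  = 'purcellsystems.com'
$out     = "C:\ad-triage-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $out | Out-Null

# 1) FSMO role holders. If $suspect shows up here the role is orphaned on a
#    machine that is switched off and must be seized onto a live DC, not left.
$fsmo = netdom query fsmo
$fsmo | Set-Content "$out\fsmo.txt"
if ($fsmo -match $suspect) { Write-Warning "$suspect still holds an FSMO role" }

# 2) Was it a DC? The server objects in the Configuration partition are
#    authoritative; the ADUC "Domain Controllers" OU is only an indication.
$dcs = dsquery server -forest -o rdn
$dcs | Set-Content "$out\dcs.txt"
if ($dcs -match $suspect) {
    Write-Warning "$suspect still has a DC object: metadata cleanup is needed before promoting anything else"
}

# 3) Time. The PDC emulator is the domain's time source by default; see which
#    server each DC is actually syncing from. (w32tm /query is Vista/2008+;
#    /monitor works on Server 2003 as well.)
w32tm /monitor /domain:$domain | Set-Content "$out\time.txt"

# 4) Health: verbose dcdiag into a file you can search later, plus a
#    replication summary for every DC.
dcdiag /v /f:"$out\dcdiag.txt" | Out-Null
Select-String -Path "$out\dcdiag.txt" -Pattern 'failed test' | Set-Content "$out\dcdiag-failures.txt"
repadmin /replsummary | Set-Content "$out\replsummary.txt"

# 5) What a client resolves for the domain: the DNS side Al is most worried about.
nltest /dsgetdc:$domain /force | Set-Content "$out\dsgetdc.txt"

Get-ChildItem $out
```

Read the five files in that order before touching the Sweden server: an orphaned role or a stale DC object for FTPSERVER explains the "domain not prepared" refusal far more often than anything on the remote box does.
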
Re: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Al Mulnick
There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it. 

You'd be better off using a different tool in my opinion. 

Al
On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:
 Does anyone know if it's possible to set Directory ACLs using an LDIF?
 I'm trying to enforce a process for setting ACLs that is similar to the
 process we have for making Schema extensions.


RE: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread joe

I think you could but it would be non-trivial. I agree with Al, use a
different tool. dsacls or scripting is the "standard".

Theoretically, and Dmitri or Eric can correct me if I am off, you could create
your Security Descriptor in SDDL format, convert that to the binary form, then
mime encode it, then try to apply that string for the ntSecurityDescriptor
attribute. You will likely have to do it as an Administrator or else you will
get an error since non-admins have to set special controls to update the
security descriptor and I don't think LDIFDE will do it.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 06, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using an LDIF to set ACLs

There's no provision in the ldif standard that I'm aware of that would
allow this. LDIFDE might have something with it, but I haven't seen it.

You'd be better off using a different tool in my opinion.

Al

On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:
 Does anyone know if it's possible to set Directory ACLs using an LDIF?
 I'm trying to enforce a process for setting ACLs that is similar to the
 process we have for making Schema extensions.

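The route joe sketches, carried through as an added example (not code from the thread or from joeware): SDDL to the binary self-relative security descriptor via .NET's RawSecurityDescriptor, base64 into an LDIF modify record for nTSecurityDescriptor, and decoded back to SDDL so a reviewer can read what the opaque value grants, which is Joseph's objection to the approach. The OU, the domain SID (S-1-5-21-1111-2222-3333) and the help-desk group's RID (1108) are constructed placeholders.

```powershell
# Added example, not from the thread. OU, domain SID and RID are constructed
# placeholders. Needs .NET's RawSecurityDescriptor (PowerShell 2.0 or later).
$dn = 'OU=Sales,DC=corp,DC=example,DC=com'
# O: owner, G: group, D:PAI = DACL, protected and auto-inherited.
#   BA: full control; AU: read; the help-desk group gets the "Reset Password"
#   control-access right (00299570-246d-11d0-a768-00aa006e0529) on user
#   objects (class GUID bf967aba-0de6-11d0-a285-00aa003049e2) beneath the OU.
$sddl = 'O:BAG:BAD:PAI' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;LCRPLORC;;;AU)' +
        '(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1111-2222-3333-1108)'

function ConvertTo-SdLdif {
    param([string]$DistinguishedName, [string]$Sddl)
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] ($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)            # self-relative SECURITY_DESCRIPTOR
    $b64   = [Convert]::ToBase64String($bytes)
    # "::" marks a base64 value in LDIF (RFC 2849); "-" closes the modify spec
    @"
dn: $DistinguishedName
changetype: modify
replace: nTSecurityDescriptor
nTSecurityDescriptor:: $b64
-
"@
}

function ConvertFrom-SdLdif {
    param([string]$Ldif)
    $line  = @($Ldif -split "`r?`n" | Where-Object { $_ -like 'nTSecurityDescriptor:: *' })[0]
    $bytes = [Convert]::FromBase64String($line.Substring('nTSecurityDescriptor:: '.Length))
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$ldif = ConvertTo-SdLdif -DistinguishedName $dn -Sddl $sddl
$ldif | Set-Content -Encoding ASCII "$env:TEMP\sales-ou-sd.ldf"

# Review gate: what the LDIF actually carries, in readable form. Diff this
# against the intended SDDL before anyone runs ldifde -i -f on the file.
ConvertFrom-SdLdif $ldif
```

Two caveats before such a file is imported. A replace of nTSecurityDescriptor without the LDAP SD-flags control (OID 1.2.840.113556.1.4.801) is a write of owner, group, DACL and SACL together, and ldifde has no switch for that control; that is the "special controls" joe refers to, and why the import has to run with the privileges to write all four parts. And because it is a whole-descriptor replace, whatever the OU's DACL held before is gone rather than merged, so decode the current value the same way and diff it against the new one as part of the review.
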

RE: [ActiveDir] Changing the distinguishedName with AdMod

2006-10-06 Thread joe



Hey Noah,

To change the distinguished name, that is a special process 
called a rename. You don't update the attribute directly. You handle that 
through the -rename switch. If you are doing that and it isn't working, enable 
the -exterr switch and post the full error.

On the forum, yeah yeah... I posted a notification on the forum that I am currently having hundreds of spam userids being requested. I am trying to sort them out and grant the IDs for folks that I ascertain as real, but it is tough. Just send me a separate email with your ID and I will activate it.


 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 06, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing the distinguishedName with AdMod


Hi 

I was trying to use AdMod to change 
the distinguished name of one of our users. (A new tech entered the name 
incorrectly and email, etc has already started to flow to the account.) AdMod 
returns an error. Is this possible? What is the syntax I would 
use?

Thanks.

-- nme

P.S. Joe, I tried to register for 
the support forum at your site and never receive the confirmation 
email.




RE: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Isenhour, Joseph

Ouch, that does sound like a lot of trouble. And once the binary string is in the LDIF, admins won't be able to tell what the string is doing.

Sounds like dsacls is the way to go.

Thanks for the info

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

I think you could, but it would be non-trivial. I agree with Al: use a different tool. dsacls or scripting is the standard.

Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error, since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 06, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using an LDIF to set ACLs

There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it.

You'd be better off using a different tool in my opinion.

Al

On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

Does anyone know if it's possible to set Directory ACLs using an LDIF?
I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan \(Temp\)

You mean the people on this thread are less than honest?? ;P

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell

AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER *was* a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it.

SNIP


Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)


Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck 
are they thinking, making DCs mail servers and FTP servers.  Might as 
well load them up with web services next.


BTW, you probably shouldn't be posting your infrastructure in a 
message list.




On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Al, will do.  I tucked FTPSERVER under a desk and forgot about
it.  Experience has taught me the hard way not to be in a rush to
tear down machines and cannibalize the parts until you are SURE
it's okay to loot the corpse.  Nevermind the smell…

 


AD and DNS is working as well as can be expected with a
thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
I think, but I'll fire up the box (OFF of the wire!) and start
looking at it.

 


Here's what I see for the domain:

 


How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
refuses to become one…  This entry is from an OLD Sweden server
entry – notice how the guy before me spedded Swe(den).

 


IF it ain't broke, don't break it!.  Maybe I should just quit
screwing with it – for now…

 


I'll keep plugging away at it, I guess.

 


Steve Egan

Purcell Systems

System/Network Administrator

desk 509 755-0341 x110

cell 509 475-7682

fax 509 755-0345



*From:* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick
*Sent:* Friday, October 06, 2006 1:30 PM

*To:* ActiveDir@mail.activedir.org
mailto:ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Major screwup on AD for my company -
Can't install AD on remote server now

 


Glad you're able to retain a sense of humor.  That's important too. :)

 


You're in good shape if AD and DNS is working fine or at least as
expected.  You can find out if the old FTP server held any roles
etc and clean up based on that.

 


I don't have the links handy, but you'll want to check for the
following:

1) time server settings for the Domain - check PDC (by default
it's the time master for the domain but yours may be custom/different)

2) find out if the FTP server was a DC. For this, open the ADUC
and see what it shows in the domain controllers container. Not
foolproof but it's an indication

3) Use DCDIAG on the domain controllers and check the information
that comes back. Look for issues in there.  Easiest if you pipe it
to a text file and use the /v switch, so that you can search it
later.  Before you take action, feel free to drop a note back with
the results.  Some things can be easy, while others might be
better left alone or better yet, you might need to involve
Microsoft Support.

4) Leave the sweden server alone until you have the other
questions answered. It's fine the way it is for now, even if it
leaves them degraded.

5) once you've been able to clear the rest, then we can go back
and find out why the server doesn't want to be added to the domain
as a dc (keep in mind it should be a domain member server now
without issue).
 


Chances are, based on your description, that there's nothing to be
terribly concerned about.  Verify and then figure out why the
server won't join as a DC.  There are logs for the dcpromo process
that should give an indication of that issue, but I highly suggest
attacking this serially.

 


Al
 


On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] wrote:

Boy, Al, I'd dearly **love** to step away from the keyboard, keep
your hands where we can see 'em! but I am the monkey in charge of
doing this.

 


Problem was (is?), I stupidly shut down the FTPSERVER without
seeing if it was a time server, the OU master, the AD controller,
and/or the PDC.  Chalk it up to inexperience/stupidity.  I went
into this task DUMB. (FTPSERVER is the old, inactivated server,
FTP1 is now the only ftp server in the organization)

 


I'd like to flatten the Sweden server and start over, but what if
the problem is still there?  Something is going to be broken
within the AD on the Headquarters end.  I'm going to suck the
filesystem over here to the States, then probably bare metal the
little bugger.

 


DNS seems to be working okay, replication and all.  I have the HQ
NAT address in the 192.168.1.x range, with Poland on 192.168.2.x
and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate
is 
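
Al's checklist in the message quoted above (PDC emulator and time source, "was the retired box a DC?", dcdiag /v into a file you can search later) as a read-only script. This is an added example, not code from the thread or from any list member; it assumes the RSAT ActiveDirectory module plus the built-in w32tm and dcdiag tools, reuses the thread's FTPSERVER name for the retired host, and writes its report to a constructed path under $env:TEMP. Step 5 of the list (retrying the dcpromo) is deliberately left out, which is the serial approach Al recommends.

```powershell
# Added example (not from the thread): Al's post-removal checklist as a script.
# 1) FSMO holders and the PDC emulator's time source, 2) was the retired box a
# DC, 3) dcdiag /v into a text file you can search later. Nothing here writes
# to the directory. Assumes the RSAT ActiveDirectory module, w32tm and dcdiag.
Import-Module ActiveDirectory

$retired = 'FTPSERVER'                                   # host named in the thread
$report  = Join-Path $env:TEMP ('dcdiag-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmm'))

# 1) Role holders. The PDC emulator is the domain's default time master, so if
#    the retired box held that role, clock skew across the domain follows.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# What the PDC emulator itself syncs from (custom setups differ, as Al notes).
$pdc = $domain.PDCEmulator
w32tm /query /computer:$pdc /source

# 2) Was the retired server a DC? Al's ADUC check, done by listing the DCs the
#    domain still advertises and looking for the old name among them.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, HostName, IsGlobalCatalog, OperationMasterRoles | Format-Table -AutoSize
if ($dcs.Name -contains $retired) {
    Write-Warning "$retired is still listed as a domain controller; sort that out before reusing the name."
}

# 3) Verbose dcdiag to a file, then pull out only the lines naming a failed test.
dcdiag /v /c /e | Out-File -FilePath $report -Encoding utf8
Select-String -Path $report -Pattern 'failed test' | ForEach-Object { $_.Line.Trim() }
"Full report: $report"
```

Run it from a domain-joined admin workstation; the full dcdiag output stays in the report file so the "failed test" summary can be checked against the surrounding detail before anything is changed.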

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan \(Temp\)
Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)

Matt Hargraves wrote:
 I know you probably haven't been there very long, but what in the heck

 are they thinking, making DCs mail servers and FTP servers.  Might as 
 well load them up with web services next.

 BTW, you probably shouldn't be posting your infrastructure in a 
 message list.



 On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] 
 mailto:[EMAIL PROTECTED] wrote:

 Al, will do.  I tucked FTPSERVER under a desk and forgot about
 it.  Experience has taught me the hard way not to be in a rush to
 tear down machines and cannibalize the parts until you are SURE
 it's okay to loot the corpse.  Nevermind the smell...

  

 AD and DNS is working as well as can be expected with a
 thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
 I think, but I'll fire up the box (OFF of the wire!) and start
 looking at it.

  

 Here's what I see for the domain:

  

 How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
 refuses to become one...  This entry is from an OLD Sweden server
 entry - notice how the guy before me spedded Swe(den).

  

 IF it ain't broke, don't break it!.  Maybe I should just quit
 screwing with it - for now...

  

 I'll keep plugging away at it, I guess.

  

 Steve Egan

 Purcell Systems

 System/Network Administrator

 desk 509 755-0341 x110

 cell 509 475-7682

 fax 509 755-0345




 *From:* [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]] *On Behalf Of *Al
Mulnick
 *Sent:* Friday, October 06, 2006 1:30 PM

 *To:* ActiveDir@mail.activedir.org
 mailto:ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
 Can't install AD on remote server now
SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Dmitri Gavrilov

Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF.

At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF'able. Alas.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using an LDIF to set ACLs

I think you could, but it would be non-trivial. I agree with Al: use a different tool. dsacls or scripting is the standard.

Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error, since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 06, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using an LDIF to set ACLs

There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it.

You'd be better off using a different tool in my opinion.

Al

On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

Does anyone know if it's possible to set Directory ACLs using an LDIF?
I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx
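
The route joe sketches (SDDL, binary, mime encode, ntSecurityDescriptor) and the objection Dmitri raises to it, as an added example that is not code from the thread or from any of the tools it names. Part 1 needs only Windows PowerShell 5 or later for the `[type]::new()` syntax and runs without a directory; Part 2 additionally assumes the RSAT ActiveDirectory module and its `AD:` drive. The DN, the SDDL string and the account name are constructed placeholders.

```powershell
# Added example (not from the thread). Part 1 walks joe's route: SDDL -> binary
# SD -> base64 -> LDIF. Part 2 shows Dmitri's objection in code: that LDIF is a
# wholesale replace, so adding one ACE needs a read-modify-write LDIF cannot do.
# Assumes Windows PowerShell 5+. The DN, SDDL and account below are placeholders.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$targetDn = 'OU=Staff,DC=example,DC=test'      # placeholder DN

# --- Part 1: joe's route -----------------------------------------------------
# Step 1: the SD as SDDL. Owner and group: Builtin Administrators (BA);
# DACL: BA generic all, Authenticated Users (AU) read property / list / read control.
$sddl = 'O:BAG:BAD:(A;;GA;;;BA)(A;;RPLCLORC;;;AU)'
$sd   = [RawSecurityDescriptor]::new($sddl)

# Step 2: the self-relative binary form, which is what ntSecurityDescriptor stores.
$bytes = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($bytes, 0)

# Step 3: base64 ("mime") encode it. LDIF (RFC 2849) marks base64 values with
# "::" and folds long values onto continuation lines that begin with one space.
$b64 = [Convert]::ToBase64String($bytes)

function ConvertTo-LdifSdReplace {
    param([string]$Dn, [string]$Base64Sd)
    $folded = ($Base64Sd -split '(.{76})' | Where-Object { $_ }) -join "`n "
    @"
dn: $Dn
changetype: modify
replace: ntSecurityDescriptor
ntSecurityDescriptor:: $folded
-
"@
}
ConvertTo-LdifSdReplace -Dn $targetDn -Base64Sd $b64

# Joseph's readability worry: the blob is opaque in the file, but a reviewer can
# decode it back to SDDL with the same class before the change is applied.
$decoded = [RawSecurityDescriptor]::new($bytes, 0)
$decoded.GetSddlForm([AccessControlSections]::All)

# --- Part 2: Dmitri's point --------------------------------------------------
# "replace:" above overwrites owner, group, DACL and SACL together, and LDIF has
# no step that reads the current value first. Appending a single ACE therefore
# needs a script: read the live SD, add the ACE, write it back.
# Assumes the RSAT ActiveDirectory module and its AD: drive; run against a real DC.
function Add-ReadAce {
    param([string]$Dn, [string]$Account)       # $Account e.g. 'EXAMPLE\HelpDesk' (placeholder)
    Import-Module ActiveDirectory
    $acl  = Get-Acl -Path "AD:\$Dn"              # read: the object's current security descriptor
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [NTAccount]::new($Account),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)                    # modify: one ACE added, everything else kept
    Set-Acl -Path "AD:\$Dn" -AclObject $acl      # write back
}
```

Part 1 produces a valid `changetype: modify` record, so the mechanism joe describes does exist; what it cannot express is "the current SD plus one ACE", which is why both he and Dmitri point to dsacls or scripting, and why Add-ReadAce starts with Get-Acl rather than with a literal.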












[ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Tim Vander Kooi
It's not speed or resources that scare most of us when it comes to
sharing DC space with other apps, it's security. With SBS Microsoft has
(at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he
inadvertently put no security on it whatsoever and the company I was
with at the time ended up serving up 200 GB of German p0rn. He had lots
of fun explaining why our new server had crashed due to lack of
diskspace.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)

Matt Hargraves wrote:
 I know you probably haven't been there very long, but what in the heck

 are they thinking, making DCs mail servers and FTP servers.  Might as 
 well load them up with web services next.

 BTW, you probably shouldn't be posting your infrastructure in a 
 message list.



 On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] 
 mailto:[EMAIL PROTECTED] wrote:

 Al, will do.  I tucked FTPSERVER under a desk and forgot about
 it.  Experience has taught me the hard way not to be in a rush to
 tear down machines and cannibalize the parts until you are SURE
 it's okay to loot the corpse.  Nevermind the smell...

  

 AD and DNS is working as well as can be expected with a
 thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
 I think, but I'll fire up the box (OFF of the wire!) and start
 looking at it.

  

 Here's what I see for the domain:

  

 How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
 refuses to become one...  This entry is from an OLD Sweden server
 entry - notice how the guy before me spedded Swe(den).

  

 IF it ain't broke, don't break it!.  Maybe I should just quit
 screwing with it - for now...

  

 I'll keep plugging away at it, I guess.

  

 Steve Egan

 Purcell Systems

 System/Network Administrator

 desk 509 755-0341 x110

 cell 509 475-7682

 fax 509 755-0345




 *From:* [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]] *On Behalf Of *Al
Mulnick
 *Sent:* Friday, October 06, 2006 1:30 PM

 *To:* ActiveDir@mail.activedir.org
 mailto:ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
 Can't install AD on remote server now
SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Granted external FTP isn't one that SBSers recommend either and we're 
freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.



Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to
sharing DC space with other apps, it's security. With SBS Microsoft has
(at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he
inadvertently put no security on it whatsoever and the company I was
with at the time ended up serving up 200 GB of German p0rn. He had lots
of fun explaining why our new server had crashed due to lack of
diskspace.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)


Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.


BTW, you probably shouldn't be posting your infrastructure in a 
message list.




On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Al, will do.  I tucked FTPSERVER under a desk and forgot about
it.  Experience has taught me the hard way not to be in a rush to
tear down machines and cannibalize the parts until you are SURE
it's okay to loot the corpse.  Nevermind the smell...

 


AD and DNS is working as well as can be expected with a
thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
I think, but I'll fire up the box (OFF of the wire!) and start
looking at it.

 


Here's what I see for the domain:

 


How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
refuses to become one...  This entry is from an OLD Sweden server
entry - notice how the guy before me spedded Swe(den).

 


IF it ain't broke, don't break it!.  Maybe I should just quit
screwing with it - for now...

 


I'll keep plugging away at it, I guess.

 


Steve Egan

Purcell Systems

System/Network Administrator

desk 509 755-0341 x110

cell 509 475-7682

fax 509 755-0345

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf Of *Al Mulnick
*Sent:* Friday, October 06, 2006 1:30 PM

*To:* ActiveDir@mail.activedir.org
mailto:ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Major screwup on AD for my company -
Can't install AD on remote server now


SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Joe Kaplan
I'd love to see something like that as a constructed read/write attribute if 
it could ever be made to happen.  You could also blow apart the fields in 
the SD into separate attributes to make the semantics more clear.


Joe

- Original Message - 
From: Dmitri Gavrilov

To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:40 PM
Subject: RE: [ActiveDir] Using an LDIF to set ACLs


Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is 
also possible, but it would replace the whole SD value, which is rarely what 
you really want. Usually you just need to add or remove an ACE, right? This 
would require reading the old value, which is not possible with LDIF.


At some point, I looked at trying to expose the SD value as a multi-valued 
string attribute, each value representing an individual ACE (e.g. in SDDL). 
This is approximately what iPlanet and OpenLdap do. Unfortunately, it never 
went further than that. Would have been pretty cool, and very much LDIF'able. 
Alas.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Al Mulnick
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform, SBS or not. SBS exists because it makes more economic sense than mom's 75-person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena.

Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server (sigh) crashed due to lack of disk space. Somebody got those pictures down before I got to it, darn it. I bet they were some good ones ;)

Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned.

Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy.

If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call, else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though...


Al


On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well.
As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell...

AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER **was** a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it.

Here's what I see for the domain:

How the *^($(*^ is Sweden in there?? It's NOT an AD server, it refuses to become one... This entry is from an OLD Sweden server entry - notice how the guy before me spedded Swe(den).

IF it ain't broke, don't break it!. Maybe I should just quit screwing with it - for now...

I'll keep plugging away at it, I guess.

Steve