Re: [ActiveDir] "Who Am I" request
Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to try it. :)

Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

- Original Message -
From: "Dmitri Gavrilov" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] "Who Am I" request

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support WhoAmI extended operation per RFC. In addition, they support rootDSE/tokenGroups attribute, which is exactly what you need to check "self group membership". If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up user SID from the token). Note tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Who Am I" request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] ftp access
Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant?

Al

On 1/22/07, Antonio Aranda <[EMAIL PROTECTED]> wrote:

I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice.

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
Re: [ActiveDir] Adfind + Admod help
Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg.

Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes that kind of challenge I suspect ;)

Couple of options come to mind:

You could build a table and based on that table you can create/populate. ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the unique instances for you and correlates that information to the sections and then creates/populates. It's slightly complex, but...

Building the tables, you could then execute manually. Depends on the scope of course.

Of course, .NET is an option as well. Same logic depending on language though. And you will want to do this in passes most likely so you can ensure that the department group is created when it comes time to add an object to it. It's helpful to do it that way...

Does that help, or ??

Al

On 1/22/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Hey guys,

I'm trying to wrap my brain around how best to accomplish this and need a little help.

I need to create a security group for each department in our company, and then a security group for each section. At our company sections fall underneath departments. So we may have a department #24, and then sections #241, #242, #243, etc…

Right now, we have made some schema extensions to allow Active Directory to contain relevant user data, such as what Department and Section the user is a part of. So the data is already in our Active Directory.

I imagine there should be a relatively easy way to take each unique value of Department and Section and turn that into the security groups I need. So if it were to find Departments 24 and 25. It would turn that into two security groups named Dept24 and Dept25. Furthermore, if it found sections 241, 242, 251, 252, it would create four security groups named Sec241, Sec242, Sec251, and Sec252.

It would also be "nice" if I could create the Department security groups first, and then not only create the proper Section security groups, but make them a member of the appropriate Department security groups as well.

Any ideas on how best to accomplish this in a relatively pain-free fashion? Or if there is an alternative way to do this rather than Admod, then please suggest it. I just figured that Admod would probably be my best choice.

Thanks,
~Ben
[ActiveDir] Adfind + Admod help
Hey guys,

I'm trying to wrap my brain around how best to accomplish this and need a little help.

I need to create a security group for each department in our company, and then a security group for each section. At our company sections fall underneath departments. So we may have a department #24, and then sections #241, #242, #243, etc...

Right now, we have made some schema extensions to allow Active Directory to contain relevant user data, such as what Department and Section the user is a part of. So the data is already in our Active Directory.

I imagine there should be a relatively easy way to take each unique value of Department and Section and turn that into the security groups I need. So if it were to find Departments 24 and 25. It would turn that into two security groups named Dept24 and Dept25. Furthermore, if it found sections 241, 242, 251, 252, it would create four security groups named Sec241, Sec242, Sec251, and Sec252.

It would also be "nice" if I could create the Department security groups first, and then not only create the proper Section security groups, but make them a member of the appropriate Department security groups as well.

Any ideas on how best to accomplish this in a relatively pain-free fashion? Or if there is an alternative way to do this rather than Admod, then please suggest it. I just figured that Admod would probably be my best choice.

Thanks,
~Ben
[ActiveDir] ftp access
I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice.

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
RE: [ActiveDir] Remote DC's on Virtual Server
After reading this thread, I have to kick my 2 cents in. I use ESX and VS day in and day out, and I think I can give a fair comparison. I use only ESX - none of the rest of the suite of related products (virtual center, vmotion, etc), so this should be a pretty good apples-to-apples comparison.

First, I can't see how anyone can say installing ESX is difficult or complicated. You pick a time zone, configure your disks, and configure your network. Not exactly rocket science. Once you are up and running, you point your web browser at the box's IP address and download the management client. Building virtuals in ESX is about the same in ESX as it is in VS.

ESX is clearly superior in capabilities:

- Virtuals can have 1 cpu in VS, 4 in ESX
- Virtuals can have 3.5GB of RAM in VS, 16GB in ESX
- ESX can present raw LUNs to virtuals - this lets you do physical-to-virtual clustering among other things
- ESX has VLAN capability in its virtual switches. You can extend VLAN trunks into your ESX server via one NIC
- ESX virtual disk files can be grown.
- ESX knows how to "combine" identical memory pages to conserve memory. This is a big win if you run many small virtuals on one box.

The strong points for VS are that it runs on any hardware that windows runs on, it supports iSCSI, and it is free.

Both are solid and perform reasonably well (although the general consensus around here is that virtuals running under ESX seem "snappier" than VS).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 21, 2007 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Read all of this sort of. I have a fairly simple opinion: If you want to screw around, or do small scale virtualization, VS or VMWare server - whatever makes you happy, they're about the same in a datacenter.
If you want to go do all that money saving stuff, large scale let's buy some gigantic servers on a SAN, drink the kool aid off the cover of eweek, etc - go buy an esx license or two.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Sunday, January 21, 2007 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

>>>All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others

Not at all, Ben. I can speak from both sides of the aisle as far as VMWare and VS are concerned, although my bias, to which I have already confessed, plays a role in my dislike of VMWare. My dislike, though, is driven largely based on the original (apples and oranges) statement to which I responded. I have not disputed that VMWare is ahead of VS at this present time. I have simply stipulated that the perceived gap is so considerably narrowed now that dismissing VS as a non-starter is no longer a technically sound or tenable position.

>>>However, MS stated virtual machine support is the same regardless of virtual environment provider.

This is just wrong. Please see http://www.support.microsoft.com/kb/897615

You will also notice that my observation and opinion were based mostly on where we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, but at what cost? I disagree with your assertion that ESX is easier to deploy and manage than VS - that just defies logic (no offense). Not with the availability of System Center. When you need to provision a lab of, say, 20 servers running various OSes, and you are under the gun to get it done, like 4 hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend.
I was afraid that this thread will go down the undesirable path of "Us vs Them", and I apologize for making it so. The point I'm trying to make is that, if you are looking for a Virtualization solution, VS does NOT stink one bit. Factor in the cost overlay, the deployment and maintenance efforts, divide that by what EXACTLY you are looking for in virtualization, then give VS a fair shake and not just go with the popular "VMWare Rules" opinion. ESX may have been sexy a while back when VS was truly ugly, but that is not the case today. VS is evolving, and you may just be pleasantly surprised that it adequately meets your need without breaking your bank and back.

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Be
RE: [ActiveDir] "Who Am I" request
ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support WhoAmI extended operation per RFC. In addition, they support rootDSE/tokenGroups attribute, which is exactly what you need to check "self group membership". If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up user SID from the token). Note tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Who Am I" request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr
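An added example, not part of the original messages: tokenGroups and tokenGroupsGlobalAndUniversal return group SIDs in binary form, so a client checking "self group membership" has to decode them before comparing, and a check against tokenGroupsGlobalAndUniversal alone will not see domain local groups. The domain SID, RIDs and helper names below are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode one binary SID value (as found in tokenGroups) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the sample data."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    header = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def is_member(token_groups, group_sid: str) -> bool:
    """True if group_sid appears among the binary SIDs of a tokenGroups read."""
    return group_sid.upper() in {sid_to_str(v) for v in token_groups}

def domain_local_only(token_groups, global_and_universal):
    """SIDs present in tokenGroups but absent from tokenGroupsGlobalAndUniversal."""
    return sorted({sid_to_str(v) for v in token_groups}
                  - {sid_to_str(v) for v in global_and_universal})

# Constructed sample data: a made-up domain SID with made-up group RIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GLOBAL_GROUP = f"{DOMAIN}-513"    # stands in for a global group
LOCAL_GROUP = f"{DOMAIN}-1105"    # stands in for a domain local group
TOKEN_GROUPS = [str_to_sid(s) for s in (GLOBAL_GROUP, LOCAL_GROUP)]
TOKEN_GROUPS_GU = [str_to_sid(GLOBAL_GROUP)]

if __name__ == "__main__":
    print(is_member(TOKEN_GROUPS, LOCAL_GROUP))      # membership seen via tokenGroups
    print(is_member(TOKEN_GROUPS_GU, LOCAL_GROUP))   # same check on the G+U attribute
    print(domain_local_only(TOKEN_GROUPS, TOKEN_GROUPS_GU))
```
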
[ActiveDir] "Who Am I" request
Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr
RE: [ActiveDir] Hi All,
Hi Tony,

It's nice to see you in my inbox. I am really very happy with the quick response from the group.

Thanks Dear.
Somesh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, January 22, 2007 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hi All,

Hi Somesh

Welcome to the discussion list.

Tony
www.activedir.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Somesh Sahu
Sent: Monday, 22 January 2007 6:14 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hi All,

Hi all,

This is Somesh, a new member of this discussion forum. Nice to use this site.

Somesh sahu