[ActiveDir] Search over SSL hangs
List,

Surfing Google, I realized that this is something that happens with great frequency and not just with the specific directory we are using (Active Directory). Have you ever experienced performing a search against a directory through SSL and the search hangs? It won't happen using an LDAP browser client (like JXplorer), but it does from a PL/SQL procedure from Oracle. The curious thing is that when this very same search is performed through a non-SSL connection (from the database), it won't hang; only through SSL!

I took a look at lots of messages, forums and Oracle forums, and this issue is reported in environments with other configurations (other directories, database, OS...), but a solution or workaround, or even a pointer to where the problem is, is never explained!

Additional info: 2 different certificates were used. Both were given by our customer and are valid ones (tested by them and by us; we can connect/authenticate/search through JXplorer and connect/authenticate through Oracle).

Can you give us a light? Thank you all in advance.

Mauricio.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] Who Am I request
Using ldp.exe, a rootDSE query for supportedExtension will give you the OID:

4 supportedExtension:
    1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
    1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
    1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );
    1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );

Then it's (post bind, to be useful) Browse - Extended Op, and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.

Lee Flight

On Mon, 22 Jan 2007, Joe Kaplan wrote:

Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to try it. :)

Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

- Original Message -
From: Dmitri Gavrilov [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] Who Am I request

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per the RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership.

If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using the %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token). Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.
Thanks a lot,
Alexandr

Lee Flight
__
Lee Flight ([EMAIL PROTECTED])
Tel: +44 (0)116 252 2257
IT Services, Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom
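Added example, not from the list thread or from ldp.exe itself: the "Who am I?" extended operation of RFC 4532 at the wire level, so you can see what ldp.exe sends when you paste the OID with no Data value and what the reply carries. The block encodes the ExtendedRequest, builds a constructed ExtendedResponse of the kind a directory would return, decodes it, and interprets the authzId forms (empty for anonymous, "dn:" or "u:" prefixed). The rootDSE check mirrors the supportedExtension query above. The identity "EXAMPLE\alexandr" and every message are constructed sample data; no real server is contacted.

```python
# Added example: RFC 4532 "Who am I?" request/response encoded by hand.
# BER/LDAP tags follow RFC 4511; sample identities are constructed.

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"   # LDAP_SERVER_WHO_AM_I_OID, as ldp.exe lists it

# --- minimal BER helpers (definite-length encoding only) ---------------------

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag-length-value triple for a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(n, tag=0x02):
    """INTEGER (or ENUMERATED when tag=0x0A), minimal two's complement."""
    size = max(1, (n.bit_length() + 8) // 8)   # keep room for the sign bit
    return tlv(tag, n.to_bytes(size, "big", signed=True))

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

# --- LDAPMessage tags used here (RFC 4511) ---------------------------------
SEQUENCE = 0x30
EXTENDED_REQUEST = 0x77    # [APPLICATION 23] constructed
EXTENDED_RESPONSE = 0x78   # [APPLICATION 24] constructed
REQUEST_NAME = 0x80        # [0] requestName inside ExtendedRequest
RESPONSE_VALUE = 0x8B      # [11] responseValue inside ExtendedResponse

def whoami_request(msg_id):
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName = OID } }.
    No requestValue is sent; that is what 'no Data value' means in ldp.exe."""
    ext = tlv(EXTENDED_REQUEST, tlv(REQUEST_NAME, WHOAMI_OID.encode("ascii")))
    return tlv(SEQUENCE, ber_int(msg_id) + ext)

def whoami_response(msg_id, result_code, authz_id=b"", diagnostic=b""):
    """Server side (constructed for this example): LDAPResult fields, then on
    success a responseValue holding the authzId; empty authzId = anonymous."""
    body = ber_int(result_code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    if result_code == 0:
        body += tlv(RESPONSE_VALUE, authz_id)
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(EXTENDED_RESPONSE, body))

def parse_whoami_response(raw):
    """Decode an ExtendedResponse into message id, result code, diagnostic
    text and authzId (None when the operation did not succeed)."""
    tag, msg, _ = read_tlv(raw, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, id_bytes, pos = read_tlv(msg, 0)
    msg_id = int.from_bytes(id_bytes, "big", signed=True)
    tag, body, _ = read_tlv(msg, pos)
    if tag != EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(body, 0)
    _, _matched_dn, pos = read_tlv(body, pos)
    _, diag, pos = read_tlv(body, pos)
    authz_id = None
    while pos < len(body):                 # optional trailing fields
        tag, value, pos = read_tlv(body, pos)
        if tag == RESPONSE_VALUE:
            authz_id = value.decode("utf-8")
    return {"msg_id": msg_id, "result_code": int.from_bytes(rc, "big", signed=True),
            "diagnostic": diag.decode("utf-8"), "authz_id": authz_id}

def classify_authz_id(authz_id):
    """authzId forms from RFC 4513 section 5.2.1.8: '' anonymous, 'dn:<DN>', 'u:<userid>'."""
    if authz_id is None:
        return ("failed", None)
    if authz_id == "":
        return ("anonymous", None)
    if authz_id.startswith("dn:"):
        return ("dn", authz_id[3:])
    if authz_id.startswith("u:"):
        return ("user", authz_id[2:])
    raise ValueError("unknown authzId form: %r" % authz_id)

def supports_whoami(supported_extensions):
    """Check the rootDSE supportedExtension values before sending the request."""
    return WHOAMI_OID in supported_extensions

def demo_exchange():
    """Full round trip against a constructed reply (message id 4, AD-style 'u:' authzId)."""
    req = whoami_request(4)
    raw = whoami_response(4, 0, b"u:EXAMPLE\\alexandr")   # constructed server reply
    resp = parse_whoami_response(raw)
    assert resp["msg_id"] == 4 and len(req) == 32
    return classify_authz_id(resp["authz_id"])

if __name__ == "__main__":
    print(demo_exchange())   # ('user', 'EXAMPLE\\alexandr')
```

The decoder deliberately tolerates the optional responseName/referral fields and reports a failed operation as `authz_id None` rather than raising, since a directory that does not list the OID in supportedExtension answers with a non-zero resultCode and no value; checking `supports_whoami()` against the rootDSE first avoids sending a request the server will refuse.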
[ActiveDir] OT DNS forwarders..
I have a web application which currently has a URL of http://nzine33svr/businessobj/enterprise/infoview

I would like to have some kind of redirector for this web link so that a user only needs to type in http://webi and it will forward the request to the correct URL. How can I accomplish this in AD DNS? Or what would be the correct method?

thanks
RE: [ActiveDir] OT DNS forwarders..
DNS only maps names to IP addresses. It doesn't do anything with respect to paths.

You could point the hostname webi to the same IP address as the host nzine33svr and configure your web server software to accept requests for either HTTP Host header. Then, to redirect the user to the correct path, you are best off configuring this in your web server software (just about all web server software supports redirection). Just redirect requests for / (the root) to /businessobj/enterprise/infoview

Cheers
Ken

From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed 24/01/2007 12:19 AM
To: Active
Subject: [ActiveDir] OT DNS forwarders..
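Added example, not from the thread: the web-server half of Ken's answer as a small WSGI application, for anyone who wants to see the redirect rule as code rather than as a product setting. DNS gets the browser to the box (a record for "webi" resolving to the same address as nzine33svr); this app answers for the short host name and sends the browser to the full URL. The Host header is client-supplied, so it is used only as a lookup key into a fixed table and is never copied into the Location header. The table and the port are assumptions for the example.

```python
# Added example: host-name based redirect for a short name such as http://webi
# The REDIRECTS table is constructed; adjust it to your own names.

REDIRECTS = {
    # short name users type -> the URL they should land on
    "webi": "http://nzine33svr/businessobj/enterprise/infoview",
}

def resolve(host_header, path):
    """Return (status, location) for a request. Only the root path of a known
    short name is redirected; anything else is a 404, so an arbitrary Host
    value can never turn this into an open redirect."""
    host = (host_header or "").split(":", 1)[0].strip().lower()   # drop any :port
    target = REDIRECTS.get(host)
    if target is None or path not in ("", "/"):
        return ("404 Not Found", None)
    return ("302 Found", target)

def redirect_app(environ, start_response):
    """WSGI entry point, usable with wsgiref.simple_server or any WSGI host."""
    status, location = resolve(environ.get("HTTP_HOST"), environ.get("PATH_INFO", "/"))
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if location:
        headers.append(("Location", location))
    start_response(status, headers)
    return [status.encode("ascii") + b"\n"]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Bind address and port are assumptions; the real server runs on the web host.
    make_server("127.0.0.1", 8080, redirect_app).serve_forever()
```

Run it on the web host, or copy the same two rules (match the Host, redirect `/` to the fixed path) into whatever redirect directive your web server provides; the point that carries over is that the target is a constant, not something derived from the request.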
Re: [ActiveDir] ftp access
Almost sounds like an FTP phishing Trojan. Check the machine for viruses with a couple of up-to-date scanners as well. I have noticed a marked increase in port 21 attack traffic as of late. There are any number of Trojans that can accomplish this as well. Likewise, do you allow any anonymous uploading? Better check the logs to see what kind of activity is happening on that machine. A few more details, as Al suggested, will be most helpful as well.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275

Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/22/2007 07:40 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant?

Al

On 1/22/07, Antonio Aranda [EMAIL PROTECTED] wrote:

I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice.

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
RE: [ActiveDir] Adfind + Admod help
Thank you for the response Al.

To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards ?? in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer, and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now).

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through schema extensions. The actual names of the departments/sections are not important at this level; all I need to be concerned with is the department and section numbers. As an example...

dn: CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group.

I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :)

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg.

Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes that kind of challenge I suspect ;)

A couple of options come to mind:

You could build a table and based on that table you can create/populate. ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the unique instances for you, correlates that information to the sections and then creates/populates. It's slightly complex, but...

Building the tables, you could then execute manually. Depends on the scope of course.

Of course, .NET is an option as well. Same logic depending on language though.

And you will want to do this in passes most likely, so you can ensure that the department group is created when it comes time to add an object to it. It's helpful to do it that way...

Does that help, or ??

Al

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Hey guys, I'm trying to wrap my brain around how best to accomplish this and need a little help.

I need to create a security group for each department in our company, and then a security group for each section. At our company sections fall underneath departments. So we may have a department #24, and then sections #241, #242, #243, etc...

Right now, we have made some schema extensions to allow Active Directory to contain relevant user data, such as what Department and Section the user is a part of. So the data is already in our Active Directory. I imagine there should be a relatively easy way to take each unique value of Department and Section and turn that into the security groups I need. So if it were to find Departments 24 and 25, it would turn that into two security groups named Dept24 and Dept25. Furthermore, if it found sections 241, 242, 251, 252, it would create four security groups named Sec241, Sec242, Sec251, and Sec252.

It would also be nice if I could create the Department security groups first, and then not only create the proper Section security groups, but make them a member of the appropriate Department security groups as well.

Any ideas on how best to accomplish this in a relatively pain-free fashion? Or if there is an alternative way to do this rather than Admod, then please suggest it. I just figured that Admod would probably be my best choice.

Thanks,
~Ben
Re: [ActiveDir] Who Am I request
Cool, thanks Lee. It works. :)

Joe

- Original Message -
From: Lee Flight [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:13 AM
Subject: Re: [ActiveDir] Who Am I request
Re: [ActiveDir] Search over SSL hangs
If this can happen with any LDAP directory and not just AD, then it sounds like the issue is with the Oracle SSL stack. Does the search hang permanently or just take a long time to execute? Sometimes an SSL operation is slowed down a lot due to client certificate authentication requested by the server or CRL checking.

Does Oracle give you any logs? What SSL stack do they use? Can this issue be reproduced with any other SSL stacks (Windows using ldp.exe for example)?

Joe K.

- Original Message -
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 4:28 AM
Subject: [ActiveDir] Search over SSL hangs
Re: [ActiveDir] Adfind + Admod help
What are you comfortable with for administration? How'd the attributes get populated in the first place?

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I mean to say that it wouldn't be the only tool, because there's logic that has to occur that is specific to your situation.

The manual method (non-automated) would be to export the information into spreadsheets and use ldif or csv (comfort level again) to create and populate the group structures as needed.

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Adfind + Admod help
I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well.

The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind; you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates.

The outline of your script would look something like this:

- query AD for all user objects that have apsgDepartment and/or apsgSection populated
- loop through the returned set to build unique lists of Department numbers and Section numbers
- loop through the Department number list and create a group for each one
- loop through the Section number list and create a group for each one, and nest it in the corresponding Department group

None of that is heinously difficult to script. I'd probably lean towards powershell or perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help
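Added example, not from any poster in the thread: Hunter's four-step outline and Al's "do it in passes" advice written out end to end. Instead of querying AD it takes a constructed LDIF-style export of user objects carrying apsgDepartment and apsgSection (Ben's own entry plus invented ones), dedupes the numbers into a dictionary, remembers which department each section was seen under, and emits LDIF change records in three passes (department groups, section groups, nesting) that ldifde or any LDIF-capable tool could apply. It goes one step beyond the outline by refusing to proceed when the same section number turns up under two different departments, since nesting a Sec group into two Dept groups would silently encode a data-entry error as group membership. The container OU=Groups,DC=appsig,DC=com and the Dept/Sec naming are assumptions taken from Ben's first message.

```python
# Added example: build the Dept/Sec group plan from an export of user objects.
# The export below is constructed; only Ben's DN comes from the thread.
from collections import OrderedDict

SAMPLE_EXPORT = """\
dn: CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn: CN=User Two,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 241

dn: CN=User Three,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
apsgSection: 251

dn: CN=User Four,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25

dn: CN=User Five,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
apsgSection: 251
"""

GLOBAL_SECURITY_GROUP = "-2147483646"   # groupType: global scope + security-enabled

def parse_ldif(text):
    """Split an LDIF export into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def build_plan(entries):
    """Dedupe department and section numbers (the 'hash' step) and record the
    department each section belongs to. A section seen under two departments,
    or with no department at all, is reported as a conflict."""
    departments, section_owner, conflicts = set(), {}, []
    for entry in entries:
        dept = (entry.get("apsgDepartment") or [None])[0]
        sect = (entry.get("apsgSection") or [None])[0]
        if dept:
            departments.add(dept)
        if sect:
            if not dept:
                conflicts.append((entry["dn"][0], sect, None))
                continue
            owner = section_owner.setdefault(sect, dept)
            if owner != dept:
                conflicts.append((entry["dn"][0], sect, owner))
    return {
        "departments": sorted(departments),
        "sections": OrderedDict(sorted(section_owner.items())),
        "conflicts": conflicts,
    }

def render_ldif(plan, group_ou):
    """Emit the three passes as LDIF change records."""
    records = []

    def add_group(name):
        records.append(
            f"dn: CN={name},{group_ou}\nchangetype: add\nobjectClass: group\n"
            f"sAMAccountName: {name}\ngroupType: {GLOBAL_SECURITY_GROUP}\n")

    for dept in plan["departments"]:                 # pass 1: Dept groups
        add_group("Dept" + dept)
    for sect in plan["sections"]:                    # pass 2: Sec groups
        add_group("Sec" + sect)
    for sect, dept in plan["sections"].items():      # pass 3: nest Sec in Dept
        records.append(
            f"dn: CN=Dept{dept},{group_ou}\nchangetype: modify\nadd: member\n"
            f"member: CN=Sec{sect},{group_ou}\n-\n")
    return "\n".join(records)

def plan_from_export(text, group_ou="OU=Groups,DC=appsig,DC=com"):
    """Parse, dedupe, refuse on conflicts, and return (plan, ldif_text)."""
    plan = build_plan(parse_ldif(text))
    if plan["conflicts"]:
        raise ValueError("fix these entries before creating groups: %r" % plan["conflicts"])
    return plan, render_ldif(plan, group_ou)

if __name__ == "__main__":
    _, ldif = plan_from_export(SAMPLE_EXPORT)
    print(ldif)
```

Because the add records for Dept groups come before the modify records that reference them, the output can be applied in one pass by an LDIF tool, which is the ordering Al was describing; swapping the real query (adfind, dsquery, or an ldifde export filtered on the two attributes) for `SAMPLE_EXPORT` is the only change needed to run it against live data.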
[ActiveDir] OT - Exchange config questions
We're looking at moving to Exchange 2007 (currently on Sun JES IMAP). Is there anyone out there with a 5 to 10K user base that would be willing to answer some questions?

tia,
al

--
Al Lilianstrom
CD/CSI/CSG
[EMAIL PROTECTED]
Re: [ActiveDir] Who Am I request
Hello Dmitri,

Thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday, 22 January 2007 16:07, Dmitri Gavrilov wrote:
Re: [ActiveDir] Search over SSL hangs
Joe, List,

Yes! It does sound like it is something with the Oracle SSL engine. I let the process (search) run for more than 3 hours (so I think it is not a problem of slow communication/authentication) and it never returned. When a CTRL+C was issued to abort the procedure (which was running from sqlplus), the error stack it returned pointed to an Oracle package (SYS.DBMS_LDAP_API_FFI) at its last level (upper level). The PL/SQL code follows (SECURITYSOX is our schema user and LDAP is our user package):

##
SQL>
  1  declare
  2  X number;
  3  begin
  4  X := -1;
  5  X := LDAP.VALIDA_USUARIO_LDAP(2,'ldapuser','ldappass');
  6  dbms_output.put_line(X);
  7* end;
SQL> /
declare
*
ERROR at line 1:
ORA-01013: user requested cancel of current operation
ORA-06512: at SYS.DBMS_LDAP_API_FFI, line 134
ORA-06512: at SYS.DBMS_LDAP, line 253
ORA-06512: at SECURITYSOX.LDAP, line 221
ORA-06512: at SECURITYSOX.LDAP, line 581
ORA-06512: at SECURITYSOX.LDAP, line 181
ORA-06512: at line 5
##

Nothing appears in Oracle's alert.log. No traces are generated in the bdump, cdump or udump directories, as if it had nothing to do with Oracle.

The certificates used were provided by our customer and were tested by them, and as we can init the session, open SSL support for that session and even authenticate an LDAP user/pass, the certificates are out of the possible causes of this issue. And even more so because, as mentioned, we can perform a search over SSL using JXplorer and it is almost immediate: no hangs (however little they could be), no delays, nothing, just straight to the result!

I am trying to contact our customer's LDAP admin in order to get additional info from the server logs. As soon as I get this, I will update the thread.

Thank you all for your help!

On Tue, 2007-01-23 at 10:51 -0600, Joe Kaplan wrote:
RE: [ActiveDir] Adfind + Admod help
We have a software developer in our group who has developed a Corporate Directory application that acts as our internal employee directory on our intranet. It also includes an administrative side which gives certain individuals (mostly HR) the ability to create and disable user accounts when people are hired or let go. The need for Active Directory to house information such as department, section, as well as other information unique to our company was mostly done to accommodate this application. It was this administrative portion of our Corporate Directory application that allowed Human Resources to literally go in and do some data entry and make the proper entries for each employee as to their correct department and section. So that answers the question of how the data got in there in the first place.

As for how I'll go about this, it looks like I'll unfortunately have to go back and bug our software dev for help on this. I hate doing it, because when it comes to things like this I feel like I should be able to do it but unfortunately I just don't know how to yet apparently.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

What are you comfortable with for administration? How'd the attributes get populated in the first place? joe's tool wouldn't be the tool of choice for this problem. To clarify that, I mean to say that it wouldn't be the only tool because there's logic that has to occur that is specific to your situation. The manual method (non-automated) would be to export the information into spreadsheets and use ldif or csv (comfort level again) to create and populate the group structures as needed.

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards "??" in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now.)

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example...

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :)

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg. Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes that kind of challenge I suspect ;)

Couple of options come to mind: You could build a table and based on that table you can create/populate. ADMOD and ADFIND could be useful to you there. You could build a script that uses dictionary objects and creates the unique instances for you and correlates that information to the sections and then creates/populates. It's slightly complex, but... Building the tables, you could then execute manually. Depends on the scope of course. Of course, .NET is an option as well. Same logic depending on language though. And you will want to do this in passes most likely so you can ensure that the department group is created when it comes time to add an object to it. It's helpful to do it that way...

Does that help, or ??

Al

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Hey guys, I'm trying to wrap my brain around how best to accomplish this and need a
[ActiveDir] [OT] USB/PS2 monitoring software
Hey all, I am looking for an application that can monitor and alert on the usage of USB/PS2 devices on the clients (mostly XP). If a user plugs in a new keyboard, disconnects a mouse or tries to use a DOK, I need to be able to record the action and trigger alerts based on different criteria. Anyone aware of something like this? Using it?

TIA,
Guy
Re: [ActiveDir] Who Am I request
If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request

Hello Dmitri, thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership. If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token). Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody, I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr
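Added example, not code from the thread or from any of the tools named in it: the RFC 4532 "Who am I?" exchange at the byte level (request OID 1.3.6.1.4.1.4203.1.11.3 as shown by ldp.exe, and the authzId that comes back), plus the fallback Joe K. describes for a DC that does not support the operation, which is to turn the identity used in the bind into a search for your own user object. The filter escaping matters because a bind name is attacker-influenced text going into an LDAP filter. The server reply here is constructed for the offline test; the u:DOMAIN\user authzId form is what AD returns in my experience, which the thread itself does not state.

```python
"""RFC 4532 WhoAmI encode/decode and the pre-WhoAmI fallback (self lookup by bind name).
Pure stdlib, runs offline; server replies are constructed, not captured."""
from typing import Optional

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"          # LDAP_SERVER_WHO_AM_I_OID


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_whoami_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }.
    RFC 4532 sends no requestValue: the OID alone is the whole request."""
    ext_req = _tlv(0x77, _tlv(0x80, WHOAMI_OID.encode("ascii")))
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + ext_req)


def build_whoami_response(message_id: int, authz_id: Optional[str], result_code: int = 0) -> bytes:
    """Constructed server reply (for offline use): [APPLICATION 24] ExtendedResponse
    { resultCode, matchedDN, diagnosticMessage, [11] responseValue OPTIONAL }."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    if authz_id is not None:
        body += _tlv(0x8B, authz_id.encode("utf-8"))
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x78, body))


def parse_whoami_response(msg: bytes) -> dict:
    """Pull messageID, resultCode and the authzId (RFC 4513 'dn:...' or 'u:...') out of an
    ExtendedResponse. authz_id stays None when the server sent none, which is what an error
    reply from a DC that lacks the operation looks like."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(resp, 0)
    _, _matched, pos = _read_tlv(resp, pos)
    _, diag, pos = _read_tlv(resp, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": rc[0],
           "diagnostic": diag.decode("utf-8", "replace"), "authz_id": None}
    while pos < len(resp):
        tag, val, pos = _read_tlv(resp, pos)
        if tag == 0x8B:                            # [11] responseValue
            out["authz_id"] = val.decode("utf-8")
    return out


def _escape_filter(value: str) -> str:
    """RFC 4515 escaping: the bind name lands inside a filter, so it must not be able
    to add clauses of its own."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def self_lookup(bound_as: str) -> dict:
    """Fallback when WhoAmI is unavailable: map the identity used in the bind (or an authzId
    from WhoAmI) to a base read of a known DN or a subtree search. Handles 'dn:<DN>', a bare
    DN, 'u:DOMAIN\\user', 'DOMAIN\\user', 'user@realm' (UPN) and a bare sAMAccountName."""
    ident = bound_as.strip()
    if ident[:3].lower() == "dn:":
        return {"scope": "base", "base": ident[3:]}
    if ident[:2].lower() == "u:":
        ident = ident[2:]
    if "=" in ident and "," in ident:              # looks like a DN already
        return {"scope": "base", "base": ident}
    if "\\" in ident:                              # DOMAIN\user: keep the user part only
        attr, ident = "sAMAccountName", ident.split("\\", 1)[1]
    elif "@" in ident:
        attr = "userPrincipalName"
    else:
        attr = "sAMAccountName"
    return {"scope": "subtree",
            "filter": "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (attr, _escape_filter(ident))}
```

Send the bytes from build_whoami_request over an already bound connection and feed the reply to parse_whoami_response; a resultCode other than 0 with no authz_id is the "not supported" case, at which point self_lookup on the bind name gives the base or filter to read tokenGroups from, exactly as the thread suggests. The DN branch is the easy case Joe K. mentions: a simple bind with a DN already names the object.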
Re: [ActiveDir] Search over SSL hangs
I know nothing about Oracle (never seen it, never touched it), so I can't help at all there. However, I'd suggest going back to the vendor to help you troubleshoot this. The fact that the issue seems to be restricted to their LDAP/SSL stack suggests that they should be able to help troubleshoot the problem.

Joe K.

----- Original Message -----
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:43 AM
Subject: Re: [ActiveDir] Search over SSL hangs

Joe, List, yes! It does sound like it is something with the Oracle SSL engine. I left the process (search) running for more than 3 hours (so I think it is not a problem of slow communication/authentication) and it never returned. When a CTRL+C was issued to abort the procedure (which was running from sqlplus), the stack error it returned pointed to an Oracle package (SYS.DBMS_LDAP_API_FFI) in its last level (upper level). The code in PL/SQL follows (SECURITYSOX is our schema user and LDAP is our user package):

##
SQL>
  1  declare
  2  X number;
  3  begin
  4  X := -1;
  5  X := LDAP.VALIDA_USUARIO_LDAP(2,'ldapuser','ldappass');
  6  dbms_output.put_line(X);
  7* end;
SQL> /
declare
*
ERROR at line 1:
ORA-01013: user requested cancel of current operation
ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 134
ORA-06512: at "SYS.DBMS_LDAP", line 253
ORA-06512: at "SECURITYSOX.LDAP", line 221
ORA-06512: at "SECURITYSOX.LDAP", line 581
ORA-06512: at "SECURITYSOX.LDAP", line 181
ORA-06512: at line 5
##

Nothing appears in Oracle's alert.log. No traces are generated in the bdump, cdump or udump directories, as if it had nothing to do with Oracle. The certificates used were provided by our customer and were tested by them, and as we can init the session, open the SSL support for that session and even authenticate an LDAP user/pass, the certificates are out of the possible causes of this issue. And even more because, as mentioned, we can perform a search over SSL using JXplorer and it is almost immediate, no hangs (for the little they could be), no delays, nothing, just direct to the result!

I am trying to contact our customer's LDAP admin in order to get additional info from the server logs. As soon as I can get this, I will update the thread.

Thank you all for your help!

On Tue, 2007-01-23 at 10:51 -0600, Joe Kaplan wrote:

If this can happen with any LDAP directory and not just AD, then it sounds like the issue is with the Oracle SSL stack. Does the search hang permanently or just take a long time to execute? Sometimes an SSL operation is slowed down a lot due to client certificate authentication requested by the server or CRL checking. Does Oracle give you any logs? What SSL stack do they use? Can this issue be reproduced with any other SSL stacks (Windows using ldp.exe for example)?

Joe K.

----- Original Message -----
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 4:28 AM
Subject: [ActiveDir] Search over SSL hangs

List, surfing Google, I realized that it is something that happens with great frequency and not just with this specific directory we are using (Active Directory). Have you ever experienced performing a search to a directory, through SSL, and the search hangs? It won't happen using an LDAP browser client (like JXplorer) but from a PL/SQL procedure from Oracle. The curious thing is that when this very same search is performed through a non-SSL connection (from the database), it won't hang, just through SSL! Took a look at lots of messages, forums, Oracle forums and this issue is reported in environments with other configurations (other directories, database, OS...) but a solution or workaround or even the pointing of where the problem is is never explained!

Additional info: 2 different certificates were used. Both given by our customer and are valid ones (tested by them and us, we can connect/authenticate/search through JXplorer and connect/authenticate through Oracle).

Can you give us a light? Thank you all in advance.

Mauricio.
Re: [ActiveDir] Adfind + Admod help
I believe you know how, but may not have the programmatic tool knowledge yet. I think this is a great opportunity to learn though, if you can make the time. Since the HR department did this manually, it almost screams that you could manually do this in the same fashion. That's a lot of work most likely. Using csv or ldif is still fairly within the realm of non-code solutions. ADMOD would also be in that realm, but as was mentioned elsewhere in the thread, it's not a question of the code, but the logic. Which you know already.

Bonus question: Do you know what you call somebody who gets a dev to do this kind of coding work? :)

-ajm

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

We have a software developer in our group who has developed a Corporate Directory application that acts as our internal employee directory on our intranet. It also includes an administrative side which gives certain individuals (mostly HR) the ability to create and disable user accounts when people are hired or let go. The need for Active Directory to house information such as department, section, as well as other information unique to our company was mostly done to accommodate this application. It was this administrative portion of our Corporate Directory application that allowed Human Resources to literally go in and do some data entry and make the proper entries for each employee as to their correct department and section. So that answers the question of how the data got in there in the first place.

As for how I'll go about this, it looks like I'll unfortunately have to go back and bug our software dev for help on this. I hate doing it, because when it comes to things like this I feel like I should be able to do it but unfortunately I just don't know how to yet apparently.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

What are you comfortable with for administration? How'd the attributes get populated in the first place? joe's tool wouldn't be the tool of choice for this problem. To clarify that, I mean to say that it wouldn't be the only tool because there's logic that has to occur that is specific to your situation. The manual method (non-automated) would be to export the information into spreadsheets and use ldif or csv (comfort level again) to create and populate the group structures as needed.

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards "??" in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now.)

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example...

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :)

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg. Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes that kind of challenge I suspect ;)

Couple of options come to mind: You could build a table and based on that table you can create/populate. ADMOD and ADFIND could be useful to you there. You could build a script that uses dictionary objects and creates the unique instances for you and correlates that information to
RE: [ActiveDir] Adfind + Admod help
Thanks for the response Hunter. Yeah, that's pretty much the logic that I had come down to. By the way, what is the real difference between PowerShell and VBScript anyway? I've been hearing more and more about PowerShell lately, and since I'm going to take the time to learn a scripting language, I will want to make sure I learn the one that will have the most value to me from an administration perspective.

Let me go talk to my local software dev here in our department. I'm sure we'll be able to come to a solution no problem. It just bugs me that I don't know how to do scripting like this yet. And I'll certainly holler if I run out of options.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well.

The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind, you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates.

The outline of your script would look something like this:
- query AD for all user objects that have apsgDepartment and/or apsgSection populated
- loop through the returned set to build unique lists of Department numbers and Section numbers
- loop through the Department number list and create a group for each one
- loop through the Section number list and create a group for each one, and nest it in the corresponding Department group

None of that is heinously difficult to script. I'd probably lean towards PowerShell or perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards "??" in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now.)

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example...

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :)

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

Do you already have the department names in a list? Or is that something that you have to gather first? If you have to gather, then I assume you'll have to iterate each user object and determine the department value. Then, you'll create a group for every single unique instance of department value. After those are created, you'd then create the section sg's and make them members of the relevant department sg. Is there a clean way? I don't think it's something that you can do on a single command line, although I throw that out there mostly as a challenge to joe. He likes
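Hunter's four-step outline carried through, as an added example of mine rather than anything posted in the thread. It takes a dn:/attribute listing in the same shape as Ben's example, dedupes departments and sections with dictionaries (the step Hunter says adfind alone cannot do), works out which department each section nests under from the users that carry both attributes, and emits LDIF in an order ldifde can apply top to bottom, so the result can be reviewed before anything touches the directory. The users other than Ben, the OrgGroups OU and the group placement are constructed for the example. One section under two departments (Sec242 below) is reported instead of being nested twice, since nested membership is what grants access.

```python
"""Build Dep<n>/Sec<n> security groups from apsgDepartment/apsgSection, as LDIF.
Input format mimics the thread's 'dn:/attribute: value' listing; runs offline."""
from collections import defaultdict

GROUPS_OU = "OU=OrgGroups,DC=appsig,DC=com"     # assumption: where the new groups are created
GLOBAL_SECURITY_GROUP = "-2147483646"          # groupType 0x80000002: global, security-enabled

# Constructed sample dump; only the first entry comes from the thread.
SAMPLE_DUMP = """\
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn:CN=Alice Example,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 241

dn:CN=Bob Example,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 31
apsgSection: 242

dn:CN=Carol Example,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 31
"""


def parse_dump(text: str) -> list:
    """Step 1's output: one dict per entry; a blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def plan_groups(entries: list) -> dict:
    """Step 2: unique departments, unique sections, each section's parent department,
    and each section's members. A section seen under more than one department is
    listed in 'conflicts' and left un-nested for a human to resolve."""
    departments = set()
    section_depts = defaultdict(set)
    section_members = defaultdict(list)
    for e in entries:
        dept, sec = e.get("apsgDepartment"), e.get("apsgSection")
        if dept:
            departments.add(dept)
        if sec:
            section_members[sec].append(e["dn"])
            if dept:
                section_depts[sec].add(dept)
    conflicts = {s: sorted(d) for s, d in section_depts.items() if len(d) > 1}
    nesting = {s: next(iter(d)) for s, d in section_depts.items() if len(d) == 1}
    return {"departments": sorted(departments), "sections": sorted(section_members),
            "nesting": nesting, "members": dict(section_members), "conflicts": conflicts}


def _group_dn(name: str) -> str:
    return "CN=%s,%s" % (name, GROUPS_OU)


def emit_ldif(plan: dict) -> str:
    """Steps 3 and 4: department groups first, then section groups with their users,
    then the nesting as modify records, so every DN referenced already exists."""
    records = []

    def add_group(name, members=()):
        rec = ["dn: %s" % _group_dn(name), "changetype: add", "objectClass: group",
               "sAMAccountName: %s" % name, "groupType: %s" % GLOBAL_SECURITY_GROUP]
        rec += ["member: %s" % m for m in members]
        records.append("\n".join(rec) + "\n")

    for d in plan["departments"]:
        add_group("Dep" + d)
    for s in plan["sections"]:
        add_group("Sec" + s, plan["members"][s])
    for s, d in sorted(plan["nesting"].items()):
        records.append("dn: %s\nchangetype: modify\nadd: member\nmember: %s\n-\n"
                       % (_group_dn("Dep" + d), _group_dn("Sec" + s)))
    return "\n".join(records)


if __name__ == "__main__":
    plan = plan_groups(parse_dump(SAMPLE_DUMP))
    print(emit_ldif(plan))
    for sec, depts in plan["conflicts"].items():
        print("# NOT NESTED: section %s appears under departments %s" % (sec, ", ".join(depts)))
```

Feed the output to ldifde -i -f groups.ldf after reviewing it; the conflict lines are printed as comments so they cannot be applied by accident. Values with leading spaces or non-ASCII characters would need LDIF's base64 ("::") form, which this example does not do, and an existing group of the same name will fail the add record rather than be merged.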
RE: [ActiveDir] Adfind + Admod help
Yeah, I agree. I see the logic in how to get to the solution, but I just don't have the programmatic tool knowledge yet. I may not have the time to hold off this project until I can figure it out myself programmatically, but I am going to set aside my evenings at home until I learn how to do this sort of thing myself.

Hmm, I'm almost a little scared to ask what the answer is to the bonus question. Does it make a difference that he is our sole software dev employed by our IT department to do IT related work? :) In any case, let's hear the answer.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

I believe you know how, but may not have the programmatic tool knowledge yet. I think this is a great opportunity to learn though, if you can make the time. Since the HR department did this manually, it almost screams that you could manually do this in the same fashion. That's a lot of work most likely. Using csv or ldif is still fairly within the realm of non-code solutions. ADMOD would also be in that realm, but as was mentioned elsewhere in the thread, it's not a question of the code, but the logic. Which you know already.

Bonus question: Do you know what you call somebody who gets a dev to do this kind of coding work? :)

-ajm

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

We have a software developer in our group who has developed a Corporate Directory application that acts as our internal employee directory on our intranet. It also includes an administrative side which gives certain individuals (mostly HR) the ability to create and disable user accounts when people are hired or let go. The need for Active Directory to house information such as department, section, as well as other information unique to our company was mostly done to accommodate this application. It was this administrative portion of our Corporate Directory application that allowed Human Resources to literally go in and do some data entry and make the proper entries for each employee as to their correct department and section. So that answers the question of how the data got in there in the first place.

As for how I'll go about this, it looks like I'll unfortunately have to go back and bug our software dev for help on this. I hate doing it, because when it comes to things like this I feel like I should be able to do it but unfortunately I just don't know how to yet apparently.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

What are you comfortable with for administration? How'd the attributes get populated in the first place? joe's tool wouldn't be the tool of choice for this problem. To clarify that, I mean to say that it wouldn't be the only tool because there's logic that has to occur that is specific to your situation. The manual method (non-automated) would be to export the information into spreadsheets and use ldif or csv (comfort level again) to create and populate the group structures as needed.

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards "??" in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now.)

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example...

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :)

Thanks,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

Do you already have the department
[ActiveDir] OT: Network latency on VBScript-mapped drive letters.
So I have a VBScript that I use to map a network drive to a DFS share, as follows:

strDriveLetter = "S:"
strBaseDrivePath = "\\domain name\dfs root\share name\"
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
Set objNetwork = Nothing

When I map the DFS root using a drive letter using this code in a login script, I get isolated-but-consistent client reports of network latency when opening or saving a file; Word/Excel/whatever will choke up for a good 5 or 6 seconds at a time. If I disconnect the script-mapped drive and access this resource from the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.

It's not OS-specific as far as I can tell; the machines currently reporting the latency are a handful of XPSP2 and 2KSP4 machines that don't have much else unique in common. I've determined that it's not specifically DFS-related, as I've tested mapping directly to the physical servername instead of the DFS sharename and produced identical results. Neither is it relevant that the script is being run as part of a login script/GPO, as running the script manually from an affected desktop also produces the same behaviour. So it's either a VBScript thing, or it's something client-specific that I haven't isolated on the half-dozen desktops that are experiencing the issue. Google has thus far yielded no joy, has anyone run into this before?

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] Adfind + Admod help
Bonus question: Do you know what you call somebody who gets a dev to do this kind of coding work? :) A: Boss. Of course, the same could be said about the person that told you to setup the groups like that. But it could be helpful to keep some perspective I suspect. On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote: Yeah, I agree. I see the logic in how to get to the solution, but I just don't have the programmatic tool knowledge yet. I may not have the time to hold off this project until I can figure it out myself programmatically, but I am going to set aside my evenings at home until I learn how to do this sort of thing myself. Hmm, I'm almost a little scared to ask what the answer is to the bonus question. Does it make a difference that he is our sole software dev employed by our IT department to do IT related work? J In any case, let's hear the answer. ~Ben *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Al Mulnick *Sent:* Tuesday, January 23, 2007 10:21 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Adfind + Admod help I believe you know how, but may not have the programmatic tool knowledge yet. I think this is a great oppty to learn though, if you can make the time. Since the HR department did this manually, it almost screams that you could manually do this in same fashion. That's a lot of work most likely. Using csv or ldif is still fairly within the realm of non-code solutions. ADMOD would also be in that realm, but as was mentioned elsewhere in the thread, it's not a question of the code, but the logic. Which you know already. Bonus question: Do you know what you call somebody who gets a dev to do this kind of coding work? :) -ajm On 1/23/07, *WATSON, BEN* [EMAIL PROTECTED] wrote: We have a software developer in our group who has developed a Corporate Directory application that acts as our internal employee directory on our intranet. 
It also includes an administrative side which gives certain individuals (mostly HR) the ability to create and disable user accounts when people are hired or let go. The need for Active Directory to house information such as department, section, as well as other information unique to our company was mostly done to accommodate this application. It was this administrative portion of our Corporate Directory application that allowed Human Resources to literally go in and do some data entry and make the proper entries for each employee as to their correct department and section. So that answers the question of how the data got in there in the first place. As for how I'll go about this, it looks like I'll unfortunately have to go back and bug our software dev for help on this. I hate doing it, because when it comes to things like this I feel like I should be able to do it but unfortunately I just don't know how to yet apparently. ~Ben *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Al Mulnick *Sent:* Tuesday, January 23, 2007 9:05 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Adfind + Admod help What are you comfortable with for administration? How'd the attributes get populated in the first place? joe's tool wouldn't be the tool of choice for this problem. To clarify that, I mean to say that it wouldn't be the only tool because there's logic that has to occur that is specific to your situation. The manual method (non-automated) would be to export the information into spreadsheets and use ldif or csv (comfort level again) to create and populate the group structures as needed. Al On 1/23/07, *WATSON, BEN* [EMAIL PROTECTED] wrote: Thank you for the response Al. To answer your ultimate question, which was Does that help, or ??, then I would have to lean more towards ?? in my case. 
Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now). To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example:

    dn: CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
    apsgDepartment: 24
    apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure Joe out to respond and see if Adfind + Admod could meet this challenge. I'm certainly hoping so. :) Thanks, ~Ben *From:* [EMAIL
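The "logic, not the code" part of the thread, as an added example (not code from Ben or anyone on the list): the Python below takes exported apsgDepartment/apsgSection values, derives the Sec and Dep security groups and their nesting, and emits LDIF for review before import. It assumes the users were already exported as (dn, department, section) tuples and that new groups go under a hypothetical OU=Groups,DC=appsig,DC=com; only Ben's own entry comes from the thread, the other sample users are constructed.

```python
"""Derive nested department/section security groups from per-user attributes.

Added example; user entries are assumed to be exported already (for example
with adfind) as (dn, apsgDepartment, apsgSection). Output is LDIF so the
result can be reviewed before anything is written to the directory.
"""
import base64
from collections import defaultdict

GROUP_OU = "OU=Groups,DC=appsig,DC=com"   # assumed (hypothetical) container for new groups
GLOBAL_SECURITY_GROUP = -2147483646       # groupType 0x80000002: global security group

# Constructed sample export; only the first entry appears in the thread.
SAMPLE_USERS = [
    ("CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com", "24", "242"),
    ("CN=Jane Doe,OU=UserAccounts,DC=appsig,DC=com", "24", "241"),
    ("CN=Sam Roe,OU=UserAccounts,DC=appsig,DC=com", "31", "311"),
    ("CN=No Section,OU=UserAccounts,DC=appsig,DC=com", "31", ""),
]


def plan_groups(users):
    """Return ({group_name: {"dn", "members"}}, skipped_dns).

    Section groups come first in the plan so that the department groups that
    reference them as members can be created afterwards in the same LDIF run.
    The thread does not say a section number always starts with its department
    number, so nesting is driven purely by the two attributes, never guessed.
    """
    sections = defaultdict(set)      # "Sec242" -> user DNs
    departments = defaultdict(set)   # "Dep24"  -> section group DNs
    skipped = []
    for dn, dept, section in users:
        if not (dept and section):   # cannot place this user; report, do not guess
            skipped.append(dn)
            continue
        sec_name, dep_name = "Sec%s" % section, "Dep%s" % dept
        sections[sec_name].add(dn)
        departments[dep_name].add("CN=%s,%s" % (sec_name, GROUP_OU))
    plan = {}
    for name, members in list(sections.items()) + list(departments.items()):
        plan[name] = {"dn": "CN=%s,%s" % (name, GROUP_OU), "members": sorted(members)}
    return plan, skipped


def ldif_line(attr, value):
    """LDIF requires base64 ('attr:: ') when a value is non-ASCII or starts
    with a space, colon or '<', or ends with a space."""
    if value and (value[0] in " :<" or value.endswith(" ") or not value.isascii()):
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def to_ldif(plan):
    """Render the plan as 'changetype: add' records, one blank line apart."""
    out = []
    for name, grp in plan.items():
        out += [ldif_line("dn", grp["dn"]), "changetype: add",
                "objectClass: top", "objectClass: group",
                ldif_line("cn", name), ldif_line("sAMAccountName", name),
                "groupType: %d" % GLOBAL_SECURITY_GROUP]
        out += [ldif_line("member", m) for m in grp["members"]]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    plan, skipped = plan_groups(SAMPLE_USERS)
    print(to_ldif(plan))
    for dn in skipped:
        print("# skipped (missing department or section):", dn)
```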
Re: [ActiveDir] OT - Exchange config questions
It's been a while since I've been responsible for mail systems, but I'm happy to help if you like. Due to the nature of the list, it might be best to ping off-line. Al On 1/23/07, Al Lilianstrom [EMAIL PROTECTED] wrote: We're looking at moving to Exchange 2007 (currently on Sun JES IMAP). Is there anyone out there with a 5 to 10K user base that would be willing to answer some questions? tia, al -- Al Lilianstrom CD/CSI/CSG [EMAIL PROTECTED]
RE: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.
I saw something similar using kixtart-mapped drive letters a few months ago. The only thing affected seemed to be Office products and IE. The knowledge base described it as unable to browse the network, but I certainly saw it as ranging from severe latency to complete inability to browse the network or file shares. Cut and paste from an email I sent at the time: MS06-015 along with certain HP products can cause some conflicts. Side-effects include program freezes, an inability to follow a link you type into Internet Explorer, inability to open or save files in Office applications, inability to click the + sign while browsing My Documents or My Pictures. Also see http://support.microsoft.com/?kbid=918165 Of course this may or may not be the problem, but it is the only thing I have ever seen like what you are describing. Hope it helps Kevin

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Tuesday, January 23, 2007 12:52 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.

So I have a VBScript that I use to map a network drive to a DFS share, as follows:

    ' Map the DFS root to a fixed drive letter at logon
    strDriveLetter = "S:"
    strBaseDrivePath = "\\domain name\dfs root\share name\"
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
    Set objNetwork = Nothing

When I map the DFS root using a drive letter using this code in a login script, I get isolated-but-consistent client reports of network latency when opening or saving a file; Word/Excel/whatever will choke up for a good 5 or 6 seconds at a time. If I disconnect the script-mapped drive and access this resource from the same machine using any other method:
* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line
...all latency goes away.
It's not OS-specific as far as I can tell; the machines currently reporting the latency are a handful of XPSP2 and 2KSP4 machines that don't have much else unique in common. I've determined that it's not specifically DFS-related, as I've tested mapping directly to the physical servername instead of the DFS sharename and produced identical results. Neither is it relevant that the script is being run as part of a login script/GPO, as running the script manually from an affected desktop also produces the same behaviour. So it's either a VBScript thing, or it's something client-specific that I haven't isolated on the half-dozen desktops that are experiencing the issue. Google has thus far yielded no joy, has anyone run into this before? -- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
RE: [ActiveDir] ftp access
I'm using IIS and I used IE and SmartFTP to test. I attached the log that shows when it was working and when it stopped working and then when it started working right after the user changed the password. It seems to stop working not when their password expires but when they start getting the warning that their password is going to expire. It's happened to three different users and the fix has been the same. There is no anonymous access to anything. Thanks for your help Antonio From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 22, 2007 7:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ftp access Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant? Al On 1/22/07, Antonio Aranda [EMAIL PROTECTED] wrote: I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice. Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413
Re: [ActiveDir] ftp access
do you get same results in Microsoft's client? On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote: I'm using IIS and I used ie and smartftp to test. I attached the log that shows when it was working and when it stopped working and then when it started working right after the user changed the password. It seems to stop working not when their password expires but when they start getting the warning that their password is going to expire. It's happened to three different users and the fix has been the same. There is no anonymous access to anything. Thanks for your help Antonio -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Al Mulnick *Sent:* Monday, January 22, 2007 7:40 PM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] ftp access Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant? Al On 1/22/07, *Antonio Aranda* [EMAIL PROTECTED] wrote: I've setup ftp access to users' network drives so they have access to them remotely. I recently notice some thing very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this just a coincidence but once they change their password it starts working again. If any one knows anything about this, I would appreciate any advice. Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413
RE: [ActiveDir] ftp access
Could you try again with the attachment or log snippet in text form if the list server isn't accepting large attachments? Brent Eads Employee Technology Solutions, Inc. Office: (312) 762-9224 Fax: (312) 762-9275 Antonio Aranda [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 01/23/2007 01:56 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] ftp access I'm using IIS and I used ie and smartftp to test. I attached the log that shows when it was working and when it stopped working and then when it started working right after the user changed the password. It seems to stop working not when their password expires but when they start getting the warning that their password is going to expire. It's happened to three different users and the fix has been the same. There is no anonymous access to anything.
Thanks for your help Antonio From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 22, 2007 7:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ftp access Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant? Al On 1/22/07, Antonio Aranda [EMAIL PROTECTED] wrote: I've setup ftp access to users' network drives so they have access to them remotely. I recently notice some thing very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this just a coincidence but once they change their password it starts working again. If any one knows anything about this, I would appreciate any advice. Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413
Re: [ActiveDir] Who Am I request
Let's say I did a simple bind with user TestUser, but the user record is actually located at CN=TestUserCN,OU=Users1,DC=company,DC=com and it can (as far as I know) only be recognized by having sAMAccountName TestUser. I could probably find the user by searching under DC=company,DC=com with a filter (sAMAccountName=TestUser), but I think it would impose a substantial load on the Active Directory server, because not all users are under OU=Users,DC=company,DC=cz, some are located in other subtrees. Do you think it would be OK to do that? Thanks, Alexandr

On Tuesday 23 January 2007 19:02 Joe Kaplan wrote: If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :) Joe K.

- Original Message - From: Alexandr Kara [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 11:26 AM Subject: Re: [ActiveDir] Who Am I request Hello Dmitri, thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means? Thanks a lot, Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote: ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support WhoAmI extended operation per RFC. In addition, they support rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership.
If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up user SID from the token). Note tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara Sent: Monday, January 22, 2007 6:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who Am I request Hello everybody, I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the Who am I? extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group. Thanks a lot, Alexandr
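Joe's suggestion (search for the bound account by sAMAccountName) and Dmitri's (read tokenGroups off the user object) can be combined on a pre-Longhorn DC that lacks WhoAmI. The Python below is an added example, not code from the thread: it builds the search filter with RFC 4515 escaping so an account name supplied by the caller cannot widen the filter, and decodes the binary tokenGroups SIDs to compare against a known group SID. The domain SID, group RIDs and tokenGroups values are constructed samples; the actual search is left to whatever LDAP library is in use.

```python
"""Find the bound user by sAMAccountName and test group membership from tokenGroups.

Added example for a DC without the RFC 4532 WhoAmI operation. No directory
connection is made here; the helpers prepare the filter and decode the
binary SIDs that a tokenGroups read returns.
"""
import struct


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a caller-supplied name such as 'x)(objectClass=*'
    must become a literal match, not a filter that matches every object."""
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(sam_account_name: str) -> str:
    """Filter for the account used in the simple bind. The search base is the
    domain root (DC=company,DC=com) because users live in several OUs; the
    attribute is indexed in the default AD schema, so the subtree search is cheap."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % (
        escape_filter_value(sam_account_name))


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (objectSid / tokenGroups value) to S-1-5-21-... text."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, blob[8:])  # 32-bit each, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here to build sample tokenGroups values."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_member(token_groups, group_sid: str) -> bool:
    """tokenGroups holds the user's transitive security-group SIDs, so nested
    membership is covered without walking memberOf chains."""
    return group_sid in {sid_bytes_to_string(b) for b in token_groups}


# Constructed sample values, not taken from any real domain.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_USERS = DOMAIN_SID + "-513"
APP_ADMINS = DOMAIN_SID + "-1105"
DOMAIN_ADMINS = DOMAIN_SID + "-512"
SAMPLE_TOKEN_GROUPS = [sid_string_to_bytes(s) for s in (DOMAIN_USERS, APP_ADMINS)]

if __name__ == "__main__":
    print(user_filter("TestUser"))
    print("app admin:", is_member(SAMPLE_TOKEN_GROUPS, APP_ADMINS))        # True
    print("domain admin:", is_member(SAMPLE_TOKEN_GROUPS, DOMAIN_ADMINS))  # False
```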
[ActiveDir] Question about DNS SRV registration.
Hello all and happy new year :-),

Say:
- Site A with DCa that is also DNS (integrated with AD).
- Site B that is a new site.

My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (integrated with AD).
- DCa and DCb belong to the same domain (domain.local). My AD is in w2k3 FFL mode.

In order to add the new DCb in the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good ... BUT: When clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa! An nslookup (set type=srv _ldap._tcp.siteB._sites.domain.local) shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I found that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: What is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong? Thanks, Yann
RE: [ActiveDir] Question about DNS SRV registration.
Yann, Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Sitea you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical windows domain. At least I think this would solve your problem... themolk. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Wednesday, 24 January 2007 7:28 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about DNS SRV registration. Hello all and happy new year:-), Say: - Site A with DCa that is also dns (integrated to AD). - Site B that is a new site. my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to AD). - DCa DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode. In order to add the new DCb in the existing domain.com, DCb is dns client to DCa. When dcpromo is finished, i configured: - DCb as dns client for himself - DCa as secondary dns sever for DCb. Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process),DCb returns DCb and DCa ! a nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs - DCa.domain.local - DCb.domain.local When i search in dns console, i found that DCa still present in site B, i think, this is due to the fact that DCb's nic allow dynamic update and thus dynamically records DCa srv records. The only way i found to avoid DCb returning DCa to clients in site B is to delete srv records for DCa in dns (site B). Question: What is the best practice to avoid DCb to return DCa to clients and where in the process i'm wrong ? Thanks, Yann
RE: [ActiveDir] ftp access
If you mean the command-line, yes. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, January 23, 2007 2:56 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ftp access do you get same results in Microsoft's client? On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote: I'm using IIS and I used ie and smartftp to test. I attached the log that shows when it was working and when it stopped working and then when it started working right after the user changed the password. It seems to stop working not when their password expires but when they start getting the warning that their password is going to expire. It's happened to three different users and the fix has been the same. There is no anonymous access to anything. Thanks for your help Antonio _ From: [EMAIL PROTECTED] [mailto: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 22, 2007 7:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ftp access Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant? Al On 1/22/07, Antonio Aranda [EMAIL PROTECTED] wrote: I've setup ftp access to users' network drives so they have access to them remotely. I recently notice some thing very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this just a coincidence but once they change their password it starts working again. If any one knows anything about this, I would appreciate any advice. Antonio Aranda Network Analyst UT-Permian Basin 432-552-2413
[ActiveDir] adsiedit question
Hi all I didn't OT this even though I'm making modifications to Exchange since the question seems to be adsiedit related and therefore related to AD. I'm trying to modify an attribute for a mailbox using adsiedit. Particularly I'm rehoming its database by modifying the homeMDB attribute. The problem I'm running into is I'm getting an error stating "The name reference is invalid" when I try to apply the change. I've done this a few times but this is the first time I've run into this error. Google doesn't give enough info to determine the cause...or maybe it is and I just don't know enough about the response to see it...that never happens. ;-) If anyone can shed some light it would be greatly appreciated. Many thanks Jerry
RE: [ActiveDir] Question about DNS SRV registration.
Read http://www.netpro.com/forum/files/authentication_topology.pdf Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Yann Sent: Tue 1/23/2007 1:28 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about DNS SRV registration. Hello all and happy new year:-), Say: - Site A with DCa that is also dns (integrated to AD). - Site B that is a new site. my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to AD). - DCa DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode. In order to add the new DCb in the existing domain.com, DCb is dns client to DCa. When dcpromo is finished, i configured: - DCb as dns client for himself - DCa as secondary dns sever for DCb. Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process),DCb returns DCb and DCa ! a nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs - DCa.domain.local - DCb.domain.local When i search in dns console, i found that DCa still present in site B, i think, this is due to the fact that DCb's nic allow dynamic update and thus dynamically records DCa srv records. The only way i found to avoid DCb returning DCa to clients in site B is to delete srv records for DCa in dns (site B). Question: What is the best practice to avoid DCb to return DCa to clients and where in the process i'm wrong ? Thanks, Yann
RE: [ActiveDir] Question about DNS SRV registration.
Hello Yann, this is usual and happens because Site B was configured in Active Directory before DC B was there and assigned to that site. Automatic Site Coverage is the process which is taking care of this effect. What it does is make sure that every site in Active Directory has DCs. If a DC detects a site which has no DCs assigned to it, it will try to figure out if he's a close DC (not crossing multiple site-links) and assign himself to that site. So since Site B was configured and DC A was the only DC in your environment, DC A decided to advertise himself as DC in Site B. However, since DC B exists now, DC A will not refresh those records, and if you have aging and scavenging configured the old records of DC A in Site B will vanish. You can also delete those records if you wish; as long as the records of DC B are registered in Site B you can delete the records of DC A in Site B, however make sure that you are only deleting the SRV records underneath the DNS subdomains of the site-specific records in the Site B DNS domains (they look like folders in the DNS Management console). Gruesse - Sincerely, Ulf B. Simon-Weidner Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Tuesday, 23 January 2007 22:28 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about DNS SRV registration. Hello all and happy new year:-), Say: - Site A with DCa that is also dns (integrated to AD). - Site B that is a new site. my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to AD). - DCa DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode.
In order to add the new DCb in the existing domain.com, DCb is dns client to DCa. When dcpromo is finished, i configured: - DCb as dns client for himself - DCa as secondary dns sever for DCb. Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process),DCb returns DCb and DCa ! a nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs - DCa.domain.local - DCb.domain.local When i search in dns console, i found that DCa still present in site B, i think, this is due to the fact that DCb's nic allow dynamic update and thus dynamically records DCa srv records. The only way i found to avoid DCb returning DCa to clients in site B is to delete srv records for DCa in dns (site B). Question: What is the best practice to avoid DCb to return DCa to clients and where in the process i'm wrong ? Thanks, Yann
RE : RE: [ActiveDir] Question about DNS SRV registration.
Steve, Thanks for the fast reply; My example is a reflection of what I have in real production. So in my production, I have about 15 AD sites and we are in the process of migration (adding more sites). So you mean that I have to create 15 child DNS domains and set the DCs in each site authoritative for their respective child domain? It seems to be a lot of work ... but I will follow your direction. Thanks again, Yann Molkentin, Steve [EMAIL PROTECTED] wrote: Yann, Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Sitea you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical windows domain. At least I think this would solve your problem... themolk. - From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Wednesday, 24 January 2007 7:28 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about DNS SRV registration. Hello all and happy new year:-), Say: - Site A with DCa that is also dns (integrated to AD). - Site B that is a new site. my goal: dcpromo a new DC (DCb) in site B.DCb will be also dns (integrated to AD). - DCa DCb belong to the same domain (domain.local). My AD is w2k3 FFL mode. In order to add the new DCb in the existing domain.com, DCb is dns client to DCa. When dcpromo is finished, i configured: - DCb as dns client for himself - DCa as secondary dns sever for DCb. Everything looks good .. BUT: When clients in site B ask for all DCs in site B (with netlogon process),DCb returns DCb and DCa ! a nslookup set type=srv _ldap._tcp.siteB._sites.domain.local shows the 2 DCs - DCa.domain.local - DCb.domain.local When i search in dns console, i found that DCa still present in site B, i think, this is due to the fact that DCb's nic allow dynamic update and thus dynamically records DCa srv records.
The only way i found to avoid DCb returning DCa to clients in site B is to delete srv records for DCa in dns (site B). Question: What is the best practice to avoid DCb to return DCa to clients and where in the process i'm wrong ? Thanks, Yann
RE: [ActiveDir] adsiedit question
Disregard...I figured it out. I missed a character change further down the value string. Doh! But I now have a better understanding of that error. :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP Sent: Tuesday, January 23, 2007 4:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] adsiedit question Hi all I didn't OT this even though I'm making modifications to Exchange since the question seems to be adsiedit related and therefore related to AD. I'm trying to modify an attribute for a mailbox using adsiedit. Particularly I'm rehoming its database by modifying the homeMDB attribute. The problem I'm running into is I'm getting an error stating "The name reference is invalid" when I try to apply the change. I've done this a few times but this is the first time I've run into this error. Google doesn't give enough info to determine the cause...or maybe it is and I just don't know enough about the response to see it...that never happens. ;-) If anyone can shed some light it would be greatly appreciated. Many thanks Jerry
[ActiveDir] AD Security Auditing
We are embarking on a project to clean up our OUs structure and reassign permissions that have grown unmanageable over time. To accomplish this it would be nice to be able to dump permissions on all OU objects and individual object types (users, computers, etc) so that we can determine who has rights to what. The prospect of doing this manually is daunting at best and for the most part I have only seen 3rd party tools (read: expensive) that do this in an easy to use fashion. Any suggestions for tools, scripts etc would be appreciated. Either that or we can rebuild our OU structure :) Casey Robertson
RE: RE : RE: [ActiveDir] Question about DNS SRV registration.
I would not recommend that you do this. Please read the document I referenced in my previous response. Also, see Ulf's brief description/explanation of the behavior that you are seeing. I really recommend that you try to understand what is going on here.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Yann
Sent: Tue 1/23/2007 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Steve,

Thanks for the fast reply. My example reflects what I have in real production. So in my production I have about 15 AD sites and we are in the process of migration (adding more sites). So you mean that I have to create 15 child DNS domains and set the DCs in each site authoritative for their respective child domain? It seems to be a lot of work... but I will follow your direction.

Thanks again,
Yann

Molkentin, Steve [EMAIL PROTECTED] wrote:

Yann,

Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Site A you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical Windows domain. At least I think this would solve your problem...

themolk.

From: [EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
- Site A with DCa that is also DNS (AD-integrated).
- Site B that is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (AD-integrated).
- DCa and DCb belong to the same domain (domain.local). My AD is in W2K3 FFL mode.

In order to add the new DCb to the existing domain.com, DCb is a DNS client of DCa. When dcpromo finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (through the Netlogon process), DCb returns DCb and DCa! An nslookup with set type=srv for _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically registers DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE: [ActiveDir] adsiedit question
Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox wizard work for your needs?

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question
RE: [ActiveDir] AD Security Auditing
Sometimes, rebuilding OUs is not a Bad Idea :) Try DSacls or something GUI-ish from Netpro and co.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Casey Robertson
Sent: Tue 1/23/2007 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing
RE: [ActiveDir] adsiedit question
I needed to move SystemMailboxes, which won't move with the wizard. Somehow several were homed on one database and it caused event sink problems. This was the easiest method.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 23, 2007 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox wizard work for your needs?

From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question
Re: [ActiveDir] Who Am I request
I think that's fine. Remember that AD has a global catalog, so you can search across the whole forest quite easily. I'm not actually certain that you can do a simple bind with a user from a different domain, but maybe you can. My multi-domain LDAP knowledge is a little weak since I don't actually have to deal with one on a day to day basis.

I do know that simple bind is only supposed to support the full DN (as per the LDAP spec), the UPN or the NT name. The unqualified user name is only supposed to work with a Windows secure (GSS-SPNEGO SASL) bind. I think it actually does work in some cases, but not others, so you should not use it as it is not documented to work correctly.

There is also a Windows RPC method called DsCrackNames that will translate names between different formats if you have a logon name and want something you can use in a DN such as the full DN, GUID or SID. I doubt that helps if you are trying to use OpenLDAP though. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 3:12 PM
Subject: Re: [ActiveDir] Who Am I request

Let's say I did a simple bind with user TestUser, but the user record is actually located at CN=TestUserCN,OU=Users1,DC=company,DC=com and it can (as far as I know) only be recognized by having sAMAccountName TestUser. I could probably find the user by searching under DC=company,DC=com with a filter (sAMAccountName=TestUser), but I think it would impose a substantial load on the Active Directory server, because not all users are under OU=Users,DC=company,DC=cz; some are located in other subtrees. Do you think it would be OK to do that?

Thanks,
Alexandr

On Tuesday 23 January 2007 19:02 Joe Kaplan wrote:

If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request

Hello Dmitri,

thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per the RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership. If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using the %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token). Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request
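The lookup Joe describes above, as an added Python example (not code from this thread): it maps the identity used for a simple bind, in the three documented forms (full DN, UPN, DOMAIN\name), to a search base and an RFC 4515-escaped filter for the user object, and evaluates that search against a small constructed directory so it can be checked offline. The DOMAINS table, the sample entries and the find_user evaluator are constructed for the example; a real client would send the filter to the DC (or the global catalog) instead.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping for values placed inside a search filter. The bind name is
# untrusted input as far as the directory is concerned, so it must not be able
# to add its own filter operators when it is reused in a search.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

# Constructed domain table; a real client would derive this from the forest
# (rootDSE / partitions container) rather than hard-code it.
DOMAINS = {"company.com": "DC=company,DC=com", "COMPANY": "DC=company,DC=com"}

@dataclass(frozen=True)
class UserLookup:
    base: Optional[str]   # search base DN; None means search the global catalog
    scope: str            # "base" when the bind DN already names the object
    filter: str

def lookup_for_bind_identity(identity: str) -> UserLookup:
    ident = identity.strip()
    if not ident:
        raise ValueError("empty bind identity")
    # DN form: the bind already tells us where the user object lives.
    if re.match(r"(CN|OU|DC|UID)=", ident, re.IGNORECASE):
        return UserLookup(ident, "base", "(objectClass=user)")
    # NT name DOMAIN\user: sAMAccountName is unique only within one domain.
    if "\\" in ident:
        domain, _, sam = ident.partition("\\")
        return UserLookup(DOMAINS.get(domain.upper()), "subtree",
                          f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam)}))")
    # UPN user@dns.domain: the suffix selects the domain partition.
    if "@" in ident:
        suffix = ident.rpartition("@")[2].lower()
        return UserLookup(DOMAINS.get(suffix), "subtree",
                          f"(&(objectClass=user)(userPrincipalName={escape_filter_value(ident)}))")
    # A bare user name is only documented for SASL (GSS-SPNEGO) binds; refuse to guess.
    raise ValueError("unqualified user name: bind with a DN, UPN or DOMAIN\\name")

# Minimal evaluator for the AND-of-equalities filters built above, so the
# example runs offline against constructed entries instead of a live DC.
def _filter_terms(ldap_filter: str) -> list:
    return [(attr, unescape_filter_value(val))
            for attr, val in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]

def find_user(entries: list, lookup: UserLookup) -> Optional[str]:
    hits = []
    for entry in entries:
        dn = entry["dn"].lower()
        if lookup.scope == "base":
            if dn != lookup.base.lower():
                continue
        elif lookup.base is not None and not dn.endswith(lookup.base.lower()):
            continue
        if all(entry.get(attr, "").lower() == val.lower()
               for attr, val in _filter_terms(lookup.filter)):
            hits.append(entry["dn"])
    # Exactly one object must match; anything else is a lookup failure, not a user.
    return hits[0] if len(hits) == 1 else None

# Constructed sample directory, modelled on the thread: the user bound as
# TestUser lives under OU=Users1, not under OU=Users.
SAMPLE_ENTRIES = [
    {"dn": "CN=TestUserCN,OU=Users1,DC=company,DC=com", "objectClass": "user",
     "sAMAccountName": "TestUser", "userPrincipalName": "testuser@company.com"},
    {"dn": "CN=Other,OU=Users,DC=company,DC=com", "objectClass": "user",
     "sAMAccountName": "Other", "userPrincipalName": "other@company.com"},
]

if __name__ == "__main__":
    for ident in ["COMPANY\\TestUser", "testuser@company.com",
                  "CN=TestUserCN,OU=Users1,DC=company,DC=com", "COMPANY\\*"]:
        lookup = lookup_for_bind_identity(ident)
        print(f"{ident!r:45} -> {find_user(SAMPLE_ENTRIES, lookup)}")
```

The last case shows why the escaping matters: a bind name containing `*` or `)(` is matched literally and finds nothing, rather than widening the search.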
RE: [ActiveDir] Who Am I request
You can do an x-domain simple bind within the forest. You can not do it x-forest.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, January 23, 2007 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Who Am I request

I think that's fine. Remember that AD has a global catalog, so you can search across the whole forest quite easily. I'm not actually certain that you can do a simple bind with a user from a different domain, but maybe you can.
RE: [ActiveDir] adsiedit question
It might be easier to delete the AD user objects representing the wrongly homed SystemMailboxes, purge the mailboxes and then recreate them using one of the two methods described here: http://support.microsoft.com/kb/316622

Cheers,
Tony

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, 24 January 2007 11:59 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes, which won't move with the wizard. Somehow several were homed on one database and it caused event sink problems. This was the easiest method.
RE: [ActiveDir] adsiedit question
I'm forced to ask - why do you want to move SystemMailboxes? You shouldn't ever need to. There is a reason that the move mailbox wizard doesn't move them.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Tuesday, January 23, 2007 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes, which won't move with the wizard. Somehow several were homed on one database and it caused event sink problems. This was the easiest method.
RE: RE : RE: [ActiveDir] Question about DNS SRV registration.
Deji, Ulf, All,

Good article - thanks. Also thanks to Ulf - that was a much better solution and much better idea than mine. I do not profess to be a DNS legend, but am continuing to learn...

themolk.

From: [EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, 24 January 2007 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] Question about DNS SRV registration.

I would not recommend that you do this. Please read the document I referenced in my previous response. Also, see Ulf's brief description/explanation of the behavior that you are seeing. I really recommend that you try to understand what is going on here.
Re: [ActiveDir] Who Am I request
It works and has pretty good performance. Thanks a lot!

Alexandr

On Wednesday 24 January 2007 00:18 Joe Kaplan wrote:

I think that's fine. Remember that AD has a global catalog, so you can search across the whole forest quite easily.
RE: [ActiveDir] adsiedit question
You shouldn't be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Tuesday, January 23, 2007 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes, which won't move with the wizard. Somehow several were homed on one database and it caused event sink problems. This was the easiest method.
Re: [ActiveDir] ftp access
I do. That sounds a lot like a bug to me. What version of IIS?

On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote:
If you mean the command-line, yes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

Do you get the same results in Microsoft's client?

On 1/23/07, Antonio Aranda [EMAIL PROTECTED] wrote:
I'm using IIS and I used IE and SmartFTP to test. I attached the log that shows when it was working and when it stopped working, and then when it started working right after the user changed the password. It seems to stop working not when their password expires but when they start getting the warning that their password is going to expire. It's happened to three different users and the fix has been the same. There is no anonymous access to anything.

Thanks for your help,
Antonio

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ftp access

Can you provide some more details? What are they using to access their shares? (client?) What are you using to provide ftp access? (IIS?) How did you prove that this is the case? Log files? Trial and error? Anything else that's relevant?

Al

On 1/22/07, Antonio Aranda [EMAIL PROTECTED] wrote:
I've set up ftp access to users' network drives so they have access to them remotely. I recently noticed something very peculiar. Their ftp access stops working when they start getting warnings that their password is going to expire. I don't know if this is just a coincidence, but once they change their password it starts working again. If anyone knows anything about this, I would appreciate any advice.

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
Re: [ActiveDir] Who Am I request
Thanks for clearing that up. I appreciate it. Joe K. - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 5:52 PM Subject: RE: [ActiveDir] Who Am I request You can do an x-domain simple bind within the forest. You can not do it x-forest. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Adfind + Admod help
Powershell is the latest-greatest command shell for Windows. http://www.microsoft.com/technet/scriptcenter/webcasts/ps.mspx has some webcasts on it, and http://www.microsoft.com/windowsserver2003/technologies/management/powershell/faq.mspx is the FAQ. I don't see VBScript going away anytime soon, but I suspect that PS is going to be the way of the future in many respects, especially for sys admin types. The downside, for now, is that there isn't the depth and breadth of resources available yet for PS that exist for VBScript. That's slowly changing, but will take some time. The script center is a good spot to poke through sample code for either one: http://www.microsoft.com/technet/scriptcenter/default.mspx

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thanks for the response Hunter. Yeah, that's pretty much the logic that I had come down to. By the way, what is the real difference between Powershell and VBScript anyway? I've been hearing more and more about Powershell lately, and since I'm going to take the time to learn a scripting language, I will want to make sure I learn the one that will have the most value to me from an administration perspective. Let me go talk to my local software dev here in our department. I'm sure we'll be able to come to a solution no problem. It just bugs me that I don't know how to do scripting like this yet. And I'll certainly holler if I run out of options.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

I agree with Al in that I don't see an obvious way to do this from a single command line. The key, as he mentioned, is going to be getting a list of unique department numbers and section numbers. I'd probably separate those out into two distinct lists, one for departments and one for sections. Once you have those lists, you could pipe them to admod or any other tool of your choice to create the groups. However, since you're probably going to need some script to generate the lists, you might as well keep the group creation within the script as well.

The problem with trying to use adfind is that you are not going to be able to construct an LDAP query that returns only unique instances of apsgDepartment and apsgSection. No knock on adfind, you'll run into the same thing with ldp or dsquery. You can query for and return any object that has those attributes populated, but the returned set of those attributes will have duplicates. That's where your script will throw the attributes into a hash (or scripting dictionary) to eliminate the duplicates.

The outline of your script would look something like this:
- query AD for all user objects that have apsgDepartment and/or apsgSection populated
- loop through the returned set to build unique lists of Department numbers and Section numbers
- loop through the Department number list and create a group for each one
- loop through the Section number list and create a group for each one, and nest it in the corresponding Department group

None of that is heinously difficult to script. I'd probably lean towards powershell or perl, since they handle hashes better than VBScript. But it's certainly feasible in VBScript as well. Holler if you want some help going down this road.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al. To answer your ultimate question, which was "Does that help, or ??", then I would have to lean more towards "??" in my case. Not to say you didn't give some excellent options, but unfortunately it all boils down to me simply not being any sort of a programmer and so I currently wouldn't know how to do any of the options you suggest. (I'm studying the ways of VBScripting right now).

To answer an earlier question, "Do you already have the department names in a list? Or is that something that you have to gather first?", the department and section information is already contained within Active Directory through Schema Extensions. The actual names of the departments/sections are not important at this level, all I need to be concerned with is the department and section numbers. As an example...

dn: CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

I am a part of Department 24, section 242. Thus, my user account should be a member of the (not created yet) Sec242 security group, and then the Sec242 security group would be a member of the (not created yet) Dep24 security group. I too was hoping I could lure
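The dedupe-and-nest outline Hunter gives in this thread, as an added example that is not from the thread or from any of the posters: the hash step run in Python over a constructed user export, with the one check a practitioner would want before creating anything, namely a section number that turns up under two different departments. The attribute names, the Dep/Sec group naming and Ben's own entry are the ones quoted in the thread; the other users, the conflicting second Sec242 entry and the admod-style step tuples are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of what a query for users with apsgDepartment/apsgSection populated
# might return; the attribute names and Ben's own entry are the ones quoted in the thread.
SAMPLE_USERS = [
    {"dn": "CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "24", "apsgSection": "242"},
    {"dn": "CN=User Two,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "24", "apsgSection": "243"},
    {"dn": "CN=User Three,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "31", "apsgSection": "311"},
    {"dn": "CN=User Four,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "24", "apsgSection": "242"},
    {"dn": "CN=User Five,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "31", "apsgSection": "242"},
    {"dn": "CN=User Six,OU=UserAccounts,DC=appsig,DC=com", "apsgDepartment": "40"},
]


def build_group_plan(users):
    """Return (dep_groups, sec_groups, conflicts).
    dep_groups: {"Dep24": {"Sec243"}}  section groups to nest in each department group
    sec_groups: {"Sec242": {dn, ...}}   users that are direct members of each section group
    conflicts:  {"Sec242": ["Dep24", "Dep31"]}  a section reported under two departments is
                left un-nested and reported, instead of being nested under both silently."""
    dep_groups, sec_groups, sec_to_deps = defaultdict(set), defaultdict(set), defaultdict(set)
    for u in users:
        dep, sec = u.get("apsgDepartment"), u.get("apsgSection")
        if dep:
            dep_groups.setdefault(f"Dep{dep}", set())  # department group needed even with no sections
        if not (dep and sec):
            continue  # only one attribute populated: nothing to nest for this user
        sec_to_deps[sec].add(dep)          # set membership is what removes the duplicates
        sec_groups[f"Sec{sec}"].add(u["dn"])
    conflicts = {}
    for sec, deps in sec_to_deps.items():
        if len(deps) == 1:
            dep_groups[f"Dep{next(iter(deps))}"].add(f"Sec{sec}")
        else:
            conflicts[f"Sec{sec}"] = sorted(f"Dep{d}" for d in deps)
    return dict(dep_groups), dict(sec_groups), conflicts


def creation_order(dep_groups, sec_groups):
    """Order the work so every parent exists before it is referenced: create the department
    groups, then the section groups, then add each section group to its department group.
    Returns (action, group, member) tuples that a script could hand to admod one at a time."""
    steps = [("create", g, None) for g in sorted(dep_groups)]
    steps += [("create", g, None) for g in sorted(sec_groups)]
    for dep, secs in sorted(dep_groups.items()):
        steps += [("add-member", dep, s) for s in sorted(secs)]
    return steps
```

With the constructed sample, Sec242 is reported as a conflict (seen under Dep24 and Dep31) and is created but not nested, while Dep40 is created with no sections under it.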
RE: [ActiveDir] AD Security Auditing
Hi,

Have a look at:
* http://www.kouti.com/adreport/ (not free)
* ACLReport.vbs v1.01 (free - http://www.kouti.com/scripts.htm): "This script creates an HTML file named ACLReport.htm, that contains all the ACLs of a given Active Directory tree. By modifying three lines in the beginning of the script, you can choose:
  - Only OUs or all objects
  - Only normal-view objects or also advanced-view objects
  - Whether to display all ACEs or only non-inherited"

Regards,
Jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Casey Robertson
Sent: Tue 2007-01-23 23:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing

We are embarking on a project to clean up our OU structure and reassign permissions that have grown unmanageable over time. To accomplish this it would be nice to be able to dump permissions on all OU objects and individual object types (users, computers, etc) so that we can determine who has rights to what. The prospect of doing this manually is daunting at best and for the most part I have only seen 3rd party tools (read: expensive) that do this in an easy to use fashion. Any suggestions for tools, scripts etc would be appreciated. Either that or we can rebuild our OU structure :)

Casey Robertson