RE: [ActiveDir] Changing Logon server authentication !!
Check the SITES and SUBNETS configuration. Make sure the subnet of the Citrix servers is defined in AD and assigned to the correct site. Also make sure the server (DC) B has not registered service records for the site of the Citrix servers. This can happen when that site initially does not have a DC, then a DC is added and the records for server B are for some reason not removed...

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 2007-01-28 11:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!

Hi,

We have a server A in the US. We have servers B and C in India. Global catalog servers are servers A and B. FSMO roles are with server B. Right now we have a Citrix member server D in the US. When users log on to the Citrix server, it takes logon authentication from server B. When we use the set command it shows the logon server name as server B. Is there any way I can make it take authentication only from server A when it is available?

Regards,
Senthil

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] remove orphan DC from the domain
Correct! However, he never mentioned the OS and SP level... ;-)

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Paul Williams
Sent: Fri 2007-01-26 09:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remove orphan DC from the domain

If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I remember correctly, it tries a XFER and then does a Seize (as that's the logic for the Seize anyway). I believe this was added in SP1.

--Paul

----- Original Message -----
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain

I forgot to mention:
* If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by NTDSUTIL. This must be done manually, or wait if you have aging/scavenging enabled.
Also make sure the GC role and DNS roles are hosted by other computers (other DCs).

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

Thanks for your logic. I hope so in the remaining DC it will do automatically.

Regards,
Senthil
RE: [ActiveDir] Overlapping AD Subnet Boundaries
it will go for the second site 10.10.41.0/24 (= best matching) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Brian Cline Sent: Fri 2007-01-26 22:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Overlapping AD Subnet Boundaries Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet? The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way. Brian Cline, Applications Developer Department of Information Technology GP Trucking Company, Inc. 803.936.8595 Direct Line 800.922.1147 Toll-Free (x8595) 803.739.1176 Fax This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. winmail.dat
RE: [ActiveDir] remove orphan DC from the domain
The AD metadata cleanup is nothing more than the removal/deletion of objects that belong to a DC that is not live anymore. Just like other object deletions (user, group, etc.), the deletions will replicate to other DCs (assuming replication is working fine) that host the same partitions from which the objects were removed. Because of that you only need to target ONE live DC in the same domain when using NTDSUTIL. Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD metadata of one of the DCs on the other 999 DCs... ;-))

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently. It won't come back live. Right now we want to remove that orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
   Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message:
   Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already have been removed from Active Directory as the result of another administrator removing the NTDS Settings object, or replication of the successful removal of the object after running the DCPROMO utility:
   Error 8419 (0x20E3) The DSA object could not be found
   Note: You may also see this error when you try to bind to the domain controller that will be removed. Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata cleanup.
16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection disconnected successfully.
17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching cname record in DNS. You do not want the DCs that
RE: [ActiveDir] AD Security Auditing
Hi,

Have a look at:
* http://www.kouti.com/adreport/ (not free)
* ACLReport.vbs v1.01 (free - http://www.kouti.com/scripts.htm)

ACLReport.vbs v1.01: This script creates an HTML file named ACLReport.htm that contains all the ACLs of a given Active Directory tree. By modifying three lines in the beginning of the script, you can choose:
- Only OUs or all objects
- Only normal-view objects or also advanced-view objects
- Whether to display all ACEs or only non-inherited

Regards,
Jorge

Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Casey Robertson
Sent: Tue 2007-01-23 23:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing

We are embarking on a project to clean up our OU structure and reassign permissions that have grown unmanageable over time. To accomplish this it would be nice to be able to dump permissions on all OU objects and individual object types (users, computers, etc.) so that we can determine who has rights to what. The prospect of doing this manually is daunting at best, and for the most part I have only seen 3rd party tools (read: expensive) that do this in an easy to use fashion. Any suggestions for tools, scripts etc. would be appreciated. Either that or we can rebuild our OU structure :)

Casey Robertson
RE: [ActiveDir] Replication Problem !!
See: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Senthil Kumar
Sent: Thu 2007-01-18 18:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem !!

Hi,

Does anybody know how to remove lingering objects? When I use repadmin /removelingeringobjects it returns an error: invalid arguments. Can anybody help me out?

Regards,
Senthil
RE: [ActiveDir] adminsdholder
Setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user. You either:
* remove it from a protected group, check inheritance and reset admincount to not set
* configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended, as you should not use the default admin groups, but instead delegate stuff)

Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder

Dear all,

I think we are experiencing issues re not being able to reset permissions on an object that was previously a member of protected groups. I have read that the issue is around the reset of the value of the 'admincount' attribute. As I learn, this gets set to 1 when it becomes a member of protected groups, but I wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminsdholder?? Or whether there are other changes that need to be considered?

G

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] adminsdholder
Either explicit or inherited permissions will be replaced by the permissions defined on the adminsdholder object. So if re-applying inheritance is not enough... you would need to define explicitly defined permissions... For the default perms you can use the DEFAULT button, and all custom added permissions would need to be defined again.

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 17:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminsdholder

Jorge, thanks for your reply post. I certainly favour the former option on account of the other being a forest-wide configuration.

On this basis, if we have removed the user from protected groups then doesn't setting do the job? The permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object, so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inheritance on the user object??

GT

1. removed user from all protected groups
RE: [ActiveDir] R2 Schema
Just to use the PMC no schema change is needed... However, to deploy printer connections through GPOs, and thus create corresponding objects in AD (under the GPO used to deploy the printer connection), you need to extend the schema.

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sun 2007-01-14 22:12
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] R2 Schema

(for those on the off chance interested in the SBS impact)

While SBS's R2 release does not give you the functionality of the real R2 bits, to have DFSRv2 on member servers you have to bump the schema on the SBS DC. The only parts of the real R2 that SBS 2003 R2 gets are FSRM and MMC 3.0.

http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx

More tech details there.

The printer management console doesn't need a schema update that I recall... you just need the R2 install on that server. I don't remember (don't think) I did anything on my DC when I enabled the Printer Management console on the member server.

Vinnie Cardona wrote:
Excellent. Thank you.
RE: [ActiveDir] R2 Schema
The AD schema is (must be) extended with the R2 stuff when either:
* you want to install R2 on a DC
* you want to use R2 functionalities like DFS-R, PMC, UnixIDm, etc.

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 06:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Thank you Jorge... I was just a bit puzzled by one of the lines in the doc on the CD which states that the schema is only extended if you are planning on installing W2K3 R2 on a W2K3 DC. I am still in the process of reading up on W2K3 R2 and DFS, and thanks to you and Hunter, who sent me the link to the DFS requirements... I now understand more on the requirements. Thank you all for your help. Really do appreciate it.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 12, 2007 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Although the file servers are R2, because of the use of DFS-R (new replication mechanism) you MUST extend the AD schema so that the DFS-R information can be stored in AD.

Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting. I have a similar situation. But in my case they want me to roll out R2 on 10 of my W2K3 SP1 file and print servers to take advantage of DFS. After reading the installation docs from the CD it appears to me that I don't have to extend the schema because the servers I will be upgrading are not DCs... would like a reassurance that this is indeed the case with the community...

-many thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future, so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
RE: [ActiveDir] DC Locator process\Site Topology
... aware once the client discovers there is no DC on its own subnet, the DsGetSite API sends a DNS query for the SRV record _ldap._tcp.dc._msdcs.<domainname>, i.e. "give me a DC that is responsible for the X domain". The DC should then inform the client, based upon the IP information, that the client belongs to site X and that for this site the X and X DCs are responsible. DsGetDcName finds a DC, but in this case a DC in the core location, not its closest.

True when the client is joined to the domain. When it is not joined to the domain the client does not issue a "give me a DC in site X" query. It issues a "give me a DC in domain XYZ" query. It receives a response from DNS with ALL the DCs listed that registered the domain-wide service resource records. By default all the DCs register the domain-wide service resource records and the site-wide service resource records.

To prevent a client in branch office site X being serviced by a DC in branch office site Y after issuing a "give me a DC in domain XYZ" query, it is a best practice to disable registration of the domain-wide service resource records by the branch office DCs and only allow the HUB (main) office DCs to do that. Most probably you have configured that, as you are saying the object creation is always done in the HUB.

If you want to target the computer account creation to the nearest DC, either:
* you use NETDOM manually, or
* you create some script/tool that:
  - checks the IP of the client
  - matches that to a subnet in AD
  - retrieves the AD site that has that subnet
  - queries DNS for a DC in that site and uses that in NETDOM

Example:

    NETDOM JOIN /Domain:domain\DC /UserD:domain\user /PasswordD:password /OU:<DN of OU> /REBoot

---
NETDOM JOIN
Joins a workstation or member server to the domain.

  machine     is the name of the workstation or member server to be joined
  /Domain     Specifies the domain which the machine should join. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain. For example: /UserD:domain\user
  /UserD      User account used to make the connection with the domain specified by the /Domain argument
  /PasswordD  Password of the user account specified by /UserD. A * means to prompt for the password
  /UserO      User account used to make the connection with the machine to be joined
  /PasswordO  Password of the user account specified by /UserO. A * means to prompt for the password
  /OU         Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organizational unit for machine objects for that domain.
  /REBoot     Specifies that the machine should be shut down and automatically rebooted after the Join has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
---

Met vriendelijke groeten / Kind regards,
MVP Profile: https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holt, Will
Sent: Friday, January 12, 2007 12:43
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] DC Locator process\Site Topology

Hi All,

# W2K3 DFM - Windows Server 2003
# FFM - Windows Server Interim.

I have the following site topology. Network: two Core locations (MAN, Gbps), to which are attached 9 backbone locations (155 Mbps). Access2 locations are attached to one backbone, with a VPN (ISDN\DSL) fallback to one of the Core locations. DCs are placed only on the core and backbone locations (this is domestic, i.e. Germany). There are a total of 872 locations worldwide. For the site (objects of type siteLink, subnet and site) information I have a scripted solution. Every network location has a site, and the subnets are allocated at this level, enabling us to offer service location for DFS and print, i.e. I have serverless sites which are covered by the relevant DCs on the core and backbone levels. I qualify the clients' site awareness with nltest /server:XX /dsgetsite - no problems. I then qualify with nltest /server:DCNAME /dsgetsitecov that the server is covering the site with the value
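The site-aware join Jorge sketches above (client IP -> AD subnet -> site -> site-specific SRV record -> NETDOM against that DC), written out as an added Python example; it is not code from the thread or from the DECscripts. The subnet table and DC inventory are constructed stand-ins for what a real script would read from CN=Subnets in the configuration partition and from DNS; dc01/dc02/dc11, corp.example.com and the site names are invented. It also reproduces the failure mode the message describes: an IP that matches no subnet falls back to the domain-wide record, which only the hub DCs answer once the branch DC has stopped registering it.

```python
import ipaddress

DOMAIN = "corp.example.com"   # assumed domain name

# Constructed subnet -> site table (what the Subnets container holds). Prefixes
# overlap on purpose: AD maps a client to the MOST SPECIFIC matching subnet.
SUBNETS = {
    "10.0.0.0/8":     "Core-Frankfurt",
    "10.20.0.0/16":   "Backbone-Munich",
    "10.20.5.0/24":   "Access2-Rosenheim",   # serverless site, covered by Munich
    "192.168.1.0/24": "Core-Berlin",
}

# Constructed DC inventory. "covers" = sites the DC registers site records for
# (its own plus serverless sites it covers). "domain_wide" = False on the branch
# DC where registration of the domain-wide records was switched off, as the
# message recommends, so only hub DCs answer the domain-wide query.
DCS = [
    {"name": "dc01.corp.example.com", "covers": {"Core-Frankfurt"}, "domain_wide": True},
    {"name": "dc02.corp.example.com", "covers": {"Core-Berlin"}, "domain_wide": True},
    {"name": "dc11.corp.example.com", "covers": {"Backbone-Munich", "Access2-Rosenheim"}, "domain_wide": False},
]


def site_for_ip(ip, subnets=SUBNETS):
    """Site whose subnet most specifically contains ip (longest prefix), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def srv_name(domain, site=None):
    """Name the locator queries: site-specific when a site is known, otherwise the
    domain-wide record that every DC registers by default."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def resolve_srv(name, dcs=DCS, domain=DOMAIN):
    """Stand-in for the DNS SRV lookup, answered from the constructed inventory."""
    if name == srv_name(domain):
        return sorted(dc["name"] for dc in dcs if dc["domain_wide"])
    prefix, suffix = "_ldap._tcp.", f"._sites.dc._msdcs.{domain}"
    if name.startswith(prefix) and name.endswith(suffix):
        site = name[len(prefix):-len(suffix)]
        return sorted(dc["name"] for dc in dcs if site in dc["covers"])
    return []


def locate_dc(ip, domain=DOMAIN):
    """Site-specific query first; domain-wide only when the IP maps to no site."""
    site = site_for_ip(ip)
    query = srv_name(domain, site)
    answers = resolve_srv(query, domain=domain)
    return {"site": site, "query": query, "dc": answers[0] if answers else None}


def netdom_join_cmd(machine, dc, domain=DOMAIN, user="joinacct", ou=None):
    """NETDOM JOIN pinned to one DC via the /Domain:domain\\dc form from the message;
    /PasswordD:* prompts instead of putting the password on the command line."""
    cmd = ["netdom", "join", machine, f"/Domain:{domain}\\{dc}",
           f"/UserD:{domain}\\{user}", "/PasswordD:*"]
    if ou:
        cmd.append(f"/OU:{ou}")
    cmd.append("/REBoot")
    return cmd


if __name__ == "__main__":
    for ip in ("10.20.5.17", "10.20.9.1", "172.16.0.1"):
        hit = locate_dc(ip)
        print(ip, "->", hit["site"], hit["query"], hit["dc"])
        if hit["dc"]:
            print("   ", " ".join(netdom_join_cmd("ws0042", hit["dc"],
                                                 ou="OU=Workstations,DC=corp,DC=example,DC=com")))
```

The longest-prefix rule matters in a topology like Will's, where a /24 for a serverless Access2 site sits inside the backbone's /16: a first-match lookup would send the client to the wrong site. The real locator goes one step further than this stand-in and LDAP-pings the candidates it got from DNS, so the join should still be verified afterwards with nltest /dsgetdc.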
RE: [ActiveDir] Seized Roles - Flatten DC?
Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

From: http://support.microsoft.com/?id=255504

"A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems."

Cheers,
jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday 11 January 2007 14:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seized Roles - Flatten DC?

Dear collective,

I am at a site where somebody has panicked, and all 5 roles have been seized in the last month, and have then been transferred back to the DCs they were previously on. I had thought that certain roles (RID, Schema and possibly Domain Naming) being seized meant you had to wipe the DCs and re-install Windows before you could use them again. Problem is - I can't find anything on TechNet to back this up. Best I can find is an article saying that seizing the RID is a 'drastic measure'. Can anyone point me towards something which says, ideally: "If you seize role X, you MUST do Y, or the rivers will turn to blood, you will be visited by a plague of locusts and your firstborn will be killed."

Thanks in advance,
--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] Seized Roles - Flatten DC?
You don't need to re-install Windows. Forced demotion (offline, using an out-of-band management solution) and promotion of the DCs is enough, with a metadata cleanup before the promotion; however, as the DCs have already been online, you might as well use a normal demotion. After that, MAKE SURE all roles are owned by a DC. Check the health of things to be sure!

With transferring, the role is handed over nicely to the other DC... With seizing, the role is hijacked. As the article says, the old FSMO role owner still does its work until it knows someone else hijacked its role. Other DCs might still use the old FSMO while some use the new. You do not want that kind of stuff.

Cheers,
jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday 11 January 2007 15:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seized Roles - Flatten DC?

On 11/01/07, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
> Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx
> from: http://support.microsoft.com/?id=255504

Thanks Jorge,

Nothing about three days of darkness or locusts or the massacre of first-borns, but I think it ought to settle the argument. Of course, now they'll just want to dcpromo the machines down, clean the metadata and bring them back up again. Nobody wants to re-install Windows on servers sitting in a datacentre miles away. Ho-hum, I tried my best...
--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
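One concrete form of the "check the health of things" step, aimed at the specific risk KB 255504 names (two DCs handing out RIDs from the same pool): an added Python check, not code from the thread, over the RID attributes you would export with an LDAP tool. rIDAllocationPool and rIDPreviousAllocationPool sit on each DC's CN=RID Set object; rIDAvailablePool sits on CN=RID Manager$,CN=System,<domain>. All three are 64-bit values whose low 32 bits are the first RID and high 32 bits the last RID of the range, the decoding dcdiag's RidManager test prints. The dump below is constructed: DC names and RID numbers are invented, and the scenario mirrors the thread (an old role holder kept allocating after the seizure).

```python
MASK32 = 0xFFFFFFFF


def decode_pool(value):
    """Split a 64-bit RID pool attribute into (first_rid, last_rid); None if unset (0)."""
    if not value:
        return None
    return (value & MASK32, value >> 32)


def encode_pool(first_rid, last_rid):
    """Inverse of decode_pool, used here only to build the constructed dump."""
    return (last_rid << 32) | first_rid


# Constructed export of each DC's RID Set. DC3 obtained 2100-2599 from the OLD
# role holder after the seizure, the same block the new master had already given
# DC2. DC4 holds 2600-3099, a block the current master has no record of issuing.
RID_SETS = {
    "DC1": {"rIDAllocationPool": encode_pool(1600, 2099),
            "rIDPreviousAllocationPool": encode_pool(1600, 2099)},
    "DC2": {"rIDAllocationPool": encode_pool(2100, 2599),
            "rIDPreviousAllocationPool": encode_pool(2100, 2599)},
    "DC3": {"rIDAllocationPool": encode_pool(2100, 2599),
            "rIDPreviousAllocationPool": encode_pool(1100, 1599)},
    "DC4": {"rIDAllocationPool": encode_pool(2600, 3099),
            "rIDPreviousAllocationPool": 0},
}
# rIDAvailablePool on the CURRENT RID master: low 32 bits = next RID it will hand
# out, high 32 bits = ceiling of the domain's RID space (2^30 - 1 by default).
RID_AVAILABLE = encode_pool(2600, 2**30 - 1)


def check_rid_pools(rid_sets, available):
    """Findings: blocks held by two different DCs that overlap, and blocks reaching
    past the RID master's next-RID pointer (so they were issued by someone else)."""
    next_rid, _ceiling = decode_pool(available)
    # one entry per distinct (DC, block); current and previous pool are often equal
    pools = sorted({(dc, decode_pool(v)) for dc, attrs in rid_sets.items()
                    for v in attrs.values() if v})
    findings = []
    for i, (dc_a, (a_lo, a_hi)) in enumerate(pools):
        for dc_b, (b_lo, b_hi) in pools[i + 1:]:
            if dc_a != dc_b and a_lo <= b_hi and b_lo <= a_hi:
                findings.append(f"OVERLAP: {dc_a} {a_lo}-{a_hi} and {dc_b} {b_lo}-{b_hi}")
    for dc, (lo, hi) in pools:
        if hi >= next_rid:
            findings.append(f"UNKNOWN: {dc} {lo}-{hi} reaches past RID master's next RID {next_rid}")
    return findings


if __name__ == "__main__":
    for finding in check_rid_pools(RID_SETS, RID_AVAILABLE) or ["no RID pool problems found"]:
        print(finding)
```

An OVERLAP means two DCs can mint the same SID for different principals; an UNKNOWN means a DC is spending RIDs the surviving master may later hand out again. Either way the offending DC is the one to demote and clean up, and a search for duplicate objectSid values in the domain is the next check.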
RE: [ActiveDir] IIS install
As of W2K3 there is a setting that prevents the installation of IIS, when enabled of course...

Computer Configuration\Administrative Templates\Windows Components\Internet Information Services\Prevent IIS Installation = [ENABLED | DISABLED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Thursday 11 January 2007 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS install

I'm having a hard time installing IIS. It said that it can copy files. Other than a bad CD, what could be keeping it from installing? Is there a GP setting that I'm not aware of that will keep IIS from installing?
Antonio
RE: [ActiveDir] Domain Admin
If he just needs administrative-equivalent permissions on THOSE TWO MEMBER SERVERS, you can put his account into the local Administrators group of each server... If he is logged on, tell him to log out and log on AFTER you have added his account to the groups.

DOMAIN ADMIN equivalent permissions is a little bit too much imo, as that gives him full access to everything in AD...

Either you need to install the adminpak and/or you need to make them visible in the start menu.

For what tasks are the administrative equivalent permissions needed?

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick
Sent: Wednesday 10 January 2007 6:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admin

I have a consultant that is asking for domain admin rights on 2 member servers. I have googled it but nothing seems to work out right. The servers are on the domain but the consultant just has a domain user account. He can log on to the servers while they are on the domain but the administrative tools are not there (as it should be). I want to create an OU and put the two machines in that OU and delegate control to the consultant's domain user account. Any other way to do this without registry hacks or scripts? All assistance welcomed.
RE: [ActiveDir] How to change login authentication
You can't just change the authenticating DC from X to Y. A DC for authentication is located by using DNS. By default clients search for a DC that has records in DNS for their own site (DCs physically there or covering the site) and, when none is found, query for the DCs that have registered domain-wide records (by default all the DCs).

For that to work correctly you need to:
* Define your sites in AD correctly for one or more locations (most of the time each location has its own AD site definition)
* Define the subnets within each location in AD and associate each subnet with the AD site that represents the location of the subnets

Also make sure an AD site link exists with the sites associated to it, so that DCs in each site/location can replicate with each other.

That way a client in site A will go for a DC in site A first and a client in site B will go for a DC in site B first.

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: Wednesday 10 January 2007 15:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to change login authentication

Hi all,
I have one Domain Controller (name dc01) in India and another DC (name dc02) in a remote location. Both DCs can communicate. I have been told to change user login authentication from DC01 to DC02. So how can I perform this task? Pls help me. I didn't find any doc related to this.
Thanks,
Ajay
RE: [ActiveDir] How to change login authentication
I thought of that... I think you mean DNS Priority (which will always use the DC with the lowest value) instead of DNS Weight (which would still use the other DC, but less/more frequently depending on the weight configuration) ;-))

"You can't just change the authenticating DC from X to Y" -- I mean redirect a set of clients to one DC and another set of clients to the other DC (while either set never uses the other DC).

As you said: it depends... because what does he mean with "I have been told to change user login authentication from DC01 to DC02"? Everything is in one site and DC02 must now be used, OR clients in the remote site must only use DC02 instead of also using DC01?

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday 10 January 2007 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to change login authentication

In addition to the below, if we assume that DC01 and DC02 are both in the *same* site, then perhaps Ajay should consider DNS weighting, so that DC02 is used 'in preference' to DC01. As usual, it's an 'it depends' style question.
neil
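What the priority/weight distinction in this exchange means for a client, as an added Python example (not code from the thread): RFC 2782 target selection run over constructed SRV answers for dc01 and dc02. Windows clients apply the same semantics to the DC locator records, and the per-DC values are set through Netlogon's LdapSrvPriority and LdapSrvWeight registry values or the corresponding "DC Locator DNS Records" group policies. The record sets, host names and domain below are invented.

```python
import random
from collections import Counter

# Constructed SRV answer sets for _ldap._tcp.dc._msdcs.corp.example.com,
# as (priority, weight, port, target) tuples.
EQUAL_RECORDS = [(0, 100, 389, "dc01.corp.example.com"),
                 (0, 100, 389, "dc02.corp.example.com")]
WEIGHTED_RECORDS = [(0, 25, 389, "dc01.corp.example.com"),     # weight: still used, less often
                    (0, 75, 389, "dc02.corp.example.com")]
PRIORITY_RECORDS = [(10, 100, 389, "dc01.corp.example.com"),   # priority: only tried after dc02
                    (0, 100, 389, "dc02.corp.example.com")]


def order_targets(records, rng=random):
    """RFC 2782 ordering: the lowest priority number wins outright. Within one
    priority, weighted random selection (weight-0 entries get only a tiny chance).
    Returns the full list in the order a client should try the targets."""
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r[0] for r in remaining)
        group = [r for r in remaining if r[0] == lowest]
        group.sort(key=lambda r: r[1] != 0)          # weight-0 entries to the front
        total = sum(r[1] for r in group)
        n = rng.randint(0, total)
        running, chosen = 0, group[-1]
        for r in group:
            running += r[1]
            if running >= n:
                chosen = r
                break
        ordered.append(chosen)
        remaining.remove(chosen)
    return ordered


def first_choice_share(records, trials=10000, seed=7):
    """Fraction of trials in which each target came out first (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = Counter(order_targets(records, rng)[0][3] for _ in range(trials))
    return {target: counts[target] / trials for target in sorted(counts)}


if __name__ == "__main__":
    for label, recs in (("equal", EQUAL_RECORDS), ("weighted", WEIGHTED_RECORDS),
                        ("priority", PRIORITY_RECORDS)):
        print(label, first_choice_share(recs))
```

With priority 10 on dc01, dc02 is first in every trial and dc01 only appears second in the list; with weights 25/75 both DCs are still tried first, roughly one time in four versus three in four. Neither setting fences clients off a DC: the locator still LDAP-pings the candidates in that order and takes the first that answers, so a client ends up on dc01 whenever dc02 is down, which is why this cannot make one set of clients never use the other DC.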
RE: [ActiveDir] list logon user for the services in several servers
for services use a script created by Dean Wells... get it here: http://www.jadonex.com/downloads/dec/DECscripts.zip

PS joe/Dean: define "coming soon" ;-)

for scheduled tasks create a script using schtasks (w2k3)

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Tue 2007-01-09 17:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list logon user for the services in several servers

Hi,
A SA just left the company and I suspect he installed several applications on several servers using his account; therefore I can't change his password or disable his account. Is there an easy way of finding which services are running under his account without having to go to each different server?
Thanks
Rezuma
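One way to do the sweep Ramon asks about without visiting each box, as an added Python example; it is neither the DECscripts Jorge links nor code from the thread. It takes a service inventory (host, service, start-name triples of the kind WMI's Win32_Service.StartName or `sc qc` would give) plus the CSV that `schtasks /query /s <host> /fo CSV /v` prints, and reports everything configured to run as the departed account under any spelling Windows uses: DOMAIN\user, user@dns-suffix, and .\user (a local account of the same name, which is a different principal and must not be counted). Both inputs are constructed; CORP, jsmith, FS01 and APP02 are invented, the UPN-suffix-to-NetBIOS mapping is an assumption, and the CSV is cut down to the four columns the check needs.

```python
import csv
import io

# Constructed service inventory: (host, service name, account the service runs as).
SERVICES = [
    ("FS01",  "BackupAgent", "CORP\\jsmith"),
    ("FS01",  "Spooler",     "LocalSystem"),
    ("APP02", "ReportSvc",   "jsmith@corp.example.com"),   # UPN spelling of the same account
    ("APP02", "LegacyJob",   ".\\jsmith"),                  # LOCAL account named jsmith, a different principal
]

# Constructed schtasks CSV, trimmed to four of the /v columns. Some versions repeat
# the header line before each task's row, so the parser skips such rows.
SCHTASKS_CSV = (
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"APP02","\\NightlyExport","C:\\jobs\\export.cmd","CORP\\jsmith"\n'
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"APP02","\\Defrag","defrag.exe C:","SYSTEM"\n'
)

NETBIOS_BY_DNS = {"corp.example.com": "corp"}   # assumption: UPN suffix -> NetBIOS domain name


def normalize_account(name):
    """(domain, user), lower-cased, for DOMAIN\\user, user@dns.suffix or bare / .\\user."""
    name = name.strip()
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, suffix = name.split("@", 1)
        domain = NETBIOS_BY_DNS.get(suffix.lower(), suffix)
    else:
        domain, user = "", name
    return domain.lower(), user.lower()


def find_account_usage(account, services=SERVICES, schtasks_csv=SCHTASKS_CSV):
    """Services and scheduled tasks configured to run as `account`, as (kind, host, name)."""
    target = normalize_account(account)
    hits = [("service", host, svc) for host, svc, run_as in services
            if normalize_account(run_as) == target]
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row["TaskName"] == "TaskName":        # repeated header row
            continue
        if normalize_account(row["Run As User"]) == target:
            hits.append(("task", row["HostName"], row["TaskName"]))
    return hits


if __name__ == "__main__":
    for kind, host, name in find_account_usage("CORP\\jsmith"):
        print(f"{kind:8} {host:6} {name}")
```

Services and scheduled tasks are the two places this covers; IIS application pool identities, COM+ applications and credentials stored inside third-party products have to be checked separately before the account is disabled, and each hit should be moved to its own service account rather than left on a departed person's credentials.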
RE: [ActiveDir] AD Schema - adding an attribute
In addition to what Brian said...

If you want to get OIDs for your organization to use in a production environment you can get your OIDs using this page: http://msdn.microsoft.com/certification/ad-registration.asp

More info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_a_root_oid_from_an_iso_name_registration_authority.asp

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2007-01-09 18:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of it?

Second, you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix, so it would be ewu-birthMonth or something. Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL, Cheney, WA 99004
RE: [ActiveDir] SID Deleted users remains in NTS permission.
and to remove those orphaned SIDs you could use SUBINACL (make sure you download the latest version from the MS site)

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Akomolafe, Deji
Sent: Thu 2007-01-04 10:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SID Deleted users remains in NTS permission.

It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" - anon

From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.

Hello all,
Happy new year! :)
AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have NTFS permissions, I usually see their SIDs remaining in those file/directory ACLs. Is this normal? If not, what could be the reason(s) and how do I investigate this issue?
Thanks,
Yann
RE: [ActiveDir] Is ADAM free?
yes, it is free... you would still need to license the OS it runs on

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2007-01-02 15:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is ADAM free?

Is ADAM free? If not, how much does it cost?
Thanks!
-James
RE: [ActiveDir] migration help
in your case I would suggest an UPGRADE of the domain to w2k3 AD instead of a migration to a NEW forest

high-level steps are:
* use the W2K3 SP1 CD!
* update schema (only needed to introduce w2k3 DCs, not needed for w2k3 member servers)
* introduce w2k3 DCs
* move stuff over from w2k DCs to w2k3 DCs
* demote and decommission W2K DCs

also see for additional information: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/What-information-is-available-when-UPGRADING-from-W2K_2F00_E2K-to-W2K3-_2800_R2_29002F00_E2K3_3F00_.aspx

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of badhusha sd
Sent: Fri 2006-12-29 12:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] migration help

Hi all,
I have a Windows 2000 domain with 2 domain controllers and 3 file servers; the user accounts are spread across all the servers (i.e. the Active Directory accounts are added to file server directory security to assign access to users for folders and files). Now I am installing new servers for Windows 2003 and I want to migrate the user accounts from Windows 2000 to Windows 2003. How do I do it? What happens to the user accounts after migration? What happens to the user accounts added to the file servers? How do I retain the same user accounts in the file server directory permissions? Please give me a solution for a proper migration.
Thanks in advance.
Badhusha.s.d.
RE: [ActiveDir] migration help
Please read the articles I mailed earlier.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of badhusha sd
Sent: Fri 2006-12-29 13:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] migration help

You're right, basically I had thought of it. But the company has bought HP DL G4 servers for the new Windows 2003 DCs; instead of the ML 530 I have to use the DL G4 servers for the new installation. How do I proceed?
Thanks

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 11:24:39 AM
Subject: RE: [ActiveDir] migration help

In your case I would suggest an UPGRADE of the domain to w2k3 AD instead of a migration to a NEW forest.

High-level steps are:
* use the W2K3 SP1 CD!
* update schema (only needed to introduce w2k3 DCs, not needed for w2k3 member servers)
* introduce w2k3 DCs
* move stuff over from w2k DCs to w2k3 DCs
* demote and decommission W2K DCs

Also see for additional information:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/What-information-is-available-when-UPGRADING-from-W2K_2F00_E2K-to-W2K3-_2800_R2_29002F00_E2K3_3F00_.aspx

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of badhusha sd
Sent: Fri 2006-12-29 12:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] migration help

Hi all,
I have a Windows 2000 domain with 2 domain controllers and 3 file servers; the user accounts are spread across all the servers (i.e. the Active Directory accounts are added to the file server directory security to assign access to users for folders and files). Now I am installing new servers for Windows 2003 and I want to migrate the user accounts from Windows 2000 to Windows 2003. How do I do it, what happens to the user accounts after migration, and what happens to the user accounts added to the file servers? How do I retain the same user accounts in the file server directory permissions? Please give me a solution for a proper migration.
Thanks in advance.
Badhusha.s.d.
RE: [ActiveDir] Built in Security groups
Easy... say something like: you cannot delete built-in groups/accounts ;-)
That should silence the guys and gals above! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2006-12-22 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the built-in security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.
Thanks,
Andrew Fidel
RE: [ActiveDir] Built in Security groups
By the way, what is the reason? I hope it is not something like security. If you were able to delete them, it would create more of a mess compared to the added value.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 2006-12-22 17:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built in Security groups

Easy... say something like: you cannot delete built-in groups/accounts ;-)
That should silence the guys and gals above! ;-)

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2006-12-22 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the built-in security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.
Thanks,
Andrew Fidel
[ActiveDir] WAY OT - BUT LOTS OF FUN: someboby's a$$ got fried ;-)
This is fun.. ;-)
http://www.gilsblog.com/index.cfm?commentID=93
http://www.gilsblog.com/index.cfm

cheers,
Jorge

PS.: sorry Gil! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
RE: [ActiveDir] DFS-R replication through a firewall
Thank you Steve!

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 2006-12-21 01:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DFS-R replication through a firewall

You can fix the port using DFSrdiag. See the following from:
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx

Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network (WAN) link (not the Internet) connecting the branch offices. However, you must open the proper ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 135) and a randomly assigned ephemeral port above 1024. You can use the Dfsrdiag command line tool to specify a static port instead of the ephemeral port. For more information about how to specify the RPC Endpoint Mapper, see article 154596 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=73991).

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 20, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DFS-R replication through a firewall

We open port 135 for our subnets only. We made changes to the registry to force the high ports into a range and open those ports in the firewall policy.
-Z.V.

Almeida Pinto, Jorge de wrote:
Hi Everyone,
I assume everyone knows about: How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553
I was wondering about the configuration for DFS-R. Does anyone have experience with that working through a firewall? (instead of opening 135 and a range of high ports)
Thanks!
cheers,
Jorge

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
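Steve's answer names DFSRDIAG as the way to pin the DFS-R RPC port, which is what lets the firewall rule cover TCP 135 plus one fixed port instead of the whole ephemeral range. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft: it sets the same static port on each replication member, reads the setting back, restarts the DFSR service so the new port is used, and adds an inbound firewall rule scoped to the peer subnets only. The member names, port number and subnets are constructed placeholders; it assumes dfsrdiag.exe is installed, that you are an administrator on each member, and that the members run Windows Server 2012 or later (for New-NetFirewallRule).

```powershell
# Added example for this page (not from the thread): pin DFS-R to one static
# RPC port so the firewall needs only TCP 135 plus that port instead of the
# whole ephemeral range. Member names, port and subnets are constructed.
$Members     = @('FS-AMS-01', 'FS-LON-01')      # constructed member names
$StaticPort  = 5722                              # constructed; pick a free TCP port
$PeerSubnets = @('10.1.0.0/24', '10.2.0.0/24')   # constructed; the other members' subnets only

function Set-DfsrStaticPort {
    param(
        [Parameter(Mandatory)][string[]]$Member,
        [Parameter(Mandatory)][int]$Port,
        [string[]]$AllowFrom
    )
    foreach ($m in $Member) {
        # /Port together with /Member writes the static port into that member's DFSR configuration.
        $set = & dfsrdiag.exe StaticRPC "/Port:$Port" "/Member:$m" 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dfsrdiag failed on ${m}: $set"
            continue
        }
        # Without /Port the same command reports the configured port; use it to confirm the write.
        $query     = & dfsrdiag.exe StaticRPC "/Member:$m" 2>&1
        $confirmed = [bool]($query -match "\b$Port\b")

        # The service picks the port up at start-up. The firewall rule is limited to the
        # peer subnets so the replication endpoint is not reachable from everywhere.
        Invoke-Command -ComputerName $m -ArgumentList $Port, $AllowFrom -ScriptBlock {
            param($p, $from)
            Restart-Service -Name DFSR
            if (-not (Get-NetFirewallRule -DisplayName 'DFS-R static RPC' -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName 'DFS-R static RPC' -Direction Inbound `
                    -Protocol TCP -LocalPort $p -RemoteAddress $from -Action Allow | Out-Null
            }
        }
        [pscustomobject]@{ Member = $m; StaticPort = $Port; Confirmed = $confirmed }
    }
}

Set-DfsrStaticPort -Member $Members -Port $StaticPort -AllowFrom $PeerSubnets
```

On the firewall between the sites only TCP 135 (endpoint mapper) and the chosen static port then need to be open between the member addresses; the same idea KB 319553 describes for FRS. Re-run the function after adding a member, since the setting is per member, not per replication group.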
RE: [ActiveDir] OT: DSGET/DSQUERY
It should work, I just tried it myself.
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Wednesday 20 December 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DSGET/DSQUERY

Hello,
Windows 2003, single domain. I have a security group with 120 users which I want to export and add to a new security group. I have tried using the following query but it fails. It says: DSMOD Failed: The parameter is incorrect
This is the query:
dsget group cn=RBAC-Officer-X-X-R,ou=security groups,ou=testpol,dc=testpol,dc=org,dc=uk -members | dsmod group cn=MCMSSubscribers-X-A,ou=security groups,ou=testpol,dc=testpol,dc=org,dc=uk -addmbr
Any ideas? Or alternative methods?
Amy
RE: [ActiveDir] New subdomain
Don't know what is described in there, but things to take care of are:
* Domain Functional Level
* DNS zone delegations for the new domain
* Forwarding from the new child domain up the tree
* Anonymous access configuration during creation
* OU structure
* GPO structure
* delegation of control
* etc.
Just like every other domain; nothing special, though!

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Wednesday 20 December 2006 12:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New subdomain

I have to create a new Windows 2003 child domain in Active Directory. I've found MS KB Q255248 which describes the actions, but the KB applies to Windows Server 2000 only. Is there anything special with a Win 2003 child domain, or can I use the steps described in KB255248 to create the child domain?
Thanks in advance
Thomas
[ActiveDir] DFS-R replication through a firewall
Hi Everyone,
I assume everyone knows about: How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553
I was wondering about the configuration for DFS-R. Does anyone have experience with that working through a firewall? (instead of opening 135 and a range of high ports)
Thanks!

cheers,
Jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
RE: [ActiveDir] AdminSDHolder orphans
My first thought would be YES, it should reverse the changes it made previously... On the other side... why doesn't it already? There is a script... 2003 is the second AD version... so I suspect something else might be the reason why it does not do it.

AdminSDHolder sets the list you mention below when it finds a user or group that is a member of some protected group. That is easy to do because it only checks the known protected users, known protected groups and their members. Not that difficult to query.

Now remove user X from a protected group or from a group that is a member of a protected group. What is left over? Permissions still reflect the config of the adminSDHolder, inheritance is not enabled and adminCount=1.

(1) By querying known protected users, known protected groups and their members you know who is protected. By querying for adminCount=1 you get the protected users and the users who once were protected. From that list remove everyone that is protected. Leftovers are sec. princ. who are not protected anymore but still have adminCount=1 (assuming nobody sets adminCount=1 just for fun ;-) ). Set adminCount=0, enable inheritance and revert permissions back to the schema default. Possible issues here are if some programs/apps have set their own permissions on objects. You do not know what was previously there except for the schema default perms. The same still applies now when you need to do it manually, so there would not be much difference.

(2) OR just get everyone with adminCount=1 and check if it is a direct member of a protected group or an indirect member of a protected group (group nesting). If not, set adminCount=0, enable inheritance and revert permissions back to the schema default.

Just some euro thoughts ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Tue 2006-12-19 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:
* Replace the object's security descriptor with that of the AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value 0 on the object.
If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me, or does anyone else think this behaviour a little strange?

What I am finding in many environments is a large number of these AdminSDHolder "orphans". These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task, or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or similar)?
http://support.microsoft.com/kb/817433
Do you think the AdminSDHolder behaviour should be changed to clean up after itself?

Tony
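Jorge's approach (2) reduces to one set-membership test per object: take everything with adminCount=1 and drop whatever is still a direct or nested member of a protected group. The PowerShell below is an added example written for this page; it is not the KB 817433 script and not code from the thread. It lists the orphans, reports whether their ACL still blocks inheritance, and, only when -Commit is given, performs the two clean-up steps the reply describes (adminCount back to 0 and inheritance re-enabled). It assumes the ActiveDirectory module, Domain Admins rights, and a DC that understands the LDAP_MATCHING_RULE_IN_CHAIN filter (Windows Server 2003 SP2 or later); the list of protected groups is the Windows Server 2003 SP1 set and may need extending for later versions.

```powershell
# Added example for this page, not the KB 817433 script: approach (2) from the
# reply above. Every user or group with adminCount=1 that is neither a direct or
# nested member of a protected group nor one of the directly protected accounts
# is an orphan. Assumes the ActiveDirectory module and Domain Admins rights.
Import-Module ActiveDirectory

# Groups SDProp protects on Windows Server 2003 SP1 and later; later versions
# add more, so extend this list for your forest.
$ProtectedGroupNames = @('Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator', 'Domain Admins',
    'Domain Controllers', 'Schema Admins', 'Enterprise Admins',
    'Read-only Domain Controllers')

function Get-AdminSdHolderOrphan {
    $domain = Get-ADDomain
    $dc     = $domain.PDCEmulator
    # Schema Admins and Enterprise Admins exist only in the forest root; skip lookups that fail.
    $protectedDns = @(foreach ($name in $ProtectedGroupNames) {
        try { (Get-ADGroup -Identity $name -Server $dc).DistinguishedName } catch { }
    })
    # One LDAP query for all transitive members: the in-chain rule walks group nesting server-side.
    $inChain = ($protectedDns | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join ''
    $stillProtected = @(Get-ADObject -Server $dc -LDAPFilter "(|$inChain)" |
                        Select-Object -ExpandProperty DistinguishedName)
    # Administrator (RID 500) and krbtgt (RID 502) are protected directly, not through a group.
    $protectedSids = @("$($domain.DomainSID)-500", "$($domain.DomainSID)-502")

    Get-ADObject -Server $dc -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                 -Properties adminCount, objectSid, nTSecurityDescriptor |
        Where-Object {
            $_.DistinguishedName -notin $stillProtected -and
            $_.DistinguishedName -notin $protectedDns   -and
            "$($_.objectSid)"    -notin $protectedSids
        } |
        Select-Object DistinguishedName, ObjectClass,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

function Repair-AdminSdHolderOrphan {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [switch]$Commit   # report only unless set
    )
    process {
        if (-not $Commit) { "Would reset: $DistinguishedName"; return }
        # Step 1 from the reply: adminCount back to 0.
        Set-ADObject -Identity $DistinguishedName -Replace @{ adminCount = 0 }
        # Step 2: re-enable inheritance. The second argument keeps the explicit ACEs that
        # SDProp stamped, so nothing an application added is lost; reverting those ACEs
        # to the schema default is the manual step the reply describes.
        $entry = [ADSI]"LDAP://$DistinguishedName"
        $sd    = $entry.psbase.ObjectSecurity
        $sd.SetAccessRuleProtection($false, $true)
        $entry.psbase.ObjectSecurity = $sd
        $entry.psbase.CommitChanges()
    }
}

# Report first; add -Commit to Repair-AdminSdHolderOrphan once the list has been reviewed.
Get-AdminSdHolderOrphan | Repair-AdminSdHolderOrphan
```

The report step is worth keeping as a scheduled check on its own: an account that still carries the AdminSDHolder ACL after leaving a privileged group is exactly the kind of stale privilege an access review should surface, and the InheritanceBlocked column shows which objects SDProp has touched regardless of what adminCount says.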
RE: [ActiveDir] Vista GPO
Yes...
* No more SYSVOL bloat as all Administrative Templates are stored in a central location
* For domain environments a central store can be created so that ADMX/ADML files are NOT stored (which is the default) with EACH GPO (for both local and domain).
* Results in less replication traffic for the SYSVOL and less storage is needed
* This central store MUST be created in ..\SYSVOL\Domain\Policies\PolicyDefinitions and is thus NOT available by default. (Create on the PDC FSMO!)
* Can be used in EVERY domain environment (W2K/W2K3/W2K7/etc.)
* Can ONLY be managed with the GPMC and GPO Editor from Vista and Longhorn
* GPMC and GPO Editor will first try to use the central store and then the server's local store
* Just copy %WINDIR%\PolicyDefinitions to ..\SYSVOL\Domain\Policies and create your own language specific sub directories if needed (EN-US will be available by default)

Cheers,
jorge

Met vriendelijke groeten / Kind regards,
MVP Profile → https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site → https://mvp.support.microsoft.com/
MVP Overview → https://mvp.support.microsoft.com/mvpexecsum
BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 00:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

With the Vista ADMX format, is it a better implementation to have central ADMX storage on the DCs?
===
Weiming Lu
Emory College Computing Support
(404)727-7917

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately, cannot be consumed by earlier versions of Windows. That is, you must manage Vista GP from Vista.
Darren

-Original Message-
From: Za Vue [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote. Thanks..
-Z.V.

WATSON, BEN wrote:
Maybe he may be referring to the location of any possible new ADM files included with Vista.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, December 14, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista GPO

Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located?
-Z.V.
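Jorge's list gives the two facts that matter for the central store: its path under SYSVOL is fixed, and it should be created on the PDC emulator so that SYSVOL replication carries it to the other DCs. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft: it copies the ADMX files and the chosen ADML language folders from the local %WINDIR%\PolicyDefinitions to that path on the PDC, never overwriting a newer template already in the store, and then counts the ADMX files on every DC to show whether replication has caught up. It assumes the ActiveDirectory module, Domain Admins rights, and that the machine you run it on is a Vista-or-later admin workstation whose local templates are the ones you want to publish.

```powershell
# Added example for this page (not from the thread): create the ADMX/ADML central
# store on the PDC emulator, as the reply recommends, and verify that SYSVOL
# replication has delivered it to every DC. Assumes the ActiveDirectory module,
# Domain Admins rights, and local %WINDIR%\PolicyDefinitions as the template source.
Import-Module ActiveDirectory

function New-GpoCentralStore {
    param(
        [string]$SourceDir = "$env:WINDIR\PolicyDefinitions",
        [string[]]$Language = @('en-US')   # ADML sub-folders to publish
    )
    $domain = Get-ADDomain
    # The GPMC looks only here; the path is fixed relative to the domain's SYSVOL share.
    $store = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
    if (-not (Test-Path -LiteralPath $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }
    # Source, destination, file mask per copy job; /XO keeps a newer ADMX already in the
    # store from being replaced by an older local copy.
    $jobs = @(,@($SourceDir, $store, '*.admx'))
    foreach ($lang in $Language) {
        $jobs += ,@((Join-Path $SourceDir $lang), (Join-Path $store $lang), '*.adml')
    }
    foreach ($j in $jobs) {
        & robocopy.exe $j[0] $j[1] $j[2] /XO /R:1 /W:1 /NJH /NJS | Out-Null
        # robocopy exit codes 0-7 are success flags describing what was copied; 8 and up mean failure
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE) copying $($j[2]) to $($j[1])" }
    }
    $store
}

function Test-GpoCentralStore {
    # A DC with fewer ADMX files than the PDC has not yet received the SYSVOL change.
    $domain = Get-ADDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        $path = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
        [pscustomobject]@{
            DC        = $dc.HostName
            Present   = Test-Path -LiteralPath $path
            AdmxFiles = @(Get-ChildItem -LiteralPath $path -Filter *.admx -ErrorAction SilentlyContinue).Count
        }
    }
}

New-GpoCentralStore
Test-GpoCentralStore
```

Because every Vista-or-later GPMC in the domain prefers the central store over its local copy, whoever can write to this folder decides which settings administrators see in the editor; publish only from a trusted, patched workstation and treat the folder's SYSVOL permissions like any other Group Policy file.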
RE: [ActiveDir] Join a Domain
Why is this service record not DOMAIN related? (or am I missing something here)
_ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa
^^^ what is SERVER-2? Is that a domain? Or a DC?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Mon 2006-12-11 20:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Join a Domain

Also have a look at DNSLint - a great tool for checking that your SRV records are published in DNS correctly.
http://support.microsoft.com/kb/321046
Tony

-- Original Message --
From: Al Mulnick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 11 Dec 2006 14:11:16 -0500

Based on that, you *should* have other issues going on with your domain controllers. That SRV record is a way for the client (the workstation you're trying to join) to find the domain controllers in its site. But it's not finding them as expected, and therefore is unable to contact the domain. You'll want to check your DNS server and a) make sure you're using the proper one and b) ensure that the domain controllers are registering their records properly.
Al

On 12/11/06, John [EMAIL PROTECTED] wrote:
There was an error on one of my client machines when joining a domain. Here it is:
An error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain server-2.blackstallions.com.sa. The error was: No records found for given DNS query. (error code 0x251D DNS_INFO_NO_RECORDS) The query was for the SRV record for _ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa
What does this SRV record mean? Is there something I need to re-configure in the server? Let me know, experts.
Thanks.
John
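Al's explanation is the key to reading John's error: the client asks DNS for the _ldap._tcp.dc._msdcs SRV record of the domain it was told to join, and if that name resolves to nothing the join cannot even find a DC. Jorge's follow-up points out that the name in the error looks like a host rather than a domain. The PowerShell below is an added example written for this page, not code from the thread: it queries the locator records for the domain name you expect, against the DNS server the failing client really uses, and then asks the locator itself via NLTEST so the two can be compared. The domain name and DNS server address are constructed placeholders; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and nltest.exe on the machine where it runs.

```powershell
# Added example for this page (not from the thread): check the DC-locator SRV
# records a client needs when joining a domain, then compare with what the
# locator (NLTEST) returns. Domain name and DNS server below are constructed.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DnsServer               # the DNS server the failing client actually uses
    )
    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",   # the record named in John's error, for the whole domain
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain"
    )
    foreach ($name in $records) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Record  = $name
            Found   = ($srv.Count -gt 0)
            # every target should be one of your DCs; an unexpected host here deserves a look
            Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
    # The locator itself: /force bypasses the cached DC so the DNS lookup really happens.
    $nl = & nltest.exe "/dsgetdc:$Domain" /force 2>&1
    [pscustomobject]@{
        Record  = "nltest /dsgetdc:$Domain"
        Found   = ($LASTEXITCODE -eq 0)
        Targets = ($nl | Select-String 'DC:' | ForEach-Object { $_.Line.Trim() }) -join ' '
    }
}

# Constructed values: replace with the domain's DNS name and the client's DNS server.
Test-DcLocatorRecords -Domain 'corp.example.com' -DnsServer '10.0.0.10'
```

If the SRV rows come back empty for the real domain name, Al's point b) applies (the DCs are not registering, or the client points at a DNS server that does not host or forward the zone); if they come back populated but the client's error names a different domain string, the join dialog was given a host or a wrong suffix, which is the question Jorge asks.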
RE: [ActiveDir] DFS vs Robocopy question
I prefer DFS over Robocopy as DFS stores its information in a central location... Active Directory ;-))

I would go for DFS replicated with DFS-R, which is available on R2 servers. DFS-R is so much cooler when compared with NTFRS. For example, DFS-R ONLY replicates changes whereas NTFRS replicates everything, even when only ONE bit has changed.

Independent of which replication mechanism is used, DFS is a site aware service. It tries to locate the nearest Root Target and Link Target. However, be aware that when auto site link bridging is disabled you need additional configuration with REPADMIN.

Remember however, domain based DFS is just like it says... domain-based and not forest based. A domain DFS namespace can only have root targets from the domain where the DFS namespace exists and not from other domains. So, DCs from the domain that hosts the domain based DFS root must be available and preferably nearby as those are contacted to refer the client to the DFS root, even if a client is in another domain in the forest. The DFS link targets can be in any domain however.

So if a client wants to connect to \\SOMEDOMAIN.COM\DFSROOT$\DFSLINK:
1. it contacts a DC in SOMEDOMAIN.COM
2. the DC checks the nearest DFS root for DFSROOT$ and refers the client to it
3. the client contacts the DFS root, which refers the client to the nearest DFS link target for DFSLINK

I could tell you a complete story about DFS and DFS-R but you can also read it yourself. You might wanna have a look at:
Designing Distributed File Systems
http://technet2.microsoft.com/WindowsServer/en/library/1aa249c0-40f3-4974-b67f-e650b602415e1033.mspx?mfr=true

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto (BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx)

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, December 06, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS vs Robocopy question

Hi all,
I'm looking for feedback on a couple of scenarios for our environment. We have three W2K3 SP1 domains and WAN-separated regions in a couple of them. When deploying software, hotfixes and such I want to go to the 'distribution point' for that domain/region so as not to traverse the WAN for downloads. Each distribution point needs to mirror the others. Each region has an app server where we maintain these distribution points for downloads, patches and such, and currently it is managed manually as far as keeping each server identical to the others. I'm not familiar with DFS other than what it is and does, and have not configured or used it. Robocopy seems okay but also has a lot of configuration to deal with. DFS seems to be the best, but I wanted to see what the experts thought. My concern is that if I create the DFS hierarchy I'd still be pointed to one server for the files. In reading the documentation I see multiple roots can be established, which I'm hoping would provide access to each regional distribution point and still replicate the latest uploads from one point to all others. Appreciate any feedback.
Thanks
Jerry
RE: [ActiveDir] Is it possible to determine who created an AD object?
If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are also a member of DOMAIN ADMINS, it will list DOMAIN ADMINS... Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm not mistaken). If it concerns OTHER objects you are lucky if you have configured directory service access for SUCCESS (also the default if I'm not mistaken) AND you have configured one or more SACLs on objects or OUs with objects that should be audited.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

I'd say that you should test it. Create and link a policy where you've set "System objects: Default owner for objects created by members of the Administrators group" to Object creator. Then create a user in AD and check the ownership.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

can you explain?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Which will have no effect on the ownership of the directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

look at the owner. if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: "System objects: Default owner for objects created by members of the Administrators group"

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?

We had a few user accounts that were deleted and then recreated and nobody will take responsibility. I used ADSIedit to verify the creation date/time. While auditing is enabled, the Security log rolled and we missed the event (yes, I know it's an issue). Is there a way to see who created the user object?

Thanks, Mitch.
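One way to script the two steps Jorge describes (read the object's replication metadata to find the originating DC, then check that DC's Security log), as an added example that is not from the thread. It uses the msDS-ReplAttributeMetaData constructed attribute, which carries the same data repadmin /showobjmeta prints, and assumes PowerShell 2.0 or later, Windows Server 2003 or later DCs, rights to read the remote Security log, and the placeholder DN shown in the parameter.

```powershell
# Added example, not from the thread: find the DC on which an AD object was
# originally created and pull the matching account-creation audit event from
# that DC's Security log. Assumes PowerShell 2.0+, Windows Server 2003+ DCs,
# and an account allowed to read the remote Security log. The DN is a placeholder.
param(
    [string]$ObjectDN = 'CN=jdoe,OU=Staff,DC=example,DC=com',  # placeholder object
    [int]$WindowMinutes = 5   # search this far either side of the creation time
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Read the object's replication metadata. msDS-ReplAttributeMetaData is a
#    constructed attribute (XML, one value per attribute) and has to be asked
#    for explicitly; it is the same information as "repadmin /showobjmeta".
$entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ObjectDN")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.SearchScope = 'Base'
$searcher.Filter      = '(objectClass=*)'
[void]$searcher.PropertiesToLoad.Add('msDS-ReplAttributeMetaData')
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Object not found: $ObjectDN" }

# 2. objectClass is written exactly once, at creation, so its metadata entry
#    (version 1) names the originating DSA and the creation timestamp.
$meta = $result.Properties['msds-replattributemetadata'] |
    ForEach-Object { ([xml]$_).DS_REPL_ATTR_META_DATA } |
    Where-Object { $_.pszAttributeName -eq 'objectClass' } |
    Select-Object -First 1
if ($meta -eq $null) { throw 'No objectClass metadata returned; check DC OS level and permissions.' }

$createdUtc = ([datetime]$meta.ftimeLastOriginatingChange).ToUniversalTime()
# The DSA DN is "CN=NTDS Settings,CN=<server>,..."; its parent (the server
# object) carries the DC's dNSHostName.
$serverDn = $meta.pszLastOriginatingDsaDN -replace '^CN=NTDS Settings,', ''
$server   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$serverDn")
$dcHost   = [string]$server.Properties['dNSHostName'].Value

"Object  : $ObjectDN"
"Created : $createdUtc UTC, originating DC: $dcHost"

# 3. Query that DC's Security log around the creation time. Event 624 is
#    "User Account Created" on Windows 2000/2003 (Audit account management,
#    Success); 4720 is the equivalent on Windows Server 2008 and later.
#    Nothing comes back if the log has rolled or that category was not audited.
$from = $createdUtc.AddMinutes(-$WindowMinutes).ToLocalTime()
$to   = $createdUtc.AddMinutes($WindowMinutes).ToLocalTime()
$events = Get-EventLog -ComputerName $dcHost -LogName Security `
              -InstanceId 624, 4720 -After $from -Before $to -ErrorAction Stop

if (-not $events) {
    "No account-creation events between $from and $to on $dcHost (log rolled, or Account Management success auditing not enabled)."
} else {
    foreach ($e in $events) {
        # The Caller User Name (624) / Subject (4720) fields of the message name the creator.
        "{0}  EventID {1}`n{2}" -f $e.TimeGenerated, $e.EventID, $e.Message
    }
}
```

For non-principal objects (Jorge's "OTHER objects" case) the same approach applies, but the events come from the Directory Service Access category and only exist where a SACL was set on the object or its OU.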
RE: [ActiveDir] Is it possible to determine who created an AD object?
which part?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Have you tested this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are also a member of DOMAIN ADMINS, it will list DOMAIN ADMINS... Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm not mistaken). If it concerns OTHER objects you are lucky if you have configured directory service access for SUCCESS (also the default if I'm not mistaken) AND you have configured one or more SACLs on objects or OUs with objects that should be audited.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

I'd say that you should test it. Create and link a policy where you've set "System objects: Default owner for objects created by members of the Administrators group" to Object creator. Then create a user in AD and check the ownership.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

can you explain?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Which will have no effect on the ownership of the directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

look at the owner. if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: "System objects: Default owner for objects created by members of the Administrators group"

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777
RE: [ActiveDir] Is it possible to determine who created an AD object?
just like I wrote it and Tony confirmed it. do you have other experiences?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Test what I wrote in my other response.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

which part?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Have you tested this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are also a member of DOMAIN ADMINS, it will list DOMAIN ADMINS... Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm not mistaken). If it concerns OTHER objects you are lucky if you have configured directory service access for SUCCESS (also the default if I'm not mistaken) AND you have configured one or more SACLs on objects or OUs with objects that should be audited.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

I'd say that you should test it. Create and link a policy where you've set "System objects: Default owner for objects created by members of the Administrators group" to Object creator. Then create a user in AD and check the ownership.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

can you explain?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
RE: [ActiveDir] Is it possible to determine who created an AD object?
oh, and yes I did test it and got the results I mentioned earlier... when not a member of DA but a member of Adms it lists the object creator after changing the policy

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

BTW, speaking strictly about directory objects, if you use an account that is NOT a member of Domain Admins but IS a member of Administrators (DLG), the ownership of the object works exactly the same way as it does if the account is a member of Domain Admins and not a direct member of Administrators. File system objects are still a bit different. :-)

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 05, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

I did Laura's test (the thread was wearing me down ;-)). Even with the policy set to Object Creator it still shows Domain Admins as the owner if I create an object with an account that is a member of Domain Admins. In my case the Domain Admins group is a member of the built-in Administrators group. This means that I saw the option in the security tab to change the ownership from Domain Admins to either Administrators or the account I was logged in with. The conclusion is that you can't use this policy to change the behaviour for AD accounts. Might be different for local accounts on member servers and workstations - but I haven't tested this.

Tony

----- Original Message -----
From: Laura A. Robinson [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 05 Dec 2006 13:44:47 -0500

Have you tested this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are also a member of DOMAIN ADMINS, it will list DOMAIN ADMINS... Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm not mistaken). If it concerns OTHER objects you are lucky if you have configured directory service access for SUCCESS (also the default if I'm not mistaken) AND you have configured one or more SACLs on objects or OUs with objects that should be audited.

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

I'd say that you should test it. Create and link a policy where you've set "System objects: Default owner for objects created by members of the Administrators group" to Object creator. Then create a user in AD and check the ownership.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

can you explain?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Which will have no effect on the ownership of the directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE
RE: [ActiveDir] Is it possible to determine who created an AD object?
sorry to say, but I have different results... mailed them offline to Laura

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Just to make sure everybody understands what I am saying, I'm going to summarize this one last time. If I create an object in AD while I am logged on with an account that is a member of Domain Admins, Domain Admins becomes the owner of the object. NOT the Administrators group. NOT the object creator. DOMAIN ADMINS. If I create an object in AD while I am logged in with an account that is NOT a member of Domain Admins and IS a member of the built-in Administrators group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the object. NOT Administrators, and NOT the object creator. Period. End of story. The group policy setting "System objects: Default owner for objects created by members of the Administrators group" DOES NOT AFFECT DIRECTORY OBJECTS. Test. It. Yourself. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

just like I wrote it and Tony confirmed it. do you have other experiences?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Test what I wrote in my other response.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

which part?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Have you tested this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator. If you are also a member of DOMAIN ADMINS, it will list DOMAIN ADMINS... Is this what you mean?

If the latter is the case, check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation, check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm
RE: [ActiveDir] Tombstone.
are you asking if it is possible to undelete a tombstone which was created when an object was deleted? Well, yes it is possible. When an object is deleted almost all of its attributes are lost except several important attributes. Undeleting the object will not return the values of those attributes. Only doing an authoritative restore or an undelete followed by a write back of attributes (from some repository) will fully restore the object.

also see: MS-KBQ840001 - How to restore deleted user accounts and their group memberships in Active Directory

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Mon 2006-12-04 20:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Tombstone.

Hi all, I have a query. Is it possible to recover a network object from an AD tombstone? If not, then what is the use of it?

Regards, Ajay pardeshi
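The undelete Jorge describes, as an added example that is not from the thread: it lists which attributes are still present on a user's tombstone (so you know what has to be written back afterwards) and, with -Reanimate, performs the in-place undelete via LDAP. It assumes a Windows Server 2003 or later forest, PowerShell 2.0 or later, an account holding the Reanimate Tombstones right, and the placeholder server, domain and account names in the parameters.

```powershell
# Added example, not from the thread: show what survives on a deleted user's
# tombstone and, if asked, reanimate ("undelete") it in place. Assumes a
# Windows Server 2003 (or later) forest, PowerShell 2.0+, and an account holding
# the "Reanimate Tombstones" control access right. All names are placeholders.
param(
    [string]$Server         = 'dc01.example.com',
    [string]$DomainDN       = 'DC=example,DC=com',
    [string]$SamAccountName = 'jdoe',
    [string]$RestoreToOU    = 'OU=Staff,DC=example,DC=com',
    [switch]$Reanimate
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$conn = New-Object "$P.LdapConnection" $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # current credentials

# Tombstones are invisible unless the search carries the show-deleted control
# (LDAP_SERVER_SHOW_DELETED_OID); they live under CN=Deleted Objects.
$search = New-Object "$P.SearchRequest"
$search.DistinguishedName = "CN=Deleted Objects,$DomainDN"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$search.Controls.Add((New-Object "$P.ShowDeletedControl"))
$resp = $conn.SendRequest($search)
if ($resp.Entries.Count -eq 0) { throw "No tombstone for $SamAccountName under CN=Deleted Objects,$DomainDN" }
$tomb = $resp.Entries[0]

# Everything not listed here was stripped at deletion time and has to be
# written back from a backup or another repository after the undelete.
"Tombstone : $($tomb.DistinguishedName)"
"Attributes still present on the tombstone:"
foreach ($name in $tomb.Attributes.AttributeNames) { "  $name" }

if ($Reanimate) {
    # Undelete = one LDAP modify, sent with the show-deleted control, that removes
    # isDeleted and replaces distinguishedName with the new location. The tombstone
    # RDN has the form "CN=jdoe\0ADEL:<guid>"; strip the mangling to get the original.
    $rdn   = ($tomb.DistinguishedName -split '\\0ADEL:')[0]
    $newDn = "$rdn,$RestoreToOU"

    $dropIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $dropIsDeleted.Name      = 'isDeleted'
    $dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($newDn)

    $mod = New-Object "$P.ModifyRequest"
    $mod.DistinguishedName = $tomb.DistinguishedName
    [void]$mod.Modifications.Add($dropIsDeleted)
    [void]$mod.Modifications.Add($setDn)
    [void]$mod.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $null = $conn.SendRequest($mod)

    "Reanimated as $newDn with only the attributes listed above."
    "Password, enabled state, group memberships and the rest still need restoring (see KB 840001)."
}
```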
RE: [ActiveDir] Is it possible to determine who created an AD object?
look at the owner. if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: "System objects: Default owner for objects created by members of the Administrators group"

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?

We had a few user accounts that were deleted and then recreated and nobody will take responsibility. I used ADSIedit to verify the creation date/time. While auditing is enabled, the Security log rolled and we missed the event (yes, I know it's an issue). Is there a way to see who created the user object?

Thanks, Mitch.
RE: [ActiveDir] Is it possible to determine who created an AD object?
can you explain?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

Which will have no effect on the ownership of the directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?

look at the owner. if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: "System objects: Default owner for objects created by members of the Administrators group"

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?

We had a few user accounts that were deleted and then recreated and nobody will take responsibility. I used ADSIedit to verify the creation date/time. While auditing is enabled, the Security log rolled and we missed the event (yes, I know it's an issue). Is there a way to see who created the user object?

Thanks, Mitch.
RE: [ActiveDir] How to completely isolate a DC?
can you describe the type of change? DCs have two types of replication mechanisms... AD replication and FRS replication. For example, disabling outbound AD replication does NOT disable FRS replication.

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Thu 2006-11-16 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?

I need to make a change across our domain. My plan is to make the change on one DC and test it, then roll it out to the other 50 DCs. I tried to temporarily disable outbound replication of Active Directory with repadmin by doing this:

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs immediately. So how can I isolate a DC and make sure the change I made does not replicate to other DCs? Thanks for your help!

Andy
RE: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.
and don't forget:
* MS-KBQ555262 - Common Mistakes When Upgrading Exchange 5.5/2000 To Exchange 2003 (http://support.microsoft.com/?id=555262)
* MS-KBQ822942 - Considerations When You Upgrade to Exchange Server 2003 (http://support.microsoft.com/?id=822942)

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Fri 2006-11-17 10:16
To: ActiveDir.org
Subject: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.

Hello all, I am intending to upgrade an Exchange 2000 environment to Exchange 2003 via a parallel installation as opposed to an upgrade, as the hardware will not handle an upgrade. The environment consists of a Front End Server and 4 Mailbox servers; there is no clustering involved. Does anyone have any experience of doing the installation via this method, and are there any major gotchas? Any recommendations or perhaps a document? All I can find on MS is physical upgrade documentation.

Many thanks, Regards, Mark Parris, Base IT Ltd, Active Directory Consultancy, Tel +44(0)7801 690596

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] How to completely isolate a DC?
did you raise it on the DC WITH the PDC FSMO role or just a DC?
raising the DFL -> contacts the PDC FSMO
raising the FFL -> contacts the schema master FSMO

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Friday, November 17, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to completely isolate a DC?

The change is to raise the domain functional level from Windows 2000 native to Windows 2003 mode. As I understand, once I raise the domain functional level, the ntMixedDomain attribute will be changed along with other functions (like domain controller rename, user password support on the InetOrgPerson objectClass, etc). I want to test it on an isolated production DC first. Just in case something happens, we can shut down this DC without impacting the whole domain. Other than physical isolation or putting a firewall in front of the DC, is there any way to do it? Thanks!

Andy

On 11/17/06, joe [EMAIL PROTECTED] wrote:
What exactly did you change and how did you change it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Thursday, November 16, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?

I need to make a change across our domain. My plan is to make the change on one DC and test it, then roll it out to the other 50 DCs. I tried to temporarily disable outbound replication of Active Directory with repadmin by doing this:

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs immediately. So how can I isolate a DC and make sure the change I made does not replicate to other DCs? Thanks for your help!

Andy
RE: [ActiveDir] How to completely isolate a DC?
how did you check the value of the DFL? ADUC?

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Sat 2006-11-18 00:42
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to completely isolate a DC?

The change is a domain functional level upgrade. So I guess the question is what replication mechanism does it use in terms of a DFL change? Through FRS? From the test lab, the change replicated to other DCs immediately. Is this some kind of Urgent Replication?

Andy

On 11/17/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
can you describe the type of change? DCs have two types of replication mechanisms... AD replication and FRS replication. For example, disabling outbound AD replication does NOT disable FRS replication.

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Thu 2006-11-16 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?

I need to make a change across our domain. My plan is to make the change on one DC and test it, then roll it out to the other 50 DCs. I tried to temporarily disable outbound replication of Active Directory with repadmin by doing this:

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs immediately. So how can I isolate a DC and make sure the change I made does not replicate to other DCs? Thanks for your help!

Andy
RE: [ActiveDir] Locating empty GPOs in a domain / forest
http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven) * Tel : +31-(0)40-29.57.777 * Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest

Does anyone have a script or know of a process which can be used to locate empty GPOs? i.e. GPOs which have no settings enabled or set. The customer has hundreds of GPOs so viewing them one by one using GPMC is not a viable option :/

Many thanks, neil
RE: [ActiveDir] Locating empty GPOs in a domain / forest
> if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied

IMHO, no settings means all settings in the GPO are set to Not Defined. Wouldn't it, for the case you mention, need to have reverse settings or original settings and thus have settings?

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Well, it depends upon the purpose of your quest, but you're correct. For example, you may not want to delete a GPO that has no settings (but does have versionNumber 0) because that may be a desirable state for it. In other words, if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied. Unless you know for sure that those settings have been undone, then you can't be sure the GPO is unused.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks Darren - that assumes the GPO is empty and always was empty, of course :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Another option is to perform an LDAP search on the cn=policies, cn=system container for GPC objects, and on each GPC object, look for a versionNumber attribute == 0. It's probably slightly faster than first generating the HTML report and then parsing it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks horhay :-^ I'd found the GPMC script but your extra logic is very useful :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 15 November 2006 12:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest

Does anyone have a script or know of a process which can be used to locate empty GPOs? i.e. GPOs which have no settings enabled or set. The customer has hundreds of GPOs, so viewing them one by one using GPMC is not a viable option :/

Many thanks,
neil
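Darren's versionNumber test, carried one step further as an added example (Python; not code from the thread or from the blog post Jorge links): it classifies GPC records that have already been read from CN=Policies,CN=System with any LDAP client. The attribute names (versionNumber, flags, displayName) are real GPC attributes; the record values and function names are constructed for the example. It also makes Darren's and Neil's caveat visible: versionNumber == 0 only catches GPOs that were never edited, so a GPO whose settings were added and later removed does not show up.

```python
"""Classify Group Policy Container (GPC) objects from their directory attributes.

Added example, not code from the thread or from the linked blog post. Input
records are dictionaries of real GPC attribute names with constructed values,
as an LDAP client would return them from CN=Policies,CN=System,<domain DN>.
"""

# Darren's test as an LDAP filter: GPC objects never modified since creation.
NEVER_MODIFIED_FILTER = "(&(objectClass=groupPolicyContainer)(versionNumber=0))"

# GPC 'flags' attribute bits.
FLAG_USER_DISABLED = 0x1
FLAG_COMPUTER_DISABLED = 0x2


def split_version(version_number):
    """versionNumber packs two 16-bit counters: user settings version in the
    high word, computer settings version in the low word (same encoding as
    the Version= line in GPT.ini)."""
    version_number = int(version_number) & 0xFFFFFFFF
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def classify(gpc):
    """Return 'never-modified', 'fully-disabled' or 'modified'.

    Only 'never-modified' is provably empty from the directory alone. A GPO
    whose settings were added and later removed keeps a non-zero
    versionNumber, so it lands in 'modified' and needs a settings report,
    or knowledge that its settings were undone, before deletion.
    """
    user_ver, comp_ver = split_version(gpc.get("versionNumber", 0))
    flags = int(gpc.get("flags", 0))
    if user_ver == 0 and comp_ver == 0:
        return "never-modified"
    if flags & FLAG_USER_DISABLED and flags & FLAG_COMPUTER_DISABLED:
        return "fully-disabled"
    return "modified"


def triage(gpcs):
    """Group GPC records by classification, keyed by displayName."""
    report = {"never-modified": [], "fully-disabled": [], "modified": []}
    for gpc in gpcs:
        report[classify(gpc)].append(gpc["displayName"])
    return report


# Constructed sample records (not real GPOs).
SAMPLE_GPCS = [
    {"displayName": "Baseline Workstation", "versionNumber": 0x00030002, "flags": 0},
    {"displayName": "Test - never edited", "versionNumber": 0, "flags": 0},
    {"displayName": "Old Kiosk Lockdown", "versionNumber": 0x00010000, "flags": 3},
    {"displayName": "Settings removed", "versionNumber": 0x00020001, "flags": 0},
]

if __name__ == "__main__":
    print("LDAP filter:", NEVER_MODIFIED_FILTER)
    for cls, names in triage(SAMPLE_GPCS).items():
        print(f"{cls}: {', '.join(names) or '-'}")
```

The "fully-disabled" bucket (flags == 3) is worth separating because such a GPO is harmless today but still holds settings that come back the moment someone re-enables it.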
RE: [ActiveDir] Password Policy Question on Forest-ChildDomain relationship
What passwords are you talking about? For which accounts?

It will not let you change the password as the policy mentions: at least 1 day old.

Password policies are not defined in the default domain controllers policy, but in the default domain policy.

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday 13 November 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Policy Question on Forest-ChildDomain relationship

Dear List readers,

I have a Forest (W2K3 FFL) with an empty root domain and a single child domain (W2K3 FFL). Today I changed the password on all my servers in the child domain including the domain controllers. I meant to exclude them but did not. Now they have the same password as my member servers. I went to change the password again on the DCs in the child domain, but they will not let me. "Your password must be at least 8 characters, cannot repeat any of your previous 0 passwords and must be at least 1 days old" is the error I get.

I have a domain policy set for the computers in the domain, which has the complexity specified above as far as characters, but the group policy (default Domain Controllers) for my DCs in the child domain is Not Defined in all of the password policy options. Nor is there anything defined in the Forest Root Default Domain Controllers policy, which I thought might be flowing down to my Child Domain DCs. I cannot find where the policy might be set keeping me from changing the password in my Child Domain DCs. Would anyone know where to find that setting? I would like to reset my Child DCs so their password is different.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
RE: [ActiveDir] Timeout period on object moves?
Can you explain the steps you've taken?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 2006-11-13 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Timeout period on object moves?

All-

I'm trying to track down some interesting behavior in GP processing. I am wondering how AD deals with object moves. Specifically, I am moving a computer object around between OUs and it appears that the computer itself is not picking up every move during GP processing as I would expect. I don't see where the behavior could be coming from on the client side (I even deleted the value in the registry where GP stores the DN of the object) and so I'm wondering if AD is doing something here when it returns the results of the LDAP query that the client does during GP processing to determine its location in AD. It's almost as if AD is caching the previous location of the object to dampen excessive object moves. Sounds weird but I'm wondering if anyone has an explanation to this?

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com (http://www.gpoguy.com/) -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide (http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glancen=283155), the definitive resource for Group Policy information.
RE: [ActiveDir] Help with Replication Mess
point DCB1 to another DNS server and see what happens

cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 21:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help with Replication Mess

Hi -

I am trying to sort out a long-standing replication mess. The configuration is three sites (W2k3 FL as per earlier email) connected over T1 lines in series (A-B-C). The layout is:

Site A:
- DCA1 (bridgehead)
- DCA2

Site B:
- DCB1 (self for DNS)
- DCB2 (bridgehead; DCA1 for DNS)
- DCB3 (DCA1 & DCA2 for DNS)

Site C:
- DCC1 (bridgehead)

There are two IP site links with equal cost: A-B and A-C.

Site B is the problem. The event logs of DCB1 are filled with KCC and FRS errors. Also, depending on where you point your "Sites and Services" tool, you get different information about what DC is in what Site as well as phantom objects (such as the same DC in two sites, long demoted DCs lingering, dead sites still present).

The goal for the weekend is to remove DCB1 and DCB2, leaving only DCB3. But, I am concerned that replication is not working correctly and that demoting them improperly will lead to bigger problems. What is the best way to go about cleaning this up? The DCs in Site A and C are fine. Can I just pull replication data from there?

Thanks.

-- nme
RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries
maybe another option is... use joe's ADFIND and query for dnsNode objects and specifically the dnsRecord attribute. And see if you can filter differences.

just a wild idea

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of WATSON, BEN
Sent: Wed 2006-11-08 22:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries

Hi Al,

Thanks for the response. Yeah, that was much of what I expected. I figured what I was looking for would be somewhere in the realm of extremely difficult to find or impossible and I guess I was right. I'll definitely look into the DNSCMD and DSACLS to see if that can provide any of the information I am looking for.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 08, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Semi-OT] AD Integrated DNS entries

One of the nice-to-haves that was left out of Microsoft's integrated implementation was the ability to easily gather this type of information. IIRC, DNSCMD coupled with dsacls will give you some of that information. There are also some APIs that are available to try and roll your own, but nothing that really gives good information IMHO.

There's a KB somewhere out there that describes how to set the ownership of each record using dsacls due to a problem with DHCP registration of records using a particular service account. I don't recall exactly the KB, but take a look and see if you can't modify the dsacls command to report the ownership of the records.

Al

On 11/7/06, WATSON, BEN [EMAIL PROTECTED] wrote:

Hey guys,

Simple question I hope. I was looking for a way to determine a couple things about DNS (A & PTR records) entries in an Active Directory Integrated DNS environment...

1) Is there a way to determine whether the entry has been manually defined (and thus is never scavenged) or registered through dynamic updates?
2) Is there a way to determine the current age of a DNS entry?
3) Is there a way to determine who has the rights to make modifications to an entry through dynamic updates?

Thanks as always,
~Ben
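An added example (Python; not from the thread and not what ADFIND does) that reads the dnsRecord blob Jorge points at and answers Ben's first two questions offline. The header layout follows the dnsRecord structure in MS-DNSP: DataLength, Type, Version, Rank, Flags, Serial, TtlSeconds (the one big-endian field), Reserved, TimeStamp, then the record data. TimeStamp is hours since 1601-01-01 UTC, and zero marks a static record that scavenging skips. The blobs below are constructed with the build_record and count_name helpers, so nothing here is real zone data. Question 3 (who may update a record) lives in the dnsNode object's security descriptor, which this example does not touch.

```python
"""Parse the dnsRecord attribute of an AD-integrated dnsNode object.

Added example, not from the thread. Layout per MS-DNSP dnsRecord:
DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TtlSeconds(4, big-endian)
Reserved(4) TimeStamp(4) Data. TimeStamp is hours since 1601-01-01 UTC; zero means
the record is static and is never scavenged. All sample blobs are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<HHBBHI")   # DataLength, Type, Version, Rank, Flags, Serial (12 bytes)
TYPE_A, TYPE_PTR = 1, 12


def decode_count_name(data):
    """DNS_COUNT_NAME: Length(1) LabelCount(1) then (len, label)* and a 0 terminator."""
    label_count = data[1]
    pos, labels = 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def parse_dns_record(blob):
    """Return header fields, decoded data for A/PTR records, and the
    static/dynamic verdict derived from TimeStamp."""
    data_len, rtype, version, rank, flags, serial = HEADER.unpack_from(blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]               # TtlSeconds, big-endian
    timestamp_hours = struct.unpack_from("<I", blob, 20)[0]   # offset 16 is Reserved
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated dnsRecord")
    rec = {
        "type": rtype, "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "static": timestamp_hours == 0,
        "timestamp": None if timestamp_hours == 0
        else FILETIME_EPOCH + timedelta(hours=timestamp_hours),
    }
    if rtype == TYPE_A and data_len == 4:
        rec["data"] = ".".join(str(b) for b in data)
    elif rtype == TYPE_PTR:
        rec["data"] = decode_count_name(data)
    else:
        rec["data"] = data.hex()
    return rec


def record_age(rec, now):
    """Age of a dynamic record (Ben's question 2); None for a static record."""
    return None if rec["static"] else now - rec["timestamp"]


# --- helpers used only to build the constructed samples ---------------------
def count_name(fqdn):
    labels = fqdn.rstrip(".").split(".")
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def build_record(rtype, data, ttl, timestamp_hours, serial=1):
    head = HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial)   # Version 5, Rank ZONE
    return head + struct.pack(">I", ttl) + struct.pack("<I", 0) \
        + struct.pack("<I", timestamp_hours) + data


def hours_since_1601(dt):
    td = dt - FILETIME_EPOCH
    return td.days * 24 + td.seconds // 3600


STAMP = hours_since_1601(datetime(2006, 11, 1, tzinfo=timezone.utc))
DYNAMIC_A = build_record(TYPE_A, bytes([10, 1, 1, 50]), 1200, STAMP)
DYNAMIC_PTR = build_record(TYPE_PTR, count_name("host1.ad.lan"), 1200, STAMP)
STATIC_A = build_record(TYPE_A, bytes([10, 1, 1, 10]), 3600, 0)

if __name__ == "__main__":
    now = datetime(2006, 11, 8, tzinfo=timezone.utc)
    for blob in (DYNAMIC_A, DYNAMIC_PTR, STATIC_A):
        r = parse_dns_record(blob)
        age = record_age(r, now)
        print(r["data"], "static (never scavenged)" if r["static"] else f"dynamic, age {age}")
```

A record whose TimeStamp is non-zero but very old is the one scavenging will remove once the no-refresh plus refresh interval has elapsed; a TimeStamp of zero survives scavenging regardless of age, which is the behaviour Ben is trying to tell apart.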
RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
if you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story.

File based data - ADMT
Print services - SUBINACL
Services - SUBINACL
Shares - SUBINACL
Registry - SUBINACL
IIS - third party
SQL - third party
Citrix - don't know

PS.: SUBINACL is in the resource kit, but make sure to download the latest version

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes.

Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks.

Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually..

Thanks,
...D
RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
although SUBINACL does have the ability to do what I mentioned, ADMTv3 is a better option... my apologies for the quick information, let's try this again ;-)

File based data ACLs - ADMTv3
Print services ACLs - ADMTv3
Services ACLs - SUBINACL (only needed when ACEs set manually or through a GPO)
Service Accounts - ADMTv3 (make sure you identify the custom service accounts FIRST on each server to be migrated. This also prevents the option "change password at next logon" being set as the user account is migrated. All accounts NOT identified as service accounts will have the option set. If needed you can revert this afterwards with ADMOD/ADModify)
Shares ACLs - ADMTv3
Registry ACLs - ADMTv3
IIS - third party
SQL - third party
Citrix - don't know

REMARK: if you have migrated users/groups WITH sIDHistory it may look like permissions have been translated. These are really translated when the actual translation task has been started/executed. When the translation task has not been executed (yet), you will see that permissions may show as TARGET\SEC PRINC instead of SOURCE\SEC PRINC. This is because of the use of sIDHistory within the target domain. The system translates this to the TARGET ACCOUNT NAME. In reality, when digging you will still see the SID of the source sec. principals. Just something to be aware of. This applies to everything that uses SIDs after migrating objects while data has not been translated yet.

For example:

* looking at the ACL of the DNS service after the migration of the computer (which I changed prior to the migration of the computer account using an account of the source domain)

subinacl /service \\w2k3r2srv\dns /display=dacl
/pace =ad\jorgegroup   ACCESS_ALLOWED_ACE_TYPE-0x0   SERVICE_ALL_ACCESS
/pace =ad\jorgeuser    ACCESS_ALLOWED_ACE_TYPE-0x0   SERVICE_ALL_ACCESS

subinacl /service \\w2k3r2srv\dns /display=sddl
+Service dns
/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

S-1-5-21-1153913138-43527854-1722840164-1019 = NT4\jorgegroup
S-1-5-21-1153913138-43527854-1722840164-1020 = NT4\jorgeuser

* looking with LDP into the objects

Dn: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN
  2> objectClass: top; group;
  1> cn: JORGEGROUP;
  1> distinguishedName: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN;
  1> objectGUID: 7c333aeb-589d-4da2-ad97-13c3f10a4e50;
  1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8997;
  1> sAMAccountName: JORGEGROUP;
  1> sAMAccountType: 268435456;
  1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1019;   +++OLD SID
  1> groupType: 0x8002 = ( GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED );
  1> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=LAN;

Dn: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN
  4> objectClass: top; person; organizationalPerson; user;
  1> cn: JORGEUSER;
  1> distinguishedName: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN;
  1> name: JORGEUSER;
  1> objectGUID: d719eb60-369a-448e-9554-96af1fae20b9;
  1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
  1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8998;
  1> sAMAccountName: JORGEUSER;
  1> sAMAccountType: 805306368;
  1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1020;   +++OLD SID
  1> userPrincipalName: [EMAIL PROTECTED];
  1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=LAN;

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2006-11-07 19:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

ADMT3 can replace subinacl...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

if you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story.

File based data
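Jorge's point that the ACL still holds the source SID can be checked without relying on the UI's name resolution. The following added example (Python; not part of the message, and not what SUBINACL or ADMT does) parses the DACL portion of the SDDL string shown above and resolves each trustee against constructed copies of the two objects from the LDP dump: first by objectSid, then by sIDHistory. Any ACE that resolves only through sIDHistory is one the translation task has not rewritten yet, however the Windows UI labels it. Function names, the WELL_KNOWN alias table and the OBJECTS records are the example's own.

```python
"""Find ACEs that still carry a source-domain SID after an sIDHistory migration.

Added example, not part of the original message. Parses the DACL of an SDDL
string (the service SDDL from the message is used as input), extracts each
ACE's trustee, and resolves it against constructed directory objects by
objectSid first and sIDHistory second.
"""
import re

# Two-letter SID aliases that appear as trustees in the sample SDDL.
WELL_KNOWN = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
              "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
              "AU": "NT AUTHORITY\\Authenticated Users", "PU": "BUILTIN\\Power Users",
              "WD": "Everyone"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_aces(sddl):
    """ACE tuples (type, flags, rights, trustee) from the D: component only."""
    m = re.search(r"D:(?:[A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")       # type;flags;rights;object_guid;inherit_guid;sid
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def resolve(trustee, objects):
    """Map a trustee to (display name, via); via is 'alias', 'objectSid',
    'sIDHistory' or 'unresolved'."""
    if trustee in WELL_KNOWN:
        return WELL_KNOWN[trustee], "alias"
    for obj in objects:
        if obj["objectSid"] == trustee:
            return obj["name"], "objectSid"
    for obj in objects:
        if trustee in obj.get("sIDHistory", ()):
            return obj["name"], "sIDHistory"
    return trustee, "unresolved"


def untranslated_aces(sddl, objects):
    """ACEs whose trustee is a source-domain SID that only matches via sIDHistory.
    These are the ones the ADMT security translation task has not rewritten."""
    hits = []
    for ace_type, _flags, rights, trustee in dacl_aces(sddl):
        name, via = resolve(trustee, objects)
        if via == "sIDHistory":
            hits.append({"trustee": trustee, "shown_as": name,
                         "rights": rights, "type": ace_type})
    return hits


# Constructed objects; the SIDs match the LDP dump in the message above.
OBJECTS = [
    {"name": "AD\\jorgegroup",
     "objectSid": "S-1-5-21-3495709831-2249124843-3216744473-8997",
     "sIDHistory": ["S-1-5-21-1153913138-43527854-1722840164-1019"]},
    {"name": "AD\\jorgeuser",
     "objectSid": "S-1-5-21-3495709831-2249124843-3216744473-8998",
     "sIDHistory": ["S-1-5-21-1153913138-43527854-1722840164-1020"]},
]

SERVICE_SDDL = (
    "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for hit in untranslated_aces(SERVICE_SDDL, OBJECTS):
        print(f"{hit['trustee']} is displayed as {hit['shown_as']} "
              f"but is still the source SID ({hit['rights']})")
```

Running this over the service, share, registry and file ACLs of a migrated server before the source domain is decommissioned tells you exactly which ACEs will stop working once sIDHistory is stripped from the target accounts.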
RE: [ActiveDir] Subnet Object Question
Hi Brian,

The following represents subnet 10.1.1.0/24, as you can see, it is used in the CN and NAME

Expanding base 'CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
Dn: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN
  2> objectClass: top; subnet;
  1> cn: 10.1.1.0/24;
  1> distinguishedName: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight Time;
  1> whenChanged: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight Time;
  1> uSNCreated: 13938;
  1> uSNChanged: 13938;
  1> showInAdvancedViewOnly: TRUE;
  1> name: 10.1.1.0/24;
  1> objectGUID: d69ed007-4556-4f85-b018-d6ff405ae2f1;
  1> systemFlags: 0x4000 = ( FLAG_CONFIG_ALLOW_RENAME );
  1> siteObject: CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN;
  1> objectCategory: CN=Subnet,CN=Schema,CN=Configuration,DC=AD,DC=LAN

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Sun 2006-11-05 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Subnet Object Question

Question on Subnet Objects - It appears that there is not an actual property designated for the subnet network/mask. Does anyone know, does AD use the name or cn for this information?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
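Since the prefix lives only in cn/name, anything that needs to map an address to a site has to parse that string. The following added example (Python; not from the message) does the lookup over constructed subnet objects with the standard ipaddress module, picks the longest matching prefix when subnets nest, and lists addresses no subnet covers; clients on such addresses are not site-aware and may end up authenticating to a DC in any site. The SUBNET_OBJECTS records and function names are the example's own; the cn and siteObject attribute names are the real ones from the LDP dump.

```python
"""Map client addresses to AD sites using subnet objects' cn and siteObject.

Added example, not part of the message. The subnet prefix exists only in the
object's cn/name, so it is parsed from there; siteObject gives the site DN.
Sample subnet objects are constructed.
"""
import ipaddress

SUBNET_OBJECTS = [
    {"cn": "10.1.1.0/24", "siteObject": "CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN"},
    {"cn": "10.1.0.0/16", "siteObject": "CN=Campus,CN=Sites,CN=Configuration,DC=AD,DC=LAN"},
    {"cn": "10.1.1.128/25", "siteObject": "CN=Lab,CN=Sites,CN=Configuration,DC=AD,DC=LAN"},
    {"cn": "2001:db8:1::/48", "siteObject": "CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN"},
    {"cn": "not-a-prefix", "siteObject": "CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN"},
]


def site_name(site_dn):
    """'CN=HQ,CN=Sites,...' -> 'HQ'."""
    return site_dn.split(",", 1)[0].split("=", 1)[1]


def load_subnets(objects):
    """Parse each cn into a network; skip values that are not valid prefixes.
    strict=True rejects prefixes with host bits set (e.g. 10.1.1.5/24),
    which AD itself also refuses when a subnet object is created."""
    table = []
    for obj in objects:
        try:
            net = ipaddress.ip_network(obj["cn"], strict=True)
        except ValueError:
            continue
        table.append((net, site_name(obj["siteObject"])))
    return table


def find_site(ip, table):
    """Longest-prefix match; None when no subnet object covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return None if best is None else best[1]


def uncovered(ips, table):
    """Addresses with no subnet object: these clients are not site-aware."""
    return [ip for ip in ips if find_site(ip, table) is None]


if __name__ == "__main__":
    table = load_subnets(SUBNET_OBJECTS)
    for ip in ("10.1.1.50", "10.1.1.200", "10.1.7.9", "192.168.0.1", "2001:db8:1::10"):
        print(ip, "->", find_site(ip, table))
    print("uncovered:", uncovered(["10.1.1.1", "172.16.0.1"], table))
```

Feeding the DCs' own addresses and the address ranges of remote offices through uncovered() is a quick way to find the missing subnet objects that make clients authenticate against a DC on the wrong side of a WAN link.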
RE: [ActiveDir] _MSDCS changes from 2000 to 2003
See: Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?id=825036

cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday 2 November 2006 17:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _MSDCS changes from 2000 to 2003

Looking for the general consensus on best practice for a domain that was upgraded from 2000 to 2003 and switched to 2003 native mode. Looking at http://support.microsoft.com/kb/817470/, MS recommends that we point the primary DNS of all our DCs to a single root controller in our empty forest root domain. Then there's some steps to 'switch' to the 2003 way of doing things. Is this going to help us in any way, and is this article a good idea to follow?

Thanks

~~ This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Cameron and its Operating Divisions. Any unauthorized use or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message inclusive of any attachments. ~~
RE: [ActiveDir] ADMT v3 Profile cleanup options
* within the same forest -- no need to translate profiles (although different SID, GUID takes care of this)
* between different forests -- profile translation is needed (different GUID and SID)

you can use ADMT or any third party tool

as soon as users start to use their new account you need to translate the profile

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Fri 2006-10-27 15:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT v3 Profile cleanup options

Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile.

Just curious how you have all managed to get around this without interrupting the users too much.

Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D
RE: [ActiveDir] list lastlogontime for every user script
> I used Joe's tool (no sexual connotation here) because it was easy and fast

never mind, half of the world does it! ;-)

ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777 | Mobile: +31-(0)6-26.26.62.80 | E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool. I used Joe's tool (no sexual connotation here) because it was easy and fast.

I have just one question, I am getting some users with lastLogonTimestamp /00/00-00:00:00, most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never log in to the system.

This is the command that I used:

oldcmp -report -age 90 -users -llts

is there a way of excluding disabled users from the results?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

How is this 9-14 day value tracked for each user object, by the way?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it will be updated about every 9-14 days (14 days with a random swing of minus 0-5 days). You can output to csv or html, whatever is more convenient for you. Alternately if you just want to query the value directly, you can use adfind to generate the output. However, oldcmp tends to be easier for most folks.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,

I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date...

Does anyone have a script that will do something similar? Does Joeware have something similar?

Thanks
Ramon
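An added example (Python; not from the thread, and not oldcmp or adfind) for the two things Ramon asks about: converting the lastLogonTimestamp FILETIME value to a date, and leaving disabled and never-logged-on accounts out of the report. It also folds in joe's 9-14 day update lag: the cutoff is widened by the 14-day msDS-LogonTimeSyncInterval so an account is only reported when even its latest possible logon is past the age limit. Input entries are constructed dictionaries of the attributes an LDAP query would return (lastLogonTimestamp, userAccountControl, sAMAccountName); the function names and sample accounts are the example's own.

```python
"""Stale-account report from lastLogonTimestamp.

Added example, not from the thread and not oldcmp/adfind. lastLogonTimestamp
is a FILETIME (100-ns ticks since 1601-01-01 UTC). It is replicated, but a DC
only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval
(14 days) minus a random 0-5 days, so the real last logon can be up to 14 days
later than the attribute says. 0 or absent means no logon has been recorded.
Sample entries are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002
SYNC_INTERVAL_DAYS = 14   # default msDS-LogonTimeSyncInterval


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer, or its decimal string as LDAP returns it;
    0 (never logged on) becomes None."""
    ft = int(filetime)
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    """Inverse conversion, integer arithmetic only (used for the samples)."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def is_disabled(entry):
    return int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE != 0


def stale_accounts(entries, now, max_age_days=30, include_disabled=False,
                   include_never=False):
    """Accounts whose last logon is provably older than max_age_days.

    The sync-interval lag is added to the threshold so an account is reported
    only when even the most recent possible logon would be too old."""
    cutoff = now - timedelta(days=max_age_days + SYNC_INTERVAL_DAYS)
    report = []
    for e in entries:
        if not include_disabled and is_disabled(e):
            continue
        last = filetime_to_datetime(e.get("lastLogonTimestamp", 0))
        if last is None:
            if include_never:
                report.append((e["sAMAccountName"], None))
            continue
        if last < cutoff:
            report.append((e["sAMAccountName"], last))
    return report


NOW = datetime(2006, 10, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=90))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,          # 40 days: inside the lag window
     "lastLogonTimestamp": str(to_filetime(NOW - timedelta(days=40)))},
    {"sAMAccountName": "olduser", "userAccountControl": 0x202,        # disabled
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "SystemMailbox", "userAccountControl": 0x200,
     "lastLogonTimestamp": 0},                                        # never logged on
]

if __name__ == "__main__":
    for name, last in stale_accounts(SAMPLE_USERS, NOW):
        print(f"{name}: last logon on or after {last:%Y-%m-%d}")
```

carol is deliberately left out of the default report: her attribute says 40 days, but the lag means she may have logged on as recently as 26 days ago, so reporting her at a 30-day threshold would be a false positive.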
RE: [ActiveDir] sysvol replication
ah yes, very true...

In Longhorn, once Domain Functional Level is reached (i.e. all DCs in a domain run Longhorn Server and the switch to DFL 3 has been made), the DCs will switch to leveraging the new DFSR replication mechanism (which is basically what was made available with Win2003 R2). This is very efficient for replicating files as it only replicates the actual changes - incl. ACEs.

the changes only are due to RDC (Remote Differential Compression)

read more here: http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx?mfr=true
search for: Remote Differential Compression details

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 2006-10-20 00:45
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication

my reply was a little hurried - so what I meant was that in 2k/2k3 the NTFS permission/ACL changes will actually trigger a full replication of all files and folders that have been affected by the change of permissions (i.e. when the changes are applied at the top level, all files will be replicated). This is due to a limitation in the current version of FRS which always replicates the whole file for any change that happens to the files (and an ACL change is just seen as any other change).

In Longhorn, once Domain Functional Level is reached (i.e. all DCs in a domain run Longhorn Server and the switch to DFL 3 has been made), the DCs will switch to leveraging the new DFSR replication mechanism (which is basically what was made available with Win2003 R2). This is very efficient for replicating files as it only replicates the actual changes - incl. ACEs.

and yes the SYSVOL replication follows your site-link schedules - however, since Win2k3 SP1 (and Win2k SP4) you can also (finally) trigger it manually via the NTFRSUTL tool. Also I've seen occasions where SYSVOL actually replicated outside the site-link schedule window - can't tell you right now under which circumstances this is the case.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Thu 10/19/2006 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication

> won't change until you deploy Longhorn and switch to LH DFL

Guido, can you explain what you mean with this? (I know SYSVOL will be replicated with DFSR as soon as DFL=W2K7 is reached)

thanks
jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 2006-10-19 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication

Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy Longhorn and switch to LH DFL)

/Guido
--- sent wirelessly using iPAQ 6900

-----Original Message-----
From: Graham Turner [EMAIL PROTECTED]
To: activedir@mail.activedir.org
Sent: 10/19/06 5:29 PM
Subject: [ActiveDir] sysvol replication

Just a quick query on sysvol replication.

We have put in place a strategy for delegation of the directory shared as netlogon by way of adding an ACE to the NTFS permissions.

Is it correct that on DC's running Windows 2000 SP4 a change in the NTFS permissions will generate the change notifications such that the NTFS permission change is replicated to all DC's??

In terms of schedule for sysvol, does it use the schedule as determined by site link configuration??

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Security-enable all your distribution lists?
have a look at:

Addressing Problems Due to Access Token Limitation
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en#filelist
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Harvey Kamangwitz
Sent: Sat 2006-10-21 01:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security-enable all your distribution lists?

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token?

The issue is tied in to Sharepoint. Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access. Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :)

In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.

Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400! So... we have to do what we can to mitigate the impact for the large-token people.

Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.

Thanks,
Harvey
RE: [ActiveDir] Vista WMI
joe, if you are talking about the "operatingSystem" attribute in AD, well... it depends

Using the latest available builds here...

if OS="Longhorn" and serverRole="writable DC" and media="Full Install" then "operatingSystem" attribute DOES NOT contain special characters
if OS="Longhorn" and serverRole="read-only DC" and media="Full Install" then "operatingSystem" attribute DOES NOT contain special characters
if OS="Longhorn" and serverRole="member server" and media="Server Core" then "operatingSystem" attribute DOES contain special characters
if OS="Longhorn" and serverRole="member server" and media="Full Install" then "operatingSystem" attribute DOES contain special characters
if OS="Vista Ultimate" then "operatingSystem" attribute DOES contain special characters

Just bugged it again with MS

jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 19, 2006 01:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista WMI

This "corruption" is probably the fact that MSFT[1] put a copyright symbol in the name of the OS, it is even reflected in AD. I bugged this some time ago and got back a "you need to go talk to someone else" initially and then ~Eric tried to push it forward, I don't think it got fixed for Vista. Hopefully they will fix it for Longhorn because there will be quite a few people bitching who are doing things at the command line or like you with scripts.

joe

[1] That was said with a sneer and pretend I also said, "ITIW"

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, October 18, 2006 5:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista WMI

I'm trying to get a script working in Vista with no success. For some reason the OS caption on Vista looks corrupted, but when I enter it as it's displayed in wmic, my script ignores it. I even tried to correct it, and still no success.

Here's the script:

    Dim WshShell
    Dim objWMIService, colOperatingSystems, objOperatingSystem, strComputer, objFSO
    strComputer = "."
    Set WshShell = WScript.CreateObject("WScript.Shell")
    On Error Resume Next

    ' If Workstation, exit script
    ' (the "&" concatenation operators were lost in the list archive and are restored here)
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        If objOperatingSystem.Caption = "Microsoft Windows 2000 Professional" Then WScript.Quit
        If objOperatingSystem.Caption = "Microsoft Windows XP Professional" Then WScript.Quit
        ' Vista caption as it appears in wmic, with the registered/trademark symbols mangled
        If objOperatingSystem.Caption = "Microsoftr Windows VistaT Ultimate" Then WScript.Quit
        If objOperatingSystem.Caption = "Microsoft Windows Vista Ultimate" Then WScript.Quit
    Next

    ' Check / Set registry settings for screen saver. Logoff user if settings are updated
    Dim isLocked, ssTimeout, ssActive, ScrnSave, wmi, objSet, LogonServer
    isLocked  = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaverIsSecure")
    ssTimeout = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeout")
    ssActive  = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaveActive")
    ScrnSave  = WshShell.RegRead("HKCU\Control Panel\Desktop\SCRNSAVE.EXE")
    ' The comparison operator on the timeout was lost in the archive; ">" (timeout longer than 900 s) is assumed
    If (isLocked = 0) Or (CInt(ssTimeout) > 900) Or (ssActive = 0) Or (ScrnSave = "") Then
        WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaverIsSecure", 1, "REG_SZ"
        WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveActive", 1, "REG_SZ"
        WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeout", 900, "REG_SZ"
        WshShell.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE", "%systemroot%\system32\logon.scr", "REG_SZ"
        WshShell.Popup "ScreenSaver settings were not previously set. Settings have been updated. A logout is required to activate new settings. Click Ok and the system will log you out now. Auto-logoff in 20 seconds.", 20, , 0 + 64
        ' LogonServer was not defined in the posted script; it is assumed here to come from the %LOGONSERVER% environment variable
        LogonServer = WshShell.ExpandEnvironmentStrings("%LOGONSERVER%")
        WshShell.Run LogonServer & "\netlogon\shutdown.exe /l /f", 0, True
    End If
RE: [ActiveDir] sysvol replication
The addition/change of an ACE on a folder or file is like the addition/change of a file/folder... within a site it will replicate immediately and between sites according to the schedule as soon as the replication window opens

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Thu 2006-10-19 17:01
To: activedir@mail.activedir.org
Subject: [ActiveDir] sysvol replication

Just a quick query on sysvol replication.

We have put in place a strategy for delegation of the directory shared as netlogon by way of adding an ACE to the NTFS permissions.

Is it correct that on DC's running Windows 2000 SP4 a change in the NTFS permissions will generate the change notifications such that the NTFS permission change is replicated to all DC's??

In terms of schedule for sysvol, does it use the schedule as determined by site link configuration??

Thanks
RE: [ActiveDir] sysvol replication
> won't change until you deploy Longhorn and switch to LH DFL

Guido, can you explain what you mean with this? (I know SYSVOL will be replicated with DFSR as soon as DFL=W2K7 is reached)

thanks
jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 2006-10-19 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication

Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy Longhorn and switch to LH DFL)

/Guido
--- sent wirelessly using iPAQ 6900

-----Original Message-----
From: Graham Turner [EMAIL PROTECTED]
To: activedir@mail.activedir.org
Sent: 10/19/06 5:29 PM
Subject: [ActiveDir] sysvol replication

> Just a quick query on sysvol replication [original question as quoted in the earlier replies in this thread]
RE: [ActiveDir] Lingering info following domain rename with rendom
Tony,

Don't forget to rename the DCs as that is an additional action after the domain rename

jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 17, 2006 05:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lingering info following domain rename with rendom

Aha, the rendom /clean was what I hadn't run. In typical fashion I ignored everything after rendom /end (and GPFixUp). This is a lab environment after all :-)

Thanks Steve - it was driving me nuts.

Tony

-----Original Message-----
From: Steve Linehan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 16 Oct 2006 20:10:15 -0700

Have you run the rendom /clean operation yet? Also what is the output of netdom /enumerate:ALLNAMES ?

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, October 16, 2006 9:19 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Lingering info following domain rename with rendom

Hi all

I've renamed a domain using the rendom utility. All appears to have gone well, but I now get 5781 Netlogon errors in the System event log complaining that it can't register DNS records associated with the old domain. This doesn't appear to affect anything, but I'm keen to know why this is happening.

The SRV records for the new domain name are all registered correctly (AD integrated DNS). If I look in the netlogon.dns file I see records representing both the old domain name (let's say old.com) and the new domain name (new.com).

The old zone was AD integrated, so I've trawled through AD looking for references to the old zone, but I can't find anything. I've looked in the following locations, but all seems normal, i.e. references to the new domain name.

CN=MicrosoftDNS,CN=System,DomainDN
DC=DomainDNSZones,DomainDN
DC=ForestDNSZones,DomainDN

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and restarting the netlogon service, but that didn't help. Each time the newly created netlogon.dns contains records corresponding to the old domain.

The netlogon log file (with debugging turned on) contains the following references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsDomainNameAlias from (null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating DnsForestNameAlias from (null) to old.com

Any thoughts on where the old domain information might be coming from?

Tony

Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] WAY WAY OT: I'm shareing the Best Kept Secret I know.
1 nothing
2 nothing
3 nothing
4 nothing
5 nothing
6 nothing
7 nothing
8 nothing
9 nothing
10 nothing (just to be sure) ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fleming, Dave (DotComm)
Sent: Tuesday, October 17, 2006 15:29
Subject: [ActiveDir] I'm shareing the "Best Kept Secret" I know.

Top Ten Things Men Understand About Women

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Dave Fleming
Network Administrator
Douglas-Omaha Technology Commission
408 So. 18th St.
Omaha NE 68102
[EMAIL PROTECTED]
(402) 444-6290
RE: [ActiveDir] Forest trust divestitures
very very true

interim forests...

AND another part is responsibility... first it's mine and THEN it is yours (and there is very little to nothing in between). In other words... a clear hand-over moment.

although the selling company is responsible for the first phase, the buying company should be involved in the first phase (although not leading) to be sure they know what they get and of course also how they get it. The buying company should set up requirements and discuss these with the selling company

jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, October 10, 2006 21:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trust divestitures

If I were the security officer for Company B, I would have real issues with this plan. Most companies with sufficient understanding of AD Security would not want any of their DCs placed in any location where the other company's network is still active (i.e. DCs from company A and company B on same network). That's different in a merger, where the full IT infrastructure will be merged anyways. But you're talking about a divestiture of a PART of a company.

The plan you're describing doesn't really scale well over time - not sure if you're considering issues you're experiencing during the migration - how long are you willing to run forest B without PDC/RID etc?

What I've done in similar situations is to implement an interim forest.

Step 1: implement Interim Forest C in Company A's network - migrate objects and resources from the divested BU over from Forest A to C. Test that the divested BU works in Forest C and that other Company A BUs continue to work fine as well. Potentially change naming convention of objects to that of Company B during the migration to Forest C. Troubleshoot as necessary.

Step 2: when ready, separate the network of Forest C from Company A and integrate it with the network from Company B

Step 3: with sufficient time for planning the integration, migrate objects and resources from Forest C to B. If not done previously, adjust the naming convention of objects during this migration.

This sounds like a whole lot of extra work, but usually it pays off: it is the most secure way to separate the divested part of the company and doesn't put either company at (unwanted) risks. It also gives you more flexibility on when to do which step and won't cause any issues with either of the operational forests.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Monday, October 09, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest trust divestitures

Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)

- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.
- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. All forest B pocket network DCs can talk to each other as well as back home.

D-Day:
- Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)
- Firewall off communication to company B's network, and open up comm to company A's network. This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration. There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).
- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.
- Establish the forest trust from A to B. Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to
RE: [ActiveDir] OT: Ello!
sh!t.. he found the list... and I hoped he would never find it

well... I guess it did not work when I told him it was something like edir.org ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Paul van Geldrop
Sent: Tue 2006-10-10 17:37
To: ActiveDir
Subject: [ActiveDir] OT: Ello!

Ello!

Just thought I'd at least have the decency to announce my presence on this list. ;) Joined today and looking forward to learning from all the grey matter frequenting this list!

Regards,
Paul
RE: [ActiveDir] finding users that password never expire.
to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled

    ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query use as the LDAP filter:

    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know the OID

OR is by the way: 1.2.840.113556.1.4.804

for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump in AD all users whose password never expires.

I used the saved queries with this custom ldap query:

    useraccountcontrol=66048

which corresponds to the NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD properties flag.

BUT i found that this search was not complete, because some users have other properties flags such as

    UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD

or

    UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED

... :(

So the question is: How to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom ldap query?

Thanks,
Yann
RE: RE : RE: [ActiveDir] finding users that password never expire.
userAccountControl=65536
    check if all enabled options/bits (unique combination) represent a total of 65536

userAccountControl:1.2.840.113556.1.4.803:=65536
    check if only the option/bit represented by 65536 is enabled

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-10-09 20:24
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] finding users that password never expire.

Yes! thanks, that works so well!! :o)

But many questions i have..

What is the difference between the query userAccountControl=65536 and (userAccountControl:1.2.840.113556.1.4.803:=65536)?

Why couldn't i find any results with my first query?

And how do you construct the :1.2.840.113556.1.4.803: part of the ldap query??

Thanks for your answer :)
Yann

Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

> to search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled
>
>     ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"
>
> and to use it with a saved query use as the LDAP filter:
>
>     (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
>
> with joe's ADFIND you can just specify AND or OR without the need to know the OID
>
> OR is by the way: 1.2.840.113556.1.4.804
>
> for the other values see:
> MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties
>
> jorge
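Added example (not from the list thread): the two filter forms Yann and Jorge compare, evaluated the way the LDAP server evaluates them, over a constructed set of userAccountControl values. The flag values are those of KB 305144 and the matching-rule OIDs are the ones Jorge quotes; the account names and values are made up.

```python
import re

# userAccountControl bit values (KB 305144), only the flags this thread mentions
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_NOT_DELEGATED: "UF_NOT_DELEGATED",
}

# LDAP extensible matching rules for bitwise comparison on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the mask is set

# Constructed sample directory: (sAMAccountName, userAccountControl)
SAMPLE_USERS = [
    ("alice", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                    # 66048
    ("bob", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),  # 66050
    ("carol", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT
              | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED),                   # 1114626
    ("dave", UF_NORMAL_ACCOUNT),                                             # 512, password expires
    ("eve", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT),                          # 514
]

# One userAccountControl clause, with or without a matching-rule OID, e.g.
#   (userAccountControl=66048)
#   (userAccountControl:1.2.840.113556.1.4.803:=65536)
UAC_CLAUSE = re.compile(
    r"\(userAccountControl(?::(?P<oid>[0-9.]+):)?=(?P<value>\d+)\)", re.IGNORECASE
)


def uac_clause_matches(clause: str, uac: int) -> bool:
    """Evaluate a single userAccountControl filter clause against an attribute value."""
    m = UAC_CLAUSE.fullmatch(clause.strip())
    if m is None:
        raise ValueError(f"not a userAccountControl clause: {clause!r}")
    value = int(m.group("value"))
    oid = m.group("oid")
    if oid is None:
        # Plain equality: the whole bit pattern must be identical, so one extra flag
        # such as UF_ACCOUNTDISABLE drops the account from the result set.
        return uac == value
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return uac & value == value
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return uac & value != 0
    raise ValueError(f"unsupported matching rule OID: {oid}")


def search(clause: str, users=SAMPLE_USERS) -> list:
    """Names of the accounts whose userAccountControl satisfies the clause."""
    return [name for name, uac in users if uac_clause_matches(clause, uac)]


def decode_uac(uac: int) -> list:
    """Known flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def build_filter(oid: str, mask: int) -> str:
    """Full user filter in the form posted above, with the given bitwise rule and mask."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{oid}:={mask}))")


if __name__ == "__main__":
    # Exact value NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD: finds only the "clean" accounts
    print("equality 66048:", search("(userAccountControl=66048)"))
    # Bitwise AND on the DONT_EXPIRE_PASSWD bit alone: finds them regardless of other flags
    print("bit AND 65536 :", search("(userAccountControl:1.2.840.113556.1.4.803:=65536)"))
    for name, uac in SAMPLE_USERS:
        print(f"{name:6} {uac:8d} {decode_uac(uac)}")
    print(build_filter(LDAP_MATCHING_RULE_BIT_AND, UF_DONT_EXPIRE_PASSWD))
```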
RE: [ActiveDir] User account deletion
by, you really cannot find it anymore when querying AD ;-)

jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Friday, October 06, 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account deletion

Is there a way to tell if a user account has been deleted?

Thanks,
Chris
RE: [ActiveDir] what is the meaning of OT in front of the subject
OT = Off Topic

http://en.wikipedia.org/wiki/Off-topic

;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 05, 2006 15:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] what is the meaning of OT in front of the subject

Some of the subjects have that OT preceding the subject, what's that?

Thanks
RE: [ActiveDir] MORE OT OT: wikis
only 10 types of people understand binary... one type does understand and the other type does not understand Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of joe Sent: Thu 2006-10-05 20:22 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: wikis Careful, I recall a math professor in my differential equations class or maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2 and it wasn't a numerical base trick I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes... I still wonder why I went into a field with such a high ratio of men to women... :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Thursday, October 05, 2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: wikis 999,998 + 2 = 1,000,000, not 100,000. ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims Sent: Thursday, October 05, 2006 11:49 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: wikis It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter?? Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source.
But for encyclopedia entries, which give a good summation of a subject, they are great.
RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
are you by any chance trying to promote an R2 DC? If yes, use ADPREP from the SECOND CD from the R2 distribution set Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto From: [EMAIL PROTECTED] on behalf of Steve Egan (Temp) Sent: Thu 2006-10-05 22:25 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've screwed the pooch on my network. Here's how: Shut down an antiquated FTP server after transferring files to the new FTP server. The old one's OS was Win2K, the new one is Win2003. I *did not* do anything to AD at the time this occurred. A day before I started working here (8/8/06) the server in Sweden was rebuilt by a local consultant. Hardware failure. He rebuilt from bare metal, and set up the DNS and AD incorrectly. The end result was a server sitting in its own domain. DNS was somehow told to replicate to the server, and was working fine. I next tried to put/rename/move the Sweden server into the Purcell.com domain. Oops, have to upgrade out of Win2000 mixed mode. No problem, I'll just transfer the AD, DNS, and PDC to a master machine running Win2003 and have lotsa machines (okay, one or two) running as PDCs and alternate DNS and AD, right? Here's where the pooch got this way - I'm a n00b when it comes to AD, and somehow in the transfer of functions I've messed up the domain something fierce. AD and DNS work just fine (replicate) on the USA and Poland servers, but I tried upgrading the Sweden server to the forest and things got cranky - it wouldn't upgrade because it swore up and down that the domain was still in pre-Win2003 mode.
In frustration, I tore down DNS and AD on the Sweden server, and rebuilt them - not an easy task by remote control... The DNS rebuilt just peachy on the Sweden server, but when I go to install AD on it, it tells me that the domain ain't ready for prime time - I have to run adprep on the domain. I ran adprep the first time, and everything appeared to work just fine. Subsequent attempts are rebuffed - I've already prepared the domain, it tells me. The Sweden server just refuses to accept that the AD in the domain is Win2003 mode. I've checked - it's mode 2 on all the AD machines. The necessary containers for a Win2003 AD have been built! SOMEthing is preventing the ADPREP from executing properly. Here's a partial log entry from the Sweden server (adprep.log?):
10/05 01:34:26 [INFO] Searching for a domain controller for the domain PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$
10/05 01:34:27 [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for server \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Forcing time sync
10/05 01:34:27 [INFO] Forcing a time synch with \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:29 [ERROR] Failed to get the current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:35:32 [INFO] Configuring service NETLOGON to 1 returned 0
10/05 01:35:32 [INFO] Stopped NETLOGON
10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
10/05 01:35:36 [INFO] Created system volume path
10/05 01:35:36 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
10/05 01:35:36 [INFO] Installing the Directory Service
10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM
10/05 01:35:36 [INFO] Starting Active Directory installation
10/05 01:35:36 [INFO] Validating user supplied options
10/05 01:35:36 [INFO] Determining a site in which to install
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help. (8467)
10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467
10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
10/05 01:35:49 [INFO] Starting service NETLOGON
10/05 01:35:49 [INFO] Configuring service NETLOGON to 2 returned 0
10/05 01:35:49 [INFO] The attempted domain controller operation has completed
10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0
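Logs like the one above are easier to triage when the records are split apart and the numeric result codes pulled out: here there is a non-fatal access-denied (5) on the time sync against FTP1, and the operation then ends with 8467 when the forest is examined. The following is an added example, not code from the thread: a small parser for this record format that tolerates records run together on one line, extracts the codes, and reports the error entries. The sample log is constructed from the entries quoted in the post; the only code it names symbolically is 5 (ERROR_ACCESS_DENIED).

```python
import re

# Added example, not from the list thread: split a dcpromo-style log into
# records, pull the result code out of each message and report the errors.
# SAMPLE_LOG is constructed from the entries quoted in the post.

# A record starts with "MM/DD HH:MM:SS [LEVEL]" and runs until the next one
# (or the end of the text), so records fused onto one line still split.
RECORD_RE = re.compile(
    r"(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(INFO|WARNING|ERROR)\] "
    r"(.*?)(?=\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[|$)",
    re.S,
)
# Codes appear as "(8467)", "returned 8467" or a trailing ": 5".
CODE_RE = re.compile(r"\((\d+)\)|returned (\d+)|: (\d+)\s*$")

# Win32 codes named here; 5 is ERROR_ACCESS_DENIED.
KNOWN_CODES = {5: "ERROR_ACCESS_DENIED"}

SAMPLE_LOG = (
    "10/05 01:34:27 [INFO] Forcing a time synch with \\\\FTP1.PURCELLSYSTEMS.COM"
    "10/05 01:34:29 [ERROR] Failed to get the current time on \\\\FTP1.PURCELLSYSTEMS.COM: 5 "
    "10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring "
    "10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM "
    "10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue "
    "because the forest is not prepared for installing Windows Server 2003. (8467) "
    "10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467 "
    "10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467) "
    "10/05 01:35:49 [INFO] The attempted domain controller operation has completed"
)


def parse_records(text):
    """List of {time, level, message} dicts, one per log record."""
    return [{"time": t, "level": lvl, "message": msg.strip()}
            for t, lvl, msg in RECORD_RE.findall(text)]


def extract_code(message):
    """Numeric result code carried by a message, or None."""
    m = CODE_RE.search(message)
    if not m:
        return None
    return int(next(g for g in m.groups() if g is not None))


def error_records(records):
    """(time, code, code_name, non_fatal) for every [ERROR] record."""
    out = []
    for r in records:
        if r["level"] == "ERROR":
            code = extract_code(r["message"])
            out.append((r["time"], code, KNOWN_CODES.get(code, "unknown"),
                        "NON-FATAL" in r["message"]))
    return out


def final_failure(records):
    """(time, code) of the last [ERROR] record: the code the run ended with."""
    errs = error_records(records)
    return (errs[-1][0], errs[-1][1]) if errs else None


def codes_seen(records):
    """Each distinct code in the log and how many records carry it."""
    counts = {}
    for r in records:
        c = extract_code(r["message"])
        if c is not None:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for e in error_records(recs):
        print(e)
    print("final failure:", final_failure(recs))
    print("codes:", codes_seen(recs))
```

Reading the output this way separates the two problems: the access-denied on the time sync points at the account or permissions used against FTP1, while 8467 is the forest-preparation check that actually stopped the promotion.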
RE: [ActiveDir] Forest trusts
Both forests can be connected to each other as long as within the connected environment each domain name is unique (NetBIOS and DNS)... So if you have a forest called DOMAIN.COM (NetBIOS = DOMAIN) and another forest called SUB.DOMAIN.COM (NetBIOS = SUB) you can connect them to each other and set up trusts between the forests. jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek Sent: Tuesday, October 03, 2006 15:35 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Forest trusts Hello evr. I have two independent forests. Is it possible to trust forests which share the same name space? For example, I have a domain in the first forest domain.com and a domain in the second forest my.domain.com. If not, is it possible to migrate with some tools a domain my.domain.com to domain domain.com? Thx Zdenek Lev
RE: [ActiveDir] Forest trusts
That will also be possible as long as forest 2 does not also have a DOMAIN.COM. That is what I meant with: Both forests can be connected to each other as long as within the connected environment each domain name is unique (NetBIOS and DNS)... jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek Sent: Tuesday, October 03, 2006 15:57 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Forest trusts THX for your answer, and what about migration of SUB.DOMAIN.COM from forest 2 to forest 1 with domain DOMAIN.COM? Z.
RE: [ActiveDir] Move all OU and USERS from one forest to another forest
Have a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Tuesday, October 03, 2006 16:38 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Move all OU and USERS from one forest to another forest Hi, I am trying to build a testing environment. I have the production forest and the testing forest, not connected at all. Is there an easy way of creating all the same OUs and users from one forest to the other? Each forest only has one domain. Also, I am only interested in moving some of the attributes, i.e. there is no MS exchange in the testing environment so I don't care about exchange attributes. I was going to build a script that will read from production LDAP and create objects in the other one, but if there is already something like that, a tool or script, I would prefer to use it to save time. Can I use ADAM for this? Rezuma
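Since the two forests are not connected, the practical route is an offline export, a filtering step, and an import. What follows is an added example, not the list's code and not a Microsoft tool: it parses an LDIF export in the shape ldifde writes (folded lines and base64 values included), keeps only an allow-list of attributes, drops Exchange attributes and anything identity-bearing or secret, rewrites the DN suffix and UPN domain for the test forest, and emits LDIF add operations. The attribute sets, domain names and the sample export are constructed for the example.

```python
import base64
import re

# Added example, not from the list thread: filter and re-home an LDIF export
# for import into a disconnected test forest. Attribute lists, names and the
# SAMPLE_LDIF export below are constructed.

KEEP_ATTRS = {"dn", "objectClass", "ou", "cn", "sAMAccountName", "givenName",
              "sn", "displayName", "userPrincipalName", "description"}
# Identity-bearing or secret attributes never belong in a test copy.
DROP_ALWAYS = {"unicodePwd", "sIDHistory", "objectSid", "objectGUID",
               "nTSecurityDescriptor"}

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Records as lists of (attribute, value) pairs. Folded lines (leading
    space) are joined first; '::' marks a base64-encoded value."""
    records, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.append((attr, value))
    if current:
        records.append(current)
    return records


def _wanted(attr):
    return (attr in KEEP_ATTRS and attr not in DROP_ALWAYS
            and not attr.lower().startswith("msexch"))


def transform(records, prod_suffix, test_suffix, prod_dns, test_dns):
    """Keep only wanted attributes and move each record to the test namespace."""
    out = []
    for rec in records:
        new = []
        for attr, value in rec:
            if not _wanted(attr):
                continue
            if attr == "dn" and value.lower().endswith(prod_suffix.lower()):
                value = value[:-len(prod_suffix)] + test_suffix
            elif attr == "userPrincipalName" and value.lower().endswith("@" + prod_dns.lower()):
                value = value[:-len(prod_dns)] + test_dns
            new.append((attr, value))
        out.append(new)
    return out


def _needs_base64(value):
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or value.endswith(" ") or "\n" in value)


def to_ldif(records):
    """Serialise records as LDIF add operations (the form ldifde -i imports)."""
    chunks = []
    for rec in records:
        lines = []
        for attr, value in rec:
            if _needs_base64(value):
                lines.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
            else:
                lines.append(f"{attr}: {value}")
            if attr == "dn":
                lines.append("changetype: add")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


SAMPLE_LDIF = """\
dn: OU=Sales,DC=prod,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: Sales

dn: CN=Alice Example,OU=Sales,DC=prod,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alice Example
sAMAccountName: alice
userPrincipalName: alice@prod.example.com
msExchHomeServerName: /o=Prod/ou=First Administrative Group/cn=Servers/cn=MAIL1
objectSid:: AQUAAAAAAAUVAAAA
description:: U2FsZXMgdGVhbSBsZWFk
"""


def build_test_ldif():
    recs = transform(parse_ldif(SAMPLE_LDIF),
                     "DC=prod,DC=example,DC=com", "DC=test,DC=example,DC=com",
                     "prod.example.com", "test.example.com")
    return recs, to_ldif(recs)


if __name__ == "__main__":
    print(build_test_ldif()[1])
```

The allow-list is the important design choice: anything not explicitly wanted is dropped, so a new attribute in production cannot leak into the test forest by default.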
RE: [ActiveDir] Group Policy Problem
you are experiencing morphed folders within the SYSVOL. see: MS-KBQ328492_Folder Name Is Changed to FolderName_NTFRS_ MS-KBQ290762_Using the BurFlags registry key to reinitialize File Replication Service replica sets (depending on the situation this solution may need additional steps!!!) use one of the solutions to resolve the problem. the first one mentioned is preferred. jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams Sent: Tuesday, October 03, 2006 18:11 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Policy Problem The problem I am having with group policies has the following two symptoms: 1) domain member computers are getting "windows cannot query for the list of group policy objects" in the event log 2) When I try and edit group policies I get either access denied, or cannot write to something like C:\WINDOWS\SYSVOL\sysvol\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} It would seem the group policy contained in the {31B2F340-016D-11D2-945F-00C04FB984F9} folder is missing. There are several folders which are named similarly, i.e. {31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7, i.e. have NTFRS appended to them. I have tried to recreate the policy by running DCGPOFIX. It recreates the {31B2F340-016D-11D2-945F-00C04FB984F9} folder with the policy. But after a few seconds this folder gets an NTFRS appended to it and all the errors come back. It seems after recreating the group policy active directory just removes it. Has anyone experienced anything similar or have any suggestions? BTW I have about 4 DCs in the domain Lloyd
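The symptom Lloyd describes (a folder recreated by DCGPOFIX being renamed with an _NTFRS_ suffix seconds later) is what FRS does when the same folder name already exists in another replica's copy of the replica set. A listing of the Policies directory on each DC shows the damage directly. The following is an added example, not code from the thread: it scans a directory listing for morphed folder names, pairs each with the GPO folder it came from, and notes whether the original is still present. The listing is constructed; the first GUID is the one from the post and is the well-known Default Domain Policy GUID.

```python
import re

# Added example, not from the thread: find FRS "morphed" folders
# (<name>_NTFRS_<8 hex chars>) in a SYSVOL Policies listing.
# SAMPLE_LISTING is constructed; the third and fifth names are made up.

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GPO_RE = re.compile(rf"^{GUID}$")
MORPHED_RE = re.compile(rf"^(?P<orig>{GUID})_NTFRS_(?P<tag>[0-9a-f]{{8}})$")

# Well-known GPO GUIDs, so a report can say which policy is affected.
WELL_KNOWN_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}


def find_morphed(folder_names):
    """{gpo_folder: {"copies": [...], "original_present": bool, "label": str|None}}
    for every GPO folder that has at least one morphed copy."""
    present = {n.upper() for n in folder_names if GPO_RE.match(n)}
    report = {}
    for name in folder_names:
        m = MORPHED_RE.match(name)
        if not m:
            continue
        orig = m.group("orig").upper()
        entry = report.setdefault(orig, {"copies": [],
                                         "original_present": orig in present,
                                         "label": WELL_KNOWN_GPOS.get(orig)})
        entry["copies"].append(name)
    for entry in report.values():
        entry["copies"].sort()
    return report


def healthy(folder_names):
    """True when the listing contains no morphed folders at all."""
    return not any(MORPHED_RE.match(n) for n in folder_names)


SAMPLE_LISTING = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7",
    "{31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_0a1b2c3d",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
    "{D1E2F3A4-1111-4222-8333-444455556666}_NTFRS_deadbeef",
]


if __name__ == "__main__":
    for gpo, info in find_morphed(SAMPLE_LISTING).items():
        print(gpo, info)
    print("healthy:", healthy(SAMPLE_LISTING))
```

Running it against the listing from every DC shows which replica still holds the intact folder, which is what the KB article Jorge cites needs you to know before you pick a copy to keep.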
RE: [ActiveDir] Urgent DFS Configuration
for some reason I missed this message. nope, that will not work. in short: you can create the DFS root on any server and it does not need to be the server hosting the data. DFS root servers are servers that manage the DFS namespace (root, links). To create the root you need to have a shared folder on some server. THAT folder structure (as it will be a structure as soon as you create DFS links) represents the DFS namespace and does not host any data. The DFS links are references for a common path to one or multiple servers that host the same data.
stand-alone roots:
* stored in registry
* are not fault tolerant (unless hosted on a cluster)
* do not support NTFRS replication
* support DFS-R replication on R2
domain roots:
* stored in AD
* are fault tolerant
* support NTFRS replication
* support DFS-R replication on R2
for more information see: DFS Technical Reference http://technet2.microsoft.com/WindowsServer/en/library/20ffb860-f802-455c-9ca2-5194f79a9eb41033.mspx?mfr=true cheers, jorge From: Ibarra, Juan [mailto:[EMAIL PROTECTED] Sent: Thursday, September 21, 2006 23:38 To: undisclosed-recipients Subject: RE: [ActiveDir] Urgent DFS Configuration Importance: High I am trying to create a DFS server (if there is such a thing). On server one I create a DFS root called testdfs, it then asks for the location of the host server for this root. I then enter the server2 name. They are two separate servers and the reason behind it is so that users connect to server1 and not server2, but I guess this is not possible (as it is not working). How would I set up a dfs structure? I guess this should be my question. Don't I need to configure it on the server that has the data?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, September 21, 2006 12:53 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgent DFS Configuration OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2 " Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto From: [EMAIL PROTECTED] on behalf of Ibarra, Juan Sent: Thu 2006-09-21 20:41 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgent DFS Configuration That would be 2. Juan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, September 21, 2006 10:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgent DFS Configuration which server hosts the stand alone root? server 1 or 2? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan Sent: Thursday, September 21, 2006 17:34 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Urgent DFS Configuration Importance: High All, I need some input on DFS. I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine. The problem: When I try to access the links I created I can't (Access Denied) even though I shared the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links. Please let me know what I am doing wrong. Thanks, Juan
RE: [ActiveDir] SID History.
to read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc authentication across domains depends on whether NTLM is used (external trusts) or kerberos is used (forest trusts and intra-forest transitive trusts) sIDHistory just adds SIDs to the access token, after that the process is the same jorge Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto From: [EMAIL PROTECTED] on behalf of Matt Hargraves Sent: Mon 2006-09-25 19:38 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SID History. Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment. Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much. On 9/24/06, joe [EMAIL PROTECTED] wrote: I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLS. Start here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/how_dacls_control_access_to_an_object.asp but poke around that whole area. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Thursday, September 21, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SID History. Conceptual situation: User domain Resource domain (s) I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token? Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
RE: [ActiveDir] SID History.
it does not need to mention that... with sidhistory it just adds additional SIDs to the token where the same rules apply as mentioned in that doc
Example: I have a group that points a user's SID history as a ForeignSecurityPrinciple, then it will add in that object
nope. if a user (AccDomA) is member of some group in another domain (ResDomA) and that user has been migrated to another domain (AccDomB) with the sidhistory of its previous domain (AccDomA), the access token will contain its new SID (AccDomA) and the sidhistory of the previous user (AccDomB). as soon as the user crosses the trust to access a resource protected by that same group, then the SID of that same group will be added (ResDomA)
In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?
only within the user's own domain. if the user was in ADDOMAIN and the server in NTResDom78, then the SIDs of group memberships within domain NTResDom78 would be added to the list because the resource access was across a trust. the access token always includes all groups in the same domain as the user (including nesting within own domain) and all universal groups (direct or indirect membership) and eventual sidhistory values. it is on a need to know basis. imagine if it needed to ask the complete forest to see where group memberships existed. that would be a PITA as it needed to ask a DC for each domain in the forest for the domain local groups and to ask all member servers for local groups. Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto
From: [EMAIL PROTECTED] on behalf of Matt Hargraves Sent: Mon 2006-09-25 21:55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SID History. Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points a user's SID history as a ForeignSecurityPrinciple, then it will add in that object. In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?
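The rules Jorge lays out across this thread reduce to a small procedure: start from the user's SID and sIDHistory, add every group in the user's own domain (with nesting), add universal groups from anywhere in the forest, and only when a trust is crossed add the resource domain's domain-local groups that contain any SID already in the token. The following is an added simulation of exactly those rules; it is not the list's code and not how Windows implements token building internally. Domain names, SIDs and groups are constructed: the user was migrated from AccDomA to AccDomB with the old SID kept in sIDHistory, and the resource domains ResDomA and ResDomB still have local groups referencing the old SID.

```python
from dataclasses import dataclass

# Added simulation of the token-building rules described in the thread; not
# the list's code and not Windows' implementation. All SIDs, domains and
# groups below are constructed for the example.


@dataclass(frozen=True)
class Group:
    sid: str
    domain: str
    scope: str          # "global", "domainlocal" or "universal"
    members: frozenset  # SIDs (users or groups) that are direct members


@dataclass
class User:
    sid: str
    domain: str
    sid_history: tuple = ()


def _closure(token, candidates):
    """Add every candidate group that has a SID already in the token as a
    member, repeating until nested memberships are fully resolved."""
    token = set(token)
    changed = True
    while changed:
        changed = False
        for g in candidates:
            if g.sid not in token and g.members & token:
                token.add(g.sid)
                changed = True
    return token


def build_token(user, groups, resource_domain=None):
    """SIDs in the access token when `user` accesses a resource in
    `resource_domain` (None, or the user's own domain, means a local resource)."""
    token = {user.sid, *user.sid_history}
    # 1. every group in the user's own domain, including nesting
    token = _closure(token, [g for g in groups if g.domain == user.domain])
    # 2. universal groups anywhere in the forest, direct or nested
    token = _closure(token, [g for g in groups if g.scope == "universal"])
    # 3. only when crossing a trust: the resource domain's domain-local groups
    if resource_domain and resource_domain != user.domain:
        token = _closure(token, [g for g in groups
                                 if g.domain == resource_domain and g.scope == "domainlocal"])
    return frozenset(token)


def access_allowed(token, allowed_sids):
    """A DACL allow check reduced to its essence: any allowed SID in the token."""
    return bool(token & set(allowed_sids))


OLD_SID, NEW_SID = "S-1-5-21-111-1104", "S-1-5-21-222-1104"
ALICE = User(sid=NEW_SID, domain="AccDomB", sid_history=(OLD_SID,))
GROUPS = [
    Group("S-1-5-21-222-2001", "AccDomB", "global", frozenset({NEW_SID})),                  # Sales
    Group("S-1-5-21-222-2002", "AccDomB", "domainlocal", frozenset({"S-1-5-21-222-2001"})),  # nests Sales
    Group("S-1-5-21-222-2003", "AccDomB", "universal", frozenset({"S-1-5-21-222-2001"})),    # nests Sales
    Group("S-1-5-21-333-3001", "ResDomA", "domainlocal", frozenset({OLD_SID})),              # old SID via sIDHistory
    Group("S-1-5-21-333-3002", "ResDomA", "domainlocal", frozenset({"S-1-5-21-333-3001"})),  # nests 3001
    Group("S-1-5-21-444-4001", "ResDomB", "domainlocal", frozenset({OLD_SID})),              # other resource domain
]


if __name__ == "__main__":
    for target in (None, "ResDomA", "ResDomB"):
        print(target or "local", sorted(build_token(ALICE, GROUPS, target)))
```

The run shows the point of the thread: the ResDomB group never appears when the resource is in ResDomA, and neither resource domain's groups appear for a resource in the user's own domain, even though the sIDHistory SID is in the token throughout.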
RE: [ActiveDir] Schema analyzer
look at the ADAM help file and search for ADSchemaAnalyzer Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto From: [EMAIL PROTECTED] on behalf of Ramon Linan Sent: Mon 2006-09-25 22:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema analyzer Hi, I need to compare our current AD schema to the one that comes out of the box when you install windows 2003+MS exchange. I have been told that with Schema Analyzer which comes with ADAM SP1 can do this... Has anyone done this before? I can figure out how to do it, anyone can lead to a doc where I can learn how to do it? Thanks Rezuma
RE: [ActiveDir] I'm Baaaaaaack!
i do.. ;-) See anything "random" here: Dèjì RANDOM Akómöláfé? Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto From: [EMAIL PROTECTED] on behalf of Akomolafe, Deji Sent: Fri 2006-09-22 04:12 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] I'm Baaack! Not according to my birth certificate. See anything "random" here: Dèjì Akómöláfé? Me neither ;-p Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joe Sent: Thu 9/21/2006 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] I'm Baaack! Random is Deji's middle name. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Thursday, September 21, 2006 3:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] I'm Baaack! :) all this is very random From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Thursday, September 21, 2006 2:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] I'm Baaack! Yikes! Is it Halloween yet? Sincerely, Microsoft MVP - Directory Services From: Rick Kingslan Sent: Thu 9/21/2006 11:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] I'm Baaack! Be afraid Be very afraid! :-) Rick
RE: [ActiveDir] Urgent DFS Configuration
a stand alone root cannot have more than 1 root server (unless on a cluster). only a domain based root can have more than one root server. that is why I ask the Q below

Kind regards,
Jorge de Almeida Pinto

From: Almeida Pinto, Jorge de
Sent: Thu 2006-09-21 21:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2"

Jorge

From: Ibarra, Juan
Sent: Thu 2006-09-21 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan

From: Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

which server hosts the stand alone root? server 1 or 2?

From: Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS. I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root; when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem: When I try to access the links I created I can't: Access Denied, even though I shared the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan
RE: [ActiveDir] Replication Metadata
hey joe, how about ADFIND with an attribute spellchecker? ;-)

Kind regards,
Jorge de Almeida Pinto

From: joe
Sent: Thu 2006-09-21 03:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

;o) that would do it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: Isenhour, Joseph
Sent: Wednesday, September 20, 2006 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Nevermind, I guess I should learn to spell the attribute name correctly. Works great, Thanks!

From: Isenhour, Joseph
Sent: Wednesday, September 20, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Ok, for some reason ADSI doesn't seem to like this attribute. I've tried VBScript and System.DirectoryServices.

In VBScript:

    meta = group.GetEx("ms-DSReplValueMetaData")

In C#:

    string[] meta = (string[])group.Properties["ms-DSReplValueMetaData"].Value;

The line in VBScript throws an error saying it can't be found in the dircache. The C# line doesn't throw an error but does not give me the xml either. I used dsquery against the same group and it gave me the xml.

Can you see what I'm doing wrong?

Thanks

From: joe
Sent: Thursday, September 14, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Yep, if VBScript you want the XML versions...

You should be able to do this in an hour. You just need to pick the right hour. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: Isenhour, Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do this in a VBScript and avoid getting into any compiled solutions. I told my boss I could do this in an hour because I thought I could just use IADsTools, oopsie.

From: joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier.

If you want to write DC API based code, you can use DsReplicateGetInfo2.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed.

I know that RepAdmin can look at the individual group changes so there must be some updated API that I can use to do the same thing, I just can't seem to find it.

Can anyone point me in the right direction?

Thanks
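The approach joe describes, as an added example that is not code from the thread: read the constructed attribute msDS-ReplValueMetaData through System.DirectoryServices (the API Joseph was using), requesting it by its exact name, and turn the XML values into a per-member "last changed" report. It assumes a domain-joined host that can read the group, a placeholder group DN, and linked-value replication (forest functional level Windows Server 2003 or higher), without which there is no per-value metadata for member.

```powershell
# Added example, not code from the thread. Reads msDS-ReplValueMetaData from a
# group and reports when each 'member' value last changed (or was removed).
# Assumptions: domain-joined host, reader has access to the group, the DN below
# is a placeholder, and LVR is enabled (forest functional level 2003+), which is
# what makes per-value metadata for 'member' exist at all.
param(
    [string]$GroupDn = 'CN=Example Group,OU=Groups,DC=example,DC=com'   # placeholder
)

function Get-GroupMemberChangeMetadata {
    param([Parameter(Mandatory = $true)][string]$Dn)

    $entry    = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dn"
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $entry
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    # Constructed attributes come back only when asked for by name, and the name
    # must be spelled exactly: msDS-ReplValueMetaData (not "ms-DSRepl...", which
    # is why the GetEx call in the thread failed with "not found in dircache").
    [void]$searcher.PropertiesToLoad.Add('msDS-ReplValueMetaData')

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Object not found: $Dn" }

    # DirectorySearcher lowercases property names in the result collection.
    foreach ($xmlText in $result.Properties['msds-replvaluemetadata']) {
        # Each value is one DS_REPL_VALUE_META_DATA structure serialised as XML;
        # the element names follow the structure's field names.
        $m = ([xml]$xmlText).DS_REPL_VALUE_META_DATA
        if ($m.pszAttributeName -ne 'member') { continue }

        # ftimeDeleted is set when the value was removed; an absent or zero
        # (1601-01-01) time means the member is still present.
        $deleted = $null
        if ($m.ftimeDeleted -and -not $m.ftimeDeleted.StartsWith('1601-')) {
            $deleted = [datetime]::Parse($m.ftimeDeleted).ToUniversalTime()
        }

        New-Object PSObject -Property @{
            Member         = $m.pszObjectDn
            Version        = [int]$m.dwVersion
            LastChangeUtc  = [datetime]::Parse($m.ftimeLastOriginatingChange).ToUniversalTime()
            DeletedUtc     = $deleted
            OriginatingDsa = $m.pszLastOriginatingDsaDN
            OriginatingUsn = [long]$m.usnOriginatingChange
        }
    }
}

# Most recent membership change first; a non-empty DeletedUtc is a removal.
Get-GroupMemberChangeMetadata -Dn $GroupDn |
    Sort-Object LastChangeUtc -Descending |
    Format-Table Member, Version, LastChangeUtc, DeletedUtc, OriginatingDsa -AutoSize
```

Removed members stay in the output (with DeletedUtc set) until their tombstoned value expires, so the report also answers "who was taken out of this group, and when".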
RE: [ActiveDir] How are folks setting hidden user attribs?
where is the [ActiveDir] part in the subject... (there goes my Outlook filter) ;-)

for attribs not shown in the ADUC GUI, you can extend the GUI (search the archives for the MSDN link that shows how to do this) or you can add a VBS script to READ or WRITE the attribs. One of the examples can be found here: http://www.kouti.com/scripts.htm (search for employeeID.vbs). this of course also applies to other attribs

cheers,
jorge

Kind regards,
Jorge de Almeida Pinto

From: Alex Fontana
Sent: Thu 2006-09-21 09:03
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?

Hey guys,

I'm curious how people are populating attributes such as employeeid, employeetype, etc, specifically when creating\modifying accounts using the GUI (ADUC)? Besides me writing something to populate the fields, what other resources do I have to allow other selected users (account creators) to populate these fields?

TIA
-alex
RE: [ActiveDir] Urgent DFS Configuration
which server hosts the stand alone root? server 1 or 2?

From: Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS. I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root; when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem: When I try to access the links I created I can't: Access Denied, even though I shared the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan
RE: [ActiveDir] Urgent DFS Configuration
OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2"

Kind regards,
Jorge de Almeida Pinto

From: Ibarra, Juan
Sent: Thu 2006-09-21 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan

From: Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

which server hosts the stand alone root? server 1 or 2?

From: Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS. I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root; when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem: When I try to access the links I created I can't: Access Denied, even though I shared the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan
RE: [ActiveDir] SID History.
not sure if this is the answer to your Q (not clear what you mean), but let's give it a try...

if you migrate a user with sidhistory, it will not include the group memberships of the object in the source domain just because the user's old SID is in sidhistory. if you need to have the group memberships as well, you need to migrate the groups to preserve the group membership, and to preserve the access to resources protected by those groups you need to include the sidhistory as well during migration.

is this the answer?

Kind regards,
Jorge de Almeida Pinto

From: Matt Hargraves
Sent: Thu 2006-09-21 22:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:

User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
RE: [ActiveDir] Assign User rights overs computers with AD
Hi Alberto,

Use the restricted groups feature in a GPO. For the group ADMINISTRATORS define/dictate which groups/users MUST/SHOULD (e.g. Domain Admins, and local administrator) be in the group ADMINISTRATORS. Everyone else not defined will not be listed and, if defined prior to the configuration of the GPO, will be kicked out.

jorge

Kind regards,
Jorge de Almeida Pinto

From: Alberto Oviedo
Sent: Wed 2006-09-20 14:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assign User rights overs computers with AD

Hello. My name is Alberto, I'm from Nicaragua.

In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges that users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them.

Thanks for your help.
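A pre-check to run before the Restricted Groups policy Jorge describes is enforced, as an added example that is not from the thread: it lists who currently sits in each workstation's local Administrators group and flags every account the policy would kick out, so nothing needed (a management agent account, say) is evicted by surprise. It assumes the WinNT ADSI provider can reach the workstations over RPC, that the allowed list is the same as what the GPO will define, and that the computer names are placeholders.

```powershell
# Added example, not code from the thread. Reports local Administrators
# membership on workstations and marks members that a Restricted Groups policy
# defining only the allowed principals would remove. Assumptions: RPC access to
# the workstations (WinNT ADSI provider), placeholder computer names, and
# matching by account name only (a renamed built-in Administrator or a domain
# account with the same name as an allowed one will not be distinguished).
function Get-LocalAdministratorsDrift {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        # Principals the GPO will define as the only members; Jorge's example
        # is Domain Admins plus the local Administrator account.
        [string[]]$Allowed = @('Domain Admins', 'Administrator')
    )

    foreach ($computer in $ComputerName) {
        try {
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
                # ADsPath is WinNT://DOMAIN/Name for domain principals and
                # WinNT://COMPUTER/Name for local accounts.
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            }
        } catch {
            Write-Warning "$computer unreachable: $($_.Exception.Message)"
            continue
        }

        foreach ($path in $members) {
            $name = ($path -split '/')[-1]
            New-Object PSObject -Property @{
                Computer      = $computer
                Member        = ($path -replace '^WinNT://', '')
                WillBeRemoved = ($Allowed -notcontains $name)
            }
        }
    }
}

# Run over a few (placeholder) workstations and show only what the policy
# would evict; review this list before linking the GPO.
Get-LocalAdministratorsDrift -ComputerName 'WS001', 'WS002', 'WS003' |
    Where-Object { $_.WillBeRemoved } |
    Sort-Object Computer, Member |
    Format-Table Computer, Member -AutoSize
```

Once the GPO is linked, the same function run without the Where-Object filter shows whether the policy has actually applied (every row should have WillBeRemoved set to False).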
RE: [ActiveDir] AD and static DNS
Each DC has two GUIDs...

* the objectGUID identifies the DC itself and is used for replication. That is also the GUID that is registered in _MSDCS. This value can be found in the attribute called objectGUID on the NTDS Settings object that is owned by the DC. This GUID is created when promoting the server to a DC and is destroyed when demoting to server. So as long as the DC is a DC this GUID remains.

* the Invocation ID identifies the database instance on the DC and is used to record originating updates, which means on which database instance something was added or changed. This value can be found in the attribute called Invocation ID on the NTDS Settings object that is owned by the DC. This GUID is created when promoting the server to a DC and is initially the same as the objectGUID. The invocation ID changes as soon as the DC is restored from a backup USING A SUPPORTED AD AWARE BACKUP MECHANISM or when an application partition is instantiated.

all service records that are registered by the DC are stored in the NETLOGON.DNS file (located in %WINDIR%\System32\Config). That file can be used to import data into DNS.

Cheers,
Jorge

Kind regards,
Jorge de Almeida Pinto

From: [EMAIL PROTECTED]
Sent: Wed 2006-09-20 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD and static DNS

Does the GUID used for a DC change when the server is brought up through dcpromo, or does it remain the same as the base OS install? That is, can I take the current GUID and use it to prefill my static BIND records, or do I need to do the dcpromo and then create the records?

Thanks,
Andrew Fidel
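Since the objectGUID only exists once the NTDS Settings object does (i.e. after dcpromo), the static records have to be built from that object afterwards. The following added example, not code from the thread, pulls both GUIDs Jorge describes for every DC in the forest and checks that the <objectGUID>._msdcs.<forest root> CNAME actually resolves to the DC's dNSHostName, which is the check to run after hand-maintaining BIND records. It assumes a domain-joined host with LDAP access to the configuration partition and DNS resolution for the _msdcs zone, and that a CNAME lookup via System.Net.Dns returns the canonical name in HostName.

```powershell
# Added example, not code from the thread. For each DC (every nTDSDSA object
# under the Sites container) report objectGUID and invocationId and verify the
# _msdcs CNAME registration. Assumptions: domain-joined host, LDAP read access
# to the configuration NC, DNS resolution for _msdcs.<forest root>, and that
# [System.Net.Dns]::GetHostEntry on a CNAME returns the canonical name.
function Test-DcGuidDnsRegistration {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $configNc   = $rootDse.configurationNamingContext.Value
    $forestDn   = $rootDse.rootDomainNamingContext.Value
    # DC=corp,DC=example,DC=com  ->  corp.example.com
    $forestFqdn = (($forestDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 500
    foreach ($attr in 'objectGUID', 'invocationId', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($r in $searcher.FindAll()) {
        # Both attributes are stored as 16-byte octet strings.
        $objectGuid   = [guid]($r.Properties['objectguid'][0])
        $invocationId = [guid]($r.Properties['invocationid'][0])

        # The NTDS Settings object's parent is the server object; its
        # dNSHostName is the name the CNAME must point at.
        $server = $r.GetDirectoryEntry().Parent
        $dcName = [string]$server.Properties['dNSHostName'].Value

        $cname      = "$objectGuid._msdcs.$forestFqdn"
        $resolvedTo = $null
        try { $resolvedTo = [System.Net.Dns]::GetHostEntry($cname).HostName } catch { }

        New-Object PSObject -Property @{
            DC                  = $dcName
            ObjectGuid          = $objectGuid
            InvocationId        = $invocationId
            # True once the DC has been restored from an AD-aware backup or an
            # application partition was instantiated; objectGUID never changes.
            InvocationIdChanged = ($objectGuid -ne $invocationId)
            CnameRecord         = $cname
            ResolvesToDc        = [bool]($resolvedTo -and ($resolvedTo -ieq $dcName))
        }
    }
}

# A False in ResolvesToDc means the static record is missing or stale; the
# DC's own %WINDIR%\System32\Config\netlogon.dns holds the expected entries.
Test-DcGuidDnsRegistration |
    Sort-Object DC |
    Format-Table DC, ObjectGuid, InvocationIdChanged, ResolvesToDc -AutoSize
```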
RE: [ActiveDir] Ad Reporting Tools
my first and simple thought is: OLDCMP from joeware.net

From: Dave Wade
Sent: Monday, September 18, 2006 12:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ad Reporting Tools

Folks,

I am struggling with a fairly simple request. We would like a simple report that lists how many PC's there are in each OU into an Excel Spreadsheet. Well, I have managed to do this with CSVDE and the summary report in Excel. Is there a better (low cost) solution?

Dave Wade
E-Services
RE: [ActiveDir] Elevating privileges from DA to EA
> Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

> I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby.

jorge

From: [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model]. I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above.

Make sense?

neil

From: Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain, but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all. Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [[EMAIL PROTECTED]]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
I knew that, I just preferred him to say it for himself... ;-) (BY THE WAY: Mark, did you go to the game?)

it is also possible to rename a W2K3 DC when not in DFL=W2K3 (thus DFL=W2K native/mixed) AND it is supported! ;-) However, what Guido is saying IS preferred because it is a multiple step approach and does not cause the issues the other method does cause. see: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/109.aspx

jorge

From: Grillenmeier, Guido
Sent: Thursday, September 14, 2006 17:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

Yep, that was Win2k – once you've reached Win2k3 domain functional level, you can start adding another name to your DC, make it primary, reboot, ensure everything replicates well and registers in DNS, then remove the old name. Use NETDOM to do so.

/Guido

From: Almeida Pinto, Jorge de
Sent: Thursday, September 14, 2006 4:50 PM
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

> If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)

Kind regards,
Jorge de Almeida Pinto

From: Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name. At this stage I would re-IP the server, then dcpromo the server again. This is of course assuming you have multiple DC's; if not, and it's only for 3 months, then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy

From: "McClure, David (MED US)" [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller is Windows Server 2003. We have to change its computer name and internal IP but no need to change the domain name, because we want to let it run for 3 months. Anyone could tell me what impacts are brought by these changes? Any suggestions would be appreciated!

With best regards
Jobs.Zhao
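Guido's multi-step rename written out with NETDOM, as an added example that is not from the thread or from Jorge's blog post: add the new name as an alternate, make it primary, reboot, confirm replication and DNS registration, and only then drop the old name. It assumes domain functional level Windows Server 2003 or higher, that it is run as a Domain Admin on the DC being renamed, that no Certificate Authority is installed on it (David's caveat), and that the names are placeholders.

```powershell
# Added example, not code from the thread. Two-phase DC rename with NETDOM:
#   .\Rename-Dc.ps1 prepare   (then reboot)
#   .\Rename-Dc.ps1 finish    (after replication has converged)
# Assumptions: DFL Windows Server 2003+, run elevated as Domain Admin on the
# DC itself, no Certificate Services on the DC, placeholder names below.
$OldName = 'DC01.corp.example.com'    # placeholder: current primary name
$NewName = 'DC01N.corp.example.com'   # placeholder: desired primary name

function Invoke-Step([string]$Description, [scriptblock]$Command) {
    Write-Host "== $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

switch ($args[0]) {
    'prepare' {
        Invoke-Step 'Register the new name as an alternate computer name' {
            netdom computername $OldName /add:$NewName
        }
        Invoke-Step 'Promote the new name to primary' {
            netdom computername $OldName /makeprimary:$NewName
        }
        Write-Host 'Reboot the DC now. Run "finish" only after replication has converged.'
    }
    'finish' {
        Invoke-Step 'Re-register the DC service records under the new name' {
            nltest /dsregdns
        }
        # replsummary exits 0 even when it lists failures: read the output and
        # do not continue while any partner reports errors against this DC.
        Invoke-Step 'Check forest-wide replication status' {
            repadmin /replsummary
        }
        Invoke-Step 'Remove the old name' {
            netdom computername $NewName /remove:$OldName
        }
        Invoke-Step 'Verify the remaining names and their SPN/DNS registrations' {
            netdom computername $NewName /verify
        }
    }
    default { Write-Host 'Usage: .\Rename-Dc.ps1 prepare | finish' }
}
```

Between the two phases, "netdom computername <dc> /enumerate" lists the names currently registered, which is the quick way to confirm the primary switched before removing the old one.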
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
have a look at: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx which might help you on your way

Kind regards,
Jorge de Almeida Pinto

From: Jobsz
Sent: Thu 2006-09-14 14:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Any impacts to domain controller when changing its IP?

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller is Windows Server 2003. We have to change its computer name and internal IP but no need to change the domain name, because we want to let it run for 3 months. Anyone could tell me what impacts are brought by these changes? Any suggestions would be appreciated!

With best regards
Jobs.Zhao
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
> If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name; at this stage I would re-IP the server, then dcpromo the server again. This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: "McClure, David (MED US)" [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true
You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:
> Dear all,
> Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller runs Windows Server 2003. We have to change its computer name and internal IP but have no need to change the domain name, because we want to let it run for 3 months. Could anyone tell me what impacts are brought by these changes? Any suggestions would be appreciated!
> With best regards
> Jobs.Zhao

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

---
This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to [EMAIL PROTECTED]. Thank you.
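The replies above list the things that break when a domain controller is renamed or re-addressed: Certificate Services bound to the host name, the SRV records the DC has registered in DNS, and host-local services such as DHCP and WINS that carry the old address. The following script is an added example, not code from the thread or from any of its authors; it inventories those dependencies on the DC before anything is changed. It assumes it runs on the DC itself with the RSAT ActiveDirectory and DnsClient modules available; the service names and record names are the standard ones, and the `_gc._tcp` record is looked up in the forest root zone where it actually lives.

```powershell
# Added example (not from the thread): pre-change inventory for a DC rename / re-IP.
# Assumes: run on the DC being changed, RSAT ActiveDirectory module installed,
# Resolve-DnsName available (DnsClient module, Windows 8 / 2012 and later).
Import-Module ActiveDirectory

$dc         = Get-ADDomainController -Identity $env:COMPUTERNAME
$domainName = $dc.Domain
$forestName = (Get-ADForest).Name

# 1. A CA on the DC blocks the rename: Certificate Services is tied to the host name.
$certSvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
"Certificate Services installed : {0}" -f [bool]$certSvc

# 2. Which locator records currently point at this DC?  Every one of these has to be
#    re-registered (netlogon) or scavenged after the change; a stale record keeps
#    sending clients to a name that no longer answers.
$srvNames = @(
    "_ldap._tcp.$domainName",
    "_kerberos._tcp.$domainName",
    "_ldap._tcp.dc._msdcs.$domainName",
    "_gc._tcp.$forestName"
)
foreach ($name in $srvNames) {
    $hits = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.NameTarget -eq $dc.HostName }
    $state = if ($hits) { 'registered for this DC' } else { 'not registered for this DC' }
    "{0,-45} -> {1}" -f $name, $state
}

# 3. Host-local services whose own configuration embeds the old IP address
#    (the "DHCP, WINS, kitchen sink" items from the thread).
foreach ($svcName in 'DHCPServer', 'WINS', 'DNS') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { "{0,-12} : {1}" -f $svcName, $svc.Status }
}

# 4. Roles held by this DC: changing the name or IP of a FSMO holder or the only
#    global catalog has a much larger blast radius than changing a plain replica.
$dc | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles | Format-List
```

Run it once before the change and once after DNS has converged; the second run should show the new host name in the SRV targets and no records left pointing at the old one.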
RE: [ActiveDir] Strange password issue
Yes, there is. The password policy is checked as soon as the password entered (using characters) is written into the directory, whether it is a new password or a changed password. If a password hash is written into the directory the system cannot check if the password that generated the hash meets the password policy or not. Migration tools like ADMT and Quest DMW migrate passwords by migrating the hash and not the actual password. For those accounts that were migrated, the password policy comes into effect as soon as the user is forced to change the password, but until that time

You mention Quest's migration tool. Are you saying the user was migrated from another forest/domain outside the existing forest and where it was created using ADUC?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
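The point in the reply above is that a hash written by a migration tool is never evaluated against the password policy, so the policy only takes hold once the user is made to change the password. The script below is an added example, not code from the thread or from any migration tool; it finds enabled accounts whose password was last set before a migration cutoff and has not changed since (i.e. the policy has never been applied to the current password), flags accounts where the policy is bypassed outright by the PASSWD_NOTREQD flag, and shows a dry-run remediation. It assumes the RSAT ActiveDirectory module; the cutoff date is a placeholder you replace with the date your migration ran.

```powershell
# Added example (not from the thread): find accounts whose current password
# predates a migration and was therefore never checked against the policy.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$MigrationCutoff = Get-Date '2006-08-01'   # ASSUMPTION: replace with your migration date

# pwdLastSet = 0 already means "must change password at next logon", so those
# accounts are excluded: the policy will be applied at their next logon anyway.
$stale = Get-ADUser -Filter { Enabled -eq $true } `
            -Properties pwdLastSet, PasswordLastSet, PasswordNeverExpires |
         Where-Object { $_.pwdLastSet -ne 0 -and $_.PasswordLastSet -lt $MigrationCutoff }

# Accounts carrying PASSWD_NOTREQD (userAccountControl bit 0x20) are exempt from
# the minimum-length policy regardless of how the password got there. The thread's
# account has userAccountControl 512, so this check would not have caught it, but
# it belongs in the same review.
$notRequired = Get-ADUser -Filter { PasswordNotRequired -eq $true } -Properties PasswordNotRequired

"Accounts with a pre-migration password never re-set : {0}" -f @($stale).Count
$stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

"Accounts with PASSWD_NOTREQD set                      : {0}" -f @($notRequired).Count
$notRequired | Select-Object SamAccountName | Format-Table -AutoSize

# Remediation for the stale set: force a change at next logon, which is the moment
# the reply above identifies as when the policy first applies. -WhatIf keeps this
# a dry run; remove it once the list has been reviewed.
$stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Accounts with `PasswordNeverExpires` set deserve a second look in the stale list: nothing will ever push those users into a change, so the migrated hash stays unchecked indefinitely unless the flag is cleared.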
RE: [ActiveDir] Rid Master recovery
in that case you would need to seize it. Also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 05, 2006 14:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master recovery

Guys, another question. One of my RID masters crashed before transferring the FSMO role to another DC on the network. Is there any possibility to make another domain the RID master? (The backup failed, so I cannot restore the failed RID master DC now.)

Thanks in advance

"Almeida Pinto, Jorge de" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 11:18 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rid Master

also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

cheers,
jorge
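The advice above is that a RID master that died without transferring its role has to be seized on a surviving DC. The script below is an added example, not code from the thread or from the linked blog posts; it is the check a defender runs first: it lists the current FSMO holders, tests whether the recorded RID master actually answers on LDAP (a dead holder still appears as the owner, because the role is only an attribute on the naming context), and decodes the domain's `rIDAvailablePool` so you know how many RIDs are left before new accounts can no longer be created. It assumes the RSAT ActiveDirectory module and `Test-NetConnection`; the LDAP port and the layout of `rIDAvailablePool` (high 32 bits = upper bound of the pool, low 32 bits = next RID to hand out) are the documented ones.

```powershell
# Added example (not from the thread): FSMO holder report plus RID-pool health check.
# Assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8.1 / 2012 R2+).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Who holds which role right now, according to the directory itself.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The directory still names a crashed DC as RID master; only a live probe shows
# whether the role is actually being served.
$ridMasterUp = Test-NetConnection -ComputerName $domain.RIDMaster -Port 389 -InformationLevel Quiet

# rIDAvailablePool on CN=RID Manager$ is a single 64-bit value:
#   high 32 bits = upper bound of the domain-wide RID pool
#   low  32 bits = next RID the RID master will allocate
$ridMgrDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool
$pool     = [int64]$ridMgr.rIDAvailablePool
$upper    = [int64]($pool -shr 32)
$next     = [int64]($pool -band 0xFFFFFFFF)

"RID master reachable on LDAP/389 : $ridMasterUp"
"Next RID to allocate             : $next"
"Domain RID pool upper bound      : $upper"
"RIDs remaining in domain pool    : $($upper - $next)"

if (-not $ridMasterUp) {
    Write-Warning ("RID master {0} is not reachable. Each DC can keep issuing SIDs from its " +
                   "local RID block, but once that block is exhausted account creation fails. " +
                   "If the holder is permanently gone, seize the role with ntdsutil on a " +
                   "surviving DC and do not return the old machine to the network.") -f $domain.RIDMaster
}
```

`dcdiag /test:RidManager` covers the same ground from the command line; the script is useful when you want the pool numbers in a form you can log or alert on.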
RE: [ActiveDir] Rid Master
also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 04, 2006 18:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master

Guys, explain to me the functions of the RID master, and how do I display the RID of an object created in AD?

Thanks in advance

"joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 08:36 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words.

I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenuous relationship of being about technologies that utilize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someones don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise.

Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use.

joe

[1] Though this was funnier than most OT stuff. There is my value judgment on the quality. :)

[2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how it is managed versus what records need to be in DNS for AD to work or how its app NC replicates.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Monday, September 04, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

I have a hell of a sense of humor (as I'm sure a lot of geeks here do); this just isn't the place for it when people come here for help. /just sayin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Sunday, September 03, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

Nah. It looks more like the sender mistook this list for some other lists. On other lists, this would have engendered a more rapid-fire flame war to the sender's satisfaction, even though the joke itself is very old and has outlived its useful shelf life. I'm sure he's disappointed that this list is so geeky and full of maroons with no sense of humors.

Sincerely,
Microsoft