[ActiveDir] ldifde question
Hi,

Using LDIFDE, I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether, with the group export, I can export their memberships as well. Is there a better way to do that? This command seems to give me the group names at least:

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] ldifde question
Ah, an easy one then. Thanks Wook!

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 24, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Just add member to the list of attributes.

Wook
RE: [ActiveDir] ldifde question
Cool, thanks guys. I was afraid I was going to run into issues because it's multi-valued. Seems to work fine. Thanks again

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 24, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Assuming that the structures are now the same, then if you modify your query as follows:

-l cn,objectclass,ou,member

you should get an output that includes the DN of the members of each group. Then you should be able to import the output into your target AD. If the structures are not the same, then the DN will bite you during import, unless you manually adjust the output file before import.

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
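The DN adjustment the reply above describes, as an added example that is not code from the thread: a small Python LDIF rewriter that maps the dn: and member: values of an ldifde group export onto a different naming context, handling folded lines and base64-encoded values, and reporting any member DN that is not under the source suffix instead of importing it. The sample LDIF and the target suffix DC=target,DC=corp are constructed placeholders.

```python
"""Map the dn: and member: values of an ldifde group export onto a target forest
whose naming context differs.  Added example, not code from the thread; the
sample LDIF and the target suffix DC=target,DC=corp are constructed placeholders."""
import base64

OLD_SUFFIX = "DC=my,DC=domain,DC=com"   # source forest, from the ldifde command in the thread
NEW_SUFFIX = "DC=target,DC=corp"        # assumed target forest (placeholder)
DN_ATTRS = {"dn", "member"}             # attributes carrying DNs in this export


def _b64_line(attr, value):
    """Encode a value the way LDIF does for non-ASCII text: 'attr:: <base64>'."""
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_sample_ldif():
    """Constructed record shaped like 'ldifde ... -l cn,objectclass,ou,member' output.
    It includes a member value folded over two lines (LDIF continuation lines start
    with one space), a base64-encoded member (non-ASCII name) and a foreign security
    principal from another domain; all three defeat a plain search-and-replace."""
    folded = ("member: CN=Service Account With A Very Long Name,OU=Service Accounts,"
              "DC=my,DC=doma\n in,DC=com")
    lines = [
        "dn: CN=App Admins,OU=Groups,DC=my,DC=domain,DC=com",
        "changetype: add",
        "objectClass: top",
        "objectClass: group",
        "cn: App Admins",
        "member: CN=Mark Creamer,OU=Users,DC=my,DC=domain,DC=com",
        folded,
        _b64_line("member", "CN=Jürgen Müller,OU=Users,DC=my,DC=domain,DC=com"),
        "member: CN=S-1-5-21-1111-2222-3333-1105,CN=ForeignSecurityPrincipals,"
        "DC=other,DC=example",
        "",
    ]
    return "\n".join(lines) + "\n"


def unfold(text):
    """Join LDIF continuation lines back onto the line they belong to."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def split_line(line):
    """Return (attr, value); 'attr:: ...' base64 values are decoded to text."""
    if ":: " in line:
        attr, raw = line.split(":: ", 1)
        return attr, base64.b64decode(raw).decode("utf-8")
    attr, raw = line.split(": ", 1)
    return attr, raw


def rewrite_dn(dn, old_suffix=OLD_SUFFIX, new_suffix=NEW_SUFFIX):
    """Swap the naming-context suffix, matching case-insensitively as AD does.
    Returns None when the DN is not under old_suffix (e.g. a foreign security
    principal) so the caller can report it instead of importing a bad DN."""
    if dn.lower() == old_suffix.lower():
        return new_suffix
    if dn.lower().endswith("," + old_suffix.lower()):
        return dn[:-len(old_suffix)] + new_suffix
    return None


def emit(attr, value):
    """Re-encode for LDIF: base64 unless the value is plain printable ASCII."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    return f"{attr}: {value}" if safe else _b64_line(attr, value)


def rewrite_ldif(text, old_suffix=OLD_SUFFIX, new_suffix=NEW_SUFFIX):
    """Return (rewritten LDIF, [(attr, dn), ...] that could not be mapped).
    Unmappable member values are dropped from the output and reported; an
    unmappable dn: line is kept as-is so the record stays intact for review."""
    out, unresolved = [], []
    for line in unfold(text):
        if not line or line.startswith("#"):
            out.append(line)
            continue
        attr, value = split_line(line)
        if attr.lower() not in DN_ATTRS:
            out.append(line)
            continue
        new = rewrite_dn(value, old_suffix, new_suffix)
        if new is None:
            unresolved.append((attr, value))
            if attr.lower() == "dn":
                out.append(line)
            continue
        out.append(emit(attr, new))
    return "\n".join(out) + "\n", unresolved
```

Run rewrite_ldif over the real export file and review the unresolved list before feeding the result to ldifde -i; each entry is a membership that would have failed on import.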
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Yeah, it's building data into a dictionary object. It will pump everything into the text file when it's finished. I think it took about 15 minutes with 30,000 users and 4 DCs.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Richard Mueller's LastLogon.vbs

Has anyone used this? I kicked it off about a half hour ago and I can't tell if it's doing anything. The output.txt is still 0 bytes and the command line hasn't returned to me yet. It's acting hung but I don't know if it just takes a very long time or not. Any experiences with this script?

Thanks,
Russ

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
In task manager, assuming the script is not hung, cscript should be gradually consuming more and more chunks of memory, shouldn't it? That might be one way to tell. Sure makes the 2003 AD attribute a welcome change, doesn't it :)

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

doh. We have 12,000 users and 79 DCs. Should be interesting.

Thanks
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Man, that's frustrating. I never had that issue, but it's probably because I have fewer DCs and they're all on fast links, 2 LAN and 2 T1.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

OK it finally finished, but it says this error and output.txt is still 0 bytes:

C:\Scripts>cscript //nologo lastlogon.vbs > output.txt
C:\Scripts\lastlogon.vbs(143, 7) Provider: This operation returned because the timeout period expired.
RE: [ActiveDir] Recommendations for spam issue
Russ, I've used two solutions for this issue, both of which I think turned out well:

1. Astaro Security Linux with mail protection subscription - available either as an appliance or a hardened Linux distro you can install on a decent PC
2. Sunbelt Software's IHATESPAM

The 501c(3) I support, with about 15 desktops currently, uses the Astaro appliance solution.

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Mon 3/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue

If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was filtering and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through. Would something like Trend Client Server Security for SMB work well in this situation?
[ActiveDir] AD Oracle Integration
Anyone have any knowledge on what it takes to enable AD integration for Oracle? The dev teams want to AD-enable their apps using Oracle 10g as a back end so they don't have to maintain separate login accounts. Articles I've found so far seem a little confusing; apparently it's not a flipped switch somewhere in Oracle :)

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
[ActiveDir] OT: Linux and AD authentication
Anyone know if there is a way to make a Linux box run a login script managed at the AD level (not local to the Linux machine) that could at minimum pop up our acceptable use policy? It's coming up because we have our Windows boxes displaying it on login, and management wants the Linux boxes to do the same.

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
RE: [ActiveDir] OT: Linux and AD authentication
I should have explained that better Tomasz - the reason we want it managed within AD is to make sure the text displayed is the same everywhere. If it's part of a local script on the individual Linux box, we have to remember to change it in more than one place. There are other things we'd like to do with the login script though, not just the acceptable use policy display. Thanks guys - I'll check out the 2 products mentioned.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, March 01, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Linux and AD authentication

Creamer, Mark wrote:
> Anyone know if there is a way to make a Linux box run a login script managed at the AD level (not local to the Linux machine) that could at minimum pop up our acceptable use policy? It's coming up because we have our Windows boxes displaying it on login, and management wants the Linux boxes to do the same.

Vintela has a solution to process GPO at the Linux\Unix box. Is it not possible to make a similar script for Linux running on the Linux box? What is this script displaying?

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Quick CSVDE question
Bryan, see here: http://support.microsoft.com/?kbid=269181 or google the string.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

Great thanks. Where did you find this 1.2.840... number? Is there a reference table somewhere?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Roberts
Sent: Tuesday, February 28, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

If you need to distinguish between true distribution groups and mail-enabled security groups you would be better querying the groupType attribute. If you add this to the query you will only get back security-enabled groups, regardless of mail status.

(groupType:1.2.840.113556.1.4.803:=2147483648)

John Roberts
JLR Technology Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

Nevermind, I added mail to the filters and then parsed the data accordingly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quick CSVDE question

I'm trying to export a list of security groups, but not distribution groups. The string below gets all groups, is there a way I can exclude DLs?

csvde -f c:\groups.csv -s ad7 -d dc=tcu,dc=edu -p subtree -r "(&(objectCategory=Group)(objectClass=group))" -l displayname,samaccountname,description

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
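John's bitwise filter, worked as an added example that is not code from the thread: a Python model of the two AD bitwise matching rules (1.2.840.113556.1.4.803 is bitwise AND, 1.2.840.113556.1.4.804 bitwise OR) applied to constructed csvde-style group records. It shows why the groupType test keeps mail-enabled security groups that a mail-attribute heuristic drops, and that exported groupType values are signed 32-bit integers (security groups appear as negative numbers). Group names and addresses are made up.

```python
"""Model of the AD bitwise matching rules behind the groupType filter in the
thread, run against constructed csvde-style group records.  Added example, not
code from the thread; group names and mail addresses are made up."""
import re

# groupType flag bits (Microsoft GROUP_TYPE_* values)
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # 2147483648, the operand in John's filter

BIT_AND_RULE = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
BIT_OR_RULE = "1.2.840.113556.1.4.804"     # LDAP_MATCHING_RULE_BIT_OR

SECURITY_FILTER = "(groupType:1.2.840.113556.1.4.803:=2147483648)"

# Constructed records.  groupType is stored as a signed 32-bit integer, which is
# why csvde and ADUC show security groups as negative numbers (-2147483646 is
# 0x80000002: security-enabled + global).
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Admins", "groupType": -2147483646, "mail": ""},
    {"sAMAccountName": "IT-Staff", "groupType": -2147483640, "mail": "it@example.edu"},    # mail-enabled universal security
    {"sAMAccountName": "All-Students", "groupType": 8, "mail": "students@example.edu"},   # universal distribution
    {"sAMAccountName": "Printer-Users", "groupType": -2147483644, "mail": ""},            # domain local security
    {"sAMAccountName": "Newsletter", "groupType": 2, "mail": "news@example.edu"},          # global distribution
]

FILTER_RE = re.compile(r"^\((\w+):([\d.]+):=(-?\d+)\)$")


def to_unsigned32(value):
    """Reinterpret a signed 32-bit directory integer as its unsigned bit pattern."""
    return value & 0xFFFFFFFF


def bitwise_match(rule_oid, stored, operand):
    """Semantics of the two AD bitwise extensible-match rules."""
    s, o = to_unsigned32(stored), to_unsigned32(operand)
    if rule_oid == BIT_AND_RULE:
        return s & o == o       # every bit named in the operand is set
    if rule_oid == BIT_OR_RULE:
        return s & o != 0       # at least one bit named in the operand is set
    raise ValueError(f"unsupported matching rule {rule_oid}")


def parse_bitwise_filter(filter_text):
    """Parse '(attr:<rule OID>:=<int>)' into (attr, rule_oid, operand)."""
    m = FILTER_RE.match(filter_text.strip())
    if not m:
        raise ValueError(f"not a bitwise extensible-match filter: {filter_text}")
    return m.group(1), m.group(2), int(m.group(3))


def apply_filter(records, filter_text):
    """Return the sAMAccountNames of records that satisfy the bitwise filter."""
    attr, rule, operand = parse_bitwise_filter(filter_text)
    return [r["sAMAccountName"] for r in records if bitwise_match(rule, r[attr], operand)]


def describe(group_type):
    """Human-readable scope and kind for a groupType value, signed or unsigned."""
    scopes = {GROUP_TYPE_GLOBAL: "global", GROUP_TYPE_DOMAIN_LOCAL: "domain local",
              GROUP_TYPE_UNIVERSAL: "universal"}
    u = to_unsigned32(group_type)
    kind = "security" if u & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    scope = next((name for bit, name in scopes.items() if u & bit), "unknown scope")
    return f"{scope} {kind} group"


def compare_approaches(records):
    """A mail-attribute heuristic (no mail => security group) versus the groupType
    bit test.  Returns (names chosen by the heuristic, names chosen by the filter);
    the heuristic misses every mail-enabled security group."""
    by_mail = [r["sAMAccountName"] for r in records if not r["mail"]]
    by_bit = apply_filter(records, SECURITY_FILTER)
    return by_mail, by_bit
```

When the bitwise clause is combined with the thread's other terms, the whole filter needs an enclosing (&...) and has to be quoted on the cmd.exe command line, since & is a command separator there.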
RE: [ActiveDir] MVP mini summit at DEC 2006
Cool - that's the little town where a dead body shows up week after week on CSI

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, February 23, 2006 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MVP mini summit at DEC 2006

I think the statement works either with it or without it. :-)

(And remember, it's in -Henderson-, not Las Vegas! No gambling, no showgirls, just a quiet little geek conference in the middle of the desert. Nothing to see here, move along. ;-))

On 2/23/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
> Forgot the ;-)
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
>> I believe Vegas comes standard with Drugs, booze and loose women.
>>
>> [EMAIL PROTECTED] wrote:
>>> Daft question maybe, but is this open to MVPs only?
>>>
>>> neil
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
>>> Sent: 23 February 2006 00:09
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] MVP mini summit at DEC 2006
>>>
>>> Alym has scheduled a MVP mini summit session at the conclusion of DEC 2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of the DEC session rooms (tbd). Drugs, booze, and loose women will follow... or at least that's what I was led to believe. :) Alym is swamped with another project, but will be providing the official announcement in a few days. I just wanted to make MVPs aware of it in case you had scheduled a flight out on Wednesday afternoon.
>>>
>>> -gil
>>>
>>> PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
[ActiveDir] ADUC question
Noticed something I don't think I've seen before. Domain structure: empty root + 2 subdomains with users in them. My normal day-to-day account is not a domain admin, and I live in Subdomain A. I open ADUC, focused on Subdomain A, and search Subdomain B for a user. When I find that user, I click on the Member Of tab for that user. All I see are that user's global group memberships in Subdomain B.

If our Account Admin (she's not a Domain Admin but has been delegated the rights to create and modify users) opens ADUC and does the same thing, when she looks at the Member Of tab for the same user, she sees not only the Subdomain B global groups, but also the Universal Groups that user is a member of, which live in Subdomain A. I thought it would be because my console was not focused on a Global Catalog, but I tried it on GC and non-GC domain controllers. Any idea why she sees the Universal groups and no one else does?

Mark Creamer
Systems Engineer
Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040
Email: [EMAIL PROTECTED] | http://www.cintas.com
RE: [ActiveDir] Wireless and logon script
Thanks Chris!

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 08, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

Sorry, typo on the KB number, link is http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Regards
Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 18:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

Chris, I'm not having success finding that KB. Is that the right number? Thanks!

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

[quoted message omitted]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 15:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Wireless and logon script

[quoted original message omitted]

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of Gwent HealthCare NHS Trust unless specifically stated. If you have received it in error, delete it from your system, do not use, copy or disclose the information in any way. Please notify the sender immediately of this error.
RE: [ActiveDir] OT: Tracking File Deletes
Also, just received a message from ScriptLogic about their new File Auditing tool (NFI). Looks interesting: http://www.scriptlogic.com/products/filesystemauditor/

mc
RE: [ActiveDir] Site Links
Do you have manually created links? You'll likely get a lot better answers than mine, but basically when I had replication problems, I eventually determined that a lot of it was my own causing. Basically, I had no reason to create any site links manually, which I had done. I got rid of those, changed the costs per recommendations on this list, and let the KCC do the rest. It's been perfect ever since.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts,

Are there any best practices for creating and managing site links? The problem I am facing is where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel
[ActiveDir] Wireless and logon script
Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven't been involved with their setup. Basically the deal is when a user logs in to a wired LAN connection, the logon script always runs. When they log on with wireless, the logon script does not run. To me as a casual observer, it looks like the authentication does not happen until after a cached logon takes place and the user attempts to reach a resource requiring authentication, such as Exchange.

Thanks,

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Wireless and logon script
Chris, I'm not having success finding that KB. Is that the right number? Thanks!

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

What O/S and Service Pack are you running, and are you using USB WLAN Cards? We recently deployed a Wireless Infrastructure and had a similar issue with Computer GPOs and Start Up scripts not being applied. Turns out the GPO processing and Start Up scripts were running before a network connection was made on our Workstations that used a USB WLAN Card. After applying XP SP2 and making a registry change using a custom adm template, all was fine. See MS KB 840649 for the registry settings to modify.

Regards
Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 15:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Wireless and logon script

[quoted original message omitted]
RE: [ActiveDir] Lotus Sametime and LDAP access to AD
Wow! Exactly the kind of crap joe and I and others were talking about the other day. Let's crash AD to make poor programming work.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, February 02, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lotus Sametime and LDAP access to AD

Has anyone on the list ever run into this? A systems integrator I know told me that they were trying to integrate Lotus SameTime with AD as part of an enterprise portal configuration. Apparently SameTime can authenticate using LDAP binds and also grab user information which SameTime uses for its configuration. Anyhow, it chokes when it tries to retrieve the user information. Apparently, they try to query on all users within the specified scope, but without using the LDAP paging control. The integrator sent me this URL to the technote published by IBM on the subject: http://www.ibm.com/support/docview.wss?rs=899&uid=swg21090028

From the referenced technote:

"Currently, Sametime must pull all users from the LDAP server and will reach the limit set on the LDAP server, if a limit is set to be lower than the amount of users that Sametime can search for."

And then this little gem:

"The following can resolve the error on an Active Directory server: In Active Directory, go to a command line and type:

ntdsutil
ldap policies
connections
connect to server <local server name>
set creds <local domain name> administrator <admin password>
quit
show values
set MaxPageSize to 10
commit changes

Note: If the amount of users/groups on the AD server is larger than 100,000, the MaxPageSize value should be set higher."

When I regained my composure, I replied with a note to the effect that there is absolutely no way I would advocate opening that throttle by a factor of 100 (or more!). There have been numerous threads on this list about MaxPageSize, usually ending with a pronouncement from ~Eric or joe saying "Just don't do it - use LDAP paging."

I'm just curious if anyone else has run into this with SameTime, and also whether Microsoft has directly addressed this kind of advice from IBM or anyone else.

Dave
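The point the list keeps making is that the Simple Paged Results control (RFC 2696), not a larger MaxPageSize, is the fix for an application that pulls every user. As an added illustration that is not part of the thread (Python, with an in-memory stand-in for a domain controller rather than a real DC), the block below simulates a server enforcing MaxPageSize and shows that a client using the paging control retrieves the whole result set with the policy untouched, while the unpaged search fails the way the technote describes. SimulatedDirectory, fetch_all_users_unpaged and fetch_all_users_paged are hypothetical names; the ldap3 call named in the comments is the real client-side equivalent.

```python
"""Added example (not from the thread): why LDAP paging beats raising MaxPageSize.

An in-memory stand-in for a domain controller enforces the MaxPageSize
LDAP policy the way AD does: no single response carries more than
MaxPageSize entries. A client that ignores the Simple Paged Results
control (RFC 2696) gets sizeLimitExceeded once the directory outgrows
the limit; a client that uses the control walks the result set page by
page and never needs the policy changed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4          # LDAP resultCode sizeLimitExceeded
AD_DEFAULT_MAX_PAGE_SIZE = 1000  # default value of the MaxPageSize policy


@dataclass
class SimulatedDirectory:
    """Hypothetical stand-in for a DC; entries are just DNs."""
    entries: List[str]
    max_page_size: int = AD_DEFAULT_MAX_PAGE_SIZE

    def search(self, paged_size: Optional[int] = None,
               cookie: bytes = b"") -> Tuple[List[str], int, bytes]:
        """Return (entries, result_code, next_cookie).

        paged_size=None models a request without the paging control.
        The cookie is opaque to a real client; here it is just the offset.
        """
        if paged_size is None:
            # No control: the server truncates at MaxPageSize and flags it.
            if len(self.entries) > self.max_page_size:
                return (self.entries[:self.max_page_size],
                        SIZE_LIMIT_EXCEEDED, b"")
            return list(self.entries), SUCCESS, b""
        # With the control each page is still capped by MaxPageSize, but
        # the cookie lets the client ask for the next page.
        start = int(cookie) if cookie else 0
        limit = min(paged_size, self.max_page_size)
        end = min(start + limit, len(self.entries))
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return self.entries[start:end], SUCCESS, next_cookie


def fetch_all_users_unpaged(directory: SimulatedDirectory) -> List[str]:
    """What the technote describes Sametime doing: one big, unpaged search."""
    entries, code, _ = directory.search()
    if code == SIZE_LIMIT_EXCEEDED:
        raise RuntimeError(
            f"sizeLimitExceeded: got {len(entries)} of "
            f"{len(directory.entries)} entries; MaxPageSize="
            f"{directory.max_page_size}")
    return entries


def fetch_all_users_paged(directory: SimulatedDirectory,
                          paged_size: int = 500) -> Tuple[List[str], int]:
    """Walk the result set with the paging control. Returns (entries, pages).

    Against a real DC with ldap3 the equivalent is
    conn.extend.standard.paged_search(base, '(objectCategory=person)',
    attributes=['cn'], paged_size=500, generator=True); the cookie
    handling below is what that helper does for you.
    """
    results: List[str] = []
    cookie = b""
    pages = 0
    while True:
        page, code, cookie = directory.search(paged_size=paged_size,
                                              cookie=cookie)
        if code != SUCCESS:
            raise RuntimeError(f"search failed with resultCode {code}")
        results.extend(page)
        pages += 1
        if not cookie:  # empty cookie: the server has no more pages
            return results, pages


# Constructed sample directory: 2,500 user DNs, more than the default policy.
DIRECTORY = SimulatedDirectory(
    [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(2500)])

if __name__ == "__main__":
    try:
        fetch_all_users_unpaged(DIRECTORY)
    except RuntimeError as exc:
        print("unpaged search:", exc)
    entries, pages = fetch_all_users_paged(DIRECTORY, paged_size=500)
    print(f"paged search: {len(entries)} entries in {pages} pages")
```

Asking for a page larger than MaxPageSize does not bypass the policy either; the server simply caps each page, so the paged client still gets everything, just in more pages.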
[ActiveDir] distributing large service pack files
The structure of our WAN is such that we have lots of small offices all over the country, each with a few to a hundred or so PCs, connected by not-so-fast links. The biggest locations have T1s, but many don't. Keeping these things patched is a nightmare. We do not have distributed servers, and really nothing except the PCs themselves to cache something for local delivery. Which brings me to my question...is it even conceivable that something like an internal-only BitTorrent could be leveraged to distribute something as large as a service pack? I think it might be more efficient than a 3rd party patch management solution or WSUS, which I can't use because of not having distributed file caches. If this is nutty, dish out the dirt, but I'll want to understand why it's nutty too :)

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] distributing large service pack files
Hmm. That's an answer I didn't expect. Good info. Thanks Susan. I know I need to play more with WSUS. The only place I have installed it was in a 20 node network with an older server hosting WSUS only, and it killed the performance on the server. So I (not very scientifically I admit) extrapolated that it would be a disaster in a large corporate environment. No, I didn't install all languages :-) I'm sure I did something wrong, just haven't gone back to revisit it yet.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, February 02, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] distributing large service pack files

Not to mention it's my understanding that it's not legal to distribute service packs outside the MS cloud and host MS code like service packs/hotfixes like that. This is why universities cannot hand out SP cdroms and some such things. Since the Department of Justice... it's been my impression that MS tends to want to control the bits so they can yank parts if need be [see recent SP update notifications for Office due to stupid lawsuit between guy and MS on Access]. WSUS had to get some eula's rewritten to allow the geeks to allow consultants to do patching and what not.

Molkentin, Steve wrote:

Mark,

WSUS (and SMS for that matter) uses the Background Intelligent Transfer Service (that's what it's called) to do just this on large files, in that it is smart enough to recognise downtime on your network to send files, and manages the resumption of large files if it had to stop transferring them. It is pretty seamless in my experience - all our links are less than T1 (except for the internet pipe into our head office), and we manage to push a lot of stuff around using WSUS quite well with no interruption to business.

It's not hard to set up an older PC as a local WSUS cache - it needs little in the way of processor and RAM (really), and will get over any cost issue and give you the ability to distribute, etc. Additionally, it takes away all the responsibility of the staff member to install/connect/download the service pack (and don't start me on the fact that they shouldn't have admin rights to install it in the first place).

My $0.02 inc GST...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, 3 February 2006 6:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] distributing large service pack files

[quoted original message omitted]

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.
What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran everything under my own account - maybe not, but I generally do. As far as RDP, I usually disable everyone's ability to TS in, and enable only my own account. But I always change the port to some weird random number, just to thwart the majority of the script kiddies.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.

:-) Don't install the 5th part of the SBS sp1 service pack bundle then. 'cause it kinda wants to be only run under that 500 account. I've got a SBSer installing WSUS under an alternative Admin account, and the installs that he's done under the 500 account the computers check in just fine...the ones under the alternative account are having issues. He's applied the compression hotfix and done client side targeting and still no go. He's redoing the group policy settings under the 500 account now.

Al Mulnick wrote:

I can honestly think of no plausible reason that any vendor I want to do business with would require that I use that or any specific account. There is never a time when that's acceptable.

Wait. I want to be clear about this. There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account.

Any time I've been faced with that concept, I and my colleagues have always pushed back on the vendor to specify exactly what rights and any other pertinent details were needed. If they couldn't or otherwise wouldn't provide the details, then we emphatically recommend no sale. If that doesn't prevent the sale, we loop in the security folks to accept responsibility for the compliance and other security issues that this may introduce. If they were fine with it, then I no longer have a stake in the game for that. Instead, I now have a scapegoat for anything that goes wrong ;)

There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account. Never.

On 1/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

There have been times in recent past that certain installs or applications only work under the 500 account aka the real admin account down here in SBSland. In Big server land... do you also find this to be true with apps that need to be installed on the server?

For many of you, you are obviously remote admin'ing. Do you ..when using that 500 account... accept the risk of that Admin account/password over TS/3389? Only over VPN? Only use that 500 account in certain vlans/subnets/whatevers that obviously we in SBSland never carve up our domain structures in? For SOX purposes only have a documented use of that 500 account? For all other times do you use admin equivalent?

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.
OK, I must have logged in that way then. I was local that day, not remote. Very, very good to know...I have a couple more coming up next week.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.

Windows 2003 sp1
Sharepoint sp1 [can use sp2 instead]
Exchange sp1 [can use sp2 instead]
XP sp2
SBS specific SP1 - this is the one we've found has needed the 500 account
---
If premium:
SQL server 2000 sp4
ISA 2004 [must have media..CANNOT be done remotely]

Creamer, Mark wrote:

[quoted message omitted]
[ActiveDir] Logon issue
We have an unusual situation I can't find a solution for, and I wanted to see if others had experienced it. A few of our remote locations connect to corporate via DSL and VPN. We normally have a logon script engine (ScriptLogic) that runs for each logon. PCs run Windows XP, and get DHCP and logon services from the corporate location.

In several cases, when a specific user (and there are more than one) logs on to a PC with the problem, the logon takes up to 20 minutes to log on. When another user logs on to the same PC in the same location, the logon is instantaneous. The same symptoms are happening in several locations, involving different users, but in each case, a different user can log on fine on the affected PC. Our networks folks watched the traffic in Compuware and determined that in the logons that are a problem, there is significant Kerberos traffic, back and forth, back and forth.

My first thought was corrupt or excessively large profile, but we don't use roaming profiles, and the PC has been re-imaged. We also recreated accounts for a couple of users. The problem goes away for a couple of weeks, and then it's back. I'm just now getting involved because the network team initially thought it was their issue. Is there anything you can suggest I can look at?

Thanks,

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Developer Best Practices doc
What's frustrating to me is that even some of the most significant players in many software categories (and hardware, for that matter) are not allowing some of the Microsoft best practices listed in these documents to be used. (I'm not referring to in-house development this time.) Example: an app that requires one or more hard-coded domain controllers, because the app was not designed to know how to search for an available server (WebMethods). Or one that has to be patched to know how to do referral chasing because we have multiple domains and not all the needed attributes are in the GC (Cognos). What do you guys do? Surely you can't expect to always be able to take the high ground and say to a business unit "you can't bring in this new state-of-the-art application because it isn't querying the AD correctly." Especially if it works (in their minds, albeit not efficiently in mine). I'd be laughed out of a job. AD is just one small part of the big package.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, January 24, 2006 11:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Developer Best Practices doc

Yep, Joe and Ryan have a book they put together for .NET programming for the Directory Services stuff. I believe it is completed from a writing standpoint, just doing all of the stuff it takes to get it ready to get it out the door. I am not a .NET person but I reviewed it for the directory related logic and processes (i.e. queries and the general thoughts of how you would attack things). Again, not being a .NET person, it still seemed to be pretty good; it read fairly well. Other than that, I would point at the writing efficient apps document from MS as well as the MSDN docs on using AD.

Specific DOCs:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/efficientadapps.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_active_directory.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_efficient_queries.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/active_directory_service_interfaces_adsi.asp

ADAM docs are good to learn from as well:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/active_directory_application_mode.asp

Gil wrote the book that I initially learned to write apps from, called Active Directory Programming. It is broken up into ADSI and LDAP sections. It isn't the end-all be-all and there is an occasional issue, but it obviously got me going in the right direction. I still refer back to it on occasion. Other than that, make them read some of the better AD books out there to really understand the idea and capabilities and uses behind AD. Yes, it is an LDAP directory, but if you only go in thinking that, you will probably not write the best apps you can write. Recommended books would be Sakari's book (get the Second Edition) and, if I may be so bold and not sound bad doing so, O'Reilly Active Directory Third Edition. Oh, finally, send them into the various AD Programming Interface and ADSI newsgroups to see the kinds of questions other folks are asking about how to do this stuff.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, January 24, 2006 4:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Developer Best Practices doc

I believe Joe Kaplan and Ryan Dunn have a book which is going to be published soon on the matter.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Tue 1/24/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Developer Best Practices doc

IIRC, there are several books that relate to this. Somebody on this list may have written one even :)

That said, I think the normal applies to the best practices:
- Use efficient LDAP queries (see Microsoft web site; several blogs as well) when LDAP is used
- Use .NET best practices for dealing with code
- Try to stay away from legacy practices where possible (WinNT provider if using ADSI)
- Limit queries to the exact information needed.
- Be sure to remember that group membership gets truncated to a limited number of members if using intuitive methods to read them. Limitation of .NET.

I'm sure there are other pieces, but I've not had to write one more specific than that.

On 1/24/06, Creamer, Mark [EMAIL PROTECTED] wrote:
Anybody seen/created a best practices document to 'teach' internal application development teams to interact with AD? I've just been asked to do one and could use some guidance on things to include.

Mark Creamer, Systems Engineer, Cintas Corporation
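Al's last point, that the "intuitive" way of reading a large group's member attribute comes back truncated, is worth seeing in code. The Python below is an added example (not code from the thread or from any of the books it mentions) that simulates Active Directory's ranged attribute retrieval, which the thread does not name: the server answers a request for member;range=lo-* with at most MaxValRange values (constructed here as 1500, the default on Windows Server 2003 and later) and labels the final page range=lo-*. The group DNs and membership counts are constructed sample data; no directory is contacted.

```python
"""Reading a large group's member attribute: naive read vs. range retrieval."""
import re
from typing import Dict, List, Tuple

# Constructed server-side limit standing in for the MaxValRange LDAP policy
# (1500 on Windows Server 2003 and later). Larger value sets come back paged.
MAX_VAL_RANGE = 1500

Entry = Dict[str, List[str]]


def make_members(n: int) -> List[str]:
    """Constructed sample member DNs; no real directory is involved."""
    return [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(n)]


# Constructed sample groups: one over the per-response limit, one under it.
BIG_GROUP: Entry = {"member": make_members(3200)}
SMALL_GROUP: Entry = {"member": make_members(10)}


def server_read(entry: Entry, attr: str, lo: int) -> Tuple[str, List[str]]:
    """Simulated directory server answering a request for attr;range=lo-*.

    Returns the attribute name as AD labels it plus the values: an incomplete
    page is labelled attr;range=lo-hi, the final page attr;range=lo-*.
    (A real server returns a small group as plain attr; the simulation labels
    it range=0-* so the client logic below has a single shape to handle.)
    """
    values = entry[attr]
    end = min(lo + MAX_VAL_RANGE, len(values))
    chunk = values[lo:end]
    if end >= len(values):
        return f"{attr};range={lo}-*", chunk
    return f"{attr};range={lo}-{end - 1}", chunk


def naive_read(entry: Entry, attr: str) -> Tuple[List[str], bool]:
    """The 'intuitive' read: ask for the attribute once and take what comes back.

    For a group over the limit the server returns only the first page (labelled
    member;range=0-1499), so a caller that ignores the returned attribute name
    silently sees a truncated list. The flag reports that condition.
    """
    name, chunk = server_read(entry, attr, 0)
    truncated = not name.endswith("-*")
    return chunk, truncated


_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def read_all_values(entry: Entry, attr: str) -> List[str]:
    """Client loop: request attr;range=lo-*, append the page, set lo to hi+1,
    and stop when the server labels a page with -* (the last one)."""
    out: List[str] = []
    lo = 0
    while True:
        name, chunk = server_read(entry, attr, lo)
        m = _RANGE_RE.match(name)
        if m is None or m.group("attr") != attr or int(m.group("lo")) != lo:
            raise ValueError(f"unexpected attribute label {name!r}")
        out.extend(chunk)
        if m.group("hi") == "*":
            return out
        lo = int(m.group("hi")) + 1


if __name__ == "__main__":
    got, truncated = naive_read(BIG_GROUP, "member")
    print(f"naive read: {len(got)} values, truncated={truncated}")
    print(f"ranged read: {len(read_all_values(BIG_GROUP, 'member'))} values")
```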
RE: [ActiveDir] Developer Best Practices doc
Bravo Susan... I guess that's one way.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 25, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Developer Best Practices doc

www.threatcode.com

You want me to start a new division? We have to get people to care by shaming them into changing their ways.

Creamer, Mark wrote:
What's frustrating to me is that even some of the most significant players in many software categories (and hardware, for that matter) are not allowing some of the Microsoft best practices listed in these documents to be used. (I'm not referring to in-house development this time.) Example: an app that requires one or more hard-coded domain controllers, because the app was not designed to know how to search for an available server (WebMethods). Or one that has to be patched to know how to do referral chasing because we have multiple domains and not all the needed attributes are in the GC (Cognos). What do you guys do? Surely you can't expect to always be able to take the high ground and say to a business unit "you can't bring in this new state-of-the-art application because it isn't querying the AD correctly." Especially if it works (in their minds, albeit not efficiently in mine). I'd be laughed out of a job. AD is just one small part of the big package.

mc
[ActiveDir] Developer Best Practices doc
Anybody seen/created a best practices document to teach internal application development teams to interact with AD? I've just been asked to do one and could use some guidance on things to include.

Mark Creamer, Systems Engineer, Cintas Corporation
RE: [ActiveDir] OT: DEC 2006
There's one on eBay right now.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Friday, January 13, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

I remember those. That was my last year at U of L and they announced that the next year all engineering students would be required to buy a Rainbow. The cost was to be spread over 4 years of tuition. Fortunately, the Rainbow proved itself an instant flop and U of L dropped that plan. If memory serves, they did run MS-DOS, but they didn't have a PC-compatible BIOS, so that while they gave the impression that they were PC compatible, in reality they wouldn't run anything that required BIOS calls (which was 99% of the software out there). We used a lot of HP 150 touch screens, and they were the same way. Also, you had to buy pre-formatted floppies from DEC - you couldn't format your own. At least until someone leaked the formatting utilities.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow? It was DEC's attempt at a personal computer. Launched in early '83, if I remember... ran its own proprietary DEC OS and was not compatible with any IBM-DOS apps. It died a year or two later, but the marketing stickers held up for about 10 years!! I had one stuck to my daughter's mirror and damned if I could get it off!! And the DECwriter and the Gold key. Ah - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:
Ah, but people using DEC and attending DECUS were smarter than the average bear. To this day the people I meet who grew up on DEC are more well rounded and knowledgeable in the field than the norm. The good ol' days... Anyone remember Mike Mayfield and the RSTS/E Monitor Internals books he wrote? Only place to get the real scoop on the internals so you could really wreak havoc. I think he also wrote the original Trek too, so if your system was still up after poking around in the internals you could play a video game on your DECwriter or VT52.

I got my first official corporate support position supporting OS/2 and Win31 on Token Ring back in the mid 90's because I knew DEC. The 8 or so people in the panel interview started asking me questions about the equipment the job was for (OS/2, Win31, TCP/IP, Token Ring) and I couldn't answer any of the questions, so they saw DEC on my resume and started asking DEC questions, and a couple of hours later we were all laughing and I had my choice of the three open positions they had even though I knew nothing about any of them. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John McGlinchey
Sent: Tuesday, January 10, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

My experience is just the opposite. I attended DECUS (the other DEC, Digital Equipment Computer Users Society) symposia a few times back in the 90's and the casinos complained that the attendees were not losing enough money. This was attributed to 1) most of the attendees knew the odds were against them so they kept their money in their pockets where it belonged, and 2) the ones that did play were pretty good at it and were winning too much. I'll not be attending but I'm sending someone that works for me instead. Have a good conference.

John McGlinchey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 10, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

I think you are going to find the same at Green Valley - http://www.greenvalleyranchresort.com/gaming/index.html Leave your car and house titles at home!
RE: [ActiveDir] OT: DEC 2006
On-site support visit. I count 12 Applebee's locations in the greater Vegas area. Surely there's a piece of AD broken in one of them :-)

Me? We've got pants and shirts scattered all over Vegas hotels and casinos and I still can't go :-(

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Tuesday, January 10, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Ditto for me... My title doesn't start with a C _ _ so I'm afraid to even ask for a paid trip to Vegas :-)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jose Medeiros
Sent: Monday, January 09, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

I would love to go; unfortunately, like most people on the list, unless our employers pay for it we just cannot afford to attend.

Jose

----- Original Message -----
From: McLeod, Scotty
To: ActiveDir@mail.activedir.org
Sent: Monday, January 09, 2006 7:45 AM
Subject: RE: [ActiveDir] OT: DEC 2006

Am attending again, looking forward to it.

Scotty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 05 January 2006 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list, how many people are going to DEC this year? www.directoryexpertsconference.com Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s.

Mark
RE: [ActiveDir] AD or is this Exchange task?
Thanks Tony. One question, if someone knows... Below is an excerpt from the script. What should the syntax for the folder path be?

' This code toggles the mail-enabled status of the selected folder.
' ------ SCRIPT CONFIGURATION ------
strComputerName = "<serverName>"    ' placeholder: name of the Exchange server
strPubFolderPath = "<folderPath>"   ' placeholder: path of the public folder

In our Public Folder list, when I look at it in Outlook, it shows Public Folders/All Public Folders/HR Managers, and then under that are all the folders whose mail-enabled status I want to turn off. These are named HR001, HR002, etc. What should the strPubFolderPath look like to accomplish this? Thanks again!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, December 21, 2005 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

Another method to do this is to use WMI. Here's a sample script from the Exchange Server Cookbook:
http://www.exchangecookbook.com/files/09-08-change-PF-mail-enable-status.txt

Bear in mind that if you are running in mixed mode then Exchange 5.5 expects all PFs to be mail-enabled.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, 22 December 2005 9:13 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

The supported mechanism is to use the CDOEXM MailDisable method. http://msdn.microsoft.com/library/default.asp?url=""

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Wednesday, December 21, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD or is this Exchange task?

I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange, or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do.

Thanks,
Mark
RE: [ActiveDir] AD or is this Exchange task?
I think I'm pretty close on this, but am unable to get past an error. When I run the script (which initially I configured to only tell me whether or not the various folders are mail-enabled), I get an error 0x80041010. My research suggests this is either because something is misspelled in the WMI query, or that the class doesn't even exist in the given namespace. I tried running it on the server itself, but same result. Then I opened Scriptomatic V2 and selected the Root/MicrosoftExchangeV2 namespace, and sure enough, Exchange_PublicFolder does not show up as a class in that namespace. So I guess that's why the error happens, but how do I fix it? Script is below. Thanks!

strComputerName = "myServer"
strPubFolderPath = "/Public Folders/All Public Folders/HR Managers/"
strE2K3WMIQuery = "winmgmts://" & strComputerName & "/root/MicrosoftExchangeV2"

' query for the specific folder we want
Set wmiService = GetObject(strE2K3WMIQuery)
query = "Select * From Exchange_PublicFolder Where Path='" & strPubFolderPath & "'"
Set targetFolder = wmiService.ExecQuery(query)

' report on the mail-enabled status (the toggle step is left out while testing)
For Each folder In targetFolder
    If folder.IsMailEnabled Then
        WScript.Echo folder.Name & " is mail-enabled as " & folder.TargetAddress
    Else
        WScript.Echo folder.Name & " is not mail-enabled"
    End If
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, December 22, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD or is this Exchange task?

IIRC, it's Public Folders/All Public Folders/HR Managers/HR001

Al

On 12/22/05, Creamer, Mark [EMAIL PROTECTED] wrote:
Thanks Tony. One question, if someone knows... Below is an excerpt from the script. What should the syntax for the folder path be?
RE: [ActiveDir] AD or is this Exchange task?
No, actually 2000, at least on the Exchange server hosting the public folders. There are a couple of them which are 2003. Earlier posters only mentioned this not working with 5.5, which I do not have. Will this not work with 2000?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Thursday, December 22, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

You are Exchange Server 2003, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Thursday, December 22, 2005 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

I think I'm pretty close on this, but am unable to get past an error. When I run the script (which initially I configured to only tell me whether or not the various folders are mail-enabled), I get an error 0x80041010. My research suggests this is either because something is misspelled in the WMI query, or that the class doesn't even exist in the given namespace. I tried running it on the server itself, but same result. Then I opened Scriptomatic V2 and selected the Root/MicrosoftExchangeV2 namespace, and sure enough, Exchange_PublicFolder does not show up as a class in that namespace. So I guess that's why the error happens, but how do I fix it?
[ActiveDir] AD or is this Exchange task?
Title: AD or is this Exchange task? I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do. Thanks, Mark
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] AD or is this Exchange task?
Title: AD or is this Exchange task? Cool! I've used autoitx.dll control in my scripts before for weird little macro-like tasks, but I didn't know about this. Thanks Ken!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Wednesday, December 21, 2005 3:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD or is this Exchange task?
As much as I like to whip up perl code, I usually use AutoIt http://www.autoitscript.com/autoit3/ for one-shot things like this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, December 21, 2005 2:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD or is this Exchange task?
I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do. Thanks, Mark
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Script to find Computers under particular OUs
Wouldn't it be faster/more efficient to search for all computer objects and output the entire distinguishedName (which would obviously include the OU name)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar Sent: Tuesday, December 20, 2005 11:10 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Script to find Computers under particular OUs
I am trying to find a way to write a script. The scenario is a bit like this: I have a few OUs under which there are Computers. I need to check if computer names are supplied from the text file; then it will have to run against those particular OUs. If it can find a machine under those particular OUs then it will write something like found or not found depending upon the search result. I know how to query against the entire AD but I am looking for a way where I can just supply or hardcode the OUs and it will search against those multiple OUs only and not the entire AD. Any help in this regard is much appreciated. Sincerely, J
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
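The approach the reply above suggests (search every computer object once, then decide from each distinguishedName whether it sits under one of the wanted OUs), as an added example that is not code from the thread. It works offline on a constructed DN list and a constructed name list standing in for the directory search output and the text file; the DN parsing handles escaped commas and AD's case-insensitive matching, and it flags computers that exist but outside the expected OUs.

```python
# Added example (not from the thread): check which computer names from a text
# file live under specific OUs, working from the distinguishedName of every
# computer object returned by one full-directory search.

def split_dn(dn):
    """Split an LDAP DN into RDN strings, honouring backslash-escaped commas
    (e.g. 'OU=Sales\\, Marketing' is one component, not two)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape sequence intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def normalize_rdn(rdn):
    """AD compares attribute types and DN values case-insensitively."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def is_under(dn, container_dn):
    """True if dn sits anywhere in the subtree below container_dn
    (nested sub-OUs included; the container itself does not count)."""
    obj = [normalize_rdn(r) for r in split_dn(dn)]
    container = [normalize_rdn(r) for r in split_dn(container_dn)]
    return len(obj) > len(container) and obj[-len(container):] == container


def check_computers(names, target_ous, computer_dns):
    """Map each name from the text file to 'found' (under one of target_ous),
    'found elsewhere' (exists, but outside those OUs, so it will not receive
    the GPOs linked there) or 'not found'."""
    by_cn = {}
    for dn in computer_dns:
        _, cn = normalize_rdn(split_dn(dn)[0])
        by_cn.setdefault(cn, []).append(dn)
    results = {}
    for name in names:
        matches = by_cn.get(name.strip().lower(), [])
        if not matches:
            results[name] = "not found"
        elif any(is_under(dn, ou) for dn in matches for ou in target_ous):
            results[name] = "found"
        else:
            results[name] = "found elsewhere"
    return results


# Constructed sample data standing in for a real directory dump and text file.
SAMPLE_COMPUTER_DNS = [
    r"CN=WS001,OU=Workstations,OU=Chicago,DC=corp,DC=example",
    r"CN=WS002,OU=Laptops,OU=Workstations,OU=Chicago,DC=corp,DC=example",
    r"CN=SRV01,OU=Servers,OU=Chicago,DC=corp,DC=example",
    r"CN=WS003,CN=Computers,DC=corp,DC=example",           # default container
    r"CN=WS004,OU=Sales\, Marketing,OU=Chicago,DC=corp,DC=example",
]
TARGET_OUS = [
    r"OU=Workstations,OU=Chicago,DC=corp,DC=example",
    r"ou=sales\, marketing,ou=chicago,dc=corp,dc=example",  # case differs on purpose
]
COMPUTER_LIST = ["WS001", "ws002", "SRV01", "WS003", "WS004", "WS999"]

if __name__ == "__main__":
    for name, status in check_computers(COMPUTER_LIST, TARGET_OUS, SAMPLE_COMPUTER_DNS).items():
        print(f"{name}: {status}")
```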
RE: [ActiveDir] Ntds.dit file corruption
Net share joesdevfolder

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 08, 2005 11:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption
Error detection and correction seems to be about 60-90% of any program that does it well, in other words most of the code is to validate you are working with what you should be working with. For user facing apps that usually means a ton of code around detecting/correcting data entry issues. For apps that don't directly interact with a user it is about data consistency and validity of anything passed into it from any external source (disk, another function, etc).

I once made a very very stupid comment around this. When I was in college a high level math teacher[1] once asked what I wanted to do with computers. I said I wanted to work on system software instead of user applications because I hated wasting all of the time on checking to make sure the information was correct that I was getting because users always enter stupid things. That generated a 90 minute discussion where I got the crap beat out of me for saying something so obtuse. But realistically, at the time, and until about 5 years ago for a lot of MS software, my comment was accurate. System software didn't have a lot of checks for data validity and consistency. That conversation, although it melted my ego and made me crawl back to my dorm in the bushes so people couldn't see me, dramatically changed my outlook on how software should be written. That error checking is one of the core pieces of secure code writing. If you only let through things you expect and you know you handle, it is a lot tougher to compromise a component.

If I apply this to joeware, I whip up joeware tools left and right all of the time that are great for me. I know the boundaries.
When I have time to spend 10 times longer on a program than I did when I initially wrote it to do what I needed then I can make it so others can use it. There is a ton of stuff in my dev\cpp folder that only I get to use and probably never will make it to anyone else simply because I don't have the time to put in all of the error correction, etc to make it safely useable by others. joe [1] I think I was in Calc IV or something like that where you have maybe 10 people in the class at Michigan State University versus the normal several hundred. It was definitely a math teacher instead of a CIS teacher though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Thursday, December 08, 2005 10:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption I'd agree with that... but I know from doing small scripts that when I put them in someone else's hands, and I start adding in detection for this, and that, and error handling, eventually what was a 20 line script has grown into 1000+ lines and loads of subs and functions without actually adding to the end result if it had been entered correctly initially. Here I'm referring to simply inputting an IP address, and then having to break it down and check it and ensure that a valid address is put back in through WMI. Probably less than the size of the code for the welcome dialog for dcpromo :0 So while it's nice to detect all the scenarios that could create corruptions or irregularities or unexpected conditions, I think sometimes we need to be able to run the Active Directory Zamboni to go through the database when everyone's asleep and find, and fix and/or report on, these irregularities. A huge and better Zamboni wouldn't slow down the whole directory in real time, and while it wouldn't be the solution to every instance, perhaps it would help us be more proactive without having to know what tools to run when for detection. 
Not that there isn't a Zamboni, just that maybe here are some more things for it to do. Just some ideas... Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 08, 2005 7:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption Yep, any time you can correct for an error versus just fail out on detection (or even worse not detect) it is a good thing. I expect someone was sitting around one day saying, hey you know how we detect these problems and you know how it is often a single bit... I bet we could find a way to detect which bit and fix it... Or possibly someone just realized, hey we have enough info to determine this so we don't have to throw an error... Either way... Good job. I wonder what the doubling of pages sizes in E12 (to make it the same as AD Page Sizes) will do to impact the percentages of occurrence. Honestly if it saves just one recovery a month that would probably be worth it to Exchange and probably to SBS AD as well. For non-SBS AD deployments it shouldn't be as
RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer
Just curious - what's MONAD's goal supposed to be, other than having an acronym that sounds like a military facility?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 01, 2005 9:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer
You know that the scriptomatic 2 HTA will create Perl script that does WMI, right? I am not a huge fan of WMI but there are times in the scripting world if you want to stick to pure script it is the only way to do what you want and I will use it if I don't have time (or ability as in the case of mailbox reconnects or getting info on what DCs are being used by DSACCESS) to write native code to do what I need. If you have perl in your pocket there really is no need to learn vbscript other than enough to look at examples which doesn't take much learning.

MONAD might be worth learning but I am still not sure about it. They have scaled it back so much from what they were initially talking about when I thought, that is seriously cool. I certainly don't feel that it is going to turn a bunch of people into scripters by just being released. The model will confuse the crap out of most people as it is even more involved than vbscript which people don't want to learn because it is too much like programming. I have made some recommendations to folks at MS all the way up to Iain McDonald (great guy) that all of the MS management tools should have a switch to output MONAD code so that someone could do something once in the GUI and get a MONAD script generated automatically that does the same thing. Then they can tweak that to do other things. It is the only way I visualize that MONAD will really take off like people seem to think it will, at least over and above perl and vbscript. In other words, I don't see anything there that will take someone who wasn't a scripter and wasn't thinking about being a scripter to become one.
You will have the same bunch of yahoos writing scripts but they will be doing it in MONAD instead of vbscript or VB. It is sort of like .NET in general, it certainly didn't produce a whoosh of a zillion new coders. Some of the folks that were already writing in other languages adopted it, some, older school, steadfastly avoided it. Personally I might consider .NET for a web site, other than that, not really. If it becomes ubiquitous and MS actually starts coding low level system and kernel stuff in it I might start looking at it. As it stands right now I feel the same way that many of my friends do one of which has renamed .NET to .FAT which I think is pretty funny. He even told me if I started writing my tools in it he would refuse to use them. I expect there are others. Maybe MS needs to rename it because I know when I hear .NET I think fat and lazy. I don't know why, I just do. I have seen enough posts in the newsgroups of issues and limitations and don't feel the benefits outweigh them. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe Sent: Wednesday, November 30, 2005 5:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Well, I just think that most of the people in the command line and/or scripting camp like to encourage others to learn to use them simply because they feel it's to your benefit. I don't think they really like to promote the you're not a real admin... sentiment. Or at least I hope not :-) Right now in my org, I'm in the minority using the CLI. I just prefer working that way and don't knock my colleagues for their methods, but rather show them other ways to get at the info they need. CLI and scripting fosters your knowledge of what's happening in the background, helps you learn the product and truly is a great way to automate tasks! (if not THE way) For the longest time I've been meaning to learn VBscript, but haven't devoted enough time to go for it yet. 
From what I've seen so far, it scares me :-P but I still intend to give it a shot. I've been getting by with Perl and CMD shell for now (I came from a KSH/*nix background). Have you seen some of the sample command shell scripts Dean has put together? Or the stuff that Alain Lissoir can do with WMI? Wow! Anyway, this topic has drifted further now, but I'm going to resist the urge to change the subject line. The last time I did that, we had a little side bit just on the fact that the subject line changed! :-D -DaveC -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're
RE: [ActiveDir] AD Schema Attribute
Title: RE: [ActiveDir] AD Schema Attribute I like that it's multi-valued. No need to limit someone to a single favorite, despite that being a bit contradictory :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Wednesday, November 30, 2005 9:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema Attribute
Check out Tomek's blog about this: http://blogs.dirteam.com/blogs/tomek :) C

From: [EMAIL PROTECTED] on behalf of Dean Wells Sent: Wed 11/30/2005 4:29 AM To: Send - AD mailing list Subject: RE: [ActiveDir] AD Schema Attribute
Note that it's multi-valued ... what can I say, we're British and there's [EMAIL PROTECTED] all else to do :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, November 28, 2005 11:48 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema Attribute
Now this is fun... The AD Schema contains the following attribute:
distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN
CN=drink
adminDescription=The drink (Favourite Drink) attribute type specifies the favorite drink of an object (or person).
isSingleValued=FALSE
;-) Cheers, Jorge PS.: I read about this here: http://blogs.dirteam.com/blogs/tomek/archive/2005/11/29/drink_attr.aspx
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT: Licensing compliance SBS
Title: OT: Licensing compliance SBS Folks, in an issue not related to my regular employer other than they recommended me... I've been asked to assist a small non-profit with their SBS 2003 so they can use calendaring in Exchange (currently Exchange is turned off there). I want to be able to assure them of their licensing compliance because the consultant who installed everything seems to have been less than above-board in that respect. Is there anything I can look at/document/verify within the SBS tools that will tell me that
1. The server license is valid
2. The client licenses (and how many) are valid
Also, since I don't have any experience with SBS other than a very old version, does a client purchase one CAL that applies to all products utilized on the SBS server, or are there individual CALS for server, Exchange, etc? Thanks folks, I just want to make sure I give these guys the best possible information. Best regards
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] OT: Licensing compliance SBS
Great info, Thanks Susan. I'll know more this weekend. Danny, thx for your reply as well. OK, back to real work for me... :-D

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 2:01 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Licensing compliance SBS
Oh dear... licensing... I'm getting a headache already
1. If a nfp he should have gone through Techsoup.org where he could have bought DIRT CHEAP licenses for a 501c3 org.
2. He should have a cdrom, paperwork, etc. to prove the licenses. We aren't on the honor system and if he bought a retail box, no open license/open value he has to keep the docs. If open value/license the agreement is up on the eopen.microsoft.com website. On the back of the cdrom 1 is the product key code. All of our SBS servers need/must go through WPA.
CALs. Again, unless open value/license, he needs to have this piece of paper with a product key code that is entered into the system and activated. The SBS cals are like core cals... they cover everything on that SBS box [this is why they are $99 a cal], they also cover a member server as well [we don't need to buy server cals for a member server used for TS purposes but we do need to buy TS cals or have leftover pre 4/23/2003 Win XP boxes]
Follow the wizards and is the Exchange 'turned off' or not installed? If not installed use the add/remove Small Business server and you do a maintenance install. Use the wizards, tweak afterwards is our motto. [and for the record the FSMO moving argument is moot in SBSland our PDC has to hold them all but a member server can be an additional domain controller]
The first 5 cals are either device or user; after that you buy whichever type. To ensure that you don't lose the cals. we're not on the honor system; they get counted and enforced via licensing logging that you cannot shut off. ensure that the A/V is not scanning the licenses.
c:\winnt\system32\licstr.cpa
c:\winnt\system32\lls
Exclude those. In the todo list there is a 'license console' that lists how many licenses you have and how many have been used. SBS's counting is a bit like the CPAs for Enron... it fudges a bit and thus has a bit of fluff in there. What you see is the max used not the currently used. The console will not tell you if the licenses in use after the first 5 are device or user. If they don't have the paperwork ping me back with the name of the consultant as I know some MS partner folks.

Creamer, Mark wrote: Folks, in an issue not related to my regular employer other than they recommended me...I've been asked to assist a small non-profit with their SBS 2003 so they can use calendaring in Exchange (currently Exchange is turned off there). I want to be able to assure them of their licensing compliance because the consultant who installed everything seems to have been less than above-board in that respect. Is there anything I can look at/document/verify within the SBS tools that will tell me that 1. The server license is valid 2. The client licenses (and how many) are valid Also, since I don't have any experience with SBS other than a very old version, does a client purchase one CAL that applies to all products utilized on the SBS server, or are there individual CALS for server, Exchange, etc? Thanks folks - I just want to make sure I give these guys the best possible information. Best regards This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected.
After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. -- Letting your vendors set your risk analysis these days? http://www.threatcode.com
RE: [ActiveDir] Query out all user members in nested groups
Robbie Allen's AD Cookbook covers this topic as well: http://rallenhome.com/books/adcookbook/src/07.03-view_nested_group_membership.vbs.txt

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet Sent: Friday, November 25, 2005 5:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Query out all user members in nested groups
I am trying to find a way to list all user accounts that are members of a given group, _including_ those in nested groups. I didn't find anything useful in my cache of historical LDAP emails, and it seems from the internet people are more interested in finding what groups a user has membership in - opposite to my perspective. Any advice if this is possible? thanks, Aaron
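The recursive walk Aaron asked about, as an added example that is not the cookbook's script: it runs over a constructed membership table (objectClass and member values as a directory dump would show them) instead of a live AD, dedupes users reachable by several paths, and terminates on circular nesting. It also builds the LDAP_MATCHING_RULE_IN_CHAIN filter that later domain controllers (Windows Server 2003 SP2 and up) evaluate server-side, which goes beyond what the 2005 thread discusses.

```python
# Added example (not the cookbook script): every user that is a member of a
# group directly or through nested groups, over a constructed membership table.

def nested_users(group_dn, directory):
    """Return (users, groups_walked) for group_dn. Iterative walk with a
    visited set, so circular nesting (which AD allows) terminates and a user
    reachable by several paths is reported once."""
    index = {dn.lower(): entry for dn, entry in directory.items()}  # DNs are case-insensitive
    users, walked, stack = set(), set(), [group_dn.lower()]
    while stack:
        key = stack.pop()
        if key in walked:
            continue
        walked.add(key)
        for member in index.get(key, {}).get("member", []):
            cls = index.get(member.lower(), {}).get("objectClass")
            if cls == "group":
                stack.append(member.lower())
            elif cls == "user":
                users.add(member)
            # computers, contacts and DNs missing from the dump are ignored
    return sorted(users), walked


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a DN containing parentheses, '*' or a backslash
    cannot change the meaning of the search filter it is embedded in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def transitive_member_filter(group_dn):
    """Server-side alternative: the LDAP_MATCHING_RULE_IN_CHAIN rule
    (OID 1.2.840.113556.1.4.1941, Windows Server 2003 SP2 and later) makes the
    DC walk the nesting, so one search returns all users at any depth."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:1.2.840.113556.1.4.1941:=%s))" % ldap_filter_escape(group_dn))


# Constructed sample directory (not real objects); the SID is a placeholder.
BASE = "DC=corp,DC=example"

def group_dn(cn):
    return f"CN={cn},OU=Groups,{BASE}"

def user_dn(cn):
    return f"CN={cn},OU=Users,{BASE}"

DIRECTORY = {
    group_dn("All Staff"): {"objectClass": "group",
                            "member": [group_dn("Sales"), group_dn("IT"), user_dn("Alice")]},
    group_dn("Sales"): {"objectClass": "group",
                        "member": [user_dn("Bob"), group_dn("Sales Leads")]},
    group_dn("Sales Leads"): {"objectClass": "group",
                              "member": [user_dn("Carol"),
                                         group_dn("All Staff"),   # circular nesting
                                         f"CN=S-1-5-21-0-0-0-1234,CN=ForeignSecurityPrincipals,{BASE}"]},
    group_dn("IT"): {"objectClass": "group",
                     "member": [user_dn("Bob"), user_dn("Dave"), f"CN=SRV01,OU=Servers,{BASE}"]},
    user_dn("Alice"): {"objectClass": "user"},
    user_dn("Bob"): {"objectClass": "user"},
    user_dn("Carol"): {"objectClass": "user"},
    user_dn("Dave"): {"objectClass": "user"},
    f"CN=SRV01,OU=Servers,{BASE}": {"objectClass": "computer"},
}

if __name__ == "__main__":
    users, walked = nested_users(group_dn("All Staff"), DIRECTORY)
    print("\n".join(users))
    print(transitive_member_filter(group_dn("R&D (EMEA)")))
```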
RE: [ActiveDir] Active Directory 3rd Book
Who wants to hear Joe do a Cornet solo at DEC???!!! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, November 18, 2005 9:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book You will probably find me, if you can find me there, in the penny slots or on one of those darn Wheel of Fortune slot machines. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, November 16, 2005 6:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book I am hoping to bring a copy with me to Henderson, NV in March 2006 (DEC2006). Hopefully, the author will be there to sign it! Mike Thommes From: [EMAIL PROTECTED] on behalf of Medeiros, Jose Sent: Wed 11/16/2005 5:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book Hey Joe, If I buy it. Will you autograph it? I already asked Robbie to present at our user group and do a book signing. Would you be interested as well? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Wednesday, November 16, 2005 3:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book Not available yet, it is Active Directory Third Edition. From O'Reilly publishing. As soon as Amazon has it available I will have a link to it from my website - http://www.joeware.net and announce it in my blog http://blog.joeware.net. If you don't like purposely enflaming blog entries I recommend pointing the RSS feed at the tech specific links though you still won't avoid them, just the non-technical ones. 
:o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell Sent: Tuesday, November 15, 2005 11:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book I'm sorry for coming into this late - can you give me the exact name of the book so I can look for it?? Thanks Russ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, November 05, 2005 10:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory 3rd Book Interesting, O'Reilly doesn't even have it listed yet. I just heard from the O'Reilly that it is finally out of copy-edit. On the co-author piece. Alistaire wrote the initial edition, Robbie did the 2nd Edition update, I did the 3rd Edition update. You may want to ask the reviewers (they almost all read and response heavily on this list) but I am quite sure there is sufficient updates to warrant someone who has the 2nd Edition to get the 3rd Edition. There should be a chapter that will be floating around for the book that you can look at, I requested that it be Chapter 11 which is the security chapter as I spent considerable time reworking it. If someone is familiar with an older edition they will almost certainly note the changes. I go into great detail on the evil that is SBS and why it shouldn't be used. Or did I??? Hmmm the SBS folks will just have to buy it to find out. ;o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi Sent: Tuesday, November 01, 2005 11:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory 3rd Book The Active Directory 3rd Book with Joe as co-author seems will be released somewhere in February 2006 based on http://www.bookpool.com/sm/0596101732 . 
(Bookpool is having discounted O'reilly book sale this month, and accept pre-order, though I do not have any relation with bookpool other than being as a customer who is looking to buy a couple books and noticed this book)
[ActiveDir] IP addresses on Name Server tab
Title: IP addresses on Name Server tab I have one server that has two NICs (there are others configured the same way). On this particular server, I have a persistent problem. The IP addresses for both NICs keep showing back up on the name server tab for the zone that this server manages. On the other server in the same domain, this doesn't happen. I only have the one NIC which I want DNS to respond to and not the other. I realize this probably isn't worded very well, but here's basically what it looks like: On the name server tab, all of my DNS servers are listed like so:
Server1 [10.1.x.x]
Server2 [10.1.x.x]
ProblemServer [10.1.x.x 10.2.x.x]
I thought what controlled this was the checkbox in DNS settings that says Register this Connection's addresses in DNS. But that box is not checked. I only want the one address to be listed for this server on the name server tab. How do I get the second address to stop showing up? Thanks!
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Export Users in a group
See the AD scripts at www.rallenhome.com

From: [EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: Monday, November 14, 2005 10:27 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Export Users in a group

Hi all AD Gurus, I was wondering if anyone had a script to export users in a group in AD?
Mark
[ActiveDir] dumping DL permissions
One of our Exchange account admins wants to know if there is a tool that would dump a list of the name of each distribution list in the GAL along with who has the ability to add or remove members on each one. Would I approach this with a script or is there a tool I should point him towards?
Thanks,
Mark
RE: [ActiveDir] dumping DL permissions
Thanks Joe, Brian. Time to take the feet down off the desk again.
MC

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Yep, adfind will dump the ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc option. Note it will be in SDDL format, which is probably one of the easier formats for scripting but worse for reading.

From: [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do the trick. I'd just query for groups with mail=* since you can have mail-enabled security groups. The ACLs: I think adfind decodes ACLs, but you'll still need to parse this information into something usable.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

One of our Exchange account admins wants to know if there is a tool that would dump a list of the name of each distribution list in the GAL along with who has the ability to add or remove members on each one. Would I approach this with a script or is there a tool I should point him towards?
Thanks,
Mark
RE: [ActiveDir] dumping DL permissions
GASP! Joeware.net is suddenly blocked by SurfCONTROL. Not kidding, unfortunately. Sigh. Must be that opening pic. :-/ Oh well, thank God for my super top secret testing DSL connection so I can get to the usage documentation again. Now where the heck is that surf admin...

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Thanks Joe, Brian. Time to take the feet down off the desk again.
MC

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Yep, adfind will dump the ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc option. Note it will be in SDDL format, which is probably one of the easier formats for scripting but worse for reading.

From: [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do the trick. I'd just query for groups with mail=* since you can have mail-enabled security groups. The ACLs: I think adfind decodes ACLs, but you'll still need to parse this information into something usable.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

One of our Exchange account admins wants to know if there is a tool that would dump a list of the name of each distribution list in the GAL along with who has the ability to add or remove members on each one. Would I approach this with a script or is there a tool I should point him towards?
Thanks,
Mark
RE: [ActiveDir] dumping DL permissions
It's a filtering program that we use attached to ISA Server. Basically it looks at each request and lets it through or redirects to our AUP internal web page. I was on joeware.net earlier this week, and it didn't block me. So I just went to www.surfcontrol.com (Test a Site link) to make sure it wasn't mis-categorized, because they will change it if found to be wrong. They have it as "Computing and Internet". Hmmm. So we're blocking that category now? I don't think so... I've asked our admin to take a look. Either way, we can override here locally.

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also. I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI.

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

GASP! Joeware.net is suddenly blocked by SurfCONTROL. Not kidding, unfortunately. Sigh. Must be that opening pic. :-/ Oh well, thank God for my super top secret testing DSL connection so I can get to the usage documentation again. Now where the heck is that surf admin...

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Thanks Joe, Brian. Time to take the feet down off the desk again.
MC

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Yep, adfind will dump the ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc option. Note it will be in SDDL format, which is probably one of the easier formats for scripting but worse for reading.

From: [EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do the trick. I'd just query for groups with mail=* since you can have mail-enabled security groups. The ACLs: I think adfind decodes ACLs, but you'll still need to parse this information into something usable.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

One of our Exchange account admins wants to know if there is a tool that would dump a list of the name of each distribution list in the GAL along with who has the ability to add or remove members on each one. Would I approach this with a script or is there a tool I should point him towards?
Thanks,
Mark
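Parsing the SDDL that adfind -sddc emits, to list who can change each DL's membership, as an added example that is not part of the thread and is neither adfind's nor joe's AD3E code. It assumes the descriptors were dumped to a text file of "dn:" / ">nTSecurityDescriptor:" lines (the sample below is constructed to approximate that layout) and relies on the well-known schema GUIDs of the member attribute and the Membership property set.

```python
"""Audit who can add or remove members on each DL, from an SDDL dump (added example)."""
import re

# Well-known schema GUIDs: the 'member' attribute and the 'Membership' property
# set that contains it. An object-type ACE scoped to either controls membership.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
MEMBERSHIP_SET_GUID = "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"

# Access-mask bits that allow writing the member attribute.
WRITE_PROP = 0x20            # ADS_RIGHT_DS_WRITE_PROP ("WP" in SDDL)
GENERIC_WRITE = 0x40000000   # "GW"
GENERIC_ALL = 0x10000000     # "GA"
RIGHT_CODES = {"WP": WRITE_PROP, "GW": GENERIC_WRITE, "GA": GENERIC_ALL}

# SDDL well-known trustee aliases, only used to make the report readable.
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "AO": "Account Operators",
               "BA": "Builtin Administrators", "AU": "Authenticated Users",
               "WD": "Everyone", "SY": "SYSTEM"}


def rights_mask(rights):
    """Turn the SDDL rights field (two-letter codes or a hex mask) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_CODES.get(rights[i:i + 2], 0)   # codes we do not care about map to 0
    return mask


def parse_dacl(sddl):
    """Yield (ace_type, access_mask, object_guid, trustee) for each ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)   # stops at the S: (SACL) part
    if not dacl:
        return
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        yield ace_type, rights_mask(rights), obj_guid.lower(), trustee


def touches_membership(mask, obj_guid):
    """True if the ACE's rights cover writing 'member', directly or via generic rights."""
    if not mask & (WRITE_PROP | GENERIC_WRITE | GENERIC_ALL):
        return False
    return obj_guid in ("", MEMBER_ATTR_GUID, MEMBERSHIP_SET_GUID)


def membership_editors(sddl):
    """Trustees allowed to change membership, minus those an explicit deny ACE blocks."""
    allowed, denied = set(), set()
    for ace_type, mask, obj_guid, trustee in parse_dacl(sddl):
        if not touches_membership(mask, obj_guid):
            continue
        if ace_type in ("A", "OA"):
            allowed.add(trustee)
        elif ace_type in ("D", "OD"):
            denied.add(trustee)
    return sorted(allowed - denied)


def parse_dump(text):
    """Map each DN to its SDDL string from 'dn:' / '>nTSecurityDescriptor:' lines."""
    groups, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif dn and line.lower().startswith(">ntsecuritydescriptor:"):
            groups[dn] = line.split(":", 1)[1].strip()
    return groups


def audit(text):
    """Return {dn: [trustee, ...]} for every DL in the dump."""
    return {dn: membership_editors(sddl) for dn, sddl in parse_dump(text).items()}


# Constructed sample. The second DL grants WP on the Membership property set to one
# SID but also denies WP on 'member' to the same SID, so the deny wins.
SAMPLE_DUMP = """\
dn:CN=All Staff,OU=Lists,DC=my,DC=domain,DC=com
>nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1105)(OA;;RP;bf9679c0-0de6-11d0-a285-00aa003049e2;;AU)S:AI(AU;SA;WP;;;WD)

dn:CN=Payroll,OU=Lists,DC=my,DC=domain,DC=com
>nTSecurityDescriptor: O:DAG:DAD:PAI(A;;GA;;;DA)(OA;;WP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-1111-2222-3333-2001)(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-2001)(A;;0x00020094;;;AU)
"""

if __name__ == "__main__":
    for dn, editors in audit(SAMPLE_DUMP).items():
        print(f"{dn}: {', '.join(SID_ALIASES.get(t, t) for t in editors)}")
```

Inherited ACEs are already expanded in the SDDL adfind returns, so the report reflects effective DACL entries; only the SID aliases and the two GUIDs need to be known up front.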
[ActiveDir] Pulling DHCP data
Has anyone in the group seen a tool or script to dump the information in DHCP to a file? My DHCP admins want to see what MAC addresses are assigned to what IP address. It's too large to do by hand because there are a couple of hundred scopes and tens of thousands of addresses. Thanks!
RE: [ActiveDir] Pulling DHCP data
Thanks guys. I'm sure one of these two tools will do it. Much appreciated as always.

From: [EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 10, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pulling DHCP data

DHCPCMD from the reskit should give you what you're looking for.
Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." - Douglas Adams

From: [EMAIL PROTECTED] On Behalf Of McLeod, Scotty
Sent: Thursday, November 10, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pulling DHCP data

Sorry, away from my main computer at the moment, but we have dumped DHCP data in the past using NETSH and, from memory, the dump command. Hope it helps.
Scotty

From: [EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 10 November 2005 14:52
To: activedir@mail.activedir.org
Subject: [ActiveDir] Pulling DHCP data

Has anyone in the group seen a tool or script to dump the information in DHCP to a file? My DHCP admins want to see what MAC addresses are assigned to what IP address. It's too large to do by hand because there are a couple of hundred scopes and tens of thousands of addresses. Thanks!
RE: [ActiveDir] Need ADSI Scripting help.
Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm
mc

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is: if I run the script against the machine list, which will be in a text file, it should give me the output in a text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using the FSO object, but I am not sure what I need to use to get the attributes of the computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.
--
Thanks,
Jitendra Kalyankar
RE: [ActiveDir] Need ADSI Scripting help.
Yes, but oldcmp does have significant levels of "are you sure" built in. Anyway, there is a nice Perl solution you might want to look at on Robbie Allen's site, at http://rallenhome.com/books/adcookbook/src/08.08-find_inactive_computers.pls.txt In the book, Robbie explains why one would use Perl for this task rather than VBScript. That's all I've seen... maybe there's something on Microsoft's Script Center.
mc

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not supposed to. And again I will have to go through the security department route to use it. Too much hassle. Hope that explains my situation.
Sincerely,
Jitendra Kalyankar

On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote:
Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm
mc

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is: if I run the script against the machine list, which will be in a text file, it should give me the output in a text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using the FSO object, but I am not sure what I need to use to get the attributes of the computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information about this.
--
Thanks,
Jitendra Kalyankar
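A file-driven version of what the original poster asked for, as an added example that is neither oldcmp nor Robbie Allen's script: it classifies each machine in a text list as enabled, disabled or not found by reading an ldifde export of the computer objects instead of querying AD live, so the people running it only ever read a file. The ldifde command line and the sample LDIF are assumptions constructed for this example.

```python
"""Classify machine accounts from a text list as enabled / disabled / not found (added example).

Assumed input: an ldifde export such as
  ldifde -f computers.ldf -r "(objectCategory=computer)" -l sAMAccountName,userAccountControl
"""
import base64

ACCOUNTDISABLE = 0x0002   # userAccountControl bit that disables the account


def parse_ldif(text):
    """Parse LDIF entries into dicts of attr -> [values], handling folded and base64 lines."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        elif raw == "":
            for line in lines:
                if line.startswith("#"):
                    continue
                attr, _sep, value = line.partition(":")
                if value.startswith(":"):         # 'attr:: <base64>'
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                current.setdefault(attr.strip().lower(), []).append(value.strip())
            if current:
                entries.append(current)
            current, lines = {}, []
        else:
            lines.append(raw)
    return entries


def load_computers(ldif_text):
    """Map lower-cased machine name (sAMAccountName without '$') to its userAccountControl."""
    computers = {}
    for entry in parse_ldif(ldif_text):
        if "computer" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        sam = entry.get("samaccountname", [None])[0]
        uac = entry.get("useraccountcontrol", ["0"])[0]
        if sam:
            computers[sam.rstrip("$").lower()] = int(uac)
    return computers


def classify(ldif_text, machine_list):
    """Return [(name, 'enabled' | 'disabled' | 'not found')] for each name in the list."""
    computers = load_computers(ldif_text)
    results = []
    for raw in machine_list.splitlines():
        name = raw.strip().rstrip("$")
        if not name:
            continue
        uac = computers.get(name.lower())
        if uac is None:
            status = "not found"
        elif uac & ACCOUNTDISABLE:
            status = "disabled"
        else:
            status = "enabled"
        results.append((name, status))
    return results


def write_report(results, path):
    """Write one 'name<TAB>status' line per machine to the output file the poster wanted."""
    with open(path, "w") as fh:
        for name, status in results:
            fh.write(f"{name}\t{status}\n")


# Constructed sample export: an enabled workstation, a disabled one, and a server whose
# name is base64-encoded and whose description is folded over two lines.
SAMPLE_LDIF = """\
dn: CN=WS001,OU=Workstations,DC=my,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: computer
sAMAccountName: WS001$
userAccountControl: 4096

dn: CN=WS002,OU=Workstations,DC=my,DC=domain,DC=com
changetype: add
objectClass: computer
sAMAccountName: WS002$
userAccountControl: 4098

dn: CN=SRV-FILE01,OU=Servers,DC=my,DC=domain,DC=com
changetype: add
objectClass: computer
sAMAccountName:: U1JWLUZJTEUwMSQ=
description: File server for the
  Mason office
userAccountControl: 532480
"""
SAMPLE_LIST = "ws001\nWS002$\nws003\nsrv-file01\n"   # constructed machine list

if __name__ == "__main__":
    for name, status in classify(SAMPLE_LIST and SAMPLE_LIST, SAMPLE_LIST) if False else classify(SAMPLE_LIDF if False else SAMPLE_LDIF, SAMPLE_LIST):
        print(f"{name}\t{status}")
```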
[ActiveDir] OT: TS Security Warning and GPO
We have a number of terminal servers running various apps, with an OU-level GPO managing their settings. A new Windows 2003 terminal server was recently added to the OU, and it is the only one running an older legacy app. When a user starts the application, it pops up a warning saying "The publisher could not be verified. Are you sure you want to run this software?" I haven't been able to figure out how to turn off this warning. Does anyone know how to set it, either on this server or in my GPO? Thanks!
Mark Creamer
RE: [ActiveDir] OT: Outsourcing OS Patching
Why wouldn't any decent consulting group do whatever you want them to do for their fee? Xerox, for example; IBM also. I know we have them both doing work for us on various platforms. We just agree on the services provided, and that's that. What do they mean, no competitors? Or maybe I'm misunderstanding. One thought though - I think I'd still want the control to say "do this patch, but not that service pack yet", etc. I would think you want to maintain control to make sure that your applications are tested before a SP is introduced, right?
mc

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Thursday, September 15, 2005 4:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Outsourcing OS Patching

Group, Odd question. I just got out of a meeting with a consulting group that wants us to outsource the patching of our servers that are not in our data center (we have a number of servers that are at our remote locations and our staff is struggling with our patching cycle on these for one reason or another). Does anyone know of an outsourcing group that will only do the MS patching on the servers and let the owners of the boxes do everything else? We are looking for a basis of comparison and this consultant said that they don't have any competitors in this field. Either people outsource all of their servers, all of the services, or they don't outsource at all. They don't know of anyone who only outsources the patching and monitoring of the boxes.
Thanks,
Charlie
[ActiveDir] Cisco ACS and GC configuration
I'd like to be able to point our Cisco ACS server to our global catalogs to authenticate users (LDAP config rather than Windows). Is anyone on the list using this configuration who could help me figure out what to enter into the various fields? One question in particular: it wants to know the users container and groups container. If I was using port 389 and a single domain, I would probably enter CN=Users there. But what is the container entry for users and groups when I'm pointing to a GC? I have several domains with users in the same forest, so a GC makes sense here (I think).
Thanks as always,
Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] OU permissions for user object
Hehe, where else can you get so much information *and* entertainment in one place!

From: [EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, September 07, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU permissions for user object

My personal and professional opinion? tick tick tick tick tick tick tick click bm

You have a time bomb. Could be fine for a long time, could blow up entirely in your face tomorrow leaving only scattered parts of hands and feet or things that appear to possibly be part of hands and feet but in actuality could be bits of spleen and liver. The only thing I can say for sure: you have no clue what you truly have in your directory and you have no control over the environment. I understand that you didn't do this. The person willing to open up and say they have an issue isn't *usually* the same person who came up with the idea or likes the idea; that person sits behind a desk covering up for the time the bomb goes off, never saying a word about it, if they realize at all that they have built a bomb (or they already left). Sort of like the little dog that pees on the carpet and looks around at everyone else seeming to say, "why did you pee on the carpet?".

If I were brought into the situation and was told my job was to provide a secure, stable, efficient environment, I would do the same thing I did for the very very very large widget factory I used to work for and point this out to management as insidiously evil and explain in great detail just how badly it could hurt and how, at that moment, you have no idea who has been reading what files on any machines or reading whose mail (assuming Exchange), or sending mail as other users, and that any SLAs you have are almost certainly impossible to guarantee because you have no/none/nada control over the environment.

I would then say, if this is fine, I would appreciate a get out of jail free card right now indicating you understand what I have said and that when something goes down later due to this, I can pull that card out and say, look, you said that you want it this way. If the manager truly understands what you are saying, it is doubtful they will want things to stay the same. Basically, you need management backing because people are not going to be happy as you back out rights.

For the next step, I would yank every person's (that wasn't of the chosen 3 or 4 people) domain admin and server operator and any other excessive permissions they had to DCs. We would then be working our butts off handling all of the work being done by everyone else that supposedly needed domain admin. This prevents the environment from changing unbeknownst to you[1] and it teaches you what is being done. It is a lot of extra work, but it helps you learn what is being done and maybe some of the whys so you can come up with the proper solutions. File and print can be done properly on DCs; I think it is a horrendous idea and a great way to cause issues and reduce overall FP availability, but it can be done. I would sooner throw file and print on a little BSD box than put it on DCs, but there are times when you can't avoid it. But you need to understand how it is being managed because the DAs own the DCs.

So now that you are handling all of that work, you spend a little time each day working up the proper solution, which involves either getting that crap onto other machines or coming up with an effective way to manage it. You obviously have the alternative of coming up with a solution first, but there is a good chance you will miss something if you don't fully understand why people need it. But maybe this is how you have to do it; at that point, forget about the domain, focus on that solution. No use trying to make the domain better since someone else can just tork it back up. Don't start making the domain better until you have control of it, otherwise it will take you forever to get anything done.

Any time there was something that I felt was wrong and was too much power to give out on DCs or in AD, instead of simply saying no, if the function was truly critical (versus one person's idea of critical) I always offered an alternative, even if the alternative was "take on extra work until I can find a better way". Take, for instance, the EMC Celerra POS boxes. They required domain admin to properly add them to the domain; I fought like cats and dogs to make it so they weren't added to production until that part (and many other things) was corrected. I and the others fighting it were overruled. Instead of giving out domain admin rights, my manager said fine, if someone wants one added, they come to me and I add them. No one else. "But that's a bottleneck" or "what if you aren't here?" response... tough, these shouldn't be going into the production environment anyway because they are half-ass. In general, it was far more important to me
RE: [ActiveDir] Where to begin...
Are you running AD on Windows 2000 or 2003? Windows DNS or BIND?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Atkins
Sent: Wednesday, September 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where to begin...

Good Morning. I'm brand new to the list and am seeking assistance out of desperation/frustration. I think that I should preface my story with the statement that I am not an experienced Microsoft admin, but am partially filling a void in our organization. Most of my experience is Unix/Linux, but my Microsoft experience has been trial by fire...

OK, here's the deal: Over the past few weeks I have been seeing some strange behavior with our PDC. After applying MS security updates 3 weeks ago, I have had some interesting issues related to authentication and DNS. It started with our Sophos (AV) Console not being able to 'push' software out to new workstations due to invalid credentials, even though we were using a domain admin account. After some research, I thought that I had nailed it down to Hotfix KB899587, which was a security patch for Kerberos. I removed the hotfix, but after several days put it back as it appeared to make things worse. As of late I have had issues with NT workstations suddenly not being able to authenticate or just not being able to see other workstations' shares. I thought (again) that I had narrowed it down to DNS, but, even though I was able to fix a few minor issues with PTR records, the problem still exists.

Here are a few examples of what I am seeing:

Scenario #1: NT Workstation
Original issue was that the user could not log on using her domain account. I removed, then rejoined the workstation to the domain (several times). Domain authentication now works, but when browsing the network shares, that workstation cannot 'see' the PDC's shares (access denied), but I can see all of the other shares, including the BDC's. I verified the share permissions were OK. Also, when joining it to the domain, I had to create the computer in AD prior to joining. It would not allow me to create the object using the check box at the bottom.

Scenario #2: XP workstation
This morning, following the change of the PTR records that were in error, a user complained that she could no longer log onto her workstation using her domain account. The errors that I see are NET LOGON 5790 unable to locate a suitable domain controller. This one just happened, but there have been multiple issues across the network.

I would greatly appreciate some insight. I'm not sure what I can provide to assist...

Thanks,
--
Brian

An adventure is never an adventure when it's happening. Challenging experiences need time to ferment, and an adventure is simply physical and emotional discomfort recollected in tranquility. -- Tim Cahill

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Biggest AD Gripes
I too am a Sungard refugee - twice this year already. The doc they hand you to rebuild your systems is pretty much like the one referenced below. We have found it less than reliable (especially when using Compaq/HP backups and restoring to Dell or vice-versa). The last few times we went, we junked the Sungard technique and used Veritas' system state restore, which has been *far* more successful. Still, the idea of doing a DR test with mostly VMWare disk images would really put a smile on this OLD guy's face :-) Hopefully by next year we'll have at least some of those to do.

-Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

And, knowing fully that I'm replying to myself - I don't, nor have I ever used SunGuard, so I have no idea what 'card' they hand a client. I'd assume that it's something along the lines of the procedures lined out in: http://support.microsoft.com/default.aspx?scid=kb;en-us;249694 which is still fraught with difficulty and a lower than reasonable success rate for most of the people and customers that I've talked with. I'm just indicating that there *IS* some difficulty involved - instructions neatly laid out or not.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for 3.5 hours this AM...). Isn't the registry backed up as part of the System State? And, doesn't the registry pretty much make something 'hardware dependent' to some great degree, just by its very nature? I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependent, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. Run through the process for one site once manually, recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil < yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with "AOL Me too!/AOL", I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.)

- Laura

-Original Message-
From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 02, 2005 6:30 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. MS states that in the DFS-R overview document, page 16. See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2&DisplayLang=en

QUOTE: "DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. FRS and DFS Replication can co-exist on the same member server or domain controller."

A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!

Cheers
#JORGE#
RE: [ActiveDir] Biggest AD Gripes
I dislike that it is painful (if not impossible) for a non-developer (administrator) to extend the GUI interface for ADUC to include other and/or custom attributes. I dislike that there aren't better tools created and maintained by Microsoft for capacity planning. (HELLO... When will MS update the AD Sizer??!!)

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes about things that use AD like GPOs[1] or Exchange or NFS or anything else like that. I mean actual AD really missed the boat because of this, that or the other thing. Like:

o I dislike that when you defunct an attribute it doesn't purge the information in the directory for that attribute.
o The fact that AD Security policy is managed through a technology dependent on AD and replicates both within AD and the other technology.
o I dislike that there is no true schema delete.
o I dislike the fact that I can't specify which branches of the tree replicate where.
o I dislike the fact that GUIDs are represented in multiple ways in the directory.
o I dislike the implementation of property sets, especially since they could be so incredibly awesomely cool. Specifically I dislike that an attribute can only be in a single property set.
o I dislike creator/owner on SDs.
o I dislike the lack of configurable business rules.
o I dislike the fact that I can't run multiple domains on a single domain controller.

Etc etc. I have more but let's see what others say. Everyone pipe up. Let's pretend that MS will actually see this; let's further pretend MS AD Developers will see this. What would you tell them if you were sitting in the room with them?

joe

[1] I do not consider GPOs to be part of AD. They are a technology that leverages AD.
RE: [ActiveDir] Replicating AD
I use LDIFDE to export all the objects, save that to a CD, and then import it into the lab domain. Another option would be to add a new DC to your domain, allow it to replicate, take it offline, and manually clean up the removed DC from AD. I don't particularly like that option; others could say better than I whether that's a good suggestion or not.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to set up a test AD that's identical to the production AD with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does anyone know of such a tool?

Antonio
[ActiveDir] _gc and _ldap SRV records
A question about DNS SRV records for my DCs and Global Catalog servers... should every AD-integrated DNS server in my entire forest have _gc and _ldap records for every GC and DC in the forest? It looks like the records listed vary from one domain to another in my DNS, and I wonder if they should all have the same records regardless of the forest domain the DNS server is in.

Thanks,
Mark
[ActiveDir] problem with NameTranslate
Our developers are seeing an extremely slow output from the following example script. It takes about 30 seconds to translate a WinNT name to an LDAP distinguished name. Can anyone tell me what to look for to troubleshoot this process? It used to be very quick, and in fact still is on some systems within the same subnet as where I'm testing from.

Thanks

**Script

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Specify the NetBIOS name of the domain and the NT name of the user.
strNTName = "MyDomain\MyUser"

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
Set objTrans = CreateObject("NameTranslate")

' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""

' Use the Set method to specify the NT format of the object name.
objTrans.Set ADS_NAME_TYPE_NT4, strNTName

' Use the Get method to retrieve the RFC 1779 Distinguished Name.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)
MsgBox(objUser.distinguishedName)
MsgBox(objUser.Name)

***End of Script

Mark Creamer
Systems Engineer
Cintas Corporation
[ActiveDir] Determining active user accounts
We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Determining active user accounts
Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. Great tool, Joe. Thanks

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from:

CALs required = [Total user objects] - [user objects flagged by oldcmp]

? [Insert standard "Call your reseller for definitive licensing advice" disclaimer here.]

- Laura

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Determining active user accounts

We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?

Mark Creamer
Systems Engineer
Cintas Corporation
[ActiveDir] safest disk configuration
What are the admins of some of the larger directories using for disk configuration on their DCs? Mirrored OS and RAID 5 for the NTDS drive(s)? Logs separate?

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
[ActiveDir] Using AD Sizer
I'm trying to run through the Microsoft-provided free Active Directory Sizer tool to approximate what new hardware should look like so we can replace some older DCs. I haven't used this thing before, and a couple of things are unclear to me:

1. It asks "How many additional attributes will you have per user?" Are they talking about schema changes we may have made for user accounts?
2. It asks for "Avg logon rate per second" in Interactive, Batch, and Network logons. How can I approximate something like that?

Alternatively, has anyone seen a better tool to get this information? We are still Windows 2000 AD, no 2003 DCs yet.

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.
I remembered seeing this tip on annoyances.org. Maybe it would help? http://www.annoyances.org/exec/show/article05-100

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 08, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.

Hi:

We use a group policy to redirect My Documents to a network share. Is it possible to prevent the redirection of subfolders from My Documents such as My Music, My Videos, My Virtual Machines, My Pain in the Ass? If so, how?

Thanks.

-- nme
[ActiveDir] whenCreated and createTimeStamp
In the Schema documentation on MSDN, it looks like whenCreated and createTimeStamp are used for the same thing, but whenCreated is in the Global Catalog. If I want to report on the date each account was created in the entire forest, am I safe to use the whenCreated attribute so I can use the GC as my source? Are the values ever different for any reason?

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Seeking AD monitoring software recommendations
Gil must be OOTO today :-)

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Sunday, June 05, 2005 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seeking AD monitoring software recommendations

What is the biggest difference between MOM 2005 and Netpro?

- Original Message -
From: Mark Parris [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 05, 2005 5:00 PM
Subject: Re: [ActiveDir] Seeking AD monitoring software recommendations

MOM 2005, and do you think you have enough DC's? ;-)

Mark

-Original Message-
From: Mark [EMAIL PROTECTED]
Date: Sun, 5 Jun 2005 16:46:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seeking AD monitoring software recommendations

I work for a large enterprise company running w2k3 in 2003 mode with the expectation the main user domain will hold 150K users. Currently has about 80 DCs. We finally have funding to buy some AD specific monitoring tools. I am looking for an application(s) that will tell us when AD is not functioning as it should in a simple screen and email us. Would like to be able to benchmark systems. Will tell us when someone changed a piece of the infrastructure (Auditing). Would like to have the install done in about a week and be proficient in about a month. I need a system I do not have to spend a lot of time with, and will tell me when something is wrong/changed. Anyone have any good suggestions?

Thanks, you guys are great!

M. Lunsford
RE: [ActiveDir] User account and home directory management
There are many create-user scripts that you should be able to alter to suit your needs. I would try Windows Script Center (just google that, and you'll see it). Also, Robbie Allen's site at www.rallenhome.com, and Clarence Washington's script site at http://cwashington.netreach.net

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list. Forgive me if this subject has been covered, as I am new to the list.

I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, and permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,
Dan Stanford.

The contents of this email and any attachments do not necessarily represent the views or policies of Ibstock Place School, its employees or pupils. They are intended for the confidential use by the named recipient only and may be legally privileged and should not be communicated to, or relied upon by, any other party without our written consent. Although this message is believed to be virus free, Ibstock Place School does not accept liability for any damage, loss or cost caused by software viruses. If received in error, please advise the sender immediately and delete all record of it from your system.
RE: [ActiveDir] deleting specific values from multi-val attribute
Thanks Sakari (& Dèjì). That's how I set it up and it worked fine. I appreciate the pointers, as always.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Friday, May 27, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deleting specific values from multi-val attribute

Hi Mark,

You would use a line such as the following:

Const ADS_PROPERTY_DELETE = 4
Call objUser.PutEx(ADS_PROPERTY_DELETE, "otherHomePhone", _
    Array("111-", "444-"))

This would delete the two numbers specified ("111-" and "444-").

Yours,
Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, May 26, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] deleting specific values from multi-val attribute

We have a multi-valued custom attribute that is used with one of our applications. Some of the values stored there for some users are obsolete and I've been asked to clean them up. So I'm looking for a method to look at each user object, enumerate the values in this specific attribute, and delete the value that matches what I'm looking for, while leaving the other values of the attribute alone. Any advice on this? I have some scripts I can alter - I just need to understand the enumeration of the attribute values.

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
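Both the CAL estimate Laura sketches in the "Determining active user accounts" thread above (total user objects minus the ones oldcmp would flag) and the targeted PutEx delete Sakari shows here can be done offline against an LDIFDE export, which is also how Mark moves objects into his lab domain. The following is an added Python example, not code from either thread, from Sakari or from any tool the posts mention. It assumes the users were exported with ldifde -l otherHomePhone,lastLogonTimestamp,userAccountControl, that lastLogonTimestamp exists (Windows Server 2003 domain functional level), and it constructs its own sample records. It unfolds continuation lines and decodes base64 values the way ldifde writes them, converts the FILETIME in lastLogonTimestamp, counts accounts that are enabled and recently used, and emits an LDIF change file that ldifde -i applies to remove only the obsolete values of a multi-valued attribute.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ldifde writes (made-up DNs, numbers and
# timestamps). Bob is disabled (userAccountControl bit 0x2), Carol has never
# logged on, one value is folded onto a continuation line, and Carol's DN is
# base64-encoded ("dn::") because it contains a non-ASCII character.
CAROL_DN = "CN=Carol Éle,OU=Users,DC=my,DC=domain,DC=com"
CAROL_DN_B64 = base64.b64encode(CAROL_DN.encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Users,DC=my,DC=domain,DC=com
changetype: add
otherHomePhone: 111-5550100
otherHomePhone: 444-5550100
otherHomePhone: 555-0199
lastLogonTimestamp: 132400000000000000
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=my,DC=domain,DC=com
changetype: add
otherHomePhone: 111-55
 50100
lastLogonTimestamp: 128000000000000000
userAccountControl: 514

dn:: {CAROL_DN_B64}
changetype: add
userAccountControl: 512
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercased: [values]})], unfolding continuation
    lines (leading space) and decoding base64 values ("attr:: ...")."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, dn, attrs = [], None, {}
    for line in logical + [""]:          # sentinel flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def active_users(records, now, stale_days=90):
    """Laura's estimate: users minus those an oldcmp-style check would flag
    (disabled, never logged on, or last logon older than stale_days).
    lastLogonTimestamp replicates lazily (up to about 14 days behind the
    real logon), so the count is an approximation."""
    cutoff = now - timedelta(days=stale_days)
    active = []
    for dn, attrs in records:
        uac = int(attrs.get("useraccountcontrol", ["0"])[0])
        stamp = attrs.get("lastlogontimestamp")
        if uac & 0x2 or not stamp:
            continue
        if filetime_to_datetime(stamp[0]) >= cutoff:
            active.append(dn)
    return active


def ldif_line(name, value):
    """RFC 2849 value encoding: base64 when the value is not safe ASCII."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_delete_ldif(records, attribute, obsolete_values):
    """Emit 'changetype: modify' / 'delete: <attr>' records that remove only
    the listed values; the attribute's other values stay, the same effect as
    PutEx with ADS_PROPERTY_DELETE. The result is input for ldifde -i."""
    wanted = {v.lower() for v in obsolete_values}
    out = []
    for dn, attrs in records:
        hits = [v for v in attrs.get(attribute.lower(), []) if v.lower() in wanted]
        if not hits:
            continue
        out += [ldif_line("dn", dn), "changetype: modify", f"delete: {attribute}"]
        out += [ldif_line(attribute, v) for v in hits]
        out += ["-", ""]
    return "\n".join(out)
```

Against a real export you would call parse_ldif on the file contents, inspect the output of build_delete_ldif before importing it (ldifde -i applies every change record it finds), and widen stale_days to cover the replication lag of lastLogonTimestamp so that recent logons are not undercounted.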
[ActiveDir] deleting specific values from multi-val attribute
We have a multi-valued custom attribute that is used with one of our applications. Some of the values stored there for some users are obsolete and I've been asked to clean them up. So I'm looking for a method to look at each user object, enumerate the values in this specific attribute, and delete the value that matches what I'm looking for, while leaving the other values of the attribute alone. Any advice on this? I have some scripts I can alter - I just need to understand the enumeration of the attribute values. Thanks Mark Creamer Systems Engineer Cintas Corporation
[ActiveDir] Enterprise Certificate Authority
In a recovery test, I discovered today that our enterprise root certificate server was not one of the AD servers that was restored. However, there is another AD server with cert services running that is not the enterprise root CA. Now my users cannot use LDAP over SSL. So my question is, can I install cert services on one of the other domain controllers and make it the enterprise root CA? Understand that this is a test environment only, so I'm not messing up production if whatever you suggest is destructive to the CA that is online in the test environment. But I need to enable LDAP over SSL somehow. Thanks
[ActiveDir] FW: SUGGESTION: LDAP Browser v.2.6 (build 650)
This is the response from the Softerra folks, regarding the paging functionality in case anyone is interested. Thanks mc
From: Kirill Kovalenko [mailto:[EMAIL PROTECTED]
Sent: Friday, May 13, 2005 2:12 AM
To: Creamer, Mark
Subject: RE: SUGGESTION: LDAP Browser v.2.6 (build 650)
Dear Mr. Creamer, LDAP Browser 2.X does not support paging. LDAP Administrator 3.X supports both Simple Paging and VLV. You can order [1] a trial version of the LDAP Administrator at our web site [2]. Please read documentation [3] for details. [1] http://ldapadministrator.com/download/tryIt.php [2] http://ldapadministrator.com/ [3] http://ldapadministrator.com/resources/english/help/la31/index.php (Browsing Directory - Managing Large Numbers of Entries) Sincerely yours, Kirill Kovalenko Product Manager Softerra LLC http://www.softerra.com http://www.ldapadministrator.com
RE: [ActiveDir] Softerra's LDAP Browser
Thanks for an excellent discussion guys. As usual, I learned something more than I bargained for. Tom, I understood the implications of changing MaxPageSize, and that's not an option for us because our directory is too big as well as for the reasons some of the others pointed out. But I just sent a suggestion to Softerra about adding paging as an enhancement, or to point out how to do it if the capability already exists. If they respond, I'll share the info. In the mean time, I remembered reading about a nice Excel add-in (Marco's Excel Management Macro, or MEMM) that does many of the same things LDAP browser would do, and it will allow paging the result set. If anyone is interested, I found it here: http://bink.nu/Article3399.bink Thanks again for the help and advice mc
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 10, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser
I thought by default the max # of records that can be retrieved from a query is 1000. I think you can run ntdsutil to change this or better yet, if running against win2k, you can use paging. You set it with ldp.exe and an ldap control (I forget the number). Also with win2k3 you can use VLV.
-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Softerra's LDAP Browser
I've been playing around a little with Softerra's LDAP Browser (the freeware version), and I can't seem to be able to get it to return more than the standard 1000 records in the result set. The FAQ says to set the entry count limit to zero, but I still only get 1000. Has anyone else used this tool and figured out how to return all records? I'd love to use this thing as an ad hoc query tool. Mark Creamer Systems Engineer Cintas Corporation
RE: [ActiveDir] Softerra's LDAP Browser
I agree. But LDAP browser is also freeware. Just another option mc
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser
I've never used the Softerra browser, so I may be missing something, but what exactly does it do that you can't get with ldp.exe for free? The nice thing about ldp is that it has support for ALL of the MS proprietary SASL bind mechanisms and nice support for all of the special controls such as paging, VLV, ASQ, deleted items, etc. that AD supports. The newer versions also have really nice support for mapping many AD datatypes to friendly strings, which saves you a lot of time. Granted, it isn't super-pretty, but it gets the job done. Once you change the default font, it is prettier. Joe K.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 11, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser
Thanks for an excellent discussion guys. As usual, I learned something more than I bargained for. Tom, I understood the implications of changing MaxPageSize, and that's not an option for us because our directory is too big as well as for the reasons some of the others pointed out. But I just sent a suggestion to Softerra about adding paging as an enhancement, or to point out how to do it if the capability already exists. If they respond, I'll share the info. In the mean time, I remembered reading about a nice Excel add-in (Marco's Excel Management Macro, or MEMM) that does many of the same things LDAP browser would do, and it will allow paging the result set. If anyone is interested, I found it here: http://bink.nu/Article3399.bink Thanks again for the help and advice mc
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
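What Tom and Joe are pointing at, as an added example that is not part of the thread: the 1000-entry ceiling is the DC's MaxPageSize, and the right fix is to ask for paged results (LDAP control 1.2.840.113556.1.4.319) rather than to raise the limit. DirectorySearcher sends that control whenever PageSize is greater than zero and fetches every page for you. The base DN, filter and attribute list are placeholders.

```powershell
# Added example (not from the thread): read past the 1000-entry MaxPageSize cap with the
# LDAP simple paged results control instead of changing MaxPageSize in ntdsutil.
# Assumptions: the base DN, filter and attribute names below are placeholders.
function Get-AdObjectsPaged {
    param(
        [string]$SearchBase   = 'LDAP://DC=my,DC=domain,DC=com',             # assumed base
        [string]$Filter       = '(&(objectCategory=person)(objectClass=user))',
        [string[]]$Properties = @('sAMAccountName', 'displayName'),
        [int]$PageSize        = 500                                           # <= MaxPageSize
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SearchBase
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'

    # PageSize > 0 attaches the paged-results control to the search and makes FindAll()
    # keep requesting pages until the DC returns an empty cookie. With PageSize left at
    # 0 the DC truncates the answer at MaxPageSize (1000 by default) and the rest is lost.
    $searcher.PageSize = $PageSize
    foreach ($p in $Properties) { $null = $searcher.PropertiesToLoad.Add($p) }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $row = [ordered]@{ Path = $r.Path }
            foreach ($p in $Properties) {
                # multi-valued attributes come back as a collection; join for display
                $row[$p] = @($r.Properties[$p]) -join ';'
            }
            [pscustomobject]$row
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds an unmanaged handle
    }
}

# Usage: count every user, which an unpaged search would stop at 1000.
# (Get-AdObjectsPaged | Measure-Object).Count
# Get-AdObjectsPaged | Export-Csv C:\temp\users.csv -NoTypeInformation
```

Paging is the cheap option because the DC still does the work one page at a time; raising MaxPageSize in ntdsutil would let every client on the forest pull that many entries in one round trip, which is the load and exposure concern the others in the thread raised. DirectorySearcher also exposes a VirtualListView property for the VLV control Tom mentions, which needs a sort order and a Windows 2003 or later DC.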
[ActiveDir] client time zones
Am I correct that NTP serves only UTC time settings and that time zone information is all client-side? In other words, a 2000 or above client would receive a time setting from Win32Time in an AD domain, but that would in no way affect the PC's time zone, correct? Thanks! Mark Creamer Systems Engineer Cintas Corporation
RE: [ActiveDir] client time zones
Cool. Thx Joe mc
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 11, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] client time zones
Correct.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 11, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] client time zones
Am I correct that NTP serves only UTC time settings and that time zone information is all client-side? In other words, a 2000 or above client would receive a time setting from Win32Time in an AD domain, but that would in no way affect the PC's time zone, correct? Thanks! Mark Creamer Systems Engineer Cintas Corporation
[ActiveDir] Softerra's LDAP Browser
I've been playing around a little with Softerra's LDAP Browser (the freeware version), and I can't seem to be able to get it to return more than the standard 1000 records in the result set. The FAQ says to set the entry count limit to zero, but I still only get 1000. Has anyone else used this tool and figured out how to return all records? I'd love to use this thing as an ad hoc query tool. Mark Creamer Systems Engineer Cintas Corporation
RE: [ActiveDir] ADFind syntax
Charlie, there's a -nodn switch mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Friday, May 06, 2005 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind syntax
Hey Joe; I have a question for you (or anyone else who knows!) about ADFind. Let's say I'm searching for, for example, a list of users (samaccountname) in an OU. I run the query, and it comes back with the DN and the attribute value. Is there a way to make it not display the DN? I sometimes need to make lists that will export quickly to a doc for non-admins to read, and the DN throws them off. :-) I can export to a spreadsheet and trim it, but I thought perhaps there's a native way to do it... I figured out how to do this in dsquery: dsquery user ou=employees,dc=domain,dc=com -scope onelevel -limit 1000 | dsget user -display Can something like that be done with ADFind? Thanks... ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
[ActiveDir] OT: End Process permission
Anyone know how I can grant a non-admin the permission to end a running process? I'm not finding anything in Group Policy unless I'm overlooking it. Thanks! Mark
RE: [ActiveDir] Script
Check out ScriptLogic if you're looking for a fast solution. But like ASB's tag line says, FAST, CHEAP, SECURE, pick any Two. By the way, a lot of what ScriptLogic does is built into KiXtart, so if you're interested in investing the time in the scripts, you can achieve mostly the same thing
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, April 28, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script
Anyone have a good script for updating Critical Updates? I can create a batch file that executes all the updates when a user logs in, but I want it to run only once and not every time someone logs in. I have Shavlik Pro, but the damn thing is slow and a resource hog. Thank you, Z.V
RE: [ActiveDir] Importing AD into a test lab ...
Philip, below is a doc I wrote to set up or refresh our lab (using the LDIFDE method), with the names changed to protect the guilty. A couple of batch scripts are included that you can modify. Hope it helps.
***
1. Ldifde is loaded by default on servers but not workstations. If running this command on a workstation, you must first copy the ldifde.exe file from the WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long, batch files have been created. The contents of these files are listed in the appendix.
3. The batch files reference specifically the my.domain.com domain, export server SERVER1 (production) and import server SERVER99 (lab). If any of these components change or if the goal is to export/import a different domain, the appropriate changes will have to be made to the batch files.
4. Including many attributes creates a very large export file. Verify that enough disk space is available before beginning (about 70 MB currently).
5. Other command options are available, see KB237677 at this link: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is performed, passwords for each user are blank.
7. Administrator is not included in the export, to avoid overwriting the existing Administrator.
Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator.
2. Batch files are located on \\SERVER1\C$\SCRIPTS.
3. Run the batch file export_OUs.bat (see appendix for command). Note: folder c:\temp must already exist. File created will be exportOU.ldf.
4. Run the batch file export_users.bat (see appendix for command). Note: File created will be exportUser.ldf.
5. Save the two ldf files to a CD since the production and test environments are not networked together.
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the same CD: a. Import_ous.bat b. Import_users.bat
Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller SERVER99.
2. Remove the read-only attribute from the files.
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are missing in the test lab that are present in the production environment, they will be created. Others are ignored.
4. From the command prompt, launch c:\temp\import_users.bat. If any users are missing in the test lab that are present in the production environment, they will be created with their associated attributes. Accounts are created disabled, and the password set to null. This is because LDIFDE does not support exporting/importing passwords.
5. When the batch files have completed, verify that no errors were reported, and check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp.
Appendix: Script Contents
Export_OUs.bat
    rem filter is quoted so cmd.exe does not interpret characters inside the LDAP filter
    ldifde -f c:\temp\exportOu.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(objectClass=organizationalUnit)" -l cn,objectclass,ou
Export_Users.bat
    rem the leading & makes this an AND filter; it must be quoted or cmd.exe treats it as a command separator
    ldifde -f c:\temp\exportusers.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePWD,pwdLastSet,displayName,distinguishedName
Import_OUs.bat
    ldifde -i -k -f c:\temp\exportou.ldf -s server99
Import_Users.bat
    ldifde -i -k -f c:\temp\exportusers.ldf -s server99
*
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ...
Hello, I have a question concerning getting my existing AD into a test lab. I saw some help in the archives but I'd like a fresh look on the topic. I am considering 2 options, that I know of: 1. Use LDIFDE to export and import the Schema, OUs, Users and GPs into the test lab. I built a box with W2003 Standard and DCPROMO'd it up with a different machine name but the same Domain name. This avenue sounded pretty good but I keep getting failure errors when I try to import the ldf files saying that "An attempt was made to add an object to the directory with a name that is already in use" or "Directory Object not found". My other choice was 2. http://support.microsoft.com/default.aspx?scid=kb;en-us;263532 But since this is a test lab, my library is not available and neither is my backup server. Plus, it's a DC and I don't want to introduce it to my existing domain. I guess I could DCPROMO it back out and then bring it into the existing domain as a standalone and then do a
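A step between Mark's Section 1 and Section 2, added here as an example that is not part of the thread or of Mark's document: the lab import creates accounts whose password is blank, so the one thing that must not go wrong is an account arriving enabled. This filter rewrites the exported LDF before import so that every user record carries the ACCOUNTDISABLE bit in userAccountControl and so that password-related attributes are dropped even if a future export lists them. The file paths are placeholders; the list of attributes to drop is a starting point, not an exhaustive one.

```powershell
# Added example (not from the thread): sanitise an ldifde user export for a lab import.
# Every user record is forced to disabled, and password-related attributes are removed.
# Assumptions: input/output paths are placeholders; the drop list is a starting point.

function Edit-LdfRecord {
    # Rewrite one LDIF record (dn line plus attribute lines).
    param([string[]]$Record, [string[]]$Drop, [int]$DisableBit)
    $isUser = [bool]($Record | Where-Object { $_ -match '^objectClass:\s*user\s*$' })
    $sawUac = $false
    $kept = @(foreach ($line in $Record) {
        # "name: value" or "name:: base64value"
        if ($line -match '^([A-Za-z][A-Za-z0-9-]*)::?\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            if ($Drop -contains $name) { continue }          # -contains is case-insensitive
            if ($isUser -and $name -eq 'userAccountControl') {
                $sawUac = $true
                # keep the other flags, set ACCOUNTDISABLE so a blank-password account cannot log on
                "userAccountControl: $(([int]$value) -bor $DisableBit)"
                continue
            }
        }
        $line
    })
    # a user record with no userAccountControl at all still gets an explicit disabled value
    if ($isUser -and -not $sawUac) { $kept += "userAccountControl: $(512 -bor $DisableBit)" }
    return $kept
}

function ConvertTo-LabUserLdf {
    param(
        [Parameter(Mandatory)][string]$InFile,     # e.g. c:\temp\exportusers.ldf (assumed)
        [Parameter(Mandatory)][string]$OutFile,    # e.g. c:\temp\exportusers-lab.ldf (assumed)
        # unicodePwd/pwdLastSet: never let a password artefact into the lab;
        # distinguishedName: redundant with the dn: line of each record
        [string[]]$DropAttributes = @('unicodePwd', 'pwdLastSet', 'distinguishedName')
    )
    $ACCOUNTDISABLE = 2   # userAccountControl bit

    # ldifde folds long values onto continuation lines that begin with one space: unfold first
    $logical = New-Object System.Collections.Generic.List[string]
    foreach ($raw in (Get-Content -LiteralPath $InFile)) {
        if ($raw.StartsWith(' ') -and $logical.Count -gt 0) {
            $logical[$logical.Count - 1] += $raw.Substring(1)
        } else {
            $logical.Add($raw)
        }
    }

    # records are separated by blank lines
    $out    = New-Object System.Collections.Generic.List[string]
    $record = New-Object System.Collections.Generic.List[string]
    foreach ($line in $logical) {
        if ($line.Trim().Length -eq 0) {
            if ($record.Count -gt 0) {
                $out.AddRange([string[]](Edit-LdfRecord $record.ToArray() $DropAttributes $ACCOUNTDISABLE))
                $out.Add('')
                $record.Clear()
            }
        } else {
            $record.Add($line)
        }
    }
    if ($record.Count -gt 0) {
        $out.AddRange([string[]](Edit-LdfRecord $record.ToArray() $DropAttributes $ACCOUNTDISABLE))
        $out.Add('')
    }

    # The batch files call ldifde without -u, so the file is not Unicode; ldifde base64-encodes
    # non-ASCII values itself ("name:: ..."), so writing ASCII round-trips cleanly.
    Set-Content -LiteralPath $OutFile -Value $out.ToArray() -Encoding ASCII
    return $out.Count
}

# Usage, on the lab DC after copying the export from the CD:
# ConvertTo-LabUserLdf -InFile C:\Temp\exportusers.ldf -OutFile C:\Temp\exportusers-lab.ldf
# ldifde -i -k -f C:\Temp\exportusers-lab.ldf -s server99
```

Run it against the file before the import_users.bat step and point the batch file at the rewritten file. After the import, a one-line check that nothing slipped through is a search for enabled users with no password set since import, for example with ldp.exe or a DirectorySearcher filter of (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet=0)).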
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Guido, thanks for your help on this! Best regards
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
ah - that changes the picture. option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs. for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server. /Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the island-problem (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3. I would also recommend to setup the _msdcs subzone of the root as a forest wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries). /Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest
I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers. My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable. Different ideas I've tried: 1. Each DC has itself as a primary DNS, and a forest root DC as secondary 2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary 3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice! Mark
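Guido's Win2K rule for the DC's own resolver order, as an added example that is not part of the thread: a child DC lists itself first and a partner DC of the same domain second; a root DC never lists itself first (that is the Win2K root-domain island problem), so it gets another root DC first, a third root DC if one exists, and itself last. The function computes the order from a DC's role and its domain's DNS-hosting peers; the addresses, the adapter alias and the use of Set-DnsClientServerAddress (Windows Server 2012 or later) are assumptions, since the original Win2K boxes would have been configured through the adapter's TCP/IP properties.

```powershell
# Added example (not from the thread): derive a DC's DNS client order per Guido's rule and
# apply it. Assumptions: addresses and the adapter alias are placeholders;
# Set-DnsClientServerAddress needs Windows Server 2012 or later.
function Get-DcDnsServerOrder {
    param(
        [Parameter(Mandatory)][string]$Self,            # this DC's own DNS address
        [Parameter(Mandatory)][string[]]$DomainPeers,   # DNS-hosting DCs of the SAME domain
        [Parameter(Mandatory)][ValidateSet('Root', 'Child')][string]$Role
    )
    $peers = @($DomainPeers | Where-Object { $_ -ne $Self })
    if ($peers.Count -eq 0) {
        throw "a DC needs at least one other DNS-hosting DC in its domain for a second entry"
    }
    if ($Role -eq 'Child') {
        # child DC: itself first, then another DC of the same domain
        return @($Self) + @($peers | Select-Object -First 1)
    }
    # root DC: a different root DC first, a second root DC if there is one, itself last,
    # so a root DC never depends only on its own not-yet-replicated zone at startup
    return @($peers | Select-Object -First 2) + @($Self)
}

function Set-DcDnsServerOrder {
    # Applies the computed order to one adapter; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,   # e.g. 'Ethernet' (assumed)
        [Parameter(Mandatory)][string]$Self,
        [Parameter(Mandatory)][string[]]$DomainPeers,
        [Parameter(Mandatory)][ValidateSet('Root', 'Child')][string]$Role
    )
    $order = Get-DcDnsServerOrder -Self $Self -DomainPeers $DomainPeers -Role $Role
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "set DNS servers to $($order -join ', ')")) {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $order
    }
    return $order
}

# Usage (placeholder addresses):
# Get-DcDnsServerOrder -Self '10.1.0.11' -DomainPeers @('10.1.0.11','10.1.0.12','10.1.9.13') -Role Child
#   -> 10.1.0.11, 10.1.0.12
# Get-DcDnsServerOrder -Self '10.0.0.1'  -DomainPeers @('10.0.0.1','10.0.0.2','10.0.0.3') -Role Root
#   -> 10.0.0.2, 10.0.0.3, 10.0.0.1
# Set-DcDnsServerOrder -InterfaceAlias Ethernet -Self '10.1.0.11' -DomainPeers @('10.1.0.11','10.1.0.12') -Role Child -WhatIf
```

The resolver order only covers half of Guido's advice: the child DCs still need a secondary copy of the root's _msdcs subzone (or of the whole root zone) so that GC and DC-GUID lookups keep working when no root DC is reachable to answer forwarded queries, and that is a zone setting on the child DNS servers, not a client setting.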
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs? In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa? Thanks again!
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
ah - that changes the picture. option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs. for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server. /Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the island-problem (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3. I would also recommend to setup the _msdcs subzone of the root as a forest wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries). /Guido
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest
I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers. My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable. Different ideas I've tried: 1. Each DC has itself as a primary DNS, and a forest root DC as secondary 2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary 3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice! Mark
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Excellent explanation. Thanks again!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on computers in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2. If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain, saving another hop to get those names resolved).

/Guido
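A worked check of the DNS-client ordering Guido recommends in this thread (child DCs point at themselves plus a partner DC of their own domain and hold a local secondary of the root's _msdcs zone; root DCs on Win2K point at a different root DC first and at themselves last). This is an added PowerShell example, not a script from the thread or from either author. The DC names, IP addresses and zone lists are constructed sample data, and Test-DcDnsClientConfig is a name chosen here; it works on a hashtable description of each DC so it runs offline. On a current Windows Server the same ordered list can be read with Get-DnsClientServerAddress.

```powershell
# Added example: check a DC's DNS client server order against the
# recommendations given in this thread. DC names, IPs and zones are constructed.

function Test-DcDnsClientConfig {
    param(
        # @{ Name; Domain; IsRootDomain; DnsServers = ordered IPs; HostedZones = zones held locally }
        [Parameter(Mandatory)] [hashtable]$Dc,
        # every DC in the forest as @{ Name; Domain; Ip }
        [Parameter(Mandatory)] [hashtable[]]$AllDcs,
        [Parameter(Mandatory)] [string]$RootDomain
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $byIp = @{}
    foreach ($d in $AllDcs) { $byIp[$d.Ip] = $d }
    $self = $AllDcs | Where-Object { $_.Name -eq $Dc.Name }
    if (-not $self) { throw "$($Dc.Name) is not in the DC list" }

    if ($Dc.DnsServers.Count -lt 2) {
        $findings.Add('Fewer than two DNS servers; one outage breaks this DC''s name resolution.')
    }
    $primary = $Dc.DnsServers[0]
    $pOwner  = $byIp[$primary]
    if (-not $pOwner) { $findings.Add("Primary DNS $primary is not a DC/DNS server of this forest.") }

    if ($Dc.IsRootDomain) {
        # Win2K root domain: a root DC that resolves through itself first can island.
        if ($primary -eq $self.Ip) {
            $findings.Add('Root DC points to itself first; use a different root DC as primary (islanding risk).')
        } elseif ($pOwner -and $pOwner.Domain -ne $RootDomain) {
            $findings.Add("Root DC's primary DNS $primary belongs to $($pOwner.Domain), not the root domain.")
        }
        # itself is acceptable only as the last entry
        $selfIndex = [array]::IndexOf($Dc.DnsServers, $self.Ip)
        if ($selfIndex -ge 0 -and $selfIndex -lt ($Dc.DnsServers.Count - 1)) {
            $findings.Add('Root DC lists itself before other root DCs; move itself to the end.')
        }
    } else {
        # Child DC, "option 3": itself plus a partner DC of the same domain, no root DC.
        foreach ($ip in $Dc.DnsServers) {
            $o = $byIp[$ip]
            if ($o -and $o.Domain -ne $Dc.Domain) {
                $findings.Add("Child DC lists $ip ($($o.Domain)); point only at DCs of $($Dc.Domain).")
            }
        }
        $partners = @($Dc.DnsServers | Where-Object { $byIp[$_] -and $byIp[$_].Domain -eq $Dc.Domain -and $_ -ne $self.Ip })
        if ($partners.Count -eq 0) {
            $findings.Add('Child DC has no partner DC of its own domain in its DNS list.')
        }
        # With no root DC in the list, GC and DC-GUID lookups need a local copy of _msdcs.<root> (or of the root zone).
        $msdcs = "_msdcs.$RootDomain"
        if (($Dc.HostedZones -notcontains $msdcs) -and ($Dc.HostedZones -notcontains $RootDomain)) {
            $findings.Add("No local copy of $msdcs or $RootDomain; add a secondary of one of them.")
        }
    }
    return ,$findings.ToArray()
}

# Constructed forest: empty root domain.com with two root DCs, child sub1.domain.com with two DCs.
$rootDomain = 'domain.com'
$allDcs = @(
    @{ Name = 'ROOTDC1'; Domain = 'domain.com';      Ip = '10.0.0.1' },
    @{ Name = 'ROOTDC2'; Domain = 'domain.com';      Ip = '10.0.0.2' },
    @{ Name = 'SUB1DC1'; Domain = 'sub1.domain.com'; Ip = '10.0.1.1' },
    @{ Name = 'SUB1DC2'; Domain = 'sub1.domain.com'; Ip = '10.0.1.2' }
)
$cases = @(
    # Mark's option 1 applied to a root DC: itself first, so it is flagged
    @{ Name = 'ROOTDC1'; Domain = 'domain.com'; IsRootDomain = $true;
       DnsServers = @('10.0.0.1', '10.0.0.2'); HostedZones = @('domain.com', '_msdcs.domain.com') },
    # Option 3 on a child DC that also holds a secondary of _msdcs.domain.com: passes
    @{ Name = 'SUB1DC1'; Domain = 'sub1.domain.com'; IsRootDomain = $false;
       DnsServers = @('10.0.1.1', '10.0.1.2'); HostedZones = @('sub1.domain.com', '_msdcs.domain.com') }
)
foreach ($dc in $cases) {
    $f = Test-DcDnsClientConfig -Dc $dc -AllDcs $allDcs -RootDomain $rootDomain
    $summary = if ($f.Count -eq 0) { 'OK' } else { $f -join ' | ' }
    '{0}: {1}' -f $dc.Name, $summary
}
```

The first case reports two findings (itself as primary, itself not last) and the second reports OK. The check deliberately treats a root DC listing itself anywhere but last as a finding, which is slightly stricter than Guido's "if you have three" wording; relax that line if the forest has only two root DCs.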
[ActiveDir] Recommended DNS settings in 3 domain forest
I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:

1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?
RE: [ActiveDir] startup scripts not running
It adds a group to the RDP permissions so our off-hours operators have TS access into the servers. It's in the startup script because we wanted to make sure that if that ever got changed manually by someone, a reboot would cure it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

What exactly is the EXE doing? Not all system services are available when the startup script runs. For instance, try to shutdown a server from a startup script. If you ever really need to do that, let me know, I have an exe that will do it. Dean told me about issues doing it and I got interested enough to look at it and it pissed me right off so I fixed it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript. If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as: Ws.exec(myexecutable.exe) Does that make sense?

Thanks again,
Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if you do that? What you can do depends on the outcome of that test.

Deji
RE: [ActiveDir] startup scripts not running
Good point Joe, I don't know. I'm basing the "not working" assumption on the end result not being there, namely that the group has not been added to the RDP permissions. However when I run it manually after logging in, the group is added. Next I tried adding a Do Until loop in the script, looking for the executable to return a 0. That never happens. The startup script runs forever :) So based on that, and what you said, I guess I need to ask the programmer (this app is home-grown) what error is thrown if it doesn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Ok, do you know for a fact that the exe isn't running or is it simply not outputting an error if it fails? The reboot issue I mentioned before appeared to be that shutdown wasn't being run, it was running, it was hitting a device not ready error and wasn't outputting it. Once I wrote a tool that definitely output errors when it ran into them, it was crystal clear that something was preventing shutdown from working when running in a startup script. It goes back to a type of error handling some programs use. Some will encounter an error and dump out with any errors it doesn't know how to handle. Some will dump out only with errors it knows how to handle.
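Joe's point above is that the exe may be running and failing without saying so, and Mark's loop that waits for a 0 return then never ends. The wrapper below is an added PowerShell example, not Mark's VBScript and not Joe's tool: it runs the executable with a timeout, records the exit code and stderr, and writes an event-log entry when the run fails, so a silent failure at boot is visible afterwards instead of being inferred from a missing end result. The executable path, log path and the 'StartupScript' event source are placeholders, and Invoke-StartupExe is a name chosen here. The same shape applies to a VBScript using WshShell.Exec: wait on the Status property with a deadline, then read ExitCode and StdErr rather than looping on them.

```powershell
# Added example: run an executable from a startup script so that a failure
# becomes visible (exit code, stderr, timeout) instead of silently doing nothing.
# Paths, the log file and the 'StartupScript' event source are placeholders.

function Invoke-StartupExe {
    param(
        [Parameter(Mandatory)] [string]$Path,   # full path to the .exe
        [string[]]$Arguments = @(),
        [int]$TimeoutSeconds = 120,             # never let the boot sequence hang on this
        [string]$LogFile = "$env:SystemRoot\Temp\startup-exe.log"
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $Path
    $psi.Arguments              = ($Arguments -join ' ')
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.CreateNoWindow         = $true

    $result = [ordered]@{ Started = (Get-Date); ExitCode = $null; TimedOut = $false; StdErr = '' }
    try {
        $p = [System.Diagnostics.Process]::Start($psi)
        # Drain both pipes asynchronously so a chatty child cannot block on a full buffer.
        $outTask = $p.StandardOutput.ReadToEndAsync()
        $errTask = $p.StandardError.ReadToEndAsync()
        if (-not $p.WaitForExit($TimeoutSeconds * 1000)) {
            $result.TimedOut = $true
            $p.Kill()
        }
        $p.WaitForExit()                 # lets the redirected streams finish
        $result.ExitCode = $p.ExitCode
        $result.StdErr   = $errTask.Result.Trim()
        $null = $outTask.Result
    } catch {
        # e.g. file not found or access denied while running as SYSTEM at boot
        $result.ExitCode = -1
        $result.StdErr   = $_.Exception.Message
    }

    $ok   = (-not $result.TimedOut) -and ($result.ExitCode -eq 0)
    $line = '{0} {1} exit={2} timedOut={3} stderr={4}' -f $result.Started.ToString('s'), $Path, $result.ExitCode, $result.TimedOut, $result.StdErr
    Add-Content -Path $LogFile -Value $line
    if (-not $ok) {
        # Event-log entry so the failure shows up in monitoring, not only in a file;
        # the source must be registered once (New-EventLog -LogName Application -Source StartupScript).
        try { Write-EventLog -LogName Application -Source 'StartupScript' -EventId 1001 -EntryType Error -Message $line -ErrorAction Stop } catch { }
    }
    return $ok
}

# Usage in the GPO startup script, with the exe in the same folder as the script:
$exe = Join-Path $PSScriptRoot 'myexecutable.exe'
if (-not (Invoke-StartupExe -Path $exe)) { exit 1 }
```

The timeout is what keeps the boot from stalling the way Mark's Do Until loop did; the exit code and stderr are what tell you whether the program ran and failed (Joe's shutdown case) or never ran at all.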
[ActiveDir] startup scripts not running
I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem. I'm having trouble figuring out why the script won't launch on its own. The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?

Thanks,
Mark
RE: [ActiveDir] startup scripts not running
It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript. If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as: Ws.exec(myexecutable.exe) Does that make sense?

Thanks again,
Mark
RE: [ActiveDir] LDAP and related Exchange question
What if you married Yamila Diaz-Rahi...would the dash cause additional issues?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Assign a new unique name and link it to the old name and the old name is still never reused except in the case that the person's name changes back which has happened. Say if I got married to Eliza Dushku, my new ID would be something like jdushku3 or something. Let's say after a few years I marry Denise Richards... Then I go back to jricha34. However jdushku3 would always still only reference me. Their biggest issue is that they are currently limited to 3-8 characters. At some point they will have to expand that range.

I think it depends on what systems it has to go onto, what the flexibility is of those systems, and what you want to be the master of the whole thing. If you can make AD the master source and the other directories/stores/etc can accept a guid then it would work. Otherwise, you are correct, you need to come up with some other unique mechanism. Basically look at the least flexible piece that has to stay long term and build from there.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

How did they handle people changing their names? I see the ID, but does that ID make sense when the user changes their name from Joe to 'They' or something along those lines? That goes back to the idea of coming up with a unique identifier that expands the horizon beyond the AD forest(s) and into the rest of the realm. I maintain that at some point in just about every country and every company, there is a unique identifier that ensures that person gets their proper compensation. Not that it couldn't be messed up, but you'd know quickly if your paycheck were lower than expected or paid to you in Yuan vs. Rubles if that's what you expected. This needs to stretch beyond AD from what I can tell. Is that an incorrect assumption Marcus?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree, I think objectGUID would be fine though it is a pain to deal with since it is binary. Another thing to consider is to stop the random wanton creation of samaccountnames. When someone gets hired, they get assigned from one source their ID for use within the company. That ID is used everywhere and forever identifies that person and is never reused anywhere else in that company. Some other company gets merged in, everyone gets new SAM IDs from the same source. One company I worked for I am the only and will always be the only jricha34 to ever be there. If I somehow for some reason go work on that network again I will get spun up a jricha34 ID for use. This is a company with hundreds of thousands of users and huge turnover every year and they still maintain all of those unique identifiers even if the actual NT or mainframe IDs are deleted so I know it is feasible for smaller companies. There was another single source for UIDs if you needed them and if you lost and got access to UNIX again, it would be with the same UID.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, March 04, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Why wouldn't objectGuid be appropriate? AD generates the objectGuid attribute using UuidCreate() (or some variation) that is guaranteed with reasonable certainty to generate values that are unique across all machines, not just DCs in the forest. If you need a globally unique, immutable identifier, the objectGuid attribute should do the trick.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

GUID is likely NOT an option in a multiple forest scenario or multiple identity stores. But the concept can be applied to the sphere of identity stores you have responsibility for. It's just that the system won't do it for you out of the box. So one thought that comes to mind is to inject a Cox-specific GUID into each identity store from the authoritative source(s) and then use that to find what you need programmatically. That's a bigger undertaking than you may be able to go after, but it ultimately solves the issues that are so troublesome. Somewhere, you have
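Joe notes that objectGUID is a pain to deal with because it is binary. Three small helpers for that, as an added PowerShell example that is not from the thread: one converts the raw 16 bytes an LDAP search returns into a System.Guid, one builds the \xx-escaped LDAP filter needed to search by objectGUID, and one returns the <GUID=...> bind path AD accepts so an object can be found again after renames and moves. The sample bytes are constructed and belong to no real object; the function names are chosen here.

```powershell
# Added example: working with objectGUID, which comes back from LDAP as 16 raw bytes.
# The sample bytes are constructed and do not belong to any real object.

function ConvertTo-ObjectGuid {
    param([Parameter(Mandatory)] [byte[]]$Bytes)
    if ($Bytes.Length -ne 16) { throw "objectGUID must be 16 bytes, got $($Bytes.Length)" }
    # System.Guid's byte[] constructor expects exactly the mixed-endian layout AD stores,
    # so no byte swapping is needed here.
    return New-Object System.Guid -ArgumentList (,$Bytes)
}

function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory)] [guid]$Guid)
    # An LDAP filter (RFC 4515) carries binary values as \xx escapes, one per byte,
    # in the same order the directory stores them.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(objectGUID=$escaped)"
}

function Get-GuidBindPath {
    param([Parameter(Mandatory)] [guid]$Guid)
    # AD also accepts the GUID directly in a bind string; this survives renames and moves.
    return "LDAP://<GUID=$($Guid.ToString())>"
}

# Constructed sample: the raw value as returned by an LDAP search
$sampleBytes = [byte[]](0x78, 0x56, 0x34, 0x12, 0xbc, 0x9a, 0xf0, 0xde,
                        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef)
$guid = ConvertTo-ObjectGuid -Bytes $sampleBytes
$guid.ToString()
ConvertTo-LdapGuidFilter -Guid $guid
Get-GuidBindPath -Guid $guid
# Round trip: the Guid's bytes must reproduce the original value
($guid.ToByteArray() -join ',') -eq ($sampleBytes -join ',')
```

The first four bytes, then two, then two are little-endian and the last eight are in order, so the constructed sample decodes to 12345678-9abc-def0-0123-456789abcdef, while the filter keeps the stored byte order: (objectGUID=\78\56\34\12\bc\9a\f0\de\01\23\45\67\89\ab\cd\ef). Mixing the two forms up is the usual source of "object not found" when searching by GUID.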
RE: [ActiveDir] The missing fields
And scream "YOU'RE FIRED!" in unison at the first buffer overflow??? I wanna go to that bar!

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 01, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

I would watch that. Call it something like "the making of the mail system" and it shows the Exchange Dev guys working on the product and learning along the way. For exciting commercial scenes they could show someone typing a poor AD query or putting in an unchecked buffer copy. You could have big parties in bars where the geeks could look on and say things like, "can you believe they wrote that routine that way!?!?!"

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, March 01, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

I guess watching programmers code would be no more boring than any of the other reality shows... how about "Fear Factoring", or "the Amazing Race Condition"?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, March 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Programming as taught by Catholic nuns! Father Djykstra and Sister Grace (Murray Hopper)! What a great concept. It would be a sitcom. Or even better a reality show (that way you don't have to pay those expensive script writers).

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Tuesday, March 01, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Was that before or after they smacked your knuckles with a wooden ruler? ;) If more places would teach coding like that, there'd be a lot more, better code going around.

Dave

//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 01, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Robbie also says you should cut me a government check for $3.2 billion and I should email you a copy of adfind and admod. You can list them as a hammer and a screwdriver or a WoMD detector or something. If I had that kind of money to play with can you imagine the joeware that would be available? OMG! I would have to hire more coders. I would treat it like school, or at least the school I went through. If you write something bad you sit in a classroom with everyone watching the screen and the teacher says, "and this is an example of what Mr. Richards thinks is good code" as he puts 5000 characters into a buffer that according to the specs needed to be 256 characters and it slowly self-destructs the machine... "Mr. Richards, when I say in the spec the buffer should be 256 bytes, that doesn't mean make the buffer 256 bytes and leave it at that. I expect you to actually make sure no one puts more than 256 bytes in it!"

Actually, I wish more college professors had taught that way. We also had fun times around integer overflows and other fun and interesting coding flaws like why M and m really aren't the same even though we don't pronounce them differently, etc.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 01, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

"Buy-guy" is Robbie Allen's label for me. No, no kickback (although they are a Maryland company), just think it is a really effective tool for bulk administration. I tend to be scripting / LDIF challenged early in the AM, and late at night (who am I kidding, I am just scripting challenged). I have been able to automate so much work these past two weeks using this tool, so I offer it as a possible solution.

Toddler

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

A buy guy?? I would be happy to sell you a copy of adfind and admod if that is the only thing holding you back. How much you want to spend on them? In the meanwhile, you getting a kickback from Javelina? That has got to be the 4th post or so in a week where you have dropped that name. :)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 01, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

For a cost conscious
RE: [ActiveDir] Some thoughts on securing sensitive accounts....
We built a fairly simple "break the glass" application that adds a person to the necessary group, logs the action, emails the security team, etc. Only members of a certain group can be elevated that way. Then all we do is log off, back on, and do the work. The membership expires in a couple of hours automatically.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

How about a generic ent. admin account? One with an obscure name and 10 foot password? Only selected support/admin people have the password? Just thinking out loud here. ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: 25 February 2005 15:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

What do you do when you have an AD support group that needs access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;)

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment).

So I'm assuming that you have more than 1 Enterprise Admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one ent. admin in your forest and all other admins should be domain admins in their own respective domain? Or did you use "enterprise admin" as a generic term?

Thanks,
Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts

Hi folks,

I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had carte blanche to secure sensitive accounts in an enterprise directory? First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employees knew the PINs. Any other thoughts?

Thanks!
Francis Ouellet

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.
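An added example, not code from the list or from Cintas, sketching the break-the-glass flow mc describes: gate on an eligible group, add a time-bound membership, write an audit record and mail the security team. It assumes the ActiveDirectory module on Windows Server 2016 or later with the Privileged Access Management optional feature enabled (needed for -MemberTimeToLive); the group names, mail addresses and event ID are placeholders.

```powershell
# Added example (not the thread's code): minimal break-the-glass elevation.
# Assumes the ActiveDirectory module and a forest with the Privileged Access
# Management optional feature enabled, which is what makes -MemberTimeToLive
# work. Group names, addresses and the event ID below are placeholders.
param(
    [Parameter(Mandatory)] [string] $Requester,   # sAMAccountName to elevate
    [Parameter(Mandatory)] [string] $Ticket,      # change or incident reference
    [int] $Hours = 2                              # how long the membership lives
)
Import-Module ActiveDirectory

$eligibleGroup   = 'BTG-Eligible'       # placeholder: who may be elevated
$privilegedGroup = 'Tier0-Operators'    # placeholder: the group they join
$eventSource     = 'BreakTheGlass'

# Gate: refuse anyone who is not a member of the eligible group.
$isEligible = Get-ADGroupMember -Identity $eligibleGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $Requester }
if (-not $isEligible) {
    throw "$Requester is not a member of $eligibleGroup; elevation refused."
}

# Time-bound membership: the DC drops the link when the TTL expires, so the
# cleanup does not rely on a scheduled task that might fail to run.
$ttl = New-TimeSpan -Hours $Hours
Add-ADGroupMember -Identity $privilegedGroup -Members $Requester -MemberTimeToLive $ttl

# Audit trail: an Application log entry plus a mail to the security team.
$expires = (Get-Date).Add($ttl).ToString('u')
$msg = "Break-the-glass: $Requester added to $privilegedGroup until $expires " +
       "for ticket $Ticket, requested by $env:USERDOMAIN\$env:USERNAME"
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName Application -Source $eventSource
}
Write-EventLog -LogName Application -Source $eventSource -EventId 4000 `
    -EntryType Warning -Message $msg
Send-MailMessage -To 'secops@example.com' -From 'btg@example.com' `
    -Subject 'Break-the-glass elevation' -Body $msg -SmtpServer 'smtp.example.com'

# As mc notes, the requester still has to log off and back on: the new group
# SID only shows up in a token built after the change.
Write-Output $msg
```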
[ActiveDir] delegating group management
Hi guys, I'm fairly sure I can do this. But thanks to recent security changes, I can no longer just fire up the delegation of authority wizard to make sure... can I grant the ability to manage membership of groups to a given group of user admins, without giving them the ability to change other attributes of the users themselves? I'm thinking the best way to do this is to place all the groups in an OU, and run the wizard to apply just the necessary permissions on those groups in the OU.

Mark Creamer
Systems Engineer
Cintas Corporation
The Service Professionals
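An added example, not from the thread, of the delegation Mark describes done without the wizard: one ACE on the groups OU that grants WriteProperty on the member attribute, inherited by group objects only, followed by a read-back of what was granted. It assumes the ActiveDirectory module (which provides the AD: drive); the OU path and the delegate group name are placeholders.

```powershell
# Added example (not the thread's code): delegate group-membership management
# on one OU without touching user attributes. Assumes the ActiveDirectory
# module; OU=Groups,DC=my,DC=domain,DC=com and GroupAdmins are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Groups,DC=my,DC=domain,DC=com'
$delegate = Get-ADGroup -Identity 'GroupAdmins'
$sid      = [System.Security.Principal.SecurityIdentifier] $delegate.SID

# Resolve schemaIDGUIDs at run time rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string] $ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapName)" `
                        -Properties schemaIDGUID
    [guid] $obj.schemaIDGUID
}
$memberAttr = Get-SchemaGuid 'member'
$groupClass = Get-SchemaGuid 'group'

# WriteProperty on the single attribute "member", applied to descendant
# objects of class group only. Users elsewhere are untouched because the ACE
# is scoped both to this OU and to the group class.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what the delegate actually holds on the OU. Expect a single
# WriteProperty entry whose ObjectType is the member GUID and whose
# InheritedObjectType is the group class GUID. Keep in mind that controlling
# the membership of a group is equivalent to holding that group's rights, so
# this OU should only contain groups the delegates are allowed to control.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($delegate.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```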
RE: [ActiveDir] Logon Scripts
This would give you the results for everyone in the Users container, SAM ID and login script, with a | in between. Run from cscript or you'll get to click OK on each user! :-)

    ' Enumerate the Users container and print "sAMAccountName | login script" per user
    Dim OU, UserObj
    Set OU = GetObject("LDAP://CN=Users,DC=my,DC=domain,DC=COM")
    For Each UserObj In OU
        ' The container also holds groups and computers; LoginScript only exists on users
        If LCase(UserObj.Class) = "user" Then
            WScript.Echo UserObj.sAMAccountName & " | " & UserObj.LoginScript
        End If
    Next
    WScript.Quit

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Saliba
Sent: Tuesday, February 22, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon Scripts

Is there any way to tell, without clicking into each user's properties, which logon script they use?
RE: [ActiveDir] script to convert userID to first and lastname of users
I'm assuming by "convert" you mean "associate"? (i.e. given a user ID, show me the Full Name?) You could use adfind (www.joeware.net):

    adfind -b dc=mydomain,dc=com -gc -f objectCategory=person sAMAccountName Name

That returns something like:

    dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
    name: Robert Smith
    sAMAccountName: SmithR

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. We have Active Directory 2003.

Thanks,
Marie
[ActiveDir] W32Time and *nix
Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W32Time is a derivation of the NTP protocol (is it SNTP maybe??). Anyway, nothing I've tried enables the Linux and Unix boxes to sync with this server. One article I read said it will not work, but you obviously can't rely on everything posted on the net :-) Am I missing something, or do I need to maybe look at a 3rd party solution to handle all of the time services? What are some of you using for this situation?

Thanks!

Mark Creamer
RE: [ActiveDir] Time sync on non-domain W2K server?
Interesting... Charlie's message just popped up in my inbox as well. Looks like time sync is a current hot topic. Eagerly awaiting thoughts from the group.

mc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, February 17, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time sync on non-domain W2K server?

I have a W2K3 AD domain. Gets its time synch from our Cisco switch, which gets time from outside. Usually works OK; hiccups once in a while; no big deal. I've run into an interesting problem, though. We have Cisco VoIP phones, which display the time on the screen. A user complained because the time was about 6 minutes different between the phone and her PC. I started looking into it, took care of a few things, but came across something I can't resolve. Our Cisco Call Managers (W2K servers running Cisco call-handling apps) are not members of the domain. Cisco documentation says they should be stand-alone servers. I try and use "net time /setsntp:switchIPaddress" or "net time /setsntp:PDCEname". Either one works, but when I do a "net time /set", it fails with "Could not locate a time-server". Q243574 explains that only the PDCe can do an external synch. So how do we get a stand-alone machine to set the time? It's kind of important, because the phones get their time display from the Call Managers' OS time. Any ideas?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**