[ActiveDir] ldifde question

2006-03-24 Thread Creamer, Mark

Hi, using LDIFDE I've been able to export/import users, groups and OUs from and into our test AD, but I'm trying to figure out whether, with the group export, I can export their memberships as well. Is there a better way to do that?

This command seems to give me the group names at least

ldifde -f c:\temp\exportOu.ldf -s myDC -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=group)(name=*))" -l cn,objectclass,ou

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com





This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.



RE: [ActiveDir] ldifde question

2006-03-24 Thread Creamer, Mark
Ah, an easy one then. Thanks Wook!





mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 24, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Just add member to the list of attributes.



Wook

RE: [ActiveDir] ldifde question

2006-03-24 Thread Creamer, Mark
Cool, thanks guys. I was afraid I was going to run into issues because it's multi-valued. Seems to work fine. Thanks again

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, March 24, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldifde question

Assuming that the structures are now the same, then if you modify your query
as follows:
-l cn,objectclass,ou,member, you should get an output that includes the DN
of the members of each group. Then you should be able to import the output
into your target AD. If the structures are not the same, then the DN will
bite you during import, unless you manually adjust the output file before
import.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
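What "the DN will bite you" looks like in practice, as an added example written for this page (it is not code from the thread and not ldifde's own behaviour): a small LDIF rewriter that takes a group export made with member in the -l list, swaps the source domain suffix for the target's, and reports the member DNs it cannot rewrite. The suffixes, the sample export and the OU and account names in it are constructed for the example. It assumes source and target differ only in domain suffix; an OU layout that also differs needs an explicit DN map rather than a suffix swap.

```python
"""Rewrite an LDIFDE group export so that it imports into a differently named domain.

Added example for this thread; it is not code from the list or from ldifde.
Assumes an export made with 'member' in the -l list, and that source and target
differ only in domain suffix (same OU layout). The sample export is constructed.
"""
import base64
import re

DN_VALUED = {"member", "managedby"}   # attributes whose values are DNs

# Constructed sample: 'Ops' nests 'App Admins' and also holds a member from
# another domain. The second member of 'App Admins' is folded LDIF-style.
SAMPLE_LDIF = """\
dn: CN=App Admins,OU=Groups,DC=my,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: group
cn: App Admins
member: CN=Alice Smith,OU=Users,DC=my,DC=domain,DC=com
member: CN=Bob Jones,OU=Users,DC=my,
 DC=domain,DC=com

dn: CN=Ops,OU=Groups,DC=my,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: group
cn: Ops
description:: T3BzIHRlYW0=
member: CN=App Admins,OU=Groups,DC=my,DC=domain,DC=com
member: CN=External Svc,OU=Service,DC=other,DC=example
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})], unfolding continuation lines
    (which start with one space), skipping comments and decoding 'attr:: b64'."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn")
        entries.append((dn, attrs))
    return entries


def rewrite_dn(dn, old_suffix, new_suffix):
    """Swap the domain suffix of a DN (case-insensitively, at an RDN boundary).
    A DN that is not under old_suffix comes back unchanged so the caller can
    report it; a blind string replace would silently corrupt such values."""
    low, old = dn.lower(), old_suffix.lower()
    if low == old:
        return new_suffix
    if low.endswith("," + old):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn


def format_value(name, value):
    """Emit 'name: value', or 'name:: base64' when the value is not LDIF-safe."""
    safe = value.isascii() and not value.startswith((" ", ":", "<")) and not value.endswith(" ")
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def rewrite_export(text, old_suffix, new_suffix):
    """Return (rewritten LDIF, foreign). foreign lists (group dn, member dn) pairs
    whose member is not under old_suffix: exactly the values that would make
    the import fail, so they must be fixed by hand or dropped first."""
    foreign, records = [], []
    for dn, attrs in parse_ldif(text):
        lines = [format_value("dn", rewrite_dn(dn, old_suffix, new_suffix))]
        for name, values in attrs.items():
            for value in values:
                if name.lower() in DN_VALUED:
                    new_value = rewrite_dn(value, old_suffix, new_suffix)
                    if new_value == value:
                        foreign.append((dn, value))
                    value = new_value
                lines.append(format_value(name, value))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n", foreign


if __name__ == "__main__":
    out, foreign = rewrite_export(SAMPLE_LDIF, "DC=my,DC=domain,DC=com", "DC=test,DC=lab,DC=local")
    print(out, *[f"WARNING: {g}: member {m} is outside the source domain" for g, m in foreign], sep="\n")
```

Feed the real .ldf contents to rewrite_export() and write the first return value out for ldifde -i. Two caveats when importing: ldifde adds records in file order and rejects a member value that names an object not yet in the directory, so import the users first and put nested groups before the groups that contain them; and everything listed in foreign (members from another domain, foreign security principals) has to be dropped or fixed by hand before the import goes through.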



RE: [ActiveDir] Richard Mueller's LastLogon.vbs

2006-03-10 Thread Creamer, Mark

Yeah, it's building data into a dictionary object. It will pump everything into the text file when it's finished. I think it took about 15 minutes with 30,000 users and 4 DCs.





mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Richard Mueller's LastLogon.vbs

Has anyone used this? I kicked it off about a half hour ago and I can't tell if it's doing anything. The output.txt is still 0 bytes and the command line hasn't returned to me yet. It's acting hung but I don't know if it just takes a very long time or not. Any experiences with this script?

Thanks,
Russ

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Richard Mueller's LastLogon.vbs

2006-03-10 Thread Creamer, Mark

In task manager, assuming the script is not hung, cscript should be gradually consuming more and more chunks of memory, shouldn't it? That might be one way to tell.

Sure makes the 2003 AD attribute a welcome change, doesn't it :)





mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

doh. We have 12,000 users and 79 DCs. Should be interesting.


Thanks


RE: [ActiveDir] Richard Mueller's LastLogon.vbs

2006-03-10 Thread Creamer, Mark

Man, that's frustrating. I never had that issue, but it's probably because I have fewer DCs and they're all on fast links, 2 LAN and 2 T1.





mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

OK it finally finished, but it says this error and output.txt is still 0 bytes:

C:\Scripts>cscript //nologo lastlogon.vbs > output.txt
C:\Scripts\lastlogon.vbs(143, 7) Provider: This operation returned because the timeout period expired.
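The part of the job that has to happen after the per-DC sweep the thread is waiting on, as an added example written for this page (it is not Richard Mueller's script and not code from the thread): merging the lastLogon value each DC returns into one answer per account, with a DC that timed out handled explicitly instead of silently shortening the report. Account names, DC names and timestamps are constructed.

```python
"""Merge per-DC lastLogon values into one answer per account.

Added example; it is not Richard Mueller's script and not code from the thread.
lastLogon is not replicated: each DC only knows the last logon it authenticated
itself, so the real value is the newest across every DC, and a DC that times out
(as in the thread) leaves the answer incomplete. Values are Windows FILETIME
(100 ns ticks since 1601-01-01 UTC; 0 = never). The per-DC data is constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME integer -> aware UTC datetime, or None for 0 (never logged on)."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((moment - EPOCH_1601) // timedelta(microseconds=1)) * 10


def merge_last_logon(per_dc):
    """per_dc maps DC name -> {sAMAccountName: filetime}, or None if the DC could
    not be queried. Returns ({sAMAccountName: newest datetime or None},
    [unreachable DC names]). With unreachable DCs the newest value is a lower
    bound only: the DC that was skipped may hold a newer logon."""
    merged, unreachable = {}, []
    for dc, values in per_dc.items():
        if values is None:
            unreachable.append(dc)
            continue
        for sam, filetime in values.items():
            seen = filetime_to_datetime(filetime)
            current = merged.get(sam)
            if seen is not None and (current is None or seen > current):
                merged[sam] = seen
            else:
                merged.setdefault(sam, current)
    return merged, unreachable


def inactive_accounts(merged, unreachable, now, days):
    """Accounts whose newest known logon is older than `days` or unknown. The
    verdict is 'possibly inactive' rather than 'inactive' when any DC was skipped."""
    cutoff = now - timedelta(days=days)
    verdict = "possibly inactive" if unreachable else "inactive"
    return [(sam, last, verdict) for sam, last in sorted(merged.items())
            if last is None or last < cutoff]


def _ft(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


# Constructed sample: three DCs, the third timed out like the one in the thread.
SAMPLE_PER_DC = {
    "DC1": {"alice": _ft(2006, 3, 9, 8, 0), "bob": 0, "carol": _ft(2005, 11, 2, 17, 45)},
    "DC2": {"alice": _ft(2006, 3, 10, 7, 30), "bob": 0, "carol": 0},
    "DC3": None,
}
SAMPLE_NOW = datetime(2006, 3, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    merged, unreachable = merge_last_logon(SAMPLE_PER_DC)
    print("unreachable DCs:", unreachable)
    for sam, last, verdict in inactive_accounts(merged, unreachable, SAMPLE_NOW, 90):
        print(f"{sam}: last logon {last or 'never'} ({verdict})")
```

The sweep is needed in the first place because lastLogon is not replicated, so a script has to ask every DC and keep the newest value, which is what merge_last_logon does; an unreachable DC therefore turns the result into a lower bound rather than a fact, and a stale-account report built on it should say so. The Windows Server 2003 attribute Mark refers to, lastLogonTimestamp, is replicated, but by default it is only rewritten when the stored value is more than about 9 to 14 days old, so it is fine for "unused for 90 days" reports and not for "who logged on today".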

RE: [ActiveDir] Recommendations for spam issue

2006-03-06 Thread Creamer, Mark
Russ, I've used two solutions for this issue, both of which I think turned out well:
 
1. Astaro Security Linux with mail protection subscription - available either as an appliance or a hardened Linux distro you can install on a decent PC
2. Sunbelt Software's IHATESPAM
 
The 501c(3) I support, with about 15 desktops currently, uses the Astaro appliance solution



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Mon 3/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for spam issue


If you were a 20 user non-profit organization that was having a serious problem with SPAM, had an Exchange server in-house but an external internet provider that was filtering and forwarding your e-mail but not doing a good job, what product or solution would you recommend? The problem is valid e-mails are being blocked and SPAM is getting through.

Would something like Trend Client Server Security for SMB work well in this situation?

[ActiveDir] AD Oracle Integration

2006-03-02 Thread Creamer, Mark
Anyone have any knowledge on what it takes to enable AD integration for Oracle? The dev teams want to AD-enable their apps using Oracle 10g as a back end so they don't have to maintain separate login accounts. Articles I've found so far seem a little confusing; apparently it's not a flipped switch somewhere in Oracle :)

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com

[ActiveDir] OT: Linux and AD authentication

2006-03-01 Thread Creamer, Mark
Anyone know if there is a way to make a Linux box run a login script managed at the AD level (not local to the Linux machine) that could at minimum pop up our acceptable use policy? It's coming up because we have our Windows boxes displaying it on login, and management wants the Linux boxes to do the same.

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com


RE: [ActiveDir] OT: Linux and AD authentication

2006-03-01 Thread Creamer, Mark
I should have explained that better Tomasz - the reason we want it managed within AD is to make sure the text displayed is the same everywhere. If it's part of a local script on the individual Linux box, we have to remember to change it in more than one place. There are other things we'd like to do with the login script though, not just the acceptable use policy display.

Thanks guys - I'll check out the 2 products mentioned

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Tomasz Onyszko
Sent: Wednesday, March 01, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Linux and AD authentication

Creamer, Mark wrote:
 Anyone know if there is a way to make a Linux box run a login script 
 managed at the AD level (not local to the Linux machine) that could at 
 minimum pop up our acceptable use policy? It's coming up because we have 
 our Windows boxes displaying it on login, and management wants the Linux 
 boxes to do the same.

Vintela has a solution to process GPO at the Linux\Unix box.

Is it not possible to make a similar script for Linux running on the Linux box? What is this script displaying?

-- 
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Quick CSVDE question

2006-02-28 Thread Creamer, Mark
Bryan, see here:
http://support.microsoft.com/?kbid=269181
 or google the string

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lucas, Bryan
Sent: Tuesday, February 28, 2006 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

Great thanks.  Where did you find this 1.2.840... number? Is there a
reference table somewhere?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Roberts
Sent: Tuesday, February 28, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

If you need to distinguish between true distribution groups and mail-enabled security groups you would be better querying the group type attribute. If you add this to the query you will only get back security-enabled groups, regardless of mail status.

(groupType:1.2.840.113556.1.4.803:=2147483648)

John Roberts
JLR Technology Solutions
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quick CSVDE question

Nevermind, I added mail to the filters and then parsed the data accordingly.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, February 28, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quick CSVDE question

I'm trying to export a list of security groups, but not distribution groups. The string below gets all groups, is there a way I can exclude DLs?

csvde -f c:\groups.csv -s ad7 -d dc=tcu,dc=edu -p subtree -r "(&(objectCategory=Group)(objectClass=group))" -l displayname,samaccountname,description

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
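John's groupType filter and Bryan's mail-based shortcut side by side, as an added example written for this page (it is not code from the thread): a small evaluator for the LDAP filter subset used above, including the LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804) extensible-match rules, run over a constructed set of groups. The group names, mail addresses and groupType values are made up for the example. What it shows is why the mail heuristic misses mail-enabled security groups, and why the filter value 2147483648 matches a stored groupType of -2147483646 even though the two numbers look nothing alike.

```python
"""Evaluate LDAP filters with AD's bitwise matching rules, as in the groupType query above.

Added example, not code from the thread. groupType is a 32-bit flag word that AD
returns as a signed integer, so a global security group reads -2147483646 while the
filter compares against 2147483648 (0x80000000); the server ANDs the unsigned 32-bit
pattern, which bit_rule_matches() reproduces. The sample groups are constructed.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
GROUP_TYPE_SECURITY = 0x80000000            # clear => distribution group
GROUP_SCOPES = {0x02: "global", 0x04: "domain local", 0x08: "universal"}

# Constructed sample; attribute names lower-cased since AD matching is
# case-insensitive. 'Sales-SG' is the mail-enabled *security* group that a
# mail-based heuristic misclassifies as a distribution list.
GROUPS = [
    {"cn": ["Domain Admins"], "objectcategory": ["Group"], "objectclass": ["top", "group"],
     "grouptype": [-2147483646]},
    {"cn": ["All Staff"], "objectcategory": ["Group"], "objectclass": ["top", "group"],
     "grouptype": [2], "mail": ["staff@example.com"]},
    {"cn": ["Sales-SG"], "objectcategory": ["Group"], "objectclass": ["top", "group"],
     "grouptype": [-2147483640], "mail": ["sales@example.com"]},
    {"cn": ["Helpdesk DL"], "objectcategory": ["Group"], "objectclass": ["top", "group"],
     "grouptype": [8], "mail": ["helpdesk@example.com"]},
]


def bit_rule_matches(rule, stored, pattern):
    """Apply LDAP_MATCHING_RULE_BIT_AND / _OR to one stored integer attribute value."""
    value = stored & 0xFFFFFFFF             # view the signed value as unsigned 32-bit
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (value & pattern) == pattern  # every bit of the pattern is set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (value & pattern) != 0        # at least one bit of the pattern is set
    raise ValueError(f"unsupported matching rule {rule}")


def parse_filter(text):
    """Parse the RFC 4515 subset used here (&, |, !, presence, equality and the
    extensible match 'attr:oid:=value') into a nested tuple tree."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, items, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                items.append(node)
            node = (op, items)
        elif text[i] == "!":
            node, i = parse(i + 1)
            node = ("!", node)
        else:
            end = text.index(")", i)
            m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", text[i:end])
            if not m:
                raise ValueError(f"bad filter item {text[i:end]!r}")
            attr, oid, value = m.groups()
            node, i = ("cmp", attr.lower(), oid, value), end
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry of the form {attr: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, oid, wanted = node
    values = entry.get(attr, [])
    if not values:
        return False                     # absent attribute: no match, so (!(mail=*)) selects it
    if oid is None:
        return wanted == "*" or any(str(v).lower() == wanted.lower() for v in values)
    return any(bit_rule_matches(oid, int(v), int(wanted)) for v in values)


def select(filter_text, entries):
    """Return the cn of every entry the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]


def describe_group_type(value):
    """Decode a groupType value into 'security|distribution <scope>'."""
    unsigned = value & 0xFFFFFFFF
    kind = "security" if unsigned & GROUP_TYPE_SECURITY else "distribution"
    scope = next((name for bit, name in GROUP_SCOPES.items() if unsigned & bit), "unknown")
    return f"{kind} {scope}"
```

When the same filter goes on a csvde or ldifde command line, quote it, since & is a command separator in cmd.exe. Negating the 803 term, (!(groupType:1.2.840.113556.1.4.803:=2147483648)), is the cleanest way to list only distribution groups; the 804 (OR) rule with 12 picks out domain local and universal groups regardless of whether they are security-enabled.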


RE: [ActiveDir] MVP mini summit at DEC 2006

2006-02-23 Thread Creamer, Mark
Cool - that's the little town where a dead body shows up week after week on CSI

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Laura E. Hunter
Sent: Thursday, February 23, 2006 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] MVP mini summit at DEC 2006

I think the statement works either with it or without it.  :-)

(And remember, it's in -Henderson-, not Las Vegas!  No gambling, no
showgirls, just a quiet little geek conference in the middle of the
desert.  Nothing to see here, move along.  ;-))

On 2/23/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
 Forgot the ;-)

 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
  I believe Vegas comes standard with Drugs, booze and loose women.
 
  [EMAIL PROTECTED] wrote:
  Daft question maybe, but is this open to MVPs only?
 
 
  neil
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
  Sent: 23 February 2006 00:09
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] MVP mini summit at DEC 2006
 
  Alym has scheduled a MVP mini summit session at the conclusion of DEC
  2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of
  the DEC session rooms (tbd). Drugs, booze, and loose women will
  follow... or at least that's what I was led to believe. :)
 
  Alym is swamped with another project, but will be providing the official
  announcement in a few days. I just wanted to make MVPs aware of it in
  case you had scheduled a flight out on Wednesday afternoon.
 
  -gil
 
 
 
 
  PLEASE READ: The information contained in this email is confidential and
  intended for the named recipient(s) only. If you are not an intended
  recipient of this email please notify the sender immediately and
  delete your
  copy from your system. You must not copy, distribute or take any further
  action in reliance on it. Email is not a secure method of
  communication and
  Nomura International plc ('NIplc') will not, to the extent permitted
  by law,
  accept responsibility or liability for (a) the accuracy or
  completeness of,
  or (b) the presence of any virus, worm or similar malicious or disabling
  code in, this message or any attachment(s) to it. If verification of
  this
  email is sought then please request a hard copy. Unless otherwise stated
  this email: (1) is not, and should not be treated or relied upon as,
  investment research; (2) contains views or opinions that are solely
  those of
  the author and do not necessarily represent those of NIplc; (3) is
  intended
  for informational purposes only and is not a recommendation,
  solicitation or
  offer to buy or sell securities or related financial instruments.  NIplc
  does not provide investment services to private customers.
  Authorised and
  regulated by the Financial Services Authority.  Registered in England
  no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St
  Martin's-le-Grand,
  London, EC1A 4NP.  A member of the Nomura group of companies.
 



--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail transmission contains information that is intended to be 
confidential and privileged.  If you receive this e-mail and you are not a 
named addressee you are hereby notified that you are not authorized to read, 
print, retain, copy or disseminate this communication without the consent of 
the sender and that doing so is prohibited and may be unlawful.  Please reply 
to the message immediately by informing the sender that the message was 
misdirected.  After replying, please delete and otherwise erase it and any 
attachments from your computer system.  Your assistance in correcting this 
error is appreciated.


[ActiveDir] ADUC question

2006-02-10 Thread Creamer, Mark
Title: ADUC question

Noticed something I don't think I've seen before. Domain structure: empty root + 2 subdomains with users in them. My normal day-to-day account is not a domain admin, and I live in Subdomain A.

I open ADUC, focused on Subdomain A, and search Subdomain B for a user. When I find that user, I click on the Member Of tab for that user. All I see are that user's global group memberships in Subdomain B.

If our Account Admin (she's not a Domain Admin but has been delegated the rights to create and modify users) opens ADUC and does the same thing, when she looks at the Member Of tab for the same user, she sees not only the Subdomain B global groups, but also the Universal Groups that user is a member of, which live in Subdomain A.

I thought it would be because my console was not focused on a Global Catalog, but I tried it on GC and non-GC domain controllers. Any idea why she sees the Universal groups and no one else does?

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com





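An added diagnostic, not code from the thread: PowerShell that reads the same Subdomain B user's memberOf from a domain DC and from a Global Catalog, to be run once under each account. It separates what the directory returns to that account from what the ADUC Member Of tab renders; server names and the user DN are placeholders.

```powershell
# Added example, not code from the thread. Reads one user's memberOf from an
# ordinary DC in Subdomain B (LDAP://, port 389) and from a Global Catalog
# (GC://, port 3268), under whatever account runs the script. Server names
# and the user DN are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-MemberOfFromRoot {
    param(
        [string]$SearchRoot,   # 'LDAP://server/DC=...' or 'GC://server/DC=...'
        [string]$UserDn
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Escape the DN for use inside an LDAP filter (RFC 4515): backslash first.
    $escaped = $UserDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher.Filter = "(distinguishedName=$escaped)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return @() }
    # memberOf is a back-link computed by the DC that answers, so it can only
    # list groups that DC holds a copy of. A non-GC DC in Subdomain B has no
    # replica of Subdomain A's groups; a GC holds the universal ones.
    return @($result.Properties['memberof'] | Sort-Object)
}

$userDn = 'CN=Some User,OU=Staff,DC=subB,DC=example,DC=com'   # placeholder
$fromDc = @(Get-MemberOfFromRoot -UserDn $userDn `
    -SearchRoot 'LDAP://dc01.subB.example.com/DC=subB,DC=example,DC=com')
$fromGc = @(Get-MemberOfFromRoot -UserDn $userDn `
    -SearchRoot 'GC://gc01.subA.example.com/DC=example,DC=com')

"Running as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"memberOf from the Subdomain B DC ($($fromDc.Count) groups):"
$fromDc
"memberOf from the GC ($($fromGc.Count) groups):"
$fromGc
"Returned only by the GC (cross-domain universal groups land here):"
$fromGc | Where-Object { $fromDc -notcontains $_ }
```

If both accounts get the same lists back from the GC but ADUC still differs, the difference is in the console's view rather than in what the directory returns.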



RE: [ActiveDir] Wireless and logon script

2006-02-08 Thread Creamer, Mark
Title: Wireless and logon script

Thanks Chris!

mc











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 08, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

Sorry, typo on the KB number, link is

http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Regards

Chris









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 18:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script

Chris, I'm not having success finding that KB. Is that the right number?

Thanks!

mc











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script





What O/S and Service Pack are you running and are you using USB WLAN Cards?

We recently deployed a Wireless Infrastructure and had a similar issue with Computer GPO's and Start Up scripts not being applied. Turns out the GPO processing and Start up scripts were running before a network connection was made on our Workstations that used a USB WLAN Card.

After applying XP sp2 and making a registry change using a custom adm template... all was fine.

See MS KB 840649 for the registry settings to modify.

Regards

Chris









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 15:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Wireless and logon script

Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven't been involved with their setup. Basically the deal is when a user logs in to a wired LAN connection, the logon script always runs. When they log on with wireless, the logon script does not run. To me as a casual observer, it looks like the authentication does not happen until after a cached logon takes place and the user attempts to reach a resource requiring authentication, such as Exchange.

Thanks,

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com


This e-mail (and any attachments) is confidential and may contain personal views which are not the views of Gwent HealthCare NHS Trust unless specifically stated. If you have received it in error, delete it from your system, do not use, copy or disclose the information in any way. Please notify the sender immediately of this error.



RE: [ActiveDir] OT: Tracking File Deletes

2006-02-08 Thread Creamer, Mark
Also, just received a message from ScriptLogic about their new File Auditing tool (NFI). Looks interesting.

http://www.scriptlogic.com/products/filesystemauditor/


mc



RE: [ActiveDir] Site Links

2006-02-07 Thread Creamer, Mark








Do you have manually created links? You'll likely get a lot better answers than mine, but basically when I had replication problems, I eventually determined that a lot of it was of my own causing. Basically, I had no reason to create any site links manually, which I had done. I got rid of those, changed the costs per recommendations on this list, and let the KCC do the rest. It's been perfect ever since.





mc 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links







AD Experts,

Are there any best practices for creating and managing site links? The problem I am facing is where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel












[ActiveDir] Wireless and logon script

2006-02-06 Thread Creamer, Mark
Title: Wireless and logon script

Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven't been involved with their setup. Basically the deal is when a user logs in to a wired LAN connection, the logon script always runs. When they log on with wireless, the logon script does not run. To me as a casual observer, it looks like the authentication does not happen until after a cached logon takes place and the user attempts to reach a resource requiring authentication, such as Exchange.

Thanks,

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com








RE: [ActiveDir] Wireless and logon script

2006-02-06 Thread Creamer, Mark
Title: Wireless and logon script

Chris, I'm not having success finding that KB. Is that the right number?

Thanks!

mc











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Wireless and logon script





What O/S and Service Pack are you running and are you using USB WLAN Cards?

We recently deployed a Wireless Infrastructure and had a similar issue with Computer GPO's and Start Up scripts not being applied. Turns out the GPO processing and Start up scripts were running before a network connection was made on our Workstations that used a USB WLAN Card.

After applying XP sp2 and making a registry change using a custom adm template... all was fine.

See MS KB 840649 for the registry settings to modify.

Regards

Chris









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: 06 February 2006 15:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Wireless and logon script

Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven't been involved with their setup. Basically the deal is when a user logs in to a wired LAN connection, the logon script always runs. When they log on with wireless, the logon script does not run. To me as a casual observer, it looks like the authentication does not happen until after a cached logon takes place and the user attempts to reach a resource requiring authentication, such as Exchange.

Thanks,

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com












RE: [ActiveDir] Lotus Sametime and LDAP access to AD

2006-02-02 Thread Creamer, Mark
Title: Message

Wow!

Exactly the kind of crap joe and I and others were talking about the other day. Let's crash AD to make poor programming work...

mc











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, February 02, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lotus Sametime and LDAP access to AD







Has anyone on the list ever run into this? A systems integrator I know told me that they were trying to integrate Lotus SameTime with AD as part of an enterprise portal configuration. Apparently SameTime can authenticate using LDAP binds and also grab user information which SameTime uses for its configuration.

Anyhow, it chokes when it tries to retrieve the user information. Apparently, they try to query on all users within the specified scope, but without using the LDAP paging control. The integrator sent me this URL to the technote published by IBM on the subject

http://www.ibm.com/support/docview.wss?rs=899uid=swg21090028

From the referenced technote:

Currently, Sametime must pull all users from the LDAP server and will reach the limit set on the LDAP server, if a limit is set to be lower than the amount of users that Sametime can search for.

And then this little gem:
The following can resolve the error on an Active Directory server:


 In Active Directory, go to a
 command line and type:
 
 ntdsutil
 ldap policies
 connections
 connect to server local server name
 set creds local domain name administrator admin password
 quit
 show values
 set MaxPageSize to 10
 commit changes
 
 Note If the amount of
 users/groups on the AD server is larger than 100,000, the MaxPageSize
 value should be set higher.
 




When I regained my composure, I replied with a note to the effect that there is absolutely no way I would advocate opening that throttle by a factor of 100 (or more!). There have been numerous threads on this list about MaxPageSize, usually ending with a pronouncement from ~Eric or joe saying "Just don't do it - use LDAP paging."











I'm just curious if anyone else has run into this with SameTime, and also whether Microsoft has directly addressed this kind of advice from IBM or anyone else.











Dave










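As an added example, not code from the thread, IBM's technote or Microsoft: the alternative Dave's post points to, an enumeration of all users with the LDAP Simple Paged Results control at a page size under MaxPageSize, followed by a read-only check of the forest's default query policy so a raised MaxPageSize gets noticed. Server names and DNs are placeholders.

```powershell
# Added example; not code from the thread, IBM's technote or Microsoft.
# Part 1: enumerate all users with the Simple Paged Results control (RFC 2696),
# the alternative to raising MaxPageSize on the DC. Part 2: a read-only audit of
# the forest's default LDAP query policy so a raised MaxPageSize is noticed.
# Server names and DNs are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-LdapConnection {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity-protect the session
    $conn.SessionOptions.Sealing = $true   # and encrypt it
    $conn.Bind()                           # current credentials via Negotiate
    return $conn
}

function Get-AllUsersPaged {
    param(
        [string]$Server,
        [string]$BaseDn,
        [int]$PageSize = 500   # stay at or below the DC's MaxPageSize (default 1000)
    )
    $conn = New-LdapConnection -Server $Server
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn,
        '(&(objectCategory=person)(objectClass=user))',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('sAMAccountName'))
    $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($pageControl)

    $names = New-Object System.Collections.Generic.List[string]
    do {
        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $names.Add([string]$entry.Attributes['samaccountname'][0])
        }
        # The DC returns a cookie with every page; an empty cookie marks the last one.
        $pageResponse = $response.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        if ($null -eq $pageResponse) { break }   # server did not honour the control
        $pageControl.Cookie = $pageResponse.Cookie
    } while ($pageResponse.Cookie.Length -gt 0)
    $conn.Dispose()
    return $names
}

function Get-LdapQueryPolicyLimits {
    param([string]$Server, [string]$ForestRootDn)
    $conn = New-LdapConnection -Server $Server
    $policyDn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
                "CN=Windows NT,CN=Services,CN=Configuration,$ForestRootDn"
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $policyDn, '(objectClass=queryPolicy)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, @('lDAPAdminLimits'))
    $response = $conn.SendRequest($request)
    $limits = @{}
    # Each value looks like "MaxPageSize=1000"; ntdsutil's "show values" prints the same list.
    foreach ($v in $response.Entries[0].Attributes['ldapadminlimits'].GetValues([string])) {
        $name, $value = $v -split '=', 2
        $limits[$name] = [int]$value
    }
    $conn.Dispose()
    return $limits
}

$dc = 'dc01.example.com'            # placeholder
$forestRoot = 'DC=example,DC=com'   # placeholder

$limits = Get-LdapQueryPolicyLimits -Server $dc -ForestRootDn $forestRoot
if ($limits['MaxPageSize'] -gt 1000) {
    Write-Warning ("MaxPageSize is {0}; the default is 1000, so it has been raised." -f $limits['MaxPageSize'])
}
$users = Get-AllUsersPaged -Server $dc -BaseDn $forestRoot
"{0} user objects read in pages of 500 without touching MaxPageSize." -f $users.Count
```

Each page is a separate round trip that the DC bounds by MaxPageSize, which is exactly what the technote's setting change removes; a client that pages never needs the limit raised.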





[ActiveDir] distributing large service pack files

2006-02-02 Thread Creamer, Mark
Title: distributing large service pack files






The structure of our WAN is such that we have lots of small offices all over the country, each with a few to a hundred or so PCs, connected by not-so-fast links. The biggest locations have T1s, but many don't. Keeping these things patched is a nightmare. We do not have distributed servers, and really nothing except the PCs themselves to cache something for local delivery. Which brings me to my question...is it even conceivable that something like an internal-only BitTorrent could be leveraged to distribute something as large as a service pack? I think it might be more efficient than a 3rd party patch management solution or WSUS, which I can't use because of not having distributed file caches. If this is nutty, dish out the dirt, but I'll want to understand why it's nutty too :-)

Thanks

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com








RE: [ActiveDir] distributing large service pack files

2006-02-02 Thread Creamer, Mark
Hmm. That's an answer I didn't expect. Good info. Thanks Susan. I know I need to play more with WSUS. The only place I have installed it was in a 20 node network with an older server hosting WSUS only, and it killed the performance on the server. So I (not very scientifically I admit) extrapolated that it would be a disaster in a large corporate environment. No, I didn't install all languages :-) I'm sure I did something wrong, just haven't gone back to revisit it yet.

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, February 02, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] distributing large service pack files

Not to mention it's my understanding that it's not legal to distribute 
service packs outside the MS cloud and host MS code like service 
packs/hotfixes like that.

This is why universities cannot hand out SP cdroms and some such things.

Since the Department of Justice... it's been my impression that MS tends 
to want to control the bits so they can yank parts if need be [see 
recent SP update notifications for Office due to stupid lawsuit between 
guy and MS on Access]

WSUS had to get some eula's rewritten to allow the geeks to do allow 
consultants to do patching and what not.

Molkentin, Steve wrote:

 Mark,
 WSUS (and SMS for that matter) uses the Background Intelligent 
 Transfer Service (that's what it's called) to do just this on large 
 files, in that it is smart enough to recognise downtime on your 
 network to send files, and manages the resumption of large files if it 
 had to stop transferring them. It is pretty seamless in my experience 
 - all our links are less than T1 (except for the internet pipe into 
 our head office), and we manage to push a lot of stuff around using 
 WSUS quite well with no interruption to business.
 It's not hard to setup an older PC as a local WSUS cache - it needs 
 little in the way of processor and RAM (really), and will get over any 
 cost issue and give you the ability to distribute, etc. Additionally, 
 it takes away all the responsibility of the staff member to 
 install/connect/download the service pack (and don't start me on the 
 fact that they shouldn't have admin rights to install it in the first 
 place).
 My $0.02 inc GST...
 themolk.

 
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of
 *Creamer, Mark
 *Sent:* Friday, 3 February 2006 6:18 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] distributing large service pack files

 The structure of our WAN is such that we have lots of small
 offices all over the country, each with a few to a hundred or so
 PCs, connected by not-so-fast links. The biggest locations have
 T1s, but many don't. Keeping these things patched is a nightmare.
 We do not have distributed servers, and really nothing except the
 PCs themselves to cache something for local delivery. Which brings
 me to my question...is it even conceivable that something like an
 internal-only BitTorrent could be leveraged to distribute
 something as large as a service pack? I think it might be more
 efficient than a 3^rd party patch management solution or WSUS,
 which I can't use because of not having distributed file caches.
 If this is nutty, dish out the dirt, but I'll want to understand
 why it's nutty too :-)

 Thanks

 ***Mark Creamer*

 *Systems Engineer*

 Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

 Email: [EMAIL PROTECTED] | http://www.cintas.com




-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.

2006-01-28 Thread Creamer, Mark
What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran everything under my own account - maybe not, but I generally do.

As far as RDP, I usually disable everyone's ability to TS in, and enable only my own account. But I always change the port to some weird random number, just to thwart the majority of the script kiddies.

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk of
the 500 account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that 500 account.

I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the 500 account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the 500 account now.

Al Mulnick wrote:

 I can honestly think of no plausible reason that any vendor I want to 
 do business with would require that I use that or any specific 
 account.  There is never a time when that's acceptable.  Wait.  I want 
 to be clear about this. There is never a time when it is acceptable to 
 tell me that I MUST install and run under a specific named account. 
  
 Any time I've been faced with that concept, I and my colleagues have 
 always pushed back on the vendor to specify exactly what rights and 
 any other pertinent details were needed.  If they couldn't or 
 otherwise wouldn't provide the details, then we emphatically recommend 
 no sale.  If that doesn't prevent the sale, we loop in the security 
 folks to accept responsibility for the compliance and other security 
 issues that this may introduce. If they were fine with it, then I no 
 longer have a stake in the game for that.  Instead, I now have a scapegoat 
 for anything that goes wrong ;)
  
 There is never a time when it is acceptable to tell me that I MUST 
 install and run under a specific named account. Never.  

  
 On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

 There have been times in recent past that certain installs or
 applications only work under the 500 account aka the real admin
 account down here in SBSland.

 In Big server land... do you also find this to be true with apps that
 need to be installed on the server?

 For many of you you are obviously remote admin'ing.

 Do you ..when using that 500 account... accept the risk of that Admin
 account/password over TS/3389?

 Only over VPN?  Only use that 500 account in certain
 vlans/subnets/whatevers that obviously we in SBSland never carve
 up our
 domain structures in?

 For SOX purposes only have a documented use of that 500 account?

 For all other times do you use admin equivalent?


 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com




-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the 500 account.

2006-01-28 Thread Creamer, Mark
OK, I must have logged in that way then. I was local that day, not remote. Very, very good to know...I have a couple more coming up next week.

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk of
the 500 account.

Windows 2003 sp1
Sharepoint sp1 [can use sp2 instead]
Exchange sp1 [can use sp2 instead]
XP sp2
SBS specific SP1 - this is the one we've found has needed the 500 account

---

If premium
SQL server 2000 sp4
ISA 2004 [must have media..CANNOT be done remotely]

Creamer, Mark wrote:

What's the 5th part? I just did a full SBS sp1 install, and I *think* I ran 
everything under my own
account - maybe not, but I generally do.

As far as RDP, I usually disable everyone's ability to TS in, and enable only 
my own account. But I
always change the port to some weird random number, just to thwart the 
majority of the script
kiddies.

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question 
about the use and risk
of
the 500 account.

:-)

Don't install the 5th part of the SBS sp1 service pack bundle then. 
'cause it kinda wants to be only run under that 500 account.

I've got a SBSer installing WSUS under an alternative Admin account and 
the installs that he's done under the 500 account the computers check 
in just fine...the ones under the alternative account are having 
issues.  He's applied the compression hotfix and done client side 
targeting and still no go.  He's redoing the group policy settings under 
the 500 account now.

Al Mulnick wrote:

I can honestly think of no plausible reason that any vendor I want to do business with would require that I use that or any specific account. There is never a time when that's acceptable. Wait. I want to be clear about this. There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account.

Any time I've been faced with that concept, I and my colleagues have always pushed back on the vendor to specify exactly what rights and any other pertinent details were needed. If they couldn't or otherwise wouldn't provide the details, then we emphatically recommend no sale. If that doesn't prevent the sale, we loop in the security folks to accept responsibility for the compliance and other security issues that this may introduce. If they were fine with it, then I no longer have a stake in the game for that. Instead, I now have a scapegoat for anything that goes wrong ;)

There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account. Never.

On 1/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

There have been times in recent past that certain installs or applications only work under the 500 account aka the real admin account down here in SBSland.

In Big server land... do you also find this to be true with apps that need to be installed on the server?

For many of you, you are obviously remote admin'ing.

Do you... when using that 500 account... accept the risk of that Admin account/password over TS/3389?

Only over VPN? Only use that 500 account in certain vlans/subnets/whatevers that obviously we in SBSland never carve up our domain structures in?

For SOX purposes only have a documented use of that 500 account?

For all other times do you use admin equivalent?


--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Logon issue

2006-01-27 Thread Creamer, Mark

We have an unusual situation I can't find a solution for and I wanted to see if others had experienced it. A few of our remote locations connect to corporate via DSL and VPN. We normally have a logon script engine (ScriptLogic) that runs for each logon. PCs run Windows XP, and get DHCP and logon services from the corporate location.

In several cases, when a specific user (and there are more than one) logs on to a PC with the problem, the logon takes up to 20 minutes to log on. When another user logs on to the same PC in the same location, the logon is instantaneous. The same symptoms are happening in several locations, involving different users, but in each case, a different user can log on fine on the affected PC.

Our networks folks watched the traffic in Compuware and determined that in the logons that are a problem, there is significant Kerberos traffic, back and forth, back and forth.

My first thought was corrupt or excessively large profile, but we don't use roaming profiles, and the PC has been re-imaged. We also recreated accounts for a couple of users. The problem goes away for a couple of weeks, and then it's back.

I'm just now getting involved because the network team initially thought it was their issue. Is there anything you can suggest I can look at?

Thanks,

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com

RE: [ActiveDir] Developer Best Practices doc

2006-01-25 Thread Creamer, Mark

What's frustrating to me is that even some of the most significant players in many software categories (and hardware for that matter) are not allowing some of the Microsoft best practices listed in these documents to be used. (I'm not referring to in-house development this time.)

Example: An app that requires one or more hard-coded domain controllers, because the app was not designed to know how to search for an available server (WebMethods). Or one that has to be patched to know how to do referral chasing because we have multiple domains and not all the needed attributes are in the GC (Cognos).

What do you guys do? Surely you can't expect to always be able to take the high ground and say to a business unit "you can't bring in this new state-of-the-art application because it isn't querying the AD correctly." Especially if it works (in their minds, albeit not efficiently in mine). I'd be laughed out of a job. AD is just one small part of the big package.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 24, 2006 11:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Developer Best Practices doc

Yep, Joe and Ryan have a book they put together for NET program for the Directory Services stuff. I believe it is completed from a writing standpoint, just doing all of the stuff it takes to get it ready to get it out the door. I am not a NET person but I reviewed it for the directory related logic and processes (i.e. queries and the general thoughts of how you would attack things). Again not being a NET person, it still seemed to be pretty good, it read fairly well.

Other than that, I would point at the writing efficient apps document from MS as well as the MSDN docs on using AD. Specific DOCs:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/efficientadapps.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_active_directory.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_efficient_queries.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/active_directory_service_interfaces_adsi.asp

ADAM docs are good to learn from as well:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/active_directory_application_mode.asp

Gil wrote the book that I initially learned to write apps from called Active Directory Programming. It is broken up into ADSI and LDAP sections. It isn't the end all be all and there is an occasional issue but it obviously got me going in the right direction. I still refer back to it on occasion.

Other than that, make them read some of the better AD books out there to really understand the idea and capabilities and uses behind AD. Yes it is an LDAP directory but if you only go in thinking that you will probably not write the best apps you can write. Recommended books would be Sakari's book, get Second Edition and if I may be so bold and not sound bad doing so, O'Reilly Active Directory Third Edition.

Oh finally, send them into the various AD Programming Interface and ADSI newsgroups to see the kinds of questions other folks are asking about how to do this stuff.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 24, 2006 4:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Developer Best Practices doc

I believe Joe Kaplan and Ryan Dunn have a book which is going to be published soon on the matter.

Thanks,

Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Tue 1/24/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Developer Best Practices doc

IIRC, There are several books that relate to this. Somebody on this list may have written one even :)

That said, I think the normal applies to the best practices:

Use efficient LDAP queries (see Microsoft web site; several blogs as well) when LDAP is used

Use .NET best practices for dealing with code

Try to stay away from legacy practices where possible (WINNT provider if using ADSI)

Limit queries to the exact information needed.

Be sure to remember that group membership gets truncated to a limited number of members if using intuitive methods to read them. Limitation of .NET.

I'm sure there are other pieces, but I've not had to write one more specific than that.

On 1/24/06, Creamer, Mark [EMAIL PROTECTED] wrote:

Anybody seen/created a best practices document to 'teach' internal application development teams to interact with AD? I've just been asked to do one and could use some guidance on things to include.

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com

RE: [ActiveDir] Developer Best Practices doc

2006-01-25 Thread Creamer, Mark
Bravo Susan...I guess that's one way

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 25, 2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Developer Best Practices doc

www.threatcode.com

You want me to start a new division?

We have to get people to care by shaming them into changing their ways.

Creamer, Mark wrote:

 What's frustrating to me, is that even some of the most significant 
 players in many software categories (and hardware for that matter) are 
 not allowing some of the Microsoft best practices listed in these 
 documents to be used. (I'm not referring to in-house development this 
 time)

 Example: An app that requires one or more hard-coded domain 
 controllers, because the app was not designed to know how to search 
 for an available server (WebMethods). Or one that has to be patched to 
 know how to do referral chasing because we have multiple domains and 
 not all the needed attributes are in the GC (Cognos).

 What do you guys do? Surely you can't expect to always be able to take 
 the high-ground and say to a business unit - you can't bring in this 
 new state-of-the-art application because it isn't querying the AD 
 correctly. Especially if it works (in their minds, albeit not 
 efficiently in mine). I'd be laughed out of a job. AD is just one 
 small part of the big package.

 mc

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, January 24, 2006 11:16 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Developer Best Practices doc

 Yep, Joe and Ryan have a book they put together for NET program for 
 the Directory Services stuff. I believe it is completed from a writing 
 standpoint, just doing all of the stuff it takes to get it ready to 
 get it out the door. I am not a NET person but I reviewed it for the 
 directory related logic and processes (i.e. queries and the general 
 thoughts of how you would attack things). Again not being a NET 
 person, it still seemed to be pretty good, it read fairly well.

 Other than that, I would point at the writing efficient apps document 
 from MS as well as the MSDN docs on using AD. Specific DOCs

 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/efficientadapps.asp

 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_active_directory.asp

 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_efficient_queries.asp

 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/active_directory_service_interfaces_adsi.asp

 ADAM docs are good to learn from as well

 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/active_directory_application_mode.asp

 Gil wrote the book that I initially learned to write apps from called 
 Active Directory Programming. It is broken up into ADSI and LDAP 
 sections. It isn't the end all be all and there is an occasional issue 
 but it obviously got me going in the right direction. I still refer 
 back to it on occasion.

 Other than that, make them read some of the better AD books out there 
 to really understand the idea and capabilities and uses behind AD. Yes 
 it is an LDAP directory but if you only go in thinking that you will 
 probably not write the best apps you can write. Recommended books 
 would be Sakari's book, get Second Edition and if I may be so bold and 
 not sound bad doing so, O'Reilly Active Directory Third Edition.

 Oh finally, send them into the various AD Programming Interface and 
 ADSI newsgroups to see the kinds of questions other folks are asking 
 about how to do this stuff.

 joe


 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Tuesday, January 24, 2006 4:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Developer Best Practices doc

 I believe Joe Kaplan and Ryan Dunn have a book which is going to be published soon on the matter.

 Thanks,

 Brian Desmond

 [EMAIL PROTECTED]

 c - 312.731.3132

 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Tue 1/24/2006 3:50 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Developer Best Practices doc

 IIRC, There are several books that relate to this. Somebody on this 
 list may have written one even :)

 That said, I think the normal applies to the best practices:

 Use efficient LDAP queries (see Microsoft web site; several blogs as 
 well) when LDAP is used

 Use .NET best practices for dealing with code

 Try to stay away from legacy practices where possible

[ActiveDir] Developer Best Practices doc

2006-01-24 Thread Creamer, Mark

Anybody seen/created a best practices document to teach internal application development teams to interact with AD? I've just been asked to do one and could use some guidance on things to include.

Mark Creamer

Systems Engineer

Cintas Corporation | 6800 Cintas Boulevard | Mason, OH 45040

Email: [EMAIL PROTECTED] | http://www.cintas.com

RE: [ActiveDir] OT: DEC 2006

2006-01-13 Thread Creamer, Mark
There's one on eBay right now. 

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, January 13, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

I remember those. That was my last year at U of L and they announced
that the next year all engineering students would be required to buy a
rainbow. The cost was to be spread over 4 years of tuition. Fortunately,
the rainbow proved itself an instant flop and U of L dropped that plan.

If memory serves, they did run MSDOS, but they didn't have a pc
compatible BIOS so that while they gave the impression that they were PC
compatible, in reality they wouldn't run anything that required BIOS
calls (which was 99% of the software out there). We used a lot of HP 150
touch screens, and they were the same way.

Also, you had to buy pre-formatted floppies from DEC - you couldn't
format your own. At least until someone leaked the formatting utilities.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow?  It was DEC's attempt at a Personal
computer.  Launched in early '83, if I remember...  ran its own
proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
died a year or two later, but the marketing stickers held up for about
10 years!!  I had one stuck to my daughter's mirror and damned if I
could get it off!!

And the DECwriter and the Gold key. a - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:
 Ah but people using DEC and attending DECUS were smarter than the average bear. To this day the people I meet who grew up on DEC are more well rounded and knowledgeable in the field than the norm.

 The good ol days... Anyone remember Mike Mayfield and the RSTS/E Monitor Internals books he wrote? Only place to get the real scoop on the internals so you could really wreak havoc. I think he also wrote the original Trek too so if your system was still up after poking around in the internals you could play a video game on your DecWriter or VT52.

 I got my first official corporate support position supporting OS/2 and Win31 on Token Ring back in the mid 90's because I knew DEC. The 8 or so people in the panel interview started asking me questions about the equipment the job was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of the questions so they saw DEC on my resume and started asking DEC questions and a couple of hours later we were all laughing and I had my choice of the three open positions they had even though I knew nothing about any of them.
 :)




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 McGlinchey
 Sent: Tuesday, January 10, 2006 4:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: DEC 2006

 My experience is just the opposite. I attended DECUS (The other DEC, Digital Equipment Computer Users Society Symposia) a few times back in the 90's and the casinos complained that the attendees were not losing enough money.
 This was attributed to 1) most of the attendees knew the odds were against them so they kept their money in their pockets where it belonged and 2) the ones that did play were pretty good at it and were winning too much.

 I'll not be attending but I'm sending someone that works for me instead.
 Have a good conference.

 John McGlinchey

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
  Michael M.
  Sent: Tuesday, January 10, 2006 3:38 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  I think you are going to find the same at Green Valley - 
  http://www.greenvalleyranchresort.com/gaming/index.html
 
  Leave your car and house titles at home!

--
Kat Collins - The Email of the species is more powerful than the Mail!

The human voice is the organ of the soul. Henry Wadsworth Longfellow

RE: [ActiveDir] OT: DEC 2006

2006-01-10 Thread Creamer, Mark

On-site support visit. I count 12 Applebee's locations in the greater Vegas area. Surely there's a piece of AD broken in one of them :)

Me? We've got pants and shirts scattered all over Vegas hotels and casinos and I still can't go :(

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 10, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Ditto for me... My title doesn't start with a C _ _ so I'm afraid to even ask for a paid trip to Vegas :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Monday, January 09, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

I would love to go, unfortunately as most people on the list unless our employers pay for it, we just can not afford to attend.

Jose

- Original Message -
From: McLeod, Scotty
To: ActiveDir@mail.activedir.org
Sent: Monday, January 09, 2006 7:45 AM
Subject: RE: [ActiveDir] OT: DEC 2006

Am attending again, looking forward to it.

Scotty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 05 January 2006 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year? www.directoryexpertsconference.com

Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s.

Mark

This
e-mail and any attachments may contain confidential and privileged
information. If you are not the intended recipient, please notify the
sender immediately by return e-mail, delete this e-mail and destroy any
copies. Any dissemination or use of this information by a person other
than the intended recipient is unauthorized and may be illegal.

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.

RE: [ActiveDir] AD or is this Exchange task?

2005-12-22 Thread Creamer, Mark

Thanks Tony. One question if someone knows...

Below is an excerpt from the script. What should the syntax for the folder path be?

    ' This code toggles the mail-enabled status of the selected folder.
    ' -- SCRIPT CONFIGURATION --
    strComputerName = "<serverName>"
    strPubFolderPath = "<folderPath>"

In our Public Folder list when I look at it in Outlook, it shows: Public Folders/All Public Folders/HR Managers, and then under that is all the folders whose mail-enable status I want to turn off. These are named HR001, HR002, etc.

What should the strPubFolderPath look like to accomplish this? Thanks again!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, December 21, 2005 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

Another method to do this is to use WMI. Here's a sample script from the Exchange Server Cookbook.

http://www.exchangecookbook.com/files/09-08-change-PF-mail-enable-status.txt

Bear in mind that if you are running in mixed mode then Exchange 5.5 expects all PFs to be mail-enabled.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 22 December 2005 9:13 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

The supported mechanism is to use the CDOEXM maildisable method.

http://msdn.microsoft.com/library/default.asp?url=""

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, December 21, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD or is this Exchange task?

I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do.

Thanks,

Mark

This
communication, including any attachments, is confidential. If you are not the
intended recipient, you should not read it - please contact me immediately,
destroy it, and do not copy or use any part of this communication or disclose
anything about it. Thank you. Please note that this communication does not
designate an information system for the purposes of the Electronic Transactions
Act 2002.

RE: [ActiveDir] AD or is this Exchange task?

2005-12-22 Thread Creamer, Mark

I think I'm pretty close on this, but am unable to get past an error. When I run the script (which initially I configured to only tell me whether or not the various folders are mail-enabled), I get an error 0x80041010. My research suggests this is either because something is misspelled in the WMI query, or that the Class doesn't even exist in the given namespace. I tried running it on the server itself, but same result. Then I opened Scriptomatic V2 and selected the Root/MicrosoftExchangeV2 namespace, and sure enough, Exchange_PublicFolder does not show up as a class in that namespace. So I guess that's why the error happens, but how do I fix it? Script is below.

Thanks!

    strComputerName = "myServer"
    strPubFolderPath = "/Public Folders/All Public Folders/HR Managers/"

    ' connect to the Exchange 2003 WMI namespace on that server
    strE2K3WMIQuery = "winmgmts://" & strComputerName & "/root/MicrosoftExchangeV2"
    Set wmiService = GetObject(strE2K3WMIQuery)

    ' query for the specific folder we want
    query = "Select * From Exchange_PublicFolder Where Path='" & strPubFolderPath & "'"
    Set targetFolder = wmiService.ExecQuery(query)

    ' report on the mail-enabled status (the toggle step is left out for this test run)
    For Each folder In targetFolder
        If folder.IsMailEnabled Then
            WScript.Echo folder.Name & " is mail-enabled as " & folder.TargetAddress
        Else
            WScript.Echo folder.Name & " is not mail-enabled"
        End If
    Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, December 22, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD or is this Exchange task?

IIRC, it's

Public Folders/All Public Folders/HR Managers/HR001

Al

On 12/22/05, Creamer, Mark [EMAIL PROTECTED] wrote:

Thanks Tony. One question if someone knows...

Below is an excerpt from the script. What should the syntax for the folder path be?

    ' This code toggles the mail-enabled status of the selected folder.
    ' -- SCRIPT CONFIGURATION --
    strComputerName = "<serverName>"
    strPubFolderPath = "<folderPath>"

In our Public Folder list when I look at it in Outlook, it shows: Public Folders/All Public Folders/HR Managers, and then under that is all the folders whose mail-enable status I want to turn off. These are named HR001, HR002, etc.

What should the strPubFolderPath look like to accomplish this? Thanks again!









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Tony Murray
Sent: Wednesday, December 21, 2005
4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
[ActiveDir] AD or is this Exchange task?





Another method to do this is to use WMI.
Here's sample script from the Exchange Server Cookbook. 



http://www.exchangecookbook.com/files/09-08-change-PF-mail-enable-status.txt



Bear in mind that if you are running in mixed
mode then Exchange 5.5 expects all PFs to be mail-enabled. 



Tony











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Thursday, 22 December 2005
9:13 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is
this Exchange task?





The supported mechanism is to use the CDOEXM maildisable
method.



http://msdn.microsoft.com/library/default.asp?url="">













From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Creamer, Mark
Sent: Wednesday, December 21, 2005
2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD or is this
Exchange task?

I've
been asked to write a script to mail-DISable a
bunch of public folders. Is that accomplished by manipulating
something in AD, or Exchange or both? I haven't been able to uncover much
documentation on this topic, except for one guy's horror story. I'll tell our
Exchange dude to do it manually if this is an unusually risky
undertaking, but there are about 1000 or so to do. 

Thanks,

Mark


This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.







RE: [ActiveDir] AD or is this Exchange task?

2005-12-22 Thread Creamer, Mark

No, actually 2000, at least on the Exchange server hosting the public folders. There are a couple of them which are 2003. Earlier posters only mentioned this not working with 5.5, which I do not have. Will this not work with 2000?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, December 22, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

You are Exchange Server 2003, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, December 22, 2005 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

I think I'm pretty close on this, but am unable to get past an error. When I run the script (which initially I configured to only tell me whether or not the various folders are mail-enabled), I get an error 0x80041010. My research suggests this is either because something is misspelled in the WMI query, or that the Class doesn't even exist in the given namespace. I tried running it on the server itself, but same result. Then I opened Scriptomatic V2 and selected the Root/MicrosoftExchangeV2 namespace, and sure enough, Exchange_PublicFolder does not show up as a class in that namespace. So I guess that's why the error happens, but how do I fix it? Script is below.

Thanks!

strComputerName = "myServer"
strPubFolderPath = "/Public Folders/All Public Folders/HR Managers/"
strE2K3WMIQuery = "winmgmts://" & strComputerName & "/root/MicrosoftExchangeV2"

' query for the specific folder we want
Set wmiService = GetObject(strE2K3WMIQuery)
query = "Select * From Exchange_PublicFolder Where Path='" & strPubFolderPath & "'"
Set targetFolder = wmiService.ExecQuery(query)

' report on the mail-enabled status, then toggle it
For Each folder In targetFolder
    If folder.IsMailEnabled Then
        WScript.Echo folder.Name & " is mail-enabled as " & folder.TargetAddress
    Else
        WScript.Echo folder.Name & " is not mail-enabled"
    End If
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, December 22, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD or is this Exchange task?

IIRC, it's

Public Folders/All Public Folders/HR Managers/HR001

Al


[ActiveDir] AD or is this Exchange task?

2005-12-21 Thread Creamer, Mark
Title: AD or is this Exchange task?

I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do.

Thanks,

Mark




RE: [ActiveDir] AD or is this Exchange task?

2005-12-21 Thread Creamer, Mark
Title: AD or is this Exchange task?

Cool! I've used the autoitx.dll control in my scripts before for weird little macro-like tasks, but I didn't know about this. Thanks Ken!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, December 21, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD or is this Exchange task?

As much as I like to whip up perl code, I usually use AutoIt (http://www.autoitscript.com/autoit3/) for one-shot things like this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, December 21, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD or is this Exchange task?

I've been asked to write a script to mail-DISable a bunch of public folders. Is that accomplished by manipulating something in AD, or Exchange or both? I haven't been able to uncover much documentation on this topic, except for one guy's horror story. I'll tell our Exchange dude to do it manually if this is an unusually risky undertaking, but there are about 1000 or so to do.

Thanks,

Mark







RE: [ActiveDir] Script to find Computers under particular OUs

2005-12-20 Thread Creamer, Mark

Wouldn't it be faster/more efficient to search for all computer objects and output the entire distinguishedName (which would obviously include the OU name)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Tuesday, December 20, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to find Computers under particular OUs

I am trying to find a way to write a script. The scenario is a bit like this:

I have a few OUs under which there are Computers. I need to check if computer names are supplied from the text file; then it will have to run against those particular OUs. If it can find a machine under those particular OUs then it will write something like "found" or "not found" depending upon the search result. I know how to query against the entire AD but I am looking for a way where I can just supply or hardcode the OUs and it will search against those multiple OUs only and not the entire AD. Any help in this regard is much appreciated.

Sincerely,
J
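Mark's suggestion above (pull every computer's distinguishedName once, then decide by DN suffix whether each requested machine sits under one of the target OUs) as an added Python example; it is not part of the thread, and the computer DNs, OU list and name file below are constructed sample data standing in for a real LDAP query and the admin's own inputs.

```python
"""Check which computer names fall under a set of target OUs, working only
from each object's distinguishedName (the approach Mark suggests above).

Added example, not part of the original thread. The directory contents below
are constructed sample data; a real run would replace COMPUTER_DNS with the
result of one LDAP search for (objectCategory=computer) returning
distinguishedName, and TARGET_OUS / NAMES_FILE with the admin's own lists.
"""

# Constructed sample: distinguishedName of every computer object, as an
# LDAP search over the whole domain would return it.
COMPUTER_DNS = [
    "CN=WS001,OU=Workstations,OU=Mason,DC=example,DC=com",
    "CN=WS002,OU=Laptops,OU=Workstations,OU=Mason,DC=example,DC=com",
    "CN=SRV01,OU=Servers,DC=example,DC=com",
    "CN=Smith\\, John PC,OU=Workstations,OU=Mason,DC=example,DC=com",
    "cn=ws003,ou=workstations,ou=mason,dc=example,dc=com",
]

# The OUs to restrict the check to (would be hard-coded or supplied).
TARGET_OUS = [
    "OU=Workstations,OU=Mason,DC=example,DC=com",
    "OU=Servers,DC=example,DC=com",
]

# Names as they would come from the text file, one per line.
NAMES_FILE = "WS001\nws002\nSRV01\nSRV99\nSmith, John PC\n"


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas.
    Returns components in the order written, e.g. ["CN=x", "OU=y", "DC=z"]."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn_value(rdn):
    """'CN=Smith\\, John PC' -> 'Smith, John PC' (attribute type dropped,
    escaped comma unescaped)."""
    _, _, value = rdn.partition("=")
    return value.replace("\\,", ",")


def is_under(dn, ou_dn):
    """True if dn lies in the subtree rooted at ou_dn. The comparison is
    case-insensitive, matching how AD treats DN components."""
    obj = [p.lower() for p in split_dn(dn)]
    base = [p.lower() for p in split_dn(ou_dn)]
    return len(obj) > len(base) and obj[-len(base):] == base


def locate_computers(names_text, computer_dns, target_ous):
    """Map each requested name to the DN found under a target OU, or None.
    Names are matched against the CN case-insensitively, as AD does."""
    by_name = {}
    for dn in computer_dns:
        cn = rdn_value(split_dn(dn)[0]).lower()
        if any(is_under(dn, ou) for ou in target_ous):
            by_name[cn] = dn
    result = {}
    for line in names_text.splitlines():
        name = line.strip()
        if name:
            result[name] = by_name.get(name.lower())
    return result


if __name__ == "__main__":
    for name, dn in locate_computers(NAMES_FILE, COMPUTER_DNS, TARGET_OUS).items():
        print(f"{name}: {'found at ' + dn if dn else 'not found'}")
```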













RE: [ActiveDir] Ntds.dit file corruption

2005-12-08 Thread Creamer, Mark
Net share joesdevfolder

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Error detection and correction seems to be about 60-90% of any program that
does it well, in other words most of the code is to validate you are working
with what you should be working with. 

For user facing apps that usually means a ton of code around
detecting/correcting data entry issues. For apps that don't directly
interact with a user it is about data consistency and validity of anything
passed into it from any external source (disk, another function, etc). 

I once made a very very stupid comment around this. When I was in college a
high level math teacher[1] once asked what I wanted to do with computers. I
said I wanted to work on system software instead of user applications
because I hated wasting all of the time on checking to make sure the
information was correct that I was getting because users always enter stupid
things. That generated a 90 minute discussion where I got the crap beat out
of me for saying something so obtuse. But realistically, at the time, and
until about 5 years ago for a lot of MS software, my comment was accurate.
System software didn't have a lot of checks for data validity and
consistency. That conversation, although it melted my ego and made me crawl
back to my dorm in the bushes so people couldn't see me, dramatically
changed my outlook on how software should be written. That error checking is
one of the core pieces of secure code writing. If you only let through
things you expect and you know you handle, it is a lot tougher to compromise
a component.

If I apply this to joeware, I whip up joeware tools left and right all of
the time that are great for me. I know the boundaries. When I have time to
spend 10 times longer on a program than I did when I initially wrote it to
do what I needed then I can make it so others can use it. There is a ton of
stuff in my dev\cpp folder that only I get to use and probably never will
make it to anyone else simply because I don't have the time to put in all of
the error correction, etc to make it safely usable by others.

  joe

 

[1] I think I was in Calc IV or something like that where you have maybe 10
people in the class at Michigan State University versus the normal several
hundred. It was definitely a math teacher instead of a CIS teacher though.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, December 08, 2005 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I'd agree with that... but I know from doing small scripts that when I put
them in someone else's hands, and I start adding in detection for this, and
that, and error handling, eventually what was a 20 line script has grown
into 1000+ lines and loads of subs and functions without actually adding to
the end result if it had been entered correctly initially.  Here I'm
referring to simply inputting an IP address, and then having to break it
down and check it and ensure that a valid address is put back in through
WMI.  Probably less than the size of the code for the welcome dialog for
dcpromo :0  So while it's nice to detect all the scenarios that could create
corruptions or irregularities or unexpected conditions, I think sometimes we
need to be able to run the Active Directory Zamboni to go through the
database when everyone's asleep and find, and fix and/or report on, these
irregularities.  A huge and better Zamboni wouldn't slow down the whole
directory in real time, and while it wouldn't be the solution to every
instance, perhaps it would help us be more proactive without having to know
what tools to run when for detection.  Not that there isn't a Zamboni, just
that maybe here are some more things for it to do.  Just some ideas...

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Yep, any time you can correct for an error versus just fail out on detection
(or even worse not detect) it is a good thing. I expect someone was sitting
around one day saying, hey you know how we detect these problems and you
know how it is often a single bit... I bet we could find a way to detect
which bit and fix it... Or possibly someone just realized, hey we have
enough info to determine this so we don't have to throw an error... Either
way... Good job.

I wonder what the doubling of pages sizes in E12 (to make it the same as AD
Page Sizes) will do to impact the percentages of occurrence. Honestly if it
saves just one recovery a month that would probably be worth it to Exchange
and probably to SBS AD as well. For non-SBS AD deployments it shouldn't be
as 

RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

2005-12-01 Thread Creamer, Mark
Just curious - what's MONAD's goal supposed to be, other than having an acronym
that sounds like a military facility?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting/WMI/MONAD - was FSMO role transfer

You know that the scriptomatic 2 HTA will create Perl script that does WMI,
right?

I am not a huge fan of WMI but there are times in the scripting world if you
want to stick to pure script it is the only way to do what you want and I
will use it if I don't have time (or ability as in the case of mailbox
reconnects or getting info on what DCs are being used by DSACCESS) to write
native code to do what I need. 

If you have perl in your pocket there really is no need to learn vbscript
other than enough to look at examples which doesn't take much learning. 

MONAD might be worth learning but I am still not sure about it. They have
scaled it back so much from what they were initially talking about when I
thought, that is seriously cool. I certainly don't feel that it is going to
turn a bunch of people into scripters by just being released. The model will
confuse the crap out of most people as it is even more involved than
vbscript which people don't want to learn because it is too much like
programming. I have made some recommendations to folks at MS all the way up
to Iain McDonald (great guy) that all of the MS management tools should have
a switch to output MONAD code so that someone could do something once in the
GUI and get a MONAD script generated automatically that does the same thing.
Then they can tweak that to do other things. It is the only way I visualize
that MONAD will really take off like people seem to think it will, at least
over and above perl and vbscript. In other words, I don't see anything there
that will take someone who wasn't a scripter and wasn't thinking about being
a scripter to become one. You will have the same bunch of yahoos writing
scripts but they will be doing it in MONAD instead of vbscript or VB. It is
sort of like .NET in general, it certainly didn't produce a whoosh of a
zillion new coders. Some of the folks that were already writing in other
languages adopted it, some, older school, steadfastly avoided it. Personally
I might consider .NET for a web site, other than that, not really. If it
becomes ubiquitous and MS actually starts coding low level system and kernel
stuff in it I might start looking at it. As it stands right now I feel the
same way that many of my friends do one of which has renamed .NET to .FAT
which I think is pretty funny. He even told me if I started writing my tools
in it he would refuse to use them. I expect there are others. Maybe MS needs
to rename it because I know when I hear .NET I think fat and lazy. I don't
know why, I just do. I have seen enough posts in the newsgroups of issues
and limitations and don't feel the benefits outweigh them. 


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, November 30, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Well, I just think that most of the people in the command line and/or
scripting camp like to encourage others to learn to use them simply
because they feel it's to your benefit.  I don't think they really like to
promote the you're not a real admin... sentiment.  Or at least I hope not
:-)  Right now in my org, I'm in the minority using the CLI.  I just prefer
working that way and don't knock my colleagues for their methods, but rather
show them other ways to get at the info they need.

CLI and scripting fosters your knowledge of what's happening in the
background, helps you learn the product and truly is a great way to automate
tasks!  (if not THE way)

For the longest time I've been meaning to learn VBscript, but haven't
devoted enough time to go for it yet.  From what I've seen so far, it scares
me  :-P  but I still intend to give it a shot.  I've been getting by with
Perl and CMD shell for now (I came from a KSH/*nix background).
Have you seen some of the sample command shell scripts Dean has put
together?  Or the stuff that Alain Lissoir can do with WMI?  Wow!

Anyway, this topic has drifted further now, but I'm going to resist the urge
to change the subject line.  The last time I did that, we had a little side
bit just on the fact that the subject line changed! :-D

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 30, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Susan,

THANK YOU


!!!

There are a LOT of people on this list that do not believe that real
Admins use the GUI.  Some believe that you're 

RE: [ActiveDir] AD Schema Attribute

2005-11-30 Thread Creamer, Mark
Title: RE: [ActiveDir] AD Schema Attribute

I like that it's multi-valued. No need to limit someone to a single favorite, despite that being a bit contradictory :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, November 30, 2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema Attribute

Check out Tomek's blog about this: http://blogs.dirteam.com/blogs/tomek

:)

C

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 11/30/2005 4:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD Schema Attribute

Note that it's multi-valued ... what can I say, we're British and there's [EMAIL PROTECTED] all else to do :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, November 28, 2005 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Attribute

Now this is fun...
The AD Schema contains the following attribute:

distinguishedName=CN=drink,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN
CN=drink
adminDescription=The drink (Favourite Drink) attribute type specifies the
favorite drink of an object (or person).
isSingleValued=FALSE

;-)

Cheers,
Jorge
PS.: I read about this here:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/29/drink_attr.aspx



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/








[ActiveDir] OT: Licensing compliance SBS

2005-11-30 Thread Creamer, Mark
Title: OT: Licensing compliance SBS

Folks, in an issue not related to my regular employer other than they recommended me... I've been asked to assist a small non-profit with their SBS 2003 so they can use calendaring in Exchange (currently Exchange is turned off there).

I want to be able to assure them of their licensing compliance because the consultant who installed everything seems to have been less than above-board in that respect. Is there anything I can look at/document/verify within the SBS tools that will tell me that

1. The server license is valid

2. The client licenses (and how many) are valid

Also, since I don't have any experience with SBS other than a very old version, does a client purchase one CAL that applies to all products utilized on the SBS server, or are there individual CALs for server, Exchange, etc?

Thanks folks - I just want to make sure I give these guys the best possible information.

Best regards






RE: [ActiveDir] OT: Licensing compliance SBS

2005-11-30 Thread Creamer, Mark
Great info, Thanks Susan. I'll know more this weekend. Danny, thx for your 
reply as well.

OK, back to real work for me... :-D

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Licensing compliance SBS

Oh dear... licensing... I'm getting a headache already.

1. If a nfp he should have gone through Techsoup.org where he could have 
bought DIRT CHEAP licenses for a 501c3 org.
2. He should have a cdrom, paperwork, etc. to prove the licenses. We 
aren't on the honor system and if he bought a retail box, no open 
license/open value he has to keep the docs. If open value/license the 
agreement is up on the eopen.microsoft.com website.

On the back of the cdrom 1 is the product key code. All of our SBS 
servers need/must go through WPA.

CALs. Again, unless open value/license, he needs to have this piece of 
paper with a product key code that is entered into the system and 
activated. The SBS cals are like core cals... they cover everything on 
that SBS box [this is why they are $99 a cal], they also cover a member 
server as well [we don't need to buy server cals for a member server 
used for TS purposes but we do need to buy TS cals or have leftover pre 
4/23/2003 Win XP boxes]

Follow the wizards and is the Exchange 'turned off' or not installed? If 
not installed use the add/remove Small Business server and you do a 
maintenance install. Use the wizards, tweak afterwards is our motto. 
[and for the record the FSMO moving argument is moot in SBSland our PDC 
has to hold them all but a member server can be an additional domain 
controller]

The first 5 cals are either device or user... after that you buy 
whichever type.

To ensure that you don't lose the cals, we're not on the honor 
system... they get counted and enforced via licensing logging that you 
cannot shut off. Ensure that the A/V is not scanning the licenses.


c:\winnt\system32\licstr.cpa  c:\winnt\system32\lls

Exclude those.

In the todo list there is a license console' that lists how many 
licenses you have and how many have been used. SBS's counting is a bit 
like the CPAs for Enron... it fudges a bit and thus has a bit of fluff 
in there. What you see is the max used not the currently used. The 
console will not tell you if the licenses in use after the first 5 are 
device or user.

If they don't have the paperwork ping me back with the name of the 
consultant as I know some MS partner folks.

Creamer, Mark wrote:

 Folks, in an issue not related to my regular employer other than they 
 recommended me...I've been asked to assist a small non-profit with their 
 SBS 2003 so they can use calendaring in Exchange (currently Exchange 
 is turned off there).

 I want to be able to assure them of their licensing compliance because 
 the consultant who installed everything seems to have been less than 
 above-board in that respect. Is there anything I can look 
 at/document/verify within the SBS tools that will tell me that

 1. The server license is valid
 2. The client licenses (and how many) are valid

 Also, since I don't have any experience with SBS other than a very old 
 version, does a client purchase one CAL that applies to all products 
 utilized on the SBS server, or are there individual CALS for server, 
 Exchange, etc?

 Thanks folks - I just want to make sure I give these guys the best 
 possible information.

 Best regards



-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


RE: [ActiveDir] Query out all user members in nested groups

2005-11-25 Thread Creamer, Mark
Robbie Allen's AD Cookbook covers this topic as well:

http://rallenhome.com/books/adcookbook/src/07.03-view_nested_group_membership.vbs.txt


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Aaron Seet
Sent: Friday, November 25, 2005 5:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query out all user members in nested groups

I am trying to find a way to list all user accounts that are members of a
given group, _including_ those in nested groups. I didn't find anything
useful in my cache of historical LDAP emails, and it seems from the internet
people are more interested in finding what groups a user has membership in -
opposite to my perspective.

Any advice if this is possible? thanks,

Aaron




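
The recursive expansion Aaron asks for, as an added example that is not part of the thread and not Robbie Allen's cookbook script linked above: it walks the member attribute through nested groups over a constructed in-memory directory (stand-in for what an LDAP search returning objectCategory and member would give back), and it terminates on circular nesting.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample directory (not real data): each entry carries the
# objectCategory and member attributes an LDAP search would return.
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "CN=App Admins,OU=Groups,DC=example,DC=com": {
        "objectCategory": "group",
        "member": [
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
            "CN=WS01,OU=Computers,DC=example,DC=com",
        ],
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectCategory": "group",
        "member": [
            "CN=bob,OU=Users,DC=example,DC=com",
            "CN=Tier2,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Tier2,OU=Groups,DC=example,DC=com": {
        "objectCategory": "group",
        # Tier2 contains Helpdesk while Helpdesk contains Tier2: a cycle
        # that a naive recursion would loop on forever.
        "member": [
            "CN=carol,OU=Users,DC=example,DC=com",
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
            "CN=someone,OU=Users,DC=other,DC=com",  # not in our export
        ],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectCategory": "person"},
    "CN=WS01,OU=Computers,DC=example,DC=com": {"objectCategory": "computer"},
}


@dataclass
class Expansion:
    users: List[str] = field(default_factory=list)       # members of the wanted category, de-duplicated
    groups: List[str] = field(default_factory=list)      # every group walked, including the root
    unresolved: List[str] = field(default_factory=list)  # member DNs with no entry in the directory


def expand_group(directory: Dict[str, dict], group_dn: str,
                 category: str = "person") -> Expansion:
    """Follow member links from group_dn through any depth of nested groups.

    Cycle-safe: each group is expanded at most once, so A -> B -> A terminates.
    Only objects whose objectCategory equals `category` are collected, so a
    computer account nested in a group is not reported as a user.
    """
    seen_groups: Set[str] = set()
    found: Set[str] = set()
    unresolved: Set[str] = set()
    pending = [group_dn]
    while pending:
        dn = pending.pop()
        if dn in seen_groups:
            continue  # already expanded (repeat nesting or a cycle)
        seen_groups.add(dn)
        entry = directory.get(dn, {})
        for member_dn in entry.get("member", []):
            child = directory.get(member_dn)
            if child is None:
                unresolved.add(member_dn)
            elif child.get("objectCategory") == "group":
                pending.append(member_dn)
            elif child.get("objectCategory") == category:
                found.add(member_dn)
    return Expansion(sorted(found), sorted(seen_groups), sorted(unresolved))


if __name__ == "__main__":
    result = expand_group(SAMPLE_DIRECTORY, "CN=App Admins,OU=Groups,DC=example,DC=com")
    for user_dn in result.users:
        print(user_dn)
    print(f"# {len(result.groups)} groups walked, {len(result.unresolved)} unresolved members")
```

Membership held only through primaryGroupID (the Domain Users case) never appears in member, so a walk like this does not see it. Domain controllers from Windows Server 2003 SP2 onward can do the expansion server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`.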

RE: [ActiveDir] Active Directory 3rd Book

2005-11-18 Thread Creamer, Mark
Who wants to hear Joe do a Cornet solo at DEC???!!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

You will probably find me, if you can find me there, in the penny slots or
on one of those darn Wheel of Fortune slot machines. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, November 16, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I am hoping to bring a copy with me to Henderson, NV in March 2006
(DEC2006).  Hopefully, the author will be there to sign it!
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 11/16/2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book



Hey Joe, if I buy it, will you autograph it? I already asked Robbie to
present at our user group and do a book signing. Would you be interested as
well?


Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, November 16, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book


Not available yet, it is Active Directory Third Edition. From O'Reilly
publishing. As soon as Amazon has it available I will have a link to it from
my website - http://www.joeware.net and announce it in my blog
http://blog.joeware.net. If you don't like purposely enflaming blog entries
I recommend pointing the RSS feed at the tech specific links though you
still won't avoid them, just the non-technical ones. :o)




  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
Sent: Tuesday, November 15, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I'm sorry for coming into this late - can you give me the exact name of the
book so I can look for it??

Thanks

Russ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 05, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Interesting, O'Reilly doesn't even have it listed yet. I just heard from
O'Reilly that it is finally out of copy-edit.

On the co-author piece. Alistaire wrote the initial edition, Robbie did the
2nd Edition update, I did the 3rd Edition update. You may want to ask the
reviewers (they almost all read and respond heavily on this
list) but I am quite sure there are sufficient updates to warrant someone who
has the 2nd Edition to get the 3rd Edition. There should be a chapter that
will be floating around for the book that you can look at, I requested that
it be Chapter 11 which is the security chapter as I spent considerable time
reworking it. If someone is familiar with an older edition they will almost
certainly note the changes.

I go into great detail on the evil that is SBS and why it shouldn't be used.
Or did I??? Hmmm the SBS folks will just have to buy it to find out. ;o)

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Tuesday, November 01, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory 3rd Book

The Active Directory 3rd Book with Joe as co-author seems like it will be released
somewhere in February 2006 based on
http://www.bookpool.com/sm/0596101732 .

(Bookpool is having a discounted O'Reilly book sale this month, and accepts
pre-orders, though I do not have any relation with Bookpool other than being
a customer who is looking to buy a couple of books and noticed this book)

[ActiveDir] IP addresses on Name Server tab

2005-11-18 Thread Creamer, Mark

I have one server that has two NICs (there are others configured the same way). On this particular server, I have a persistent problem. The IP addresses for both NICs keep showing back up on the name server tab for the zone that this server manages. On the other server in the same domain, this doesn't happen. I only have the one NIC which I want DNS to respond to and not the other. I realize this probably isn't worded very well, but here's basically what it looks like:

On the name server tab, all of my DNS servers are listed like so:

Server1 [10.1.x.x]

Server2 [10.1.x.x]

ProblemServer [10.1.x.x 10.2.x.x]

I thought what controlled this was the checkbox in DNS settings that says "Register this connection's addresses in DNS". But that box is not checked. I only want the one address to be listed for this server on the name server tab. How do I get the second address to stop showing up?

Thanks!






RE: [ActiveDir] Export Users in a group

2005-11-14 Thread Creamer, Mark

See the AD scripts at www.rallenhome.com















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Orlando
Sent: Monday, November 14, 2005
10:27 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Export Users
in a group





Hi all AD Gurus,

I was wondering if anyone had a script to export users in a group in AD?

Mark 










[ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?



Thanks,

Mark










RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








Thanks Joe & Brian,



Time to take the feet down off the desk again...



MC











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions





Yep adfind will dump the
ntsecuritydescriptor and decode it if you specify the attribute and add the
-sddc option. Note it will be in SDDL format which is probably one of the
easier formats for scripting but worse for reading.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005
3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I'd just query for groups with mail=* since you can have
mail-enabled security groups. The ACLs, I think adfind decodes ACLs, but
you'll still need to parse this information into something usable.





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c -
312.731.3132

























RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








GASP

Joeware.net is suddenly blocked by SurfCONTROL. Not kidding, unfortunately...
sigh. Must be that opening pic. :-/



Oh well, thank God for my super top secret testing DSL connection so I can
get to the usage documentation again. Now where the heck is that surf admin...





















RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








It's a filtering program that we use attached to ISA server. Basically it
looks at each request and lets it through or redirects to our AUP internal
web page.



I was on joeware.net earlier this week, and it didn't block me. So I just
went to www.surfcontrol.com (Test a Site link) to make sure it wasn't
mis-categorized, because they will change it if found to be wrong. They have
it as "Computing and Internet". Hmmm. So we're blocking that category now?
I don't think so... I've asked our admin to take a look. Either way, we can
override here locally.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions





Interesting. Is that controlled locally or
is that some blacklist service type item?



I am digging around also. I think with some small mods, the script I wrote
for dumping ACLs for AD objects for AD3E could be used for this to generate
a CSV with DLs and their perms. It could probably further be filtered to
only show ACEs with the ability to modify membership. It is going to be
considerably slower than adfind though because it is using ADO and ADSI.










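
The parse-and-filter step Brian and joe describe (take the SDDL that adfind -sddc emits for each DL's ntSecurityDescriptor, keep only the ACEs that can change membership, write the result out as CSV rows), as an added example that is not part of the thread and not adfind's or joeware's code. The SDDL string is constructed, the S-1-5-21-1000-2000-3000-* SIDs are placeholders, and the only real identifier is the schemaIDGUID of the member attribute.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# schemaIDGUID of the "member" attribute: an object ACE scoped to this GUID
# grants or denies rights on group membership specifically.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Access-mask bits behind the two-letter SDDL right codes seen on AD objects.
GENERIC_ALL, GENERIC_WRITE, WRITE_PROP = 0x10000000, 0x40000000, 0x20
RIGHT_CODES = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": WRITE_PROP,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": GENERIC_ALL, "GX": 0x20000000,
    "GW": GENERIC_WRITE, "GR": 0x80000000,
}
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "SYSTEM",
               "BA": "Builtin Administrators", "AU": "Authenticated Users"}

# Constructed sample (not captured from a real directory): the DACL of one
# distribution list as its decoded ntSecurityDescriptor looks in SDDL.
# The S-1-5-21-1000-2000-3000-* SIDs are placeholders.
M = MEMBER_ATTR_GUID
SAMPLE_DLS: Dict[str, str] = {
    "All-Staff": (
        "O:DAG:DAD:AI"
        f"(OD;;WP;{M};;S-1-5-21-1000-2000-3000-1106)"      # explicit deny on member
        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"             # full control, whole object
        f"(OA;;WP;{M};;S-1-5-21-1000-2000-3000-1105)"      # DL owner group: write member
        f"(OA;;RPWP;{M};;S-1-5-21-1000-2000-3000-1106)"    # allowed, but cancelled by the deny
        "(A;;RPLCLORC;;;AU)"                               # read only
        "(A;;0x40000000;;;S-1-5-21-1000-2000-3000-1107)"   # hex mask: GENERIC_WRITE
        f"(OA;CIID;RP;{M};;S-1-5-21-1000-2000-3000-1108)"  # inherited, read only
    ),
}

@dataclass
class Ace:
    ace_type: str     # A / D = allow / deny; OA / OD = object-specific allow / deny
    flags: str        # inheritance flags such as CI, ID (not needed for this report)
    mask: int
    object_guid: str  # empty means the ACE applies to the whole object
    trustee: str      # SID string or SDDL abbreviation

    def covers_member_write(self) -> bool:
        """True when the ACE's rights and scope reach the member attribute."""
        if self.object_guid not in ("", MEMBER_ATTR_GUID):
            return False  # scoped to some other attribute or property set
        return bool(self.mask & (GENERIC_ALL | GENERIC_WRITE | WRITE_PROP))

def rights_mask(rights: str) -> int:
    """SDDL rights field: a hex mask or a run of two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    mask = 0
    for code in (rights[i:i + 2] for i in range(0, len(rights), 2)):
        if code not in RIGHT_CODES:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= RIGHT_CODES[code]
    return mask

def parse_dacl(sddl: str) -> List[Ace]:
    """Pull the ACEs out of the D: section; an S: (SACL) section, if present, is skipped."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append(Ace(ace_type, flags, rights_mask(rights), obj_guid.lower(), trustee))
    return aces

def who_can_modify_members(sddl: str) -> List[str]:
    """Trustees allowed to write member, in DACL order.

    Simplification: an explicit deny on member cancels that trustee's allow
    outright; a real access check is ordered, per-bit and token-based, and
    property-set GUIDs are not expanded here.
    """
    aces = parse_dacl(sddl)
    denied = {a.trustee for a in aces
              if a.ace_type in ("D", "OD") and a.covers_member_write()}
    allowed: List[str] = []
    for a in aces:
        if (a.ace_type in ("A", "OA") and a.covers_member_write()
                and a.trustee not in denied and a.trustee not in allowed):
            allowed.append(a.trustee)
    return allowed

def report_rows(dls: Dict[str, str]) -> List[tuple]:
    """One (dl, trustee, friendly name) row per DL per trustee: ready for csv.writer."""
    return [(dl, t, SID_ALIASES.get(t, t)) for dl, sddl in dls.items()
            for t in who_can_modify_members(sddl)]
```

Trustees come back as raw SIDs unless they are SDDL abbreviations, so a real report still needs a SID-to-name lookup; note also that WD (write DAC) or WO (write owner) on the group, which this filter ignores, lets a trustee grant itself membership rights.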
[ActiveDir] Pulling DHCP data

2005-11-10 Thread Creamer, Mark








Has anyone in the group seen a tool or script to dump the
information in DHCP to a file? My DHCP admins want to see what MAC addresses
are assigned to what IP address. Its too large to do by hand because
there are a couple of hundred scopes and 10s of thousands of addresses. Thanks!










RE: [ActiveDir] Pulling DHCP data

2005-11-10 Thread Creamer, Mark








Thanks guys... I'm sure one of these two tools will do it. Much appreciated
as always.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 10, 2005
10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pulling
DHCP data





DHCPCMD from the reskit should give you what you're
looking for.

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McLeod, Scotty
Sent: Thursday, November 10, 2005
10:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pulling
DHCP data

Sorry, away from my main computer at the moment, but we have dumped DHCP
data in the past using NETSH and, from memory, the dump command. Hope it helps.



Scotty





















RE: [ActiveDir] Need ADSI Scripting help.

2005-10-20 Thread Creamer, Mark
Before you do this, see oldcmp at www.joeware.net

http://www.joeware.net/win/free/index.htm



mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need ADSI Scripting help.

I am looking for some example script and/or help for the script I am writing for
my company. What I want to achieve is if I run the script against the machine
list which will be in the text file, it should give me the output in
the text file
saying which machine account is enabled, disabled or not found.

I know how to manipulate the text files using fso object but I am not sure
what do I need to use to get the attributes of computer container in AD. Any
help in this regard is highly appreciated and valued.

Please let me know if you need more information about this.

--
Thanks,
Jitendra Kalyankar



RE: [ActiveDir] Need ADSI Scripting help.

2005-10-20 Thread Creamer, Mark
Yes, but oldcmp does have significant levels of "are you sure" built in.
Anyway, there is a nice Perl solution you might want to look at on Robbie
Allen's site, at
http://rallenhome.com/books/adcookbook/src/08.08-find_inactive_computers.pls.txt

In the book, Robbie explains why one would use Perl for this task rather than 
VBScript.

That's all I've seen...maybe there's something on Microsoft's Script Center

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jitendra Kalyankar
Sent: Thursday, October 20, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need ADSI Scripting help.

I know about the Oldcmp.exe, but the thing is the tool is really
powerful and I don't want Jr. Sys. Admins doing something or
deleting something that they are not supposed to. And again
I will have to go through the security department route to use
it. Too much hassle.

Hope that explains my situation.

Sincerely,
Jitendra Kalyankar




--
Thanks,
Jitendra Kalyankar


[ActiveDir] OT: TS Security Warning and GPO

2005-09-25 Thread Creamer, Mark

We have a number of terminal servers running various apps, with an OU-level GPO managing their settings. A new Windows 2003 terminal server was recently added to the OU, and it is the only one running an older legacy app. When a user starts the application, it pops up a warning saying "The publisher could not be verified. Are you sure you want to run this software?" I haven't been able to figure out how to turn off this warning. Does anyone know how to set it either on this server or at my GPO?

Thanks!

Mark Creamer


RE: [ActiveDir] OT: Outsourcing OS Patching

2005-09-15 Thread Creamer, Mark
Why wouldn't any decent consulting group do whatever you want them to do for 
their fee? Xerox for example, IBM also. I know we have them both doing work 
for us on various platforms. We just agree on the services provided, and 
that's that. What do they mean, "no competitors"? Or maybe I'm 
misunderstanding...

One thought though - I think I'd still want the control to say "do this 
patch, but not that service pack yet", etc. I would think you want to 
maintain control to make sure that your applications are tested before a SP 
is introduced, right?

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Carerros, Charles
Sent: Thursday, September 15, 2005 4:22 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Outsourcing OS Patching

Group,

Odd question.  I just got out of a meeting with a consulting group that
wants us to outsource the patching of our servers that are not in our data
center (we have a number of servers that are at our remote locations and our
staff is struggling with our patching cycle on these for one reason or
another).

Does anyone know of an outsourcing group that will only do the MS patching
on the servers and let the owners of the boxes do everything else?  

We are looking for a basis of comparison and this consultant said that they
don't have any competitors in this field.  Either people outsource all of
their servers, all of the services or they don't outsource at all.  They
don't know of anyone who only outsources the patching and monitoring of the
boxes.

Thanks,

Charlie


[ActiveDir] Cisco ACS and GC configuration

2005-09-12 Thread Creamer, Mark

I'd like to be able to point our Cisco ACS server to our global catalogs to authenticate users (LDAP config rather than Windows). Is anyone on the list using this configuration that could help me figure out what to enter into the various fields?

One question in particular...it wants to know the users container and groups container. If I was using port 389, and a single domain, I would probably enter CN=Users there. But what is the container entry for users and groups when I'm pointing to a GC? I have several domains with users in the same forest, so a GC makes sense here (I think).

Thanks as always,

Mark Creamer

Systems Engineer

Cintas Corporation


RE: [ActiveDir] OU permissions for user object

2005-09-07 Thread Creamer, Mark








Hehe...where else can you get so much information *and*
entertainment in one place!











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, September 07, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU permissions for user object





My personal and professional opinion?



tick
tick
tick
tick
tick tick
tick
click
bm



You have a time bomb. Could be fine for a
long time, could blow up entirely in your face tomorrow leaving only scattered
parts of hands and feet or things that appear to possibly be part of hands and
feet but in actually could be bits of spleen and liver. The only thing I can
say for sure, you have no clue what you truly have in your directory and you
have no control over the environment.



I understand that you didn't do this. The
person willing to open up and say they have an issue
isn't *usually* the same person who came up with the idea or likes
the idea, that person sits behind a desk covering up for the time the bomb
goes off never saying a word about it, if they realize at all that they have
built a bomb (or they already left). Sort of like the little dog that pees on
the carpet and looks around at everyone else seeming to say, "why did you
pee on the carpet?".



If I were brought into the situation and
was told my job was to provide a secure, stable, efficient environment, I would
do the same thing I did for the very very very large widget factory I used to
work for and point this out to management as insidiously evil and explain in great
detail just how badly it could hurt and how at that moment, you have no idea
who has been reading what files on any machines or reading whose mail (assuming
Exchange), or sending mail as other users, and that any SLAs you have are
almost certainly impossible to guarantee because you have no/none/nada control
over the environment. I would then say, if this is fine, I would appreciate a
"get out of jail free" card right now indicating you understand what I have said
and that when something goes down later due to this, I can pull that card out
and say, "look, you said that you want it this way". If the manager truly
understands what you are saying, it is doubtful they will want things to stay
the same. Basically, you need management backing because people are not going
to be happy as you back out rights.



For the next step, I would yank every
person's (that wasn't of the chosen 3 or 4 people) domain admin and server
operator and any other excessive permissions they had to DCs. We would then be
working our butts off handling all of the work being done by everyone else that
supposedly needed domain admin. This prevents the environment from changing
unbeknownst to you[1] and it teaches you what is being done. It is a lot of extra
work, but it helps you learn what is being done and maybe some of the whys so
you can come up with the proper solutions. File and print can be done properly
on DCs, I think it is a horrendous idea and a great way to cause issues and
reduce overall F&P availability but it can be done. I would sooner
throw file and print on a little BSD box than put it on DCs, but there are
times when you can't avoid it. But you need to understand how it is being
managed because the DAs own the DCs. 



So now that you are handling all of that
work, you spend a little time each day working up the proper solution which
involves either getting that crap onto other machines or coming up with an
effective way to manage it. 



You obviously have the alternative of
coming up with a solution first, but there is a good chance you will miss
something if you don't fully understand why people need it. But maybe this is
how you have to do it, at that point, forget about the domain, focus on that
solution. No use trying to make the domain better since someone else can just
tork it back up. Don't start making the domain better until you have control of
it otherwise it will take you forever to get anything done. 





Any time there was something that I felt
was wrong and was too much power to give out on DCs or in AD, instead of simply
saying no, if the function was truly critical (versus one person's idea of
critical) I always offered an alternative even if the alternative was, take on
extra work until I can find a better way. Take, for instance, the EMC Celerra
POS boxes. They required domain admin to properly add them to the domain, I
fought like cats and dogs to make it so they weren't added to production until
that part (and many other things) was corrected. I and the others fighting it
were overruled. Instead of giving out domain admin rights, my
manager said fine, if someone wants one added, they come to me
and I add them. No one else. "But that's a bottle neck"
or "what if you aren't here?", response... tough, these shouldn't be going
into the production environment anyway because they are half-ass. 



In general, it was far more important to
me 

RE: [ActiveDir] Where to begin...

2005-09-07 Thread Creamer, Mark
Are you running AD on Windows 2000 or 2003? Windows DNS or BIND?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Brian Atkins
Sent: Wednesday, September 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Where to begin...

Good Morning.  I'm brand new to the list and am seeking assistance out
of desperation/frustration.  I think that I should preface my story with
the statement that I am not an experienced Microsoft admin, but am
partially filling a void in our organization.  Most of my experience is
Unix/Linux, but my Microsoft experience has been trial by fire...

OK, here's the deal: Over the past few weeks I have been seeing some
strange behavior with our PDC.  After applying MS security updates 3
weeks ago, I have had some interesting issues related to authentication
and DNS.  It started with our Sophos (AV) Console not being able to
'push' software out to new workstations due to invalid credentials, even
though we were using a domain admin account.  After some research, I
thought that I had nailed it down to Hotfix KB899587, which was a
security patch for Kerberos.  I removed the hotfix, but after several days
put it back as it appeared to make things worse.

As of late I have had issues with NT workstations suddenly not being
able to authenticate or just not being able to see other workstation's
shares.  I thought (again) that I had narrowed it down to DNS, but, even
though I was able to fix a few minor issues with PTR records, the
problem still exists.  Here are a few examples of what I am seeing:

Scenario #1: NT Workstation
Original issue was that the user could not log on using her domain
account.  I removed, then rejoined the workstation to the domain
(several times).  Domain authentication now works, but when browsing the
network shares, that workstation cannot 'see' the PDC's shares (access
denied), but I can see all of the other shares, including the BDC's.  I
verified the share permissions were OK.  Also, when joining it to the
domain, I had to create the computer in AD prior to joining.  It would
not allow me to create the object using the check box at the bottom.

Scenario #2: XP workstation
This morning, following the change of the PTR records that were in
error, a user complained that she could no longer log onto her
workstation using her domain account.  The errors that I see are NETLOGON
5790 "unable to locate a suitable domain controller".  This one
just happened, but there have been multiple issues across the network.

I would greatly appreciate some insight.  I'm not sure what I can
provide to assist...

Thanks,

-- 
Brian 

An adventure is never an adventure 
when it's happening.  Challenging
experiences need time to ferment, 
and an adventure is simply physical 
and emotional discomfort recollected 
in tranquility. -- Tim Cahill



RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Creamer, Mark
I too am a Sungard refugee - twice this year already. The doc they hand you to 
rebuild your systems is
pretty much like the one referenced below. We have found it less than reliable 
(especially when using
Compaq/HP backups and restoring to Dell or vice-versa).

The last few times we went, we junked the Sungard technique and used Veritas' 
system state restore,
which has been *far* more successful. Still, the idea of doing a DR test with 
mostly VMWare disk
images would really put a smile on this OLD guy's face :-) Hopefully by next 
year we'll have at least
some of those to do.

-Mark


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick
Kingslan
Sent: Monday, August 08, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

And, knowing fully that I'm replying to myself - I don't, nor have I ever
used SunGuard, so I have no idea what 'card' they hand a client.

I'd assume that it's something along the lines of the procedures lined out
in:

http://support.microsoft.com/default.aspx?scid=kb;en-us;249694

Which is still fraught with difficulty and lower than reasonable success rate
for most of the people and customers that I've talked with.

I'm just indicating that there *IS* some difficulty involved - instructions
neatly laid out or not.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for 3.5
hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't the
registry pretty much make something 'hardware dependent' to some great
degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependant, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2&DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 

RE: [ActiveDir] Biggest AD Gripes

2005-08-02 Thread Creamer, Mark
I dislike that it is painful (if not impossible) for a non-developer 
(administrator) to extend the GUI
interface for ADUC to include other and/or custom attributes.

I dislike that there aren't better tools created and maintained by Microsoft 
for capacity planning.
(HELLO...When will MS update the AD Sizer??!!)

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 02, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes
about things that use AD like GPOs[1] or Exchange or NFS or anything else
like that. I mean actual AD really missed the boat because of this that or
the other thing.

Like 

o I dislike that when you defunct an attribute it doesn't purge the
information in the directory for that attribute.

o The fact that AD Security policy is managed through a technology dependent
on AD and replicates both within AD and the other technology.
 
o I dislike that there is no true schema delete.

o I dislike the fact that I can't specify which branches of the tree
replicate where.

o I dislike the fact that GUIDs are represented in multiple ways in the
directory.

o I dislike the implementation of property sets especially since they could
be so incredibly awesomely cool. Specifically I dislike that an attribute
can only be in a single property set. 

o I dislike creator/owner on SDs.

o I dislike the lack of configurable business rules.

o I dislike the fact that I can't run multiple domains on a single domain
controller. 



Etc etc. I have more but lets see what others say. Everyone pipe up. Let's
pretend that MS will actually see this, let's further say let's pretend MS
AD Developers will see this. What would you tell them if you were sitting in
the room with them?



   joe





[1] I do not consider GPOs to be part of AD. They are a technology that
leverages AD.



RE: [ActiveDir] Replicating AD

2005-08-02 Thread Creamer, Mark

I use LDIFDE to export all the objects,
save that to a CD, and then import it into the lab domain. Another option would
be to add a new DC to your domain, allow it to replicate, take it offline, and
manually clean up the removed DC from AD. I don't particularly like that
option; others could say better than I whether that's a good
suggestion or not.





mc











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, August 02, 2005 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD







I'm trying to setup a test AD that's
identical to the production AD with the same OU structure and user
accounts. I'd like to avoid having to manually create them by hopefully
finding a tool that would import all those objects. Does any one know of such a
tool?



Antonio

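Mark's export-to-CD-and-import approach above, as an added example that is not code from the thread: ldifde's own -c switch rewrites the source DN suffix to the lab's and -o omits attributes, but doing the same steps in Python makes visible what has to happen before `ldifde -i` will accept the file. Every DN-valued attribute has to be re-rooted, not just the dn line, and attributes a fresh DC computes itself (objectGUID, objectSid, USNs, objectCategory, the memberOf back-link) have to go; group membership survives through the forward-link `member` attribute on the group. The domain names, the sample LDIF and the attribute lists are this example's assumptions, not taken from the posts.

```python
"""Make an ldifde export importable into a differently named lab domain.
Added example for this thread, not code from the posts. ldifde's -c (DN
substitution) and -o (omit attributes) switches do this on the command line;
doing it here shows which values must change or go before `ldifde -i -k -f`.
The domain names, the sample LDIF and the attribute lists are assumptions."""
import base64

# Attributes the target DC computes itself, or that belong to the source
# forest (GUIDs, SIDs, USNs, back-links, logon bookkeeping): ldifde -i rejects
# the former, and the latter import fine but mean nothing in the lab.
STRIP_ATTRS = {
    "objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
    "whenchanged", "instancetype", "distinguishedname", "name", "objectcategory",
    "dscorepropagationdata", "samaccounttype", "primarygroupid", "pwdlastset",
    "lastlogon", "lastlogontimestamp", "badpwdcount", "logoncount",
    "memberof",  # back-link: membership is imported via 'member' on the group
}
DN_ATTRS = {"member", "managedby", "manager"}  # forward links holding source DNs

# Constructed sample export (one user, one group) shaped like ldifde output.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Lab Users,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
description:: SmFuZSBEb2UgKMOpKQ==
objectGUID:: AQIDBAUGBwgJCgsMDQ4PEA==
objectSid:: AQUAAAAAAAUVAAAA
memberOf: CN=Lab Admins,OU=Lab Users,DC=corp,DC=example,DC=com

dn: CN=Lab Admins,OU=Lab Users,DC=corp,DC=example,DC=com
changetype: add
objectClass: group
cn: Lab Admins
sAMAccountName: Lab Admins
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
member: CN=Jane Doe,OU=Lab Users,DC=corp,DC=example,DC=com
"""
OLD_SUFFIX = "DC=corp,DC=example,DC=com"
NEW_SUFFIX = "DC=lab,DC=example,DC=com"

def fold_lines(text):
    """Join LDIF continuation lines (leading space) onto the line above; drop comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif not raw.startswith("#"):
            out.append(raw)
    return out

def parse_ldif(text):
    """Return records as lists of (attr, value); 'attr:: b64' values are decoded."""
    records, current = [], []
    for line in fold_lines(text) + [""]:      # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        else:
            val = val.strip()
        current.append((attr.strip(), val))
    return records

def rewrite_dn(dn, old_suffix, new_suffix):
    """Re-root a DN from the source naming context to the lab one (case-insensitive)."""
    if dn.lower().endswith(old_suffix.lower()):
        return dn[:-len(old_suffix)] + new_suffix
    return dn

def sanitize(text, old_suffix, new_suffix):
    """Drop unimportable attributes; re-root the dn and every DN-valued attribute."""
    def fix(key, val):
        return rewrite_dn(val, old_suffix, new_suffix) if key == "dn" or key in DN_ATTRS else val
    return [[(a, fix(a.lower(), v)) for a, v in rec if a.lower() not in STRIP_ATTRS]
            for rec in parse_ldif(text)]

def needs_base64(val):
    """LDIF: base64 for non-ASCII/non-printable text, a leading ' ', ':' or '<', or a trailing space."""
    if not val:
        return False
    return (not val.isascii() or not val.isprintable()
            or val[0] in " :<" or val.endswith(" "))

def to_ldif(records):
    """Serialise records back to LDIF text ready for ldifde -i."""
    chunks = []
    for rec in records:
        chunks.append("\n".join(f"{a}:: {base64.b64encode(v.encode()).decode()}"
                                if needs_base64(v) else f"{a}: {v}" for a, v in rec))
    return "\n\n".join(chunks) + "\n"

if __name__ == "__main__":
    print(to_ldif(sanitize(SAMPLE_LDIF, OLD_SUFFIX, NEW_SUFFIX)))
```

Two things to keep in mind when doing this for real: the export is a complete copy of the naming context, including who sits in which privileged group, so the CD deserves the same handling as a backup tape; and password hashes are never part of an LDAP read (unicodePwd is write-only), so the imported accounts start with no usable credential and need resetting in the lab.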

[ActiveDir] _gc and _ldap SRV records

2005-07-28 Thread Creamer, Mark
A question about DNS SRV records for my DCs and Global Catalog servers...should
every AD-integrated DNS server in my entire forest have _gc and _ldap records
for every GC and DC in the forest?

It looks like the records listed vary from one domain to another in my DNS, and
I wonder if they should all have the same records regardless of the forest
domain the DNS server is in.

Thanks,
Mark




[ActiveDir] problem with NameTranslate

2005-07-20 Thread Creamer, Mark

Our developers are seeing an extremely slow output from the following example script. It takes about 30 seconds to translate a WinNT name to an LDAP distinguished name. Can anyone tell me what to look for to troubleshoot this process? It used to be very quick, and in fact still is on some systems within the same subnet as where I'm testing from.

Thanks

 **Script

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Specify the NetBIOS name of the domain and the NT name of the user.
strNTName = "MyDomain\MyUser"

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
Set objTrans = CreateObject("NameTranslate")

' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""

' Use the Set method to specify the NT format of the object name.
objTrans.Set ADS_NAME_TYPE_NT4, strNTName

' Use the Get method to retrieve the RFC 1779 Distinguished Name.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)

MsgBox(objUser.distinguishedName)
MsgBox(objUser.Name)

 ***End of Script

Mark Creamer

Systems Engineer

Cintas Corporation

[ActiveDir] Determining active user accounts

2005-06-16 Thread Creamer, Mark

We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?

Mark Creamer

Systems Engineer

Cintas Corporation

RE: [ActiveDir] Determining active user accounts

2005-06-16 Thread Creamer, Mark
Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. 
Great tool, Joe.

Thanks

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Wouldn't the accounts that don't need server access show up as inactive
if you ran them through joe's 'oldcmp'?  If so, then couldn't you get a
fair approximation from:

CALs required = [Total user objects] - [user objects flagged by oldcmp]

?

[Insert standard Call your reseller for definitive licensing advice
disclaimer here.]

- Laura

 -Original Message-
 From: Creamer, Mark [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, June 16, 2005 3:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Determining active user accounts
 
 We need to get a count of users that are active, so we can 
 make sure our purchasing of 2003 User CALs is as accurate as 
 possible. However, every employee of the company has an 
 account in Active Directory, but only a certain percentage of 
 those users ever access a server or need to authenticate. 
 What's the best way to determine how many users we need to 
 have a User CAL for?
 
 Mark Creamer
 
 Systems Engineer
 
 Cintas Corporation
 
 
 

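Laura's oldcmp-based approximation above, as an added example that is neither oldcmp nor code from the posts: an account counts as active only if it is enabled and its lastLogonTimestamp falls inside the window, and the window is widened by the attribute's replication lag, because lastLogonTimestamp is only rewritten when the stored value is more than about 14 days old. The same list, read the other way round, is the set of live credentials; everything that drops out of it is a stale account worth disabling. The example assumes a Windows Server 2003 domain functional level; on a Windows 2000 domain, which Mark says his forest still is, lastLogonTimestamp does not exist and the unreplicated lastLogon has to be collected from every DC (newest_last_logon below). The sample accounts and the 90-day window are constructed for the example.

```python
"""Count the user accounts that are actually 'active', the way oldcmp-style
stale-account reports do. Added example for this thread, not code from the
posts or from oldcmp. It assumes a Windows Server 2003 domain functional
level, where lastLogonTimestamp exists and replicates; on Windows 2000 only
the per-DC lastLogon exists (see newest_last_logon). Sample data is
constructed; the 90-day window is an assumption."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin
# lastLogonTimestamp is rewritten only when the stored value is older than
# 14 days (minus a random 0-5 days), so it may trail the real logon by 14 days.
REPLICATION_LAG = timedelta(days=14)
ACCOUNTDISABLE = 0x0002          # userAccountControl bits
NORMAL_ACCOUNT = 0x0200


def filetime_to_datetime(ft):
    """AD large-integer timestamp (100 ns ticks since 1601 UTC) -> datetime; 0 = never."""
    if not ft:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, for building sample data and LDAP filters."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def newest_last_logon(per_dc_values):
    """lastLogon (Windows 2000) is not replicated: query every DC and keep the newest."""
    return max(per_dc_values.values(), default=0)


def is_active(user, now, window):
    """Enabled and seen within `window`, widened by the lastLogonTimestamp lag."""
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return False
    last = filetime_to_datetime(user.get("lastLogonTimestamp", 0))
    if last is None:
        return False                     # never logged on anywhere
    return now - last <= window + REPLICATION_LAG


def count_active(users, now, window=timedelta(days=90)):
    """Return (count, sorted sAMAccountNames) of accounts that need a CAL and hold live credentials."""
    names = sorted(u["sAMAccountName"] for u in users if is_active(u, now, window))
    return len(names), names


# Constructed sample, dated to the thread. 'carol' is 98 days old: outside a
# naive 90-day cut-off but inside it once the 14-day lag is allowed for.
NOW = datetime(2005, 6, 16, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=120))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=98))},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "erin", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    print(count_active(SAMPLE_USERS, NOW))   # (2, ['alice', 'carol'])
```

The window is a policy choice, not a fact about the directory: a shorter one buys fewer CALs but also flags more dormant accounts to disable, which is the point where the licensing exercise and the security one coincide.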

[ActiveDir] safest disk configuration

2005-06-14 Thread Creamer, Mark

What are the admins of some of the larger directories using for disk configuration on their DCs? Mirrored OS and RAID 5 for the NTDS drive(s)? Logs separate? Thanks

Mark Creamer

Systems Engineer

Cintas Corporation

[ActiveDir] Using AD Sizer

2005-06-13 Thread Creamer, Mark

I'm trying to run through the Microsoft-provided free Active Directory Sizer tool to approximate what new hardware should look like so we can replace some older DCs. I haven't used this thing before, and a couple of things are unclear to me:

1. It asks "How many additional attributes will you have per user?" Are they talking about schema changes we may have made for user accounts?

2. It asks for "Avg logon rate per second" in Interactive, Batch, and Network logons. How can I approximate something like that?

Alternatively, has anyone seen a better tool to get this information? We are still Windows 2000 AD; no 2003 DCs yet.

Thanks

Mark Creamer

Systems Engineer

Cintas Corporation





RE: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.

2005-06-08 Thread Creamer, Mark

I remembered seeing this tip on annoyances.org. Maybe it would help?

http://www.annoyances.org/exec/show/article05-100

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 08, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Prevent Redirection for My Music, My Videos, etc.

Hi:

We use a group policy to redirect My Documents to a network share. Is it possible to prevent the redirection of subfolders from My Documents such as My Music, My Videos, My Virtual Machines, My Pain in the Ass? If so, how?

Thanks.

--
nme





[ActiveDir] whenCreated and createTimeStamp

2005-06-08 Thread Creamer, Mark

In the Schema documentation on MSDN, it looks like whenCreated and createTimeStamp are used for the same thing, but whenCreated is in the Global Catalog. If I want to report on the date each account was created in the entire forest, am I safe to use the whenCreated attribute so I can use the GC as my source? Are the values ever different for any reason? Thanks

Mark Creamer
Systems Engineer
Cintas Corporation







RE: [ActiveDir] Seeking AD monitoring software recomendations

2005-06-06 Thread Creamer, Mark
Gil must be OOTO today :-)

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
Sent: Sunday, June 05, 2005 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seeking AD monitoring software recomendations

What is the biggest difference between MOM 2005 and Netpro ?


- Original Message - 
From: Mark Parris [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 05, 2005 5:00 PM
Subject: Re: [ActiveDir] Seeking AD monitoring software recomendations


MOM 2005, and do you think you have enough DC's? ;-)

Mark
-Original Message-
From: Mark [EMAIL PROTECTED]
Date: Sun, 5 Jun 2005 16:46:44
To:ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seeking AD monitoring software recomendations

I work for a large enterprise company running w2k3 in 2003 mode with the 
expectation the main user domain will hold 150K users. Currently has about 
80 DCs.

We finally have funding to buy some AD specific monitoring tools.
I am looking for an application(s) that will tell us when AD is not 
functioning as it should in a simple screen and email us. Would like to 
be able to bench mark systems. Will tell us when someone changed a piece 
of the infrastructure (Auditing). Would like to have the install done in 
about a week and be proficient in about a month.
I need a system I do not have to spend a lot of time with, and will tell me 
when something is wrong/changed.

anyone have any good suggestions ?

Thanks, You guys are great!
M. Lunsford


RE: [ActiveDir] User account and home directory management

2005-06-06 Thread Creamer, Mark

There are many create user scripts that you should be able to alter to suit your needs. I would try Windows Script Center (just google that, and you'll see it). Also, Robbie Allen's site at www.rallenhome.com, and Clarence Washington's script site at http://cwashington.netreach.net

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Stanford
Sent: Monday, June 06, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account and home directory management

Hi to all on the list.

Forgive me if this subject has been covered, as I am new to the list. I manage a school network, and one of the issues I face is that an AD user account, the user profile and the user's home directory share are inextricably linked. I need to be able to create users and shares in one go, so that the account is set up, the share and profile created, and permissions set, and the details entered into the AD object. Does anyone know of any software or scripts that would accomplish this? I would ideally like to be able to do it for individual users or in bulk.

Thanks in advance,

Dan Stanford.

The contents of this email and any attachments do not necessarily represent the views or policies of Ibstock Place School, its employees or pupils. They are intended for the confidential use by the named recipient only and may be legally privileged and should not be communicated to, or relied upon by, any other party without our written consent. Although this message is believed to be virus free, Ibstock Place School does not accept liability for any damage, loss or cost caused by software viruses. If received in error, please advise the sender immediately and delete all record of it from your system.







RE: [ActiveDir] deleting specific values from multi-val attribute

2005-05-27 Thread Creamer, Mark
Thanks Sakari (& Dèjì). That's how I set it up and it worked fine. I appreciate the pointers, as always.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sakari Kouti
Sent: Friday, May 27, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] deleting specific values from multi-val attribute

Hi Mark,

You would use a line such as the following:

Const ADS_PROPERTY_DELETE = 4
' otherHomePhone is the attribute name; only the values listed in the array are removed
Call objUser.PutEx(ADS_PROPERTY_DELETE, "otherHomePhone", _
  Array("111-", "444-"))
' PutEx only changes the local property cache; SetInfo writes the change to the directory
objUser.SetInfo

This would delete the two numbers specified (111- and 444-).

Yours, Sakari


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Creamer, Mark
Sent: Thursday, May 26, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] deleting specific values from multi-val attribute
We have a multi-valued custom attribute that is used with one of our applications. Some of the values stored there for some users are obsolete and I've been asked to clean them up. So I'm looking for a method to look at each user object, enumerate the values in this specific attribute, and delete the value that matches what I'm looking for, while leaving the other values of the attribute alone. Any advice on this? I have some scripts I can alter - I just need to understand the enumeration of the attribute values. Thanks

Mark Creamer
Systems Engineer
Cintas Corporation


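Sakari's PutEx call removes named values through ADSI from a script. The same surgical delete can be written as an LDIF change record and applied with ldifde -i, which suits the case in this thread where a list of obsolete values per user comes out of a report. The block below is an added example for this page, written in Python; it is not code from the thread or from any product mentioned in it, and the DNs, the attribute name and the values in SAMPLE_PLAN are constructed. It emits RFC 2849 "changetype: modify" records whose "delete:" block names the values to drop, so the rest of the multi-valued attribute is untouched; it base64-encodes any value that LDIF cannot carry in clear text, folds long lines, and refuses an empty value list because "delete: attr" with no values removes the whole attribute.

```python
from __future__ import annotations

import base64

# RFC 2849 SAFE-STRING rules: a value that starts with a space, ':' or '<', contains
# NUL/CR/LF or non-ASCII bytes, or ends with a space must be base64-encoded ('::').
SAFE_INIT = set(range(0x01, 0x80)) - {0x0A, 0x0D, ord(" "), ord(":"), ord("<")}
SAFE_REST = set(range(0x01, 0x80)) - {0x0A, 0x0D}


def needs_base64(value: str) -> bool:
    raw = value.encode("utf-8")
    if not raw:
        return False
    if raw[0] not in SAFE_INIT or any(b not in SAFE_REST for b in raw[1:]):
        return True
    return raw.endswith(b" ")


def attr_line(attr: str, value: str) -> str:
    """'attr: value' in clear, or 'attr:: <base64>' when LDIF cannot carry it raw."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def fold_line(line: str, width: int = 76) -> str:
    """Fold long lines as RFC 2849 requires: continuation lines begin with one space."""
    if len(line) <= width:
        return line
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(pieces)


def modify_delete_record(dn: str, deletions: dict[str, list[str]]) -> str:
    """Build one 'changetype: modify' record that removes only the listed values.

    deletions maps attribute name -> values to remove from that attribute.
    An empty value list is refused on purpose: 'delete: attr' with no values
    would wipe the whole attribute, which is exactly what the clean-up must avoid.
    """
    lines = [fold_line(attr_line("dn", dn)), "changetype: modify"]
    for attr, values in deletions.items():
        if not values:
            raise ValueError(f"refusing to delete every value of {attr} on {dn}")
        lines.append(f"delete: {attr}")
        lines.extend(fold_line(attr_line(attr, v)) for v in values)
        lines.append("-")  # terminates this modification
    return "\n".join(lines) + "\n"


def build_ldif(plan: dict[str, dict[str, list[str]]]) -> str:
    """One record per DN, separated by a blank line, ready for 'ldifde -i -f file.ldf'."""
    return "\n".join(modify_delete_record(dn, d) for dn, d in plan.items())


# Constructed sample clean-up plan; the DNs, attribute and values are made up for
# the demonstration and correspond to nothing in the thread's real directory.
SAMPLE_PLAN = {
    "CN=Jane Doe,OU=Users,DC=my,DC=domain,DC=com": {
        "otherHomePhone": ["111-", "444-"],
    },
    "CN=Érik Müller,OU=Users,DC=my,DC=domain,DC=com": {
        "otherHomePhone": [" value with leading space"],
    },
}

if __name__ == "__main__":
    print(build_ldif(SAMPLE_PLAN), end="")
```

Write the output to a file and apply it with ldifde -i -f cleanup.ldf -s <DC> against the test directory first. The directory rejects a record whose listed value is no longer present on the object, so a failed record means the plan is stale and should be regenerated rather than ignored.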


[ActiveDir] deleting specific values from multi-val attribute

2005-05-26 Thread Creamer, Mark

We have a multi-valued custom attribute that is used with one of our applications. Some of the values stored there for some users are obsolete and I've been asked to clean them up. So I'm looking for a method to look at each user object, enumerate the values in this specific attribute, and delete the value that matches what I'm looking for, while leaving the other values of the attribute alone. Any advice on this? I have some scripts I can alter; I just need to understand the enumeration of the attribute values. Thanks

Mark Creamer
Systems Engineer
Cintas Corporation







[ActiveDir] Enterprise Certificate Authority

2005-05-18 Thread Creamer, Mark

In a recovery test, I discovered today that our enterprise root certificate server was not one of the AD servers that was restored. However, there is another AD server with cert services running that is not the enterprise root CA.

Now my users cannot use LDAP over SSL. So my question is, can I install cert services on one of the other domain controllers and make it the enterprise root CA? Understand that this is a test environment only, so I'm not messing up production if whatever you suggest is destructive to the CA that is online in the test environment. But I need to enable LDAP over SSL somehow.

Thanks




[ActiveDir] FW: SUGGESTION: LDAP Browser v.2.6 (build 650)

2005-05-13 Thread Creamer, Mark

This is the response from the Softerra folks, regarding the paging functionality in case anyone is interested. Thanks

mc

From: Kirill Kovalenko [mailto:[EMAIL PROTECTED]
Sent: Friday, May 13, 2005 2:12 AM
To: Creamer, Mark
Subject: RE: SUGGESTION: LDAP Browser v.2.6 (build 650)

Dear Mr. Creamer,

LDAP Browser 2.X does not support paging. LDAP Administrator 3.X supports both Simple Paging and VLV. You can order [1] a trial version of the LDAP Administrator at our web site [2]. Please read documentation [3] for details.

[1] http://ldapadministrator.com/download/tryIt.php
[2] http://ldapadministrator.com/
[3] http://ldapadministrator.com/resources/english/help/la31/index.php (Browsing Directory - Managing Large Numbers of Entries)

Sincerely yours,

Kirill Kovalenko
Product Manager
Softerra LLC
http://www.softerra.com
http://www.ldapadministrator.com







RE: [ActiveDir] Softerra's LDAP Browser

2005-05-11 Thread Creamer, Mark

Thanks for an excellent discussion guys. As usual, I learned something more than I bargained for. Tom, I understood the implications of changing MaxPageSize, and that's not an option for us because our directory is too big, as well as for the reasons some of the others pointed out. But I just sent a suggestion to Softerra about adding paging as an enhancement, or to point out how to do it if the capability already exists. If they respond, I'll share the info.

In the meantime, I remembered reading about a nice Excel add-in (Marco's Excel Management Macro, or MEMM) that does many of the same things LDAP browser would do, and it will allow paging the result set. If anyone is interested, I found it here: http://bink.nu/Article3399.bink

Thanks again for the help and advice

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 10, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser

I thought by default the max # of records that can be retrieved from a query is 1000.

I think you can run ntdsutil to change this or better yet, if running against win2k, you can use paging.

You set it with ldp.exe and an ldap control (I forget the number).

Also with win2k3 you can use VLV.

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Softerra's LDAP Browser

I've been playing around a little with Softerra's LDAP Browser (the freeware version), and I can't seem to be able to get it to return more than the standard 1000 records in the result set. The FAQ says to set the entry count limit to zero, but I still only get 1000. Has anyone else used this tool and figured out how to return all records? I'd love to use this thing as an ad hoc query tool.

Mark Creamer
Systems Engineer
Cintas Corporation




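Tom's note above lists the three ways around the 1000-entry ceiling: raise MaxPageSize (which Mark rules out for a large directory), send the Simple Paged Results control, or use VLV on 2003. The block below is an added example written for this page, not part of the thread or of any product named in it: a toy in-memory "server" that applies MaxPageSize the way a DC does, a small BER encoder/decoder for the RFC 2696 control value (OID 1.2.840.113556.1.4.319), and the client loop that resends the search with the server's cookie until it comes back empty. The DNs in SAMPLE_ENTRIES are constructed. It shows concretely why an unpaged query stops at 1000 with sizeLimitExceeded whatever the client's own entry limit is set to, and why a client that sends the control gets every entry with no server-side change.

```python
from __future__ import annotations

from dataclasses import dataclass, field

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # Simple Paged Results control, RFC 2696
MAX_PAGE_SIZE = 1000  # AD's default LDAP policy value, the MaxPageSize discussed in the thread


# BER helpers for the control value: SEQUENCE { size INTEGER, cookie OCTET STRING }
def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return b"\x02" + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    inner = ber_int(size) + b"\x04" + ber_len(len(cookie)) + cookie
    return b"\x30" + ber_len(len(inner)) + inner


def decode_paged_control(value: bytes) -> tuple[int, bytes]:
    tag, seq, _ = read_tlv(value, 0)
    assert tag == 0x30, "control value must be a SEQUENCE"
    tag, size_bytes, pos = read_tlv(seq, 0)
    assert tag == 0x02, "first element must be the INTEGER size"
    tag, cookie, _ = read_tlv(seq, pos)
    assert tag == 0x04, "second element must be the OCTET STRING cookie"
    return int.from_bytes(size_bytes, "big", signed=True), cookie


@dataclass
class DirectoryServer:
    """Toy in-memory DC: an unpaged search is cut off at MaxPageSize entries; a paged
    search gets at most MaxPageSize entries per page plus a cookie to continue.
    Abandoning a paged search (size 0 from the client) is not modelled."""
    entries: list[str]
    max_page_size: int = MAX_PAGE_SIZE
    cookies: dict[bytes, int] = field(default_factory=dict)
    next_cookie: int = 1

    def search(self, control: bytes | None = None) -> tuple[list[str], str, bytes | None]:
        """Return (entries, resultCode name, paged-results response control or None)."""
        if control is None:
            hits = self.entries[: self.max_page_size]
            code = "success" if len(hits) == len(self.entries) else "sizeLimitExceeded"
            return hits, code, None
        size, cookie = decode_paged_control(control)
        start = 0 if cookie == b"" else self.cookies.pop(cookie)  # unknown cookie: KeyError
        page = min(size, self.max_page_size)  # the server, not the client, caps the page
        hits = self.entries[start:start + page]
        end = start + len(hits)
        if end >= len(self.entries):
            return hits, "success", encode_paged_control(0, b"")  # empty cookie = done
        token = self.next_cookie.to_bytes(4, "big")
        self.next_cookie += 1
        self.cookies[token] = end
        return hits, "success", encode_paged_control(0, token)


def fetch_all(server: DirectoryServer, page_size: int = 500) -> list[str]:
    """Client side of RFC 2696: resend the same search with the returned cookie
    until the server hands back an empty one."""
    results: list[str] = []
    cookie = b""
    while True:
        hits, code, ctrl = server.search(encode_paged_control(page_size, cookie))
        assert code == "success", code
        results.extend(hits)
        _, cookie = decode_paged_control(ctrl)
        if cookie == b"":
            return results


# Constructed sample directory: 2,500 made-up user DNs, enough to cross the 1000 limit.
SAMPLE_ENTRIES = [f"CN=user{i:04d},OU=Users,DC=my,DC=domain,DC=com" for i in range(2500)]

if __name__ == "__main__":
    unpaged, code, _ = DirectoryServer(SAMPLE_ENTRIES).search()
    print(f"unpaged: {len(unpaged)} entries, result {code}")
    print(f"paged:   {len(fetch_all(DirectoryServer(SAMPLE_ENTRIES)))} entries")
```

Asking for a page of 5000 does not help: the server clamps it to MaxPageSize, which is why the tool's "entry count limit" setting in the original question changed nothing, and why the fix has to be the control, not a bigger number on the client.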

RE: [ActiveDir] Softerra's LDAP Browser

2005-05-11 Thread Creamer, Mark

I agree. But LDAP browser is also freeware. Just another option.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 11, 2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser

I've never used the Softerra browser, so I may be missing something, but what exactly does it do that you can't get with ldp.exe for free? The nice thing about ldp is that it has support for ALL of the MS proprietary SASL bind mechanisms and nice support for all of the special controls such as paging, VLV, ASQ, deleted items, etc. that AD supports. The newer versions also have really nice support for mapping many AD datatypes to friendly strings, which saves you a lot of time.

Granted, it isn't super-pretty, but it gets the job done. Once you change the default font, it is prettier.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 11, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Softerra's LDAP Browser

Thanks for an excellent discussion guys. As usual, I learned something more than I bargained for. Tom, I understood the implications of changing MaxPageSize, and that's not an option for us because our directory is too big, as well as for the reasons some of the others pointed out. But I just sent a suggestion to Softerra about adding paging as an enhancement, or to point out how to do it if the capability already exists. If they respond, I'll share the info.

In the meantime, I remembered reading about a nice Excel add-in (Marco's Excel Management Macro, or MEMM) that does many of the same things LDAP browser would do, and it will allow paging the result set. If anyone is interested, I found it here: http://bink.nu/Article3399.bink

Thanks again for the help and advice

mc

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.







[ActiveDir] client time zones

2005-05-11 Thread Creamer, Mark

Am I correct that NTP serves only UTC time settings and that time zone information is all client-side? In other words, a 2000 or above client would receive a time setting from Win32Time in an AD domain, but that would in no way affect the PC's time zone, correct? Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation







RE: [ActiveDir] client time zones

2005-05-11 Thread Creamer, Mark

Cool. Thx Joe

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 11, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] client time zones

Correct.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 11, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] client time zones

Am I correct that NTP serves only UTC time settings and that time zone information is all client-side? In other words, a 2000 or above client would receive a time setting from Win32Time in an AD domain, but that would in no way affect the PC's time zone, correct? Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation





[ActiveDir] Softerra's LDAP Browser

2005-05-10 Thread Creamer, Mark

I've been playing around a little with Softerra's LDAP Browser (the freeware version), and I can't seem to be able to get it to return more than the standard 1000 records in the result set. The FAQ says to set the entry count limit to zero, but I still only get 1000. Has anyone else used this tool and figured out how to return all records? I'd love to use this thing as an ad hoc query tool.

Mark Creamer
Systems Engineer
Cintas Corporation







RE: [ActiveDir] ADFind syntax

2005-05-06 Thread Creamer, Mark
Charlie, there's a -nodn switch

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Charlie Kaiser
Sent: Friday, May 06, 2005 10:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind syntax

Hey Joe; I have a question for you (or anyone else who knows!) about
ADFind. 

Let's say I'm searching for, for example, a list of users
(samaccountname) in an OU. I run the query, and it comes back with the
DN and the attribute value. 
Is there a way to make it not display the DN? I sometimes need to make
lists that will export quickly to a doc for non-admins to read, and the
DN throws them off. :-) I can export to a spreadsheet and trim it, but I
thought perhaps there's a native way to do it...

I figured out how to do this in dsquery; 
dsquery user ou=employees,dc=domain,dc=com -scope onelevel -limit 1000 |
dsget user -display

Can something like that be done with ADFind?
Thanks...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


[ActiveDir] OT: End Process permission

2005-04-28 Thread Creamer, Mark

Anyone know how I can grant a non-admin the permission to end a running process? I'm not finding anything in Group Policy unless I'm overlooking it. Thanks!

Mark





RE: [ActiveDir] Script

2005-04-28 Thread Creamer, Mark

Check out ScriptLogic if you're looking for a fast solution. But like ASB's tag line says, FAST, CHEAP, SECURE, pick any Two.

By the way, a lot of what ScriptLogic does is built into KiXtart, so if you're interested in investing the time in the scripts, you can achieve mostly the same thing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, April 28, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script

Anyone have a good script for updating Critical Updates? I can create a batch file that executes all the updates when a user logs in, but I want it to run only once and not every time someone logs in. I have Shavlik Pro, but the damn thing is slow and a resource hog.

Thank you,

Z.V





RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Creamer, Mark
Philip, below is a doc I wrote to set up or refresh our lab (using the LDIFDE method), with the names changed to protect the guilty. A couple of batch scripts are included that you can modify. Hope it helps.

***

1. Ldifde is loaded by default on servers but not workstations. If running this command on a workstation, you must first copy the ldifde.exe file from the WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long, batch files have been created. The contents of these files are listed in the appendix.
3. The batch files reference specifically the my.domain.com domain, export server SERVER1 (production) and import server SERVER99 (lab). If any of these components change or if the goal is to export/import a different domain, the appropriate changes will have to be made to the batch files.
4. Including many attributes creates a very large export file. Verify that enough disk space is available before beginning (about 70 MB currently).
5. Other command options are available, see KB237677 at this link: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is performed, passwords for each user are blank.
7. Administrator is not included in the export, to avoid overwriting the existing Administrator.


Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator
2. Batch files are located on \\SERVER1\C$\SCRIPTS
3. Run the batch file export_OUs.bat (see appendix for command). Note: folder c:\temp must already exist. File created will be exportOU.ldf
4. Run the batch file export_users.bat (see appendix for command). Note: File created will be exportUser.ldf
5. Save the two ldf files to a CD since the production and test environments are not networked together
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the same CD:
a. Import_ous.bat
b. Import_users.bat

Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller SERVER99
2. Remove the read-only attribute from the files
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are missing in the test lab that are present in the production environment, they will be created. Others are ignored
4. From the command prompt, launch c:\temp\import_users.bat. If any users are missing in the test lab that are present in the production environment, they will be created with their associated attributes. Accounts are created disabled, and the password set to null. This is because LDIFDE does not support exporting/importing passwords
5. When the batch files have completed, verify that no errors were reported, and check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp


Appendix

Script Contents

Export_OUs.bat
ldifde -f c:\temp\exportOu.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r (objectClass=organizationalUnit) -l cn,objectclass,ou

Export_Users.bat
REM The filter is quoted because & is a command separator in cmd.exe; the leading & is the LDAP AND operator
ldifde -f c:\temp\exportusers.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePWD,pwdLastSet,displayName,distinguishedName

Import_OUs.bat
ldifde -i -k -f c:\temp\exportou.ldf -s server99

Import_Users.bat
ldifde -i -k -f c:\temp\exportusers.ldf -s server99


*

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab. I saw some help in the archives but I'd like a fresh look on the topic. I am considering 2 options, that I know of:

1. Use LDIFDE to export and import the Schema, OUs, Users and GPs into the test lab. I built a box with W2003 Standard and DCPROMO'd it up with different machine name but same Domain name. This avenue sounded pretty good but I keep getting failure errors when I try to import the ldf files saying that "An attempt was made to add an object to the directory with a name that is already in use" or "Directory Object not found".

my other choice was

2. http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But since this is a test lab, my library is not available and neither is my backup server. Plus, it's a DC and I don't want to introduce it to my existing domain. I guess I could DCPROMO it back out and then bring it into the existing domain as a standalone and then do a 
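Before an export like the one above goes onto the CD it is worth checking what is in it: the attribute list includes employeeID and pwdLastSet, and the import procedure relies on every account landing disabled. The following is an added example, not part of the thread and not one of Mark's scripts: a Python script that parses ldifde's LDIF output (folded continuation lines and base64 values included), drops attributes that should not leave production, forces the ACCOUNTDISABLE bit on every user object, and writes the result back out as LDIF. The STRIP_ATTRS set, the function names and the sample record are assumptions made for illustration.

```python
"""Scrub an ldifde export before it is carried to the lab (added example, not from the
thread). Assumes ldifde's LDIF layout: entries separated by blank lines, 'attr: value'
or 'attr:: base64value', continuation lines starting with one space.
STRIP_ATTRS and SAMPLE_LDIF are the author's assumptions, not from the thread."""
import base64
from typing import List, Tuple

# Attributes that should not travel from production to a lab copy (assumption: adjust
# to your own export list). unicodePwd never exports, but pwdLastSet and employeeID do.
STRIP_ATTRS = {"unicodepwd", "pwdlastset", "employeeid"}
ACCOUNTDISABLE = 0x0002      # userAccountControl bit: account disabled
NORMAL_ACCOUNT = 0x0200      # userAccountControl bit: normal user account

Record = List[Tuple[str, str]]   # ordered (attribute, decoded value) pairs of one entry


def parse_ldif(text: str) -> List[Record]:
    """Unfold continuation lines, decode '::' base64 values, split entries on blank lines."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded line: glue onto the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records: List[Record] = []
    current: Record = []
    for line in logical + [""]:                    # trailing "" flushes the last entry
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.append((attr, value))
    return records


def scrub(records: List[Record], strip=STRIP_ATTRS) -> Tuple[List[Record], List[str]]:
    """Drop STRIP_ATTRS everywhere and force ACCOUNTDISABLE on every user object.
    Returns the rewritten entries and a human-readable list of what was changed."""
    out: List[Record] = []
    findings: List[str] = []
    for rec in records:
        dn = next((v for a, v in rec if a.lower() == "dn"), "?")
        classes = {v.lower() for a, v in rec if a.lower() == "objectclass"}
        is_user = "user" in classes
        new: Record = []
        saw_uac = False
        for attr, value in rec:
            name = attr.lower()
            if name in strip:
                findings.append(f"{dn}: dropped {attr}")
                continue
            if is_user and name == "useraccountcontrol":
                saw_uac = True
                uac = int(value)
                if not uac & ACCOUNTDISABLE:
                    findings.append(f"{dn}: userAccountControl {uac} was enabled, forcing disabled")
                    value = str(uac | ACCOUNTDISABLE)
            new.append((attr, value))
        if is_user and not saw_uac:
            findings.append(f"{dn}: no userAccountControl in export, adding disabled normal account")
            new.append(("userAccountControl", str(NORMAL_ACCOUNT | ACCOUNTDISABLE)))
        out.append(new)
    return out, findings


def to_ldif(records: List[Record]) -> str:
    """Serialize entries back to LDIF, base64-encoding anything not safe as plain text."""
    lines: List[str] = []
    for rec in records:
        for attr, value in rec:
            safe = value == "" or (value.isascii() and value.isprintable()
                                   and value[0] not in " :<" and value[-1] != " ")
            if safe:
                lines.append(f"{attr}: {value}")
            else:
                lines.append(f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
        lines.append("")
    return "\n".join(lines)


# Constructed sample in ldifde's layout (not a real export): one enabled user carrying
# PII attributes, a folded description and a base64 displayName, plus one OU.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
employeeID: 12345
userAccountControl: 512
pwdLastSet: 128000000000000000
displayName:: SmFuZSBEb2U=
description: a long description that the exporter
  folded across two lines

dn: OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Staff
"""

if __name__ == "__main__":
    scrubbed, notes = scrub(parse_ldif(SAMPLE_LDIF))
    print("\n".join(notes))
    print(to_ldif(scrubbed))
```

Run it over the real exportusers.ldf by replacing SAMPLE_LDIF with the file contents; the findings list is the record of what was removed or changed, which is worth keeping alongside the lab copy.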

RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-26 Thread Creamer, Mark
Guido, thanks for your help on this! Best regards

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

ah - that changes the picture

option 3 is still valid for child DCs (DCs point to themselves + another
DC of the same domain), but you should either add a secondary of _msdcs
subzone of the root (i.e make this it's own zone) or - if the root zone
itself is not too large - add a secondary of the root itself to the
child DCs.

for the root DCs, ensure that they use a different root DC as their
primary DNS server, then either another root DC (if you have three) or
themselves for the secondary DNS server. If you have three, then I'd add
themselves as a third DNS server.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

you don't mention OS version - I'm assuming you will or have implemented
Win2k3.  In this case the island-problem (which used to be an issue in
a Win2k AD's root domain) is no longer an issue and you're fine to go
ahead with your option 3.

I would also recommend to setup the _msdcs subzone of the root as a
forest wide app-partition, so that all DCs receive a copy (in this case
DNS queries for GCs and DC GUIDs would still work in the event that no
root DC is available to answer any forwarding queries).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Montag, 25. April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries?

I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:

1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
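As an added example, not part of the thread: a Python check that applies the rules Guido gives above to an inventory of DCs and their DNS client search order. Child-domain DCs should list themselves first and then a partner DC of the same domain (option 3, no root DC needed); forest-root DCs on Win2K must use a different root DC as primary (the island problem) and may list themselves later, which Win2K3 no longer requires. The DomainController class, the inventory and the IP addresses are constructed for illustration; in practice the search order comes from ipconfig /all on each DC.

```python
"""Check domain controllers' DNS client settings against the guidance in this thread
(added example, not from the thread). The inventory below is constructed; in practice
fill it from 'ipconfig /all' on each DC. Names and fields are the author's assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DomainController:
    name: str
    domain: str                 # DNS name of the AD domain this DC belongs to
    ip: str
    dns_servers: List[str]      # DNS client search order on the DC, primary first


def check_dc_dns(dcs: List[DomainController], root_domain: str,
                 win2k_root: bool) -> Dict[str, List[str]]:
    """Return a list of findings per DC (empty list = configuration matches the advice).

    Rules taken from the thread:
    - child-domain DCs list themselves first, then another DC of the same domain;
      they do not need a root DC in the list (option 3);
    - forest-root DCs on Win2K must use a different root DC as primary (the
      'island' problem) and may list themselves later; on Win2K3 this is no longer
      an issue, so win2k_root=False relaxes that rule;
    - every DC should have at least one other DC of its own domain in the list.
    Servers that are not DCs, or that are DCs of another domain, are reported too."""
    by_ip = {dc.ip: dc for dc in dcs}
    report: Dict[str, List[str]] = {}
    for dc in dcs:
        findings: List[str] = []
        is_root = dc.domain.lower() == root_domain.lower()
        servers = dc.dns_servers
        if not servers:
            report[dc.name] = ["no DNS servers configured"]
            continue
        primary = servers[0]
        same_domain_partners = [s for s in servers
                                if s != dc.ip and s in by_ip
                                and by_ip[s].domain.lower() == dc.domain.lower()]
        if is_root and win2k_root and primary == dc.ip:
            findings.append("Win2K root DC uses itself as primary DNS (island problem)")
        if not is_root and primary != dc.ip:
            findings.append("child DC should list itself as primary DNS")
        if dc.ip not in servers:
            findings.append("DC does not list itself at all")
        if not same_domain_partners:
            findings.append("no other DC of the same domain in the list")
        for s in servers:
            if s not in by_ip:
                findings.append(f"{s} is not a DC in the inventory")
            elif by_ip[s].domain.lower() != dc.domain.lower():
                findings.append(f"{s} is a DC of {by_ip[s].domain}, not {dc.domain}")
        report[dc.name] = findings
    return report


# Constructed inventory (not the poster's environment): empty root domain.com with three
# DCs, child sub1.domain.com with two office DCs and one in a remote office.
INVENTORY = [
    DomainController("root1", "domain.com", "10.0.0.1", ["10.0.0.2", "10.0.0.3", "10.0.0.1"]),
    DomainController("root2", "domain.com", "10.0.0.2", ["10.0.0.2", "10.0.0.1"]),
    DomainController("root3", "domain.com", "10.0.0.3", ["10.0.0.1", "10.0.0.3"]),
    DomainController("sub1dc1", "sub1.domain.com", "10.0.1.1", ["10.0.1.1", "10.0.1.2"]),
    DomainController("sub1dc2", "sub1.domain.com", "10.0.1.2", ["10.0.0.1", "10.0.1.2"]),
    DomainController("sub1dc3", "sub1.domain.com", "10.0.2.1", ["10.0.2.1", "192.0.2.53"]),
]

if __name__ == "__main__":
    for name, findings in check_dc_dns(INVENTORY, "domain.com", win2k_root=True).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the constructed inventory root2 is the Win2K island case (it names itself first), sub1dc2 points at a root DC instead of itself, and sub1dc3 has only a non-DC as its second server; switching win2k_root to False clears the root2 finding, matching Guido's point that Win2K3 removes the island problem.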

RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-26 Thread Creamer, Mark
One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs?

In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa?

Thanks again!


RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-26 Thread Creamer, Mark
Excellent explanation. Thanks again!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on computers in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2.

If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain saving another hop to get those names resolved)

/Guido


[ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-25 Thread Creamer, Mark
I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries?

I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:

1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark





RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-25 Thread Creamer, Mark
Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?



RE: [ActiveDir] startup scripts not running

2005-03-29 Thread Creamer, Mark








It adds a group to the RDP permissions so our off-hours operators have TS access into the servers. It's in the startup script because we wanted to make sure that if that ever got changed manually by someone, a reboot would cure it











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:36
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running





What exactly is the EXE doing? Not all system services are available when the startup script runs. For instance, try to shutdown a server from a startup script. If you ever really need to do that, let me know, I have an exe that will do it. Dean told me about issues doing it and I got interested enough to look at it and it pissed me right off so I fixed it.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript.



If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as:



Ws.exec(myexecutable.exe)



Does that make sense?



Thanks again,

Mark











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running





Is it a vbs? If yes, have you tried
calling it from a bat file? Does it work if you do that? What you can do
depends on the outcome of that test.



Deji









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54
AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup
scripts not running





I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.



I'm having trouble figuring out why the script won't launch on its own.



The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?



Thanks,

Mark







RE: [ActiveDir] startup scripts not running

2005-03-29 Thread Creamer, Mark








Good point Joe, I don't know. I'm basing the "not working" assumption on the end result not being there, namely that the group has not been added to the RDP permissions. However when I run it manually after logging in, the group is added.



Next I tried adding a Do Until loop in the script, looking for the executable to return a 0. That never happens. The startup script runs forever :)



So based on that, and what you said, I guess I need to ask the programmer (this app is home-grown) what error is thrown if it doesn't work.











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Tuesday, March 29, 2005 9:11
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running





Ok, do you know for a fact that the exe isn't running or is it simply not outputting an error if it fails? The reboot issue I mentioned before appeared to be that shutdown wasn't being run, it was running, it was hitting a device not ready error and wasn't outputting it. Once I wrote a tool that definitely output errors when it ran into them, it was crystal clear that something was preventing shutdown from working when running in a startup script. It goes back to a type of error handling some programs use. Some will encounter an error and dump out with any errors it doesn't know how to handle. Some will dump out only with errors it knows how to handle.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, March 29, 2005 8:41
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running

It adds a group to the RDP permissions so
our off-hours operators have TS access into the servers. Its in the
startup script because we wanted to make sure that if that ever got changed
manually by someone, a reboot would cure it











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:36
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup
scripts not running





What exactly is the EXE doing? Not all
system services are not available when the startup script runs. For instance,
try to shutdown a server from a startup script. If you ever really need to do
that, let me know, I have an exe that will do it. Dean told me about issues
doing it and I got interested enough to look at it and it pissed me right off
so I fixed it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript.

If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as:

Ws.Exec("myexecutable.exe")

Does that make sense?

Thanks again,

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if you do that? What you can do depends on the outcome of that test.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running

I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.

I'm having trouble figuring out why the script won't launch on its own.

The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?

Thanks,

Mark

This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase

[ActiveDir] startup scripts not running

2005-03-28 Thread Creamer, Mark

I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.

I'm having trouble figuring out why the script won't launch on its own.

The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?

Thanks,

Mark

RE: [ActiveDir] startup scripts not running

2005-03-28 Thread Creamer, Mark

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript.

If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as:

Ws.Exec("myexecutable.exe")

Does that make sense?

Thanks again,

Mark
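The symptom above (the exe "works" when launched interactively but not from the GPO startup script, with nothing in the logs) is exactly the silent-failure case joe describes: WScript.Shell.Exec returns the process's exit code and output streams, but if nobody reads them the evidence is gone. The following is an added example, not code from the thread, written as a PowerShell startup-script wrapper rather than the original VBScript: it runs the executable from the script's own folder, captures exit code, stdout and stderr, and writes them to the Application log so the result is visible after the reboot. The paths and the event source name "StartupScript" are assumptions for the example.

```powershell
# Added example, not part of the original thread. Wrapper for a GPO computer
# startup script that runs a home-grown .exe and records what actually
# happened, so a silent failure shows up in the event log after reboot.
# Assumptions (not from the thread): the exe sits beside this script in the
# GPO's Scripts folder, and the event source "StartupScript" may be created.

$ErrorActionPreference = 'Stop'
$logName   = 'Application'
$source    = 'StartupScript'                               # assumed event source
$exe       = Join-Path $PSScriptRoot 'myexecutable.exe'    # same folder as the script
$stdoutLog = Join-Path $env:TEMP 'startup-exe.out'
$stderrLog = Join-Path $env:TEMP 'startup-exe.err'

# Register the source once; New-EventLog throws if it already exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}

function Write-StartupEvent {
    param(
        [string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$Type = 'Information',
        [int]$Id = 1000
    )
    Write-EventLog -LogName $logName -Source $source -EventId $Id -EntryType $Type -Message $Message
}

# Record the security context the script really runs under. A GPO startup
# script runs as NT AUTHORITY\SYSTEM before anyone logs on, not as the admin
# who tested it from an interactive session.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-StartupEvent "Startup script running as $who; launching $exe"

if (-not (Test-Path -LiteralPath $exe)) {
    Write-StartupEvent "Executable not found: $exe" 'Error' 1001
    exit 1
}

# Run the exe synchronously and keep both output streams. Exec() exposes the
# same streams, but a script that never reads them throws the evidence away.
$proc = Start-Process -FilePath $exe -Wait -PassThru -NoNewWindow `
            -RedirectStandardOutput $stdoutLog -RedirectStandardError $stderrLog

$out = if (Test-Path $stdoutLog) { Get-Content -Raw $stdoutLog } else { '' }
$err = if (Test-Path $stderrLog) { Get-Content -Raw $stderrLog } else { '' }

$summary = "Exit code: $($proc.ExitCode)`nSTDOUT:`n$out`nSTDERR:`n$err"
if ($proc.ExitCode -eq 0 -and [string]::IsNullOrWhiteSpace($err)) {
    Write-StartupEvent $summary 'Information' 1002
} else {
    # A non-zero exit or anything on stderr is logged as an error, so the
    # "it just didn't run" case becomes a red entry in the Application log.
    Write-StartupEvent $summary 'Error' 1003
}
exit $proc.ExitCode
```

Two things the log entries will settle quickly: whether the process started at all (event 1001 vs 1002/1003), and under which identity, since a tool that quietly depends on the interactive user's profile, mapped drives or a service that has not started yet will behave differently as SYSTEM at boot than it did in the test session.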

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Creamer, Mark
What if you married Yamila Diaz-Rahi...would the dash cause additional issues? 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Assign a new unique name and link it to the old name and the old name is still never reused except in the case that the person's name changes back which has happened. Say if I got married to Eliza Dushku, my new ID would be something like jdushku3 or something. Let's say after a few years I marry Denise Richards... Then I go back to jricha34. However jdushku3 would always still only reference me. Their biggest issue is that they are currently limited to 3-8 characters. At some point they will have to expand that range.

I think it depends on what systems it has to go onto, what the flexibility is of those systems, and what you want to be the master of the whole thing. If you can make AD the master source and the other directories/stores/etc can accept a guid then it would work. Otherwise, you are correct, you need to come up with some other unique mechanism.

Basically look at the least flexible piece that has to stay long term and build from there.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

How did they handle people changing their names?

I see the ID, but does that ID make sense when the user changes their name from Joe to 'They' or something along those lines?

That goes back to the idea of coming up with a unique identifier that expands the horizon beyond the AD forest(s) and into the rest of the realm. I maintain that at some point in just about every country and every company, there is a unique identifier that ensures that person gets their proper compensation. Not that it couldn't be messed up, but you'd know quickly if your paycheck were lower than expected or paid to you in Yuan vs. Rubles if that's what you expected.

This needs to stretch beyond AD from what I can tell. Is that an incorrect assumption Marcus?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree, I think objectGUID would be fine though it is a pain to deal with since it is binary.

Another thing to consider is to stop the random wanton creation of sAMAccountNames. When someone gets hired, they get assigned from one source their ID for use within the company. That ID is used everywhere and forever identifies that person and is never reused anywhere else in that company. Some other company gets merged in, everyone gets new SAM IDs from the same source.

One company I worked for I am the only and will always be the only jricha34 to ever be there. If I somehow for some reason go work on that network again I will get spun up a jricha34 ID for use. This is a company with hundreds of thousands of users and huge turnover every year and they still maintain all of those unique identifiers even if the actual NT or mainframe IDs are deleted so I know it is feasible for smaller companies. There was another single source for UIDs if you needed them and if you lost and got access to UNIX again, it would be with the same UID.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, March 04, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Why wouldn't objectGuid be appropriate? AD generates the objectGuid attribute using UuidCreate() (or some variation) that is guaranteed with reasonable certainty to generate values that are unique across all machines, not just DCs in the forest. If you need a globally unique, immutable identifier, the objectGuid attribute should do the trick.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

GUID is likely NOT an option in a multiple forest scenario or multiple identity stores. But the concept can be applied to the sphere of identity stores you have responsibility for. It's just that the system won't do it for you out of the box.

So one thought that comes to mind is to inject a Cox-specific GUID into each identity store from the authoritative source(s) and then use that to find what you need programmatically. That's a bigger undertaking than you may be able to go after, but it ultimately solves the issues that are so troublesome. Somewhere, you have 

RE: [ActiveDir] The missing fields

2005-03-01 Thread Creamer, Mark
And scream "YOU'RE FIRED!" in unison at the first buffer overflow??? I wanna go to that bar!

mc
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 01, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

I would watch that. Call it something like "The Making of the Mail System" and it shows the Exchange Dev guys working on the product and learning along the way. For exciting commercial scenes they could show someone typing a poor AD query or putting in an unchecked buffer copy. You could have big parties in bars where the geeks could look on and say things like, "can you believe they wrote that routine that way!?!?!"

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, March 01, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

I guess watching programmers code would be no more boring than any of the
other reality shows...how about Fear Factoring, or the Amazing Race
Condition ?
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, March 01, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields


Programming as taught by Catholic nuns! Father Djykstra and Sister Grace (Murray Hopper)! What a great concept. It could be a sitcom. Or even better a reality show (that way you don't have to pay those expensive script writers).

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
Contr InDyne/Enterprise IT
Sent: Tuesday, March 01, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Was that before or after they smacked your knuckles with a wooden ruler?
;)

If more places would teach coding like that, there'd be a lot more, better
code going around.

Dave 


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597DSN: 276-4597 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 01, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Robbie also says you should cut me a government check for $3.2 billion and I
should email you a copy of adfind and admod. You can list them as a hammer
and a screwdriver or a WoMD detector or something. 

If I had that kind of money to play with can you imagine the joeware that
would be available? OMG!

I would have to hire more coders. I would treat it like school, or at least the school I went through. If you write something bad you sit in a classroom with everyone watching the screen and the teacher says, "and this is an example of what Mr. Richards thinks is good code as he puts in 5000 characters into a buffer according to the specs needed to be 256 characters and it slowly self-destructs the machine. Mr. Richards, when I say in the spec the buffer should be 256 bytes, that doesn't mean make the buffer 256 bytes and leave it at that. I expect you to actually make sure no one puts more than 256 bytes in it!" Actually, I wish more college professors had taught that way. We also had fun times around integer overflows and other fun and interesting coding flaws like why M and m really aren't the same even though we don't pronounce them differently, etc.


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Tuesday, March 01, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

Buy-guy is Robbie Allen's label for me.

No, no kick back (Although they are a Maryland company), just think it is a
really effective tool for bulk administration.  I tend to be scripting /
LDIF challenged early in the AM, and late at night (Who am I kidding, I am
just scripting challenged). I have been able to automate so much work these
past two weeks using this tool, so I offer it as a possible solution.

Toddler  

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

A buy guy??

I would be happy to sell you a copy of adfind and admod if that is the only
thing holding you back. How much you want to spend on them?

In the meanwhile, you getting a kickback from Javelina? That has got to be the 4th post or so in a week where you have dropped that name. :)

  joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Tuesday, March 01, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The missing fields

For a cost conscious 

RE: [ActiveDir] Some thoughts on securing sensitive accounts....

2005-02-25 Thread Creamer, Mark
We built a fairly simple "break the glass" application that adds a person to the necessary group, logs the action, emails the security team, etc. Only members of a certain group can be elevated that way. Then all we do is log off, back on, and do the work. The membership expires in a couple of hours automatically.

mc
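The break-the-glass flow Mark describes (eligibility check, group add, audit log, mail to the security team, automatic expiry) can be reproduced with the ActiveDirectory PowerShell module on a forest where the Privileged Access Management optional feature is enabled, which is what makes time-bound membership available. The following is an added example, not the home-grown application from the post; the group names, mailbox and SMTP relay are assumptions for the example, and the PAM feature is a stated requirement rather than something the thread mentions.

```powershell
# Added example, not the application described in the thread. Time-bound
# "break the glass" elevation with the ActiveDirectory module. Assumptions
# (not from the thread): "Tier0-BreakGlass-Eligible" lists who may elevate,
# "Tier0-Admins" is the privileged group, secops@example.com and
# smtp.example.com exist, and the forest has the Privileged Access Management
# optional feature enabled (required for -MemberTimeToLive).

Import-Module ActiveDirectory

function Invoke-BreakGlass {
    param(
        [Parameter(Mandatory)][string]$User,         # sAMAccountName being elevated
        [Parameter(Mandatory)][string]$Reason,       # ticket / justification for the log
        [string]$EligibleGroup   = 'Tier0-BreakGlass-Eligible',
        [string]$PrivilegedGroup = 'Tier0-Admins',
        [timespan]$Ttl           = (New-TimeSpan -Hours 2),
        [string]$SecurityMailbox = 'secops@example.com',
        [string]$SmtpServer      = 'smtp.example.com'
    )

    $acct = Get-ADUser -Identity $User

    # Only members of the eligibility group may be elevated; -Recursive
    # resolves nested groups so the check cannot be bypassed by nesting.
    $eligible = Get-ADGroupMember -Identity $EligibleGroup -Recursive |
                Where-Object { $_.DistinguishedName -eq $acct.DistinguishedName }
    if (-not $eligible) {
        throw "$User is not a member of $EligibleGroup; elevation refused"
    }

    # The DCs enforce the TTL: the membership link expires on its own, and the
    # KDC caps the user's ticket lifetime at the remaining TTL, so there is no
    # scheduled-task cleanup to forget or to tamper with.
    Add-ADGroupMember -Identity $PrivilegedGroup -Members $acct -MemberTimeToLive $Ttl

    $expires = (Get-Date).Add($Ttl)
    $msg = "$env:USERDOMAIN\$env:USERNAME elevated $User into $PrivilegedGroup until $expires. Reason: $Reason"

    # Local audit trail plus a notification to the security team.
    if (-not [System.Diagnostics.EventLog]::SourceExists('BreakGlass')) {
        New-EventLog -LogName Application -Source 'BreakGlass'
    }
    Write-EventLog -LogName Application -Source 'BreakGlass' -EventId 4000 -EntryType Warning -Message $msg
    Send-MailMessage -To $SecurityMailbox -From 'breakglass@example.com' -SmtpServer $SmtpServer `
                     -Subject "Break-glass elevation: $User -> $PrivilegedGroup" -Body $msg

    # Return the membership as AD reports it, prefixed with the remaining TTL
    # in seconds (<TTL=nnnn,CN=...>), so the caller can verify the expiry.
    (Get-ADGroup -Identity $PrivilegedGroup -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "*$($acct.DistinguishedName)" }
}

# Usage: Invoke-BreakGlass -User alice -Reason 'INC-1234 DC replication failure'
```

The log-off/log-on step from the post still applies: group membership is evaluated when the user's token is built, so the new membership is not visible until a fresh logon. Whatever identity runs this function needs write access to the member attribute of the privileged group, which makes that identity (or service) Tier 0 itself; it has to be protected at least as well as the group it populates.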

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Francis Ouellet
Sent: Friday, February 25, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

How about a generic ent. admin account? One with an obscure name and 10 foot password? Only selected support/admin people have the password?

Just thinking out loud here. ;-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Renouf, Phil
Sent: 25 février 2005 15:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

What do you do when you have an AD support group than need access to Enterprise Admin privs if you only have one Enterprise Admin? I know I wouldn't want to be the only guy with those privs in the middle of the night on a weekend when I'm not on call ;)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some thoughts on securing sensitive accounts

  Then you have your actual Enterprise Admins and that should be a small group, maybe 2-5 people depending on your size (I worked on a team of 3 people and supervisor for a 250,000 user deployment).

So I'm assuming that you have more than 1 Enterprise admin in your root domain? Isn't that against all the white papers out there stating that you shouldn't have more than one ent. admin. in your forest and all other admins should be domain admins in their own respective domain? Or did you use enterprise admin as a generic term?

Thanks,
Francis

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, February 25, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Some thoughts on securing sensitive accounts


Hi folks,
 
I was thinking the other day of the best way to secure schema and enterprise admin accounts. What would you do if you had carte blanche to secure sensitive accounts in an enterprise directory?

First things that came to mind were using mandatory smart cards for SA and EA accounts kept in a safe where only designated employees knew the PINs. Any other thoughts?

Thanks!
Francis Ouellet
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] delegating group management

2005-02-22 Thread Creamer, Mark
Hi guys, I'm fairly sure I can do this. But thanks to recent security changes, I can no longer just fire up the delegation of authority wizard to make sure...can I grant the ability to manage membership of groups to a given group of user admins, without giving them the ability to change other attributes of the users themselves? I'm thinking the best way to do this is to place all the groups in an OU, and run the wizard to apply just the necessary permissions on those groups in the OU.

Mark Creamer
Systems Engineer
Cintas Corporation
The Service Professionals
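The approach in the question (collect the groups in one OU, then grant only what is needed on the group objects there) can be done without the wizard, which also makes the resulting ACE easy to review. The following is an added example, not from the thread: it grants the delegates read and write on the member attribute of group objects only, inherited from the OU, and then reads the ACL back. The OU distinguished name and the MYDOMAIN\GroupAdmins trustee are assumptions for the example.

```powershell
# Added example, not from the thread. Delegate "manage membership only" on
# every group under one OU to a group of junior admins with dsacls, then read
# the result back through the AD: drive. Assumptions (not from the thread):
# the OU is OU=DelegatedGroups,DC=my,DC=domain,DC=com and the delegates are
# MYDOMAIN\GroupAdmins.

Import-Module ActiveDirectory

$ou        = 'OU=DelegatedGroups,DC=my,DC=domain,DC=com'
$delegates = 'MYDOMAIN\GroupAdmins'

# /I:S            inherit-only ACE: applies to child objects, not the OU itself
# RPWP            read property + write property
# ;member;group   on the member attribute, for objects of class group only
# Users or anything else that ends up in the OU are untouched, so the
# delegates get no write on user attributes.
dsacls $ou /I:S /G "${delegates}:RPWP;member;group"

# Read back every ACE granted to the delegates on the OU and show what it
# covers. ObjectType is the schemaIDGUID of the attribute (member) and
# InheritedObjectType the schemaIDGUID of the class (group) it is limited to.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -eq $delegates } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-List
```

Write access to member lets the delegates put any principal, themselves included, into any group in that OU, so only groups whose membership they are genuinely allowed to control belong there. Groups protected by AdminSDHolder (Domain Admins, Account Operators and the rest of the protected set) must not be placed in the OU at all: SDProp rewrites their security descriptor from AdminSDHolder on its normal cycle, so any delegation on them would be stripped again anyway, and a delegation that did take effect would hand out a privilege escalation path.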

RE: [ActiveDir] Logon Scripts

2005-02-22 Thread Creamer, Mark
This would give you the results for everyone in the Users container, SAM ID and login script, with a | in between. Run from cscript or you'll get to click OK on each user! :-)

Dim OU, UserObj
Set OU = GetObject("LDAP://CN=Users,DC=my,DC=domain,DC=COM")
' Only enumerate user objects; CN=Users also holds groups, which have no LoginScript
OU.Filter = Array("user")

For Each UserObj In OU
    WScript.Echo UserObj.sAMAccountName & " | " & UserObj.LoginScript
Next

WScript.Quit

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Charlie Saliba
Sent: Tuesday, February 22, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon Scripts

Is there anyway to tell without clicking into each user's properties
to tell which logon script they use?

RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Creamer, Mark
I'm assuming by "convert" you mean "associate"? (i.e. given a user ID, show me the Full Name?)

You could use adfind (www.joeware.net)

adfind -b dc=mydomain,dc=com -gc -f objectCategory=person sAMAccountName Name

That returns something like: 

dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
name: Robert Smith
sAMAccountName: SmithR


mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 


[ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W32Time is a derivation of the NTP protocol, (is it SNTP maybe??). Anyway, nothing I've tried enables the Linux and Unix boxes to sync with this server. One article I read said it will not work, but you obviously can't rely on everything posted on the net :-)

Am I missing something, or do I need to maybe look at a 3rd party solution to handle all of the time services? What are some of you using for this situation? Thanks!

Mark Creamer

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Creamer, Mark
Interesting...Charlie's message just popped up in my inbox as well. Looks like time sync is a current hot topic. Eagerly awaiting thoughts from the group.

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Charlie Kaiser
Sent: Thursday, February 17, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time sync on non-domain W2K server?

I have a W2K3 AD domain. Gets its time synch from our Cisco switch,
which gets time from outside. Usually works OK; hiccups once in a while;
no big deal. I've run into an interesting problem, though. We have Cisco
VoIP phones, which display the time on the screen. A user complained
because the time was about 6 minutes different between the phone and her
PC. I started looking into it, took care of a few things, but came
across something I can't resolve.
Our Cisco Call Managers (W2K servers running Cisco call-handling apps)
are not members of the domain. Cisco documentation says they should be
stand-alone servers. I try and use net time /setsntp:switchIPaddress or
net time /setsntp:PDCEname. Either one works, but when I do a net time
/set, it fails with "Could not locate a time-server." Q243574 explains
that only the PDCe can do an external synch. So how do we get a
stand-alone machine to set the time? It's kind of important, because the
phones get their time display from the Call Managers' OS time.
Any ideas?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**