Re: [ActiveDir] Add or Remove Programs GPO
Might it be worth running something like Filemon and Regmon and checking what's happening?

On 1/26/07, Bart Van den Wyngaert wrote:
That opens the snap-in... So through the Control Panel it doesn't work, directly running the .cpl it does. Still don't understand it totally though...

On 1/25/07, Darren Mar-Elia wrote:
You would not get a permissions problem from that admin. templates policy. They just don't work that way. So my guess is it's something else. What happens, as administrator, when you run appwiz.cpl from a command prompt?
Darren

From: Bart Van den Wyngaert
Sent: Thursday, January 25, 2007 4:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add or Remove Programs GPO

I did, but the local Administrators group has full control on the file. And of course, my AD admin account is part of the local Administrators group on the workstations (naturally). That's the reason I absolutely don't have a clue: I don't see the relation between the restrictions put in place and the effect on the admin account, and when I start looking for that error message, I don't make progress either...

On 1/25/07, Grillenmeier, Guido wrote:
So what is the NTFS security on C:\WINNT\System32\rundll32.exe? The error message could naturally be a false hint, but might as well check it out.

From: Bart Van den Wyngaert
Sent: Thursday, 25 January 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add or Remove Programs GPO

No NTFS or other restrictions set in that GPO or the PC GPO. Only some other restrictions like no access to Control Panel, no Messenger, ... stuff. These apply to the specific Users OU + Computer OU, making a user/PC configuration for those PCs + users (certain department). My admin account is somewhere else entirely in the directory, without those GPOs applied to it. The restrictions in the Computer GPO are also not set to block the admin. I can drill down the Computer GPO if you want, as I don't see any relevant setting in it. Otherwise I would be blocking myself and that's just the point I don't want...
Thanks, Bart

On 1/25/07, Grillenmeier, Guido wrote:
What other things did you change in the same or other GPOs that apply to the machine you're logging on to as admin? If you've applied some lockdown GPOs for file-system permissions, those will also apply for your admins.
/Guido

From: Bart Van den Wyngaert
Sent: Wednesday, 24 January 2007 17:38
To: ActiveDir
Subject: [ActiveDir] Add or Remove Programs GPO

Hi, I've set a GPO for some users that restricts usage of Add or Remove Programs (User Configuration\Administrative Templates\Control Panel\Add or Remove Programs). This GPO is linked to a specific OU where those users reside. But now, even with admin accounts to which the GPO doesn't apply (totally different OU location and so on...), I have problems with opening the interface; it refers to security that is not correct on C:\WINNT\System32\rundll32.exe. Is this normal?! Did I miss something before setting this GPO?
Thanks, Bart

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
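The thread never settles on a cause, so here is an added diagnostic (not code from the thread or from any of the posters) that separates the two things it conflates. The "Remove Add or Remove Programs" user template writes a single registry value under the user's Policies key and nothing else; if the error names rundll32.exe, the file's NTFS ACL and the resultant set of policy for that logon are what to read. The policy key and value name are the ones that template sets; everything else is read from the machine it runs on. Run it on an affected workstation, logged on as the admin account that sees the error.

```powershell
# Added example, not from the thread. Checks where the "Remove Add or Remove
# Programs" user policy actually lands (a registry value, never a file ACL), then
# the NTFS ACL on the rundll32.exe that the error message names, then which GPOs
# reached this logon. Run as the affected admin account on an affected workstation.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$valueName = 'NoAddRemovePrograms'

$item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    "$valueName is not set for this user: the admin template is not applied to this logon."
} else {
    "$valueName = $($item.$valueName) (1 = Add or Remove Programs hidden for this user)."
}

# The error points at a file, so read that file's ACL rather than guessing.
$rundll = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$acl = Get-Acl -Path $rundll
"Owner of ${rundll}: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# A Deny entry, or no Read & Execute for Administrators/Users, would explain the
# error; a security template or a file-system setting in some GPO is the usual source.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    ForEach-Object { Write-Warning "Deny ACE on ${rundll}: $($_.IdentityReference) $($_.FileSystemRights)" }

# Resultant set of policy for the user half of this logon, verbose.
gpresult /scope user /v
```

If the value is absent but the ACL shows an explicit Deny or a stripped Read & Execute, the admin template was never the problem and the file-system or security-template settings in the GPOs listed by gpresult are where to look.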
Re: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.
Just curious. Are you sure it's not something like AV scanning network files on access? Generally once scanned they add them to a temp DB of known-good files to prevent scanning when accessed later. If so, that would explain slow performance when first accessing the files but better responses when accessing after manually mapping drives. Do you think it's worth looking at network traces to see if any SMB errors are occurring?

On 1/23/07, Laura E. Hunter wrote:
So I have a VBScript that I use to map a network drive to a DFS share, as follows:

    ' Map a drive letter to the DFS root (the share path is a placeholder)
    strDriveLetter = "S:"
    strBaseDrivePath = "\\domain name\dfs root\share name\"
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
    Set objNetwork = Nothing

When I map the DFS root using a drive letter using this code in a login script, I get isolated-but-consistent client reports of network latency when opening or saving a file; Word/Excel/whatever will choke up for a good 5 or 6 seconds at a time. If I disconnect the script-mapped drive and access this resource from the same machine using any other method:
* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line
...all latency goes away. It's not OS-specific as far as I can tell; the machines currently reporting the latency are a handful of XP SP2 and 2K SP4 machines that don't have much else unique in common. I've determined that it's not specifically DFS-related, as I've tested mapping directly to the physical server name instead of the DFS share name and produced identical results. Neither is it relevant that the script is being run as part of a login script/GPO, as running the script manually from an affected desktop also produces the same behaviour. So it's either a VBScript thing, or it's something client-specific that I haven't isolated on the half-dozen desktops that are experiencing the issue.
Google has thus far yielded no joy; has anyone run into this before?
--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
Re: [ActiveDir] OT: Who needs that much ram anyway?
All, put your hands up if you are using this hotfix to its full potential ;-) http://support.microsoft.com/kb/918844

On 1/16/07, Martin Tuip wrote:
I can think of quite a few situations. RAM is cheap as well compared to the early days.
Martin Tuip, Exchange MVP

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368
This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
[ActiveDir] OT: Vista BSOD with more than 2GB of RAM
All, sorry for the OT topic. I have a PC I use as my lab with VMs. It has Vista Ultimate and only has 2GB of RAM and was working fine. However I tried to upgrade the memory by using a 512MB module and the PC won't boot now. It blue screens with a message similar to KB 929777. I tried getting the hotfix from technet+ with no luck. Its stage is private and it won't be released until the 30th Jan. My Premier connection doesn't seem to allow download of the hotfix either. I would like to know before I try and escalate this whether there is anyone out there with a Vista RTM PC with more than 4GB of RAM. I have run memtest86 on my PC and it reports everything is working. However I'd appreciate it if I can get some confirmation that there are others who either have the issue or don't.
Cheers, M@
Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
Sorry! I meant to ask: is there anyone with a Vista RTM x86 PC with more than 2GB of RAM?
Thanks, M@

On 1/11/07, Matheesha Weerasinghe wrote:
[...]
Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
I didn't configure the memory dumps for this machine. I assume a kernel dump is preferred over a minidump? Either way I will check and let you know. Thanks for the reply.

On 1/11/07, Ken Schaefer wrote:
Yes - I have a Dell Precision that has 4GB RAM, and which has had both Vista x86 and x64 on it and it doesn't BSOD. The issue in the KB seems to be with devices that use DMA and you have more than 4GB of RAM. That used to cause issues on XP as well (which is why I believe SP2 for XP limited the amount of RAM that could be utilised to 4GB for 32-bit editions). STOP 0xA is pretty common. If you want a detailed explanation of what's going on, then check out Part 1 here: http://www.adopenstatic.com/cs/blogs/ken/archive/tags/Debugging/default.aspx Do you have minidump files handy? I'm happy to have a look if you want.
Cheers, Ken

From: Matheesha Weerasinghe
Sent: Thu 11/01/2007 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
[...]
Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
Sure ;-) I was just trying to get as much info as you needed the first time ;-) Sending the minidump offline.

On 1/11/07, Ken Schaefer wrote:
A minidump is 100kb, whilst a kernel dump is 150MB+. I would prefer you to email me an 80-100kb file in the first instance if that is enough to solve the problem :-)
Cheers, Ken

From: Matheesha Weerasinghe
Sent: Thu 11/01/2007 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM
[...]
[ActiveDir] OT: Vista Resource Monitor blank
Has anyone ever seen the Resource Monitor of Vista RTM blank, with no CPU/Mem/Disk etc. details at all? Last night I noticed when I used Resource Monitor it didn't display anything. Task Manager showed activity as expected but not the Resource Monitor. I assumed it was possibly due to the machine waking up from sleep but couldn't repro it.
Cheers, M@
Re: [ActiveDir] OT: Vista Resource Monitor blank
Yes I was. I often launch the Resource Monitor from Task Manager and it's not blank. But in this instance it was. So I find it hard to believe it's normal. Thanks for the reply anyway Laura.
Cheers, M@

On 12/15/06, Laura A. Robinson wrote:
Are you referring to Performance Monitor? If so, that's normal. You have to pick the objects and counters that you want to watch.
Laura

From: Matheesha Weerasinghe
Sent: Friday, December 15, 2006 5:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Resource Monitor blank
[...]
Re: [ActiveDir] DFS vs Robocopy question
How much data do you want to keep in sync between the distribution points?
Cheers, M@

On 12/6/06, Condra, Jerry W Mr HP wrote:
Hi all, I'm looking for feedback on a couple of scenarios for our environment. We have three W2K3 SP1 domains and WAN-separated regions in a couple of them. When deploying software, hotfixes and such I want to go to the 'distribution point' for that domain/region so as not to traverse the WAN for downloads. Each distribution point needs to mirror the others. Each region has an app server where we maintain these distribution points for downloads, patches and such, and currently this is managed manually as far as keeping each server identical to the others. I'm not familiar with DFS other than what it is and does, and have not configured or used it. Robocopy seems okay but also has a lot of configuration to deal with. DFS seems to be the best but I wanted to see what the experts thought. My concern is that if I create the DFS hierarchy I'd still be pointed to one server for the files. In reading the documentation I see multiple roots can be established, which I'm hoping would provide access to each regional distribution point and still replicate the latest uploads from one point to all others. Appreciate any feedback.
Thanks, Jerry
Re: [ActiveDir] BIND allow-update
http://research.microsoft.com/programs/up_content/bind.doc might be of use.

On 10/6/06, James wrote:
Easy question for the group - I have a forest root domain: msroot.company. I have a domain: company.com. We use BIND. My question: do I need an allow-update entry for both zones or just the forest root zone for proper dynamic update operation?
Thanks in advance, James
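The thread only points at a document, so as an added example (not from the thread or the linked paper) here is what the named.conf for the two zones in the question looks like when both accept AD dynamic updates from the domain controllers only. Both zones need it: a domain's DCs register their SRV and A records in their own domain zone, and every DC in the forest also registers its DSA GUID CNAME and the global catalog records under _msdcs.<forest root>, which lives inside the forest root zone unless _msdcs is delegated to its own zone. The zone names are the two from the question; the ACL addresses and file paths are placeholders.

```conf
// Added example, not from the thread. Zone names are the two from the question;
// addresses and file names are placeholders.

// Weak form seen in the wild: any host that can reach the server may add or
// overwrite records in the zone, DC SRV records included.
//   allow-update { any; };

// Restrict updates to the domain controllers. Windows DCs do not use BIND's
// shared-secret TSIG keys (they use GSS-TSIG), so a source-address ACL is the
// practical control here; it is only as strong as the anti-spoofing on the
// network path to the DNS server, so keep the update-capable hosts to the DCs.
acl "domain-controllers" {
    192.0.2.10;        // placeholder: DC for msroot.company
    192.0.2.20;        // placeholder: DC for company.com
};

// Forest root zone: receives updates from every DC in the forest (the _msdcs
// subtree), not only from the root domain's own DCs.
zone "msroot.company" {
    type master;
    file "master/msroot.company.db";
    allow-update { domain-controllers; };
};

// Domain zone: receives SRV/A registrations from company.com's DCs.
zone "company.com" {
    type master;
    file "master/company.com.db";
    allow-update { domain-controllers; };
};
```

If _msdcs.msroot.company is split out as its own zone, that zone needs the same allow-update and the forest root zone can be left without one only if nothing else registers into it.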
Re: [ActiveDir] ADSI programming
I wonder whether IronPython (http://www.ironpython.com/) is worth looking into in that case. I am no programmer but I have a hunch it might be to your liking.
Cheers, M@

On 9/15/06, Ramon Linan wrote:
Hi, I want to start programming in AD. I have experience programming with Python, PHP and VBA. Any suggestion on which language is more convenient to program ADSI with? I was going to use Python because it can be used in Windows, Mac or Linux/Unix.
Thanks, Rezuma
Re: [ActiveDir] Completely OT: Maroons
I've received blank posts here.
M@

On 9/4/06, Laura A. Robinson wrote:
Has anybody figured out what's causing the blank posts, or is it just me who got blank replies from Mark and Neil?
Thanks, Laura

From: Mark Parris
Sent: Monday, September 04, 2006 4:15 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Completely OT: Maroons
Re: [ActiveDir] Moving user accounts.
http://blog.joeware.net/2005/07/17/48/
M@

On 8/30/06, David Cliffe wrote:
Hi Jim, yes, I have found this to be true... there is no move object delegation. We have to use the create and delete. I wonder if that will change in future (I have a feeling it's been mentioned here several times before, but can't remember).
-DaveC

From: Kennedy, Jim
Sent: Wednesday, August 30, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving user accounts.

Am I correct that to delegate moving user accounts from OU to OU I will have to allow them the ability to delete accounts? It appears accounts work similarly to documents: a move is really a copy then delete.
Re: [ActiveDir] Agents on Domain Controllers
I see your point but unfortunately it doesn't seem so practical these days. For example any AV software you use these days will have an agent to get updates. Any software distribution mechanism and hardware health-checking software, enterprise management software, all require agents. The thing is we have to ensure we give sufficient rights for each one and ensure that if compromised it doesn't have sufficient rights to get elevated rights and access to AD or any other domain resource/server. I am reading the service account security planning guide at the moment: http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx . There is some good stuff here we can use for least privilege. It's tricky and takes time. It just takes time to ensure every vendor and every product finally supports it. Until that time comes we can only do our best.
M@

On 8/25/06, Akomolafe, Deji wrote:
Depends on what the agent is supposed to be doing, whether or not it's been proven stable or crappy, and whether or not your administrative/security philosophy allows such an agent to be deployed on DCs. AFAIK, there is no credible reason to mandate a blanket no-agent-on-DC security or operational posture.
Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com

From: [EMAIL PROTECTED]
Sent: Fri 8/25/2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Agents on Domain Controllers

Is it just me or does it seem like everyone wants to put an agent or 5 on Domain Controllers these days? Anyone know of any agents to steer clear of (besides all of them)?
Re: [ActiveDir] Agents on Domain Controllers
Somehow I read that and got an entirely different meaning. It may be due to the mood I am in right now. Then again a quick look at some of joe's blog comments will show how often I misread things. Hmm... Sorry Deji.
M@

On 8/25/06, Akomolafe, Deji wrote:
You seem to think I disagree with you, whereas we are both saying the same thing.
Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com

From: Matheesha Weerasinghe
Sent: Fri 8/25/2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Agents on Domain Controllers
[...]
Re: [ActiveDir] disable 200 users
To add to Deji's, you would then use the same list to get a

    FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn | dsmove -newparent OU=NEWDEST,DC=FQDN

where OU=NEWDEST,DC=FQDN is the FQDN of the new OU you want to move to. Please note your list of names must be unique. Test before doing this by ensuring the command below

    FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn >> textfilename.txt

gives you a list of DNs you really want to disable/move. Please check syntax and test before doing it for real on production servers!
Regards, M@

On 8/25/06, Akomolafe, Deji wrote:
You have a list to use as an input file. Read from that list and get the DN of each user. Then pass the DN to the script listed in this sample: http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

Or, in a batch file, do a For loop and read in the input file, then use dsquery to get the DN and pass that to dsmod to disable the accounts. Something like:

    FOR /F %%i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %%i -o dn | dsmod user -disabled Yes

Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com

From: Ramon Linan
Sent: Fri 8/25/2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] disable 200 users

Hi, I have been given a list of 200 users to disable and move to another OU. The users are not currently in the same OU but in many different OUs. I am trying to use the txt file that contains the list of users to be disabled. How can I do this?
I was trying to use the query tool that comes with AD Users and Computers to select the users but got nowhere with

    (|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user1)))
    (|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user2)))

etc.
Thanks, Rezuma
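The dsquery/dsmod loops above key on the object name with a wildcard-capable -name match and run the change on the first pass. As an added example (not code from the thread), the same job done with the ActiveDirectory module, keyed on sAMAccountName so that one line of the list can only ever match one account, searching the whole domain regardless of which OU the account sits in, and with a dry run that prints what would change before anything is disabled or moved. The list file path and the target OU DN are assumptions.

```powershell
# Added example, not from the thread. Disables every account named in a text file
# and moves it to one OU, with a dry run first.
# Assumed: C:\temp\names.txt holds one sAMAccountName per line; target OU DN below.
Import-Module ActiveDirectory

$listFile = 'C:\temp\names.txt'
$targetOU = 'OU=Disabled Users,DC=example,DC=com'   # assumed target OU
$dryRun   = $true                                   # set to $false only after reviewing the dry-run output

# Trim whitespace and drop blank lines so a stray empty line cannot turn into a lookup.
$names = @(Get-Content -Path $listFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
"Read $($names.Count) names from $listFile"

foreach ($name in $names) {
    try {
        # -Identity takes a sAMAccountName, which is unique per domain: no wildcard,
        # no LDAP filter to escape, and the lookup is domain-wide whatever the OU.
        $user = Get-ADUser -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "${name}: not found, skipped"
        continue
    }

    if (-not $user.Enabled -and $user.DistinguishedName -like "*,$targetOU") {
        "${name}: already disabled and in the target OU, nothing to do"
        continue
    }

    if ($dryRun) {
        "WOULD disable and move: $($user.DistinguishedName)"
        continue
    }

    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user -TargetPath $targetOU
    "Disabled and moved: $($user.DistinguishedName)"
}
```

Run it once with $dryRun left at $true, check that every printed DN is one you meant, then flip the switch. Disabling before moving means a failed move still leaves the account unusable rather than live in the wrong place.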
Re: [ActiveDir] Problem in AD
I'm afraid you need to give a little more detail than that. What do you mean by not able to communicate with AD?
M@

On 8/23/06, Pankaj Verma wrote:
Hi All, I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 and restarted DC02 and DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03 and after that everything is working fine. If somebody can tell me what could be the problem... and after that in Event Viewer I am getting errors Event ID 1030 and 1058, source Userenv.
Rgds, Pankaj Verma
Re: [ActiveDir] Secure LDAP queries from the outside
Check the firewall rules to ensure they are correct. Are the packets even getting to the DC? Personally I doubt it.
M@

On 8/22/06, Thommes, Michael M. wrote:
Hi, we are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

    adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2
    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
    LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
    Terminating program.

(extensionAttribute2 is used for the email address.) Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!
TIA, Mike Thommes
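An open port is not the same as a working LDAPS endpoint, which is the check the thread stops short of. A DC with no usable server-authentication certificate still listens on TCP 636, the TLS handshake then fails, and LDAP clients report exactly the 0x51 "Server Down" seen above. The following is an added example (not from the thread or from adfind) that does the TCP connect and the TLS handshake as two separate steps, from the outside host, and prints the certificate the DC presents. The host name is the one from the post; change it to your DC's FQDN.

```powershell
# Added example, not from the thread. Separates "port reachable" from "TLS
# handshake completes" and shows the certificate the DC presents on 636.
# Run from the client side of the firewall. Host name taken from the thread.

$Dc   = 'dc1.abc.com'
$Port = 636

# Record what the client thinks of the certificate instead of blindly trusting it;
# returning $true only keeps the handshake going so the details can be printed.
$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Dc, $Port)
} catch {
    throw "TCP connect to ${Dc}:${Port} failed (firewall rule, or nothing listening): $($_.Exception.Message)"
}
"TCP connect to ${Dc}:${Port} succeeded (this is all portqry proves)"

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # Pass the FQDN, not an IP: it is matched against the certificate's subject/SAN,
    # and that is what a real LDAP client validates as well.
    $ssl.AuthenticateAsClient($Dc)
} catch {
    $tcp.Dispose()
    throw "TLS handshake with ${Dc}:${Port} failed: $($_.Exception.Message). Check that the DC has a server-authentication certificate carrying its FQDN in the machine store."
}

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
"Protocol   : $($ssl.SslProtocol)"
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"
"Client-side validation result: $script:sslErrors (None = chain and name both check out)"

$ssl.Dispose()
$tcp.Dispose()
```

If the TCP step fails, it is the firewall; if the TCP step succeeds and the handshake fails, it is the DC's certificate, not the firewall; if both succeed but the validation result is not None, the outside client does not trust the issuing CA or the name does not match, and the LDAP client will refuse the session for the same reason.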
Re: [ActiveDir] LDAP Logon Name
Thanks Paul

M@

On 8/17/06, Paul Williams [EMAIL PROTECTED] wrote:
You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))

I've not read the whole thread, so can't discuss whether or not this is the best way to do what you want.

I will say I feel for you re. the HP documentation. I had some fun getting the AD iLO integration stuff to work because the guide wasn't very helpful at explaining what format and syntax things wanted. I found the help on the administration pages better, and simply tried a number of things that I thought should work.

--Paul

----- Original Message -----
From: Alex Alborzfard
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:22 PM
Subject: RE: [ActiveDir] LDAP Logon Name

Good catch, but the corrected query still didn't work!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Cace
Sent: Monday, August 14, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

In the error below, the LDAP filter is (&(objectclass=person)displayname=phelps,k*)). You missed the opening parenthesis before displayname.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Alborzfard
Sent: Monday, August 14, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

That was exactly the same as HP documentation. I'll try your filter and will post the result.

Thanks
Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

I assume you need a filter such as

(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))

I optimised the user object search and put an opening bracket when specifying the displayname.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:
According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
Error: Search: Filter Error. <87>
Server error: Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user.
--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] [OT] Longhorn Beta
Technet Plus

On 8/17/06, WATSON, BEN [EMAIL PROTECTED] wrote:
Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing?

~Ben
Re: [ActiveDir] ADFind Query
http://unxutils.sourceforge.net/

On 8/15/06, WATSON, BEN [EMAIL PROTECTED] wrote:
I'm familiar with grep on *nix, but didn't realize it was available on Windows. Where did you get your port of grep for Windows at?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, August 14, 2006 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

Yeah something like

adfind -sc s:* ldapdisplayname attributeid -csv | grep -i 1.3.6.1.4.1.14376

would work fine. But still... the OP is hopefully prefixing schema attributes and classes with a corporate value... Otherwise they could run into collisions with vendors with bad schema practices.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

If not, though less efficient, dump them all and pipe it through find …

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

You shouldn't be getting that error with that command... Even if the attribute name was incorrect you wouldn't get that error, you would get 0 objects returned as the query processor doesn't output errors because of incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs (or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

Simple question. I'm trying to perform a search to locate all the schema extensions that have been added in by our company. I thought some simple syntax like this would work to find all schema attributes with an attributeID prefixed with our OID.

adfind -schema -f attributeID=1.3.6.1.4.1.14376.* ldapdisplayname

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

I'm obviously missing something, any thoughts?

Thanks,
~Ben
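An added example, not joe's or AdFind's code, in Python: the OID-arc check that the `grep -i 1.3.6.1.4.1.14376` pipeline above approximates, run over a constructed CSV in the shape an `adfind ... -csv` dump takes. A plain substring match also accepts an unrelated vendor arc such as 1.3.6.1.4.1.143760, so the check requires the company prefix to end at a dot boundary. The column names, the "appsig" attribute names and every sample row are constructed.

```python
"""Inventory the schema attributes that live under a company's OID arc.

Input is a constructed CSV in the shape of `adfind -sc s:* ldapdisplayname
attributeid -csv` output; the rows are illustrative, not real schema data.
"""
import csv
import io

# The company arc from the thread; everything the company registered sits below it.
COMPANY_ARC = "1.3.6.1.4.1.14376"

# Constructed sample dump: two company attributes, one vendor attribute whose arc
# merely begins with the same digits, and one built-in Microsoft attribute.
SAMPLE_CSV = """\
"ldapDisplayName","attributeID"
"appsigEmployeeBadge","1.3.6.1.4.1.14376.1.1.1"
"appsigCostCentre","1.3.6.1.4.1.14376.1.1.2"
"vendorLookalike","1.3.6.1.4.1.143760.2.1"
"sAMAccountName","1.2.840.113556.1.4.221"
"""


def in_arc(oid: str, arc: str) -> bool:
    """True only if `oid` is `arc` itself or a descendant of it.

    OID arcs are dotted components, so the prefix must end at a component boundary:
    1.3.6.1.4.1.143760.2.1 is NOT under 1.3.6.1.4.1.14376 even though it starts with
    the same characters.
    """
    return oid == arc or oid.startswith(arc + ".")


def company_schema_objects(csv_text: str, arc: str = COMPANY_ARC) -> list:
    """ldapDisplayNames whose attributeID is inside the company arc, sorted."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted(r["ldapDisplayName"] for r in rows if in_arc(r["attributeID"], arc))


def substring_matches(csv_text: str, arc: str = COMPANY_ARC) -> list:
    """What a plain `grep -i <arc>` over the same dump would accept, for comparison."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted(r["ldapDisplayName"] for r in rows if arc in r["attributeID"])


if __name__ == "__main__":
    print("arc-aware:", company_schema_objects(SAMPLE_CSV))
    print("substring:", substring_matches(SAMPLE_CSV))
```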
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I don't think it can be moved. MS documentation suggests it cannot be.

M@

On 8/14/06, Peter Johnson [EMAIL PROTECTED] wrote:
Maybe the user moved it to another OU? Have you done a full forest search for the account?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Han Valk
Sent: 14 August 2006 12:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep logged in as Domain Admin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I also meant to view as Administrator. Not an account with domain admin rights. There are subtle differences in certain scenarios. I was assuming the ACLs on the object or the parent are possibly preventing you from viewing the object. But I doubt it's the case. You aren't using the list object (LO) right are you?

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep logged in as Domain Admin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
It's only in the forest domain IIRC ;-)

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
No??? Child domain.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

By the way you are looking for this on the forest root right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep logged in as Domain Admin.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it.

According to the AD Delegation appendices http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.

Han Valk.
Re: [ActiveDir] LDAP Logon Name
Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:
According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
Error: Search: Filter Error. <87>
Server error: Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] LDAP Logon Name
I assume you need a filter such as

(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))

I optimised the user object search and put an opening bracket when specifying the displayname.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:
According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
Error: Search: Filter Error. <87>
Server error: Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
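An added example in Python for the two "LDAP Logon Name" threads above (not code from the thread, from HP, or from ldp): a small RFC 4515 filter parser that reports the offset of the missing parenthesis ldp rejected with "Filter Error", plus a builder that escapes untrusted assertion values so a name typed into a device's LDAP settings cannot change the filter's structure. RFC 4515 reserves `\`, `*`, `(`, `)` and NUL inside values, and those are what the escaper encodes. The attribute names and the corrected filter follow the thread; the injected sample value is constructed.

```python
"""Parse and build RFC 4515 LDAP search filters such as
(&(objectCategory=person)(objectClass=user)(displayName=phelps, k*)).

The parser turns a filter into nested tuples and raises FilterError with the
offset of the first syntax problem; the builder escapes values so that
attacker-controlled input is always treated as data, never as filter syntax.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


class FilterError(ValueError):
    """Raised for malformed filter text; the message carries the byte offset."""


def escape_value(value: str) -> str:
    """Escape a literal assertion value (no wildcard semantics survive)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """Initial-substring assertion: only the trailing '*' we add is a wildcard."""
    return f"({attr}={escape_value(prefix)}*)"


def and_filter(*components: str) -> str:
    return "(&" + "".join(components) + ")"


def build_user_filter(display_name_prefix: str) -> str:
    """The corrected query from the thread with the prefix taken as data."""
    return and_filter(equals("objectCategory", "person"),
                      equals("objectClass", "user"),
                      starts_with("displayName", display_name_prefix))


def parse_filter(text: str) -> tuple:
    """Parse a complete filter; return ('&'|'|', [items]), ('!', item) or
    (cmp, attr, value) where cmp is one of '=', '>=', '<=', '~='."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text: str, i: int):
    if i >= len(text) or text[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(text):
        raise FilterError("unexpected end of filter after '('")
    op = text[i]
    if op in "&|":
        i += 1
        items = []
        while i < len(text) and text[i] == "(":
            i, sub = _parse(text, i)
            items.append(sub)
        if not items:
            raise FilterError(f"'{op}' needs at least one nested filter at offset {i}")
        if i < len(text) and text[i] != ")":
            # The failure from the thread: an assertion that is not wrapped in
            # its own parentheses directly after a nested filter.
            raise FilterError(f"expected '(' before nested assertion at offset {i}")
        node = (op, items)
    elif op == "!":
        i, sub = _parse(text, i + 1)
        node = ("!", sub)
    else:
        # A ')' inside a value must be escaped as \29, so the first literal ')'
        # always terminates the assertion.
        end = text.find(")", i)
        if end == -1:
            raise FilterError(f"unterminated assertion at offset {i}")
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise FilterError(f"malformed assertion {text[i:end]!r} at offset {i}")
        cmp = "="
        if attr[-1] in "<>~":
            cmp, attr = attr[-1] + "=", attr[:-1]
        node = (cmp, attr, value)
        i = end
    if i >= len(text) or text[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1, node


if __name__ == "__main__":
    print(parse_filter(build_user_filter("phelps, k")))
    try:
        parse_filter("(&(objectclass=person)displayname=phelps,k*))")
    except FilterError as exc:
        print("rejected:", exc)
```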
Re: [ActiveDir]
http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463&ad=554811USCA&ad=554808

I don't care what anyone says. That's a damn fine article. I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:
Alter ego! My thanks are due. Worked out a treat - so the GC's are not so ***'d as I thought. Any info on the concept of the phantoms though??

GT

Hey Robert,

In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as: HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is: HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the article... next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,

This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information: http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause.

Have a great day!

Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all,

am experiencing issues that I think attributable to the concept of Active Directory phantoms

the symptom is that when we open certain global groups the membership list comes out with grey icons

this is not all groups - affected ones being - Domain Users / Domain Computers

must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup??

I can for sure confirm that the GC port 3268 is open on the GC's

not sure why as the group / user members are in the same domain?

after the understanding of what is going on here is, of course, 'HOW DO WE FIX'??

technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue. would seem not in this case?

as a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.

help as always gladly received

GT
Re: [ActiveDir]
joe said pretty decent http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-) However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@

On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:
Why thank you … but who said otherwise? ;0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463&ad=554811USCA&ad=554808

I don't care what anyone says. That's a damn fine article. I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:
Alter ego! My thanks are due. Worked out a treat - so the GC's are not so ***'d as I thought. Any info on the concept of the phantoms though??

GT

Hey Robert,

In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as: HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is: HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the article... next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,

This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information: http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause.

Have a great day!

Robert Williams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all,

am experiencing issues that I think attributable to the concept of Active Directory phantoms

the symptom is that when we open certain global groups the membership list comes out with grey icons

this is not all groups - affected ones being - Domain Users / Domain Computers

must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup??

I can for sure confirm that the GC port 3268 is open on the GC's

not sure why as the group / user members are in the same domain?

after the understanding of what is going on here is, of course, 'HOW DO WE FIX'??

technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue. would seem not in this case?

as a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.

help as always gladly received

GT
Re: [ActiveDir]
I am still waiting for the other 5 parts!

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Re: [ActiveDir] LDAP Logon Name
All I did was fix your query. It seemed like you were trying to do a search for users who have phelps,k as the start of their displayname. I assume the printer wants a DN to do lookups. Any AD user should be able to bind. But I don't know what it does with the bind credentials. I've never configured a printer that needed to be given credentials to an LDAP directory. Does it look at who submitted the job and do a query for the person's email address and send them an email that it's done? I don't know. You need to tell us how the LDAP credentials are going to be used by the printer. Otherwise it may appear that we are not helpful. Which, I well may be not ;-) Sorry

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

Logon ID? Most likely the DN, but I need an account that can do the bind. Per HP documentation after running the search, I am supposed to find the search prefix, which should begin after the individual user's CN. This is the example right from documentation:

Dn: [EMAIL PROTECTED],OU=US,OU=Users,OU=Account,DC=americas,DC=cpqcorp,DC=net

I tried M@'s query, it worked… well kind of… it didn't generate an error, but got 0 entries on Matched DNs :( I also tried your tree view suggestion, but that didn't give me anything I could use for this printer. I don't see anything even close to it. I'm beginning to HATE LDAP and HP both!!!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 14, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Agreed. But does your printer search for the logon ID? I doubt it. Most LDAP authentication (I HATE that term) will use the DN of the user: cn=user,cn=users,dc=domain,dc=com would be default. From there it should be able to lookup the mail address in the directory. You should specify the service account it will use to bind to the directory and the password and it should be fine from there. To see that information, use ldp, and rather than search, use the tree view and navigate to it. (note: when the tree asks you for a dn value, leave it blank and press OK.)

Al

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, ((objectclass=person)displayname=phelps,k*)), NULL, 0, msg)
Error: Search: Filter Error. 87
Server error: Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result. Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] ADFind Query
I get the error Ben got with W2K. W2k3 doesn't give that error. The VM I have here is W2k3 with SP3.

M@

On 8/14/06, joe [EMAIL PROTECTED] wrote:

You shouldn't be getting that error with that command... Even if the attribute name was incorrect you wouldn't get that error, you would get 0 objects returned as the query processor doesn't output errors because of incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs (or more accurately 2.5.5.2/6 data types). Hopefully you guys prefixed all of the classes and attributes you added with a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

Simple question. I'm trying to perform a search to locate all the schema extensions that have been added in by our company. I thought some simple syntax like this would work to find all schema attributes with an attributeID prefixed with our OID.

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

I'm obviously missing something, any thoughts?

Thanks,
~Ben
Re: [ActiveDir] ADFind Query
The wildcard char is stripped according to the network trace for W2K. Hence the nosuchattribute result.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Re: [ActiveDir] ADFind Query
Scratch the previous comment. Here is the trace output. DSID-0C0905A4. Error 0x0057 (87) error processing filter.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Re: [ActiveDir] LDAP Logon Name
I took a quick look at the 9100C manual. It looks like it offers the ldap search facility to get a list of email addresses you want to send the attachment to. So you'd scan the doc, it'll make an attachment and send to an email address list obtained by an ldap query. You could also use the address books on the printer or type the destinations manually. Obviously in order to do the ldap query, it may need credentials. The credentials are almost certainly in DN format as Al said. Else it does it anonymously. Check the address book feature. I think most people will probably rather type destinations manually than do ldap searches ;-)

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

No you are definitely helpful. My best guess is that the printer wants to make sure you have a valid user account in AD, before letting you fire off an email from it. Reading further on HP LDAP doc, at LDAP Authentication configuration page, it instructs to:

- Input cn into the "Match the name entered with the LDAP attribute of" field.
- Find the device user email address in the LDP trace. Copy the attribute defining the email address. (A screenshot of ldp query result is shown as: 1> mail: [EMAIL PROTECTED];)
- Paste the attribute into the "Retrieve the device user's email address using attribute of" box.
- Find the device user display name in the LDP trace. Copy the attribute defining the display name. (A screenshot of ldp query result is shown as: 1> displayName: Phelps,K)
- Paste the attribute into the "Retrieve the device and name using the attribute of" box.
- Click Test LDAP Authentication. Input your username and password.

And this is just the first part. I save you the authentication manager configuration part. Hopefully this will give you an idea of what the heck they want!

Thanks
Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name
Re: [ActiveDir] ADFind Query
You are right. The 0.99.1pre1 release of wireshark was borked. I tried the latest release (Version 0.99.2) and it decodes correctly.

M@

On 8/15/06, joe [EMAIL PROTECTED] wrote:

You sure? That would be a client side item, not server side. I expect the tool decoding the LDAP query may not be decoding properly. I would recommend doing the query twice, once with wildcard, once without, then look at the actual bytes representing the query and see if they are identical. If the wildcard is truly being stripped, then they should be. If not, then it is likely a decode issue and not all that unusual.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 6:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query
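Added example (my code, not adfind or anything posted in the thread): the server-side lDAPDisplayName prefix search joe suggests, built with RFC 4515 escaping, plus a client-side arc-by-arc comparison for the attributeID/governsID case, where the server will not evaluate a wildcard on an OID-syntax attribute. The same helpers produce the well-formed AND filter that the ldp query in the LDAP Logon Name thread was missing. The schema entries are constructed sample data; the company arc 1.3.6.1.4.1.14376 is the one from Ben's message.

```python
import re

# Constructed sample of what a schema-NC query would return (not a real dump):
# (distinguishedName, selected attributes). The last entry sits under a
# look-alike arc that a plain text prefix match would wrongly accept.
SAMPLE_SCHEMA = [
    ('CN=joeware-Widget,CN=Schema,CN=Configuration,DC=example,DC=com',
     {'lDAPDisplayName': 'joewareWidget', 'attributeID': '1.3.6.1.4.1.14376.1.1'}),
    ('CN=joeware-Gadget,CN=Schema,CN=Configuration,DC=example,DC=com',
     {'lDAPDisplayName': 'joewareGadget', 'governsID': '1.3.6.1.4.1.14376.2.1'}),
    ('CN=Display-Name,CN=Schema,CN=Configuration,DC=example,DC=com',
     {'lDAPDisplayName': 'displayName', 'attributeID': '2.16.840.1.113730.3.1.241'}),
    ('CN=Lookalike,CN=Schema,CN=Configuration,DC=example,DC=com',
     {'lDAPDisplayName': 'lookalike', 'attributeID': '1.3.6.1.4.1.143760.1'}),
]


def escape_filter_value(value):
    """RFC 4515 escaping for a literal assertion value; '*' becomes \\2a, so
    the only wildcard in a filter is the one prefix_filter appends itself."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\' or ord(c) < 0x20 else c
                   for c in value)


def prefix_filter(attr, prefix):
    """Server-side substring filter '(attr=prefix*)', valid for string
    syntaxes such as lDAPDisplayName or displayName."""
    return '(%s=%s*)' % (attr, escape_filter_value(prefix))


def and_filter(*terms):
    """Wrap terms in an LDAP AND, e.g. the corrected form of the ldp query
    from the printer thread: (&(objectClass=person)(displayName=phelps,k*))."""
    return '(&' + ''.join(terms) + ')'


_OID_RE = re.compile(r'^\d+(\.\d+)*$')


def oid_arcs(oid):
    """Split an OID into integer arcs, rejecting anything that is not one
    (a trailing '*' is not an OID, which is why the server refuses it)."""
    if not _OID_RE.match(oid):
        raise ValueError('not an OID: %r' % oid)
    return tuple(int(a) for a in oid.split('.'))


def oid_under(oid, root):
    """True if oid sits strictly beneath root, compared arc by arc, so
    1.3.6.1.4.1.143760.1 is NOT under 1.3.6.1.4.1.14376. A trailing '.' on
    root is tolerated because people write the prefix that way."""
    o, r = oid_arcs(oid), oid_arcs(root.rstrip('.'))
    return len(o) > len(r) and o[:len(r)] == r


def company_schema_objects(entries, root_oid):
    """Client-side stand-in for the impossible attributeID=1.3.6.1.4.1.14376.*:
    pull attributeID/governsID for every schema object and keep those under
    the company arc. Returns lDAPDisplayNames in directory order."""
    hits = []
    for _dn, attrs in entries:
        oid = attrs.get('attributeID') or attrs.get('governsID')
        if oid and oid_under(oid, root_oid):
            hits.append(attrs['lDAPDisplayName'])
    return hits
```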
Re: [ActiveDir] Netlogon and SYSVOL after Restore
Check the File Replication Service event log for more details. This is a non-authoritative restore of FRS. So it is trying to sync with a replica to ensure the sysvol content is up to date. I assume you have more than one domain controller in this domain. Once it syncs, it will bring it online.

I've never worked with a single domain controller domain. But I'd expect it to be clever enough to know that if there is no other replica, to just come online, as the non-auth restore is in effect an auth restore as well. If you have more than one domain controller and you restore this on a network with no access to the repl partners, I don't think it will come online because it will never be able to reach a replica. Unless of course you chose the primary restore option for SYSVOL, in which case it will just come online.

Post more details from the FRS event log if it doesn't come online.

Cheers
M@

On 8/10/06, Salandra, Justin A. [EMAIL PROTECTED] wrote:

We have restored a Domain Controller and on reboot we noticed that the Netlogon and the SYSVOL folders exist but are not shared. Is this normal, should we share them out ourselves or will it happen automatically?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question
If you look in the AD Delegation document http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en it shows the adminsdholder has permissions defined for the terminal server license servers group. It's allowed to view a terminalserver attribute that is defined on the user object and hence inherited by other classes based on it such as computer. I am not aware of the importance of the terminalserver attribute. But judging by the msdn explanation it looks like something maintained for backwards compatibility. I can't view the site right now as it's blocked by my corp's net nanny software as an adults only site. Go figure! But I remember it said something about opaque data and Windows NT.

I cannot see any harm with adding your license servers to the group. But then check with others before doing and test in a lab to see if there are any known issues. Might want to read http://support.microsoft.com/kb/895151/en-us as well. If you want some good details on terminal server licensing please refer to this doc http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx here.

I have a domain based TS License server and it shows up just fine in lsview if launched from a machine in the same site as the license server. If launched from a different site I get the same results as yours. Green with no server names. I enabled the log file and configured lsview to check for a license server every 1 minute and all it's logged is checking the local machine to see if it's a domain license server. It's not so it failed. No messages about being able to find the correct domain license server. If I do this on a machine in the same site as my domain license server, it immediately logs the fact that it found it.

I don't have any enterprise license servers to test with so can't comment. I also haven't done any network traces either so I am not sure if it is indeed doing the license server discovery as a normal TS Client would at logon time. Might do later if I get the time.

Regards
M@

On 8/6/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Hi Freddy,

Thanks for the feedback. But I get the same result from the W2K lsview.exe. And this is running these tools right on the license server/domain controller! I am thinking that I need to manually populate the AD group Terminal Server Licensing Servers. Conversely, I hate making changes when there are no known problems.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Sunday, August 06, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi Mike

I had the same problems in which I actually logged a pss call on, try using the windows 2000 resource kit version of lsview.exe and it works fine. Basically if I remember this correctly using the win2003 lsview.exe it will only detect it if your machine is in the same site as the tsls server, if you are running the lsview on a machine that is outside the site, it wouldn't detect it. No solution, fed up with the answers I was getting - closed the ticket (as I thought this only occurs in my ex company, apparently now I'm getting the same result as well)

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates but the spotlight icon shows green (ie, everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,
Mike Thommes
Re: [ActiveDir] LDAP Ping
Nope. Me too. I know Tony said no me too posts but I can't help it here.

M@

On 8/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

Am I the only one receiving blank messages from Mark?

On 8/4/06, Mark Parris [EMAIL PROTECTED] wrote:
Re: [ActiveDir] LDAP Ping
Why not use ldp.exe and just try connecting? Or you could also use adfind and do a rootdse lookup when you want at regular intervals and check the output? Well, it's what I'd do. But someone may have a better suggestion. I'd run a netmon/ethereal/wireshark session as well to see what happens when the ldap open/bind is done.

Cheers
M@

On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED] wrote:

Hey all,

Does anyone know of a command line utility that allows you to test ldap connections? We have a dc that hangs, but remains pingable and I would like to do ldap pings to it as well as rpc pings. I know about the rpc ping utility, but I wanted to test for ldap connectivity as well. Does anyone know of a utility like this?

Thanks,
Nate
Re: [ActiveDir] LDAP Ping
But you are troubleshooting it right? ;-)

Cheers
M@

On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED] wrote:

It's not for troubleshooting, it's so we can tell when the DC is hung. You can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve ldap queries, and then I can rpc ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.

Nate

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping

So you ldap ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue? I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response.

My 2 penneth :)

neil

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping
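Added example (my code, not from the thread or any tool named in it): a standard-library probe that does what "use ldp.exe and just try connecting" does, a TCP connect followed by one base-scope RootDSE search, and tells a DC that refuses connections apart from one that accepts TCP but never answers LDAP, which is the hung-but-pingable case Nate describes. The BER encoding is hand-rolled so the request bytes are visible; the host in any call is whatever DC you point it at.

```python
import socket

# Attributes worth asking for: currentTime proves the DSA answered; isSynchronized
# and dnsHostName say which DC you actually reached and whether it is usable.
ROOTDSE_ATTRS = ('currentTime', 'isSynchronized', 'dnsHostName')

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    """One TLV: tag octet, length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER for the small non-negative values used here (ids, limits)."""
    assert 0 <= value < 0x80
    return ber(0x02, bytes([value]))

def rootdse_search_request(message_id=1, time_limit=5):
    """LDAPMessage { messageID, SearchRequest } reading the RootDSE: base "",
    scope base, filter (objectClass=*); the read ldp.exe does on connect."""
    search = (
        ber(0x04, b'')                # baseObject "" = RootDSE
        + ber(0x0a, b'\x00')          # scope: baseObject
        + ber(0x0a, b'\x00')          # derefAliases: neverDerefAliases
        + ber_int(0)                  # sizeLimit: none
        + ber_int(time_limit)         # timeLimit: seconds the server may spend
        + ber(0x01, b'\x00')          # typesOnly: FALSE
        + ber(0x87, b'objectClass')   # filter: present [7] "objectClass"
        + ber(0x30, b''.join(ber(0x04, a.encode()) for a in ROOTDSE_ATTRS))
    )
    return ber(0x30, ber_int(message_id) + ber(0x63, search))  # [APPLICATION 3]

def ber_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, payload, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def ber_children(payload):
    """All (tag, payload) pairs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = ber_read(payload, pos)
        out.append((tag, val))
    return out

def first_message(data):
    """First complete LDAPMessage in data, or None while bytes are still missing."""
    try:
        _, _, end = ber_read(data)
    except IndexError:
        return None
    return data[:end] if end <= len(data) else None

def parse_rootdse_entry(message):
    """attribute -> [values] from a SearchResultEntry (0x64); {} for anything else."""
    tag, body, _ = ber_read(message)
    assert tag == 0x30
    (_, _mid), (op_tag, op) = ber_children(body)[:2]
    if op_tag != 0x64:                # e.g. 0x65 SearchResultDone carries no entry
        return {}
    _dn, (_, attrs) = ber_children(op)
    result = {}
    for _, partial in ber_children(attrs):
        (_, name), (_, vals) = ber_children(partial)
        result[name.decode()] = [v.decode() for _, v in ber_children(vals)]
    return result

def ldap_probe(host, port=389, timeout=5.0):
    """'ok', 'refused', 'connect-timeout', 'hung' or 'error'; 'hung' is the
    thread's case: the DC accepts TCP but never returns an LDAP result."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return 'connect-timeout'
    except OSError:
        return 'refused'
    with sock:
        sock.sendall(rootdse_search_request(time_limit=max(1, int(timeout))))
        data = b''
        try:
            while first_message(data) is None:
                chunk = sock.recv(4096)
                if not chunk:         # closed without answering
                    return 'hung'
                data += chunk
        except socket.timeout:
            return 'hung'
    attrs = parse_rootdse_entry(first_message(data))
    return 'ok' if 'currentTime' in attrs else 'error'
```

Run it from the monitoring box against each DC; because it reads only the RootDSE it needs no credentials, and a 'hung' result is exactly the state ICMP-only monitoring misses.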
Re: [ActiveDir] Using a secret administrator account
Well from what I've understood, I don't think your secret administrator is going to be useful in scenarios where you get issues with token limits. In those instances, the only account that is guaranteed to work is the default built-in administrator account. Even if it's disabled, you can still use it in Safe mode with Networking. Check http://www.microsoft.com/downloads/details.aspx?familyid=22dd9251-0781-42e6-9346-89d577a3e74adisplaylang=en for details.

Instead you should look to reducing the number of domain administrators in the domain and limiting them to a few trusted users. Auditing will show when passwords are changed on the default administrator account.

HTH
M@

On 8/4/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

What is the general consensus on the use of back up admin accounts? This is an account that is hidden to most users and has elevated privileges in the domain. The purpose of the account is to be able to quickly react to an attack on the Domain Admin accounts either by a malicious user, or a bug in a process. The built in Administrator account is a huge target and it's easy to find even if you rename it. It can't be deleted but the password can be changed which can cause a lot of trouble. That's why I'm starting to think about this.

Thanks
Re: [ActiveDir] OT: NTLM troubleshooting info
Many thanks for the link mate.
M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:
There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html. I'm not sure if it will meet your needs or not. I think there are some others around as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: NTLM troubleshooting info

Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.
Cheers
M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:
Might sspi_workbench (from TechNet) be useful for this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys
Does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)) fall back to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.
Cheers
M@
Re: [ActiveDir] DNS oddities?
Ha ha! So would I be correct in assuming netlogon registers the _ldap and _gc records, the KDC registers the _kerberos and _kpasswd records, and the DHCP client does the A record etc.. or am I way off?
Cheers
M@

On 8/1/06, joe [EMAIL PROTECTED] wrote:
> If it works for a subset of records, why not for all?
Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the Kerberos tickets for the services.
> Just would have been nice to see some consistency in the results.
Oh now you are just asking for the moon ;o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyways, I tried repro'ing. The 1st time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted dhcpclient. Did the A record but not the SRV records (excluding the ones beneath _msdcs which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of both restarting netlogon and dhcpclient is required. Then deleted and recreated the zone, restarted the client DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared minus the A record. Restarted dhcpclient again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:
I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All
Can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A. I am puzzled, as if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone.
Thoughts?
Cheers
M~
Re: [ActiveDir] DNS oddities?
Thanks Neil. That makes a lot of sense.
Cheers
M@

On 8/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
netlogon is responsible for all SRV records and the DHCP client is responsible for the A record.
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: 01 August 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Ha ha! So would I be correct in assuming netlogon registers the _ldap and _gc records, the KDC registers the _kerberos and _kpasswd records, and the DHCP client does the A record etc.. or am I way off?
Cheers
M@

On 8/1/06, joe [EMAIL PROTECTED] wrote:
> If it works for a subset of records, why not for all?
Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the Kerberos tickets for the services.
> Just would have been nice to see some consistency in the results.
Oh now you are just asking for the moon ;o)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyways, I tried repro'ing. The 1st time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted dhcpclient. Did the A record but not the SRV records (excluding the ones beneath _msdcs which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of both restarting netlogon and dhcpclient is required. Then deleted and recreated the zone, restarted the client DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared minus the A record. Restarted dhcpclient again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:
I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All
Can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A. I am puzzled, as if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone.
Thoughts?
Cheers
M~
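An added example, not part of the thread or written by any of its participants: a PowerShell check that verifies which of a DC's expected DNS records are actually present in its zone, grouped by the service that registers them (netlogon for SRV, DHCP Client for A), since the thread shows netdiag /test:dns reporting OK while the A record was missing. It assumes Resolve-DnsName (Windows 8 / Server 2012 and later), a child domain named child.corp.example, a DC named dc01 and the parent DC/DNS as the server to query; change the parameters to match your own names.

```powershell
# Added example (not from the thread). Assumed names: child.corp.example, dc01,
# parent DNS dc01.corp.example; adjust via the parameters.
param(
    [string]$DomainFqdn = 'child.corp.example',       # assumed child domain
    [string]$DcHost     = 'dc01',                     # assumed child DC short name
    [string]$SiteName   = 'Default-First-Site-Name',  # site the DC lives in
    [string]$DnsServer  = 'dc01.corp.example'         # assumed parent DC/DNS hosting the zone
)

$dcFqdn = "$DcHost.$DomainFqdn"

# Records the thread attributes to each service: SRV records come from netlogon,
# the host A record from the DHCP Client service.
$expected = @(
    @{ Name = $dcFqdn;                                   Type = 'A';   Owner = 'Dhcp (DHCP Client)' },
    @{ Name = "_ldap._tcp.$DomainFqdn";                  Type = 'SRV'; Owner = 'Netlogon' },
    @{ Name = "_kerberos._tcp.$DomainFqdn";              Type = 'SRV'; Owner = 'Netlogon' },
    @{ Name = "_kpasswd._tcp.$DomainFqdn";               Type = 'SRV'; Owner = 'Netlogon' },
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainFqdn";        Type = 'SRV'; Owner = 'Netlogon' },
    @{ Name = "_ldap._tcp.$SiteName._sites.$DomainFqdn"; Type = 'SRV'; Owner = 'Netlogon' }
)

$missing = @()
foreach ($rec in $expected) {
    try {
        # -DnsOnly bypasses the local cache/hosts file so we see what the zone really holds.
        $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
    } catch {
        $answers = @()   # NXDOMAIN or no answer: treat as missing
    }

    # For SRV names, require that THIS DC is among the targets; another DC having
    # registered the same name does not prove this one did.
    $present = if ($rec.Type -eq 'SRV') {
        @($answers | Where-Object { $_.NameTarget -ieq $dcFqdn }).Count -gt 0
    } else {
        @($answers | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    }
    if (-not $present) { $missing += $rec }
}

if ($missing.Count -eq 0) {
    Write-Output "All expected records for $dcFqdn are present on $DnsServer."
} else {
    foreach ($m in $missing) {
        Write-Output ('MISSING {0,-4} {1}  (registered by {2})' -f $m.Type, $m.Name, $m.Owner)
    }
    Write-Output 'Restart the service that owns each missing record (Restart-Service Netlogon / Restart-Service Dhcp) and re-run this check.'
}
```

Run it from a box that can reach the parent DNS server; a MISSING line for the A record with all SRV records present reproduces exactly the state the thread describes.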
[ActiveDir] OT: NTLM troubleshooting info
Guys
Does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)) fall back to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.
Cheers
M@
Re: [ActiveDir] OT: NTLM troubleshooting info
Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.
Cheers
M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:
Might sspi_workbench (from TechNet) be useful for this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys
Does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)) fall back to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection. Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.
Cheers
M@
Re: [ActiveDir] DNS suffix resolution..
I assume you are using WINS and the DCs of the child and parent domains are registered there. Therefore the NetBIOS names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work?

I think your issue is that you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you haven't disabled the default behaviour, haven't modified this through GPOs etc... You can also specify a list of search suffixes to go through in a certain order if you wish.
M@

On 7/30/06, HBooGz [EMAIL PROTECTED] wrote:
I have a forest with one forest root and one child domain. The child domain is running Windows 2000 SP4 and the HQ sites are running Windows 2003 R2 Standard. I have the child domain controller set up as an AD-integrated zone and I have the 2003 DNS servers set up to receive that zone as a secondary zone. If I don't include the suffix search order on the NIC cards' DNS entry page, I just resolve the NetBIOS names of the hosts at the remote site. For example:
hq = company.com
child domain = sales.company.com
When I initiate a ping from any host at HQ to a host in the child domain I only resolve the NetBIOS name. How can I resolve this? I've tried setting up DNS name delegation in the past when I was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.
thanks,
--
HBooGz:\
Re: [ActiveDir] DNS oddities?
Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyways, I tried repro'ing. The 1st time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent and recreated a secure update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted dhcpclient. Did the A record but not the SRV records (excluding the ones beneath _msdcs which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of both restarting netlogon and dhcpclient is required. Then deleted and recreated the zone, restarted the client DC. All DDNS update records were refused. Restarting dhcpclient was also not working, with all records refused. After a while some of the records appeared minus the A record. Restarted dhcpclient again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:
I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -
1. reboot the new DC one more time
2. or -
   a. temporarily configure the zone to permit non-secure updates
   b. on the new DC, run ipconfig /registerdns or restart the DHCP client
HTH
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All
Can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A. I am puzzled, as if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone.
Thoughts?
Cheers
M~
Re: [ActiveDir] [OT] Can I add an index in AD using an LDIF file?
I hear Bill and Melinda are very charitable. Not sure if they'd wanna adopt a 6 foot 1 uber geek though. ;-)
M@

On 7/29/06, joe [EMAIL PROTECTED] wrote:
LOL. This was catch up week. I took it off from work and ran around the house getting stuff fixed up etc and was only so so watching email. I also went to Cedar Point but that was quite the let down. It has gotten pretty run down and the clientele is interesting now to say the least. Kind of sad as it can be an incredibly fun place.

Anyway, when my task list in OneNote starts causing memory paging on my PC I figure I need to do a little catchup and take off time so I don't have any distractions so I can do so. Now I am sitting here, resting up from putting down some more grass seed and fertilizer in the 98 degree (37C for you metric folks) weather sucking down a rootbeer float and not looking forward to going back to work on Monday. I need to be independently wealthy already. I need to go find and adopt some rich parents.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can I add an index in AD using an LDIF file?

Hey, I can post this one ahead of joe? joe must be busy or somethin' :)
I believe this is what you're looking for: http://rallenhome.com/books/adcookbook/code.html (see chapter 10 section for the vbs, ldif, and perl sections)

On 7/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I realise I could do this via the UI but I want to create a single LDIF which will:
Add new attributes
Make new attributes available to User class
Add new indexes
The last point evades me so far and the RFC appears to indicate that this is not supported(?)
Any ideas?
neil
[ActiveDir] DNS oddities?
All
Can someone please explain the following observation? Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only. Installed a new child domain and pointed it to the root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A. I am puzzled, as if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything required as OK even though the A record is missing in the child domain zone.
Thoughts?
Cheers
M~
Re: [ActiveDir] R2 In-Place Upgrade bug ?
So it works while it's W2K3-SP1 but then breaks once upgraded to R2? What did you mean by incoming connections? Did you just mean ICMP, or actual connections like to certain services? Are the other DCs allowing incoming ICMP echo requests and allowing replies out? Are they also W2K3-SP1? I assume there is no other firewall software from third-party AV or anything else installed.

Just an idea. Is it worth checking rsop.msc for Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile and Standard Profile/Allow ICMP exceptions? Sounds to me like a Security Configuration Wizard was run on it. I'd wait for someone more knowledgeable to say something if I were you ;-) Still, it doesn't hurt to check.
Cheers
M@

On 7/29/06, HBooGz [EMAIL PROTECTED] wrote:
Morning to all -
I just spent the last 6 hours with the Dell gold software support team trying to figure out the following occurrence:
The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet serverip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. Outbound traffic and ICMP work fine, inbound ICMP returns a time out.

Scenario:
Windows 2000 SP4 DC in-place upgrade to Windows 2003 SP1 then upgrade to R2.
Connections to and from the box were fine on 2003 SP1.
Downgraded NIC drivers to match the other R2 DC on identical server hardware/model.
Installed new NIC drivers and PROSet.
Upgraded to R2.
Rebooted and noticed a ton of errors with services hanging upon boot.
Checked connection to the box from workstations and servers, but all requests timed out.
I made sure ICF was disabled.
I disabled IPSEC and entered the dword value for ProhibitIpSec - nothing.
I then enabled ICF and configured exceptions - explicitly allowing ICMP, and still nothing.
Reset the TCP/IP stack and winsock using netsh - nothing.
Server has two NICs, one of which is disabled. Changed binding order so the active one is on top -- nothing.
Reinstalled the binaries of Windows 2003 SP1 and upgraded to R2 again -- nothing.
I'm at a loss for ideas and sure could use the vast resources the contributors of this group may have or know of.
Thanks,
--
HBooGz:\
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I don't think it's SCW anymore. Admittedly I haven't used SCW but I am aware of it. If policies were applied, the change logs will be in %windir%\security\msscw\ChangeConfigurationLogs. If I understand correctly, port 445 must be open because your file shares and the like are accessible. According to the GPO help docs that means ICMP is also allowed by the server.

quote
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
/quote

When you say you can't ping from the main office, are you talking of workstations/servers that belong to the same subnet as the DC they are pinging? I assume you did a trace to see ICMP coming into the server and whether it's leaving the server. I'm curious now as to what's happening.
M@

On 7/29/06, HBooGz [EMAIL PROTECTED] wrote:
I applied no post SP-1 fixes, but I would imagine it's worth a try.
Do you guys want to hear something even more mind-boggling? I can ping the server from workstations outside the main office!!! I've remotely connected to workstations at our IPSEC VPNs to test login times and email access, and pinged the problematic server just fine!!! arghhh

Matheesha:
By incoming connections I mean services that somehow are not defined to the server. I run a repadmin /replsum from another DC and it shows no errors. I run a dcdiag /s:problemserver with no problem. So it means that directory service traffic is allowed, but when I try to Dameware (TCP port 6129) to the machine it times out, and when I try to ping the box I get nothing from the main office! I checked the IPSEC domain and Standard profile and made sure no IPSEC policies were applied. If it's the SCW -- how do I look at it? Could it someway be my Checkpoint firewall at the local site? How in the world can it accept ICMP from other workstations (Win2K Pro) at my remote VPN sites?

On 7/29/06, Kurt Falde [EMAIL PROTECTED] wrote:
Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues, from a couple of times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx.
Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Saturday, July 29, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 In-Place Upgrade bug ?

Morning to all -
I just spent the last 6 hours with the Dell gold software support team trying to figure out the following occurrence:
The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet serverip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. Outbound traffic and ICMP work fine, inbound ICMP returns a time out.

Scenario:
Windows 2000 SP4 DC in-place upgrade to Windows 2003 SP1 then upgrade to R2.
Connections to and from the box were fine on 2003 SP1.
Downgraded NIC drivers to match the other R2 DC on identical server hardware/model.
Installed new NIC drivers and PROSet.
Upgraded to R2.
Rebooted and noticed a ton of errors with services hanging upon boot.
Checked connection to the box from workstations and servers, but all requests timed out.
I made sure ICF was disabled.
I disabled IPSEC and entered the dword value for ProhibitIpSec - nothing.
I then enabled ICF and configured exceptions - explicitly allowing ICMP, and still nothing.
Reset the TCP/IP stack and winsock using netsh - nothing.
Server has two NICs, one of which is disabled. Changed binding order so the active one is on top -- nothing.
Reinstalled the binaries of Windows 2003 SP1 and upgraded to R2 again -- nothing.
I'm at a loss for ideas and sure could use the vast resources the contributors of this group may have or know of.
Thanks,
--
HBooGz:\
Re: [ActiveDir] cn=meetings
Thanks

On 7/27/06, Free, Bob [EMAIL PROTECTED] wrote:
MS NetMeeting uses the Meetings container to publish network meeting objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Thursday, July 27, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] cn=meetings

All
Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?
Cheers
M@
[ActiveDir] cn=meetings
All
Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?
Cheers
M@
Re: [ActiveDir] ldp in ADAM-SP1
Thanks Guido. That helps a lot. I was going to create the role structure but leave them unpopulated and do most of the work myself. I.e. I am all roles!! I was then going to populate them as and when I found skilled and trusted chaps. I'll keep it very simple now.
Cheers
M@
P.S. Thanks again to everyone that read and responded.

On 7/26/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Well, do as you should always do to ensure that your systems are maintainable: keep it simple! Don't introduce extra complexity if you don't require it. For AD ACLing this means: don't introduce roles and permissions for users if you do not need that role - there is certainly no need to implement all the roles that are described in the delegation whitepaper to maintain a stable AD infrastructure.

Most ACLing issues that I have come across were in companies that granted their delegated admins the rights to create OUs underneath their location specific OU - soon afterwards they had an AD structure with OUs and permissions that looked like a badly managed file-server... So the issue is not so much setting ACLs in AD (which as discussed can be a complex task to do right, depending on your needs), but more controlling who is allowed to set ACLs. This should be done centrally by domain and/or enterprise admins. As a rule of thumb you should not grant any non-domain or enterprise admin the rights to create OUs and also limit the rights to create any other objects (especially groups) to very few delegated admins. Less critical is delegating the ability to manage existing objects (e.g. to reset the PW of a user, mail-enable users and groups, change membership of groups, etc). I also consider the rights to create computer objects as low risk (which is usually required by local desktop admins in branch offices).
/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, July 25, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Thanks to Al and Guido for your further input. Even though it may seem pretty obvious, I would like to know of any horror stories due to AD ACL'ing if possible. The reason is Al's comments have made me take a much more cautious approach to ACL'ing. I get the feeling that even though the granular feature is there, if there aren't enough people with the correct skill level available to maintain it, then it shouldn't be pursued. I hope I can get that skill and that is one of the goals here. But I may not be here all the time. So any stories from anyone?
M@

On 7/25/06, Al Mulnick [EMAIL PROTECTED] wrote:
I wholeheartedly applaud the effort being put into this. That said, I urge you to reconsider your administrative model and favor as much simplicity as is possible. Why? Because the best laid plans of mice and architects and all that. The tricky bit is the matching a trusted and appropriately skilled person to the relevant role. That makes me laugh and cringe at the same time. Yes, it is very difficult to find that perfect match but at the same time I think a design should take that into account where possible. That's a design philosophy and I won't debate that for this thread. But I would caution you that any design that has the people intricately relied upon is going to have a failure point at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and Guido both pointed out, consider rolling your own scripts if you absolutely cannot do what you *need* to do at the GUI. But remember you can really really really^^ hurt yourself with security permissions. Believe me, it can be ugly and it can be the undoing.

Two thoughts to consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.
Best of luck.

On 7/25/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Wow, thank you so much for the detailed info guys. Basically my goal is quite simple. At least it is in my head. What I want to do is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at the command line (where possible). I am willing to use the delegation wizard to some extent, but as I am configuring quite a lot of permissions for an AD design I am involved in, I would rather avoid having to use GUI tools for this. You see, I am going to end up as being a very privileged service administrator and data administrator once my proposed AD design model is in place. I expect I will be making some endeavour to train sufficiently capable people in doing this. But I don't plan to spoon feed. I want the guys to know ACL'ing to a decent level and if not, do their research. At least on an ad hoc basis. Then once they understand what's involved, they can go ahead and add
Re: [ActiveDir] ldp in ADAM-SP1
an email from the developer working on LDP and can say that he is digging into this. I can't say much more than that though.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I dunno about you guys but I am very disappointed with the tools available to me for configuring perms. dsacls can configure most perms but can't configure control access rights to certain attribs of certain objects (e.g. when you configure an attribute as confidential and need to allow certain people the control access right to view the attribute). dsacls also can't display perms that great and gives details as special access. In order to see what's special, I have to use something like acldiag and sdcheck. And then to revoke, yet another tool, dsrevoke, which only works on domain objects and OUs. After reading joe's book I figured ldp.exe from ADAM-SP1, here I come. Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome and slow. I think a nice fast C++ tool that does all this would be much appreciated. I am not sure how hard this is to do. But MSFT certainly have the expertise. Maybe Longhorn will ship with something like that. But I aint holding my breath. I am no expert and no MVP. I aint convinced my rant is gonna be heeded. But please, guys out there with the influence (MVPs) help!!

M@

P.S Please!!!

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week. There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one.

The first ACE is the FC inherit only to the object class you specify, but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                                FULL CONTROL
Allow TEST\Domain Admins                      SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              DELETE TREE
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\joe                                FULL CONTROL
The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it, but you have to go back and clean up the additional ACE created by bug 2. I will alert MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN
Re: [ActiveDir] ldp in ADAM-SP1
Thanks to Al and Guido for your further input. Even though it may seem pretty obvious, I would like to know of any horror stories due to AD ACL'ing if possible. The reason is Al's comments have made me take a much more cautious approach to ACL'ing. I get the feeling that even though the granular feature is there, if there aren't enough people with the correct skill level available to maintain it, then it shouldn't be pursued. I hope I can get that skill and that is one of the goals here. But I may not be here all the time. So any stories from anyone?

M@

On 7/25/06, Al Mulnick [EMAIL PROTECTED] wrote:

I wholeheartedly applaud the effort being put into this. That said, I urge you to reconsider your administrative model and favor as much simplicity as is possible. Why? Because the best laid plans of mice and architects and all that.

"The tricky bit is the matching a trusted and appropriately skilled person to the relevant role."

That makes me laugh and cringe at the same time. Yes, it is very difficult to find that perfect match, but at the same time I think a design should take that into account where possible. That's a design philosophy and I won't debate that for this thread. But I would caution you that any design that has the people intricately relied upon is going to have a failure point at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and Guido both pointed out, consider rolling your own scripts if you absolutely cannot do what you *need* to do at the GUI. But remember you can really really really^^ hurt yourself with security permissions. Believe me, it can be ugly and it can be the undoing.

Two thoughts to consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.

Best of luck.

On 7/25/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Wow, thank you so much for the detailed info guys.

Basically my goal is quite simple. At least it is in my head. What I want to do is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at command line (where possible). I am willing to use the delegation wizard to some extent, but as I am configuring quite a lot of permissions for an AD design I am involved in, I would rather avoid having to use GUI tools for this. You see, I am going to end up as being a very privileged service administrator and data administrator once my proposed AD design model is in place. I expect I will be making some endeavour to train sufficiently capable people in doing this. But I don't plan to spoon feed. I want the guys to know ACL'ing to a decent level and if not, do their research. At least on an ad hoc basis. Then once they understand what's involved, they can go ahead and add/modify/delete ACEs, revoke perms, define new roles etc...

Reading this delegation doc has made me believe I can configure an extremely secure delegation model where each role can be given just enough to do that role. The tricky bit is the matching a trusted and appropriately skilled person to the relevant role.

So you see, as there is a lot involved and this is a big infrastructure to attempt to administer perms for: 20,000 users plus many OUs used to organise users based on the business unit (at least a dozen in each geographical hub) they work in and the site (we have more than 40 geographical hubs and 1000 satellite sites) they are located at. Different levels of data admin roles. I would like to get this right to a large extent from the moment go. Admittedly it may not be as big as Fortune 5 ADs. But it's the biggest I've had the privilege to design and support. I figured if I test this using the case study as a lab, I will get a good feel of what's involved in my lower level design.

I am getting a little miffed when I have to swap between several tools to do what I need to do. There are just so many buts and ifs. You can do this but you can't do this. To do this use this. For this use that. And then try this. If all else fails, script. I admit I was ranting a bit when asking why is this named like such and the discrepancies in the docs and syntax help of command line tools. My sincere apologies for being anal. Is it too much to ask, to have at the very least a reliable command line or GUI tool (ldp) to configure perms just the way I want and need? Actually I don't care even if I have to use a series of command line apps. I don't care how complex it is/will be right now. I just want something that works. And I want the tool from MSFT. For free ;0) Please!

Cheers
M@

P.S. thanks once again for reading, for escalating, for laughing, for educating, the kind words, hugs Control-H,Control-H,Control-H,Control-H,Control-H, etc...

On 7/25/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

I guess
[ActiveDir] ldp in ADAM-SP1
All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here so I would appreciate some help.

Regards
M@

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ldp in ADAM-SP1
I dunno about you guys but I am very disappointed with the tools available to me for configuring perms. dsacls can configure most perms but can't configure control access rights to certain attribs of certain objects (e.g. when you configure an attribute as confidential and need to allow certain people the control access right to view the attribute). dsacls also can't display perms that great and gives details as special access. In order to see what's special, I have to use something like acldiag and sdcheck. And then to revoke, yet another tool, dsrevoke, which only works on domain objects and OUs. After reading joe's book I figured ldp.exe from ADAM-SP1, here I come. Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome and slow. I think a nice fast C++ tool that does all this would be much appreciated. I am not sure how hard this is to do. But MSFT certainly have the expertise. Maybe Longhorn will ship with something like that. But I aint holding my breath. I am no expert and no MVP. I aint convinced my rant is gonna be heeded. But please, guys out there with the influence (MVPs) help!!

M@

P.S Please!!!

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week. There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one.

The first ACE is the FC inherit only to the object class you specify, but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                                FULL CONTROL
Allow TEST\Domain Admins                      SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              DELETE TREE
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\joe                                FULL CONTROL
The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it, but you have to go back and clean up the additional ACE created by bug 2. I will alert MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here so I would appreciate some help.

Regards
M@
Re: [ActiveDir] ldp in ADAM-SP1
Joe,

I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object, but the principle is the same I guess. The only thing is nTDSConnection objects can't have child objects, can they?

Still I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro.

And why does it not choose the Access System Security option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but Access System Security. Also how come there is no string defined for Access System Security? There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading technet and many books by the fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week. There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one.

The first ACE is the FC inherit only to the object class you specify, but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                                FULL CONTROL
Allow TEST\Domain Admins                      SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              DELETE TREE
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                      FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins                  FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\joe                                FULL CONTROL
The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it, but you have to go back and clean up the additional ACE created by bug 2. I will alert MSFT.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in the CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed the ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here so I would appreciate some help.

Regards
M@
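The "two ACEs instead of one" symptom joe describes (and M@ is trying to repro) is easy to miss when eyeballing dsacls output, so here is an added example, not code from the thread or from any Microsoft tool, that parses a dsacls listing and reports every principal holding an explicit inherit-only ACE for a child class that is mirrored by an explicit ACE with the same rights on the object itself. The sample listing is constructed after the one joe posted; the column layout and the `<Inherited from parent>` marker follow how dsacls prints them and are assumptions of the example.

```python
"""Audit a dsacls listing for the two-ACEs-instead-of-one symptom from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on the dsacls output quoted in joe's post: column
# spacing restored, and "<Inherited from parent>" written as dsacls prints it.
SAMPLE = """\
Access list:
Effective Permissions on this object are:
Allow TEST\\joe                          FULL CONTROL
Allow TEST\\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\\SYSTEM               FULL CONTROL
Allow TEST\\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\\joe                          FULL CONTROL
The command completed successfully
"""

OBJECT_SCOPE = "object"  # the ACE applies to the object dsacls was pointed at
ACE_RE = re.compile(
    r"^(Allow|Deny)\s+(.+?)\s{2,}(.+?)(?:\s{2,}<Inherited from parent>)?\s*$"
)


@dataclass
class Ace:
    action: str      # Allow or Deny
    trustee: str     # e.g. TEST\joe
    rights: str      # FULL CONTROL, SPECIAL ACCESS, ...
    inherited: bool  # flowed down from a parent object, not set on this one
    scope: str       # OBJECT_SCOPE, "all subobjects", or a child class name
    details: list[str] = field(default_factory=list)  # SPECIAL ACCESS breakdown


def parse_dsacls(text: str) -> list[Ace]:
    """Turn both sections of a dsacls listing into Ace records."""
    aces: list[Ace] = []
    scope, current = OBJECT_SCOPE, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented line: one right of a SPECIAL ACCESS ACE
            if current is not None:
                current.details.append(raw.strip())
            continue
        line = raw.rstrip()
        current = None  # any non-indented line ends the previous ACE
        if line.startswith("Permissions inherited to subobjects"):
            scope = "all subobjects"  # refined by the "Inherited to ..." lines
        elif line.startswith("Inherited to "):
            scope = line[len("Inherited to "):]
        elif (m := ACE_RE.match(line)) is not None:
            current = Ace(m.group(1), m.group(2), m.group(3),
                          "<Inherited from parent>" in line, scope)
            aces.append(current)
    return aces


def find_double_aces(aces: list[Ace]) -> list[tuple[str, str, str]]:
    """Return (trustee, child class, rights) for every explicit inherit-only ACE
    that is mirrored by an explicit ACE with the same rights on the object itself,
    i.e. the extra ACE joe found.  Inherited ACEs are skipped: they come from a
    parent, not from the editor that was used on this object."""
    explicit_here = {(a.action, a.trustee, a.rights) for a in aces
                     if a.scope == OBJECT_SCOPE and not a.inherited}
    return [(a.trustee, a.scope, a.rights) for a in aces
            if a.scope not in (OBJECT_SCOPE, "all subobjects")
            and not a.inherited
            and (a.action, a.trustee, a.rights) in explicit_here]


if __name__ == "__main__":
    for trustee, cls, rights in find_double_aces(parse_dsacls(SAMPLE)):
        print(f"{trustee}: {rights} inherit-only to {cls} AND explicit on the object")
```

Feed it the output of `dsacls <DN>` for the object you edited; an empty result means the inherit-only ACE came through alone, as intended.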
[ActiveDir] OT: Interview Techniques
All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was ... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] OT: Interview Techniques
LOL. Yeah. Never a good idea to have customised BIG AL number plates. ;-)

On 7/23/06, joe [EMAIL PROTECTED] wrote:

Yeah Al interviewed me once and I didn't get the job because I started crying. I found his car in the parking lot and punched holes in the tires. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

LOL. If it's for a technical position, then I have no qualms about trying to make the interviewed candidate cry. May as well see what they do with pressure. I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or subconsciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory". Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was ... aggressive.

So, my question to you guys is, if you were interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha {Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] Replmon vs. dssite.msc
If I understand correctly, replmon shows connection object info that was retrieved from the DC itself. dssite.msc shows the connection object info from the DC the snap-in is focused on. Please correct me if I've misunderstood.

M@

On 7/19/06, Noah Eiger [EMAIL PROTECTED] wrote:

Hi –

I am trying to promote a new DC in a branch location. I also want this to be the bridgehead for IP at this Site. The promo seems to have worked, but there are some replication problems. Why would replmon show different replication partners than the Active Directory Sites and Services (dssite.msc) snap-in? I am running both tools on the same machine and have confirmed that they connect to the same machine.

Thanks.

-- nme
Re: [ActiveDir] Using non-standard TLDs within Active Directory
Well it would be a good idea as long as no one thinks "crikey that's a great idea" and people start making corp.ad or corp.ads as their forest name ;-)

As I understand it, the forest names need to be unique DNS names. If you have two corp.local's, how would you do conditional forwarding and the like? What happens when a SRV record query is sent by a client who is possibly able to query SRV records for both forests?

M@

On 7/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

For this and other reason I like to use the .ad or .ads TLD for my active directory.

Andrew

Fidel Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/21/2006 06:43 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

for the LOCAL tld, you need be aware that it can cause issues with Mac computers
http://support.microsoft.com/kb/836413/en-us
http://docs.info.apple.com/article.html?artnum=107800

Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 21, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks again. We're on the same wave length :)

I appreciate that .local can work but as you state, it's best to avoid names that can become obsolete if the company name changes. The proposal here is to use .nom and the company name is Nomura.

...and no, it will not be a single domain forest, but let's not go there please :) I've already spent months on that subject :/

Thanks for the comments and feedback.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 10:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Neil

Correct. The TLD is normally the last bit in the string. So in the real world Internet examples of TLDs are .com, .edu etc plus the country codes such as .za for South Africa, which is where I'm from.

I always use something like corp.local for the forest name. I'm assuming you are going to be building a single domain forest, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 11:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks Peter. Are we referring to the same thing? I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'. I am not referring to the 'neil' part. Does your response still hold?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 09:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

I've always gone the opposite way. I like the idea of using a completely non-standard TLD for my forest root so that if the company name changes etc it has no effect on the forest. It also enables you to split the internal DNS from the external DNS structure. If the internal DNS structure is ever published to the Internet it will simply be dropped. I always set mine up with non-standard TLDs and have never had any issues.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 10:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using non-standard TLDs within Active Directory

Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest? E.g. x.nom

The name will be used within a production environment - a separate forest will exist for testing and QA. I've always preferred to use standard TLDs in prod [so the name can be registered etc] and permit the non-standard TLD in test forests only.

Any comments?

Thanks,
neil
Re: [ActiveDir] root admin account able to be locked out?
Well, I've seen in our AD when it was W2K, the administrator account was showing as locked in dsa.msc if you tried too many incorrect auth attempts. But I was still able to logon with it as expected. I didn't check to see if any events were logged to indicate that it was. I cannot repro your setup as my lab is busy doing other work. Someone else might have something more sensible to add here.

M@

On 7/18/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.) I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was, or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!).

Thanks much!

Mike Thommes
Re: [ActiveDir] Forestprep Failure
adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with the base set to the schema and pass the following filter. (&(objectcategory=classschema)(maycontain=uid)) The above tries to do a search for classes where the maycontain attribute contains uid. HTH M@ On 7/19/06, WATSON, BEN [EMAIL PROTECTED] wrote: Hello all, I am at the point where I now have a smooth running Windows 2003 forest and domain with the one exception of the UID attribute which I bypassed thanks to the hidden ADPREP switch Steve informed me of. So I am now attempting to go back and defunct this UID attribute so I can repair it. Unfortunately, I am unable to do so at this point. When attempting to defunct the object through Active Directory Schema, I receive an error stating it cannot be done because, this schema object may be in use as part of the definition of another schema object. When attempting to set the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more informative error, Schema deletion failed: attribute is used in may-contain. How can I find out which attributes have UID as part of the may-contain attribute so I can defunct this attribute? If you might have any further advice for me I would greatly appreciate it. I've been doing my best to study the schema over the past few days thanks to Joe's Active Directory book, however I'll readily admit that advanced searching and filtering are still beyond my grasp at this point. Thanks, ~Ben From: [EMAIL PROTECTED] on behalf of Steve Linehan Sent: Thu 7/6/2006 10:19 PM To: ActiveDir@mail.activedir.org; Mathieu CHATEAU Subject: RE: [ActiveDir] Forestprep Failure Ben, These errors generally occur when a third party application has extended the schema and it conflicts with the base schema we are trying to put in place. 
There were many conflicts found during the initial upgrades to Windows Server 2003 which is why additional information was put into adprep to help guide you, in the past it failed with a generic conflict error not telling you what attributes it had issues with. In your case you appear to have a problem with the Attribute Syntax for UID and an OID conflict with roomnumber as well as an isSingleValued mismatch with roomnumber. The OID for RoomNumber that you gave below used to be in a sample application that showed how to extend the schema and unfortunately many third party developers took the OID value in the sample code as literal and used it when defining their objects for schema extensions even though they were told to provide a unique OID. The sample code was pulled but there are still many applications out there that used the literal OID value in the sample. Since you are running Windows 2000 you do not have a way to defunct these. Do you know what application is using the information in the roomnumber attribute? I would suggest in a test environment renaming the roomnumber attribute using the following steps: a. Open ldp on the Schema FSMO (make sure you have checked the option The Schema may be modified on this Domain Controller using the Schema Manager Snap-in). b. From the Connection menu option select Bind. c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK. d. From the View Menu option select Tree and type the following in the field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK e. On the left pane, double click CN=roomNumber... f. Right click on the roomNumber attribute and select Modify g. In the attribute text field add lDAPDisplayName. h. In the Value field give this the value OldroomNumber. i. Select the replace radio button. j. Click Enter to add to the Entry List k. Click Run to confirm success in left pane. l. Remove the attribute from the entry list. 
m. In the attribute text field add adminDisplayName. n. In the Value field type OldRoomNumber o. Select the replace radio button. p. Click Enter to add to the Entry List q. Click Run to confirm success in left pane. r. Right click on CN=roomNumber... and select rename. s. Enter in the old DN field the current DN of roomNumber. t. Enter in the new DN field OldroomNumber u. Confirm Delete Old and Synchronous are selected and click Run. v. Exit from ldp. This should allow the roomNumber attribute in the base Windows Server 2003 Schema to be imported. You would of course need to update the third party application to point to the renamed attribute or import the data in the OldRoomNumber attribute to the new RoomNumber attribute and hope that none of the values were multivalued and that the application was not referring to it by OID. Next you need to address the syntax of the UID attribute. We are expecting the syntax
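The check Ben asks for ("which classes still reference uid?") as an added example, not code from the thread and not adfind's or ldp's own logic. It generalises the mayContain filter M@ gave to the four containment attributes a classSchema object can carry, and evaluates the same test locally over a constructed, abbreviated stand-in for what a search under cn=Schema,cn=Configuration,... returns (the class names and their contents are made up for illustration):

```python
"""Which schema classes still reference an attribute? Added example.
The schema entries are constructed stand-ins for search results under
cn=Schema,cn=Configuration,...; against a live forest the same function
would be fed the results of reference_filter()."""

# A classSchema object can reference an attribute through any of these four.
# The thread's error message names only may-contain; checking all four avoids
# a second refusal when the reference turns out to be in mustContain or one of
# the system* variants.
CONTAINMENT_ATTRS = ("mayContain", "systemMayContain",
                     "mustContain", "systemMustContain")


def reference_filter(attribute_name):
    """LDAP filter for classSchema objects listing attribute_name in any
    containment attribute; generalises
    (&(objectcategory=classschema)(maycontain=uid))."""
    clauses = "".join(f"({a}={attribute_name})" for a in CONTAINMENT_ATTRS)
    return f"(&(objectCategory=classSchema)(|{clauses}))"


def find_referencing_classes(schema_entries, attribute_name):
    """Return {class lDAPDisplayName: [containment attrs that reference it]}.
    lDAPDisplayName comparisons are case-insensitive, as in AD."""
    wanted = attribute_name.lower()
    hits = {}
    for entry in schema_entries:
        classes = [oc.lower() for oc in entry.get("objectClass", [])]
        if "classschema" not in classes:
            continue  # attributeSchema objects cannot contain attributes
        for attr in CONTAINMENT_ATTRS:
            if any(v.lower() == wanted for v in entry.get(attr, [])):
                hits.setdefault(entry["lDAPDisplayName"], []).append(attr)
    return hits


# Constructed sample schema (not a dump of a real forest).
SAMPLE_SCHEMA = [
    {"objectClass": ["top", "classSchema"], "lDAPDisplayName": "inetOrgPerson",
     "mayContain": ["audio", "uid"], "systemMayContain": ["userPKCS12"]},
    {"objectClass": ["top", "classSchema"], "lDAPDisplayName": "vendorContact",
     "systemMayContain": ["UID", "roomNumber"]},   # case differs, still a hit
    {"objectClass": ["top", "classSchema"], "lDAPDisplayName": "computer",
     "systemMayContain": ["dNSHostName"]},
    {"objectClass": ["top", "attributeSchema"], "lDAPDisplayName": "uid",
     "mayContain": ["uid"]},                       # not a class: ignored
]

if __name__ == "__main__":
    print(reference_filter("uid"))
    for cls, where in find_referencing_classes(SAMPLE_SCHEMA, "uid").items():
        print(f"{cls}: referenced via {', '.join(where)}")
```

Run the printed filter with adfind, dsquery or ldp against the schema naming context to get the real list; a class that references the attribute through systemMayContain or systemMustContain cannot be edited, which is worth knowing before planning the defunct.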
OT: Re:[ActiveDir] Regarding printer configure through web
If you want a web based view of what printers are available on a print server, then installing IIS should do it. This will install a virtual directory called printers so you could then browse http://printserver/printers to get a list of printers. Users could then browse and choose a printer and click connect to download and install the driver and then print to it. More info at http://www.microsoft.com/windowsserver2003/techinfo/overview/internetprint.mspx M@ P.S. This is strictly not an AD topic. Please prefix OT: to future topics for the benefit of other users. Thanks! On 7/10/06, Ajay Kumar [EMAIL PROTECTED] wrote: Hi all, Please help me out: how can I configure the website of a print server? Actually we have 40 printers of different makes and around 1000 users in different locations. So please tell me how I can create a website for printer access. Thanks, Sam
[ActiveDir] Fwd: Redirect Application Data
Sorry for the repost but it doesn't appear in the archives as ever having been posted. I would appreciate a reply ;-) ta! M@ -- Forwarded message -- From: Matheesha Weerasinghe [EMAIL PROTECTED] Date: Jul 3, 2006 11:46 PM Subject: Redirect Application Data To: ActiveDir@mail.activedir.org Hi All I was watching a Webcast on GPO's and saw it mention a recommendation I heard from PSS sometime back. And that is to not use application data redirection. Especially in TS environments. I would appreciate if someone could elaborate a bit on this. I would also like to know when do MS or consultants recommend using application data redirection. I.e. ideal scenarios. Thanks M@
Re: [ActiveDir] Fwd: Redirect Application Data
Basically the reason I am inquiring about this is because of performance issues which were blamed on application redirection. The appdata was on a cluster in this particular instance. Citing the fact that there are more components involved in the data path when appdata is accessed from a cluster, the PSS guy basically didn't personally seem to approve the design. And it seems like quite a few guys share his opinion. As he explained, in a normal file server the client will go through the file server's nic, the ide/scsi controller and then to the disk(s). In a cluster environment, the client goes through the cluster node's nic, the node's HBA, fibre switch/hub, SAN controller, and finally disk(s). And in the case of small files the SAN was not very performant especially with big volumes with lots of files. In the webcast I mentioned in the original email, in slide 22 of the presentation available at http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=26 for group policy tips and tricks Mark Cribben recommends against it. I would say the main reason for that recommendation is network latency. We are designing some file servers at the moment for the client and we have some design considerations and fears. Basically we are wondering whether to do away with appdata redirection altogether and leave it in the profile itself. One of the suggestions is that we may take a hit in logon time to download profiles, but app performance will be good as the files are cached locally during the TS session. We would like to use appdata redirection if at all possible. But we don't want to sacrifice app performance for it. i.e. We don't want to wait too long while the app is looking for ini files etc.. Thoughts? M@ On 7/8/06, Susan Bradley [EMAIL PROTECTED] wrote: Sorry read the original post and saw it was specifically about TS. TS is one of those things that if the application loves the TS environment, I don't think we've seen too many issues... and that's usually the key... 
there are some applications that just don't work well and the vendor states so in a TS/Citrix setup and would have problems redirecting. I know that we redirect 'normal' stuff like My Docs folder all the time over a TS... but apps like Word and Excel don't have to maintain a constant connection to a data file. Susan Bradley [EMAIL PROTECTED] wrote: Please correct me if I'm wrong.. but in the era of Howard/LeBlanc and Howard/Lipner's Secure Coding and SDL books currently written software from Microsoft is indeed following their best practice guidelines. (Which my only complaint with both books is that they are paperback and not hardbound and thusly when I throw them at crappy app developers like ... oh.. say.. I don't know... Intuit... the bruise on the head of the Dev folks there will be slightly lessened.) The SDL book so far is very interesting. Older software that they purchased .. granted that statement cannot be made... And isn't your situation solvable with having on your patch test matrix a check box that says ensure app data redirect is still functional... and of course testing that patch before it's globally deployed? Matt Hargraves [EMAIL PROTECTED] wrote: I believe the reason they recommend against this is because all applications are different. Another problem is that there is no guarantee that the application will remain the same. Patches and updates can change more than just a file here and a file there, they can change settings such as these and trying to redirect the location for that data can end up with a situation where the application during an update is trying to pull your information from %userroot%\appname and it's really at a completely different location. If all application vendors used MS best practices for programming, it would be great, but unfortunately not even MS always uses their own best practices. 
Redirecting application data can work fine for months or even years, but then you get an update to an application and *bam* everything's broken and you don't really know why and you spend days (or worse, weeks) trying to figure out why everyone's broken and realize that your problem is that the application data is being redirected and that's the source of the problem. Matt
Re: [ActiveDir] Fwd: Redirect Application Data
Thanks for the suggestion. I've posted in the public TS newsgroup. M@ On 7/8/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: This sounds like a question for a MSDN/TS list/newsgroup with some monitoring tools thrown in as you do your tests. I can tell you that in our little networks, things like smb signing enabled on our DCs add about a 20 to 40 percent overhead to file transfers and apps (ergo one of the reasons we're a bit insane to be making our DCs file servers). We've also seen speed issues affected by NIC drivers and the selection of a static speed versus auto-sense on the nic. Just reading that laundry list of what that app is having to go through.. each possibly needing a little tweak here or there...sounds to me that a test, perfmon and other such monitoring is needed to determine if he's right? Matheesha Weerasinghe wrote: Basically the reason I am inquiring about this is because of performance issues which were blamed on application redirection. The appdata was on a cluster in this particular instance. Citing the fact that there are more components involved in the data path when appdata is accessed from a cluster, the PSS guy basically didn't personally seem to approve the design. And it seems like quite a few guys share his opinion. As he explained, in a normal file server the client will go through the file server's nic, the ide/scsi controller and then to the disk(s). In a cluster environment, the client goes through the cluster node's nic, the node's HBA, fibre switch/hub, SAN controller, and finally disk(s). And in the case of small files the SAN was not very performant especially with big volumes with lots of files. In the webcast I mentioned in the original email, in slide 22 of the presentation available at http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=26 for group policy tips and tricks Mark Cribben recommends against it. I would say the main reason for that recommendation is network latency. 
We are designing some file servers at the moment for the client and we have some design considerations and fears. Basically we are wondering whether to do away with appdata redirection altogether and leave it in the profile itself. One of the suggestions is that we may take a hit in logon time to download profiles, but app performance will be good as the files are cached locally during the TS session. We would like to use appdata redirection if at all possible. But we don't want to sacrifice app performance for it. i.e. We don't want to wait too long while the app is looking for ini files etc.. Thoughts? M@ On 7/8/06, Susan Bradley [EMAIL PROTECTED] wrote: Sorry read the original post and saw it was specifically about TS. TS is one of those things that if the application loves the TS environment, I don't think we've seen too many issues... and that's usually the key... there are some applications that just don't work well and the vendor states so in a TS/Citrix setup and would have problems redirecting. I know that we redirect 'normal' stuff like My Docs folder all the time over a TS... but apps like Word and Excel don't have to maintain a constant connection to a data file. Susan Bradley [EMAIL PROTECTED] wrote: Please correct me if I'm wrong.. but in the era of Howard/LeBlanc and Howard/Lipner's Secure Coding and SDL books currently written software from Microsoft is indeed following their best practice guidelines. (Which my only complaint with both books is that they are paperback and not hardbound and thusly when I throw them at crappy app developers like ... oh.. say.. I don't know... Intuit... the bruise on the head of the Dev folks there will be slightly lessened.) The SDL book so far is very interesting. Older software that they purchased .. granted that statement cannot be made... And isn't your situation solvable with having on your patch test matrix a check box that says ensure app data redirect is still functional... 
and of course testing that patch before it's globally deployed? Matt Hargraves [EMAIL PROTECTED] wrote: I believe the reason they recommend against this is because all applications are different. Another problem is that there is no guarantee that the application will remain the same. Patches and updates can change more than just a file here and a file there, they can change settings such as these and trying to redirect the location for that data can end up with a situation where the application during an update is trying to pull your information from %userroot%\appname and it's really at a completely different location. If all application vendors use MS best practices for programming, it would be great, but unfortunately not even MS always uses their own best practices. Redirecting application data can work fine for months or even years, but then you get an update to an application and *bam* everything's broken
Re: [ActiveDir] Fwd: Redirect Application Data
Thanks Darren Unfortunately we are indeed clearing cached profiles at logoff and so download of roaming profiles is gonna take some time. We store a lot of files especially for lotus notes so I could have done without that. I am gonna need to think a bit about this one. But at this stage I'd rather take a hit at logon/logoff and have a reasonably well performant session than crap performance all throughout the session. Thanks to all others that replied too. Cheers M@ On 7/8/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: In general I recommend against AppData redirection for the performance reasons you've already cited below. A lot of apps, esp. MS apps, read/write to files in AppData frequently as they run, and I've just found that when that data resides remotely, it really slows down the user's experience. If you are concerned about download performance of roaming profiles, you could set AppData to not roam, but that won't do you much good in a TS environment. Keep in mind also that unless your users are moving around to a lot of different machines, the roaming profile hit should be reasonably minimal after the initial download because the roaming profile algorithm should only be downloading changed files. Of course, all bets are off if you're deleting the cached profile at each logoff (as may be the case on a TS). Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Saturday, July 08, 2006 10:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Fwd: Redirect Application Data Basically the reason I am inquiring about this is because of performance issues which were blamed on application redirection. The appdata was on a cluster in this particular instance. Citing the fact that there are more components involved in the data path when appdata is accessed from a cluster, the PSS guy basically didn't personally seem to approve the design. 
And it seems like quite a few guys share his opinion. As he explained, in a normal file server the client will go through the file server's nic, the ide/scsi controller and then to the disk(s). In a cluster environment, the client goes through the cluster node's nic, the node's HBA, fibre switch/hub, SAN controller, and finally disk(s). And in the case of small files the SAN was not very performant especially with big volumes with lots of files. In the webcast I mentioned in the original email, in slide 22 of the presentation available at http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=26 for group policy tips and tricks Mark Cribben recommends against it. I would say the main reason for that recommendation is network latency. We are designing some file servers at the moment for the client and we have some design considerations and fears. Basically we are wondering whether to do away with appdata redirection altogether and leave it in the profile itself. One of the suggestions is that we may take a hit in logon time to download profiles, but app performance will be good as the files are cached locally during the TS session. We would like to use appdata redirection if at all possible. But we don't want to sacrifice app performance for it. i.e. We don't want to wait too long while the app is looking for ini files etc.. Thoughts? M@ On 7/8/06, Susan Bradley [EMAIL PROTECTED] wrote: Sorry read the original post and saw it was specifically about TS. TS is one of those things that if the application loves the TS environment, I don't think we've seen too many issues... and that's usually the key... there are some applications that just don't work well and the vendor states so in a TS/Citrix setup and would have problems redirecting. I know that we redirect 'normal' stuff like My Docs folder all the time over a TS... but apps like Word and Excel don't have to maintain a constant connection to a data file. 
Susan Bradley [EMAIL PROTECTED] wrote: Please correct me if I'm wrong.. but in the era of Howard/LeBlanc and Howard/Lipner's Secure Coding and SDL books currently written software from Microsoft is indeed following their best practice guidelines. (Which my only complaint with both books is that they are paperback and not hardbound and thusly when I throw them at crappy app developers like ... oh.. say.. I don't know... Intuit... the bruise on the head of the Dev folks there will be slightly lessened.) The SDL book so far is very interesting. Older software that they purchased .. granted that statement cannot be made... And isn't your situation solvable with having on your patch test matrix a check box that says ensure app data redirect is still functional... and of course testing that patch before it's globally deployed? Matt Hargraves [EMAIL PROTECTED] wrote: I believe the reason they recommend against this is because all applications are different. Another problem is that there is no guarantee
Re: [ActiveDir] Can't find anyting on this [NTDS warning]
Going by the ESE error codes it appears to not find the record. Some DB corruption maybe? Source is http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/extensible_storage_engine_errors.asp JET_errNoCurrentRecord -1603 There is no current record. I guess someone like Brettsh could enlighten us more? M@ On 7/7/06, John Singler [EMAIL PROTECTED] wrote: Sorry to rehash a year old thread... OT: http://www.mail-archive.com/activedir@mail.activedir.org/msg30076.html One of my DCs just logged this same message. Nothing else is logged around this event. Brian, was this ever resolved for you? Thanks, john Brian Desmond wrote: Event Type: Warning Event Source: NTDS General Event Category: Internal Processing Event ID: 1173 Date: 6/21/2005 Time: 10:08:47 AM User: NT AUTHORITY\ANONYMOUS LOGON Computer: TheServer Description: Internal event: Active Directory has encountered the following exception and associated parameters. Exception: e0010004 Parameter: 0 Additional Data Error value: -1603 Internal ID: 2050344 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Closest thing I found was a -1605. Box is a 2k3 SP1 clean build (aka I built it on 2k3 SP1) PDC FSMO and GC. --brian
Re: [ActiveDir] Question on rightsguid
thanks joe! M@ On 6/20/06, joe [EMAIL PROTECTED] wrote: Oops correction here, I spaced for a second. The value for Property Sets in validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP so the value is 32 + 16 or 48, not just 32. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 20, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on rightsguid There are three things currently handled in the extended-rights container of objectclass controlAccessRight. Validated Writes Property Sets Extended Rights These are differentiated by the validAccesses attribute[1]. Quickly it lays out like Validated Writes have validAccess value of 8 Property Sets have validAccesses value of 32 Extended Rights have validAccess value of 256 While they are the same objectclass and in the same container, they are not the same things. The attributeSecurityGUID is used to tie schema objects to property sets. Validated Rights and Extended Rights are hardcoded into the OS. While you could add those types of objects, you wouldn't get anything out of the OS with them, you would need to write your application(s) to use them. Now there are some things that are a bit confusing... The rightsGuid of Add/Remove self as member is the same as the member attribute's schemaIDGUID. This means that if you don't use the correct access mask the permission will not be written properly and many programs and scripts (including several of mine) actually display this incorrectly. If the mask is a CA grant/deny (control access) then the permission is for Add/Remove self as member, if the mask is anything else, it is the member schema attribute. 
It gets even worse with the rightsGUID of Validated write to DNS host name, which is also the rightsGUID of the property set DNS Host Name Attributes AND the schemaIDGUID of the attribute dNSHostName. I've actually been meaning to blog this for a while now as I keep fielding questions in email and the newsgroups about it. Seems like a lot of people are actually really looking at that stuff finally. I reported the DNS GUIDs item to MSFT back after K3 came out as I didn't think it was right. I still don't think it is the right way to handle it but too late to change now. It just adds a bunch of confusion to something that doesn't need the confusion because it is already too confusing. As for the second part... I have been asked that and actually people have insisted it is a bug in my code so much that I did blog it. http://blog.joeware.net/2005/12/17/173/ joe [1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe Sent: Monday, June 19, 2006 5:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question on rightsguid All I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid value of each controlaccess object? Or is rightsguid only really important for propertysets? Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format. 
i.e. adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid was expanded as Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD)) I deduced G=47, r=72 etc.. Can anyone explain the above for me? Cheers M@
[ActiveDir] Question on rightsguid
All I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid value of each controlaccess object? Or is rightsguid only really important for propertysets? Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format. i.e. adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid was expanded as Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD)) I deduced G=47, r=72 etc.. Can anyone explain the above for me? Cheers M@
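Both halves of the rightsguid thread (M@'s transformed-filter question and joe's point that one GUID can be a validated write, a property set and an attribute at the same time) worked through as an added example; this is not code from the thread, from adfind or from Windows. The mask bits are the documented ADS_RIGHTS_ENUM values; the two GUIDs are the well-known ones joe names; the KNOWN lookup table is constructed for illustration. Validated writes are granted with the ADS_RIGHT_DS_SELF bit (0x8), extended rights with ADS_RIGHT_DS_CONTROL_ACCESS (0x100), and attributes or property sets with the read/write-property bits, which is the only thing that tells the shared GUIDs apart in an ACE:

```python
"""GUID bytes in LDAP filters and shared rightsGuid values. Added example.
Assumes: ADS_RIGHTS_ENUM constants as documented; the two GUIDs below are the
well-known AD values; KNOWN is a constructed lookup for illustration."""
import uuid

# Access-mask bits of an object-specific ACE (ADS_RIGHTS_ENUM subset).
ADS_RIGHT_DS_CREATE_CHILD = 0x01
ADS_RIGHT_DS_DELETE_CHILD = 0x02
ADS_RIGHT_DS_SELF = 0x08              # validated writes
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # extended rights

# One GUID, three meanings: validated write, property set, attribute.
DNS_HOST_NAME_GUID = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
# Self-Membership validated write == schemaIDGUID of the member attribute.
SELF_MEMBERSHIP_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Constructed lookup of what each shared GUID means under each mask kind.
KNOWN = {
    SELF_MEMBERSHIP_GUID: {
        "validated write": "Self-Membership (Add/Remove self as member)",
        "attribute or property set": "member (attribute)"},
    DNS_HOST_NAME_GUID: {
        "validated write": "Validated-DNS-Host-Name",
        "attribute or property set":
            "DNS Host Name Attributes (set) / dNSHostName (attribute)"},
}


def guid_to_ldap_filter_value(guid_text, escape_all=False):
    """schemaIDGUID/attributeSecurityGUID hold the 16 GUID bytes in
    little-endian field order (uuid.bytes_le), so a filter must match those
    bytes, \\xx-escaped as RFC 2254 allows. adfind leaves ASCII letters and
    digits literal, which is why 0x47, 0x72 and 0x4F show as G, r and O;
    escape_all=True produces the equivalent fully escaped form."""
    parts = []
    for b in uuid.UUID(guid_text).bytes_le:
        if not escape_all and b < 0x80 and chr(b).isalnum():
            parts.append(chr(b))
        else:
            parts.append("\\%02X" % b)
    return "".join(parts)


def ldap_filter_value_to_guid(value):
    """Inverse: rebuild the text GUID from an escaped filter value."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    return str(uuid.UUID(bytes_le=bytes(raw)))


def kind_from_valid_accesses(valid_accesses):
    """What a controlAccessRight object is, from its validAccesses value
    (8 validated write, 48 property set, 256 extended right)."""
    if valid_accesses & ADS_RIGHT_DS_CONTROL_ACCESS:
        return "extended right"
    if valid_accesses & ADS_RIGHT_DS_SELF:
        return "validated write"
    if valid_accesses & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        return "property set"
    return "unknown"


def classify_object_ace(access_mask, object_type_guid):
    """(kind, name) for an ACE's ObjectType GUID. Only the mask disambiguates
    a shared GUID; with 0x10/0x20 the GUID may be an attribute (schemaIDGUID)
    or a property set (rightsGuid), so look it up in both places."""
    if access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        kind = "extended right"
    elif access_mask & ADS_RIGHT_DS_SELF:
        kind = "validated write"
    elif access_mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        kind = "attribute or property set"
    elif access_mask & (ADS_RIGHT_DS_CREATE_CHILD | ADS_RIGHT_DS_DELETE_CHILD):
        kind = "object class"
    else:
        kind = "unknown"
    return kind, KNOWN.get(object_type_guid.lower(), {}).get(kind, "?")


if __name__ == "__main__":
    print(guid_to_ldap_filter_value(DNS_HOST_NAME_GUID))
    print(classify_object_ace(0x8, SELF_MEMBERSHIP_GUID))
    print(classify_object_ace(0x30, SELF_MEMBERSHIP_GUID))
```

The escaped form is what goes inside an `(attributeSecurityGUID=...)` or `(schemaIDGUID=...)` clause; any tool that displays an ACE by GUID alone, without looking at the mask, will mislabel the two shared GUIDs exactly as joe describes.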
Re: [ActiveDir] bitwise filters
Thanks joe!
Re: [ActiveDir] bitwise filters
Thanks for replying Tony. Unfortunately gmail couldn't read your reply so I resorted to the archive. In my example for searching universal groups, I wasn't distinguishing between security and distribution groups. Therefore the 2nd filter is correct too, isn't it? As for the 3rd question, I am sure you can answer it. Please don't hold back. I merely addressed it to Joe as he wrote the tool and hence should know how it behaves more than anyone else ;-) But if anyone else could explain it, I will be most grateful. TIA M@ On 6/13/06, Tony Murray [EMAIL PROTECTED] wrote:
[ActiveDir] bitwise filters
Guys, I have a few questions on bitwise filters. 1. I just wanna make sure I've understood bitwise filters correctly. Basically if I want to check if all bits are set, I should use the Bitwise AND operator. If I need to check if any number of the bits I am interested in are set, I should use the OR operator. Therefore the OR operator is best used in multiple bit checking scenarios. If I am checking for only one bit (and not multiple bits), then I should use the AND operator. I guess it really doesn't matter. It's just the logic behind it. If I want a list of global and local groups, I could either do a search for groups that are not universal or I could do a search for groups that have the bit for either global or local set, couldn't I? i.e. (&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or (&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))). Please correct me if I am wrong. 2. How do I find the bitwise filter OID for AND or OR without referring to manuals? Can I query this in the directory or is it hardcoded? 3. Joe, could you please explain why the group type value output in adfind is minus? If I do a query with -f (&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650)) grouptype, I get -2147483646 as the output. The results are correct. I just want to understand why the output is minus. Thanks M@
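The three questions above evaluated locally, as an added example that is not from the thread or from adfind. The two matching-rule OIDs are fixed constants of the AD LDAP server (nothing in the directory to query for them); the groupType flag values are the documented ones; the group records are constructed. groupType is a 32-bit integer attribute that AD returns signed, so the value queried as 2147483650 (0x80000002) comes back as -2147483646; the helpers below accept either form, and the constructed set also shows why the OR-6 filter and the NOT-AND-8 filter return the same groups:

```python
"""Bitwise LDAP matching rules on groupType. Added example; rule OIDs and
flag bits are the documented Windows constants, the groups are constructed."""
import struct

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all operand bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any operand bit set

# groupType flag bits.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002            # "account group"
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004      # "resource group"
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def to_signed32(value):
    """How AD displays the attribute: 0x80000002 becomes -2147483646."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def to_unsigned32(value):
    """Two's-complement view used for the bit test (works for both forms)."""
    return value & 0xFFFFFFFF


def bit_match(rule_oid, stored, operand):
    """Evaluate (attr:rule_oid:=operand) against one stored value."""
    s, o = to_unsigned32(stored), to_unsigned32(operand)
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (s & o) == o
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (s & o) != 0
    raise ValueError(f"unknown matching rule {rule_oid}")


def bitwise_filter(attribute, rule_oid, operand, negate=False):
    """Render the clause as it would be typed into adfind/dsquery/ldp."""
    clause = f"({attribute}:{rule_oid}:={to_unsigned32(operand)})"
    return f"(!{clause})" if negate else clause


def select_groups(groups, rule_oid, operand, negate=False):
    """Sorted names whose groupType passes (or, with negate, fails) the test."""
    return sorted(name for name, gt in groups.items()
                  if bit_match(rule_oid, gt, operand) != negate)


# Constructed sample: name -> groupType exactly as an LDAP client sees it.
SAMPLE_GROUPS = {
    "Domain Admins": -2147483646,          # 0x80000002 security, global
    "Print Operators DL": -2147483644,     # 0x80000004 security, domain local
    "Builtin Administrators": -2147483643, # 0x80000005 security, builtin local
    "Enterprise Admins": -2147483640,      # 0x80000008 security, universal
    "All Staff": 8,                        # 0x00000008 distribution, universal
}

if __name__ == "__main__":
    print(bitwise_filter("groupType", LDAP_MATCHING_RULE_BIT_OR, 6))
    print(select_groups(SAMPLE_GROUPS, LDAP_MATCHING_RULE_BIT_OR, 6))
    print(select_groups(SAMPLE_GROUPS, LDAP_MATCHING_RULE_BIT_AND, 8, negate=True))
    print(to_signed32(2147483650), to_unsigned32(-2147483646))
```

The OR-6 and NOT-AND-8 selections agree because every group carries exactly one scope bit (2, 4 or 8); the AND rule is the one to use when the operand has several bits and all of them must be present, for example 0x80000002 for security-enabled global groups only.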
Re: RE : RE: RE : RE: [ActiveDir] AD LDAP Logging.
Check out the TechNet Webcast: Active Directory Performance Measurement and Troubleshooting—Level 300 at http://www.microsoft.com/events/series/adaug.mspx.

On 6/10/06, Yann [EMAIL PROTECTED] wrote: Hello, Gil, very very very useful information that you provided at DEC ad performance session. I just finished to study it. I highly recommend it because of videos that well explained how to use spa, logman, etc..! I'm eager to test your troubleshooting on monday ! :) A few questions... 1) Will spa consume lots of resources when starting analyze and generating reports ? 2) Can spa analyze other DCs from one w2k3 box dedicated spa ? or must i install spa on each box that i want to trend ? 3) Could I see possible LDAP problem connectivities (dirty LDAP disconnections...) between my DC and a client ? 3) Can i schedule the analyzes for a few days to be sure to track ldap pb? and will it consume high resources ? Thanks, Yann

Gil Kirkpatrick [EMAIL PROTECTED] wrote: You can use SPA, or you can use logman and tracerpt to get detailed LDAP stats. SPA does a lot of analysis for you and diagnoses several classes of AD perf problems. Tracerpt will give you a fairly raw look at all the LDAP traffic. I covered all three in my DEC AD Performance session (which I didn't actually deliver at DEC :). It's available on the NetPro website at http://www.netpro.com/community/medialibrary.cfm. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Friday, June 09, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging. It is true that SPA is not localized but I believe the French version will be ok. The problem comes about with the localization of the perfmon data. If you have problems post back and we can try a few workarounds because we are only really interested in the trace data at this point which should not be impacted. Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Friday, June 09, 2006 11:31 AM To: ActiveDir@mail.activedir.org Subject: RE : RE: [ActiveDir] AD LDAP Logging. Thank you for your answer Steve. I will install spa on monday and see if i can log some ldap activities (errors, connections pb, etc...). Will this version of spa work on a w2k3 sp1 French version ? Regards, Yann

Steve Linehan [EMAIL PROTECTED] wrote: I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way it also collects information for other server roles as well such as IIS giving you tremendous amounts of detail found nowhere else. Yes event tracing is the future of not only performance monitoring but debugging difficult issues. You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, June 09, 2006 9:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD LDAP Logging. Unfortunately the logging is very basic, it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of use event tracing but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on the code that is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Friday, June 09, 2006 9:42 AM To: ActiveDir@mail.activedir.org Subject: Re : [ActiveDir] AD LDAP Logging. Good point Joe. I will use perfmon to monitor the health of my DC. Another question. The Web app timed out with this generic error "the server is down", where the server = mydc. At the time the web app timed out, i saw no errors about ldap connections between my dc and the zope server. With the Field
Re: [ActiveDir] Rights to move an object from one OU to another
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en and http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

On 6/8/06, Figueroa, Johnny [EMAIL PROTECTED] wrote: What rights does a user need to move objects from one OU to another? I cannot seem to find that or a white paper on delegation of authority that someone mentioned before. Thanks in advance. Johnny Figueroa Supervisor Network Operations Support Network Services Banner Health Voice (602)495-4195 Fax (602) 495-4406
Re: [ActiveDir] Logged in user
psloggedon from sysinternals.com

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote: Is there a Command line util. to remotely tell what user is logged into a PC? -Devon
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
What's the version of ldp? Are there any issues using ADAM sp1's ldp from the english version? I assume other ldap clients are fine, other than this ldp? Wire traces show anything weird? Just my $0.02 M@

On 6/5/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote: I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas? (From LDP) ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg) Error: Search: Erreur d'opération. 1 Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018 Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018 Matched DNs: Getting 0 entries: I'm logged in as the domain Administrateur. One level searches seem to work ok. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh Sent: Monday, June 05, 2006 10:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC and ADC replication prob. What is your ADC configuration? Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar Sent: Sun 6/4/2006 10:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC and ADC replication prob. Hi all, Pls help me out, Just recently I set up a small domain of 50 PCs with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem. Ajay.
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
Man I regret trying to even answer that. I didn't look at the name of the poster for crying out loud! <Note to self> a fool is not known until he opens his mouth </Note to self> Sorry Gil. Won't happen again. M@

On 6/5/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Start your own thread :) Joe blogged about this DSID thingy a while back, and it was a very informative piece. I suggest you start from there. This may require you peeking into the source code. Sincerely, Microsoft MVP - Directory Services www.readymaids.com http://www.readymaids.com - we know IT www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Mon 6/5/2006 10:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DSID-020A06F3 error from French platform AD I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas? (From LDP) ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg) Error: Search: Erreur d'opération. 1 Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018 Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018 Matched DNs: Getting 0 entries: I'm logged in as the domain Administrateur. One level searches seem to work ok. -gil
Re: [ActiveDir] DHCP migration(OT)
Look into netsh. Might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote: I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2: move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks
Re: [ActiveDir] DHCP migration(OT)
Haven't played with it for a while so I can't answer unless I fire up a VM and start playing. Do you fancy letting me know your findings ;-) M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote: Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options? Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: Look into netsh. Might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote: I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2: move the source info over while keeping the target DHCP info intact as well. Is this possible? Thanks
Re: [ActiveDir] [OT] GMAIL encoding
Thanks for that. My question is why isn't the mail sent by Al viewable by other gmail users? I have also seen blank emails and I use gmail too. M@

On 5/10/06, AdamT [EMAIL PROTECTED] wrote: On 10/05/06, Lou Vega [EMAIL PROTECTED] wrote: I don't know exactly where it is off the top of my head because I don't have access to GMAIL at work, but GMAIL does allow you (to my knowledge) to set the encoding of your messages if you wanted to… perhaps you can check into that? It's under the settings link at the top right of the screen. You get a choice of: Use default text encoding for outgoing messages Or: Use Unicode (UTF-8) encoding for outgoing messages -- AdamT 'Thank-you for not requesting read receipts'
Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Personally, I'd like a command line tool that's interactive like ntdsutil or nslookup. I'd be able to use this to browse the ADAM instance from a command line. Have a prompt which allows me to navigate the hierarchy. Execute commands such as create/delete objecttype etc... M@

On 4/28/06, Stewart, Fitz [EMAIL PROTECTED] wrote: Heck, just give a user the ability to create and otherwise manage objects – users, groups, the basics. Name, etc. Nothing fancy, just not the command-line-ishness of ADSIEDIT. -fitz 703-866-7473 703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers? I have some curiosity in this realm... What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Friday, April 28, 2006 10:01 AM To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Since it is LDAP I did look at some friendlier admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want. In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :) J

Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Date: Fri, 28 Apr 2006 09:44:55 -0400 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org That's a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI experience? J. Fitzgerald (Fitz) Stewart Systems Architect IRM/OPS/ENM Worldwide Information Network Systems USAID/DoS IT Infrastructure Collaboration Program [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 703-866-7473 703-626-5741 (cell)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Friday, April 28, 2006 9:27 AM To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Mylo, Thanks for the information! I have set up ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective. This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps. With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that. I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :) Thanks again! Jef

Date: Fri, 28 Apr 2006 01:40:09 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Jef, As Al pointed out, there are numerous products from vendors such as IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing web-based authentication/authorisation in front of AD. Since from a design point-of-view it's generally not a good idea to stick AD too close to the Internet, often these solutions comprise a presentation tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks into
Re: [ActiveDir] GC Promotion
I've got a parent-child domain setup here and I have child domain GCs which repl the parent domain NC from another child domain NC. Now I don't know if it's possible to make a GC using a DC of the other domain that's not a GC. In a hypothetical setup where all sites were not fully routed this could be tested, forcing it to repl NCs from a site/server that has/is no GC. But I won't be testing that in a VM in the near future. I'll let the knowledgeable enlighten us on the subject. M@

On 4/28/06, Mark Parris [EMAIL PROTECTED] wrote: When elevating a DC to be a GC and say there are 3 domains, located say on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense? Mark
Re: [ActiveDir] Service Account Logging/Tracking
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only. M@

On 4/22/06, mike kline [EMAIL PROTECTED] wrote: You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event. When you go to set auditing you will see two settings: Audit account logon events and audit logon events. There is a good blog entry about the differences between the two settings and what they mean. http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx We set both for success, failure (per NSA guidelines). We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. Once you have the events in the log you can search through them using a tool like Eventcomb http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en Eventcomb can be found within this download. You can search for EventID 528 and specify the service account to narrow the search. When you say an account with elevated privileges what kind of privileges are you talking about? Hopefully not a domain admin account. Thanks Mike

On 4/21/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote: What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573
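As an added example (not from the thread), this Python runs the search Mike describes over exported logon events: it keeps the event 528 records for the named service accounts and then narrows to the ones whose logon type says a person used the account at a console or over RDP, which is what Justin wants to catch. The record layout is a constructed simplification of an event-log export, and the logon type codes are the standard Windows values, not something the post gives.

```python
"""Flag service accounts used for interactive logons (Security event 528).

Added example, not code from the mailing-list thread. The input layout is
a constructed simplification of an event-log export; the logon type codes
are the standard Windows values and are assumed here, not taken from the
post.
"""
import csv
from io import StringIO

SUCCESSFUL_LOGON = 528  # "Successful Logon" event ID named in the post

# Logon types that mean a person (console or RDP session) used the account.
# A service account is expected to produce service (5) or batch (4) logons.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive"}

# Constructed sample export: time,event_id,account,computer,logon_type
SAMPLE_EXPORT = """\
time,event_id,account,computer,logon_type
2006-04-21 02:00:01,528,svc_backup,SRV01,5
2006-04-21 02:00:03,528,svc_backup,SRV02,5
2006-04-21 09:14:22,528,svc_backup,WS117,2
2006-04-21 09:20:05,528,jclay,WS117,2
2006-04-21 11:02:47,529,svc_sql,SRV03,2
2006-04-21 13:45:10,528,svc_sql,SRV03,10
2006-04-21 13:45:11,540,svc_sql,SRV03,3
"""


def parse_export(text: str) -> list:
    """Parse the CSV export into dicts with integer event_id/logon_type."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        rows.append(row)
    return rows


def service_account_logons(rows: list, accounts: set) -> list:
    """The search in the post: every 528 for one of the service accounts."""
    wanted = {a.lower() for a in accounts}
    return [r for r in rows
            if r["event_id"] == SUCCESSFUL_LOGON
            and r["account"].lower() in wanted]


def interactive_misuse(rows: list, accounts: set) -> list:
    """Narrow to logons a service account should never produce: console or
    RDP sessions. Returns (time, account, computer, logon type name)."""
    hits = []
    for r in service_account_logons(rows, accounts):
        kind = INTERACTIVE_TYPES.get(r["logon_type"])
        if kind:
            hits.append((r["time"], r["account"], r["computer"], kind))
    return hits


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for hit in interactive_misuse(rows, {"svc_backup", "svc_sql"}):
        print("%s  %s logged on interactively at %s (%s)" % hit)
```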
Re: [ActiveDir] Service Account Logging/Tracking
My bad. Just saw the option to check saved logs too. Sorry M@

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only. M@
[ActiveDir] stupid ldap queries
All, could someone please explain how non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set? Thanks M@
Re: [ActiveDir] stupid ldap queries
Thanks for the reply. In that case why does adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)) ldapdisplayname -list return objectclass among the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote: Not sure I understand the question fully, but, no, objectClass is not indexed. objectCategory is. So if you want to get all users you do: (&(objectCategory=person)(objectClass=user)) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-----Original Message----- From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Tuesday, April 18, 2006 1:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] stupid ldap queries All, could someone please explain how non-indexed queries (e.g. objectClass=user) fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set? Thanks M@
Re: [ActiveDir] stupid ldap queries
sorry that was meant to be adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)) ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: Thanks for the reply. In that case why does adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)) ldapdisplayname -list return objectclass among the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks M@
Re: [ActiveDir] stupid ldap queries
bummer! I meant adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)) ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: sorry that was meant to be adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)) ldapdisplayname -list
Re: [ActiveDir] stupid ldap queries
Thanks all for the clarification! M@

On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I did the same after I saw some of the activedir folks post about doing it… :m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook Sent: Tuesday, April 18, 2006 4:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] stupid ldap queries I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago. Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond Sent: Tuesday, April 18, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] stupid ldap queries No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think "isIndexed") which says the attribute should be indexed in the database. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Tuesday, April 18, 2006 2:15 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] stupid ldap queries bummer! I meant adfind -schema -f (&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)) ldapdisplayname -list
Re: [ActiveDir] how to report on scheduled jobs?
http://www.microsoft.com/technet/scriptcenter/scripts/os/tasks/ostkvb04.mspx

On 4/17/06, Thommes, Michael M. [EMAIL PROTECTED] wrote: Is there a script to output scheduled job information? Maybe something I could call in a for loop driven by a list of servers. Ideally, I would like to see the job and whose credentials it is running under, with maybe the schedule. Mike Thommes
Re: [ActiveDir] Changing a users password
How about using lockoutstatus.exe? It's no script tool but is sure easy to use. M@