[ActiveDir] Way OT: Shared Folders snap-in columns
I can't find an explanation and thought some of this august body might know or can point me to some resource...

When viewing sessions in the Shared Folders MMC snap-in for an AD member file server, there is a column labeled Idle Time. What events reset this timer? I sometimes see very short idle times in the wee hours of the morning when I'm pretty sure no human is at the client machine.

In the Computer column I see some machines listed by their NetBIOS name, obviously from info in the AD integrated DDNS. Others are listed by their FQDN which is not related to the assigned NetBIOS name. This must be coming from the non-AD related, public DNS to which the AD DDNS refers inquiries for other domains. (The AD domain name and the public domain name are different.) What might be different about the way these machines were set up? Just curious...

TIA,
-mjm

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] Delegate Password Resets
I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.

-mjm

Salandra, Justin A. wrote:
I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
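An added example, not code from anyone in the thread: the narrower alternative to membership in a built-in group is to grant one helpdesk group only the "Reset Password" control-access right (plus write on pwdLastSet, so they can force a change at next logon) on one OU, scoped to user objects. It assumes the RSAT ActiveDirectory module and a domain where the OU and group names below exist; those names are placeholders.

```powershell
# Added example, not from the thread. Delegates only the "Reset Password"
# extended right and write on pwdLastSet to one group on one OU, inherited
# by descendant user objects only. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=corp,DC=example'   # assumed OU holding the accounts helpdesk may reset
$groupName = 'Helpdesk-PwReset'              # assumed security group for helpdesk staff

# Look the GUIDs up in the schema and configuration partitions instead of hard-coding them.
$rootDse    = Get-ADRootDSE
$userClass  = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                  -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSet = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                  -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetRight = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                  -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: Reset Password extended right on descendant user objects (not on the OU itself)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', $resetRight, 'Descendents', $userClass))
# ACE 2: write pwdLastSet on descendant user objects ("must change password at next logon")
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'WriteProperty', 'Allow', $pwdLastSet, 'Descendents', $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: only these two ACEs should be listed for the group on this OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The verification step matters as much as the grant: run it on any OU you delegate and confirm nothing beyond the two intended ACEs shows up for the group, and run it again after any later ACL edits by another admin.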
Re: [ActiveDir] OT: Quota Software
We use a 3rd party app SpaceGuard SRM from www.tools4ever.com on our file servers to implement directory level (rather than user level) disk quotas, monitor usage, send email to users when they get close to or hit the quota, etc. I can monitor and manage quotas from a single client workstation and have set up automatic quotas for Home Directories. SpaceGuard works fine for our single site. We did not try the built-in Windows quota at the time we switched to AD 4 years ago because the quota was by user. It may have gotten better in Win2k3.

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC

Mark Parris wrote:
All,
I have been tasked with implementing disk quotas for corporate users. Some of the data is centralised and some is stored on regional file servers, but no user has data spread over more than one server or location. Whilst I understand the concepts I have never implemented quota software, so can anyone recommend a quota management software that works? The software must be configurable to a user or a group and not at the volume level. A nice to have would be storage billing. Any gotchas?

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
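An added example, not code from anyone in the thread: the directory-level quotas, warning e-mail and automatic per-home-directory quotas described above can be done with the built-in File Server Resource Manager cmdlets (Windows Server 2012 and later), without a third-party product. It assumes the FSRM role service is installed and that D:\Home holds one subfolder per user; the path, size and thresholds are assumptions.

```powershell
# Added example, not from the thread. Directory-level quotas with FSRM:
# one template, e-mail at 85%, event log at 100%, auto-applied to every
# subfolder of an assumed home-directory root. Assumes the FSRM role service.
Import-Module FileServerResourceManager

$homeRoot = 'D:\Home'   # assumed: one subfolder per user

# Actions fired at thresholds. The bracketed tokens are FSRM message variables.
$mailAt85 = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email]' `
    -Subject 'Home directory quota warning' `
    -Body 'Your home directory [Quota Path] is at [Quota Used Percent]% of its [Quota Limit] limit.'
$logAt100 = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota reached on [Quota Path] by [Source Io Owner]'

# Hard limit (writes fail at 100%); add -SoftLimit to the template for a monitor-only quota.
$template = New-FsrmQuotaTemplate -Name 'Home 2GB' -Size 2GB -Threshold @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $mailAt85),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $logAt100)
)

# Auto quota: each existing and future subfolder of $homeRoot gets its own quota from the template.
New-FsrmAutoQuota -Path $homeRoot -Template $template.Name

# Usage report per home directory, fullest first (the "monitor usage" part).
Get-FsrmQuota |
    Where-Object { $_.Path -like "$homeRoot\*" } |
    Select-Object Path,
        @{ n = 'UsedMB';  e = { [int]($_.Usage / 1MB) } },
        @{ n = 'LimitMB'; e = { [int]($_.Size  / 1MB) } },
        @{ n = 'Pct';     e = { [int](100 * $_.Usage / $_.Size) } } |
    Sort-Object Pct -Descending
```

Set the SMTP server and the administrator address once with Set-FsrmSetting before relying on the e-mail action, and send a test message from the FSRM console; a quota that silently fails to notify users is worse than no quota.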
Re: [ActiveDir] OT: M$
no oops needed, IMHO

I think we crossed a line here and would like to see this thread stopped before Tony gets back. ;-)

-mjm

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
(oops) ;-) and :-) of course

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
... it must be everyone weirding out waiting for their Vista downloads on MSDN... at least I'm hoping that's the reason, otherwise... can we go back to when Deji was insulting the wrong Laura? At least near my dinnertime?

Laura A. Robinson wrote:
I am so grossed out now.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Friday, November 17, 2006 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Mm... Yummy!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, November 17, 2006 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

May I have that fork when you're finished?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Friday, November 17, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

Great, thanks joe. Now I have to go stab my eyes out with a fork. It's worse than Princess Jorge in the lederhosen at Oktoberfest.

On 11/17/06, joe [EMAIL PROTECTED] wrote:
I wear boots with lifts. Shirts with padding. And carry Hershey's kisses in my cheeks like a squirrel.
[ActiveDir] OT: Can't sign up for MS security alert email
I tried to sign up for MS email security alerts. But I get an error:

The portion of your e-mail address that follows the @ symbol is part of a reserved domain such as live.com, hotmail.com, msn.com or passport.com. Please type a different e-mail address.

I tried my general work address [EMAIL PROTECTED] and then one in our own subdomain [EMAIL PROTECTED] with the same error message for both. Anybody know what's up?

TIA,
-mjm
Re: [ActiveDir] OT: Can't sign up for MS security alert email
Yes, this was a Passport signup form. I was wondering about something like that. The UIUC domain is part of the MS Select program - related? It doesn't at present seem to make sense to me why they would elect that exclusion. Security alerts are a good thing, are they not? Maybe the logic will come to me in a dream. ;-) Anyway, it sounds as if I should inquire with the powers that be in this domain instead of bugging you people.

Thanks, Brian,
-mjm

Brian Desmond wrote:
Did you have to get Passport? I think organizations can tell MS not to allow Passport signups from their domain.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Tuesday, October 10, 2006 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Can't sign up for MS security alert email

I tried to sign up for MS email security alerts. But I get an error:

The portion of your e-mail address that follows the @ symbol is part of a reserved domain such as live.com, hotmail.com, msn.com or passport.com. Please type a different e-mail address.

I tried my general work address [EMAIL PROTECTED] and then one in our own subdomain [EMAIL PROTECTED] with the same error message for both. Anybody know what's up?

TIA,
-mjm
[ActiveDir] OT: recent MS updates changed Exchange SMTP servers?
We use Exchange 2003 running on Win2k3 Server Standard Edition strictly for distribution groups where all user objects have external SMTP addresses - no Exchange mailboxes, etc. We have a simple single forest, single site AD Win2k R2 domain.

A message addressed to one of our AD distribution groups ([EMAIL PROTECTED]) results in an outbound message with multiple RCPT TO entries. With very few exceptions, the external email addresses are for the main campus domain ([EMAIL PROTECTED]). This worked well since implementation in February 2006. Lately, there have been considerable delays in the UIUC campus domain servers accepting these messages in a timely manner.

There have been no intentional changes to our Exchange server other than the application of Patch Tuesday updates and, after becoming aware of these delays, changing the SMTP connection timeout from the default 10 minutes, to 30, then to 45 and now to 120 minutes.

Do any of you Exchange gurus know of any recent MS updates that would have changed anything regarding outbound connections with the Exchange SMTP server? I suspect the problem is not on our end but don't want to start pointing fingers without some assurance that nothing has changed here.

TIA,
-mjm
--
Michael J. Miller
Computing Services
College of Veterinary Medicine
University of Illinois at Urbana-Champaign
[ActiveDir] OT: Jabber and AD authentication
The powers that be at my site want to implement IM using Jabber and would like to leverage our AD for authentication. We are just starting to think about this. It's not yet decided if the Jabber server will be running on Linux or Windows. I would imagine several people in this august body would have experience with this. I would be interested in your comments before we actually start trying to implement something.

TIA,
-mjm
--
Michael J. Miller
Computing Services
College of Veterinary Medicine
University of Illinois at Urbana-Champaign
Re: [ActiveDir] adm file management
ADM files are silently updated by whatever host machine you use. The recommendation is to use the latest and greatest OS on a dedicated GPO machine so that the latest ADM files are available for use.

-mjm
Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC

Graham Turner wrote:
quick question (hopefully not too daft) ref ADM file management

it seems different OSes ship with different versions of the 'standard' ADM files that include conf.adm / inetres.adm / system.adm ...

say if you are maintaining policies that link to containers holding say XP, 2000, 2003 computers it would not be unreasonable to manage them all from a single host on which you edit policies.

am i correct to say that in maintaining the settings in these files are always cumulative - if that's the right word

if so then it is correct working practice to always use the MOST RECENT version of an ADM file with no fear of breaking previously functional GPOs ???

GT
[ActiveDir] LDAP queries and FERPA
The recent discussion of LDAP queries from the outside brings to mind a question regarding FERPA for those of us working in the education arena. See http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

How do you deal with hiding directory data for individuals who have elected to not have their directory data exposed? I'm sure there are several solutions in current use.

--
Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC
Re: [ActiveDir] Find last logon for ID
It strikes me that y'all are trying to cobble together a bicycle. Why not use a car? AD Toolkit from Javelina Software has last logon as one of many pre-configured reports. You run it against an OU or entire domain and it returns last logon info as well as which DC handled it. Saving a report as a CSV file is also a standard option. I sometimes use it for machine account last logon info to find those which may have left with Elvis. See http://www.javelinasoftware.com/advantage.html

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC

joe wrote:
You may want to test this in your environment, but from an efficiency standpoint, with this query you may want to trim it all the way down to sAMAccountName=username

This is an odd one because objectcategory and samaccountname are both indexed so the QP has to decide which index to use based on some internal logic. From what I have experienced it usually chooses objectcategory, probably because it will have fewer values than samaccountname. However in this case samaccountname is guaranteed to be unique so it can go directly to the object in question, whereas with objectcategory it will have to visit all of the person objects.

Another alternative would be to try and stick the sAMAccountName portion of the query at the very beginning of the query, which seems to push that index into being used from what I have seen. I don't agree that reversing the filter like that should cause this to happen but it seems to, which is why if I have multiple indexed attributes in an AND query I try to stick with putting the most specific one at the front. Why it all works this way I have some ideas but honestly, the QP specifics are something that should come from someone with more intimate knowledge of the QP code like ~Eric or someone else who has spent 14 hour days in that specific section of the code. It would make great blog entries I think... I would also buy the book but I think that would be an extremely limited audience and probably not worth writing as a whole official book. :)

You can experiment with this, assuming you are basically an Admin on your DCs, with the -stats+only switch in ADFIND like so:

adfind -b some_base_dn -f somefilter -dn -stats+only

*Initial Query*
Elapsed Time: 0 (ms)
Returned 1 entries of 16 visited - (6.25%)
Used Filter: ( & (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc) (sAMAccountName=$joe) )
Used Indices: idx_objectCategory:16:N

*Query Reversed*
Elapsed Time: 0 (ms)
Returned 1 entries of 1 visited - (100.00%)
Used Filter: ( & (sAMAccountName=$joe) (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc) )
Used Indices: idx_sAMAccountName:1:N

*Query chopped*
Elapsed Time: 0 (ms)
Returned 1 entries of 1 visited - (100.00%)
Used Filter: (sAMAccountName=$joe)
Used Indices: idx_sAMAccountName:1:N

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chong Ai Chung
Sent: Wednesday, August 16, 2006 3:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Find last logon for ID

You can get this information using adfind:

adfind -b dc=domainname,dc=com -f "(&(objectClass=user)(objectCategory=person)(sAMAccountName=username))" lastLogonTimestamp -tdc

If you are looking for a script, you can refer to the following Script Center article:
http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

Regards,
Ai chung

On 8/16/06, Tashildar, Dinesh (Cognizant) [EMAIL PROTECTED] wrote:
Does anyone know a script to get the last logon stamp for an Active Directory user?
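An added example, not code from anyone in the thread, for the question that started it: lastLogonTimestamp (what the adfind command above returns) is replicated but by default only rewritten when it is more than about 14 days stale, whereas lastLogon is exact but stored per DC and never replicated. The block below asks every DC for both, using a filter that leads with the unique indexed attribute (joe's point about index choice), and reports the newest lastLogon and the DC that holds it. It assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account.

```powershell
# Added example, not from the thread. Per-DC lastLogon vs. replicated
# lastLogonTimestamp for one account. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$sam = 'jdoe'   # assumed sample account
# Most specific indexed attribute first, per joe's -stats+only observations.
$filter = "(&(sAMAccountName=$sam)(objectCategory=person)(objectClass=user))"

$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -LDAPFilter $filter -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    if (-not $u) { continue }

    # Both attributes are Windows FILETIME (100-ns ticks since 1601); 0/absent means never.
    $ll  = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }
    $llt = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
    [pscustomobject]@{ DC = $dc.HostName; LastLogon = $ll; LastLogonTimestamp = $llt }
}

$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The authoritative value is the newest per-DC lastLogon; lastLogonTimestamp
# on any one DC can trail it by up to the replication threshold.
$latest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1
if ($latest) {
    "Newest logon for $sam : $($latest.LastLogon) (recorded on $($latest.DC))"
} else {
    "No DC holds a lastLogon for $sam (never logged on, or DCs unreachable)."
}
```

For stale-account reports over a whole OU, lastLogonTimestamp from a single DC is good enough, because a 14-day error does not matter when the cutoff is 90 days; for "when did this user last log on" during an incident, query every DC as above, and check the security log on the DC named in the result.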
Re: [ActiveDir] Find last logon for ID
Fair enough! I didn't realize it costs so much these days. We got in early and also got an EDU discount to boot. It costs me only $250 a year and saves a lot of time by avoiding debugging some script. My objective is to administer the AD, not write code. I'm new to this list and perhaps haven't quite gotten the gist of it yet. In my case, it pays for itself each fall by allowing mass creation of new user accounts for incoming students with randomly generated passwords, Home Directories, etc. using a simple file as input. Other uses are just gravy. I'll shut up and just listen for a while.

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC

Steve Rochford wrote:
One reason for using the bicycle instead of the car is that the bike is free whereas the car costs (a lot!) of money. There's also the benefit that you learn more about how it all works; then when you want a report which isn't included in the toolkit you have you can just run it up yourself (perhaps asking for a little help along the way)

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: 16 August 2006 15:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Find last logon for ID

It strikes me that y'all are trying to cobble together a bicycle. Why not use a car? AD Toolkit from Javelina Software has last logon as one of many pre-configured reports. You run it against an OU or entire domain and it returns last logon info as well as which DC handled it. Saving a report as a CSV file is also a standard option. I sometimes use it for machine account last logon info to find those which may have left with Elvis. See http://www.javelinasoftware.com/advantage.html

Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC
Re: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution
Maybe you wouldn't exactly call it a utility tool, but WSUS can generate reports with all kinds of info regarding the status of patches for all machines in the domain. It's free and has minimal hardware requirements. You can service all your machines via a GPO and, if you're the cautious type, wait for the bleeding edge people to report back before approving certain updates for your client machines.

-mjm

Alex Alborzfard wrote:
What about MS06-040? I've heard it's a nasty one like Blaster. DHS has already issued a recommendation to apply this patch.

I remember using a utility tool that would list all applied patches on a Windows box with all kinds of information. Has anyone ever used or knows anything about it?

Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 08, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

One of 12 today... but since it's DNS related:

Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683):
http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx

For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.

(and Brett... just a FYI... in my twig forest... any attacker that ends up on a subnet between a host and my DNS server [aka the Kitchen sink service server]... that attacker is dead meat and has a 2x4 aimed his way... one advantage of being little)

Your patch folks may be calling up you AD guys for testing passes.

Workarounds:

Block DNS related records at network gateways
Blocking the following DNS record types at network gateways will help protect the affected system from attempts to exploit this vulnerability.
* ATMA
* TXT
* X25
* HINFO
* ISDN
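An added example, not code from anyone in the thread: the "list all applied patches" question, applied to the bulletin above. Get-HotFix reads the same Win32_QuickFixEngineering data a patch-inventory tool shows, so it can answer "which of our servers still lack KB920683" without WSUS. It assumes the RSAT ActiveDirectory module and that WMI/DCOM from the admin workstation to each target is allowed; the server filter and the CSV path are assumptions.

```powershell
# Added example, not from the thread. Inventory one KB across domain servers
# with Get-HotFix; machines that cannot be queried are reported separately
# rather than silently counted as patched. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$kb = 'KB920683'   # MS06-041, from the bulletin quoted above
$targets = (Get-ADComputer -Filter 'operatingSystem -like "*Server*"' -Properties operatingSystem).Name

$report = foreach ($c in $targets) {
    try {
        $hf = Get-HotFix -ComputerName $c -ErrorAction Stop | Where-Object HotFixID -eq $kb
        $installedOn = if ($hf) { $hf.InstalledOn } else { $null }
        [pscustomobject]@{ Computer = $c; Installed = [bool]$hf; InstalledOn = $installedOn; Error = $null }
    } catch {
        # Unreachable, access denied, or WMI broken: Installed stays $null, never $false.
        [pscustomobject]@{ Computer = $c; Installed = $null; InstalledOn = $null; Error = $_.Exception.Message }
    }
}

# Missing first, then unknown, then patched.
$report | Sort-Object Installed | Format-Table -AutoSize
$report | Where-Object { $_.Installed -eq $false } |
    Export-Csv -NoTypeInformation -Path '.\ms06-041-missing.csv'   # assumed output path
```

Treat an unreachable host as unknown, not as patched: the machines that fail WMI are often the ones that also miss their update window, and they belong on the follow-up list alongside the ones that reported the KB missing.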