RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread joe
Windows 2000 RTM'ed. They think it is just like the routing subnets where you have to be very careful what you are doing or you will break packet routing. I see this question on a pretty regular basis in various forums, at least once per month. joe -- O'Reilly Active Directory Third Edition - http

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread joe
] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, January 27, 2007 3:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT Ewww. :) Unless there are other needs

RE: [ActiveDir] AD Security Auditing

2007-01-28 Thread joe
G:\Tempadfind -default -f * -s one ntsecuritydescriptor -sddl++ -resolvesids -sddlnotfilter ;inherited AdFind V01.35.00cpp Joe Richards ( mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]) January 2007 Using server: r2dc2.test.loc:389 Directory: Windows Server 2003 Base DN: DC=test,DC=loc dn:CN

RE: [ActiveDir] Adfind + Admod help

2007-01-28 Thread joe
structures used can make or break the entire solution. I have seen seemingly impossible problems that have been made possible with great ideas about how to structure the data and I have seen simple problems made nearly impossible because of bad data structures. joe -- O'Reilly Active

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread joe
it? On 1/28/07, joe [EMAIL PROTECTED] wrote: I agree that MIIS could be convenient but only if it is already there or you have other plans for it. If this was the only reason for it I would be more apt to put something else together that had a far lower bar of entry such as some basic

RE: [ActiveDir] adsiedit question

2007-01-28 Thread joe
Just an FYI, I kept reading in the responses about move... This doesn't move the mailbox, it creates a new one at the new HomeMDB URL location and the old mailbox is sitting there disconnected in the old store location. This is something that can be done for normal users to get dialtone back

RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-27 Thread joe
) { ($mail,$primarysmtp)=($thisline=~/,([^,[EMAIL PROTECTED],]+),.*SMTP:([^,[EMAIL PROTECTED],]+)[\n,]/) ; $disjoint=($mail ne $primarysmtp)?TRUE:FALSE; $thisline=~s/smtp://ig; # strip smtp: and SMTP: print ofh $disjoint,$thisline; } joe -- O'Reilly Active Directory Third

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread joe
Active directory will use the most specific network address that applies to it. For instance, I set up a class-A address (or multiple in some companies) that applies to all of the network space of the company and assign that to the primary data center location. Then I start making more focused

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread joe
You are mistaking machine subnetting and subnetting defined in AD. They are not connected. The definitions in AD do not have to reflect what is really happening at the routing layer. They are generally close but there isn't any technical reason why they have to be. -- O'Reilly Active Directory

RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-27 Thread joe
-Free (x8595) 803.739.1176 Fax -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Thursday 25 January 2007 19:52 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? In addition to what Ulf said

Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
the addresses that way. It would probably be less effort in the long run. If I was asked to do the exact same thing, that is definitely how I'd do it. If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious to hear about it. :) Joe K. - Original Message - From: Douglas W

Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
of thing). Joe K. - Original Message - From: Dave Wade [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, January 26, 2007 6:30 PM Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT If you want to query Notes and AD in the same script you don't

Re: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Joe Kaplan
and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much. Joe K. - Original Message - From: Ulf B. Simon-Weidner To: ActiveDir@mail.activedir.org Sent: Thursday, January 25, 2007

RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread joe
://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Thursday, January 25, 2007 7:52 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? In addition to what Ulf said

Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
Cool, thanks Lee. It works. :) Joe - Original Message - From: Lee Flight [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 5:13 AM Subject: Re: [ActiveDir] Who Am I request Using ldp.exe; rootDSE query for supportedExtension will you the OID: 4

Re: [ActiveDir] Search over SSL hangs

2007-01-23 Thread Joe Kaplan
by the server or CRL checking. Does Oracle give you any logs? What SSL stack do they use? Can this issue be reproduced with any other SSL stacks (Windows using ldp.exe for example)? Joe K. - Original Message - From: Mauricio de Andrade Ramos [EMAIL PROTECTED] To: ActiveDir

Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :) Joe K. - Original Message - From: Alexandr Kara [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007

Re: [ActiveDir] Search over SSL hangs

2007-01-23 Thread Joe Kaplan
troubleshoot the problem. Joe K. - Original Message - From: Mauricio de Andrade Ramos [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 11:43 AM Subject: Re: [ActiveDir] Search over SSL hangs Joe, List, yes! It does sound like it is something with Oracle SSL

Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
such as the full DN, GUID or SID. I doubt that helps if you are trying to use OpenLDAP though. :) Joe K. - Original Message - From: Alexandr Kara [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 3:12 PM Subject: Re: [ActiveDir] Who Am I request Let's

Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
Thanks for clearing that up. I appreciate it. Joe K. - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 23, 2007 5:52 PM Subject: RE: [ActiveDir] Who Am I request You can do an x-domain simple bind within the forest

RE: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread joe
Get a network trace of the LDAP calls and responses. Possibly it is an apache issue, possibly the developer is a knucklehead. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Unsubing

2007-01-19 Thread joe
http://www.activedir.org/List.aspx Careful... some affairs can get you jail time... An affair with a tiger or leopard is likely one of them... Plus once you have gone that direction, you may find your overall pool of possible dates shrinks dramatically, especially if you admit where you have

RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread joe
I am aware of a 20GB DIT or two. Generally most of the DITs seem to be 10GB or smaller for many/most companies even with hundreds of thousands of users. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED]

RE: [ActiveDir] Export Group's Members details

2007-01-14 Thread joe
22:06:29.53] F:\Dev\CPP\AdModadfind -e -default -f name=administrators member AdFind V01.34.00cpp Joe Richards ( mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]) November 2006 Using server: 2k3dc02.joe.com:389 Directory: Windows Server 2003 Base DN: DC=joe,DC=com dn:CN=Administrators,CN=Builtin,DC

RE: [ActiveDir] Domain Admin

2007-01-12 Thread joe
before, during, or after my engagement. It's way too easy to ask for the details in a particular format vs. collecting it with DA rights. DA is just way too much IMHO. It's lazy to ask for the keys to the kingdom to gain access to the kitchen. But I'm with you joe, I hope it's a translation thing

RE: [ActiveDir] Win 2000 Remote Desktop Users

2007-01-11 Thread joe
... joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Thursday, January 11, 2007 12:55 PM To: activedir@mail.activedir.org Subject: [ActiveDir] Win 2000

RE: [ActiveDir] Win 2000 Remote Desktop Users

2007-01-11 Thread joe
] Win 2000 Remote Desktop Users joe, YMYMYM Thanks. RH __ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: 11 January, 2007 2:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Win 2000 Remote Desktop

RE: [ActiveDir] Adfind and ADMOD question

2007-01-11 Thread joe
whatever_filter member -qlist Like so G:\adfind -default -f name=domain admins member -qlist CN=user\, test,OU=Users,OU=TestOU,DC=test,DC=loc CN=$joe,OU=Users,OU=My,DC=test,DC=loc CN=Administrator,CN=Users,DC=test,DC=loc And if it doesn't return a list that exceeds 1500 members, let me know because

RE: [ActiveDir] Domain Admin

2007-01-11 Thread joe
Hopefully the guy means the person needs administrator rights over the two servers. Not sure how you would give domain admin rights over two servers and even what that would buy you. At the member level a domain admin isn't any more powerful than a local admin. The domain powers come in with the

RE: RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-09 Thread joe
What is the version? Current version of AdFind that is publicly available is V01.35.00. The -resolvesids option made it into AdFind around V01.31.00 or so which was a year ago. Plus if you really want something readable you likely want -sddl++ joe -- O'Reilly Active Directory Third

RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-08 Thread joe
not seen an example of this until a few months ago when I noticed such SID appearing in DSACLS output in an Exchange 2007 deployment[1]. Lee Flight [1] See Table 3 in http://technet.microsoft.com/en-us/library/315d9c42-1ab4-4ef4-9292-12cdcb9c98cf.aspx On Sun, 7 Jan 2007, joe wrote: Because

RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread joe
admins are users too... :) joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece Sent: Monday, January 08, 2007 1:39 PM To: ActiveDir@mail.activedir.org Subject

RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

2007-01-08 Thread joe
encoded secprins decoded use -resolvesids. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Monday, January 08, 2007 5:42 PM To: ActiveDir@mail.activedir.org Subject

RE: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread joe
of machine account passwords On Mon, 8 Jan 2007 15:33:01 -0500 joe [EMAIL PROTECTED] wrote: A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent

RE: [ActiveDir] ADfind to find locked accounts

2007-01-08 Thread joe
of currently locked accounts. It would be relatively efficient unless you have a lot of accounts that have passed the lockout duration but no one ever logged into them afterward. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From

RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-07 Thread joe
to figure out if someone has access to something, SIDs are compared, not names. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj Sent: Thursday, January 04, 2007

RE: [ActiveDir] ADFind help

2007-01-05 Thread joe
(V01.35.00) in the next day or three (may even upload it tonight still if I don't run out of gas). It has a couple bug fixes around the ACL output and some additional ACL options. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message

RE: [ActiveDir] Filter out a certain group of users from the GAL

2007-01-05 Thread joe
Excellent, good to hear. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W. Sent: Thursday, January 04, 2007 3:15 PM To: ActiveDir@mail.activedir.org Cc: 'joe

RE: [ActiveDir] ADFind help

2007-01-05 Thread joe
. So you could specify -default and -rb cn=users. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Saturday, January 06, 2007 1:14 AM

RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread joe
, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Thursday, January 04

Re: [ActiveDir] DirectoryServices vb.net is broken.

2007-01-02 Thread Joe Kaplan
question and one that I never really thought much about before, so don't be disappointed when you don't find it discussed in ch 3 or 6. :) Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 02, 2007 10:30 AM Subject: RE: [ActiveDir

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread Joe Kaplan
That is what I was thinking of. I couldn't find where I read that and went from memory. Thanks for the clarification. Joe K. - Original Message - From: steve patrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, December 29, 2006 6:07 PM Subject: Re: [ActiveDir

Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan
with previous DS APIs. That might be part of the problem here. In any event, it is generally always good practice to use the .Value property to set a single value. There is more info on this in ch 6 of our book (www.directoryprogramming.net). Joe K. - Original Message - From: AD

Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan
hope it helps more than hurts. There is an inevitable amount of hair loss that must occur with any new LDAP programming project, but hopefully it won't require prescription drugs or surgery to replace. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir

RE: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread joe
] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Thursday, December 28, 2006 12:24 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DirectoryServices vb.net is broken. They aren't equivalent. Try using the .Value property instead: user.Properties(description).Value =

Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan
Studio but sometimes cycles with Windows). However, these are pretty low key. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 1:40 PM Subject: RE: [ActiveDir] DirectoryServices vb.net is broken. One last

RE: [ActiveDir] Automatic user disable based on criteria

2006-12-24 Thread joe
I didn't read the whole chain of responses, I was just skimming and saw these questions Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take a peek at originating date/time for attributes. Yes it can show you the metadata from AD (assuming K3

Re: [ActiveDir] Mapping Groups within AD

2006-12-24 Thread Joe Kaplan
in ch 11 and has followed up with a few additions on his blog showing other techniques. I can't help with the Visio stuff, but if you can find some samples that show how to plug data into the model to produce diagrams, it shouldn't be too hard to put it all together. Best of luck, Joe K

RE: [ActiveDir] Delegate Password Resets

2006-12-23 Thread joe
way as pw-resets. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Freitag, 22. Dezember 2006 18:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets You will either delegate or you will proxy. That is about

RE: [ActiveDir] Filter out a certain group of users from the GAL

2006-12-23 Thread joe
) ) (objectClass=user) (! (homeMDB=*) ) (! (msExchHomeServerName=*) ) ) ( (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com) (objectClass=user) (| (homeMDB=*) (msExchHomeServerName

RE: [ActiveDir] Built in Security groups

2006-12-23 Thread joe
of that group directly to continue on. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, December 22, 2006 11:14 AM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Automatic user disable based on criteria

2006-12-23 Thread joe
I hope I am not confusing you all. :-) I know, simple solution would be to change criteria to say 15 days, raise DFL and use LLTS, but I am taking this as a scripting challenge at Win2k-native DFL. Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take

RE: [ActiveDir] Schema Extension Question

2006-12-23 Thread joe
You won't need anything other than a normal userid unless you have put weird ACEs in place to hide user objects and then you just need to have the normal userid in the right group and that right group shouldn't have to be Administrative level. Note though that no group membership is going to give

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
That is precisely why that group existed in NT4. Now it is a holdover for the migration periods when you have NT4 and AD deployed. Honestly I wish the group would vanish the instant you clicked native mode. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
Good ol .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything and then when it dorks up you can fix on your own. JoeK probably has this code on a web site somewhere. -- O'Reilly Active Directory Third Edition -

Re: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Joe Kaplan
a little crazy to me, but I'm also a good developer, so a lot of things that seem easy to me might not be easy to other people. Joe K. - Original Message - From: joe To: ActiveDir@mail.activedir.org Sent: Friday, December 22, 2006 11:34 AM Subject: RE: [ActiveDir] Delegate Password Resets

RE: [ActiveDir] Filter out a certain group of users from the GAL

2006-12-19 Thread joe
made up about the RFC standards etc but that reason was, as I said, crap. It is just something you have to be aware of when working with those filters. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Joe Kaplan
, giving out unconstrained delegation privileges is a bit icky. This may be one of those situations where it is easier to just pass the plaintext credentials around between the tiers using basic auth/SSL and such. Joe - Original Message - From: Ken Schaefer To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Group Membership Update Frequency

2006-12-16 Thread joe
as above and then query the tokenGroups attribute of the rootdse like so adfind -h ADAMSERVER -rootdse -resolvesids tokengroups joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED

RE: [ActiveDir] Vista GPO

2006-12-16 Thread joe
to see most large companies deploying Longhorn heavily into production before Vista even. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka

RE: [ActiveDir] AD admin tool for Vista

2006-12-16 Thread joe
Any answers would simply be guesses but I honestly wouldn't expect anything until Longhorn release time frames. Note that those Petri instructions initially were posted to this list by Steve Linehan (Microsoft). -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

RE: [ActiveDir] SBS Dies Twice in Four Days

2006-12-16 Thread joe
SBS... uh oh there goes the neighborhood... This one could possibly get the [OT] badge I expect and/or go to the SBS specific groups. If an SBS server died, AD would be one of the last things on it I would suspect with everything it runs. ;o) joe -- O'Reilly Active Directory Third Edition

RE: [ActiveDir] LDAP query

2006-12-16 Thread joe
, that would be running and collecting info and then you generate the report from the output generated. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess

RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-16 Thread joe
, I am curious what exactly they want to do from UNIX and Java with machine accounts and whether they are chatting with anyone as they may find they really don't have rights to do what they are wanting to do or are specifically disallowed from mucking with it. joe -- O'Reilly Active Directory

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-16 Thread joe
So what was the overall outcome here? Did the PDC -vs not-PDC end up making a difference? Administrators -vs- Domain Admins? etc etc etc -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Resending because I kept sending via the wrong account.

2006-12-16 Thread joe
Ah. And the PDC versus non-PDC? Red Herring? Cross-contamination? Crossed the streams and the sta-puff marshmallow man wasn't in sight. ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Send As(OT)

2006-12-16 Thread joe
In Exchange nothing comes from the DL, it comes from the user who sent to the DL. I believe you cannot in actualality (sp?) send from a DL because a DL is an alias, not a mailbox. I could easily be wrong not being an Exchange guy but I don't expect I am. -- O'Reilly Active Directory Third

RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

2006-12-16 Thread joe
I am not positive on this, but I think you need to look at mAPIIDs. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike) Sent: Tuesday, December 05, 2006 5:26 AM To:

RE: [ActiveDir] Tombstone.

2006-12-16 Thread joe
ran into that while doing mass testing of AdMod which will also reanimate tombstones. The bug is officially bugged and should be corrected eventually. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED

RE: [ActiveDir] Tombstone.

2006-12-16 Thread joe
Difficult to replicate a deleted object... If you send a null to your replication partner, it doesn't know what to remove. :) You can get around the whole tombstone thing though if you use dynamic objects. Those really and truly do delete with no chance of reanimation. However, the time to die

RE: [ActiveDir] mailNickName(OT)

2006-12-16 Thread joe
second what joe says about not taking their word for anything. I'll go so far as to qualify that and say that the best answer you should get from a consultant or on-site resource is it depends. What that really means is that depending on the information available, your current best practice

RE: [ActiveDir] mailNickName(OT)

2006-12-16 Thread joe
] On Behalf Of joe Sent: Wednesday, November 22, 2006 4:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] mailNickName(OT) I have to admit some surprise that you have that large of an org and haven't hit issues in collisions on the name space when using firstname.lastname. Actually I

RE: [ActiveDir] OT: Find a use of an account in AD

2006-12-16 Thread joe
I seem to recall Dean Wells posting a batch file to the list to gather all of the service accounts being used across a forest, might want to peek at the archives. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED]

RE: [ActiveDir] ActiveDir.Org Web Site Update [List Admin]

2006-12-16 Thread joe
Hmmm I almost missed this post Ok Matty goes on the list ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matty Sent: Wednesday, November 22, 2006 5:24 PM To:

RE: [ActiveDir] Is it 2000 or 2003?

2006-12-16 Thread joe
--Paul - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 16, 2006 6:32 PM Subject: RE: [ActiveDir] Is it 2000 or 2003? AdFind only determines the Directory level, it doesn't look for functional modes or mixed mode. The way I get

RE: [ActiveDir] supportedsaslmechanisms

2006-12-16 Thread joe
I am not aware of being able to do so no. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Monday, November 06, 2006 2:30 PM To:

RE: Deleting an OU in AD and AD/AM with 1,000,000++ users (WAS: RE: [ActiveDir] )

2006-12-16 Thread joe
Hmm I swear I responded to this but I don't see it... So... The progress dots is only for reading in the CSV pipe... Not for what it is currently working on. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL

RE: [ActiveDir] AB Views Export/Import

2006-12-16 Thread joe
Hey Jerry, I am not exactly sure what you are asking for here. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch Sent: Thursday, November 02, 2006 9:26 AM To:

RE: [ActiveDir] Send As(OT)

2006-12-16 Thread joe
(security or distribution). I think this was some weird replication/info store cache issue that for some reason took 4 days to resolve itself. Thanks On 12/16/06, joe [EMAIL PROTECTED] wrote: In Exchange nothing comes from the DL, it comes from the user who sent to the DL. I believe you cannot

RE: [ActiveDir] LDAP query assistance

2006-12-16 Thread joe
answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably. As you can tell from this, and from our off-line conversation, I'm just using ASQ all the time ('cause

RE: [ActiveDir] running scripts via group policy using alternate accounts

2006-12-09 Thread joe
of the user who runs it. My suggestion is that you rethink your process because this sounds like a really crappy plan that you've got. I believe Joe Richards' cpau utility on joeware.net supports some type of encryption of credentials that you could use if you must do this. Thanks, Brian Desmond

RE: [ActiveDir] running scripts via group policy using alternate accounts

2006-12-09 Thread joe
companies, police departments, governments, and universities that use it for automated install packages as well. I would be curious what didn't work for you, feel free to email me separately if you haven't already. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win

RE: [ActiveDir] running scripts via group policy using alternate accounts

2006-12-09 Thread joe
this sounds like a really crappy plan that you've got. I believe Joe Richards' cpau utility on joeware.net supports some type of encryption of credentials that you could use if you must do this. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto

RE: [ActiveDir] Delegate join computer to domain

2006-12-09 Thread joe
additional perms at the OU level and let them inherit down so they don't have to deal with it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent

RE: [ActiveDir] OT:What is Websence

2006-12-09 Thread joe
To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:What is Websence You don't know I thought you knew it all, this is sad day. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, December 08, 2006 12:51 PM To: ActiveDir

RE: [ActiveDir] Global Catalog /DNS Question

2006-12-09 Thread joe
? But it is open source, someone could always quickly and easily add proper SRV lookup capability. eg joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Friday

RE: [ActiveDir] Quest Recovery Manager

2006-12-09 Thread joe
)... did I forget anyone... hmm maybe Robbie might take time away from work on his fields medal or latest cookbook to write you a Monad shell script that Joe will find a way to compile into a .exe to execute from a ADFIND query pipe. In all seriousness though, when evaluating DR feature for AD you

RE: [ActiveDir] What is Websence

2006-12-08 Thread joe
I don't know but I bet it deserves [OT] in the subject. :o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 6:30 PM To:

RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??

2006-12-03 Thread joe
, December 02, 2006 4:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] Can you run DHCP on a XP computer?? Which would probably be a licensing violation. :-) _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 02, 2006 4:41 PM

RE: [ActiveDir] Bulk of client going to PDC

2006-12-02 Thread joe
I would recommend doing a trace of one of the problem clients logging on and watch the whole referral process, etc. Actually I would probably just turn on a sniffer and let it watch everything from one of those machines from boot up for some time so you catch refreshes and everything else. At

RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-02 Thread joe
Good post but yuck. Amazing how many issues you avoid by avoiding ADSI, WMI, CDOEXM, and the other MSFT frameworks designed to make life easier... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??

2006-12-02 Thread joe
Yes, I believe there are at least one or two DHCP Server Open Source projects that will run on Windows XP. The Windows DHCP server won't from my knowledge, though I would surmise it may be possible to hack a machine to do so if someone really wanted to. -- O'Reilly Active Directory Third

Re: [ActiveDir] Child domain for external SharePoint users

2006-11-30 Thread Joe Kaplan
though. From a security perspective, though, Brian is right. If you just want to do this with AD and trusts, you should do a separate forest and do a forest trust. Otherwise, you aren't buying much in terms of real security. You might as well just put the accounts in a separate OU. Joe K

Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-24 Thread Joe Kaplan
don't think ADFS uses that either. :) Joe K. - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 23, 2006 10:24 PM Subject: Re: [ActiveDir] Scaling up with AD or ADAM? Thanks, Joe. I'll look up Eric's blog

Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-23 Thread Joe Kaplan
to use it if they can avoid it. Just a thought... :) Joe K. - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 23, 2006 2:54 PM Subject: [ActiveDir] Scaling up with AD or ADAM? Hi guys, We're helping a customer

RE: [ActiveDir] Question regarding active directory and restricting information

2006-11-22 Thread joe
there. joe [1] Exchange for example and by default relies on authenticated user permissions on global catalogs for access to a great deal of data by the Exchange servers themselves. I received a considerable surprise many years ago when I ran into that as what I had locked down resulted

RE: [ActiveDir] OT: DL is this to be expected?

2006-11-22 Thread joe
a peek. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Tuesday, November 21, 2006 8:22 PM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
. There are special little implementation details all throughout AD that you don't know about until you actually encounter them. I would not be surprised by even experienced admins to be tripped up on this one. It isn't worth really knowing about unless you have had a reason to have to know about it. joe

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
Pub time already. Phew this day went by fast! Let's go! -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 22, 2006 6:34 AM To:
