Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I think I'd be setting up a sniffer and figuring out exactly what is wanting what open and why. ...that's an awful lot of ports and exactly where is this firewall? I'm with Brian.. except I would probably not use the f word.. but I think I'd be going "okay this is fine to keep the bosses

Re: [ActiveDir] Change private IP on a cluster- In DNS, multiple computers can be named with the same name

2006-06-07 Thread Jose Medeiros
Hi Jim, I agree with you and I do find TechNet articles that are unclear and are missing steps, however much of it is, that Microsoft has only 5 or 6 people creating that content and probably do not always test (or have very limited testing) what they are listing. However, this

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Al Mulnick
Hmm.. I'm surprised by that Susan. :) Anyhow, why would you lock it down? I'm curious as to what the motivation is in this particular instance to use the firewall like that? What's the gain? What risk are you mitigating? What are you controlling? As I understand this, it is not an internet

RE: [ActiveDir] User Logon Hour

2006-06-07 Thread Atila Firmino
Hello all. Anyone can help me? Thanks Atila _ From: Atila Firmino Sent: segunda-feira, 5 de junho de 2006 15:08 To: ActiveDir@mail.activedir.org Subject: User Logon Hour Hi everybody. How can I change

Re: [ActiveDir] Change private IP on a cluster- In DNS, multiple computers can be named with the same name

2006-06-07 Thread Al Mulnick
I'm pretty sure Jim is familiar with those 5-6 people creating the content on a personal level ;) FWIW, Exchange 2k is dependent on shortname resolution (AKA NetBIOS/WINS name res or in this case, good DNS name resolution practices) for some of its components. Which ones? Setup was one notable.

RE: [ActiveDir] sample vbs script

2006-06-07 Thread Antonio Aranda
thanks _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, June 06, 2006 7:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] sample vbs script Look at http://www.lissware.net, White Papers

RE: [ActiveDir] Address List based on OU

2006-06-07 Thread Harding, Devon
Exactly, I don't want to have to be modifying the extensionAttribute EVERY time I add a new user to that specific OU. Unless, like what Al was saying, I could somehow create a script, apply it to a GPO, that when the user logs in, it modifies their

RE: [ActiveDir] Logged in user

2006-06-07 Thread Harding, Devon
This works perfect! Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, June 06, 2006 5:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logged in user psloggedon \\Computername

[ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Condra, Jerry W Mr HP
Does anyone know if there's a corresponding event id to a user's mailbox being purged from an Exchange server after the retention timeframe expires? I see event id 9535 showing the number of deleted mailboxes cleaned but I want to know if there's an event showing the actual names associated with

Re: [ActiveDir] Address List based on OU

2006-06-07 Thread Al Mulnick
I hadn't really thought about putting it on the users to logon and do work. That's too much work to ensure they can update, that they logon, etc. I was thinking more like something in my provisioning code or putting a scheduled job out there that wakes up a couple of times a day and checks for the

RE: [ActiveDir] Virtual DCs

2006-06-07 Thread Presley, Steven
This is absolutely true. I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in

[ActiveDir] LDAP Directory Server Path

2006-06-07 Thread HBooGz
My first post, definite follower. My development staff is trying to implement an ASP.NET application using AD/LDAP authentication. They need the path to my LDAP directory Server. I've come across some notes that indicate the path syntax is similar to the following:

[ActiveDir] AD integration/replication with OS in different languages

2006-06-07 Thread Molkentin, Steve
All, This may seem pretty straightforward, but I haven't been able to track down any definitive info anywhere, not even from Microsoft. We are looking at connecting a number of businesses within our region (Asia Pacific) to the same domain. No stress there - most of the DCs (where they exist)

[ActiveDir] Please Remove Me From your List

2006-06-07 Thread Ellis, Debbie
I will be on vacation for two weeks.

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Egress filtering so that there's less ports for me to keep an eye on... those high level ports can be used for backdoors, trojans and what not... I live in California.. I have SSNs in an encrypted database... I have sucky vendors that won't support encryption... so I'm putting all the layers I

RE: [ActiveDir] Please Remove Me From your List

2006-06-07 Thread Darren Mar-Elia
where are you going? Can we come along? :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie Sent: Wednesday, June 07, 2006 9:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Please Remove Me From your List I will be on vacation for two weeks.

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Besides .. if this is an interior firewall and you just opened up 1024-65535.. and chances are 0-1024 is already open... what are they good for now? What's their job now? Why does he even need them now in these deployments if the ports are open? Graphical views of malware as it streams

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Al Mulnick
So... you watch those ports then? You have some sort of watching going on for that set of ports? Or are you just relying on the concept that, hey, nothing should be talking to that set of ports, hence I shouldn't see anything in my firewall logs (which I'm reviewing religiously by the way)

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
No, LDAP://DC=harry,DC=org would be the path (note that LDAP is the protocol vs. part of the domain context) Al On 6/7/06, HBooGz [EMAIL PROTECTED] wrote: My first post, definite follower. My development staff is trying to implement an ASP.NET application using AD/LDAP authentication. They need

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Za Vue
Just curious.. how does everyone handle RPC ports on your LAN? I reg. hacked all servers to use ports 5001-5099. The ports are then enabled with GPO and allowed only specific subnets to come through. I know.. I had to manually key in all 100 entries. -Z.V. List info :

[ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Condra, Jerry W Mr HP
Does anyone know if there's a corresponding event id to a user's mailbox being purged from an Exchange server after the retention timeframe expires? I see event id 9535 showing the number of deleted mailboxes cleaned but I want to know if there's an event showing the actual names associated with

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread HBooGz
Thanks Al - When I type that into my web browser a search function comes up -- should I be able to search for objects successfully using this? Because currently I get an error message. Also, the development staff is trying to create a form to authenticate users who login against AD. The path

Re: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Phil Renouf
Doesn't the Quest migration tool now claim to be able to migrate without any trusts? It's been a little while since I looked into any migration tools though so maybe my memory is slipping. Phil On 6/1/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Moveuser.exe is the tool that I would typically

Re: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Tom Kern
I've been using it for a while and it still requires trusts. It even has a Trust Migration Wizard that is run as part of their Pre-Migration Activities On 6/7/06, Phil Renouf [EMAIL PROTECTED] wrote: Doesn't the Quest migration tool now claim to be able to migrate without any trusts? It's been a

RE: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-07 Thread Victor W.
Yes, according to this article it looks like it. Still wondering why you then need to have the necessary rights on the Administrative Group in order to uninstall Exchange. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: woensdag 7 juni 2006 1:24 To:

[ActiveDir] AD LDAP Logging.

2006-06-07 Thread Yann
Hello, I need advice about troubleshooting LDAP connections to one of my DC in my AD2k3. An application named ZOPE running on a linux box accesses my DC. Users use a web page, via ZOPE application, that connects to my DC to list users information. Sometimes, users are disconnected to my DC

RE: [ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Wehner, Paul \(wehnerpl\)
You'll get 9535 with text of some number mailboxes removed followed shortly thereafter by ID 1100 stating number of folders deleted during background DB cleanup. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP Sent: Wednesday, June

Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
One advantage of ISA server being on the DC (yes folks I told you we are insane..but I do have a hardware firewall on the outside) is yeah... I've got the data watching that crud...I turn into an atheist every now and then and lose religion I will admit and don't review the daily firewall

Re: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-07 Thread Al Mulnick
Aren't you removing an item from that AG? Shouldn't you have to have rights for that? On 6/7/06, Victor W. [EMAIL PROTECTED] wrote: Yes, according to this article it looks like it. Still wondering why you then need to have the necessary rights on the Administrative Group in order to

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
Totally different questions. The ldap path is what is needed to connect to the directory via .net (there are many examples in the language dialect your development staff are planning to use; Joe Kaplan is a good person to search for as he does this frequently and I believe has even taken the

[ActiveDir] sample vbs script

2006-06-07 Thread Antonio Aranda
Thanks for all your help. I have another idea; let me know if it's a dumb idea. Is there a way with scripting to create a copy of a pre-existing user? Just create a copy of the user, change the names but have identical membership to security groups and OU and all other attributes.

RE: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Grillenmeier, Guido
just in case you've not yet proceeded with any of your actions: a trust is not a requirement to migrate your users and do the profile updates on the clients or in fact to migrate objects from one domain to another. You can work just fine with passthrough-authentication instead (i.e. using

RE: [ActiveDir] AD integration/replication with OS in different languages

2006-06-07 Thread Grillenmeier, Guido
Hello Steve, you're right - language doesn't matter for any of the data stored in AD. Replication will work just fine. You might however face special challenges in correctly displaying the characters that are entered by your Chinese colleagues. This is where the language packs come in, as you

RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread Free, Bob
Look for the "Net localgroup limitation?" thread in January of this year, particularly joe's message of 1/23/2006 8:35 PM Also his message of 2/20/2005 8:37 AM in thread "samAccountName attribute length" Finally his listing from lmcons.h header file in "character limit for

RE: [ActiveDir] AD LDAP Logging.

2006-06-07 Thread Tony Murray
Hi Yann One option would be to enable logging of all LDAP searches against the DC. http://www.activedir.org/article.aspx?aid=97 Tony PS. We're just loading a new version of the site, so it might take a few minutes before you can load the page. From: [EMAIL PROTECTED]

[ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Figueroa, Johnny
What rights does a user need to move objects from one OU to another? I can not seem to find that or a white paper on delegation of authority that someone mentioned before. Thanks in advance. Johnny Figueroa Supervisor Network Operations Support Network Services Banner Health Voice

Re: [ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Matheesha Weerasinghe
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642DisplayLang=en and http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en On 6/8/06, Figueroa, Johnny [EMAIL PROTECTED] wrote: What rights does a

RE: [ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread joe
http://blog.joeware.net/2005/07/17/48/ -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Wednesday, June 07, 2006 7:01 PM To:

[ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Quatro Info
Hi all, Have a general question / case. On small companies (10 - 20 employees), what config is the best to set the downtime in case of a crash to a minimum. Especially in a SBS environment / small company. Let's keep it an easy example: -company has 15 employees -15 XP

Re: [ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
One more thing.. we've just started to think about virtualizing SBS. Big server land guys are virtualizing DCs... guess what... you can do the same with SBS. All the parts are officially supported to be on VS. It's still a gleam in everyone's eye and just thoughts... but it sure is an idea,

RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread joe
Here is the most recent... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, January 23, 2006 11:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Net localgroup limitation? According to the schema the sAMAccountName must be 0-256, however, this

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Joe Kaplan
Just to elaborate a little on what Al said, when using an ADSI-based model like S.DS, the adspath contains the provider, optional server info and a distinguished name of an object to search. When you don't specify a server part in the path (a serverless bind), LDAP infers a domain from the

Re: [ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
1. Go to TechEd 2006 in Boston 2. Go to Jeff Middleton's Myths of DR on SBS Any questions? Okay so seriously... 3. Remember that under the hood we're AD.. so even though the big guys around here cringe at a single DC, all on one box.. all the tricks for AD restoration still work. Okay

RE: [ActiveDir] sample vbs script

2006-06-07 Thread joe
It is like creating a user and populating it only you add the overhead of opening up the user you are copying and looking at all of the settings and duplicating the ones you want on the new object. There isn't, for instance, a single COPYTHISID script call. joe -- O'Reilly Active

RE: [ActiveDir] User Logon Hour

2006-06-07 Thread joe
You need to modify the logonHours attribute. This is, as far as I know at this hour of the night, an officially undocumented field in terms of formatting but basically it is a bunch of bits representing the time units. Now the fun thing is that using script, the

RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread Freddy HARTONO
Interesting read... So since I have thousands of groups with pretty long names - any suggestions on how do you handle long groupnames? Do you create a short groupname and put the long description on it...? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support

RE: [ActiveDir] max password age where else to look?

2006-06-07 Thread joe
Yep the reason is because it is divisible by 7. As Al mentioned I have written this up here and in the newsgroups multiple multiple times. From watching an environment with over 200k IDs and daily password changes measuring in the thousands we noticed that with a 91 day policy the password

RE: [ActiveDir] LAG and LDAP queries

2006-06-07 Thread joe
Ah I love this problem... Crappy apps can't do the right thing so the AD folks have to figure out a solution. I have been in this conversation so many times it isn't funny. I have seen it go several ways. 1. The AD Admins cave in and do whatever to help the apps. 2. The AD Admins tell the app

RE: [ActiveDir] Anyone do anything this stupid and recover?

2006-06-07 Thread joe
Amen... I read My boss is an MCSE and he purposely let me sweat this one out on my own. And thought, the boss had no clue and was glad someone else was around to do the work. You don't let a company stay in a painful position to allow someone to learn. joe -- O'Reilly Active Directory

RE: [ActiveDir] [OT] New DC can't find the machine account

2006-06-07 Thread joe
Wow this thread went wickedly wrong... I agree that Al has definitely been quite chatty lately. That is ok, he can pick up for my volume which has been reduced. Sometimes he is even right. :) As for the Cher stuff... Errr no. As for the saying my bad... Goodness... I do say that occasionally.

RE: [ActiveDir] New DC can't find the machine account

2006-06-07 Thread joe
I have had really decent experiences with QIP. I have actually been happier with deployments with QIP on UNIX than Windows DNS. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al

RE: [ActiveDir] Query for user AD info from web application

2006-06-07 Thread joe
I would start them on the various LDAP primers out on the net or get the O'Reilly AD books. The cookbook, my Active Directory 3E book, etc. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir][OT] Machine Psswd Age

2006-06-07 Thread joe
Yeah but he posted another entry too... So once again, you are behind Sir ~Eric. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Thursday, June

RE: [ActiveDir] New DC can't find the machine account

2006-06-07 Thread Brian Desmond
WTF is QIP anyway? I've heard of BIND and Windows DNS. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 07, 2006 10:54 PM To: ActiveDir@mail.activedir.org Subject: RE:

RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread joe
Well for normal AD there is no reason to handle them unless for some reason you don't want them anymore. As for the ADC... It is a temporary POS... I am not sure how much changing of the environment I would do to support it. I would start looking at telling it to stop dorking with things.

[ActiveDir] OT: Security Policy Thoughts

2006-06-07 Thread Noah Eiger
Hi: I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on

RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-07 Thread Brian Desmond
My suggestion is that you implement 802.1x port auth to implement port based authentication. You can use this to implement guest vlans with the policy routing you describe. Isn't the Cisco VPN a MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well