RE: [ActiveDir] Global Catalogs and the Infrastructure Master

2004-03-30 Thread Grillenmeier, Guido



Yes, this causes no issues, as the GCs contain all the cross-domain links that the IM would update on DCs and thus the IM has absolutely nothing to do. I've also only had good experiences with it.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donald Bauer
Sent: Wednesday, 31 March 2004 04:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Global Catalogs and the Infrastructure Master


We are currently running 120 DCs, 100 sites, all global catalogs with no issues.

Don





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cody Fleming
Sent: Tuesday, March 30, 2004 9:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Global Catalogs and the Infrastructure Master


Hello,



I have multiple AD domains and I currently have all DCs in my domains configured as Global Catalogs except for one in each domain, and it holds the Infrastructure Master role. I am considering making these servers a GC as well. Can anyone give me some feedback on whether this would be good/bad or issues that may be caused by doing this? Anyone have experience running with all GCs?



The reason I'm considering this is that the site where this DC lives currently has multiple DCs but the one configured as the GC is being removed from this site, leaving no GC coverage.



I'm not concerned with bandwidth or additional replication traffic needed for the GC.



I have read this: http://www.microsoft.com/windows2000/en/server/help/default.asp?url="">



Thank you,



Cody
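An added check for the rule discussed in this thread (this is not code from the list; it uses the ActiveDirectory PowerShell module, which post-dates the 2004 thread). It reports, per domain, who holds the Infrastructure Master role, whether that DC is a GC, and whether every DC in the domain is a GC. The only combination it flags is the one the placement rule warns about: an IM on a GC in a domain that still has non-GC DCs. Domain and DC names are whatever your forest returns, nothing is hard-coded.

```powershell
Import-Module ActiveDirectory

# For each domain in the forest: who holds the Infrastructure Master (IM) role,
# is that DC a GC, and are all DCs in the domain GCs?
function Test-InfrastructureMasterPlacement {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        # Only one combination is a problem: the IM is a GC while other DCs in
        # the domain are not. The GC already holds every cross-domain reference,
        # so the IM never notices stale phantoms and never updates the non-GC DCs.
        $status = if ($nonGc.Count -eq 0) {
            'OK: every DC is a GC, IM placement is irrelevant'
        } elseif ($im.IsGlobalCatalog) {
            "WARN: IM is a GC but $($nonGc.Count) DC(s) are not; move the IM to one of: $($nonGc.HostName -join ', ')"
        } else {
            'OK: IM is on a non-GC DC'
        }

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            IMIsGC               = [bool]$im.IsGlobalCatalog
            DCs                  = $dcs.Count
            NonGCDCs             = $nonGc.Count
            Status               = $status
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize -Wrap
```

Run it from any domain-joined admin host with RSAT. Note that once the AD Recycle Bin is enabled (Windows Server 2008 R2 and later) every DC maintains its own phantoms and the IM role is no longer consulted for this, so the WARN case only matters in forests without it.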


RE: [ActiveDir] Windows 2003 and Windows 98 issue

2004-03-31 Thread Grillenmeier, Guido



Also disable the "Domain Member: Digitally encrypt or sign secure channel data (always)" security option in the Default Domain Controllers Policy.

However, don't forget to re-enable this after you've upgraded all your Win98 clients.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Wednesday, 31 March 2004 16:21
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 and Windows 98 issue


Hi all and greetings from darkest South Africa.

This is my first query to the gurus on the list. This is my scenario.

I have a native mode Windows 2000 forest that I'm upgrading to Windows 2003. It's a single domain forest and this is what I've done so far.

1.) Run adprep /forestprep to upgrade the schema.

2.) Run adprep /domainprep to prepare the domain.

3.) Installed Windows 2003 server as domain member. This is not the first 2003 server in the domain.

4.) DCPROMO the new Windows 2003 server.

The moment step 4 happens none of my Windows 98 machines can log in to the domain. I get an error message that "The password is incorrect or access to logon server has been denied."

After reading through the sparse documentation I installed the DSCLIENT2003 that I got from PSS as well as IE 6.0 SP1 and turned on NTLMv2 authentication and turned off SMB signing on the DCs. None of these steps made any difference. The moment I demoted the Windows 2003 DC to a member server the problem disappeared. I've not gone any further with the process since then.

Do any of you guys have any ideas? I'm accelerating the process to upgrade the Win98 machines to XP but I don't want the issue to hold up my domain upgrade. Any help is greatly appreciated.


Peter Johnson




RE: [ActiveDir] AD Query

2004-03-31 Thread Grillenmeier, Guido



dsquery (comes with 2k3, but also works fine on 2000)

get OU from DN of user objects
get groups from memberOf attribute (will not be complete in multi-domain forests, but maybe good enough for what you need)

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 1 April 2004 00:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Query

Does anyone know of a way that I can pull a query of AD that lists each user, what OU they are in and what groups they belong to?


RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Grillenmeier, Guido
Or create a sub-OU underneath the Domain Controllers OU which you link the GPO to, then put those DCs into the sub-OU. Not only good for testing purposes...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, 31 March 2004 19:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Testing other GPO's to DC's

Yes, that's exactly it. Grant those specific DCs the Read and Apply
Group Policy rights on the GPO. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, March 31, 2004 12:08 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Testing other GPO's to DC's

Hi,

I'm sure this has been covered in previous posts but how can I create a
GPO object and link it to the Domain Controllers OU but only apply it to
a couple of domain controllers for testing purposes?

Is it removing the Authenticated Users group and adding the specific
domain controllers to the ACLs?

Thanks,


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
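An added example of the security-filtering approach Darren describes (this is not code from the thread; it uses the GroupPolicy PowerShell module, which post-dates it). The GPO name and the DC names are placeholders. It removes "Apply Group Policy" from Authenticated Users while keeping Read, grants Read + Apply to the named DC computer accounts, and prints the resulting trustees so the filter can be checked before the GPO is linked.

```powershell
Import-Module GroupPolicy

# Scope a GPO that is linked to the Domain Controllers OU to a few test DCs only.
# $GpoName and the DC names are placeholders.
function Set-GpoTestScope {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $TestDC      # computer names, e.g. 'DC01'
    )
    # 1. Drop "Apply Group Policy" for Authenticated Users but keep Read:
    #    -Replace swaps the default GpoApply (Read + Apply) for GpoRead. Read stays
    #    because since MS16-072 the computer account reads GPOs in its scope, and
    #    Microsoft's guidance is to remove only Apply, never Read, for Authenticated Users.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                     -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # 2. Grant Read + Apply to each test DC's computer account.
    foreach ($dc in $TestDC) {
        Set-GPPermission -Name $GpoName -TargetName $dc `
                         -TargetType Computer -PermissionLevel GpoApply | Out-Null
    }

    # 3. Show the resulting security filtering so it can be verified before linking.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
}

Set-GpoTestScope -GpoName 'Test DC Policy' -TestDC 'DC01', 'DC02'
# On a test DC, confirm the GPO is applied:  gpupdate /force ; gpresult /r /scope:computer
```

Guido's alternative, a sub-OU beneath the Domain Controllers OU, needs no ACL edits and still receives the Default Domain Controllers Policy by inheritance; either way, confirm with gpresult on a DC that is supposed to get the policy and on one that is not.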



RE: [ActiveDir] MS Audit Collection Service?

2004-04-09 Thread Grillenmeier, Guido
MACS runs pretty well and rather independent of MOM itself though. That should be made clear as well, so that folks don't think it's useless unless you invest in MOM. You can use many other platforms to add reporting and alerting capabilities to MACS, as the MACS server has full subscriber API capabilities.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Friday, 9 April 2004 06:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Audit Collection Service?

Group,

It will be released real soon.
I can send you the whitepapers for it to get you some preliminary info. Just send me an email; due to size limits it was rejected.
Make sure you get MOM for the management piece to tie everything together.
But this will definitely be free.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 08, 2004 7:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Audit Collection Service?

http://www.microsoft.com/australia/servers/windowsserver/ioe/management.aspx
Search that page for MACS.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Thursday, April 08, 2004 9:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] MS Audit Collection Service?

Hi Eric,

Thanks for the quick response!  I searched quite a bit for it on 
Microsoft's site but couldn't locate anything.  If you happen to find a 
link, it would be much appreciated. :-)  Thanks again,

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Eric Fleischman wrote:

I'm afraid you got some bad information. MACS (Microsoft Audit
Collection Service) is not out at this point in time.

There is some pre-release documentation up on Microsoft.com though. You should be able to find it if you search for MACS, but let me know if not and I'll dig it up again.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Thursday, April 08, 2004 8:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MS Audit Collection Service?

Hi,

I'm trying to find the Microsoft Audit Collection Service. I had never heard of it until today. A Microsoft rep at the Security Summit I attended today said it was out and available on the Technet site, but I can't find it.

It really irritates me when I find out about a product like this well after the thing has been designed & tested. I'm already on several lists and I check news sites regularly. Is there a better way? Some secret newsletter I'm not subscribed to? :-)

  



RE: [ActiveDir] using dsacls.exe

2004-04-09 Thread Grillenmeier, Guido



Hey Ulf - I see you got home from the summit safely ;-)

In your AD newsgroup post which you referenced below you answered the following question:

> Is there a comprehensive reference that identifies each permission required to perform a task? Giving a user the "AddUser" permission is not enough. They also have to have the rights to add objects and child objects, etc etc...

with

> Not that I'm aware of - the rights I don't know I set with the delegation wizard and run dsacls or look into the security tab.

Just want to make sure that everyone is aware of the excellent Delegation Whitepaper, that's been available for a couple of months now:

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

And don't forget to download the Appendix for this whitepaper, which contains all the nitty gritty details on what's required to perform which task.

/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, 8 April 2004 17:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hello Bart,

see the following post:
http://groups.google.de/[EMAIL PROTECTED]

Ulf B. Simon-Weidner


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vermeire Bart
Sent: Tuesday, 6 April 2004 06:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] using dsacls.exe

Hi,
I am struggling with the dsacls.exe tool and hope that someone in this list can answer me.
I need to set permissions on an OU from a CMD line batch file and I am using dsacls.exe for that.
However, setting the "Reset Password" extended right is one task I cannot accomplish.
Can you please help me out here.

regards,

Bart Vermeire
Volvo IT
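An added example for Bart's question (this is neither the newsgroup answer Ulf links to nor anything from the whitepaper; it is a separate illustration). The OU DN and the delegated principal are placeholders. The dsacls line is the same one you would put in a batch file; the PowerShell part afterwards reads the ACL back and shows the ACEs that carry the Reset Password control access right, so the delegation can be verified rather than assumed.

```powershell
Import-Module ActiveDirectory

# Placeholders: the target OU and the principal receiving the delegation.
$ou        = 'OU=Staff,DC=example,DC=com'
$principal = 'EXAMPLE\HelpDesk'

# dsacls: /I:S = apply to sub-objects only (not the OU itself); CA = control-access
# right, followed by the right's display name and the object class it applies to.
# From a batch file this is the same single line with the same quoting.
& dsacls.exe $ou /I:S /G "${principal}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify: the ACE must reference the rightsGuid of User-Force-Change-Password
# ("Reset Password") and be scoped to the user class via InheritedObjectType.
$resetPwdGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid, Extended-Rights container
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

function Get-ResetPasswordAces {
    param([Parameter(Mandatory)] [string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $resetPwdGuid
    } | Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType,
            @{n = 'AppliesTo'; e = { if ($_.InheritedObjectType -eq $userClassGuid) { 'user' } else { $_.InheritedObjectType } }}
}

Get-ResetPasswordAces -DistinguishedName $ou
```

The same verification without PowerShell is `dsacls "OU=Staff,DC=example,DC=com"` and looking for a "Reset Password" line under the help-desk principal. Filtering on the GUID rather than the display name is what makes the check reliable on non-English DCs.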



RE: [ActiveDir] Unable to see users group membership in trusted domain

2004-04-09 Thread Grillenmeier, Guido
Works as designed. Especially if you're using Domain Local Groups (DLG). But in 2003 you can't even see the UG memberships of other domains in ADUC. This will likely be fixed in SP1, as only GCs would have the potential to show UG memberships from other domains anyway (a filter was added in 2003 so that only groups of the own domain show up on the MemberOf tab of an object; in SP1 you're supposed to have a choice).

Realize a non-GC DC doesn't know of the UG memberships of the other domains, and neither a DC nor a GC will show you the DLG memberships of the other domains, as these are not replicated to the GC.

And wait until you try to recover accidentally deleted users in your environment and recover them. Then not seeing the memberships will be the least of your worries = they'll actually be missing from the other groups... Read this whitepaper if you want to know more:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Wednesday, 7 April 2004 00:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to see users group membership in trusted
domain

I have two AD domains, of which one is a subdomain of the other.

In the child domain, most users are members of a number of security groups in the parent domain.

All was well until recently, but after raising the domain and forest level to 2003 I can no longer see the child domain users' parent domain membership under the user property "Member of". Furthermore, from this property sheet I cannot add the user to parent domain groups anymore.

They are still members, everything works as expected, and I can add the users to groups from within the group property - but that is a hell of a job to cruise through all the groups every time a user is created.

Please help :-)

Ole Thomsen


RE: [ActiveDir] AD Consultants

2004-04-09 Thread Grillenmeier, Guido



Just want to mention that other companies do AD consulting as well ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, 6 April 2004 15:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants


I highly recommend Dean as well..

Todd





From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

http://www.msetechnology.com/

This is where Dean Wells works, they are out of Florida but go all over. You probably have seen Dean's posts on here.

 
joe







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Monday, April 05, 2004 2:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Consultants

Before I start, just to let you know I checked with Tony before sending this to the list. Does anyone know any companies in the North Eastern US area that do AD consulting and design? My CIO would like to bring in a consulting company to help us out with a global AD design for our company. If anyone has any suggestions or needs more information please email OFF the list. Any and all help is appreciated.



Mike


RE: [ActiveDir] using dsacls.exe

2004-04-10 Thread Grillenmeier, Guido



Would have been nice for me as well to be around with you longer - it was definitely good to put some faces to some of the other names. But you guys must have already been on the bus while I was still chatting with some MS folks. And I'm sure you kept on beating on UGs even if it wasn't the topic ;-)

I have also continued on some other ideas for the DR stuff - need to do some testing to see if it works. Let's compare our results sometime soon.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 10 April 2004 09:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Actually I think he replied to this one in the bar of the Renaissance as him, myself, and Dean were chatting about it while drinking and Ulf was working on his pda/phone.

BTW Guido, you slipped out like a phantom man. Sorry you had other responsibilities to deal with. Would have been nice to have had you around longer and especially when sitting with the Dev guys. We had a lot of fun.

Also BTW, the Dev guys said that Universal groups were all a huge mistake and no one should be using them... Do Exchange in a separate single domain forest j/k But I think they would have said that had we discussed it. I had something else on my mind when we chatted with them that was more important to me than Universal Groups and Domain Local Groups.

Another also BTW, Dean and I talked out an interesting idea, you may like it when we have the result ready. An idea to hopefully kill the entire lag site paradigm by making it unnecessary. Never was a fan of that idea but I do like the idea of DR sites for grabbing backups off of as I have discussed previously.

 joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)








RE: [ActiveDir] Unable to see users group membership in trusted domain

2004-04-10 Thread Grillenmeier, Guido
As mentioned, using the native tool the visibility depends on the group types. And it seems like you prefer viewing the group memberships per user. From a child domain's GC you'll at least be able to view the UG memberships of your parent domain via ADSIEDIT.MSC = look at the memberOf attribute.
On a parent domain's GC you could then also use ADSIEDIT, configure it to connect to the child domain's GC partition and view the properties of a user of your child domain the way that it's stored on the parent domain's GC = in the memberOf attribute of the user you'll see the UG and DLG memberships of the parent domain.

We're building a tool right now (basically done, but internal beta is still running) that collects all this information (i.e. the links between users and groups etc.) centrally into an SQL or MSDE database. The tool then allows you to view all the groups that a user belongs to in a forest in a nice UI (i.e. it will not only show you the memberships in the domain's own groups, but also all UGs and DLGs from other domains in your forest). The main purpose though is not for viewing these memberships - it is targeted at helping you automatically restore the memberships in case you've lost them due to restoring accidentally deleted objects in AD.

Let me know if you want to know more and I'll put you on my list.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Saturday, 10 April 2004 12:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to see users group membership in trusted
domain

Thanks for saving my sanity, Guido, I have for days been seeking the missing user right or setting in ADUC to show the memberships :-)

Are there any easier methods to show/set these memberships than cruising through all the parent domain groups?

And BTW, copying a user no longer copies the parent domain group memberships - argh!

Ole Thomsen
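An added example serving both the "AD Query" thread above (each user, its OU, its groups) and this membership-visibility thread (this is not code from the list; it uses System.DirectoryServices, which needs no RSAT). The base DN is a placeholder. The OU is derived from the DN as Guido suggests, groups come from memberOf, and the -UseGlobalCatalog switch binds to the GC replica instead of the domain partition, which is exactly the difference Guido describes: the GC view adds universal groups from other domains, while global and domain local groups of other domains are in neither view because their member attribute is not part of the partial attribute set.

```powershell
# Per-user report of OU and group memberships via System.DirectoryServices (no RSAT
# needed). Base DN is a placeholder; -UseGlobalCatalog binds to the GC (port 3268).
function Get-UserGroupReport {
    param(
        [string]$SearchBase = 'DC=example,DC=com',   # assumption: replace with your domain DN
        [switch]$UseGlobalCatalog
    )
    # LDAP:// = the domain partition on a DC (own-domain groups of every type).
    # GC://   = the GC replica: adds universal groups from other domains, but not
    #           their global or domain local groups (member is not in the partial
    #           attribute set for those), which is the "not complete" caveat.
    $root     = if ($UseGlobalCatalog) { "GC://$SearchBase" } else { "LDAP://$SearchBase" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]$root,
        '(&(objectCategory=person)(objectClass=user))',
        [string[]]@('distinguishedName', 'sAMAccountName', 'memberOf', 'primaryGroupID'))
    $searcher.PageSize = 1000          # paged search, or the server caps results at 1000

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # OU = the DN minus its leading RDN. Split on the first unescaped comma;
        # '\,' inside a CN (e.g. "Smith\, John") must not count as a separator.
        $ou     = $dn -replace '^(?:[^,\\]|\\.)+,', ''
        $groups = @($r.Properties['memberof'] | ForEach-Object { [string]$_ })
        [pscustomobject]@{
            User           = [string]$r.Properties['samaccountname'][0]
            OU             = $ou
            PrimaryGroupID = [int]$r.Properties['primarygroupid'][0]   # not in memberOf; 513 = Domain Users
            GroupCount     = $groups.Count
            Groups         = $groups -join '; '
        }
    }
}

# Compare the two views: the difference per user is the cross-domain UG memberships.
Get-UserGroupReport -UseGlobalCatalog | Export-Csv -NoTypeInformation -Path users-groups-gc.csv
```

Run it once with and once without -UseGlobalCatalog to see the effect Guido describes. A user's primary group (normally Domain Users, RID 513) never appears in memberOf, so it is reported separately; for a complete forest-wide picture including other domains' DLGs you still have to query each domain partition for the group objects themselves.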




RE: [ActiveDir] AD Consultants

2004-04-10 Thread Grillenmeier, Guido



That was actually pretty convincing Joe. And I have to say, I pretty much agree with you. It's probably my own position that doesn't allow me to speak up the same way. May be a personal thing too.

And I do like Canon digital cameras ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 10 April 2004 16:45
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

> I am just as fond as you are of Dean's capabilities
> and only wanted to mention that there are other choices.

Sure sure. :o)

> My thought for recommendations for specific names or
> companies would be to do so offline to those who requested it

I like online myself. I am a data sharing type of person except for stuff that I am NDA'ed on which I stay tight lipped on or stuff I work out for joeware that I don't want companies picking source code up for and then turning around to try and sell. Also the one piece of source code I released widely (published in a magazine) to the general public came back to burn me when people took it, modified it, and distributed it and later came back to me when things broke or didn't work right. I will now share coding concepts or sometimes even code snippets, but not full code.


I definitely think vendors/companies that do a good job should be pushed and told about on this and other forums just like people should talk about companies that they have issues with. That way when people are out trying to figure out who to use, they can see other opinions of those that have used them. Both so certain troublesome companies can be evaded and so companies that are doing a good job can be rewarded. Hopefully that pushes the vendors to try harder knowing that a group of folks knowledgeable in the field are saying good or bad things about them. We shouldn't, for instance, all have to try to figure out individually that EMC has integrated the Celerra into Windows in a very poor way and can't seem to make their dates for promised updates. On the flip side people should know that I previously beat on MTEC to get things fixed in Psynch because they were wrong and they went back and fixed them and continue to fix anything we find that isn't right. The former needs to be punished until they correct and the latter should be rewarded. Unless people openly talk about this stuff no one knows.

I had a conversation with someone I highly respect this 
last week about laptops. He was going on about the several IBM laptops he had 
and used based on the specific requirement at the time and until that point, I 
wouldn't have considered an IBM product (any IBM product) to save my life, but 
especially hardware as we have had no end of issues with their server line and 
the product support behind it. I am now actually looking at buying an IBM laptop 
because of his recommendation (still wouldn't take a server even if it were free 
if I had any choice in the matter). Had he not made that recommendation to me I 
would have gone on never even considering using IBM. 

I do, however, understand your position and that some things can't be said (and others have to be said) due to constraints, either personal or professional.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, April 10, 2004 5:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

I did for some time, however I would recommend other individuals of similar quality in the area simply to reduce travel expenses - inner-company knowledge sharing and collaboration can go a long way to close the loop. However, I don't think this is the forum to discuss these details. I am just as fond as you are of Dean's capabilities and only wanted to mention that there are other choices. My thought for recommendations for specific names or companies would be to do so offline to those who requested it (as even Mike suggested himself). I don't think it's appropriate to do so in this list.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 10 April 2004 08:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

But do you personally do the N.E. US area Guido? If not, my 
only recommendation is still MSETechnology.

I am more willing to recommend specific individuals over 
companies because companies as a whole aren't good, it is specific people in 
them. Usually there are only a couple of good people in a company. The smaller 
the company, the more chance those few people have a stronger voice in how the 
company operates and maintains overall quality. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: RE:

RE: [ActiveDir] Photos in Active Directory

2004-04-13 Thread Grillenmeier, Guido
 lawsuits. 
 
   joe
  
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
 Sent: Friday, April 09, 2004 1:43 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 WARNING: let's look at the security aspects of photos in AD from another
 side. You need to be aware that the photo attribute is editable by default
 by every user himself (just like all the other attributes which are part of
 the Personal Information property set).
 
 But the photo attribute is somewhat special: it's a binary blob which
 basically has no size limit... (depends on LDAP policy max msg size).
 This means that if you don't lock down this attribute, every user could
 potentially upload really large images (think of a 1 GB image) to this
 attribute and kill all your DCs anytime he'd like, either through
 replication or simply growing the DIT file over the limits of your disks.
 
 So even if you're not going to use this attribute to store photos, you
 should also ensure that nobody else does it for you.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
 Sent: Tuesday, 6 April 2004 17:55
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 I think the benefit is obvious - security.
 
 You may want to consider using Active Directory Application Mode or setting
 up an Application Partition in AD (assuming you are using W2K3).
 Either would enable you to isolate the data & replication.
 
 Photos shouldn't change much so once you have done your initial replication
 there shouldn't really be any additional traffic to bear.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
 Sent: Tuesday, April 06, 2004 12:51 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Photos in Active Directory
 
 It all depends on how large your organisation is I guess, how many sites,
 WAN links, etc. I wouldn't really recommend it as you really want to keep
 your AD as small as possible for replication and performance reasons.
 
 What benefit will you get out of having users' photos in the user object?
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: 05 April 2004 22:40
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Photos in Active Directory
 
 
 Hi all,
 
 We're in the middle of designing our Active Directory (Server 2003) and
 our security group just came up with the idea that it would be great to
 include a photo of the user in each user object.  I know this CAN be
 done but I'm looking for information that would tell me whether it
 SHOULD or SHOULD NOT be done.  Any references anyone can think of or,
 better yet, personal experience with this?
 
 
 Thanks,
 Mike
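An added audit for the risk Guido's warning describes (this is not code from the thread; it uses the ActiveDirectory PowerShell module, which post-dates it). It covers the three photo attributes in the AD schema (thumbnailPhoto, jpegPhoto, photo), resolves their schemaIDGUIDs at run time, and for every user reports whether an Allow ACE lets SELF write the attribute (directly, through the Personal Information property set, or through an all-properties ACE) and how many bytes are already stored. The 16 KB limit is an assumption; AD itself enforces none, which is the point.

```powershell
Import-Module ActiveDirectory

$photoAttrs      = @('thumbnailPhoto', 'jpegPhoto', 'photo')
$personalInfoSet = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'            # "Personal Information" property set
$selfName        = ([System.Security.Principal.SecurityIdentifier]'S-1-5-10').Translate(
                       [System.Security.Principal.NTAccount]).Value          # NT AUTHORITY\SELF, localized
$writeProp       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$schemaNC        = (Get-ADRootDSE).schemaNamingContext

# Resolve each attribute's schemaIDGUID from the schema instead of hard-coding it.
$photoGuids = foreach ($a in $photoAttrs) {
    [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)" `
                        -Properties schemaIDGUID).schemaIDGUID
}

# Byte length of a single-valued (byte[]) or multi-valued (collection of byte[]) attribute.
function Get-ByteLength($value) {
    if ($null -eq $value)    { return 0 }
    if ($value -is [byte[]]) { return $value.Length }
    $sum = 0
    foreach ($v in $value) { $sum += $v.Length }
    return $sum
}

function Get-PhotoAttributeExposure {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$MaxBytes = 16KB       # assumed house limit; AD itself enforces none
    )
    foreach ($u in (Get-ADUser -SearchBase $SearchBase -Filter * -Properties $photoAttrs)) {
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        # Allow ACEs giving SELF WriteProperty on the attribute, on its property set,
        # or on all properties (empty ObjectType). These come from the user class
        # defaultSecurityDescriptor and sit on each object as explicit ACEs, which
        # is why an inherited Deny at the OU does not override them.
        $selfWrite = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $selfName -and
            (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or
             $_.ObjectType -eq $personalInfoSet -or
             $photoGuids -contains $_.ObjectType)
        })
        $sizes = @{}
        foreach ($a in $photoAttrs) { $sizes[$a] = Get-ByteLength $u.$a }
        [pscustomobject]@{
            User         = $u.SamAccountName
            SelfCanWrite = $selfWrite.Count -gt 0
            TotalBytes   = ($sizes.Values | Measure-Object -Sum).Sum
            Oversized    = [bool]($sizes.Values | Where-Object { $_ -gt $MaxBytes })
            Sizes        = ($photoAttrs | ForEach-Object { "$_=$($sizes[$_])" }) -join ' '
        }
    }
}

# Report only the users that matter: anyone who can write their own photo, or
# whose stored values already exceed the limit.
Get-PhotoAttributeExposure | Where-Object { $_.SelfCanWrite -or $_.Oversized } | Format-Table -AutoSize
```

Because the SELF write right arrives as an explicit ACE on each user object (from the class default security descriptor), locking the attribute down means removing or replacing that ACE on the objects themselves, and adjusting the user class defaultSecurityDescriptor so newly created users do not get it back; an inherited Deny at the OU level sits behind the explicit Allow in the canonical ACE order and does not help.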


RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido



domain admins is a global group and as such you can't add 
users from other domains to it. While other global groups can be converted to 
universal groups, you can't do so for the domain admins 
group.

a solution to your problem is to use the restricted groups 
GPO feature (which will not work for your legacy machines in the AD domain) to 
add a universal group to the administrators group of all Server-OUs. I wouldn't 
want to set this GPO at the domain level, as then you're putting your AD domains 
at risk as well, if you do something wrong... The UG to use can either be 
the Enterprise Admins group or any other UG you assign for the 
task.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each 
domain?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts


We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] enterprise-wide accounts

2004-04-13 Thread Grillenmeier, Guido



> won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?

not if you have Win2k SP4 or Win2k3 and use the "MemberOf" option of the restricted groups.

/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Celone
Sent: Wednesday, 14 April 2004 00:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

Alternatively you can do what we do here. We have a startup script that runs from a GPO that adds a group to the local administrators group every time the machine is started up. The script looks like this:

net localgroup administrators /add "domain\admins"

Just create a UG for all the admins and add them to it, then when the servers are rebooted this script will run and add the group to the machine's local administrator group. If you can't wait for the servers to be rebooted you can create a script that will read the servers in line by line and add this group to their local administrators group.

Don't get me wrong, Guido's solution will work also, but won't Restricted groups remove any groups that are in the administrators group now except for the ones you specify?

Mike


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

domain admins is a global group and as such you can't add 
users from other domains to it. While other global groups can be converted to 
universal groups, you can't do so for the domain admins 
group.

a solution to your problem is to use the restricted groups 
GPO feature (which will not work for your legacy machines in the AD domain) to 
add a universal group to the administrators group of all Server-OUs. I wouldn't 
want to set this GPO at the domain level, as then you're putting your AD domains 
at risk as well, if you do something wrong... The UG to use can either be 
the Enterprise Admins group or any other UG you assign for the 
task.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

What about adding them to each domain admins group for each 
domain?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts


We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] AD Sites and SYSVOL

2004-04-19 Thread Grillenmeier, Guido



actually, the SYSVOL folder is "just another" share 
redirected via DFS (which also allows the folder to be replicated via 
FRS...).

I've never really thought about it, but Jorge's comment makes sense, as in a Win2k DFS hierarchy the client will receive a list of link-targets from a DFS server (every DC is a DFS server for SYSVOL) listing the links of the same site as the client at the top of the list - any other DFS link-targets in AD will be randomly ordered (was changed in Win2k3). The DFS client would then check the list from the top until it finds an available target - usually the one in the same site as the client.

In the example given, there are no DFS link-targets (SYSVOL 
in this case) available in a site of the client, so that it would be natural to 
choose any target, i.e. any DC to access SYSVOL (even if a specific DC had been 
found to authenticate the user/machine). I guess everyone expects the 
client to use the same DC as the one found in DNS for authentication - would be 
worth a test to see if this is really the case. If you've already tested 
this, it would be good to hear some more about it.

If you have a Win2k3 DFS server (or DC, once the domain is upgraded), the list returned from the DFS server still lists the links of the same site as the client at the top of the list, but then lists the other DFS links in an order that respects the site-link costs from the client to the other link targets when adding the targets to the list... So that would mostly solve the problem for you, at least in a star-topology - but this shouldn't be your main driver to upgrade to 2003... ;-)

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 19 April 2004 12:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sites and SYSVOL

The DC locator process is the job of DNS. Your zone records will contain the site-wide and domain-wide list of Domain Controllers. When a client tries to contact a DC, it looks first of all at the site-wide list in DNS and tries to contact a DC in its own site. If this fails it will select one at random from the domain-wide list.

What is required here is some DNS tinkering, you need to manually delete the remote DC records from the domain-wide list on the branch office DNS server.

eg

Main Site DNS server:
Site-wide list contains SRV records for DC's in the main site
Domain-wide list contains SRV records for every DC in the domain

Branch DNS server 1:
Site-wide list contains SRV records for DC's in branch site 1
Domain-wide list contains SRV records for every DC in site 1 and the main site

Branch DNS server 2:
Site-wide list contains SRV records for DC's in branch site 2
Domain-wide list contains SRV records for every DC in site 2 and the main site

With this scenario, clients in the remote sites can only contact DC's in their own site or in the main site, not in another branch site, which I think is what you are after.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: 19 April 2004 07:50
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD Sites and SYSVOL
  Hi Everyone, 
  
  In a large AD network (W2K SP3 + hotfixes) only the HUB DCs register the domain-specific SRV RRs and all DCs register the site-specific SRV RRs. When all DCs in a site fail the HUB DCs are contacted. Works as expected, at least for AD info. For SYSVOL info this does not work. When all DCs in a site fail the client enumerates all DCs that host the SYSVOL and it picks the first DC in the list (which is randomly created).
  
  Is there any way to configure DCs so that the following situation exists:
  * All DCs provide SYSVOL info for the clients in their respective site
  * Only the HUB DCs provide SYSVOL info to clients in a specific site when all the DCs in that site are unavailable
  
  Any comment on this appreciated 
  
  Thanx! 
  
  Regards, 
  Jorge 
  Met vriendelijke groet / Kind regards, 
  
  Jorge de Almeida Pinto
  Infrastructure Consultant
  LogicaCMG Nederland B.V. (BU SD/AT)
  Division Industry, Distribution and Transport (IDT)
  Kennedyplein 248, 5611 ZT, Eindhoven . Postbus 7089, 5605 JB Eindhoven
  Fax : +31-(0)40-2957709  Mobile : +31-(0)6-29067977
  E-mail : [EMAIL PROTECTED]
  http://www.logicacmg.com/ - Solutions that matter
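A check for the DNS trimming described in this thread, added here as an example (it is not code from the list or from any poster): it resolves, against a chosen DNS server, the site-specific and then the domain-wide _ldap SRV records that the DC locator consults in that order, and reports which DCs a client in a branch site would fall back to. The DnsClient cmdlets (Windows 8 / Server 2012 and later) and every domain, site and server name below are assumptions.

```powershell
# Added example, not from the thread. Resolve-DnsName (DnsClient module) is assumed to be
# available; all names in the usage comment are hypothetical.

function Get-DcLocatorView {
    param(
        [Parameter(Mandatory)][string]$Domain,      # DNS name of the AD domain
        [Parameter(Mandatory)][string]$SiteName,    # AD site name as registered under _sites
        [string]$DnsServer                          # DNS server to ask; default resolver if omitted
    )
    $opts = @{ Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $opts['Server'] = $DnsServer }

    # Step 1 of the locator: DCs registered for the client's own site. Resolve-DnsName also
    # returns the A records from the additional section, hence the filter on record type.
    # Order by priority, then weight (higher weight = preferred), for readability only.
    $siteList = Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" @opts |
        Where-Object Type -eq 'SRV' | Sort-Object Priority, { -$_.Weight } | ForEach-Object NameTarget

    # Step 2: the domain-wide list the client falls back to when no site DC answers
    $domainList = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" @opts |
        Where-Object Type -eq 'SRV' | Sort-Object Priority, { -$_.Weight } | ForEach-Object NameTarget

    [pscustomobject]@{
        DnsServer       = if ($DnsServer) { $DnsServer } else { '(default resolver)' }
        Site            = $SiteName
        SiteList        = @($siteList)
        DomainList      = @($domainList)
        # DCs a client in this site is offered on fallback that are not its own site's DCs
        FallbackTargets = @($domainList | Where-Object { $_ -notin @($siteList) })
    }
}

# Compares a branch's fallback targets with the hub site's DCs. Anything left over is a DC in
# another branch that the trimming of this DNS server's domain-wide list was meant to remove.
function Test-BranchDnsTrim {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$BranchSite,
        [Parameter(Mandatory)][string]$HubSite,
        [Parameter(Mandatory)][string]$BranchDnsServer
    )
    $branch = Get-DcLocatorView -Domain $Domain -SiteName $BranchSite -DnsServer $BranchDnsServer
    $hub    = Get-DcLocatorView -Domain $Domain -SiteName $HubSite    -DnsServer $BranchDnsServer
    $stray  = @($branch.FallbackTargets | Where-Object { $_ -notin $hub.SiteList })
    [pscustomobject]@{
        BranchDnsServer  = $BranchDnsServer
        BranchDCs        = ($branch.SiteList -join ', ')
        HubDCs           = ($hub.SiteList -join ', ')
        StrayFallbackDCs = ($stray -join ', ')     # empty when the trimming is complete
        TrimComplete     = ($stray.Count -eq 0)
    }
}

# Usage (hypothetical names): run from a machine that can reach the branch DNS server.
# Test-BranchDnsTrim -Domain 'corp.example' -BranchSite 'Branch1' -HubSite 'Main' `
#     -BranchDnsServer 'dns-branch1.corp.example'
```

Run it against each branch DNS server after trimming and again whenever a DC is promoted, since a new DC registers itself into every domain-wide list it can reach.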


RE: [ActiveDir] AD Management and monitoring

2004-04-21 Thread Grillenmeier, Guido



of course I'm biased, but I'd also compare OpenView for Windows with the AD SPI to the rest - it's pretty powerful and has some awesome features (such as the 3D-View of the AD topology etc.)

You'll like this whitepaper, which is generally rather useful to understand what you need to monitor (not only about OV): http://www.openview.hp.com/products/smart_plug-ins/tech_whitepaper/spi_msad_twp_manage_apr03.pdf

It's been written by some folks who really know AD.


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Wednesday, 21 April 2004 20:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Management and monitoring

I have been asked to evaluate a monitoring solution for AD. The only product I have tested so far is NetPro's suite, Diagnostics for Active Directory (DAD), which I like. Does anyone have experience using the other solutions available such as MOM, NetIQ's AppManager for AD, or Quest's Management suite for Windows? Any feedback on any of these products would be appreciated.
Thanks
Nathan


RE: [ActiveDir] enterprise-wide accounts

2004-04-21 Thread Grillenmeier, Guido



you can only change the groups on those machines, to which the GPOs apply. If you apply a restricted groups GPO to an OU and try to add members to the Ent.Admin. group, you'll fail, as this group is maintained by the root DCs only. And I would never advise you to use the restricted groups policy on your DCs themselves - it's definitely geared to be used for members/clients of a domain.

Even though you can't browse the groups of the member-machines, you can just type their names (which is ugly in a multi-language environment...). 

When using the MemberOf option, you'd e.g. add the "forestroot\Enterprise Admins" group to the restricted groups list and then add the names of the local machine-group, i.e. "Administrators" to the MemberOf tab = this will ensure that the Enterprise Admins are members of the Administrators group on every machine in that OU. At the same time, the other members of the Administrators group remain in this group as well.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, 21 April 2004 16:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts


Guido, et al - I have tried this in my test domain. I applied the GPO to the OU where my servers are, as well as an OU I created where my workstations are. The group I added is the Enterprise Admins group. 

Now I think I just need some clarification on the Members and Member Of settings. 

First, re: Members: since this GPO applies to the specific OU, is this saying that only the accounts that I place in Members on this Enterprise Admins group object will in fact be Enterprise Admins, and that they will only be Enterprise Admins with respect to this OU? That seems weird, but otherwise, why would this Members option be included in the GPO?

Second, re: Members Of. If my goal is to make the Enterprise Admins members of the Local Administrators group on the machines in the OU, but the only objects I can choose from are domain objects (not the local objects), what group do I choose to make this happen?

Third, why do the Members and Members Of options say "This group should contain no members" and "The groups to which this group belongs should not be modified" respectively, even though it will let me do either or both?

Sorry for the lengthy query - I'm just confused (can you tell??) :-)

Thanks for your help on this issue!

mc
-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts

domain 
admins is a global group and as such you can't add users from other domains to 
it. While other global groups can be converted to universal groups, you can't do 
so for the domain admins group.

a solution 
to your problem is to use the restricted groups GPO feature (which will not work 
for your legacy machines in the AD domain) to add a universal group to the 
administrators group of all Server-OUs. I wouldn't want to set this GPO at the 
domain level, as then you're putting your AD domains at risk as well, if you do 
something wrong... The UG to use can either be the Enterprise Admins group 
or any other UG you assign for the task.

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Tuesday, 13 April 2004 22:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] enterprise-wide accounts
What about 
adding them to each domain admins group for each domain?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, April 13, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] enterprise-wide accounts
We'd like to eventually trim down the number of domains and get to an OU-based administrative model. But in the mean time, we have identified a couple of people that we want to have domain admin rights in all domains. I know that making them an enterprise admin allows them domain admin rights on the DCs in each domain because of membership in the BUILTIN\Administrators group in each domain. But that doesn't allow logon to all the member servers. How do I best grant domain admin-level rights across all domains in the forest with a single logon for each of these persons? Looking for a best practice.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
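Whichever of the two approaches in this thread puts the universal group into the local Administrators group (Mike Celone's startup script running net localgroup, or Guido's Restricted Groups "MemberOf" setting), the control a practitioner wants afterwards is an audit that the group is actually present on every server and that nothing unintended sits beside it. The following PowerShell is an added example, not code from the list or from any poster; it assumes Windows PowerShell 5.1 or later on the servers (for Get-LocalGroupMember), WinRM enabled, and hypothetical group and server names.

```powershell
# Added example, not from the thread. Assumes Get-LocalGroupMember (PowerShell 5.1+) on the
# servers and WinRM; the group 'FORESTROOT\ServerAdmins-UG' and the server names are hypothetical.

# Pure evaluation step, kept separate so it can be exercised on any list of member names.
function Test-AdminMembership {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Members,
        [Parameter(Mandatory)][string]$Required,     # the universal group that must be present
        [string[]]$Allowed = @()                     # wildcard patterns for members that may stay
    )
    [pscustomobject]@{
        HasRequired      = [bool]($Members -contains $Required)   # -contains ignores case
        UnexpectedAdmins = @($Members | Where-Object {
            $name = $_
            ($name -ne $Required) -and -not ($Allowed | Where-Object { $name -like $_ })
        })
    }
}

# Collects the local Administrators membership from each server and evaluates it.
function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Required,
        [string[]]$Allowed = @()
    )
    $gather = { (Get-LocalGroupMember -Group 'Administrators').Name }
    foreach ($computer in $ComputerName) {
        try {
            $names  = @(Invoke-Command -ComputerName $computer -ScriptBlock $gather -ErrorAction Stop)
            $result = Test-AdminMembership -Members $names -Required $Required -Allowed $Allowed
            [pscustomobject]@{
                ComputerName     = $computer
                HasRequired      = $result.HasRequired
                UnexpectedAdmins = ($result.UnexpectedAdmins -join ', ')
                Error            = ''
            }
        } catch {
            # A server that cannot be audited is reported as a finding, not skipped.
            [pscustomobject]@{
                ComputerName     = $computer
                HasRequired      = $false
                UnexpectedAdmins = ''
                Error            = $_.Exception.Message
            }
        }
    }
}

# Offline demonstration on a constructed member list, shaped like Get-LocalGroupMember output.
$constructedMembers = @(
    'SRV01\Administrator',
    'CHILD\Domain Admins',
    'FORESTROOT\ServerAdmins-UG',
    'CHILD\jdoe'                 # a direct user entry that nobody intended to be there
)
Test-AdminMembership -Members $constructedMembers -Required 'FORESTROOT\ServerAdmins-UG' `
    -Allowed '*\Administrator', 'CHILD\Domain Admins'

# Live run against real servers (hypothetical names; needs WinRM):
# Get-LocalAdminReport -ComputerName 'srv01', 'srv02' -Required 'FORESTROOT\ServerAdmins-UG' `
#     -Allowed '*\Administrator', 'CHILD\Domain Admins' | Format-Table -AutoSize
```

The wildcard allow-list is there because the built-in local Administrator is named after each machine, so a literal list would need one entry per server. The report is what makes the Restricted Groups question in this thread answerable in practice: with the "MemberOf" form, the other members stay, and the audit shows exactly which ones.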



RE: [ActiveDir] how to identify the servers (Domain Controllers) using File Replication service - - - And how to enable/disable FRS service on these servers

2004-05-10 Thread Grillenmeier, Guido



can you add, roughly WHY you want to do 
this?

FRS is enabled on ALL DCs in an AD forest, and that's the way it should be as SYSVOL replication uses FRS. FRS is one of those special services that you don't want to screw around with (such as turning off, making a lot of file-system changes, turning back on), unless you really know what you're doing or you really want to have more trouble. 

/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Durairaj K. 
AvasiSent: Sonntag, 9. Mai 2004 23:59To: 
[EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: 
[ActiveDir] how to identify the servers (Domain Controllers) using File 
Replication service - - - And how to enable/disable FRS service on these 
servers


AD Gurus::

I hope all had 
very good weekend.. Here is my requirement where I 
stuck and I need your hand on this

In short: This is what I 
want:

Script 1: identify the 
servers (Domain Controllers) using File Replication service 
(FRS).

Script 2: Disable these 
found in Script 1. (When I say disable, I just meant to say FRS service on these 
servers)

Script 3: Enable these found 
in Script 1. (When I say enable, I 
just meant to say FRS service on these servers)


The following 
is the detail of what I found

How to identify 
the servers (Domain Controllers) using File Replication service 
(FRS)?

I found the repadmin /replsum in Active Directory cookbook. However I need the same output in a txt file, just server names (Note: not the status)

and how to disable and enable 
the FRS service on the above identified servers? 

I thought of using cscript service.vbs /X /N ntfrs /S __SERVERNAME /U avasi /W password /O c:\temp.txt - I don't know how this is going to work out.


Thanks in 
advance.

Durairaj K. 
Avasi






RE: [ActiveDir] AD Query Question

2004-05-07 Thread Grillenmeier, Guido



retrieve the memberOf attribute of the users - if 
multi-domain forest, use a GC to also catch UGs. If you want the complete 
picture, you'll have to run the query against all domains to also catch local 
group memberships.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, 7 May 2004 20:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Query Question


I'm looking to write an LDAP Query that will bring back all user groups in AD that a user is a member of. 

I will 
query the cookbook as well. 

Thanks in 
advance.

Mike 
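Guido's answer turned into a script, added here as an example (not code from the list or from any poster): memberOf read through a GC, which returns universal groups from the whole forest plus the groups of the GC's own domain, then a (member=&lt;userDN&gt;) search against a DC of every domain, which is the only way to see that domain's domain-local groups because their member lists are not replicated to the GC, plus the primary group, which is stored as a RID in primaryGroupID and never appears in memberOf. The ActiveDirectory module (RSAT) and the user, GC and DC names are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module; the names in the
# usage comment (user 'jsmith', gc01.forestroot.example, the per-domain DCs) are hypothetical.

Import-Module ActiveDirectory

# RFC 4515 escaping so a DN or name containing ( ) \ * cannot break or widen the LDAP filter
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
}

function Get-AllGroupMemberships {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GlobalCatalog,        # host name of a GC
        [Parameter(Mandatory)][string[]]$DomainControllers   # one DC (or DNS domain name) per domain
    )
    $gcPort = "${GlobalCatalog}:3268"

    # 1. GC: find the user wherever in the forest it lives, with memberOf and primaryGroupID
    $userFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $user = Get-ADUser -LDAPFilter $userFilter -Server $gcPort -Properties memberOf, primaryGroupID
    if (-not $user) { throw "No user '$SamAccountName' found via GC $GlobalCatalog" }

    $found = @{}                 # group DN -> how it was discovered; dedupes across the queries
    foreach ($dn in $user.memberOf) { $found[$dn] = 'memberOf via GC' }

    # 2. Every domain: groups whose member attribute lists the user's DN. Domain-local groups of
    #    another domain only show up here, since the GC does not carry their member attribute.
    $groupFilter = "(member=$(ConvertTo-LdapFilterValue $user.DistinguishedName))"
    foreach ($dc in $DomainControllers) {
        foreach ($g in @(Get-ADGroup -LDAPFilter $groupFilter -Server $dc)) {
            if (-not $found.ContainsKey($g.DistinguishedName)) {
                $found[$g.DistinguishedName] = "member attribute via $dc ($($g.GroupScope))"
            }
        }
    }

    # 3. Primary group: domain SID of the user + RID from primaryGroupID; never a memberOf backlink
    $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
    $primary = Get-ADGroup -Identity $primarySid -Server $gcPort
    $found[$primary.DistinguishedName] = 'primaryGroupID'

    foreach ($entry in ($found.GetEnumerator() | Sort-Object Key)) {
        [pscustomobject]@{ Group = $entry.Key; FoundVia = $entry.Value }
    }
}

# Usage (hypothetical names):
# Get-AllGroupMemberships -SamAccountName 'jsmith' -GlobalCatalog 'gc01.forestroot.example' `
#     -DomainControllers 'dc01.forestroot.example', 'dc01.child.forestroot.example' |
#     Format-Table -AutoSize
```

The FoundVia column is the useful part for an access review: a group that only appears via the member attribute of a foreign domain is exactly the kind of membership a single memberOf query against the user's home DC would have missed.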






RE: [ActiveDir] Replication issues

2004-04-30 Thread Grillenmeier, Guido



as Joe already wrote, there is a difference between "out of band" and "urgent" replication. 

* any DC that you use to set a PW for a user also applies this change "out of band" to the PDCE of the domain = this is NOT urgent replication. It is referred to as immediate replication, although it should simply be called "updatePDC", since this is what it's doing. It's not relying on AD replication at all - instead a direct RPC to the PDCE is made to apply the change at this end = this is totally independent of your site-replication schedules = however, the PDCE needs to be reachable from the DC that performs the PW change

* additionally, the PW will be replicated urgently to DCs within the same site of the DC where the PW was updated - and yes, this does NOT replicate across site-boundaries

* however, when a user logs onto any DC in the domain that hasn't replicated the PW change (i.e. still has the old value), prior to denying logon and increasing the lockout counter, the DC will contact the PDCE and validate if the PW is not correct after all (if it is, I believe it's updated immediately on the DC itself as well - but I'm not sure on this)

* also, any DC where an account gets LOCKED OUT due to too many logon retries by the user and thus reaching the AccountLockout policy will behave the same way as when setting a PW = the PDCE will also be updated immediately out-of-band via an RPC call

So what's the problem?

* well, when you UNLOCK an account, this WON'T be updated on the PDCE via immediate replication and neither will the local DC of the user check the PDCE if the account is locked out or not.

* so the real problem is NOT that the PW change doesn't get back to the user's DC = the problem is that the ACCOUNT LOCKOUT status (i.e. setting the user object's lockoutTime=0) does NOT behave the same way at every change (only replicates immediately when value is not equal to 0)

* even though the PW change on any DC would work just fine to allow a user to log back onto the domain from any other DC, when an account is LOCKED, this will prevent him from doing so successfully - so this is the reason why you'd want to perform the account UNLOCK on the DC that's "local" to the user account and most often this task is combined with resetting a user's password.

A better solution

* you'll have a much better life, if you simply do not configure an Account Lockout policy = what does it gain you? It is actually more of a security risk than help for IT = you want to ensure that hackers can't attempt too many retries at cracking a user's password, so you set the account lockout to 5-10 retries. 

* usually you don't setup the account lockout policy to tease your own users - do you really care if they need to try 50 times until they get it right? Or before they call the helpdesk and admit they've forgotten their PW? Usually not.

* However, setting the account lockout threshold this low is the best way for a hacker to plan a DOS attack against your domain, once he has a list of accounts = he'll just continuously try bogus logons and thus lockout all of your accounts! Believe me, you'll have a hell of a lifetime trying to unlock them in a timely manner... (yes, you can use Joe's account unlock tool - but remember you'll have to wait until all of these unlocks replicate to the DCs used by the users)

* So you can actually INCREASE the security of your infrastructure by either disabling the Account Lockout policy or at least by setting it to a rather high value (min. 15 - 50 attempts) = a hacker will still not be able to guess the password with these few attempts, but your users will usually call the helpdesk, BEFORE they lockout their own accounts - and a PW change on ANY DC is now fully sufficient to get the user back to work. 

* using this approach (setting account lockout to a higher value), I have reduced helpdesk calls rgd. locked out accounts by 90% for many customers - and we have combined this with increased monitoring of the eventlogs to detect PW-guessing attempts from hackers, something that you should do anyways.

/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, 30 April 2004 07:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication issues


The password will get replicated "out of band" [1] back to the PDC on a password change. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx, specifically check the piece on "immediate replication".

I missed this. Let's hope I don't get 
smacked too hard for it. But, are you saying password change qualifies for 
"immediate" (or urgent) replication? Not according to this:
By default, urgent replication does not occur across site 
boundaries. Because of this, administrators 
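The "increased monitoring of the eventlogs" that Guido pairs with a high lockout threshold, as an added example (not code from the list or from any poster): it flags a single source that fails logons against several accounts inside a short window, the lockout-DoS pattern the post describes, and lists the lockouts that resulted, so that the alert fires long before a raised threshold is reached. Event IDs are the Windows Vista / Server 2008 and later ones, 4625 (failed logon) and 4740 (account locked out); the Windows 2000/2003 equivalents are 529 and 644. The sample events are constructed, and the threshold and window are assumptions to tune for your own environment.

```powershell
# Added example, not from the thread. Event shape: objects with Id, Time, Account, Source.
# The constructed events below stand in for what Get-LogonFailureEvents reads from a live log.

function Find-PasswordGuessing {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10,        # failures from one source within the window (assumption)
        [int]$WindowMinutes = 5      # sliding window length (assumption)
    )
    $alerts   = @()
    $failures = @($Events | Where-Object { $_.Id -eq 4625 } | Sort-Object Time)

    foreach ($bySource in ($failures | Group-Object Source)) {
        $times = @($bySource.Group | ForEach-Object { $_.Time })
        # Sliding window: does any failure open a window that holds $Threshold failures?
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Kind     = 'PasswordGuessing'
                    Source   = $bySource.Name
                    Accounts = (@($bySource.Group | ForEach-Object Account | Sort-Object -Unique) -join ', ')
                    Failures = $inWindow.Count
                    Time     = $times[$i]
                }
                break    # one alert per source per run is enough
            }
        }
    }

    # 4740 names the locked account and the computer the bad attempts came from
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4740 })) {
        $alerts += [pscustomobject]@{
            Kind = 'Lockout'; Source = $e.Source; Accounts = $e.Account; Failures = $null; Time = $e.Time
        }
    }
    $alerts | Sort-Object Time
}

# Reads the same shape from a live Security log. Run it against the PDC emulator: as the post
# above explains, every lockout is pushed there out of band, so 4740 shows up on it as well.
function Get-LogonFailureEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Id      = $_.Id
                Time    = $_.TimeCreated
                Account = $data['TargetUserName']
                # 4625 carries the client IP; 4740 carries the caller computer name in TargetDomainName
                Source  = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
            }
        }
}

# Constructed sample: one source cycles through four accounts and locks one of them out;
# a second user mistypes a password twice and stays under the threshold.
$t0 = Get-Date '2004-04-30 07:00:00'
$sampleEvents = @(
    foreach ($n in 0..11) {
        [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(10 * $n); Account = "user$($n % 4)"; Source = '10.1.1.50' }
    }
    [pscustomobject]@{ Id = 4740; Time = $t0.AddMinutes(2);  Account = 'user0';    Source = 'WS-FINANCE-07' }
    [pscustomobject]@{ Id = 4625; Time = $t0.AddMinutes(30); Account = 'mcreamer'; Source = '10.1.2.20' }
    [pscustomobject]@{ Id = 4625; Time = $t0.AddMinutes(31); Account = 'mcreamer'; Source = '10.1.2.20' }
)
Find-PasswordGuessing -Events $sampleEvents | Format-Table -AutoSize
```

Grouping by source rather than by account is the point: a guessing run spread over many accounts never trips a per-account lockout counter set to 15 to 50, but it is obvious as a burst from one origin, which is the signal the post says you should be watching for anyway.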

RE: [ActiveDir] Replication issues

2004-05-01 Thread Grillenmeier, Guido




FW: [ActiveDir] Replication issues

2004-05-03 Thread Grillenmeier, Guido



reposting this again, as I still can't see it on the 
list...


From: Grillenmeier, Guido
Sent: Saturday, 1 May 2004 10:20
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication issues

as Joe already wrote, there is a difference between "out of band" and "urgent" replication. 

* any DC that you use to set a PW for a user also applies this change "out of band" to the PDCE of the domain = this is NOT urgent replication. It is referred to as immediate replication, although it should simply be called "updatePDC", since this is what it's doing. It's not relying on AD replication at all - instead a direct RPC to the PDCE is made to apply the change at this end = this is totally independent of your site-replication schedules = however, the PDCE needs to be reachable from the DC that performs the PW change

* additionally, the PW will be replicated urgently to DCs within the same site of the DC where the PW was updated - and yes, this does NOT replicate across site-boundaries

* however, when a user logs onto any DC in the domain that hasn't replicated the PW change (i.e. still has the old value), prior to denying logon and increasing the lockout counter, the DC will contact the PDCE and validate if the PW is not correct after all (if it is, I believe it's updated immediately on the DC itself as well - but I'm not sure on this)

* also, any DC where an account gets LOCKED OUT due to too many logon retries by the user and thus reaching the AccountLockout policy will behave the same way as when setting a PW = the PDCE will also be updated immediately out-of-band via an RPC call

So what's the problem?

* well, when you UNLOCK an account, this WON'T be updated on the PDCE via immediate replication and neither will the local DC of the user check the PDCE if the account is locked out or not.

* so the real problem is NOT that the PW change doesn't get back to the user's DC = the problem is that the ACCOUNT LOCKOUT status (i.e. setting the user object's lockoutTime=0) does NOT behave the same way at every change (only replicates immediately when value is not equal to 0)

* even though the PW change on any DC would work just fine to allow a user to log back onto the domain from any other DC, when an account is LOCKED, this will prevent him from doing so successfully - so this is the reason why you'd want to perform the account UNLOCK on the DC that's "local" to the user account and most often this task is combined with resetting a user's password.

A better solution

* you'll have a much better life, if you simply do not configure an Account Lockout policy = what does it gain you? It is actually more of a security risk than help for IT = you want to ensure that hackers can't attempt too many retries at cracking a user's password, so you set the account lockout to 5-10 retries. 

* usually you don't setup the account lockout policy to tease your own users - do you really care if they need to try 50 times until they get it right? Or before they call the helpdesk and admit they've forgotten their PW? Usually not.

* However, setting the account lockout threshold this low is the best way for a hacker to plan a DOS attack against your domain, once he has a list of accounts = he'll just continuously try bogus logons and thus lockout all of your accounts! Believe me, you'll have a hell of a lifetime trying to unlock them in a timely manner... (yes, you can use Joe's account unlock tool - but remember you'll have to wait until all of these unlocks replicate to the DCs used by the users)

* So you can actually INCREASE the security of your infrastructure by either disabling the Account Lockout policy or at least by setting it to a rather high value (min. 15 - 50 attempts) = a hacker will still not be able to
  quess the password with these few attempts, but you users will usually call 
  the helpdesk, BEFORE they lockout their own accounts - and a PW change on ANY 
  DC is now fully sufficient to get the user back to work. 
  
  using this approach (setting account lockout to a higher value), I have 
  reduced helpdesk calls rgd. locked out accounts by 90% for many customers - 
  and we have combined this with increased monitoring of the eventlogs to detect 
  PW-guessing attempts from hackers, something that you should do 
  anyways.
/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, 30 April 2004 07:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication issues


The password will get replicated "out of band" [1] back to the PDC on a password change. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx, specifically check the piece on "immediate replication".

I missed this. Let's h
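The propagation rules Guido lays out above, turned into a small runnable model so the "unlock on the user's local DC" conclusion can be checked rather than just read. This is an added illustration, not code from the list or from Microsoft: the DC names and sites are made up, last-writer-wins per attribute stands in for AD's real version/USN logic, cross-site replication is an explicit call, and the point Guido is unsure about (whether a PDCE-validated password is written back to the local DC) is deliberately not modelled.

```python
"""Toy model of the rules in the post above (constructed example):
  * a password set on any DC goes to the PDC emulator at once (RPC) and
    urgently to DCs in the same site; other sites wait for replicate_all();
  * a lockout (lockoutTime != 0) is pushed the same way;
  * an unlock (lockoutTime = 0) is an ordinary write: no out-of-band push;
  * a DC rejecting a password asks the PDC emulator before counting the
    failure, but refuses a locked-out account without asking anyone.
"""
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    site: str
    # attribute -> (value, version): "pw" is the user's password as this DC
    # knows it, "lockoutTime" is 0 (unlocked) or a non-zero lock stamp
    attrs: dict = field(default_factory=lambda: {"pw": ("old", 0), "lockoutTime": (0, 0)})
    bad_count: int = 0


class Domain:
    def __init__(self, dcs, pdce, lockout_threshold=5):
        self.dcs = {dc.name: dc for dc in dcs}
        self.pdce = self.dcs[pdce]
        self.threshold = lockout_threshold
        self.usn = 0                       # global write counter (version stamp)

    def _write(self, dc, attr, value):
        self.usn += 1
        dc.attrs[attr] = (value, self.usn)

    def _push(self, dc, attr, value):
        """Write on `dc`, on the PDC emulator (RPC) and on every DC in dc's site (urgent)."""
        targets = [t for t in self.dcs.values()
                   if t is dc or t is self.pdce or t.site == dc.site]
        for t in targets:
            self._write(t, attr, value)
        return targets

    def set_password(self, dc_name, new_pw):
        for t in self._push(self.dcs[dc_name], "pw", new_pw):
            t.bad_count = 0

    def unlock(self, dc_name):
        # lockoutTime = 0 is written locally only; it travels with normal replication
        self._write(self.dcs[dc_name], "lockoutTime", 0)

    def replicate_all(self):
        """Scheduled replication: the newest version of each attribute wins everywhere."""
        for attr in ("pw", "lockoutTime"):
            newest = max((dc.attrs[attr] for dc in self.dcs.values()), key=lambda t: t[1])
            for dc in self.dcs.values():
                dc.attrs[attr] = newest

    def logon(self, dc_name, pw):
        dc = self.dcs[dc_name]
        if dc.attrs["lockoutTime"][0] != 0:
            return "LOCKED_OUT"            # lockout state is NOT re-checked at the PDCE
        if dc.attrs["pw"][0] == pw:
            dc.bad_count = 0
            return "OK"
        # stale password here? ask the PDC emulator before counting a failure
        if self.pdce.attrs["pw"][0] == pw and self.pdce.attrs["lockoutTime"][0] == 0:
            return "OK_VIA_PDCE"
        dc.bad_count += 1
        if dc.bad_count >= self.threshold:
            self._push(dc, "lockoutTime", self.usn + 1)   # any non-zero stamp
            return "LOCKED_OUT"
        return "BAD_PASSWORD"


def scenario_password_change_only():
    """Reset at HQ, logon at the branch before replication: the PDCE check saves the day."""
    d = Domain([DC("DC-HQ", "HQ"), DC("DC-BRANCH", "BRANCH")], pdce="DC-HQ")
    d.set_password("DC-HQ", "new")
    return d.logon("DC-BRANCH", "new")                      # "OK_VIA_PDCE"


def scenario_unlock_remote_vs_local():
    """Lock the account at the branch, then compare unlocking at HQ with unlocking locally."""
    d = Domain([DC("DC-HQ", "HQ"), DC("DC-BRANCH", "BRANCH")], pdce="DC-HQ")
    for _ in range(5):
        d.logon("DC-BRANCH", "wrong")
    locked_everywhere = all(dc.attrs["lockoutTime"][0] != 0 for dc in d.dcs.values())
    d.set_password("DC-HQ", "new")                          # helpdesk at HQ resets and unlocks
    d.unlock("DC-HQ")
    after_remote_unlock = d.logon("DC-BRANCH", "new")       # still "LOCKED_OUT"
    d.unlock("DC-BRANCH")                                   # unlock on the user's own DC
    after_local_unlock = d.logon("DC-BRANCH", "new")        # "OK_VIA_PDCE"
    d.replicate_all()
    after_replication = d.logon("DC-BRANCH", "new")         # "OK"
    return locked_everywhere, after_remote_unlock, after_local_unlock, after_replication


if __name__ == "__main__":
    print(scenario_password_change_only())
    print(scenario_unlock_remote_vs_local())
```

The second scenario is the whole argument in four return values: the lockout reaches the PDCE and the local DC at once, the HQ-side unlock changes nothing for the branch user, the branch-side unlock works immediately (with the new password validated at the PDCE), and everything converges once scheduled replication runs.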

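To go with the closing recommendation above (raise the threshold, then watch the event logs), here is an added example of the kind of log review that flags password guessing before it turns into a wave of locked accounts. It is not code from the original post. The records are constructed in a simplified one-line shape of the fields that matter; the event IDs 529/644 (Windows 2000/2003) and 4625/4740 (Vista and later) are the real ones, everything else (hosts, user names, addresses) is made up.

```python
"""Constructed example: first-pass review of security event records for
password-guessing patterns. Adapt parse_events() to your collector's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000/2003 security event IDs with their Vista-and-later equivalents
FAILED_LOGON = {529, 4625}      # logon failure: unknown user name or bad password
ACCOUNT_LOCKED = {644, 4740}    # user account locked out

# constructed one-line record shape: "<timestamp> <dc> <event id> user=<name> src=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dc>\S+) (?P<id>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the one-line records into dicts; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "dc": m["dc"],
            "id": int(m["id"]),
            "user": m["user"].lower(),
            "src": m["src"],
        })
    return events


def analyze(events, alert_after=10, window=timedelta(minutes=30), spray_min_accounts=5):
    """
    alert_after: failures against ONE account inside `window` that should page
        someone; keep it below the lockout threshold (the post argues for 15-50)
        so the alert fires before the user is locked out.
    spray_min_accounts: distinct accounts one source has failed against, i.e. the
        "lock out everyone on a list of accounts" pattern described above.
    """
    failures_by_user = defaultdict(list)
    users_by_src = defaultdict(set)
    locked = set()
    for e in events:
        if e["id"] in FAILED_LOGON:
            failures_by_user[e["user"]].append(e["ts"])
            users_by_src[e["src"]].add(e["user"])
        elif e["id"] in ACCOUNT_LOCKED:
            locked.add(e["user"])

    brute_force = {}
    for user, stamps in failures_by_user.items():
        stamps.sort()
        best, j = 0, 0
        for i, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= alert_after:
            brute_force[user] = best

    spray_sources = {src: sorted(users) for src, users in users_by_src.items()
                     if len(users) >= spray_min_accounts}
    return {"brute_force": brute_force,
            "spray_sources": spray_sources,
            "locked_out": sorted(locked)}


def constructed_log():
    """Made-up records: 12 bad passwords for one user from one workstation, and
    one source trying two passwords against each of six accounts (one gets locked)."""
    base = datetime(2004, 5, 1, 10, 0, 0)
    lines = [f"{base + timedelta(minutes=i):%Y-%m-%d %H:%M:%S} DC-BRANCH 529 user=jdoe src=10.1.2.3"
             for i in range(12)]
    for i, user in enumerate(["asmith", "bwong", "cdiaz", "dlee", "ekhan", "fmoore"]):
        for k in range(2):
            t = base + timedelta(seconds=30 * i + 10 * k)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} DC-HQ 529 user={user} src=10.9.9.9")
    lines.append(f"{base + timedelta(minutes=5):%Y-%m-%d %H:%M:%S} DC-HQ 644 user=asmith src=10.9.9.9")
    return "\n".join(lines)


def run_example():
    return analyze(parse_events(constructed_log()))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two separate signals are worth keeping apart: many failures against one account (someone working on a password) and one source touching many accounts with a couple of tries each (someone working through a list, which with a low threshold is exactly the lockout storm the post warns about). Only the second kind is invisible to a per-account count.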
RE: [ActiveDir] [OT] Replication issues

2004-05-03 Thread Grillenmeier, Guido



talk about feeling stupid ;-) 

I really didn't see my own post but saw others coming in 
and after I've been rather busy in the past few weeks I wanted to make sure this 
one got through so you know I'm still alive ;-))


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 3 May 2004 15:59
To: [EMAIL PROTECTED]
Cc: Grillenmeier, Guido
Subject: RE: [ActiveDir] [OT] Replication issues

LOL... three times I have seen it... Hey Guido, maybe Tony just kicked you off the list, but didn't do it the usual way, he chopped off what you see versus what you post so you don't notice he booted you. You should have heard Tony at the summit anyway... The whole time... "Yeah that Guido is too good to hang out with us... Man is he stuck up... Someone give me another Pabst Blue Ribbon, I'm thirsty." [1] Personally I think Tony didn't like your accent Guido... what was that accent, like Egyptian or Spanish or something? =)

I would say look at the archive but it is a ways behind 
now. 



[1] This is of course fictitious. Tony picked the best wines at dinner I have had in a long time. Who knew wine could cost more than $4.99USD a bottle.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 03, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: FW: [ActiveDir] Replication issues


RE: [ActiveDir] HELP I just deleted an OU

2004-05-03 Thread Grillenmeier, Guido



yes, the basic restores in 2003 work the same way as in 2000, however, depending on your forest-functional level and number of domains in your environment you'll have additional tasks

IF you run at Win2003 forest functional level AND IF this is NOT a forest that was upgraded from Win2000 AND IF you only have a single domain, THEN you don't need to do anything else = using a systemstate backup and running NTDSUTIL / authoritative restore / restore subtree DN of deleted OU will recover everything, incl. the links of users in the OU to the groups they belonged to.

IF your deleted OU contained both users and groups, then you should do another authoritative restore on the same DC for the same subtree (without the systemstate backup).

There is quite a bit more to do in a multi-domain environment or in a Win2000 domain/forest incl. a Win2003 domain forest upgraded from Win2000. Steve already pointed those issues out in his post. But I hope this situation doesn't apply to you.


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, 3 May 2004 19:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU


I forgot to mention that I'm working in Server 2003. Does this KBA apply?


Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]
312-742-2731
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Monday, May 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

You might try the restore subtree using NTDSUtil

http://support.microsoft.com/default.aspx?scid=kb;en-us;241594#3


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU




How can I get the OU with all objects restored immediately?


RE: [ActiveDir] HELP I just deleted an OU

2004-05-03 Thread Grillenmeier, Guido



thanks for the pointer Eric - this article was long 
overdue, but at least it's available now and it contains most of the information 
required to be prepared for a successful recovery. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 3 May 2004 21:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU


Here is a better KB to be reading. This one is more recent and better discusses the issues in question:
840001 How to restore deleted user accounts 
and their group memberships in
http://support.microsoft.com/?id=840001

~Eric








RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

2004-05-16 Thread Grillenmeier, Guido
what's the problem Joe? 
even Cats could be members of Universal Groups ;-) 

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 16 May 2004 16:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

Oh this is probably going too far but.

No, that three-day old stanky can I would call Exchange. It seems to be
necessary even though there are other things you can use but seems to be the
most efficient and handy of the bunch, it just smells really bad when you
have to use it and you always seem to cut yourself when opening it up to
use. :o)  Personally I use dry catfood, self contained, doesn't make a huge
mess, good for the cat's teeth and doesn't stink up the house. It may not be
the cat's favorite but it gets the cat what it needs. Sort of like POP3/SMTP
Standards based email. 

DCDIAG would probably be your Dr. Spock's book for cats. 

The Laxatone from the cat world (used to clean out the intestinal tract of
various collected debris) would be similar to oldcmp which blows away old
computer accounts... 

Adfind would be like saying here kitty kitty... Where is that d cat!?!

Unlock would be like when you accidentally shut the cat in the closet and you
discover it and have to let her out.

OK this is going down hill. The Exchange piece was fun... Can't think of
anything for Universal Groups for Guido.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Sunday, May 16, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

So what you're saying is that the Deleted Objects container is sort of like
a litter box, and you have to clean out the litter box occasionally?

If that's the case, then what in AD is like the smelly 3-day old can of cat
food with the nasty crust on the top? DCDIAG?

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 6:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

Wow I just reread this and thought I need to stop writing like this or I
am going to be like Wook


  :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

LOL!

You see, you have to groom cats like you groom Active Directory. If you
don't take care of the excess crap in AD it will barf on you, just like a
cat will barf if you don't take off the excess fur with brushing. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Saturday, May 15, 2004 11:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cats & dogs (was A root dc question)

Oh my, this has flamewar written all over it. Oil and water, Palestinians
and Israelis, Microsoft zealots and Novell bigots, dog people and cat
people. This thread can go nowhere but downhill.

But what the heck, I'll give it a little shove.

Joe, I really have trouble putting refined and yakking up a hair ball in
the same paragraph.

The way I see it, cats are a lot like mop heads. You can wash the floor with
'em, but it's a lot easier if you stick a handle up their a** first.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Saturday, May 15, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Cats treat humans like slaves, now a Dog, it knows how to greet you at the
door after a rough day in the forest.  Ever come home after a rough day and
have the Cat greet you with anything other than disdain?

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 15, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Cats rock. They play with you, you just don't usually realize that they are
playing because they don't come up and drool on you. A dog is like beer,
harsh and in your face. A cat is like wine, very smooth and gentle and
refined. I can leave the house for days and know the cat will be fine and
won't have destroyed anything other than walking back and forth across my
Zen garden on my computer desk. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Never liked cats much - what fun are they? At least a dog will play with
you. I nearly whacked one with a paint roller whilst painting the front
porch a couple of years ago. The school drama department took it upon
themselves to paint a very nice recital hall (not auditorium/theater) which
had white walls and a gloss 

RE: [ActiveDir] FOREST MIGRATION

2004-05-16 Thread Grillenmeier, Guido
going from one AD domain to a new forest requires the same approach as migrating from an NT4 domain. Depending on the complexity of your environment, the free MS ADMT tool can do this for you (but will only migrate security principals, i.e. users, groups, computers).

If you want to migrate other stuff as well (OUs, contacts, printers or custom schema objects etc.) you'll need to leverage a different tool. My suggestion: have a look at the Quest/Aelita Enterprise Migration Manager:
http://wm.quest.com/products/enterprisemigrationmanager/


Rgd. your GAL question, this is where it gets more difficult: a GAL is always bound to a single Exchange Org. And there can be only one Org in a forest and the Org can only span a single forest. However, similar to granting NT4 accounts permissions on Ex55 mailboxes, you can grant users from your new forest permissions to mailboxes managed by your old forest that contains Exchange (this would then become an Exchange resource-forest).

In your case though, your final goal would likely be to get rid of the child domain (and forest?) and integrate Exchange into your new forest, which would require a new Exchange Org. And although you can't _share_ a GAL between these two Orgs, you can _sync_ the GAL between the two Orgs by synchronizing mbx-user/contact/DL data between the two forests. This can be achieved rather easily with the free Identity Integration Feature Pack (IIFP) from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en

Note that the word "free" is only valid for the tool itself, not for its requirements: you'll need a Win2k3 Enterprise Edition and an SQL Server 2000 (MSDE will NOT do the job). If you don't have these machines and licenses flying around, you will find cheaper methods and tools on the market to sync the GALs.

First upgrading to Win2k3 and E2k3 won't make this any easier, especially if you're still running your current Win2k forest in mixed mode (potentially with E2k servers running on Win2k DCs?). So I'd concentrate on getting the new forest on Win2k3 / E2k3.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, 16 May 2004 21:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FOREST MIGRATION

what's the best way to migrate a child domain's users to a new
forest? How would one go about this? exchange2k is really the only AD
aware app we have. also, how could we still share the GAL between 2
forests? would it be easier to upgrade to win2k3 and exchange2k3 first? 
we are running win2k in mixed mode with exchange 2k in native mode.
thanks, i know it's a big question(s).
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] FOREST MIGRATION

2004-05-16 Thread Grillenmeier, Guido
I should have been clearer on the word "migration": it usually means a
parallel migration into a disjoint namespace.  Yes, an in-place upgrade
is definitely easier, although you still need to know what you're doing,
especially if you do this in larger deployments.

There are various gotchas with ADMT - if you have some time (I guess 3-4
months) then wait for version 3 to come out.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, 16 May 2004 23:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FOREST MIGRATION

migrating from nt4 was a little easier, as we just upgraded the pdc to
win2k and kept our accounts without a migration tool. here, i'm looking
to disjoin a forest and create my own with the users, groups, dl's, etc.
from my child domain.
thanks for your help. i'll look into those links.
are there any gotchas with the admt?
thanks again.

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 16, 2004 4:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FOREST MIGRATION


going from one AD domain to a new forest requires the same approach, as
migrating from an NT4 domain.  Depending on the complexity of your
environment, the free MS ADMT tool can do this for you (but will only
migrate security principals, i.e. users, groups, computers).

If you want to migrate other stuff as well (OUs, contacts, printers or
custom schema objects etc.) you'll need to leverage a different tool. My
suggestion: have a look at the Quest/Aelita Enterprise Migration
Manager:
http://wm.quest.com/products/enterprisemigrationmanager/


Rgd. your GAL question, this is where it get's more difficult: a GAL is
always bound to a single Exchange Org.  And there can be only one Org in
a forest and the Org can only span a single forest.  However, similar to
granting NT4 accounts permissions on Ex55 mailboxes, you can grant users
from your new forest permissions to mailboxes managed your old forest
that contains Exchange (this would then become an Exchange
resource-forest).  

In your case though, your final goal would likely be to get rid of the
child domain (and forest?) and integrate Exchange into your new forest,
which would require a new Exchange Org. And although you can't _share_ a
GAL between these two Orgs, you can _sync_ the GAL between the two Orgs
by syncronizing mbx-user/contact/DL data between the two forests.  This
can be achieved rather easily with the free Identity Integration Feature
Pack (IIFP) from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-4
1c4-b7ea-6f56819769d5DisplayLang=en

Note that the word free is only valid for the tool itself, not for
it's requirements: you'll need a Win2k3 Enterprise Edition and an SQL
Server 2000 (MSDE will NOT do the job). If you don't have these machines
and licenses flying around, you will find cheaper methods and tools on
the market to sync the GALs.

First upgrading to Win2k3 and E2k3 won't make this any easier,
especially if you're still running your current Win2k forest in mixed
mode (potentially with E2k servers running on Win2k DCs?).  So I'd
concentrate on getting the new forest on Win2k3 / E2k3.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sonntag, 16. Mai 2004 21:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FOREST MIGRATION

what's the best way to migrate a child domain's users to a new
forest?How would one go about this? exchange2k is really the only AD
aware app we have. also, how could we still share the GAL between 2
forests? would it be easier to upgrade to win2k3 and exchange2k3 first? 
we are running win2k in mixed mode with exchange 2k in native mode.
thanks, i know its a big question(s).
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ms04-011

2004-05-19 Thread Grillenmeier, Guido
what's the primary suffix of your clients? and how are the search
suffixes configured? or WINS?

also, did you not only check that your service records in DNS exist,
but that they're also registered by the right machines?  It's
potentially possible that other non-DC clients could have registered
DC/GC records (could also happen via some mean script) that are causing
you issues.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 19 May 2004 18:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

here's some more weirdness-
now when i want to join a pc to a domain, i have to enter the fqdn.
before i would just enter domainname. now i have to enter
domainname.parentdomain.rootdomain.
when i just enter the domainname and do a trace, i see in dns that the
srv_msdc_ldap.domainname cannot be found.

also when i do a trace on the dns/dc i get weird dns requests for
legitimate domains as srv records as in srv_ldap_yahho.com


strange

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


My immediate reaction is that this is a GC issue.  Missing GC DNS
records?

Mike Thommes

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


Yup that's what I meant, we'd want to do that logging on affected
client. And network trace of that client (perhaps from second box on a
simple little hub) of the boot/logon would also be telling if the
userenv doesn't give us the answer (could go either way).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I believe Eric meant the client experiencing the slowness. You will note
that the DC seems to be having no issues as that ripped through the process
in like half a second according to the logs.

  joe

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

this is the output of my userenv.log on my fsmo pdc.





SERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:  Starting computer Group Policy processing...
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:359 EnterCriticalPolicySection: Machine critical section has been claimed.  Handle = 0x74
USERENV(e4.34c) 10:45:11:359 ProcessGPOs:  Machine role is 3.
USERENV(e4.34c) 10:45:11:359 PingComputer: PingBufferSize set as 2048
USERENV(e4.34c) 10:45:11:359 PingComputer:  First time:  0
USERENV(e4.34c) 10:45:11:375 PingComputer:  Fast link.  Exiting.
USERENV(e4.34c) 10:45:11:375 ProcessGPOs:  User name is:  CN=ADSERVER1,OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET, Domain name is:  CHARMERNYDOM
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Domain controller is:  \\adserver1.CHARMERNYDOM.CSG-IT.NET  Domain DN is CHARMERNYDOM.CSG-IT.NET
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(e4.34c) 10:45:11:375 GetGPOInfo:

USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Entering...
USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Server connection established.
USERENV(e4.34c) 10:45:11:406 GetGPOInfo:  Bound successfully.
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Searching OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Found GPO(s):  [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  Deferring search for LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Searching DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Found GPO(s):  [LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  Deferring search for LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 
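Joe's reading of the log above (the DC "ripped through the process in like half a second") is a timing check, and Eric wants the same log from the slow client. Here is that check as an added example, not code from the thread: a reader for lines in the shape quoted above that reports the total elapsed time and every step that took longer than a limit. The sample lines are constructed (same format, invented process/thread ids, a made-up 28-second stall between the directory bind steps), not Tom's actual log.

```python
"""Constructed example: timing gaps in userenv.log style entries.
Line shape: USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>"""
import re
from datetime import timedelta

LOG_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\) "
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<func>\w+):\s*(?P<msg>.*)$"
)


def parse_userenv(text, thread=None):
    """Parse entries; optionally keep only one pid.tid, since several threads
    (computer and user policy) interleave in the same file."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # wrapped continuation lines, blanks
        pid_tid = f"{m['pid']}.{m['tid']}"
        if thread is not None and pid_tid != thread:
            continue
        h, mi, s, ms = (int(x) for x in m["ts"].split(":"))
        entries.append({
            "ts": timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms),
            "thread": pid_tid,
            "func": m["func"],
            "msg": m["msg"].strip(),
        })
    return entries


def slow_steps(entries, limit=timedelta(seconds=2)):
    """Return (total elapsed, [(gap, entry_before, entry_after), ...]) for every
    gap >= limit. The log carries time-of-day only, so a negative gap means the
    processing crossed midnight and a day is added back."""
    total = timedelta(0)
    gaps = []
    for before, after in zip(entries, entries[1:]):
        gap = after["ts"] - before["ts"]
        if gap < timedelta(0):
            gap += timedelta(days=1)
        total += gap
        if gap >= limit:
            gaps.append((gap, before, after))
    return total, gaps


# constructed sample: a client that waits 28 s for its DC connection
SAMPLE_USERENV = """\
USERENV(3c.1f0) 10:45:11:343 ProcessGPOs:  Starting computer Group Policy processing...
USERENV(3c.1f0) 10:45:11:359 PingComputer:  First time:  0
USERENV(3c.1f0) 10:45:11:375 PingComputer:  Fast link.  Exiting.
USERENV(3c.1f0) 10:45:11:390 GetGPOInfo:  Entering...
USERENV(3c.1f0) 10:45:39:421 GetGPOInfo:  Server connection established.
USERENV(3c.1f0) 10:45:39:437 GetGPOInfo:  Bound successfully.
USERENV(3c.1f0) 10:45:39:468 SearchDSObject:  Searching DC=example,DC=com
USERENV(3c.1f0) 10:45:39:500 ProcessGPOs:  Computer Group Policy has been applied.
"""


def run_example():
    return slow_steps(parse_userenv(SAMPLE_USERENV))


if __name__ == "__main__":
    total, gaps = run_example()
    print(f"total: {total.total_seconds():.3f}s")
    for gap, before, after in gaps:
        print(f"{gap.total_seconds():.3f}s between '{before['func']}: {before['msg']}' "
              f"and '{after['func']}: {after['msg']}'")
```

On the DC log quoted above the total comes out at a fraction of a second and the gap list is empty; on a client that is stuck locating a DC or GC the stall shows up as one large gap, and the two entries around it say which step was waiting.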

RE: [ActiveDir] win98

2004-05-19 Thread Grillenmeier, Guido
what's the DNS config of this client?

don't remember if Win98 has nslookup, but from a different client that
has, you should run
nslookup %DNSname_of_domain% = should get back a list of your DCs for
that domain - do you?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 19 May 2004 19:25
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98

ok, i've installed the dsclient, i've disabled the secure connections on
the gpo on the domain controller ou, wins is set up, and still when a
win98 client attempts to logon i get a no domain controller could be
contacted error.
i'm running a mixed mode win2k ad. my dc's have sp4 installed.
what else should i do?
thanks
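Guido's two checks in this thread and the previous one (does nslookup return your DCs for the domain, and are the DC/GC service records registered by the right machines, not by some non-DC client or script) can be made mechanical. The following is an added example, not code from the list or from Microsoft: a parser for the text Windows nslookup prints for SRV queries (the field labels "SRV service location:" and "svr hostname" are an assumption about that output), followed by an audit against a list of DCs you know about. The domain example.com, its hosts and the sample output are constructed.

```python
"""Constructed example: audit DC locator SRV records from nslookup-style output."""
import re
from collections import defaultdict

SRV_HEADER = re.compile(r"^(?P<name>\S+)\s+SRV service location:\s*$")
SRV_FIELD = re.compile(r"^\s*(?P<key>priority|weight|port|svr hostname)\s*=\s*(?P<val>\S+)\s*$")


def parse_nslookup_srv(text):
    """Return one dict per SRV record (name, priority, weight, port, target)."""
    records, current = [], None
    for line in text.splitlines():
        h = SRV_HEADER.match(line.strip())
        if h:
            current = {"name": h["name"].lower().rstrip(".")}
            records.append(current)
            continue
        f = SRV_FIELD.match(line)
        if f and current is not None:
            key = "target" if f["key"] == "svr hostname" else f["key"]
            val = f["val"].lower().rstrip(".")
            current[key] = int(val) if key in ("priority", "weight", "port") else val
    return records


def expected_dc_records(domain, forest=None):
    """SRV names the DC locator queries for a domain, plus the GC names for its forest."""
    forest = forest or domain
    return {
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_gc._tcp.{forest}",
        f"_ldap._tcp.gc._msdcs.{forest}",
    }


def audit_srv(records, authorized_dcs, domain, forest=None):
    """Flag targets that are not DCs you know about, and expected names that are absent."""
    authorized = {h.lower().rstrip(".") for h in authorized_dcs}
    by_record = defaultdict(set)
    rogue = set()
    for r in records:
        if "target" not in r:
            continue                          # header without fields: ignore
        by_record[r["name"]].add(r["target"])
        if r["target"] not in authorized:
            rogue.add((r["name"], r["target"]))
    missing = sorted(expected_dc_records(domain, forest) - set(by_record))
    return {"rogue": sorted(rogue), "missing": missing,
            "by_record": {k: sorted(v) for k, v in by_record.items()}}


# constructed output for "set type=SRV" queries; ws042 is a workstation that
# somehow registered itself as a domain controller
SAMPLE_NSLOOKUP = """\
Server:  dc1.example.com
Address:  10.0.0.1

_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ws042.example.com
_kerberos._tcp.dc._msdcs.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.example.com
_gc._tcp.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = dc1.example.com
dc1.example.com internet address = 10.0.0.1
"""


def run_example():
    records = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    return audit_srv(records, authorized_dcs=["dc1.example.com"], domain="example.com")


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Feed it the saved output of one nslookup session per expected name (the list in expected_dc_records) and keep the authorized list in sync with your DC inventory; a target that is not on that list is exactly the "registered by the wrong machine" case Guido describes, and a client that picks it will fail or hang in the way Tom reports.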


RE: [ActiveDir] User modifiable attributes

2004-05-19 Thread Grillenmeier, Guido



another option is to adjust the default property sets, which can be done in 2003 (but not in 2000) - this will even allow changing the effective permissions instantaneously on all objects ACLed with this property set without any re-ACLing on the objects themselves. This can be quite nice to avoid setting explicit deny ACEs at the object level.

but you may still want to add the removed attributes to a new property set and then add the correct ACEs via inheritance (e.g. just READ instead of WRITE permissions). 

I agree with Joe that it would be nice to have more documentation on which permissions are really required - the AD Delegation Whitepaper is a good start - but we're talking about the minimal permissions and adjusting defaults. I could come up with some good suggestions myself on removing specific attributes from the def. property sets (specifically the personal information PS, which grants every user write permissions on a ton of attributes for his own object)... 

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 17 May 2004 23:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes


Inherited perms from top of subtree are better for everyone. Easier to manage and such. And of course if you're going to do serious ACLing, 2k03 is a great upgrade path because of single instance store (SIS) of SDs.
I don't like making changes to default SD personally. Only when absolutely required with no other choices..

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 17, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes

Douglas you appear to be in 
luck...

The two attributes 
mentioned aren't in any property sets which means whatever permissions set for 
the user object itself are what counts. I have never seen either of those 
specifically outlined with permissions on a user object which would seem to 
indicate that the normal users would not have the ability to modify the values 
by default.

The positive proof 
would be to log on as a normal user, fire up adsiedit and try to modify the 
attributes or write a script to do so. If you get access denied, you know you 
are cool. 

I agree with Eric 
though for the choice of tool and how to do the determination. On the updating 
perms, if you can do it with inherited perms that rocks. If not it is kind of a 
pain. 

Actually I would like 
to see some serious docs from MS concerning locking down an AD deployment very 
seriously. I.E. Cleaning up all the default SDs in the schema so that by 
default, you get the permissions the container/OU the object is created in has. 
When I say serious, I mean what permissions would need to be given back and why 
so you don't break MS software or knowingly break it. They don't have to outline 
what you have to do to make anyone else's software work, just theirs. 


 
joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, May 17, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes
You can look at the ACLs on the user object itself to see what the effective perms are. I like dsacls, others might have other tools of choice.
To modify it wholesale for a lot of users, my method of choice is ensuring there are no explicit ACLs on the users granting them write to the attributes in question (you can look at the default SD for the user object, or just create one, uncheck inherit for test, and see what's there, or just look at what is explicit. Tons of choices ;)) then put the desired ACL on the top of a subtree that gives what you want. In this case it would be DENY WRITE on the attribute(s) in question for at least SELF, probably a larger group of users defined somehow.
Or perhaps just don't allow write to SELF, and that will implicitly mean they can't write to it.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 17, 2004 8:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User modifiable attributes


Is there an easy way to find out what attributes a user is able to edit? The two I am most concerned about are employeeID and employeeNumber. If they do appear to be editable by the user, how do I change that (a link would be great)?
Thanks


RE: AW: [ActiveDir] hidding users

2004-05-21 Thread Grillenmeier, Guido
List mode won't help you for hiding a specific link from a group's membership list. You'll also have to worry about many other permissions to use list mode effectively.

E.g. Authenticated Users by default has explicit Read permissions on every OU and on every object contained within. So denying permissions from the top via inheritance won't do the trick, as these have lower priority than explicit allows (and the list permission is part of the default READ permission).

A good reason for using the LIST permission is to completely hide an OU from the UI - mainly useful in hosting environments (so that company 1 can't see any existence of company 2 in the admin UI or in the GAL, the latter requiring some extra work on Exchange address book configurations).
But it's not really useful for hiding single objects. And if you're not worried about the OU object being visible, then you might as well just remove the READ permissions for Authenticated Users from it (and any other sub-OU) = your users will then not be able to browse or search the OU.

However, it's generally a good idea NOT to put your ADMIN accounts into the same OU as your normal accounts. You're best off with a DUAL-account model = put the normal accounts (JoeRich) that your admins use for mail etc. into your general OU for users, and put the admin account for the same user (ADM.JoeRich) into a different OU outside of the scope of delegation for your normal OU.

The same is true for groups - once you have implemented a dual-accounts structure, you'll usually not have a reason to add any admin account to a group containing normal users. As such you don't need to hide them either = you'll just hide the whole OU that contains the admin accounts and the admin groups...

/Guido



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Thursday, 20 May 2004 23:48
To: [EMAIL PROTECTED]
Subject: Re: AW: [ActiveDir] hidding users





AD list mode is interesting enough that we're going to look into it as
well.  We're also looking into the link below as a way to accomplish this.
At this point we haven't tested either so I don't really know yet whether
they fill your need (or ours, for that matter).

Mike

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci962436,00.html?track=NL-23ad=481969
   
  
From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 05/20/2004 04:34 PM
Subject: AW: [ActiveDir] hidding users
Please respond to ActiveDir




Maybe the AD List Mode will be an option for you:
http://www.chrisse.se/MAQB.asp?ID=34

Ulf

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 20 May 2004 20:00
To: ActiveDir (E-mail)
Subject: [ActiveDir] hidding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from
appearing in the usual admin GUI utilities like ADUC?
Also, when you look in group membership, to not have s(he) appear there as
well?
Thanks



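
The permission questions in this thread and in the "User modifiable attributes" thread above come down to two rules of how AD evaluates a DACL: an object ACE granted on a property set covers every attribute that belongs to the set, and explicit ACEs on the object are ordered before inherited ones, so an inherited deny from the OU never overrides an explicit allow on the object itself. The Python below is an added example, not code from either thread; it models those two rules on a constructed user DACL. The two SIDs are the real well-known ones, but the property-set contents, the ACEs and the attribute lists are simplifications, and a real user object carries many more ACEs than shown.

```python
"""Toy model of how AD evaluates a user object's DACL for a property write.

Added example, not code from the list thread. SELF and Authenticated Users
are the real well-known SIDs; the property-set contents and the ACEs are
constructed approximations (real set membership must be read from the
schema's attributeSecurityGUID / rightsGuid values).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SELF = "S-1-5-10"        # NT AUTHORITY\SELF
AUTH_USERS = "S-1-5-11"  # NT AUTHORITY\Authenticated Users

# Constructed property sets: set name -> attributes it covers.
DEFAULT_PROPERTY_SETS: Dict[str, Set[str]] = {
    "Personal Information": {"homePhone", "streetAddress", "postalCode"},
    "Web Information": {"wWWHomePage", "url"},
}


@dataclass(frozen=True)
class Ace:
    trustee: str                       # SID the ACE applies to
    allow: bool                        # True = allow ACE, False = deny ACE
    right: str                         # "WP" write property / "RP" read property
    object_type: Optional[str] = None  # attribute or property-set name; None = all
    inherited: bool = False            # arrived from a parent OU via inheritance


def ace_covers(ace: Ace, attribute: str, property_sets: Dict[str, Set[str]]) -> bool:
    """An object ACE matches the attribute itself or a property set containing it."""
    if ace.object_type is None or ace.object_type == attribute:
        return True
    return attribute in property_sets.get(ace.object_type, set())


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def can_write(dacl: Iterable[Ace], attribute: str, token_sids: Set[str],
              property_sets: Dict[str, Set[str]] = DEFAULT_PROPERTY_SETS) -> bool:
    """The first ACE in canonical order that matches trustee, right and attribute
    decides; no matching ACE is an implicit deny."""
    for ace in canonical_order(dacl):
        if ace.right != "WP" or ace.trustee not in token_sids:
            continue
        if ace_covers(ace, attribute, property_sets):
            return ace.allow
    return False


def writable_by_self(dacl: Iterable[Ace], attributes: Iterable[str],
                     property_sets: Dict[str, Set[str]] = DEFAULT_PROPERTY_SETS) -> Set[str]:
    """Attributes a user could change on his own object (joe's adsiedit test, simulated)."""
    dacl = list(dacl)
    return {a for a in attributes if can_write(dacl, a, {SELF}, property_sets)}


def default_user_dacl() -> List[Ace]:
    """Constructed approximation of an out-of-the-box user object's DACL."""
    return [
        Ace(AUTH_USERS, True, "RP"),                    # explicit read for everyone
        Ace(SELF, True, "WP", "Personal Information"),  # explicit self-service writes
        Ace(SELF, True, "WP", "Web Information"),
    ]


def with_ou_deny(dacl: Iterable[Ace], attribute: str) -> List[Ace]:
    """Eric's approach: DENY write on the attribute for SELF, inherited from the OU."""
    return list(dacl) + [Ace(SELF, False, "WP", attribute, inherited=True)]


def with_trimmed_set(property_sets: Dict[str, Set[str]], set_name: str,
                     attribute: str) -> Dict[str, Set[str]]:
    """Guido's approach (2003 only): pull the attribute out of the property set itself."""
    trimmed = {name: set(members) for name, members in property_sets.items()}
    trimmed[set_name].discard(attribute)
    return trimmed


if __name__ == "__main__":
    dacl = default_user_dacl()
    probe = ["employeeID", "employeeNumber", "homePhone"]
    print("default             :", sorted(writable_by_self(dacl, probe)))
    print("OU-inherited deny   :", sorted(writable_by_self(with_ou_deny(dacl, "homePhone"), probe)))
    print("explicit deny       :", sorted(writable_by_self(
        dacl + [Ace(SELF, False, "WP", "homePhone")], probe)))
    print("trimmed property set:", sorted(writable_by_self(
        dacl, probe, with_trimmed_set(DEFAULT_PROPERTY_SETS, "Personal Information", "homePhone"))))
```

Running it prints which of employeeID, employeeNumber and homePhone SELF can write under four variants: the default DACL (only homePhone, through the Personal Information set, so the two employee attributes are not self-writable), an OU-inherited deny on homePhone (still writable: the explicit allow on the object sorts ahead of the inherited deny), an explicit deny placed on the object (blocked), and the Windows Server 2003 option of removing the attribute from the property set (blocked with the DACL untouched).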

RE: [ActiveDir] 5.5 to 2K migration and A.D.

2004-05-21 Thread Grillenmeier, Guido



I'll take a quick shot at this - see inline

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefano Crivellaro
Sent: Friday, 21 May 2004 09:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 5.5 to 2K migration and A.D.

Hi all

I have read a lot of documentation on Exchange 5.5 to Exchange 2000 migration; still I can't find answers to some questions.

I want to migrate from 5.5 to 2K.

I have a Win2K domain already in Native mode. User accounts are already in A.D.

I have three 5.5 servers, they belong to the same 
Exchange Organization and to the same Exchange Site (there is only 1 
site).

All the three 5.5. servers are already installed on 
Win2k servers.

Of the three 5.5 servers one is at the main office 
and holds 70% of the mailboxes while the two other 5.5 servers are in two 
distant offices.

The 5.5 server at the two distant offices have 
their own local (on the same subnet) Win2k domain controller, Global Catalog, 
DNS, WINS.

As they all belong to the same site the replication 
mechanism among the servers is the RPC-based 5.5 replication 
mechanism.

I plan to migrate the main 5.5 server doing a "move 
mailbox" upgrade, which is installing an Exchange 2000 server at the main office 
and then move the mailboxes from the 5.5 to the 2k server.



Now I know that I have to install and configure the ADC and run NTDSAtrb to generate a file with the NTDSNoMatch in Field 10 etc.

What I was not able to find is the explanation of what happens in the mapping of information from 5.5 Directory to A.D. in these cases:

(Please note that all my user accounts are already 
in A.D.)

Case 1

Mailbox with alias A has PWNTA (Primary Windows NT 
Account) set to account A

Mailbox with alias B has PWNTA set to account 
A

also, in the Permissions tab for the mailbox A the accounts C and D have user level permissions on that mailbox, and in the Permissions tab for the mailbox B the accounts E and F have user level permissions on that mailbox.

How would this configuration in the 5.5 
Directory be mapped onto the A.D. by the ADC?

Would account A lose access to mailbox B at the moment the ADC replicates the information into A.D. for the first time, or after I move mailbox B to the Exch2k server?

[Guido Grillenmeier] whichever mailbox gets mapped first by the ADC wins - the other will get a new placeholder account (depending on your ADC config). This could be either mbx A or B, since any AD object can only be mapped to a single mbx. You can still assign permissions to various other mailboxes, but not as the primary account. = this is why you want to ensure that every NT4 account is only the PWNTA of exactly that mailbox which you want to have assigned to him in AD/E2k

What happens to the permissions of accounts C, D, E, F? Would they lose access to the mailboxes at the moment the ADC replicates for the first time, or only after I move the mailboxes A and B to the Exchange 2k server?

[Guido Grillenmeier] the permissions would still come across ok and will also remain on the object when moved over to the E2k server

Case 2


Mailbox with alias A has PWNTA (Primary Windows NT 
Account) set to account B,
in the Permissions tab for the mailbox A the 
accounts C and D have user level permissions on that mailbox


How would this configuration in the 5.5 Directory 
be mapped onto the A.D. by the ADC?
[Guido Grillenmeier] the name of the alias doesn't matter, since you've already got your user accounts in AD - the match will happen via the SID of the PWNTA. So if B isn't assigned to another mailbox as well, this is a non-issue. And the permissions for C and D come over fine as well.

Note: even though the permissions granted on the mailbox object itself come across well, the users may still have granted various permissions WITHIN their mailbox for access to calendar or specific mbx-folders = these will usually cause the main headaches when moving the mbx to the E2k server. You'll be best to move your mailboxes in "closed sets" - i.e. all users that potentially share a mailbox (boss + secretary) should be moved to the E2K server at the same time (i.e. within the same batch at night).

Thank you very much for your help!

Stefano



RE: [ActiveDir] Discontinue Mail Membership

2004-05-21 Thread Grillenmeier, Guido



that's spelled FEMAIL ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, 20 May 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


Please continue FEMALE membership :-)






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you
Michael Welborn



RE: [ActiveDir] how many domain controllers ?

2004-05-21 Thread Grillenmeier, Guido
as few as possible

just roughly: depending on how you define small, medium, large, this
would translate to none for small, 1 for medium and usually no more than
2-3 for large (mainly depends on other services using the DCs/GCs, such
as Exchange).  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Maple
Sent: Friday, 21 May 2004 12:28
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how many domain controllers ?

Does anyone have a view about how many servers in a domain should be
domain controllers.  Should it be all of them - or only a few on each
site ?


Mike.






RE: [ActiveDir] Domain Controller Security...

2004-05-22 Thread Grillenmeier, Guido
what's the size of these 4 locations? and their network connectivity to
the next larger location that has a DC? 

the locations may be large enough to absolutely require a file/print
server - but they could very well be fine without placing a DC in the
location and you'd still find authentication to run sufficiently well.
Of course the locations won't be as independent in terms of network
outage, but usually you have many other dependencies in this case as
well (such as central web-apps, LOB apps, messaging servers etc.) so
network authentication shouldn't be the real culprit.

And with the kerberos capabilities (assuming your users were able to
logon in the morning), the kerberos ticket will allow sufficient time
for an un-reachable DC as well.  I find DCs being placed in way too many
locations at many companies - often in physically insecure rooms... So
even if you don't grant admin rights to local folks, this is not a bit
more secure either...  Better to keep DCs out of these locations.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, 21 May 2004 23:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I know.  I agree that this isn't good security practice.  I wouldn't
recommend this as well.  But, for the lack of space in most locations
(and we are only talking about 4 locations), we would just like to
give the local tech access to that DC only and no other DC in the
domain.  I can restrict them to log onto that DC local to them only
(via GPO).  I might just give them Server Operators rights, restrict
them to log onto that DC only, and call it a day.

Thanks,

Chris 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Friday, May 21, 2004 10:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Domain Controller Security...
 
 True... I musta read half the question (again).
 
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
  
 
  -Original Message-
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 21, 2004 12:41 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Domain Controller Security...
  
  I am not sure that fits his requirements for this one...
  
  Sounds like he is file sharing from the DC (not something I 
 personally
  recommend) and obviously it would be a bit much to dcpromo down
  and  back up to add a new share.
  
joe
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
  Seielstad
  Sent: Friday, May 21, 2004 11:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Domain Controller Security...
  
  I like Joe Richard's option - DCPromo it out, let the tech 
 work on it, 
  and DCPromo it back in
  
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
   
  
   -Original Message-
   From: Chris Lynch [mailto:[EMAIL PROTECTED]
   Sent: Friday, May 21, 2004 11:27 AM
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] Domain Controller Security...
   

   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA1
   
   I'm wondering if anyone has accomplished the following:
   
   Provided different security policies to multiple DC's
  within the same
   domain, but different OU's for field techs to manage
  resources on just
   that DC without giving Server Operators rights.
   
   I have almost all of the requirements resolved, except the
  ability to
   create shares.  I have modified the security on the 
   HKLM\System\CurrentControlSet\Services\LanManserver and 
   HKLM\System\ControlSet001\Services\LanManserver with no success.
   Every document I have read about where the shares definitions are 
   stored are located in these two reg keys.
   
   I know the simple way would be to deploy another server to that 
   location and give them local Administrator rights.  But, 
 management 
   doesn't want to do this.
   
   Thanks for any input,
   
   Chris Lynch
   
   -BEGIN PGP SIGNATURE-
   Version: PGP 8.0.3
   Comment: Public PGP Key for Chris Lynch
   
   iQA/AwUBQK4f0m9fg+xq5T3MEQKvyACfR40Wo0raZykKESlI9BlWQnO9CREAoIr4
   BT+9sM9+/PU1ca4fioHgTuMm
   =k33B
   -END PGP SIGNATURE-
   

RE: [ActiveDir] OT, How to change wording on screen when computer is locked

2004-05-22 Thread Grillenmeier, Guido



it's called Resource Hacker (reshacker.exe) and is available at: http://www.users.on.net/johnson/resourcehacker/

Quite nice - I've also used it - but only for lab purposes to easily distinguish machines at logon time. However, we've moved to bginfo from sysinternals, which is obviously much simpler to use for this purpose...

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, 23 May 2004 00:39
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT, How to change wording on screen when computer is locked

I used a great little program called Hacker.EXE (excuse the name) that was great for modifying the GINA to change any of the messages, images etc., but I can't seem to find a site for it now. Maybe someone else has experience.

In the end, we didn't use it 'cos management was a 
little nervous, but it seemed to work well when I played with it on my 
machine.



Alan Cuthbertson

Policy Management Software:-http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml



----- Original Message -----
From: joe
To: [EMAIL PROTECTED]
Sent: Saturday, May 22, 2004 1:05 AM
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked
  
  Well there are two ways to modify the GINA. 
  
  
  1. Hack it with a binary editor
  2. Replace it with one you write
  
  Obviously #2 is the supported method, you can find sample 
  code at 
  
  http://msdn.microsoft.com/library/default.asp?url="">
  
  You may possibly be able to do something with the GINA 
  stub functionality, see this
  
  http://msdn.microsoft.com/library/default.asp?url="">
  
   joe
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 21, 2004 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked

Do you know of a good software for making modifications to the GINA?

Ryan McDonald
Systems Administrator


From: "joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 05/21/2004 09:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT, How to change wording on screen when computer is locked
Please respond to [EMAIL PROTECTED]

I don't believe that message is tuneable without modification of the GINA.

joe
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 20, 2004 5:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT, How to change wording on screen when computer is locked

What I am looking to do is change the wording on the screen when a computer is locked, where it says "This computer is in use and has been locked". I have it when the user logs in, but I want to change it when it's locked as well, and I can not find out where to do this for the life of me. Any help would be great, or links, or anything.

Ryan McDonald
Systems Administrator



RE: [ActiveDir] Discontinue Mail Membership

2004-05-22 Thread Grillenmeier, Guido



aren't those the rules that apply to post to this 
list? ;-))


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, 21 May 2004 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I like the etiquette rules, especially the useful reminder:
"We have the right to exploite, humilate, delete, ignore, or coddle any person at anytime for no other reason than Our Own amusement."
And what's up with those pink...errmm..stuff you require to wear while reading FeMail? That's mean!
Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 May 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

That is hilarious... go through FAQ on the left if you 
haven't



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Hmmm.. googled FeMail and got - "Totally new, cool and fast feMail system utilizes the newest technology available!" http://www.femail.sissify.com/
A replacement for ActiveDir? The most important - it promises "No more fretting about system administrators at your workplace!"
Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 21 May 2004 11:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


that's spelled FEMAIL ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, 20 May 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


Please continue FEMALE membership :-)






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you
Michael Welborn



RE: [ActiveDir] Password set and enable account

2004-05-24 Thread Grillenmeier, Guido



here's a sample batch that should help you get started

/Guido


set inputfile=%1
if '%inputfile%'=='' goto ErrInput
set logfile=.\%inputfile%_log.txt

echo.
echo Updating password settings for users listed in: %inputfile%
echo Logfile: %logfile%
echo.

echo. >> %logfile%
echo. >> %logfile%
echo Inputfile: %inputfile% >> %logfile%
date /T >> %logfile%
time /T >> %logfile%
echo Step 1: setting PW to new value >> %logfile%
echo. >> %logfile%
echo. >> %logfile%

REM Read users from inputfile (one "username;newPW" per line) and execute the UpdatePWsetting routine
set /A count=1
FOR /F "tokens=1-2 delims=;" %%i in (%inputfile%) DO set CurUser=%%i & set newPW=%%j & call :Sub_PWchange
start notepad %logfile%

goto END


:Sub_PWchange
echo now updating User%count%: %CurUser% PW:%newPW%
REM note: this writes the new password in cleartext to the logfile
echo User%count%: %CurUser% PW:%newPW% >> %logfile%
REM dsquery resolves the sAMAccountName to a DN, which dsmod reads from stdin
dsquery user -samid %curUser% | dsmod user -pwd %newPW% >> %logfile%
REM *** dsmod user -pwd only works on Win2k3 DCs = for Win2k the "net user" cmd must be used ***
REM net user %CurUser% %newPW% >> %logfile%
set /A count=%count%+1
GOTO :EOF


:ErrInput
echo.
echo **
echo ERROR: missing inputfile - script will quit
echo.
echo Syntax: update_pwChange.bat myUser-list.csv
echo Format of input-file: username;newPW
echo **
echo.
pause

:END


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, 24 May 2004 15:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

Oh yeah, I guess I have to read the username from a file and pass it into the dsmod command also. Do I just want a list of users in a .txt file, .csv??? And how do I read from that?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password set and enable account

Ok, so my task is to generate random passwords and enable the accounts for 3200 users. The user accounts and all attributes were first created with ldifde, and I am now thinking about using the dsmod utility to accomplish the password set and account enablement. I wish I knew vbs like you guys do, but I don't yet (this year's resolution). So here is what I have for the password generation part:
  
  
Function Password_GenPass( nNoChars, sValidChars )
' nNoChars = length of generated password
' sValidChars = valid characters. If zero-length string ( "" ) then
' default is used: A-Z AND a-z AND 0-9

Const szDefault = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
Dim nCount
Dim sRet
Dim nNumber
Dim nLength

Randomize 'init random (Rnd is a general-purpose PRNG, not a cryptographic one)

If sValidChars = "" Then
    sValidChars = szDefault
End If
nLength = Len( sValidChars )

For nCount = 1 To nNoChars
    ' pick a 1-based index into the character set
    nNumber = Int((nLength * Rnd) + 1)
    sRet = sRet & Mid( sValidChars, nNumber, 1 )
Next
Password_GenPass = sRet
End Function

WScript.Echo "Your password: " & Password_GenPass( 10, "" )
  
What is my next move? I am guessing I have to pass this password to a variable, instead of echo, and then somehow pass that into the dsmod command, but as I already said, I don't know VB script. Any help is highly appreciated.
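
The generation half of this task, as an added example that is not part of the thread: Douglas's VBScript draws from Rnd, which is a general-purpose generator, and the batch above writes each new password into its log in cleartext and hands it to cmd unquoted. The Python below (not the thread's own code) draws from the OS CSPRNG, produces the same "username;newPW" input format the batch reads, refuses characters that the batch's ";" delimiter or cmd would interpret, and builds the dsmod argv for setting the password and enabling the account. The user names are constructed; the dsmod switches -pwd, -disabled and -mustchpwd are the documented Windows Server 2003 ones, and the DN passed to dsmod_command is an assumption for illustration.

```python
"""Bulk initial passwords for a list of sAMAccountNames.

Added example, not code from the thread. Produces the 'username;newPW' file
a dsmod/net user batch consumes and the dsmod argv, using the OS CSPRNG
(secrets) instead of VBScript's Rnd. User names below are constructed.
"""
import secrets
import string
from typing import Iterable, List

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = LOWER + UPPER + DIGITS
# The batch splits on ';' and passes the value unquoted to cmd, so none of these may appear.
CMD_UNSAFE = set(';&|<>^%!"() ')


def gen_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """CSPRNG password containing every character class that the alphabet offers."""
    if length < 3:
        raise ValueError("length must be at least 3")
    classes = [set(cls) & set(alphabet) for cls in (LOWER, UPPER, DIGITS)]
    classes = [cls for cls in classes if cls]
    while True:  # rejection sampling keeps the distribution uniform over accepted strings
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def batch_line(username: str, password: str) -> str:
    """One 'username;newPW' line; refuse values the batch or cmd would mis-parse."""
    for value in (username, password):
        bad = CMD_UNSAFE.intersection(value)
        if bad:
            raise ValueError(f"unsafe character(s) {sorted(bad)} in {value!r}")
    return f"{username};{password}"


def build_password_file(usernames: Iterable[str], length: int = 12) -> List[str]:
    """Fresh password per distinct user, in input order; repeated names are skipped."""
    seen, lines = set(), []
    for name in usernames:
        if name in seen:
            continue
        seen.add(name)
        lines.append(batch_line(name, gen_password(length)))
    return lines


def dsmod_command(user_dn: str, password: str) -> List[str]:
    """argv for dsmod: set the password, enable the account, force a change at next logon.
    Run it as subprocess.run(argv, check=True) so cmd never parses the password."""
    return ["dsmod", "user", user_dn, "-pwd", password,
            "-disabled", "no", "-mustchpwd", "yes"]


if __name__ == "__main__":
    # constructed sample list; in practice the same list that was fed to ldifde
    users = ["jrich", "jdoe", "msmith", "jrich"]
    for line in build_password_file(users):
        print(line)
    print(" ".join(dsmod_command("CN=J Rich,OU=Users,DC=example,DC=com", gen_password())))
```

Writing the lines to a file and feeding that file to the batch keeps the two halves separate; forcing -mustchpwd means the cleartext copies in the file and the batch log stop being useful as soon as each user logs on once, and the file should still be deleted after the run.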
  
  


RE: [ActiveDir] MACS

2004-05-29 Thread Grillenmeier, Guido
That was the impression I got too, when looking through the ACS slides
(wasn't at the session either):

here's what it says on some slides
* ACS will ship with MOM management pack
* ACS is a Windows platform technology- not a complete solution
* ACS is specifically focused on security event collection in
high-security environments 
* MOM 2005 management pack provides a front-end to ACS
* ACS provides open interfaces for 3rd party extension [MOM not a
requirement] 

and
* Release
  - TBD (probably pretty soon)
* Licensing
  - TBD

= so I'm currently not sure if you basically buy the MOM mgmt pack to
get ACS, or vice-versa.  But they still seem to be working on the
licensing, which would suggest it's not for free.  But at least you
don't NEED MOM for it.


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Saturday, 29 May 2004 06:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

It was announced at TechEd (although its second-hand information from
one of
our PMs; I wasn't at that session.)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Where did you hear that? Last I heard in the beta group it was to be
included in the next 2K/2003 SP's but I am not as well connected as
you are :-]

Maybe ~eric can answer :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

And, as I understand it, it is not going to be a free download or
Resource
Kit component any more. MSFT is going to charge for it.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Anyone know where MS are with MACS now?

MACS is now called The Microsoft Windows Audit Collection Services (ACS)


Release Candidate 1 became available to beta testers at the end of
April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance & scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as
NetworkService)
7) Improved manageability
8) Database included
9) Many quality & stability improvements
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Friday, May 28, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS


Anyone know where MS are with MACS now?



RE: [ActiveDir] Username and Password

2004-05-31 Thread Grillenmeier, Guido
you've not been particularly verbose on your infrastructure setup:
- do the two forests (or domains within) trust each other?
- what do you use for backing up?

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pyron
Sent: Sunday, 30 May 2004 10:48
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Username and Password

how do i interconnect network shared drives on different servers with 
different active directory forests?
i mean permanently interconnect them even if the user logs off... I need

this so that my file backup server can be accessed even if the user is 
logged off.
this is because i need it for my scheduled backup every 3AM.

thanks




RE: [ActiveDir] Logging access to windows folders

2004-06-01 Thread Grillenmeier, Guido
auditing 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marco Scalas
Sent: Tuesday, 1 June 2004 10:17
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logging access to windows folders

Hi everybody,

Is there any way to log accesses to a specific folder/directory (on the server's filesystem) in a W2K Active Directory environment?

Best Regards
Marco Scalas



RE: [ActiveDir] Protecting Domain Data in Forest

2004-06-01 Thread Grillenmeier, Guido



this is not what firewalls are for => someone needs to manage the FW as well... - who's this going to be? Typically the same admins that you want to protect the data from... And since the server is in a domain, they can still do everything they need on the server via GPOs...

So usually, this is a call for encrypting data - and it sounds like you want to share the data between multiple users (which is typically the issue). Even though EFS in 2003 allows sharing encrypted files between users, it's rather clumsy to do so, as you need to configure this for every single file... (i.e. it can't be configured at the folder level). Also, depending on how you set up EFS, the Domain or Enterprise Admins have a hold of the master key.

There are various other tools out there, which do this very nicely (incl. sharing an encryption key in the department, with each configured user having his own PIN to be able to leverage the key) - I've worked with Utimaco's SafeGuard products in this area and would recommend you to have a look at them (www.utimaco.com)

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, 1 June 2004 12:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Domain Data in Forest

A personal firewall may also fit requirements. I have used Checkpoint SecureClient to fulfill a similar requirement.

  
-Original Message-
From: Rutherford, Robert
Sent: 01 June 2004 10:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Domain Data in Forest

You need a separate forest then really.

or

You could DMZ the box off behind a firewall with an appropriate rulebase.

BR,

Rob


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 01 June 2004 10:45
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Protecting Domain Data in Forest

I have a very strange dilemma here... One of our domains has a server with sensitive data. The IT director of this domain has decided that some of the information contained on this server cannot be seen by anyone from the other domains (even including the Enterprise Admins in our forest). This server must also remain connected to its domain and available for non-protected data, SMS hotfixes... Is this even possible to do? My boss has also stated that he does not want a separate forest and domain for this server because of the extra upkeep. Although, an extra password to encrypt data for the users would be allowable. Are there any products that could get this done? Has anyone else run into this problem? Thanks, Jonathan


RE: [ActiveDir] SRV Record registration by Non-DC's

2004-06-03 Thread Grillenmeier, Guido



yep, this is related to the installation of MS04-011 on XP clients - you shouldn't see this bug on other machines. I had mentioned it before when I reported a related issue, where MS04-011 causes Win2000 DCs to FAIL registration of certain SRV records.

have a look at 
http://support.microsoft.com/?id=841395

and
http://support.microsoft.com/?id=825675

\Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, 3 June 2004 23:46
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SRV Record registration by Non-DC's

Yes... very occasionally... in the _msdcs\dc\_tcp 
zone.

Have not been able to trace them down to a common 
issue/application/problem. One possible culprit was the Citrix Management 
Console on a couple of Citrix admin workstations. We end up looking at the 
DNS records every week and deleting the ones that shouldn't be 
there.

We have even thought 
about scripting something to check for appropriate records. The idea of 
scripting some type of autocheck for proper SRV records was kicked around on the 
list recently.

-Stuart



From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SRV Record registration by Non-DC's


We have seen a number 
of SRV record registrations for hosts for LDAP that aren't DC's. Has 
anyone experienced this before?

Thanks,

Todd


[ActiveDir] AD in NATed environments

2004-06-05 Thread Grillenmeier, Guido



last time I looked at replication of DCs in a NATed network, I was rather disappointed - basically this was a no-no. Simply due to name-resolution of the DCs (i.e. the IP-Address of a DC on one side of the NAT is not what it should be on the other side of the NAT etc.).

wondering how 
other folks work around this, if you just happen to fall into one of these 
environments...? Trying to change the network is a major undertaking, 
which could take months or even years in larger companies - so mostly this is 
not an option. So do you
- not use DDNS and 
manually register DCs on DNS servers (differently per DNS server, depending on 
which side of NAT...)?
- use DDNS and 
work around the issues in other ways?
- set up special DNS zones in some magic way that solves all the issues?
- other 
ideas?

I heard this is 
not supported by MS anyways - but I'd be open to any 
solution...


Thanks,
Guido


RE: [ActiveDir] AD in NATed environments

2004-06-06 Thread Grillenmeier, Guido



thanks for your input Willem - yes, I was also thinking about something like VPN, but maybe in a dual-homed manner => one of the legs for replication between DCs across NATed sites, another one for authentication in the respective site... There's no way I can change all resources in the sites to a new VPN address-scheme in a quick enough fashion. Would likely be a messy setup to maintain, but maybe a possible solution.

obviously dual-homing itself is not exactly a good story - until now I've been convincing people that dual-homing (e.g. for a productive + backup LAN) is rather difficult to maintain with DCs, since you can't control that a specific NIC wouldn't register in DDNS (ok, not an issue if I'm going to go static only). However, I've just learned that you can now control the NIC registration in Win2003. May not be my problem here.

anybody else think dual-homing would be a feasible solution for NATed networks?

Thanks,
Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Saturday, 5 June 2004 20:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in NATed environments


I ran into this once. I managed to convince the customer that it was a really bad idea. You're right of course, DDNS is a no-no, you need some smart conversion of DNS records. That is a big puzzle and a real administrative nightmare if you think it through. Some other technical hurdles you don't mention are that DCs really like 2-way communication, so you need to take care to use a real NAT, not PAT (port address translation). Yet another issue is that not all IP protocols survive over a NAT. Those are protocols that have an IP address in their packet bodies, or have some form of encryption or signing. You need a NAT translator to make that work. That is probably the main reason MS will not support it. They won't have verified that all their protocols (millions of RPCs!) survive over NAT.

Solutions: what about a VPN into the NAT? That way the DC could have a normal (non-NATted) address.


--
 
Regards, Willem








RE: [ActiveDir] Identify STATIC records in AD DNS

2004-06-08 Thread Grillenmeier, Guido



usually static records also have different ACLs - i.e. records that were registered by machineX have an ACL which grants machineX write privs to the respective DNS AD object.

note that by default in Win2000 a static record added to DNS by an administrator was granting Authenticated Users write privs to the record => which means it can be overwritten by any machine or user. Not so static after all... You may want to check your ACLs.

This was changed in Win2003 (I'm not sure, but I think it was also changed in 2000 SP4).

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Tuesday, 8 June 2004 05:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identify STATIC records in AD DNS


Have you tried parsing the 
output of "dnscmd DNSServerName /ZonePrint ZoneName /Detail" ?

Records without scavenging timestamp will 
have the following clue: "dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 
1/1601])"

HTH



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Jef
Sent: Mon 6/7/2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identify STATIC records in AD DNS

Hi there,

Does anyone know of a way to programmatically identify STATIC records within
an AD integrated DNS zone?

The DNS manager gui can show if a record has a timestamp or not, but with
100's of thousands of records you can't check them all.

I've looked for a property I can search on using ADSI or WMI, but have not
found anything consistent.

The closest I found is the AD property dnsIsTombstoned.  It appears to have
3 values:

TRUE = Already tombstoned and will be replicated
FALSE = Not tombstoned yet, but can be
not set = Will not be scavenged.

This is not 100% though, so I think I am missing something else.

Thanks,

Jef Kazimer





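An added example (not from the thread) of the parsing Deji suggests: read dnscmd /ZonePrint /Detail output and flag the records whose dwTimeStamp is 0. The sample output and its exact line layout are constructed assumptions; only the "dwTimeStamp = 0" clue comes from the thread.

```python
"""Flag static (never-aging) records in dnscmd /ZonePrint /Detail output.

Added example. The one fact taken from the thread is that a record without a
scavenging timestamp prints "dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])"; the
line layout assumed below (a record line followed by an indented dwTimeStamp
line) is an assumption, so adjust the two regexes to what your server prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not captured from a real server.
SAMPLE_OUTPUT = """\
;
;  Zone:    corp.example   (constructed sample)
;  Server:  dc1.corp.example
;
@ 600 A 10.0.0.10
    dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])
dc1 [Aging:3598800] 1200 A 10.0.0.10
    dwTimeStamp = 3598800 ([ 0: 0: 0] [ 6/ 7/2004])
fileserver 1200 A 10.0.0.20
    dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])
ws0042 [Aging:3598812] 1200 A 10.0.1.42
    dwTimeStamp = 3598812 ([12: 0: 0] [ 6/ 7/2004])
_ldap._tcp.dc._msdcs 600 SRV 0 100 389 dc1.corp.example.
    dwTimeStamp = 3598800 ([ 0: 0: 0] [ 6/ 7/2004])
"""

# A record line: owner name, optional [Aging:n] marker, TTL, type, data.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\[Aging:\d+\]\s+)?(?P<ttl>\d+)\s+(?P<type>[A-Z]+)\s+(?P<data>.*)$"
)
# The detail line carrying the scavenging timestamp (hours since 1601-01-01).
TIMESTAMP_RE = re.compile(r"^\s+dwTimeStamp\s*=\s*(?P<ts>\d+)")


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[int]  # None = no detail line was seen for this record

    @property
    def is_static(self) -> bool:
        # 0 is the "no timestamp" marker Deji quotes: the record never ages
        # and is therefore never scavenged, which is what Jef wants to find.
        return self.timestamp == 0


def parse_zoneprint(text: str) -> List[Record]:
    """Pair each record line with the dwTimeStamp detail line that follows it."""
    records: List[Record] = []
    pending: Optional[Record] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank or comment line
        m = TIMESTAMP_RE.match(line)
        if m and pending is not None:
            pending.timestamp = int(m.group("ts"))
            records.append(pending)
            pending = None
            continue
        m = RECORD_RE.match(line)
        if m:
            if pending is not None:  # previous record had no detail line
                records.append(pending)
            pending = Record(m["name"], m["type"], m["data"], None)
    if pending is not None:
        records.append(pending)
    return records


def static_records(text: str) -> List[Record]:
    """The records an administrator should review: they never age out."""
    return [r for r in parse_zoneprint(text) if r.is_static]


if __name__ == "__main__":
    for rec in static_records(SAMPLE_OUTPUT):
        print(f"static: {rec.name} {rec.rtype} {rec.data}")
```

Guido's point about ACLs still applies: a record found this way may be static in the aging sense yet writable by Authenticated Users, so the ACL check is a separate step.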

RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Grillenmeier, Guido
you have different options when you're trying to implement the exact
same namespace in a physically separated lab, or when you want to
integrate your lab into the production network, choosing a different
domain name.

For the first option you can go the clone DC or grab DC method as
described in other posts, but when you want to use a different
namespace, it's a little more complicated, especially - as you noted
yourself - when you want to grab the security settings as well.  If
Win2003, you could still do a domain/forest rename after you've
cloned/grabbed the DCs from production, but that's still a lot of work.
We've decided to go down the scripting/programming path to copy &
translate the ACLs of one AD forest to another to build lab-environments
(only OU permissions). Yes, it is rather tedious, but it can be done -
see MSDN IADsAccessControlEntry Property Methods.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, 10 June 2004 17:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD

All,

We are in the process of constructing a Lab to mimic the production AD system as closely as possible.  Doing a full DR into this environment is certainly an option, however we have been looking into simply migrating the AD structure and using this as a test bed to clean up AD (OU's, objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration components into a lab using an approach that can be scripted / automated? (we may want to do this every few months or so). For example, we have used LDIFDE to extract the OU structure, users and groups and re-imported these into the test lab.  By and large this has worked very well (took some tweaking of the LDIFDE commands to resolve some constraint violations etc), however items such as OU security and policies are causing a bit more of a headache.

Any thoughts ?

TIA

Glenn




RE: [ActiveDir] Security

2004-06-10 Thread Grillenmeier, Guido
don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, 10 June 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at least have that operation audited. Is there any way to perform this with GPO or something built into win2k server?

Thanks,
Aaron Visser


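An added example (not from the thread) of the scripted check Larry describes: it reads the group's member values from an ldifde-style export so it can run offline and compares them against an approved list. The export, baseline and DNs are all constructed; on a live domain you would feed it the file written by ldifde -f, with -d set to the group's DN and -l member.

```python
"""Compare a group's current membership with an approved baseline.

Added example, not code from the thread. It takes the membership from an
ldifde-style export of the group object so it runs offline; both the export
and the baseline below are constructed, and the report is what a scheduled
job would alert on.
"""
import base64
from typing import Dict, List, Tuple

GROUP_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"

# Constructed export. LDIF folds long values onto a continuation line that
# starts with one space, and writes base64 values after a double colon.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=corp,DC=example
changetype: add
objectClass: group
cn: Domain Admins
member: CN=Administrator,CN=Users,DC=corp,DC=example
member: CN=Alice Admin,OU=IT,DC=corp,DC=example
member: CN=Svc Backup,OU=Service Accounts,DC=corp,
 DC=example
member:: Q049Qm9iIE1hbGxvcnksT1U9Q29udHJhY3RvcnMsREM9Y29ycCxEQz1leGFtcGxl

"""

# Constructed baseline: the members that are supposed to be there.
APPROVED_MEMBERS = [
    "CN=Administrator,CN=Users,DC=corp,DC=example",
    "CN=Alice Admin,OU=IT,DC=corp,DC=example",
    "CN=Svc Backup,OU=Service Accounts,DC=corp,DC=example",
    "CN=Carol Ops,OU=IT,DC=corp,DC=example",
]


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) to their parent."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attribute: [values]}}; attribute names are lower-cased."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if not line.strip():  # blank line ends an entry
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if "dn" in current:  # export without a trailing blank line
        entries[current["dn"][0]] = current
    return entries


def _norm(dn: str) -> str:
    """DNs compare case-insensitively; spaces after commas are not significant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_membership(
    ldif_text: str, group_dn: str, approved: List[str]
) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing) member DNs, in the export's own spelling."""
    entries = parse_ldif(ldif_text)
    group = next((e for dn, e in entries.items() if _norm(dn) == _norm(group_dn)), None)
    if group is None:
        raise ValueError(f"group not found in export: {group_dn}")
    current = group.get("member", [])
    approved_norm = {_norm(dn) for dn in approved}
    current_norm = {_norm(dn) for dn in current}
    unexpected = [dn for dn in current if _norm(dn) not in approved_norm]
    missing = [dn for dn in approved if _norm(dn) not in current_norm]
    return unexpected, missing


if __name__ == "__main__":
    added, gone = check_membership(SAMPLE_LDIF, GROUP_DN, APPROVED_MEMBERS)
    for dn in added:
        print("ALERT unapproved member:", dn)
    for dn in gone:
        print("WARN approved member absent:", dn)
```

As Larry notes, this only tells you that the membership changed, not who changed it; the Account Management audit events on the DCs are still needed for that.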

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case
here for the directReports attribute => it is not a replicated attribute
at all (neither cross domain nor within the same domain), as only
forward links (here the manager attribute) get replicated between
DCs/GCs.

Instead, the backlink attributes are processed locally on each DC when
it receives the forward-link (e.g. a user object's manager attribute)
and creates the link between the two respective AD objects via an entry
in the local link table on the DC/GC.

However, the forward-link will only replicate to DCs hosting the
respective naming context. And for attributes (even forward links),
which are also in the PAS (configured to replicate to the GC), this
means that the information is also replicated to GCs from other
domain(s), hosting a read-only partition of the source domain (of an
object with a forward link). And the GCs will then again create the
respective backlink locally, when making the entry in the link table,
even for cross-domain links.

For the given manager/directReports example this means that a user's
manager attribute is only replicated to DCs of the same domain and to
GCs in the forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports
information on a DC of a manager's domain, if this DC is not a GC.

So here, the DC for titi.com used to look up the directReports
attribute of usertiti must have been a GC, while the DC of
toto.titi.com used to look up the directReports attribute of usertoto
must have been just a normal DC.

This is not to be confused with Phantom Records (which are updated via
the Infrastructure Master): as the directReports attribute is not the
replicated attribute, it is also not updated or replicated as a phantom
record via the IM.
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside its own domain. As
Dean perfectly described, the IM is then responsible to sync changes to
the linked object over time (renames, deletes etc.), but it would not
update any backlinks.

As a side note on the replication of the manager/directReports links you
should realize that if you do leverage these across domains in a
forest and you accidentally delete a manager (with direct-reports in
various domains) whom you must then authoritatively restore in AD, the
links to the manager's directReports are NOT recovered with the
manager... (same issue as with memberships in Universal Groups or Domain
Local groups in other Domains of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain

 If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute
to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain
and
sub-domain

The manager attribute is replicated between GCs as part of the Partial Attribute Set.  The directReports attribute isn't.  Whether you see it or not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user usertiti on domain titi.com and a user usertoto on domain toto.titi.com.
I set usertiti as manager of usertoto and usertoto as manager of usertiti.
When I look at the usertoto and usertiti entries in the directories, I have:
- the manager attribute of usertiti is correctly set at usertoto,
- the directReports attribute of usertiti is correctly set at usertoto,
- the manager attribute of usertoto is correctly set at usertiti,
- but, the directReports attribute of usertoto is not correctly set at usertiti!

Why? Is it normal or is it a replication problem?

Thanks in advance for your answers...


Solange Desseignes



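The rules Guido lays out above, run as a small model (added here, not code from the thread): each DC derives directReports from the forward links it holds locally, so the cross-domain backlink shows up on GCs but not on a plain DC of the manager's domain. The forest, DC names and DNs are constructed to mirror the titi.com / toto.titi.com scenario.

```python
"""Where is a backlink visible? A model of the explanation above.

Added example, not code from the thread. The forward link (manager) lives on
the managed user and replicates to the DCs of that user's domain and, being in
the PAS, to every GC; each DC then derives the backlink (directReports) from
the forward links it holds locally. The forest below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    dn: str
    domain: str
    manager: Optional[str] = None  # forward link: a DN, possibly in another domain


@dataclass(frozen=True)
class DC:
    name: str
    domain: str
    is_gc: bool

    def hosts(self, user: User) -> bool:
        # Full writable replica of its own domain NC; a GC additionally holds
        # a read-only partial replica of every other domain, and that partial
        # replica includes 'manager' because the attribute is in the PAS.
        return user.domain == self.domain or self.is_gc


def direct_reports(dc: DC, target_dn: str, users: List[User]) -> Optional[List[str]]:
    """directReports of target_dn as this DC computes it from its own link table.

    Returns None when the DC does not hold the target object at all.
    """
    by_dn = {u.dn.lower(): u for u in users}
    target = by_dn.get(target_dn.lower())
    if target is None or not dc.hosts(target):
        return None
    return sorted(
        u.dn
        for u in users
        if dc.hosts(u) and u.manager is not None and u.manager.lower() == target_dn.lower()
    )


# Constructed forest matching the thread's scenario: titi.com with child
# domain toto.titi.com, each user set as the other's manager.
USERTITI = "CN=usertiti,CN=Users,DC=titi,DC=com"
USERTOTO = "CN=usertoto,CN=Users,DC=toto,DC=titi,DC=com"
USERS = [
    User(USERTITI, "titi.com", manager=USERTOTO),
    User(USERTOTO, "toto.titi.com", manager=USERTITI),
]
DCS = [
    DC("dc1.titi.com", "titi.com", is_gc=True),
    DC("dc2.titi.com", "titi.com", is_gc=False),
    DC("dc1.toto.titi.com", "toto.titi.com", is_gc=False),
    DC("dc2.toto.titi.com", "toto.titi.com", is_gc=True),
]


def visibility_report() -> Dict[str, Dict[str, Optional[List[str]]]]:
    """For each DC, what each user's directReports looks like when queried there."""
    return {
        dc.name: {u.dn: direct_reports(dc, u.dn, USERS) for u in USERS}
        for dc in DCS
    }


if __name__ == "__main__":
    for dc_name, view in visibility_report().items():
        for dn, reports in view.items():
            print(f"{dc_name:20} {dn.split(',')[0]:12} directReports={reports}")
```

The model deliberately leaves out the Infrastructure Master, since (as the post says) phantom records affect the replicated forward link, not the locally computed backlink.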
RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
you may not be using a GC query, but the directReports backlink is still read from the same link table on a DC when it is also a GC.

in your scenario, the DC used to look up the titi.com user must have been a GC and the other one a normal DC.  This has nothing to do with the domain hierarchy.

See my previous post on this topic for more details.

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

Thanks Tony !

But, I don't query the Global Catalog but the whole directory itself.
I connect the DC of the titi.com domain to see the usertiti user and I connect the 
DC of the toto.titi.com domain to see the usertoto user.

Is it so because toto.titi.com is a sub-domain of titi.com ?





RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
Tony, as just mentioned in my other post, this is not an IM topic, as this is about visibility of backlinks (which are not influenced by the IM).

Backlinks are only visible on DCs which host the naming context of the object with the forward link (i.e. for directReports this would be those which host the NC for the users who are being managed)

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 10 June 2004 13:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain


Post in haste, repent at leisure

I've said member (more than once) below when I should have said manager.

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 05:48:33 -0400


Mmmh. I believe this is where the Infrastructure Master comes into the picture.  I'm a bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to objects in other domains.  We know that member (forward) and directReports (backward) are examples of linked attributes.  We also know that only the member attribute value is replicated between GCs.  This makes sense, because when you query for the directReports the value is calculated on-the-fly.  Back to the IM.  The IM periodically updates the references (using phantom records in the directory database) and replicates any changes to DCs in its domain.  This is the process that allows you to see, e.g. local group memberships, directReports, etc. that contain values from other domains. So there will be a delay between the time that you create the forward/backward link and the time that you will be able to query the directReports value (if the values are DNs from a different domain).

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be wrong).  You may have to simply wait.  Let us know what happens.  In the meantime, some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the directReports entries from the other domain.  Of course if all the DCs in the domain are also GCs this will not be an issue.

Tony




RE: [ActiveDir] Preventing a DC from authenticating users

2004-06-10 Thread Grillenmeier, Guido
if your test clients are all win2k/xp, you could also use the
NT4emulator registry key on the server to prevent the machine from
accepting the Kerberos auth. protocol => win2k/xp clients will search
for other DCs that allow kerb.auth. (check MS Q298713)

initially the key was added to prevent the PDC overload issue during
migration, but it sounds like this would be valuable for your tests
without disturbing other things (I'm simply unsure what other things
would cease to work if netlogon is turned off - I could imagine that you
could also no longer logon via TS...?)

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, 10 June 2004 03:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

True - would work.  But, why not just shut off netlogon?  Seems to be about
the easiest way to be sure that it's not going to answer requests for authN.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, June 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

Why not create a dummy site, and move the DC into it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, June 08, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Preventing a DC from authenticating users


I want to stop a specific DC from authenticating users as part of a test.
The server also provides DNS for the clients, so I don't want to shut down
the box during the test - I just want it to be 'invisible' to clients
looking for a DC for the duration of the test (a couple of days max).

Is 'net stop netlogon' and deleting the appropriate GC and LDAP SRV records
a reasonable way to go about this? Will this prevent replication? Any other
ideas to accomplish this? Thanks!

Dave Fugleberg


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Grillenmeier, Guido
glad you got it working - how I love this magic, although at times it is difficult to 
explain to folks how certain things in AD really work...

now all that's left to do is to rename those domains ;-))

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Friday, 11 June 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

I made the DC of the domain toto.titi.com a GC and the directReports attribute of 
usertiti has been immediately correctly set ! Magic !!!

Thank you all for your help !

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Friday, 11 June 2004 09:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain


Thank you all for your responses !

If I understand correctly:

My problem is not due to the Infrastructure Master...

You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is
not a GC.
To correct my problem and see the directReports attribute of usertoto correctly set
at usertiti, I must make the DC for toto.titi.com a GC. Right ?

Solange Desseignes


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, 11 June 2004 00:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain


first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case
here for the directReports attribute = it is not a replicated attribute
at all (neither cross domain nor within the same domain), as only
forward links (here the manager attribute) get replicated between
DC/GCs.  

Instead, the backlink attributes are processed locally on each DC when
it receives the forward-link (e.g. a user object's manager attribute)
and creates the link between the two respective AD objects via an entry
in the local link table on the DC/GC.


However, the forward-link will only replicate to DCs hosting the
respective naming context. And for attributes (even forward links),
which are also in the PAS (configured to replicate to the GC), this
means that the information is also replicated to GCs from another
domain(s), hosting a read-only partition of the source domain (of an
object with a forward link). And the GCs will then again create the
respective backlink locally, when making the entry in the linktable,
even for cross-domain links.

For the given manager/directReport example this means that a user's
manager attribute is only replicated to DCs of the same domain and to
GCs in the forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports
information on a DC of a manager's domain, if this DC is not a GC. 


So here, the DC for titi.com used to lookup the directReports
attribute usertiti must have been a GC, while the DC of
toto.titi.com used to lookup the directReports attribute usertoto
must have been just a normal DC.


This is not to be confused with Phantom Records (which are updated via
the Infrastructure Master): as the directReports attribute is not the
replicated attribute, it is also not updated or replicated as a phantom
record via the IM.  
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside the own domain. As
Dean perfectly described, the IM is then responsible to sync changes to
the linked object over time (renames, deletes etc.), but it would not
update any backlinks.


As a sidenote on the replication of the manager/directReports links you
should realize that if you do leverage these across domains in a
forest and you accidentally delete a manager (with direct-reports in
various domains) whom you must then authoritatively restore in AD, the
links to the manager's directReports are NOT recovered with the
manager... (same issue as with memberships in Universal Groups or Domain
Local groups in other Domains of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain

If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal
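As an added illustration of Guido's explanation above (this is example code written for this page, not code from the thread or from Microsoft): a small Python model in which only the forward link (manager, which is in the PAS) replicates, while the backlink (directReports) is computed from each DC's local link table. It reproduces why the directReports of usertoto was missing on the non-GC toto.titi.com DC and appeared once that DC was made a GC; the DC names and the DNs are constructed for the example.

```python
# Added example (not from the thread): a model of how AD replicates a forward
# link (manager, which is in the PAS) and derives its backlink (directReports)
# locally on every DC. DNs and DC names are constructed from the thread's
# titi.com / toto.titi.com scenario.
from dataclasses import dataclass, field


def domain_of(dn: str) -> str:
    """Derive the DNS domain from a DN such as 'cn=usertoto,dc=toto,dc=titi,dc=com'."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",") if p.lower().startswith("dc="))


@dataclass
class DomainController:
    name: str
    domain: str                 # the writable domain naming context
    is_gc: bool = False
    # Forward-link values this DC has received, keyed by the linking object's DN
    # (the local link table, reduced to a dict).
    manager: dict = field(default_factory=dict)
    # Phantom records: link targets in a domain this DC does not host; on a
    # non-GC DC these are kept current by the Infrastructure Master.
    phantoms: set = field(default_factory=set)

    def hosts(self, domain: str) -> bool:
        """A DC holds a full replica of its own domain; a GC additionally holds a
        read-only partial (PAS-only) replica of every other domain in the forest."""
        return domain == self.domain or self.is_gc

    def receive_forward_link(self, user_dn: str, manager_dn: str) -> None:
        self.manager[user_dn] = manager_dn
        if not self.hosts(domain_of(manager_dn)):
            self.phantoms.add(manager_dn)

    def direct_reports(self, manager_dn: str) -> list:
        """The backlink is never replicated: it is computed from the link table,
        so it only reflects the forward links this particular DC has received."""
        return sorted(u for u, m in self.manager.items() if m == manager_dn)


class Forest:
    def __init__(self, dcs):
        self.dcs = list(dcs)

    def set_manager(self, user_dn: str, manager_dn: str) -> None:
        """Originating write of a forward link. Because manager is in the PAS it
        replicates to every DC of the user's domain and to every GC in the forest."""
        for dc in self.dcs:
            if dc.hosts(domain_of(user_dn)):
                dc.receive_forward_link(user_dn, manager_dn)

    def promote_to_gc(self, dc: DomainController) -> None:
        """Making a DC a GC pulls in the PAS replica of the other domains, so the
        cross-domain forward links arrive and the missing backlinks appear."""
        dc.is_gc = True
        dc.phantoms.clear()     # a GC holds a real (read-only) copy of every object
        for other in self.dcs:
            for user_dn, manager_dn in other.manager.items():
                if other is not dc and domain_of(user_dn) != dc.domain:
                    dc.receive_forward_link(user_dn, manager_dn)


USERTITI = "cn=usertiti,dc=titi,dc=com"
USERTOTO = "cn=usertoto,dc=toto,dc=titi,dc=com"


def build_scenario():
    """The thread's situation: the titi.com DC is a GC, the toto.titi.com DC is not."""
    dc_titi = DomainController("dc-titi", "titi.com", is_gc=True)
    dc_toto = DomainController("dc-toto", "toto.titi.com")
    forest = Forest([dc_titi, dc_toto])
    forest.set_manager(USERTITI, USERTOTO)   # usertoto manages usertiti
    forest.set_manager(USERTOTO, USERTITI)   # usertiti manages usertoto
    return forest, dc_titi, dc_toto


if __name__ == "__main__":
    forest, dc_titi, dc_toto = build_scenario()
    for dc in (dc_titi, dc_toto):
        print(f"{dc.name} (GC={dc.is_gc}): directReports of usertoto ="
              f" {dc.direct_reports(USERTOTO)}, of usertiti = {dc.direct_reports(USERTITI)}")
    forest.promote_to_gc(dc_toto)
    print(f"after promoting dc-toto to GC: {dc_toto.direct_reports(USERTOTO)}")
```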

RE: [ActiveDir] LogonServer

2004-06-14 Thread Grillenmeier, Guido
> In a site called Pune we have 2 domain controllers which are physically
> located in 2 different buildings connected by 8mbps line.

that's your problem = DCs in the same site will be treated the same -
and if both buildings are in the same subnet, then there's not much that
you can do about it (you can configure preferred DCs for the clients via
registry/GPO, but that's a pain to manage).

If the two buildings do have different subnets, then you could tune the
priorities for the service-records in DNS, but it's likely easier to
create and manage an extra site. This way you can most transparently
differentiate the two buildings and your clients will automatically
prefer the only DC in their site.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, 14 June 2004 08:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LogonServer

Hi,
we have a domain called cts.com and under this domain we have several
sites. In a site called Pune we have 2 domain controllers which are
physically located in 2 different buildings connected by 8mbps line.

Let's say ctsinpuncfaa is located in building A and ctsinpuncfcc is
located in building B. Practically, if users are sitting in building B
then ctsinpuncfcc should authenticate them. But some of the desktops are going
to ctsinpuncfaa and some to out-of-site domain controllers.

(from the LOGONSERVER environment variable we are getting this information)

How can I restrict users from Building B to get authentication from the
building B DC only? Which DC server settings decide this factor?

Any help will be appreciated.

Regards,
Dinesh 




RE: [ActiveDir] LogonServer

2004-06-14 Thread Grillenmeier, Guido
you can't change anything in the site-configuration itself (a site is
meant to treat every DC basically the same way).  

What are your reasons for not wanting to change the site config (i.e.
adding another site) - other than not having the permissions to do so?
The other options tend to bite you later.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: Monday, 14 June 2004 09:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LogonServer

Hi Guido,
Thanks for the reply, here are a few more inputs.
Both these DCs are in different subnets and I really don't want to
change any property of other sites.

Is there anything I can change in PUNE site ?

-dinesh




RE: [ActiveDir] SID question

2004-06-14 Thread Grillenmeier, Guido



how about first _MOVING_ the accounts from the child domain 
to the root domain (can be done via ADMT or the movetree command) - then update 
these from your LDAP source afterwards.

= user will keep GUID and UG/DLG memberships and will be dropped from GGs
= user will keep same PW and other attributes (does not require PES)
= user will get a new SID, and the old SID will be added to the SIDhistory of the user
= local user profiles on Win2k/XP clients usually continue to work for the users (via GUID referrals), but not for NT4 (which only relies on SID to resolve profile path)
/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Monday, 14 June 2004 22:02
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID question

Can a SID be "copied" from one account to another between domains in the same forest? The
scenario is this: account is migrated using ADMT from NT4 domain into child
domain in 2003 forest. An account with the same username is going to be copied
into the root from an external LDAP source. One of the higher ups here wants to
have the account in the root domain be what the user uses. So, he wants to know
if the SID can be "copied" from the account in the child OU, and then have the
child OU account deleted. I'm thinking no, but I wanted to make sure before
telling him that.

Thanks in advance.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477



RE: [ActiveDir] Replication problem related to large groups.

2004-06-15 Thread Grillenmeier, Guido



not bad, especially since AD prior to 2003 (at 2003 forest
functional level, which activates LVR - link value replication) only
supports roughly 5,000 members to a group, due to these version store
limitations... I doubt you can increase the storage for the version store,
but an interim solution would be to split your users into multiple groups and
nest them - then, after you've increased the FFL to 2003, re-add all of them to
the original group but don't add more than 5,000 at a time. LVR no longer
has a group-size limitation, but still has the version store limitation for the
changes.

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 15 June 2004 19:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replication problem related to large groups.

 
Right now in our Active Directory environment we have 2 groups with 80,000 people or so. I
know that this is bad and we are working to fix it. Replication was
working before we tried to promote three DCs to W2K3. Now after the
promotion, we are getting errors with the Event ID: 623. I think the
replication of the large groups is the long-running transaction. Would it
help if the version store max size was larger, and if so how do I increase
it? Below is the Event Log entry I get.


NTDS (576) NTDSA: The version store for this instance (0) has 
reached its maximum size of 104Mb. It is likely that a long-running transaction 
is preventing cleanup of the version store and causing it to build up in size. 
Updates will be rejected until the long-running transaction has been completely 
committed or rolled back. 
Possible long-running transaction: 
SessionId: 0x00B705A0 
Session-context: 0x 
Session-context ThreadId: 0x0A78 
Cleanup: 1



RE: [ActiveDir] When a domain is Switch to Native Mode... what event Event ID is logged and where?

2004-06-16 Thread Grillenmeier, Guido
Todd, you'll find out when you switch your domains  ;-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, 16 June 2004 20:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] When a domain is Switch to Native Mode... what event Event ID is logged and where?

Does anyone have this information handy?

I am researching it now...

Thanks,

Todd


RE: [ActiveDir] User Icons

2004-06-21 Thread Grillenmeier, Guido
this can also be a phantom object from a foreign domain in a domain
local group or UG on a DC (not a GC), which has changed its name in the
original domain, but wasn't yet updated in the domain by the
infrastructure master.

or it could just be a very old user account ;-))

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 21 June 2004 20:45
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User Icons

It simply means that the GUI didn't look that user's specific object up to
verify its class. It is simply displaying an icon, it has no impact on the
environment. If you have less than 500 users in the group however, it could
indicate an issue with your GCs in that the object couldn't be looked up
properly.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Monday, June 21, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User Icons

The whole user icon is dimmed or gray and other users in the same group
are not dimmed or gray.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, June 21, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] User Icons





Hey Debbie,

take a look here

http://support.microsoft.com/default.aspx?scid=kb;en-us;281923





From: Ellis, Debbie [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/21/2004 12:55 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] User Icons





I am looking at group memberships in various groups in my AD structure and
notice some user icons are dim or gray looking. What does this mean?

Debbie Ellis
Systems Administrator
Viasat, Inc.
4356 Communications Drive
Norcross, GA   30093
678-924-2591



RE: [ActiveDir] Moving FSMO RH to another site

2004-06-22 Thread Grillenmeier, Guido



there's no problem moving the FSMO roles to your DC in A in 
a working environment - no need to move the hardware, unless you have other 
requirements to do so. You can easily move the roles via NTDSutil or via 
various UIs (ADUC, AD Domains & Trusts, Schema Manager) if you prefer.

_should_ you move the roles to site A? Depends if you 
will have IP connectivity from Site C to B or not - if not, you _have_ to move 
them, as the DCs in C will at least need to reach the RID master. 
If you do have connectivity, your motivations for moving the roles may simply be 
less dependency on the nw link between A + B.

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Travis Riddle
Sent: Tuesday, 22 June 2004 22:47
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Moving FSMO RH to another site


I was wondering if anyone had any experience/advice that they would be kind
enough to share.

Our current environment includes 2 sites. Let's call them Site A and Site B.
We will be adding Site C soon.

Site B has the first DC/GC and FSMO RH along with our first exchange server
and a second DC/GC. Site A has a GC and exchange server. Site C will have a
GC along with an Exchange server as well. We will also be setting up a
front-end Exchange server at Site A.

We have network connections from Site A to B and A to C, but not from B to C.
The reason for this is there is a point to point from Site A to B, and A to C
has a VPN connection. You might think that we could just add another internet
connection and just VPN all around, but current location limits that
possibility. What we have is currently what we get.

Since Site A will be the main hub I thought that we should probably move the
FSMO RH to Site A for replication purposes. Am I justified in my thinking?
Will this even make a difference? Are we asking for more trouble than it is
worth? Will I run into any problems moving the server from one site to the
other (both in AD and physically obviously)?

Please let me know and thank you for your time,

Travis


RE: [ActiveDir] AD Monthly E-Mail Newletter?

2004-06-22 Thread Grillenmeier, Guido
hey Robbie - you're still alive!  Good to read you ;-)

nice blog - cheers,
Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Tuesday, 22 June 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Monthly E-Mail Newletter?

On a similar note, if you are interested in the latest industry news on AD
and directory services, the latest AD-related downloads from MS, and don't
mind some general observations from me, you might want to check out my
Active Directory blog:

http://www.rallenhome.com/blog/adcookbook/

Robbie Allen


  -- Original Message --
  From: [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Mon, 21 Jun 2004 18:32:01 +1000
 
 
  Jackson - ditto with the other e-mails that have been doing the rounds.
  Like Guido said it would be great if it was an honest newsletter with
  some handy points on some of the problems that are out there ... And not
  just a sales pitch.
 
  Regards, Andrew
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jackson Shaw
  Sent: Saturday, June 19, 2004 4:55 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD Monthly E-Mail Newletter?
 
 
  I've been doing focus groups with mid-market customers (avg ~100-500
  employees) over the last few days and have both learned a lot about
  their pains and where they get information about Active Directory.
 
  A number of customers suggested that we consider a monthly AD-focused
  newsletter where we could inform recipients of new AD content, case
  studies and perhaps give the opportunity to well known industry folks to
  provide a short column. The newsletter would focus on how customers
  solve particular pains using AD or other technologies that leverage AD
  like Exchange, MIIS, etc. Or, maybe it is a web site with an RSS feed.
 
  There is no way that such a newsletter could replace a community like
  the one associated with this mailing list but I do believe it could
  serve the purpose of highlighting AD and informing customers -
  especially smaller customers & consultants - about new developments
  around AD.
 
  My question to this group is: How useful do you think such a newsletter
  would be to you or your customers? Last thing I want to do is create
  more spam for anyone's Inbox. Thoughts?
 
  Feel free to reply directly to me, if you'd like.
 
  Best,
 
  Jackson Shaw
  Product Manager, Directory Services
  [EMAIL PROTECTED]
 


RE: [ActiveDir] Windows 9x Clients

2004-06-25 Thread Grillenmeier, Guido
domain mode (mixed or native) has nothing to do with it.  This is often
confused: the domain mode (or in 2003: domain and forest functional
level) only determines which type of DCs are allowed to be used in a
domain - this then determines the features available in the domain (e.g.
an NT4 DC cannot work with Universal Security Groups, or a 2000 DC has
no clue what Link Value Replication is, etc.).

However, a mode change does NOT change the protocols available for
clients/users to authenticate.  So if you can authenticate in mixed
mode, you can also authenticate in native mode.

Realize that there are other settings, which may prevent a Win9x client
from logging onto a 2003 domain = by default 2003 domains require SMB
signing and secure channel encryption, which is not supported by the
legacy clients until you add the AD DS clients to them... (or turn off
the new security requirements in the DC policy, which is NOT the
recommended way).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, 25 June 2004 02:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 9x Clients
Sensitivity: Private

Yes.  We have clients that do it all the time.  Win2K native mode
and we did not use the AD client.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Thursday, June 24, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 9x Clients
Sensitivity: Private

I am going to ask a really stupid question so bear with me.  I want to
confirm because I am getting the opposite information from my coworker - can
windows 9x and NT clients authenticate against an AD DC in native mode
without the ADCE client installed? (I know that you will be authenticating
in ntlm v1 without adce though)

Thanks!

Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA  18915



RE: [ActiveDir] Enterprise Admin members

2004-06-25 Thread Grillenmeier, Guido
some more

5. trigger replication of config/schema partition between DCs of
different domains
6. trigger replication of domain partition to GCs of other domains
7. manage replication topology at the forest level
8. create child domains
9. add any new objects to the config container (e.g. for special
applications)
10. restore any cross-domain links (such as group-memberships) in a
recovery scenario
11. ability to manage all objects (e.g. users, groups etc.) in any
domain
12. ability to locally logon or TS to any DC in the forest
13. managing Application Partitions

there should be no service accounts that require membership in EA to do
their work. Unless you have an app that performs any of the listed
activities in an automated fashion, which isn't what I'd recommend to do
(i.e. if you're auto-creating sites + subnets, then it would be
worthwhile to delegate this to a special group and make the service
account a member of this group).

rgd. your approach to leave the EA group empty until required: this is
an approach I definitely recommend for the Schema Admin group, as its
permissions are very limited in scope and are not required very often.
Doing the same thing with EA really depends on how you currently manage
AD and how willing you are to adjust some of the default security to
delegate the required permissions for the most frequent of the tasks
listed (e.g. 1,5,6,11,12).

Also realize, if you would do the latter (delegate permissions for some
of the most frequent tasks where EA is required), then you're basically
introducing another group with great power over your forest, which may
not be as well protected as the EA itself.  And if you don't delegate
these tasks, then I'm afraid you'll find yourself adding a user to EA
very often. Maybe too often for comfort; maybe up to a level of certain
frustration...

Lastly, every Domain Admin is basically an Enterprise Admin (or could
become one, no matter which domain in the forest - should be clear what
I mean).  So whatever you do, keep the members in DA restricted to the
same bare-minimum possible as your EA members.


/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, 25 June 2004 17:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enterprise Admin members

Anything that goes outside the scope of a domain
1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites

Of course, the above tasks could be delegated

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 25, 2004 8:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enterprise Admin members

I'm after a list of tasks that can only be performed by an Enterprise
Administrator and not by a domain admin in the forest root, e.g. authorise
a DHCP server.

In general terms, what does everyone do with their Enterprise Admin
membership? I'm wondering if it should have any members at all on a
day-to-day basis and users only added temporarily when an Enterprise
Admin task crops up, what do you all think?

Also, is anyone aware of any application service accounts that require
Enterprise Admin rights?


RE: [ActiveDir] How to change the computer name of a Domain contr oller

2004-06-27 Thread Grillenmeier, Guido



there is an important difference between 2000 and 2003: 
true, in 2000 demoting, renaming and then re-promoting the DC was the only 
way to change the hostname of the DC (lengthy and bandwidth intensive 
procedure requiring 3 reboots).

But in 2003 (once your DOMAIN is at 2003 functional level), 
you have a new DC rename feature: you can configure multiple hostnames for any 
given DC (which will also register appropriately in DNS), set the new name as 
primary name and remove the old name. The various steps are best 
performed via the cmd "Netdom.exe COMPUTERNAME ...". This procedure has 
minimal impact on replication and availability of the DC and only the last 
step requires a reboot of the machine.

This is not to be confused with the Domain Rename feature, 
also available with Win2k3 (available at 2003 FOREST functional 
level).

/Guido
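
The netdom computername sequence the reply describes, as an added PowerShell example that is not from the original post; the old and new FQDNs are placeholders, and the domain functional level check assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post: rename a domain controller with
# "netdom computername", the procedure described in the reply above.
# Assumes the ActiveDirectory PowerShell module, a Domain Admin session on
# the DC itself, and placeholder names.
Import-Module ActiveDirectory

$OldName = 'dc01.corp.example'      # current FQDN of the DC (placeholder)
$NewName = 'dc-hq-01.corp.example'  # name it should end up with (placeholder)

function Invoke-NetdomComputerName {
    # netdom reports failure through its exit code; stop on the first error
    # rather than continuing with a half-renamed DC
    param([string[]]$Arguments)
    & netdom.exe computername @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netdom computername $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Assert-DcRenameCapable {
    # DC rename needs Windows Server 2003 DOMAIN functional level; the reply's
    # point is that this is a domain-level, not a forest-level, requirement
    # (forest level is what Domain Rename needs).
    $mode = (Get-ADDomain).DomainMode
    if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain) {
        throw "Domain functional level is '$mode'; DC rename needs Windows Server 2003 or higher."
    }
}

# ---- Stage 1: run before the reboot ---------------------------------------
function Start-DcRename {
    Assert-DcRenameCapable

    # Add the new name as an alternate computer name.  This registers the extra
    # DNS records and the additional SPNs on the DC's computer object while the
    # old name keeps working, so there is no availability impact yet.
    Invoke-NetdomComputerName @($OldName, "/add:$NewName")

    # /enumerate lists every name the DC currently answers to, /verify checks
    # that DNS and the SPNs for each of them are in place.  Let the alternate
    # name replicate to all DCs before making it primary.
    Invoke-NetdomComputerName @($OldName, '/enumerate')
    Invoke-NetdomComputerName @($OldName, '/verify')
    Read-Host 'Confirm the alternate name has replicated (repadmin /showrepl), then press Enter'

    # Making the new name primary is the only step that requires a reboot.
    Invoke-NetdomComputerName @($OldName, "/makeprimary:$NewName")
    Restart-Computer -Confirm
}

# ---- Stage 2: run after the reboot, under the new name --------------------
function Complete-DcRename {
    # Drop the old name so its DNS records and SPNs are cleaned up, then
    # verify the DC is consistent under the new name only.
    Invoke-NetdomComputerName @($NewName, "/remove:$OldName")
    Invoke-NetdomComputerName @($NewName, '/verify')
}

# Usage: Start-DcRename, reboot, then Complete-DcRename
```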


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Sunday, 27 June 2004 20:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to change the computer name of a Domain controller

Well, 
technically you can...but it involves DCPROMOing the DC down and then re-naming 
it, and then DCPROMOing it back up. If this is the only DC in your forest, 
you're effectively rebuilding your forest.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Sunday, June 27, 2004 1:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] How to change the computer name of a Domain controller

  You cannot change the HOSTNAME of DC on Windows 2000 Server.
  You can only change DOMAIN NAME in Windows 2003.

  Hope this helps!
  Cheers,
  Athif
  

-Original Message-
From: Manbinder Pal Singh [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 27, 2004 9:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to change the computer name of a Domain controller

How to change the computer name of a Domain controller? Is it possible to
change? If yes then is there any tool or step by step guide to do that? Is
the process different if DC is on w2k or w2k3?
Thank You Manbinder


RE: [ActiveDir] Outlook 2003 attachment blocking

2004-06-28 Thread Grillenmeier, Guido



you might appreciate this little Outlook Attachment Options 
tool:
http://www.pcworld.co.nz/PCWorld/fileworld.nsf/0/1FEB65E47ADDAF37CC256DFE0078B067?OpenDocument

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday, 28 June 2004 06:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Outlook 2003 attachment blocking


Hi,

I have this problem.

Recently we have upgraded Microsoft Outlook 2000 client to Outlook
2003.

Our production need to send the file attachment with the name $$$. But due
to outlook local security policy, the recipient is not able to open the sent
attachment.

I have already tried to disable the Level 1 and Level 2 option
recommended by Microsoft knowledge base but no successful results.


If you have any idea how to disable these file attachment security in outlook
2003 then please help me.


Thanks in advance.

Manjeet
System admins
Innodata India Pvt Ltd.








RE: [ActiveDir] 2 NT4.0 domains to a Forrest

2004-07-09 Thread Grillenmeier, Guido




Only 5 user accounts exist and these have 
full admin rights. These accounts are required to start the SAP 
applications and are contained within the SAP app. for its built in 
security.

why in the world would you want to setup a separate
domain to manage a different PW policy for your 5 user-accounts in SAP?


You might have had good reasons to implement a separate
NT4 domain in the past, but it was more likely to ensure restricted access to
your SAP servers - i.e. you didn't want other domain admins from your
User-Domain to touch the SAP boxes... - right?


In that case, I would ask myself:

1. who will have administrative access to my
"User"-AD domain in the future?
= since you can delegate almost anything, you can
restrict your domain admins in your upgraded Users Domain to the bare
minimum
= you should plan the delegation setup right from
the start (even when doing an in-place upgrade)

2. are the domain admins of the User-Domains (the ones
that are left after you've configured delegation of the AD data-mgmt)
trustworthy to manage the SAP accounts & servers?
= if these domain admins are the same that manage
your SAP environment, then you can simply give up the SAP domain and migrate the
SAP servers over to a protected OU in the Users domain - absolutely no need to
create a separate child-domain or domain-tree... Just because you won't be
able to set a different PW policy, doesn't mean you can't configure the SAP
accounts with 15 char complex-passwords... - it's up to you to make the
environment secure.
= you will then save the costs of maintaining a
completely separate domain and all the hassles involved with a multi-domain
forest infrastructure. No reason to plan a complex environment, if you
don't require it.

= however, if you're talking about a situation,
where the user domain admins can't be trusted by the folks responsible for SAP,
then stick to a separate forest, which will be the only way to isolate the two
securely. (Robbie Allen would have updated these details in the second
edition of this really great book - but the first edition doesn't mention the
security boundary topic.)


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, 9 July 2004 15:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

ah, okay. I have just bought a book called Windows
2000 Active Directory by Alistair G. Lowe-Norris on O'Reilly press. I will
get my head around all this once I have digested that book I guess. I have
been on the ADS course, but it was a long time ago and we all know that
experience comes with practice!

thanks guys.

Ad


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: 09 July 2004 14:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest

A 
child domain won't inherit the parent domain's password policy. In fact, 
different security requirements are one of the primary reasons we are sometimes 
forced to go with another domain.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
  Sent: Friday, July 09, 2004 8:01 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest
  I guessed I got confused then!
  
  As I understand it I don't want SAP to be a child of 
  users as I don't want it to inherit any domain security polices like password 
  expiration etc. I get what you are saying with the child domain now 
  though.
  
  Ad
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 09 July 2004 13:20
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest
  
  Define what you mean by
  
  want the SAP domain to have a separate 
  security policy than the users domain.
  
  Using multiple trees in a single forest
  will not buy you anything that you don't get with a child domain in terms of
  security.
  
  
  You 
  have domains which are policy boundaries and you have a forest which is a 
  security boundary. Domain trees offer no other bounding other than name space 
  and as I mentioned previously that bounding tends to cause 
  confusion.
  
  
   joe
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
  Sent: Friday, July 09, 2004 7:20 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2 NT4.0 domains to a Forrest
  
  Hi Joe,
  
  Thanks for your detailed email.
  
  I want the SAP domain to have a separate security policy 
  than the users domain. 
  
  So I think I am going to go down to the two tree domain 
  road.
  
  So within my forest I have two tree 
  domains.
  
   
            o
           / \
          /   \
         /     \
  users.dom - sap.dom

  So therefore, between these two domains exists an automatic tree trust
  relationship, which means that any resource in the users domain can be
  accessed no problem from within the sap domain.
  
  In 

RE: [ActiveDir] Authoritative Restores

2004-07-09 Thread Grillenmeier, Guido
nope that's wrong - it is absolutely no problem to do an Auth Restore of
an object, without first doing a non-auth restore (e.g. from tape).

the challenge is to have a valid object in the database you're trying to
do the auth restore against... - i.e. you'll need to be sure, that the
respective DC hasn't first replicated the tombstone record, which was
created when the object was deleted on a different DC.  You'll then
first boot into DSRM mode and can then do an Auth Restore on the
respective object (I would definitely just choose to restore the object
or subtree and NOT the whole database!)


Simon's method to take a DC offline would work just fine - however, it's
rather clumsy and error-prone. Especially if you forget to take it
on-line again within 60 days...  

All you need to do is to ensure that it doesn't replicate the tombstone
objects - this can be achieved quite well via lag-sites - i.e. site in
which your special backup DC resides, which only replicates once a day
or so.  You should also configure the DNS records this DC registers in
DNS, as you don't want it to register some of the generic records that
allow clients to find this DC for logon etc.

/Guido
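
The lag site and the DNS registration restriction the reply describes, as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module, placeholder site, subnet and DC names, and the Netlogon DnsAvoidRegisterRecords registry value, which is Microsoft's documented way to keep a DC from registering selected locator records.

```powershell
# Added example, not from the original post: isolate a "backup" DC in a lag
# site that only receives replication once a day, and stop it registering the
# generic (non-site) DC locator records so clients do not pick it for logon.
# Names and the subnet are placeholders.
Import-Module ActiveDirectory

$LagDc     = 'dc-lag-01'                # the DC that should lag (placeholder)
$LagSite   = 'Lag-Site'                 # placeholder site name
$HubSite   = 'Default-First-Site-Name'  # site it will replicate with
$LagSubnet = '10.99.0.0/24'             # placeholder subnet; only the lag DC lives here

# 1. Dedicated site and subnet: nothing else should be located in this site,
#    so no client is ever "closest" to the lag DC.
New-ADReplicationSite   -Name $LagSite
New-ADReplicationSubnet -Name $LagSubnet -Site $LagSite

# 2. One site link, replicating every 1440 minutes (once a day).  A single
#    expensive link gives the KCC no faster path.  A longer lag is possible,
#    but it must stay well inside the tombstone lifetime (60 days on this
#    page) or the lag DC drops out of replication entirely.
New-ADReplicationSiteLink -Name "$HubSite-$LagSite" `
    -SitesIncluded $HubSite, $LagSite `
    -InterSiteTransportProtocol IP `
    -Cost 500 `
    -ReplicationFrequencyInMinutes 1440

# 3. Move the DC into the lag site.
Move-ADDirectoryServer -Identity $LagDc -Site $LagSite

# 4. Suppress the site-independent locator records.  DnsAvoidRegisterRecords
#    is a REG_MULTI_SZ of Netlogon record mnemonics; the ones below are the
#    domain-wide LDAP/KDC/GC entries any client in the forest could resolve to
#    this DC.  The *AtSite records are left alone; no client subnet maps to
#    the lag site, so they are harmless.
$mnemonics = @(
    'Ldap', 'LdapIpAddress',            # _ldap._tcp.<domain> and the domain A record
    'Gc', 'GcIpAddress', 'GenericGc',   # global catalog records
    'Kdc', 'Rfc1510Kdc', 'Rfc1510UdpKdc',
    'Dc'                                # _ldap._tcp.dc._msdcs.<domain>
)
Invoke-Command -ComputerName $LagDc -ScriptBlock {
    param([string[]]$Avoid)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords' -Value $Avoid -Type MultiString
    # Netlogon reads the value at start-up; confirm afterwards with nslookup
    # that the generic SRV records no longer list this DC.
    Restart-Service Netlogon
} -ArgumentList (, $mnemonics)

# Check: the lag DC should show a single inbound connection, from the hub site.
Get-ADReplicationConnection -Server $LagDc -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer
```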


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Wednesday, 7 July 2004 06:24
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

Let me clarify one more time, because I don't think I was clear before.

When I say that you can't do an authoritative restore without first
doing a non-authoritative restore, I mean that you can't simply go to
Directory Services Restore Mode, go to NTDSUTIL and select
'Authoritative Restore' and enter a DN and expect it to re-appear.  You
have to first restore the SystemState before running NTDSUTIL.

And again, I'm only going from personal experience.  If there's a way to
do this, then please let me know.  Because I agree that it would be nice
to simply enter a DN within NTDSUTIL and have a deleted object
re-appear.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve Patrick
Sent: Tuesday, July 06, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authoritative Restores


I may be a bit off here but wanted to comment.

1. You can do an Auth restore without a non-auth restore in Simon's
scenario.
2. If this is Win2k3 you could optionally re-animate the object from the
deleted items, and we retain the SID as well as a few other key (relative)
attributes (such as last parent)
3. I don't really see the value of the plan here, as if you KNOW you are
going to delete an object that you should not delete (since you had the
foresight to replicate and take a DC offline) then why bother with this? It
doesn't seem feasible to take this DC offline for every change operation in
your domain. Best practices should be a proper backup schedule IMHO

my .02

-steve

- Original Message - 
From: Rachui, Scott [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 7:22 AM
Subject: RE: [ActiveDir] Authoritative Restores


I'm re-sending what I sent out last night, because it looks like it wasn't
noticed.  Here is the answer to your question:

It's not possible to do an authoritative restore without first doing a
non-authoritative restore.

The process of an authoritative restore is simply marking a portion of the
restored directory so that it's not overwritten by the backfill process. It
does this by increasing the version of the objects that will be
authoritatively restored.  If you don't first run a non-authoritative
restore, there is nothing to mark authoritative.

And, from your description, it sounds like you are planning to
authoritatively restore the entire directory, thus catching the one user
that was deleted.  Since you have to do an authoritative restore only after
a non-authoritative restore, what you're suggesting will roll back the
directory to the point of the last backup.

If you want to backup your directory on a DC, and then bring it offline
prior to deleting a single user account, that's fine.  But if that user
account is to be restored, you'll have to run a non-authoritative restore
first.  And if you select the entire directory of the offline DC to be
authoritative, you'll not only be grabbing the account you want to restore,
but you'll be rolling back the entire directory (and every change made in
the directory) to the state of the last backup.

This is why AD allows you to specify the OU or CN that you want to
restore...so you don't un-do all of the other changes in the directory since
the last backup.  Only the ones that you genuinely want to un-do.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores


 This is how I would usually do it but I have a customer who wants to
do
 the DC 

RE: [ActiveDir] Authoritative Restores

2004-07-09 Thread Grillenmeier, Guido
I didn't yet do a comprehensive check against every possible attribute,
however I do know that you can't include back-linked attributes in the
tombstone (e.g. memberOf).  This mainly causes issues for multi-domain
environments and even single-domain, if Win2000 AD.  Likely there are
also some Exchange related attributes that you can't include in the
tombstone object, but I've yet to run through all those tests.

However, you'll definitely want to adjust the searchFlags of the
Password and SIDhistory attributes so that these are included in the
tombstones, since you can't recover these via normal methods when using
the tombstone-reanimation approach.  Most of the other stuff can be
re-gained from a dump of the user-data into some other store.

Of course, when you do the normal Auth restore, you don't have to worry
to adjust the search-flags, as you'll get the full object back - except
for the links to objects in other domains (e.g. group-memberships)

/Guido
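
Setting the preserve-on-delete searchFlags bit (0x8) that this thread discusses, as an added PowerShell example that is not from the original post; it assumes the ActiveDirectory module, runs for sIDHistory only, and stays in -WhatIf mode until the switch is dropped.

```powershell
# Added example, not from the original post: set searchFlags bit 0x8
# (preserve on delete) on a schema attribute so its value is kept in the
# tombstone, as the thread describes for sIDHistory.  A schema change is
# forest-wide: run as a Schema Admin, and in a lab first.
Import-Module ActiveDirectory

$PRESERVE_ON_DELETE = 0x8   # the searchFlags bit named later in the thread

function Set-PreserveOnDelete {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [switch]$WhatIf
    )
    # Schema writes must go to the schema master, not the nearest DC.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, linkID
    if (-not $attr) { throw "No attributeSchema object for '$LdapDisplayName'" }

    # The reply's caveat: back links (odd linkID, e.g. memberOf) are computed
    # from the forward link on the other object and cannot be kept in a
    # tombstone, so setting the bit on them achieves nothing.
    if ($attr.linkID -and ($attr.linkID % 2 -eq 1)) {
        throw "'$LdapDisplayName' is a back link (linkID $($attr.linkID)); it cannot be preserved."
    }

    $current = [int]$attr.searchFlags
    if ($current -band $PRESERVE_ON_DELETE) {
        Write-Host ("{0}: bit already set (searchFlags=0x{1:x})" -f $LdapDisplayName, $current)
        return $current
    }

    $new = $current -bor $PRESERVE_ON_DELETE
    Write-Host ("{0}: searchFlags 0x{1:x} -> 0x{2:x}" -f $LdapDisplayName, $current, $new)
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $new } -WhatIf:$WhatIf
    return $new
}

# Dry run for the attribute the reply singles out; drop -WhatIf to apply.
Set-PreserveOnDelete -LdapDisplayName 'sIDHistory' -WhatIf

# Expect NTDS.DIT to grow somewhat (the point raised later in the thread):
# every tombstone now carries the extra values until garbage collection.
```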

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 9 July 2004 04:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

The page I know about at MS is

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/characteristics_of_attributes.asp

It tells you what the search flags are but doesn't talk about how to update
the schema, but there are lots of other papers on doing that. It isn't
rocket science, just scary. :o)

Again, it is known that not all things will be retained even if you do this.
What that list is, I don't think it is published unless Guido did a
comprehensive check and published it. This is one of those things that MS
should publish but doesn't because there are probably only 3 people that
actually know and no one wants to piss those three off by making them write
public docs. :o) So instead you will do it, find something that doesn't
work, complain to MS and the answer will come back, of course that doesn't
work you silly... MS is big on the we can't tell you what you could do wrong
but will let you know when we see it philosophy.

Anyway, the procedure to undelete the object can be found at

http://support.microsoft.com/?kbid=840001

In the section called How to manually undelete objects in a deleted
object's container. Of course it is a bit easier to use my command line
ADMOD tool to do the undelete and it will support undeleting masses of
objects just as easily as one object.

  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, July 07, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

 I seem to remember that I talked with Microsoft Support about this awhile
 back, and they indicated there was a way to force deleted objects to
 retain additional attributes than those retained by default.

0x8 in searchFlags on the attribute in question in the schema.
This is a forest-wide setting as it is a schema mod.
I'm sure searching the website for something like 8  schema  tombstone
would yield a document that walks you through this if you'd like to try it
in the lab.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Tuesday, July 06, 2004 11:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

I seem to remember that I talked with Microsoft Support about this awhile
back, and they indicated there was a way to force deleted objects to retain
additional attributes than those retained by default.  Of course, this could
result in a larger database since more data is retained.  It would probably
be something I'd want to test before implementing.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, July 06, 2004 4:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Restores


Last I checked, the reanimate ability doesn't retain enough information to
make this useful in all situations; if anyone can correct that information
I'd be obliged (for ref:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/restoring_deleted_objects.asp?frame=true).
Fine for some situations and possibly the one that Simon originally
mentioned, but there are going to be many situations where that's not enough
and it would be faster/easier to have a DC that doesn't replicate as often
or that goes off-line on a regular basis.


There was a discussion about this a while back on this list.  Here's a link
to a similar thread and there's a link in there to Guido's doc at Aelita.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg14517.html


Al Mulnick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Tuesday, July 06, 2004 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authoritative Restores

I may be a bit off 

RE: [ActiveDir] Exporting Workstation Information

2004-07-09 Thread Grillenmeier, Guido
 What specifically?  

e.g. the capability to update existing objects in AD...
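
The update capability just mentioned, as an added PowerShell example that is not from the original post: export workstations with both tools, then push a bulk change back with an LDIF changetype: modify file, which is the import csvde cannot do. Server, base DN and the inventory tag values are placeholders.

```powershell
# Added example, not from the original post: export workstation objects with
# csvde and ldifde, then use what only ldifde offers, an import of
# "changetype: modify" records, to update the exported objects in bulk.
# Server, base DN and the tag values are placeholders.
$Server = 'dc01.corp.example'                    # placeholder DC
$Base   = 'OU=Workstations,DC=corp,DC=example'   # placeholder search base
$Filter = '(&(objectCategory=computer)(operatingSystem=Windows XP*))'
$Attrs  = 'name,dNSHostName,operatingSystem,operatingSystemServicePack,description'

# 1. Export.  csvde gives a spreadsheet-friendly file; ldifde gives LDIF.
#    Same switches on both: -s server, -d base DN, -p scope, -r LDAP filter,
#    -l attribute list, -f output file.
csvde  -s $Server -f ws.csv -d $Base -p subtree -r $Filter -l $Attrs
if ($LASTEXITCODE -ne 0) { throw "csvde export failed ($LASTEXITCODE)" }
ldifde -s $Server -f ws.ldf -d $Base -p subtree -r $Filter -l $Attrs
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed ($LASTEXITCODE)" }

# 2. Decide on the change.  The CSV is the easy one to process in a script
#    or a database; here every workstation gets a constructed inventory tag.
$tags = @{}
Import-Csv ws.csv | ForEach-Object {
    $tags[$_.DN] = "INV-$($_.name.ToUpper())"   # constructed sample value
}

# 3. Write LDIF modify records.  csvde -i can only create new objects and
#    fails on a DN that already exists; ldifde -i applies changetype: modify,
#    so this is the route for bulk updates of existing objects.
$ldif = foreach ($dn in $tags.Keys) {
    "dn: $dn"
    'changetype: modify'
    'replace: description'
    "description: $($tags[$dn])"
    '-'
    ''
}
# Unicode output keeps non-ASCII DNs intact; -u tells ldifde to expect it.
$ldif | Set-Content -Path ws-update.ldf -Encoding Unicode

# 4. Import the changes; -j . writes ldif.log and ldif.err to the current dir.
ldifde -i -u -s $Server -f ws-update.ldf -j .
if ($LASTEXITCODE -ne 0) { throw 'ldifde import failed, see ldif.err' }

# 5. Spot-check the result (assumes the ActiveDirectory module is available).
Import-Module ActiveDirectory
Get-ADComputer -Server $Server -SearchBase $Base -LDAPFilter $Filter -Properties description |
    Select-Object Name, description -First 5
```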


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 9 July 2004 04:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exporting Workstation Information

 Microsoft has stated that their direction is to move toward LDIF formats
 rather than CSV formats.

Anything you can point at to substantiate this comment?


 For this reason, LDIFDE has more functionality than CSVDE.

What specifically?



I agree that people should be familiar with the LDIF format but if the goal
is to get the data into a format to be imported into some other database or
run some basic scripts across it CSV is far more friendly for those
purposes.


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Tuesday, July 06, 2004 12:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exporting Workstation Information

One point about using CSVDE is that Microsoft has stated that their
direction is to move toward LDIF formats rather than CSV formats.  This is
because LDIF is the standard for directories, and they're trying to be in
compliance with the larger directory community of which Active Directory is
now a part.

For this reason, LDIFDE has more functionality than CSVDE.  I would highly
encourage anyone to become familiar with the LDIF format, and the LDIFDE
tool specifically.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Monday, July 05, 2004 6:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exporting Workstation Information


Csvde does though...

Rob

-Original Message-
From: Sean Johnson [mailto:[EMAIL PROTECTED]
Sent: 05 July 2004 12:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Exporting Workstation Information


I would recommend using the ldifde utility. It doesn't put the data into
CSV, but it is in a text file format, and quite easy to parse.

You might also want to look at this link:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASPNoWebContent=1



RE: [ActiveDir] 2003 DC Promo Question....

2004-07-09 Thread Grillenmeier, Guido
I can confirm that you have to transfer the role manually - 2003 won't
try to do this by itself.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 9 July 2004 16:32
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hmmm ... re: If you do an OS Upgrade from 2K to K3 on a Domain Controller I
believe it will pull the PDC functionality to it; nothing I've witnessed
would seem to back that up.  In the event I'm just a bad witness or someone
with the retention of a Gold Fish and they do indeed do that, it's just
plain wrong, wrong, wrong.  PDC physical placement is important in certain
scenarios, to arbitrarily move the role during an upgrade process could have
significant security implications.

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 9:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hey Todd. 

If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it
will pull the PDC functionality to it. If you DCPROMO in a fresh K3 it will
not pull the role from what I have seen with the domains I have been
involved with. Personally though, I am not into upgrades of OSes, much
rather wipe and reload. A brilliant friend of mine once came up with a
method for us to do that remotely that we used for NT4 to 2K. We would shoot
the load down to the machine, then fire up a script that would look at some
config info and store it, then boot into Win98 and slam the load down on the
machine and reconfigure it when it finished rebuilding.

While you should move those roles I don't believe there is an absolute
requirement EXCEPT for the Domain Naming role which may be needed for
setting up DNS App partitions. The PDC role should be moved just so that it
can create the new security principals that K3 has that are already ACLed on
your directory (look at the dsacls output of your domain after the domain
prep and you will see unresolved SIDS), however I do not believe there is a
requirement to keep it there or in fact do it at all. I am sure if I am
wrong ~Eric will chime in or someone else will say something though I am
surprised I see no responses to this post and it was sent a couple of weeks
ago...

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Thursday, June 24, 2004 9:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 DC Promo Question


Greetings,

I have a Windows 2000 forest that has been Forest Prepped and had the root
domain of the forest domain prepped as well as another domain tree root
domain prepped.

I plan to follow the recommendations outlined in the article below in order
to upgrade to 2003.  My plan is to transfer FSMO roles to 2000 machines, and
DCPROMO down existing DC's.  Rebuild them as 2003 Servers then DCPROMO the
box.  According to my experience and what is outlined below in the article,
the first DC's that are joined to the domain need to be servers that hold
PDC and DNC FSMO roles.  My experience was that when I tried the method
outlined above, the first New 2003 DC joined to the root forest took on the
PDC emulator role automatically.  (I did this back in November 2003)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;325379

I want to verify this behavior because there is a movement in my group to
want to deploy new 2003 DC's before upgrading the FSMO role holders.  One
person on my team says that the wording in the Q article isn't clear enough,
that you must upgrade the FSMO role holders.

So I bring this to the AD guru list to help me verify my perceptions, and to
help answer any remaining questions.

Thanks in advance,

Todd





RE: [ActiveDir] 2003 DC Promo Question....

2004-07-12 Thread Grillenmeier, Guido
I was truly surprised myself to have missed Todd's original question - I
just noticed it when you started answering to it.

Been too busy lately to go through all of the Active Dir posts - this
awesome list has become very active.  And besides that, I know you don't
have kids and thus have so much spare time on your hand for answering
every single question out there ;-)  Ok - now that I know that you seem
to be drinking while typing some of the answers, I'll have to do more
quality checking again ;-))


Back to the topic: another quick note on inplace-upgrading 2000 - 2003
DCs or other machines: this is a VERY different experience than going
from NT4 to 2000.  Since the file-structure between 2000/2003 basically
stayed the same (other than the name of the OS directory, which changed
from WinNT to Windows), you won't really notice a negative impact on a
machine which was inplace-upgraded to one, which was installed from
scratch.  I've also always had a gut-feeling to prefer new-installs
over an inplace-upgrade (definitely for NT4 to 2000), and likely people
would still feel better when re-installing a 2003 OS instead of in-place
upgrading...

But especially for DCs, the two scenarios can well be combined, as we
did at HP:

- we first in-place upgraded all 2000 DCs to 2003 to move to 2003 forest
functional level as quick as possible
- then with more time to spare, we backed-up the systemstate of the 2003
DCs locally, DC-Promoed them down, and re-installed them with 2003 from
scratch
- at last re-promoted them to DCs using the IFM (install from media)
option with the previously backed up systemstate
= this got us to 2003 very easily and had least impact on the WAN
during the re-installation

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 10 July 2004 00:06
To: 'joe'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

And BTW, where were all you smart guys earlier when Todd was in need of an
answer and you could have responded before I made myself look like a boob.

Oh yeah, good to see you posting again Guido.

Oh and Dean, you have been quiet lately too, but good to see you are
still
watching for my dumb-a** posts so you can thump me right proper. :o)

  joe 

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 09, 2004 6:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 DC Promo Question

Yeah, I looked around, I can't find where I might have read that and it was
a long time ago. I found a doc that I could have interpreted that way had I
been out drinking with Guido and Dean, but not sober.  So either I was drunk
or the doc disappeared, though I swear I had heard this separately as well
as I recall being, WTF! But then wasn't too worried as I do not do OS
upgrades unless it is absolutely unavoidable which is almost never (NT4 to
2K was an exception, at least for the PDC...)

Todd, I am curious what you saw now as I had it in my mind it was a
possibility. Now it seems it isn't so what happened?


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

I can confirm that you have to transfer the role manually - 2003 won't try to
do this by itself.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 9 July 2004 16:32
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hmmm ... re: If you do an OS Upgrade from 2K to K3 on a Domain Controller I
believe it will pull the PDC functionality to it; nothing I've witnessed
would seem to back that up.  In the event I'm just a bad witness or someone
with the retention of a Gold Fish and they do indeed do that, it's just
plain wrong, wrong, wrong.  PDC physical placement is important in certain
scenarios, to arbitrarily move the role during an upgrade process could have
significant security implications.

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 9:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hey Todd. 

If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it
will pull the PDC functionality to it. If you DCPROMO in a fresh K3 it will
not pull the role from what I have seen with the domains I have been
involved with. Personally though, I am not into upgrades of OSes, much
rather wipe and reload. A brilliant friend of mine once came up with a
method for us to do that remotely that we used for NT4 to 2K. We would shoot
the load down to the machine, then fire up a script that would look at some
config info and store it, then boot into Win98 and slam the load down

RE: [ActiveDir] 2000 to 2003 Migrations

2004-07-13 Thread Grillenmeier, Guido
unless you really have a badly designed or misbehaving Win2k AD today,
there is no reason for you to go through a migration with all the
hassles involved (the hassles are worth it for consolidation and other
reasons, but not to go from 2000 to 2003).  So stick to an inplace
upgrade and check out the following KB with more details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325379

You mainly have to be aware of the preparations to take for the mangled
attributes during forestprep and the changes in the default security of
AD, which could impact some legacy clients.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, 13 July 2004 00:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 to 2003 Migrations

I know MS has some decent whitepapers on migrations, but I was curious if any of you have any real-world feedback on tips or gotchas to be aware of when going from 2000 to 2003.  The kind of migration I'm talking about is for a small environment, all Windows 2000, native mode, 8 DC's in 5 sites, maybe 3000 users.  Exchange 2003 is also in use.

I'm thinking of doing an in-place upgrade as opposed to a migration with ADMT into a new Forest.  I know to run adprep /forestprep and /domainprep.  I'm loosely aware of the possible mangled(?) attributes when Exchange is deployed; I'll need to re-read up on that.

I haven't decided yet on if I'll perform an OS upgrade of the PDCE to 2003 or try building a new 2003 DC.

Most of what I've read/heard about so far is that this type of migration should be pretty straightforward, but I figured I'd ask while still in the early planning stages while I still have time to adjust as necessary.

Oh, and if anyone knows of any post 2003 RTM hotfixes that should be applied to the DC's right off the bat, I'd appreciate info on that, too.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Redirecting Comps

2004-07-13 Thread Grillenmeier, Guido
as far as I know, you have to be at 2003 domain functional level (native domain), 
since 2000 (or even NT4) DCs wouldn't know how to handle the redirection.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, 11 July 2004 07:24
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Redirecting Comps

In pt 8.12 of the AD Cookbook, Robbie talks about modifying the well-known value by hand. Does this work in a non-2003 native domain? Same with the users CN?

--Brian



RE: [ActiveDir] User changing account properties

2004-07-14 Thread Grillenmeier, Guido
whether this is normal or not really depends on the security you've set in
your AD or on the objects.  With the default permissions this doesn't
work (i.e. it would not be normal), since a normal user can only edit
specific attributes on his own account object (everything that's granted
to be writable to SELF - which is actually more than 40 attributes, so
it's quite a lot)

The easiest way to find the difference to the default security is to
know the default security descriptor as it's set on newly created
objects (either check out on user-class in schema of newly installed AD
or read the AD Delegation WP
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en)

Then compare to what permissions your objects have been granted - take
special care to check the permissions for Authenticated Users...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, 14 July 2004 20:18
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] User changing account properties

Users seem to be able to use the Windows XP built-in people search to change other users' AD attributes.

I assume this isn't normal. Is there a tool I can use to find differences from the default AD attribute security? This is a Windows 2000 AD.

Thank you
jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] 2000 to 2003 Migrations

2004-07-14 Thread Grillenmeier, Guido
hey Joe - just to clarify: I was talking about an in-place upgrade of the
DOMAIN - vs. migration to a new DOMAIN...  that was David's main
question.  In-place upgrading the DCs themselves is a separate
discussion.

but I know you just read my answer and assumed the latter ;-)

And I truly doubt that you prefer a fresh forest every time there's a
new WinServer OS and happily migrate all users and applications
across...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, 13 July 2004 21:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2000 to 2003 Migrations

This sounds like a valid approach but would recommend new installs of 2K3 if you can do it versus upgrades.

You could show me hundreds of perfectly fine upgrades but will still prefer a fresh install until MS displays a report at the end of the upgrade that tells me what items are using old OS configurations versus new configurations and what I would have to do to correct them to the new configurations.


  joe

 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Weird KB article

2004-07-14 Thread Grillenmeier, Guido
maybe it's useful when you have problems with creating new users in
either a child domain or its parent domain ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, 14 July 2004 22:38
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird KB article


Anyone know what this is all about??

http://support.microsoft.com/?kbid=145675


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Renaming the Administrator account

2004-07-21 Thread Grillenmeier, Guido



there's no issue renaming it - in 2003 you can actually 
disable it to make the environment more secure (but caution - this is the only 
account that doesn't get locked when you have configured a lockout threshold in 
your PW policy)

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Wednesday, 21 July 2004 13:38
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming the Administrator account


I have always renamed the default Administrator account on every system build I have performed for security reasons.

I did the same on the domain but was then scolded by a more experienced AD Administrator. The reason given to me was because there are parts of AD that authenticate or use the SID of the administrator account while other areas may use the Administrator username explicitly. If I were to rename the default Administrator account then those references that call the username explicitly may fail.

I am still new to AD so I took the above warning with caution and therefore renamed the default user back to its original settings.

I would appreciate anyone's input on the above. I would like to rename the Administrator account as part of best practices but if it may cause problems then of course this would not be an option. However, I have a hard time understanding why renaming the account could cause potential problems. I would think that any reference to the Administrator account would be made by the SID and if any call to the username itself was made, it would access a database that was populated with the correct information as it was changed.

The only information I have about renaming the account is above.

Thank you all for your responses.

Edwin


RE: [ActiveDir] Empty Group Lists

2004-07-21 Thread Grillenmeier, Guido



sounds like groups with hidden group memberships, where the Exchange store process kindly "screws up" the ACLs of the groups for you = Exchange puts the ACEs in a non-canonical order, which basically allows an Allow ACE (for the Exchange Enterprise Server group) to be listed before the Deny Read ACE for Everyone. You can add your own Admin account to the Exchange Enterprise Server group to get around that problem.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diel, Nick (Work)
Sent: Tuesday, July 20, 2004 7:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Empty Group Lists


I am new to this list and have a problem hopefully someone can help me out with. In several of my groups (both security and distribution, all universal) the Members section is blank. There are still members in them, but I just can't see the members. The distribution and security groups still work and what not. The list is blank on both DCs (one is an exchange server), also blank on my local MMC (have AdminPak), and blank when looking at the groups through Outlook. These groups are roughly my largest groups (some will have 50+, while others not as many).

Any help would be great,
Nick


RE: [ActiveDir] Renaming The Admin Account

2004-07-22 Thread Grillenmeier, Guido
Rocky - this thread is actually quite incredible - you're wandering from user and group names and object types to NTFS permissions and nesting objects into groups, over to discussing SIDs and friendly names, and now you're talking about the visibility of memberships of groups in AD ;-)

Also, I don't know about your domain, but I never knew that there was an account called Domain Admin - by default, you should only have an Administrator account that is a member of the Domain Admins group (and if this is the root, it would also be a member of the Enterprise Admins and Schema Admins groups)...  Besides the best practice of renaming the default Administrator account (not group), it's also a good practice to take it out of the Schema Admins group (this group should be empty until you want to change anything in the schema - this will prevent accidental schema extensions, e.g. by some crappy program or script).

So, I'm not sure which part is really most painful to you, but I guess you mainly want to hide any hints to the default Admin account in your domain, as otherwise renaming them doesn't make any sense to you - is that about right?

I think Deji already covered very well how you shouldn't set ACLs for any user account directly - you'll merely do so via groups, and the account that has access to the (non-homeshare) resource won't be visible by looking at the ACLs of the machine. This includes administrative accounts.

And if people see a group on an ACL (e.g. Domain Admins), you don't want them to be able to look up who is a Domain Admin by checking the membership of that group - right again?

This can also be resolved by setting the appropriate permissions on the respective AD OU which contains the groups (or any other objects) which you don't want your users to view.  E.g. move your administrative accounts and the Domain Admins group to a separate OU in your domain and then remove the Read permissions for Authenticated Users on that OU - this will hinder them from browsing to that OU, so they can't even try to open the group to see the content.  You could also work with permissions on the groups themselves, but that's more and unnecessary work.  If you don't even want your users to see the special OU, then you'll have to work with the List Object permission.

LIST OBJECT is not active or visible in the ACL Editor by default. To activate it (for the whole AD forest) change the DSHeuristics property on the Directory Service object (cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain) to 001. The first two bits impact the ANR searching in AD, so don't change them without knowing what you want them to be.

BTW, it's much easier to implement the strategy of a special OU (e.g. Domain Operations) when you have separate accounts for administrative users - i.e. they have another normal account for e-mail etc.  All administrative accounts should be in this special OU.


And thanks for the flowers in your previous mails - I'll send some of them to Deano ;-)


Cheers,
Guido


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what joe wanted to come to my little shop and point out to me exactly what I already know (which is exactly how much I don't know already.)?  Now HE was expensive.  Serves him right for getting fired. ;-O.  No wait.  He didn't get fired.  Some of the |stupidest| people in the world (notice the absolute symbol) just let him walk!  I'm telling you, that was about as smart as the Russians selling us Alaska for 7 million.  I could not believe that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. ( I can explain why that is someday, if it comes to that).  When I click (on my W2K boxes in my mixed mode W2K domain) on My Network Places > Entire Network > Directory > DNSDomainName it opens up my AD and everybody can see all the OUs.  If I click on my Microsoft_Groups (OU which houses the native groups) I see every group.  If I click on Domain Admins, I see the members.  The same with all the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about membership? Tony, Robbie, Guido, 
Gil, Roger, and Joe That's an expensive club. Can't afford the membership fee. 
Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. 
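
Guido's dSHeuristics advice above (set the third character to 1 without disturbing the first two) is easy to get wrong when the attribute already holds a value. The following helper is an added example, not code from the thread or from Microsoft; the forest root DN dc=example,dc=com and the constructed current value are placeholders.

```python
"""Compute a dSHeuristics value that enables the List Object permission
and emit an LDIF modify for ldifde. Added example; the forest root DN used
in the demo is a placeholder."""
from __future__ import annotations

# dSHeuristics is a string of single-character switches addressed by
# 1-based position. Position 3 is fDoListObject ("List Object" mode).
# Positions 1 and 2 influence ANR searching and must be left alone.
LIST_OBJECT_POSITION = 3
DS_OBJECT_RDNS = "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration"


def set_heuristic_char(current: str | None, position: int, value: str) -> str:
    """Return `current` with the 1-based `position` set to `value`.

    Shorter values are padded with '0'; every other character is kept
    exactly as found. Only positions 1-9 are handled here: every tenth
    character of dSHeuristics is a reserved marker with its own rules.
    """
    if not 1 <= position <= 9:
        raise ValueError("only positions 1-9 are supported by this helper")
    if len(value) != 1:
        raise ValueError("value must be a single character")
    chars = list(current or "")
    while len(chars) < position:
        chars.append("0")
    chars[position - 1] = value
    return "".join(chars)


def enable_list_object(current: str | None) -> str:
    """dSHeuristics with List Object mode on, ANR settings untouched."""
    return set_heuristic_char(current, LIST_OBJECT_POSITION, "1")


def anr_flags_preserved(before: str | None, after: str) -> bool:
    """Guard for the caveat in the thread: characters 1-2 must not change
    (an absent character counts as '0')."""
    return after[:2] == (before or "").ljust(2, "0")[:2]


def list_object_enabled(value: str | None) -> bool:
    """True when the third character is already '1'."""
    return len(value or "") >= LIST_OBJECT_POSITION and value[LIST_OBJECT_POSITION - 1] == "1"


def ldif_modify(forest_root_dn: str, new_value: str) -> str:
    """LDIF that `ldifde -i -f dsheuristics.ldf` would import."""
    return "\n".join([
        f"dn: {DS_OBJECT_RDNS},{forest_root_dn}",
        "changetype: modify",
        "replace: dSHeuristics",
        f"dSHeuristics: {new_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    current = "1"  # constructed: a forest that already changed ANR flag 1
    new = enable_list_object(current)
    assert anr_flags_preserved(current, new)
    print(ldif_modify("dc=example,dc=com", new))
```

Read the current value first (e.g. with ADSI Edit or an LDAP query against the Directory Service object) and feed it to enable_list_object rather than writing a literal 001, which would silently reset any ANR flags already set.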

RE: [ActiveDir] [OT] NTFS Read-only Status

2004-07-25 Thread Grillenmeier, Guido



first of all - are you sure you're
a) talking about a volume (e.g. physical or logical disk?) that you want to mount on one box, or
b) are you talking about a share with data, which you want to make available to others, but they should only read from it?

if a), this is simply related to ACLs (Access Control Lists = Permissions, set via the Security tab) at the root of the drive - mounting the drive itself doesn't allow you to configure it for read-only. But you can remove the "Everyone - Full Control" ACLs and replace them with something you'd prefer (e.g. Administrators - Full Control and Users - Read Only). XCACLS is one of those magic programs which can do this for you.

if b), you simply set read access at the share level before you mount the share for your users. This is now default in Win2003, but prior versions grant Everyone Full Control at the share level.


/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 23, 2004 9:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] NTFS Read-only Status

I've tried this on other groups, and it is not A/D related. But you guys know so much...

I want a way to mount an NTFS volume read-only. I want a magic command like "mode e: read-only". :-)

It is clear to me (and I've found references) that this is supported with NTFS (Windows XP and above), but I cannot figure out/find out how to set it.

Any ideas?

Thanks,
Michael


RE: [ActiveDir] Apply GP to computer account or user account?

2004-07-26 Thread Grillenmeier, Guido
really depends on your situation - if you always want the same
user-policies to be applied to these machines, then you can live with a
single GPO and configure it for loopback-processing. 

This will then apply the computer-policy part for the machine and will
apply the user-policy part for any user that logs on. 

You can choose replace or merge mode, whereby the latter will also apply
other GPOs applied to the user via his OU-path (which may or may not be
what you want).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jared Manhat
Sent: Monday, July 26, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Apply GP to computer account or user account?

I see, so you can't just create 1 GPO with BOTH computer settings & user settings. That sux.

Jared Manhat
Systems Administrator
Accutest Laboratories

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, July 26, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Apply GP to computer account or user account?

You'll need to apply your Computer GPO to the OUs that contain your
computer objects and your User GPO to the OUs that contain your user
objects.

Note that the computer settings in the GPO will apply to the computer
and are not affected by user logon and logoff.

Tony
-- Original Message --
From: Jared Manhat
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 26 Jul 2004 08:42:44 -0400

I have created 2 GP's, one with User software restrictions and the other
with Computer OS configurations. I want them both to be applied when
User's log on. If I attach them both to an OU containing users then will
the computer GP be applied, or do I need to link the Computer GP to an
OU containing computers and the User GP to an OU containing only users?

Thanks

Jared Manhat
Systems Administrator
Accutest Laboratories



 





Sent via the WebMail system at mail.activedir.org


 
   
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] group structure -universal groups

2004-07-27 Thread Grillenmeier, Guido
yes, for DLs this would definitely be an issue - in a multi-domain
forest be sure only to use UGs as DLs... (and DON'T nest GGs into the
UGs).   In a single domain forest it doesn't matter.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 27, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] group structure -universal groups

Daniel

Well, one option would be to simply skip the Global Group part and add your accounts directly to the UG.

A problem with UGs in Windows 2000 AD was that they potentially created a lot of replication traffic between GCs.  Any change to a UG membership would result in the whole membership being replicated.  Windows 2003 AD offers Linked Value Replication (LVR), which allows individual group membership changes to be replicated, rather than the whole attribute. This is clearly much more efficient and removes this limitation on the use of UGs.

In any case, wouldn't having Global Groups nested in UGs cause a problem for Distribution Group expansion?  For example, how would a GC from DomainA manage to successfully expand a distribution group that contains Global Groups from DomainB?

Tony

From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, 26 July 2004 22:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] group structure -universal groups


Hello,

I have a question regarding group structure and administration of such.  We run a multi-domain AD environment with basically an empty root domain and 2 child domains where the users live.  The problem is if we structure groups the way it is recommended (accounts into Global groups which are then placed into Universal Groups which are then placed into Domain Local groups in the domain where the resource lives and permissions applied using the Domain Local group).

The problem is we prefer our distribution lists (universal groups) to be managed/administered by the users/owner of the list.   All distribution lists are composed of individual users presently (came from an NT 4 domain) and if we follow the recommended group practices we will nest the Global group(s) from both domains inside the Universal groups and remove the individual users presently in them; effectively they will have the same members, but when the owners try to modify the members through their Outlook client they will only see the Global group(s) and not the members of the group who will receive the messages sent to the distribution list. Is there a better way to administer permissions in a multi-domain Active Directory environment, or do we set every owner of a distribution list up with rights and a tool to manage the global groups, effectively adding these users to the Universal groups by nesting the global groups?   Any feedback is appreciated, thank you.
 
 


 





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Batch Account Creation and Removal

2004-07-27 Thread Grillenmeier, Guido



there are a lot of provisioning and sync apps that can do this for you in a very automated fashion - search for "user provisioning" and you'll get lots of hits on Google

alternatively, you can leverage the new DS command-line tools from 2003 (DSADD, DSMOD etc.) and/or a couple of scripts that can accomplish this task for you. A good start is Robbie Allen's AD Cookbook and the related scripts: http://www.rallenhome.com/books/adcookbook/code.html

Most of it can also be accomplished by importing correctly formatted LDIFDE or CSVDE input files (both native tools for Win2k and newer versions).

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Henderson
Sent: Tuesday, July 27, 2004 6:50 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Batch Account Creation and Removal

Anyone have any great tips for batch creation and removal of accounts? We want to be able to batch create accounts for our students based off either a database or even a text file and create their user account, e-mail (in a separate message store), and add them to the correct OUs and groups.

Is there anything native that could accomplish this or is the best option a third-party app?

-Nate
_

Nathan Henderson
Network Engineer
Northwest University
ph: 425.889.5358
fax: 425.827.2807
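
As an added example of the LDIFDE route Guido mentions (not code from the thread or from the AD Cookbook), the script below turns a constructed student CSV into an import file for `ldifde -i`; the domain school.example, the Students OU and the group DN are placeholders.

```python
"""Build an ldifde import file (user adds plus group membership) from a
CSV of students. Added example with placeholder DNs and constructed rows."""
from __future__ import annotations

import base64
import csv
import io

# Placeholders for the demo; replace with your own domain, OU and group.
DOMAIN_DNS = "school.example"
DOMAIN_DN = "DC=school,DC=example"
STUDENTS_OU = f"OU=Students,{DOMAIN_DN}"
STUDENTS_GROUP = f"CN=All Students,OU=Groups,{DOMAIN_DN}"

# userAccountControl: NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2). A user
# imported without a password must be disabled, or AD rejects the add.
UAC_DISABLED_USER = 0x200 | 0x2

_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 (special characters plus a leading
    '#' or leading/trailing space)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; values that are not SAFE-STRINGs per
    RFC 2849 (non-ASCII, CR/LF/NUL, leading space/colon/'<') go base64."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(ch in value for ch in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_add(row: dict[str, str]) -> str:
    """LDIF 'add' record for one student row (givenName, sn, sAMAccountName)."""
    cn = f"{row['givenName']} {row['sn']}"
    dn = f"CN={escape_dn_value(cn)},{STUDENTS_OU}"
    lines = [
        ldif_line("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_line("cn", cn),
        ldif_line("sAMAccountName", row["sAMAccountName"]),
        ldif_line("userPrincipalName", f"{row['sAMAccountName']}@{DOMAIN_DNS}"),
        ldif_line("givenName", row["givenName"]),
        ldif_line("sn", row["sn"]),
        ldif_line("displayName", cn),
        f"userAccountControl: {UAC_DISABLED_USER}",
        "",
    ]
    return "\n".join(lines)


def group_add_member(group_dn: str, member_dn: str) -> str:
    """LDIF 'modify' record adding member_dn to group_dn."""
    return "\n".join([ldif_line("dn", group_dn), "changetype: modify",
                      "add: member", ldif_line("member", member_dn), "-", ""])


def build_ldif(csv_text: str) -> str:
    """Whole import file: all user adds first, then the membership changes,
    so every member DN exists by the time the group modify is processed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    adds = [user_add(r) for r in rows]
    members = [
        group_add_member(
            STUDENTS_GROUP,
            f"CN={escape_dn_value(r['givenName'] + ' ' + r['sn'])},{STUDENTS_OU}")
        for r in rows
    ]
    return "\n".join(adds + members)


# Constructed input: the second name contains a non-ASCII character and the
# third a comma that must be escaped in the DN.
SAMPLE_CSV = (
    "givenName,sn,sAMAccountName\n"
    "Nate,Henderson,nhenderson\n"
    "Aïssatou,Diallo,adiallo\n"
    "John,\"Smith, Jr.\",jsmith\n"
)

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV))
```

Accounts are created disabled; set the password and enable them in a second step (e.g. with DSMOD) so that no student account ever exists enabled with a blank password.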


RE: [ActiveDir] Accented characters in a CSVDE output

2004-07-28 Thread Grillenmeier, Guido
it's not a CSVDE *problem* - it is the *solution* to keep the data
transferable via CSVDE... You'll find the same issue when trying to
export address fields which include carriage returns.

you should be able to export the data in a readable format via normal
LDAP queries e.g. via DSQUERY or Joe's ADFIND

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Wednesday, July 28, 2004 4:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accented characters in a CSVDE output

When using CSVDE to output a .csv file, any 'sn' and 'givenname' entries with an accented character are displayed in the CSV file as something like this: X'41c3af737361746f75' when opened in Excel. Is this an Excel or CSVDE problem? Anyone tell me how to display such names properly? When I go into AD and remove the accented character the sn or givenname displays correctly. Maybe there is a better tool than CSVDE?

Here are a couple of examples of the CSVDE command:

C:\WINDOWS\system32>csvde -s 12.34.56.78 -f D:\IMG\IUCNEmail\Exchange\CSVDE\csvde1.csv -r "(&(objectclass=user)(proxyaddresses=SMTP*))" -l cn,mail,physicalDeliveryOfficeName

-

C:\WINDOWS\system32>csvde -s 12.34.56.78 -f D:\IMG\IUCNEmail\Exchange\CSVDE\csvde1.csv -r "(&(objectclass=user)(proxyaddresses=SMTP*))" -l displayname,mail,physicalDeliveryOfficeName -o DN

(The -o to omit the DN output appears not to work)


Dan Hinckley                          t: (41 22) 999 0183
Information Management Group          f: (41 22) 999 0010
IUCN, The World Conservation Union    e: [EMAIL PROTECTED]
1196 Gland, Switzerland               w: http://iucn.org/
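
Guido's point is that the X'...' form is CSVDE's encoding of the UTF-8 bytes of the value, so it can be decoded mechanically instead of editing the accented characters out of AD. The following is an added example, not code from the thread; the CSV rows are constructed, except that the X'41c3af737361746f75' value is the one Dan quoted.

```python
"""Decode (and re-encode) the X'<hex>' form that CSVDE uses for attribute
values that contain non-ASCII characters or line breaks. Added example with
constructed sample data."""
from __future__ import annotations

import csv
import io
import re

# CSVDE emits such values as X'<hex of the UTF-8 bytes>'.
_HEX_FORM = re.compile(r"^X'([0-9A-Fa-f]*)'$")


def decode_csvde_value(value: str) -> str:
    """Turn X'41c3af737361746f75' into the readable string; anything that is
    not in the hex form, or is not valid UTF-8, is returned unchanged."""
    match = _HEX_FORM.match(value.strip())
    if not match:
        return value
    try:
        return bytes.fromhex(match.group(1)).decode("utf-8")
    except UnicodeDecodeError:
        # Not text (e.g. a binary attribute): keep the hex form rather than guess.
        return value


def encode_csvde_value(value: str) -> str:
    """Inverse of decode_csvde_value, for values that need the hex form."""
    if value.isascii() and "\r" not in value and "\n" not in value:
        return value
    return "X'" + value.encode("utf-8").hex() + "'"


def decode_csvde_export(text: str) -> list[dict[str, str]]:
    """Parse a CSVDE export (header row first) and decode every field."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: decode_csvde_value(v) for k, v in row.items()} for row in reader]


# Constructed sample export: the first row carries the value from the thread,
# the second shows the same encoding applied to an address with a line break.
SAMPLE_EXPORT = (
    "DN,givenName,sn,mail,streetAddress\n"
    "\"CN=Aissatou Example,OU=Users,DC=example,DC=com\",X'41c3af737361746f75',Example,"
    "aissatou@example.com,\"Rue du Lac 1\"\n"
    "\"CN=Dan Example,OU=Users,DC=example,DC=com\",Dan,Example,dan@example.com,"
    + encode_csvde_value("Rue du Lac 1\r\n1196 Gland") + "\n"
)


def decoded_sample() -> list[dict[str, str]]:
    """The constructed export with every field decoded."""
    return decode_csvde_export(SAMPLE_EXPORT)


if __name__ == "__main__":
    for row in decoded_sample():
        print(row["givenName"], row["sn"], "|",
              row["streetAddress"].replace("\r\n", " / "))
```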

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido



> this would seem to contradict the concept of authoritative restore?

that's because of everyone's notion of what you EXPECT an auth. restore to do and how it is being promised in trainings etc. = "Auth. Restore" will allow you to turn back the hands of time...

But once you dig into it and understand what the Auth. Restore really does (as you say, it "only" increases the version number of existing attributes that it knows of in the database), you find that it doesn't really work as you might expect - I've had my share of troubles with restoring users and their groups in other parts of the forest... Tough to restore links to objects if these links aren't contained in the domain backup you're just restoring (e.g. when a user is a member in Universal Groups or Local Groups in other domains).
Check out the following KB for details on this: http://support.microsoft.com/?id=840001

The CAs and the e-mail addresses in your case are just another example = neither had the version number of the e-mail attribute of your users been set, nor were the CA objects existent before you backed up the domain / forest (if I remember correctly, the CA objects are stored in the config NC = so if you really wanted to get rid of them via backup/restore, you'd have to do a forest restore --- I would much suggest going for manual cleanup instead...). Same for the e-mail attributes, which are easily cleaned via a script.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] w2k authoritative restore

Brett, thanks for post reply
ADC - ex2k3 active directory connector
CA - is connection agreement defined within ADC

> ... So is the CA data perhaps in attributes that are not set on the backup objects?
- YES

> "Ergo it kind of works as a merge of old attributes that were set and new attributes that were set post backup."
do I read this right in that the authoritative restore allows data to be replicated back from a DC ?? - don't see how this can work unless of course an attribute that has no data in it has a null USN (as on my restored backup set ?) which is not incremented by the authoritative restore command, and which is therefore overwritten by another server which has some data in it
this would seem to contradict the concept of authoritative restore?
Thanks
GT

> do i read your post correctly in that the attribute data that is being (in my view incorrectly) replicated back is

- Original Message -
From: [EMAIL PROTECTED]
Date: Mon, 16 Aug 2004 11:25:05 -0700 (PDT)
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] w2k authoritative restore

> Auth restore will auth restore attributes that _exist_ in the backup as they were at the time of backup, but not auth restore attributes that didn't exist. Ergo it kind of works as a merge of old attributes that were set and new attributes that were set post backup.
>
> ... So is the CA data perhaps in attributes that are not set on the backup objects?
>
> Further like we merge the attributes that are auth restored over any existing ones, we also merge in objects as well. So a new object post backup will not get "auth restored" (i.e. the closest thing would be to delete the new object)
>
> Just grasping at straws, don't know much specifics about CA or ADC.
>
> Cheers,
> Brett Shirley (msft)
> AD Developer
>
> On Mon, 16 Aug 2004 [EMAIL PROTECTED] wrote:
>> dear all, sorry to "bomb" the list with queries, but was hoping to get a heads up on this issue of authoritative restore subsequent to a directory modification using ADC
>> we are testing the procedure of rollback of a domain that has been modified using an ADC connection agreement
>> i have a backup set taken prior to the processing of the ADC CA and can confirm the successful restore of a DC to the prior state. (no email address in the user objects, no CA objects etc)
>> despite the fact that this data is restored authoritatively, as soon as the restored DC is attached to the network with its DS started the data prior to the CA processing is overwritten with the data from another server
>> have followed what seems to be a simple process of auth restore;
>> 1. boot into DS restore
>> 2. restore system state and c: using the original location / always overwrite
>> 3. restart
>> 4. boot into DS restore mode
>> 5. run ntdsutil / authoritative restore / restore database
>> my first thought was that the ADC has created that many changes that the default version increment of auth restore (700) is not enough for the restored DC to have a higher USN than the server that is left online
>> have tried auth restore with the verinc value of 1000 but still the old data gets overwritten
>> any clues ??
>> GT

RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido
Brett, I guess you're talking about the restore of back-linked
references (e.g. the memberOf links of a user object), by auth-restoring
the appropriate forward-links (e.g. the member links of the appropriate
groups) during the auth restore of an object (e.g. the user).

yes, that's nice, but it's still not complete as the process will only
restore the references in the same NC - which is fine in a
single-domain/single-forest infrastructure, but still leads to problems
in multi-domain implementations (e.g. even with LVR, you won't restore
the UG references to groups in another domain).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 3:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k authoritative restore

We actually go one step further than this ... if we're in LVR mode, and
the link reference/membership was added post forest mode change, then we
also auth restore references.  That's sort of merging from the other
angle.

Cheers,
Brett Shirley
(msft) AD Dev

On Tue, 17 Aug 2004, Grillenmeier, Guido wrote:

 sounds like you need a forest (or full domain) recovery if you screw
 up with the ADC... - how many DCs per domain do you have?

 btw - the logic of merging data gets a new touch when you auth.
 restore groups in Win2003: once you're at 2003 forest-functional-level
 (LVR enabled) and you wish to restore a group authoritatively, you'll
 also find members that were added to the group after the backup will
 re-populate into the auth-restored group, since with LVR the members
 are replicated separately as well...  In this case, I usually prefer
 this merge feature, as this will guarantee you to get the group back
 to a most up to date state (unless a specific script, virus, stupid
 admin or whatever process accidentally populated all your groups with
 garbage data...)
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Monday, August 16, 2004 8:25 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] w2k authoritative restore
 
 Auth restore will auth restore attributes that _exist_ in the backup
 as they were at the time of backup, but not auth restore attributes
 that didn't exist.  Ergo it kind of works as a merge of old attributes
 that were set and new attributes that were set post backup.

 ... So is the CA data perhaps in attributes that are not set on the
 backup objects?

 Further, like we merge the attributes that are auth restored over any
 existing ones, we also merge in objects as well.  So a new object post
 backup will not get auth restored (i.e. the closest thing would be to
 delete the new object)
 
 Just grasping at straws, don't know much specifics about CA or ADC.
 
 Cheers,
 Brett Shirley (msft)
 AD Developer
 
 On Mon, 16 Aug 2004 [EMAIL PROTECTED] wrote:
 
  dear all, sorry to bomb the list with queries, but was hoping to get
  a heads up on this issue of authoritative restore subsequent to a
  directory modification using ADC

  we are testing the procedure of rollback of a domain that has been
  modified using an ADC connection agreement

  i have a backup set taken prior to the processing of the ADC CA and
  can confirm the successful restore of a DC to the prior state. (no
  email address in the user objects, no CA objects etc)

  despite the fact that this data is restored authoritatively, as soon as
  the restored DC is attached to the network with its DS started the
  data prior to the CA processing is overwritten with the data from
  another server

  have followed what seems to be a simple process of auth restore;

  1. boot into DS restore
  2. restore system state and c: using the original location / always overwrite
  3. restart
  4. boot into DS restore mode
  5. run ntdsutil / authoritative restore / restore database

  my first thought was that the ADC has created that many changes that
  the default version increment of auth restore (700) is not
  enough for the restored DC to have higher USN than the server that
  is left online

  have tried auth restore with the verinc value of 1000 but still
  the old data gets overwritten

  any clues ??

  GT
  
  
  
  
  

RE: [ActiveDir] w2k authoritative restore

2004-08-17 Thread Grillenmeier, Guido
small correction: it's not the USNs that are increased = it's the version
number

and as far as I understand it, an object won't inherit an attribute until
it's used the first time - so only attributes which are populated for
an object will have a version number in the first place.

maybe Brett can confirm this.

As such, a previously unused attribute can't be auth. restored (unless
you eliminate all occurrences in the domain/forest - which is equal to a
domain/forest recovery)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k authoritative restore

Guido, thanks for post reply 

full recovery of the domain is what i have fallen back to - 

was looking for a sanity check on this issue of authoritative (or not so
as it seems ) restore 

is it a fair qu to ask though how the directory service resolves this
issue of replication of attribute data that is blank (but which should
have a higher USN by virtue of the authoritative restore) and that which
has been populated but has a lower USN 

does it somehow use a system of a null USN for an attribute that has no
data and which can be overwritten ??

GT

- Original Message -
From: Grillenmeier, Guido 
Date: Tue, 17 Aug 2004 11:57:32 +0200
To: 
Subject: RE: [ActiveDir] w2k authoritative restore 

 sounds like you need a forest (or full domain) recovery if you screw
 up with the ADC... - how many DCs per domain do you have?

 btw - the logic of merging data gets a new touch when you auth.
 restore groups in Win2003: once you're at 2003 forest-functional-level
 (LVR enabled) and you wish to restore a group authoritatively, you'll
 also find members that were added to the group after the backup will
 re-populate into the auth-restored group, since with LVR the members
 are replicated separately as well... In this case, I usually prefer
 this merge feature, as this will guarantee you to get the group back
 to a most up to date state (unless a specific script, virus, stupid
 admin or whatever process accidentally populated all your groups with
 garbage data...)
 
 /Guido
 

RE: [ActiveDir] w2k authoritative restore

2004-08-18 Thread Grillenmeier, Guido
thanks Brett for the confirmation and clarification 

 If we set meta-data elements for all attributes for unset attributes
 just to get a delete of the attribute to win (remember there are 100s
 of unset attributes) you could experience like 5k+ bloat per object.
 Administrators would be very unhappy about that.

agreed, but Administrators also don't like not being able to restore
something to a known version.

I guess a viable solution could be to figure out the most critical of
the 100s of unset attributes and pre-populate them with NULL or some
other meaningless data at the time of creation of normal admin objects
(i.e. users, groups, computers, contacts etc., but not config items like
site-links etc.). These settings could be removed right afterwards, but
the versioning of the attribute remains - this could allow you to get
the best of both worlds.

A tedious job though...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k authoritative restore

Well, first GT, below I think you're thinking of version numbers, not
USNs like Guido said.

Both are used in replication, but for different purposes. USNs are
strictly used for determining _what to replicate_, never _what wins in a
replication conflict_.  Replication conflicts are decided by version
numbers + other junk if version numbers are equal.

With version numbers (which is what gets bumped when you auth restore,
not USNs*), an unset attribute has none, and as such loses to any other
change with a set version number.
* USNs may change, but they're not bumped up by a large amount;
they're just incremented from the last max USN (simplification).

The meta-data attribute for an AD object (you can see through repadmin
/showobjmeta (or in older repadmin use just /showmeta)), is a sparse
format, meaning we only set meta-data rows** for attributes set on the
object.
** they're not really DB rows, but in repadmin they come out as
rows in a table.

When we auth restore we only bump versions on attributes represented in
the meta-data; this is why you get the merge behavior: if an attribute
was never set before backup then the "no version" will lose to even a
version 1 attribute set post backup.

If we set meta-data elements for all attributes for unset attributes
just to get a delete of the attribute to win (remember there are 100s
of unset attributes) you could experience like 5k+ bloat per object.
Administrators would be very unhappy about that.

Well, that scratches the surface enough, I hope?  I think this is
probably all documented in the Win2k Distributed Systems Guide, if
you've the patience to read a 1600 page volume like that.

Cheers,
Brett Shirley
(msft) (I guess today) the auth restore dev


On Wed, 18 Aug 2004 [EMAIL PROTECTED] wrote:

 Guido, i appreciate this is going into what seem to be the murky 
 depths of AD but would you be able to expand on this concept of 
 version number - it must relate somehow to replication which i 
 thought to be based on USN's ?
 
 GT
 
 - Original Message -
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: Tue, 17 Aug 2004 17:35:37 +0200
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] w2k authoritative restore
 
 small correction: it's not the USNs that are increased = it's the
 version number

 and as far as I understand it, an object won't inherit an attribute
 until it's used the first time - so only attributes which are
 populated for an object will have a version number in the first place.

 maybe Brett can confirm this.

 As such, a previously unused attribute can't be auth. restored (unless
 you eliminate all occurrences in the domain/forest - which is equal
 to a domain/forest recovery)

 /Guido
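Brett's explanation above (sparse metadata, version numbers deciding conflicts, USNs only deciding what replicates) is easy to lose in the quoting, so here is an added toy model that replays GT's ADC rollback test and Guido's pre-populate-then-clear idea. It is not code from this thread, from Microsoft or from ntdsutil/repadmin; the object DN, the attribute values and the version increment are constructed sample data.

```python
"""Toy model of the attribute-level 'merge' an AD authoritative restore produces,
following Brett Shirley's explanation above. Added illustration, not code from
the thread, Microsoft, ntdsutil or repadmin. Rules modelled (all from the thread):
metadata is sparse (only attributes ever set carry a version number), auth
restore bumps only those versions, and the higher version wins a conflict
(USNs only decide what to replicate). DN, values and increment are constructed."""
import copy
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

USER_DN = "CN=gt,OU=Users,DC=example,DC=com"   # constructed sample object


@dataclass
class AttrMeta:
    """One row of an object's replication metadata (repadmin /showobjmeta)."""
    value: Optional[str]   # None = attribute cleared, but its metadata row remains
    version: int           # decides who wins a replication conflict
    usn: int               # decides what gets replicated (not modelled further)


@dataclass
class DsObject:
    dn: str
    # Sparse: an attribute that was never set has NO entry here at all.
    meta: Dict[str, AttrMeta] = field(default_factory=dict)


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0
        self.objects: Dict[str, DsObject] = {}

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def set_attr(self, dn: str, attr: str, value: Optional[str]) -> None:
        """Originating write: version starts at 1 and grows by one per change."""
        obj = self.objects.setdefault(dn, DsObject(dn))
        prev = obj.meta.get(attr)
        obj.meta[attr] = AttrMeta(value, prev.version + 1 if prev else 1,
                                  self._next_usn())

    def auth_restore(self, increment: int) -> None:
        """Bump the version of every attribute that HAS a metadata row; an
        attribute without a row cannot be bumped, whatever the increment."""
        for obj in self.objects.values():
            for m in obj.meta.values():
                m.version += increment
                m.usn = self._next_usn()

    def replicate_from(self, source: "DomainController") -> None:
        """Inbound replication: per attribute, the higher version wins. (Real AD
        uses USN watermarks to pick what to send; here we compare everything.)"""
        for dn, src_obj in source.objects.items():
            dst_obj = self.objects.setdefault(dn, DsObject(dn))
            for attr, src_m in src_obj.meta.items():
                dst_m = dst_obj.meta.get(attr)
                if dst_m is None or src_m.version > dst_m.version:
                    dst_obj.meta[attr] = AttrMeta(src_m.value, src_m.version,
                                                  self._next_usn())

    def value(self, dn: str, attr: str) -> Optional[str]:
        m = self.objects.get(dn, DsObject(dn)).meta.get(attr)
        return m.value if m else None


def run_scenario(prepopulate_mail: bool,
                 increment: int = 100000) -> Tuple[Optional[str], Optional[str]]:
    """Replay GT's ADC rollback test; return (description, mail) as seen on the
    restored DC once replication has converged. prepopulate_mail=True applies
    Guido's proposed workaround: set, then clear, the attribute before the
    backup so that it owns a metadata row."""
    dc1 = DomainController("DC1")
    dc1.set_attr(USER_DN, "description", "Contractor")
    if prepopulate_mail:
        dc1.set_attr(USER_DN, "mail", "placeholder")
        dc1.set_attr(USER_DN, "mail", None)      # cleared, row kept at version 2
    backup = copy.deepcopy(dc1)                   # system state backup taken here

    dc2 = copy.deepcopy(dc1)                      # a second, fully converged DC
    dc2.name = "DC2"
    # The ADC connection agreement runs AFTER the backup and mail-enables the user.
    dc2.set_attr(USER_DN, "mail", "gt@example.com")
    dc2.set_attr(USER_DN, "description", "Mail-enabled by ADC")

    dc1 = copy.deepcopy(backup)                   # restore DC1 from the backup
    dc1.auth_restore(increment)                   # ntdsutil authoritative restore
    dc1.replicate_from(dc2)                       # DS started, replication runs
    dc2.replicate_from(dc1)
    return dc1.value(USER_DN, "description"), dc1.value(USER_DN, "mail")


if __name__ == "__main__":
    print(run_scenario(False))            # ('Contractor', 'gt@example.com')
    print(run_scenario(False, 10 ** 9))   # same: a bigger verinc does not help
    print(run_scenario(True))             # ('Contractor', None)
```

The description, which had a metadata row at backup time, rolls back; mail, which had none, keeps the post-backup ADC value regardless of verinc, and only the pre-populated-then-cleared variant makes the restore win for it.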

RE: [ActiveDir] DFS on Domain Controllers

2004-08-23 Thread Grillenmeier, Guido



there's nothing wrong with what you're doing - DCs can host
DFS roots perfectly well and can contain link targets which point to shares on
any server in your infrastructure. The one thing that you need to be aware
of in this respect is that whoever manages the link targets in the DFS root
requires administrative rights on the DFS root server = if this is a DC,
this means it has to be a domain admin...

/Guido

P.S: small correction from the previous answer to this
post: SYSVOL shares ARE handled by DFS - it's a special DFS root
which exists on every DC. And the contents of SYSVOL are obviously
replicated via FRS.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cary, Mark
Sent: Wednesday, August 18, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS on Domain Controllers

I wasn't going to have any real files on the DCs just 
the DFS root and links the point to real shares on file servers. 


  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
  Sent: Wednesday, August 18, 2004 3:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS on Domain Controllers
  
  The sysvol shares are not handled by dfs. You can put dfs 
  roots on DCs but as a matter of policy it's not a good idea to have any file 
  shares other than sysvol on a DC. But for a small network and limited 
  resources...
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Cary, Mark
  Sent: Wednesday, August 18, 2004 3:01 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DFS on Domain Controllers
  
  Is it a bad idea to make DFS Root Targets on Domain Controllers? If I
  browse to my AD 2003 domain \\example.com I see the two folders:
  Netlogon & Sysvol. But if I browse to \\example.com\DFS-Root I see my
  Links which point to shares on file servers:
  \\example.com\DFS-Root\Acctg -- \\File-Server-1\Acctg
  \\example.com\DFS-Root\Eng -- \\File-Server-2\Engineering
  Thanks


RE: [ActiveDir] Joining Computers to a Domain

2004-08-24 Thread Grillenmeier, Guido



Hey Kevin - good to "read you" ;-)

just want to add, that you, Edwin, need to differentiate 
where you want your non-admin user to place the computer account. The 
method given by Kevin is only applicable to add computers to the default 
computers container in the domain. Unless you're running 2003 and made some 
changes, this is not an OU, so you can't configure GPOs 
here...

Often you'll want to do the opposite: disallow non-admin
users to add computers to the default computers container (e.g. by configuring
the ms-DC-MachineAccountQuota to 0 or changing the permissions for the Add
workstations to domain user right), then grant permissions to join clients to a
specific OU - for the latter the non-admin user needs to have create
computer object permissions on the OU (and since he's the owner after creating
the account, he can also delete it...)

Realize though, that by default the System-Properties UI of
the clients will only join the computer to the default computer container (which
will fail if you've restricted this approach), unless the non-admin user either
first creates the computer account in the appropriate OU, or you make him use
NETDOM with the /OU option to join a client to the correct OU at the time of the
domain-join.

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Tuesday, August 24, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining Computers to a Domain


Edwin,

You can do this a 
couple of different ways. First off, by default there is an attribute on the 
domain level called ms-DC-MachineAccountQuota and the value is 10. This allows 
users to join 10 computers to the domain without additional permissions. You can 
change this value if you need to.

If you want to give 
specific users the ability to create machine accounts you can use Group Policy 
and give the Add workstations to domain right to the users in question. 
(Computer Configuration\Windows Settings\Security Settings\Local Policies\User 
Rights Assignment\Add workstations to domain)

This should do it. Also 
remember if the systems are pre-created in AD you will not need to go through 
this.

Kevin







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, August 24, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining Computers to a Domain

I believe that I have read something
like this before but now that I need it, I can't find the
answer.

I would like to be able to have a 
non-admin user with permissions of nothing more than being able to add a 
computer to a domain. Is this possible?

Thank you for your 
responses.

Edwin


RE: [ActiveDir] File Replication Services

2004-08-24 Thread Grillenmeier, Guido
 The File Replication Service cannot replicate f:\users because it
 overlaps the replicating directory f:\users.

are you trying to use a LOCAL drive as a link target in DFS and then
replicate data from this to a local drive on some other server (via
FRS)?

you should always use UNC paths for your link-targets in DFS
(independent of your wish to use FRS to replicate multiple link-targets)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Filipe Joel de
Almeida
Sent: Tuesday, August 24, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] File Replication Services

Hi all,

I'm trying to set up a Domain DFS root working between 2 Windows 2000
servers (Both Domain Controllers).

I proceeded as I usually do, but there is no way for this to replicate!

The event viewer is full of errors, such as these:

__

The File Replication Service is unable to add this computer to the
following replica set: 
_ROOT$|USERS 
 
This could be caused by a number of problems such as: 
  --  an invalid root path,
  --  a missing directory,
  --  a missing disk volume,
  --  a file system on the volume that does not support NTFS 5.0 
 
The information below may help to resolve the problem: 
Computer DNS name is server.csmf.local 
Replica set member name is {99C9ADCD-D6F3-4468-9E7C-9764EA2BDE7F} 
Replica set root path is f:\users 
Replica staging directory path is e:\frs-staging 
Replica working directory path is c:\winnt\ntfrs\jet 
Windows error status code is ERROR_BAD_COMMAND FRS error status code is
FrsErrorResourceInUse 
 
Other event log messages may also help determine the problem.  Correct
the problem and the service will attempt to restart replication
automatically at a later time.




Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
server.csmf.local for FRS replica set configuration information. 
 
 The nTFRSMember object
cn={4f36c0a7-23da-4535-89ae-148f1538c4df},cn=_root|grupos,cn=_root,cn=dfs volumes,cn=file replication service,cn=system,dc=csmf,dc=local
has a invalid value for the attribute frsComputerReference.

The nTFRSMember object
cn={4f36c0a7-23da-4535-89ae-148f1538c4df},cn=_root|users,cn=_root,cn=dfs volumes,cn=file replication service,cn=system,dc=csmf,dc=local
has a invalid value for the attribute frsComputerReference.

 
_

The File Replication Service cannot replicate f:\users because it
overlaps the replicating directory f:\users.
-


I only have one DFS root with 2 dfs links (users and groups).

One thing that might be causing this problem is that I used to have a
W2k3 server with the same name as one of these 2 servers, and it
completely crashed, so I had to re-install it with W2k and used the same
name...

Does anyone have any idea about how to make this work?

Filipe Joel de Almeida
Network Consultant
[EMAIL PROTECTED]



RE: [ActiveDir] admt2.0 permissioning

2004-08-24 Thread Grillenmeier, Guido
actually, it all depends on how you run ADMT. 
Often you'd want to split the requirements between user/group migration
and computer migration.


The rules for migrating users and groups are:
1. for the PES (Password export server) to work, the account used to
migrate the users must be a member of the LOCAL ADMIN group in the
SOURCE domain 
2. for SID-History to work, the account used to migrate must be a member
of the domain admins group on the TARGET domain

Both can only be fulfilled by adding a TARGET domain admin account to
the local administrator group in the SOURCE domain, since you can't add
a user from a different domain to the global domain admin group in your
TARGET domain. 


Then, to migrate the computers, you need local admin rights on the
clients in the SOURCE domain and appropriate permissions on the OU in
the TARGET domain - this can be achieved in various ways, e.g. by using
a SOURCE domain admin and then only granting permissions to add computer
objects to the respective OU in the target domain.  Or by first adding a
group from your target domain to the local admins of your clients and
then working with a TARGET domain user for the computer migration as well.


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 24, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt2.0 permissioning

dear all, know this is real 'old hat' by now but just wanted to confirm
the issue of permissioning for an ADMT migration of a small NT 4.0 account
domain to a Windows 2000 domain.

a quoted requirement is that 'sourcedomain/domain admins' is added to
'targetdomain/administrators' and vice-versa.

is this a definite requirement for migration or just a 'catch all' that
grants everything ??

i don't understand why the 'sourcedomain/domain admins' need to have
admin privilege in the target domain  - THIS IS THE BIGGEST ISSUE

- the issue here surely is the context in which the ADMT is being
run - i do see why this needs Administrative rights on the desktops
being migrated and an elevated level of privilege on the target domain
to be able to create the necessary objects et al

TIA 

GT 







RE: [ActiveDir] admt2.0 permissioning

2004-08-24 Thread Grillenmeier, Guido
good point - but realize that it's somewhat of a risky business to grant
lower level admins the permissions to migrate-sid-history.  Although I
agree with 2003 you at least have this option.

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Tuesday, August 24, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] admt2.0 permissioning

 for SID-History to work, the account used to migrate must be a member
of the domain admins group on the TARGET domain

Addition: on W2003 you have the extended right Migrate-Sid-History
which you can use to delegate the SidHistory permissions to a lower
level Admin.
I've done this with limited success. It works fine from the ADMT GUI,
but fails miserably from the commandline. Strange but true. Hopefully
fixed with ADMT 3.0.

--
Regards, Willem


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, August 24, 2004 6:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] admt2.0 permissioning

actually, it all depends on how you run ADMT. 
Often you'd want to split the requirements between user/group migration
and computer migration.


The rules for migrating users and groups are:
1. for the PES (Password export server) to work, the account used to
migrate the users must be a member of the LOCAL ADMIN group in the
SOURCE domain
2. for SID-History to work, the account used to migrate must be a member
of the domain admins group on the TARGET domain

Both can only be fulfilled by adding a TARGET domain admin account to
the local administrator group in the SOURCE domain, since you can't add
a user from a different domain to the global domain admin group in your
TARGET domain. 


Then, to migrate the computers, you need local admin rights on the
clients in the SOURCE domain and appropriate permissions on the OU in
the TARGET domain - this can be achieved in various ways, e.g. by using
a SOURCE domain admin and then only granting permissions to add computer
objects to the respective OU in the target domain.  Or by first adding a
group from your target domain to the local admins of your clients and
then work with a TARGET domain user for the computer migration as well.


/Guido





RE: [ActiveDir] windows 2000 directory permissioning

2004-09-02 Thread Grillenmeier, Guido
Hello Graham - as always: it depends... and this is mostly about if
you're in a single domain or multi-domain forest.

in a single domain, the group-scope obviously doesn't matter - you can
even nest groups of the same type to achieve any nesting, if you need
it. 

Nesting still makes sense at times, e.g. when you grant different
admin groups different permissions to an OU, but in the end, all of the
Admins should have read permissions to the whole OU (assuming you're
hiding something for normal users) = I typically have a
PREFIX-AllAdmins group for each OU representing an Administrative Unit
and this group contains all other admin groups for that unit (e.g.
user-admins, client-admins, helpdesk etc.).  Scope for all groups can be
local as you're likely not going to set permissions via these groups to
other objects in AD.

in a multi-domain environment, the sope of the groups are obviously more
important - if permissions are to be applied for objects from different
domains and these permissions are granted on the configuration container
(e.g. for Exchange), you'll want to use universal groups, as a local
group can't grant the required permission on the same data in the config
container hosted on a DC in another domain... 
However, even in multi-domain forests, you often just need access to
data of in your own domain NC, so that local groups are usually fine to
use.

At last - also for multi-domain-forests - you have to consider
visibility: if you want to see the memberships of your AD groups on the
users (i.e. memberOf tab) for any groups in the forest, then you may
want to choose UGs just for that reason.  If you don't care, then local
groups will be fine and cause less replication traffic (but more
headaches during recovery of deleted members).

HTH

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, September 02, 2004 2:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] windows 2000 directory permissioning

this post relates to the general tenet of permissioning of AD objects -
OU's et al - and seeking views on how ACL's are applied to an OU (or for
that matter any directory object I suppose)

all the delegation references seem to indicate that group objects should
be used as ACE's - totally happy with this

however the main issue I seek views on is the SCOPE of these groups -

in the days when we used ACL's to set permissions on NTFS directories we
were given the tenet of use LOCAL GROUPS to set permissions, add
global groups to the local groups - AGLP being the well known acronym

if we reference the raft of delegation guides these seem to propose the
use of GLOBAL groups as the entity that is added to the ACL

I have no problem with this but it just seems to go against the grain
of the methodology of the NTFS permissioning ??

is this perhaps borne out of subtlety in the way the Windows 2000 LSA
manages directory objects vs NTFS permissions ??

final point that I think relevant references the way in which 'DNS
Admins' - this is in fact a group but which is LOCAL in scope

views will be gladly received

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Using CMD

2004-09-02 Thread Grillenmeier, Guido
You actually did something - you just didn't see it: you switched the
current directory for the C: drive to C:\directory.  So if you'd
switch to the drive (via c: [enter]) even after you typed the change
directory command, you should be in C:\directory.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Thursday, September 02, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Using CMD

Alright I am trying to use CMD on windows XP, my account is set up as a
local admin and all the other admin settings I could think of.  But in
cmd it defaults to my home dir, H:\, so I need to be in C:\.  I type  cd
C:\directory  and it does nothing, no error and doesn't switch dir.
How do I switch to C:\ in the command prompt.  Is this a GP setting???

Thanks

--
Jacob Stabl
Network Engineer
Plain Local Schools
http://plainlocal.org
Work: 330.492.3500 x.383
Cell: 330.704.1278

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Sid Filtering will not disable

2004-09-04 Thread Grillenmeier, Guido
> I have a new empty forest root (efr.something.com which is W2K3, brand
> new and I have not set a functional level yet, it's what it would be
> natively upon creation).

That would be Win2000 mixed mode at the domain level (which doesn't
support SID-History anyways) and Win2000 mode at the forest level...
but if I read correctly, you don't want to migrate into the existing
root domain anyways.

Instead, you want to migrate to a NOT YET created child domain
(cd1.efr.something.com)
= you'll have to turn off SID-Filtering on the trust between THIS (not
yet existing) child domain and your source domain, not the root (as
SID-Filtering is configured per trust).

To do so, you'll first have to create the child domain, set this domain
to the Win2003 domain functional level (if you don't expect/want any
2000 DCs in this domain), then create the trust and turn off
SID-Filtering on this trust (not from the root).

At last, I expect that the error "The parameter quarantine:No was
unexpected." comes from the fact that you are using the 2003 syntax, but
the source domain is still Windows 2000, which uses a different syntax
for disabling SID-Filtering:
NETDOM.EXE Trust sourcedom /Domain:targetdom /FilterSIDs NO


/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Saturday, September 04, 2004 9:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sid Filtering will not disable

People,

I cannot get sid filtering to disable in my migration action.  I have a
new empty forest root (efr.something.com which is W2K3, brand new and I
have not set a functional level yet, it's what it would be natively upon
creation).
I have a source domain in a different forest that I want to get ready to
migrate to a NOT YET created child domain (cd1.efr.something.com).  The
W2K3 Server notes from efr state that in the trusting domain (the one I
want to migrate, source.com which is W2K mixed mode) I need to disable
sid filtering with the command:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
/usero:DomainAdministratorAcct /passwordo:DomainAdminPwd
so I type the following:
Netdom trust source.com /domain:efr.something.com /quarantine:No
/usero:Administrator /passwordo:source.comAdminPassword
It returns "The parameter quarantine:No was unexpected.  The parameter
is incorrect:"  So I said, "Maybe it's because the child domain is not
created yet and you can't migrate to an empty forest root."  Then I said
"No, how does it know it's an empty forest root.  It does not know."  So
now I can't effect that command.  Can anyone help me decipher my logic
failure here?  I really appreciate all the help(ers) on this list.  It
has been invaluable.

And For cripes sake joe, Don't listen to Rick tell you to give just
one line answers! :-0 Just kidding.
Love you both.

Thanks.

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Raising of functional levels

2004-09-04 Thread Grillenmeier, Guido



usually works like a charm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian L.
Sent: Saturday, September 04, 2004 6:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Raising of functional levels

We are getting ready to raise the forest and domain functional levels
from Windows Interim to Windows Server 2003.
We have tested in our lab and all has gone well. Does anyone have any
gotchas or words of wisdom before we do this?
All DCs are at W2K3 and replication is working fine.

Thanks in advance.
Brian


RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Grillenmeier, Guido
that's correct - even if you configure an additional UPN suffix for the
forest (or for an OU) and assign this to an account when you create the
account (e.g. via ADUC), every account will still have an implicit UPN
suffix that is made up of his samAccountName + the domain-suffix of his
AD domain.  So even though your first user had an explicit UPN of
[EMAIL PROTECTED], he also had an implicit UPN of [EMAIL PROTECTED]

Looks like the reason for your problem was mainly caused due to the
special char in your ADM accounts (as it only used the first part of the
name to create) - or did you configure your 2nd account like this on
purpose?  I assume that the accounts were created programmatically, as
the ADUC UI will check for duplicate UPNs by querying a GC - so usually
this is only a problem if accounts are created at roughly the same time
on different DCs (even in different domains). But I'm not sure if ADUC
only queries for the explicit UPN that you've assigned at creation and
ignores the implicit UPN (seems to be the case). But I'm quite sure that
this check is not performed when you programmatically add accounts to
AD.

As a result the duplicate UPNs caused a Kerberos conflict as you well
noticed - interesting to read how your users noticed this on their XP
clients.  Can you elaborate on the "Once in a while..." - i.e. how
often? and did this only occur if they were also logged on as the
guy$adm at the same time?
And when did the 2nd account get locked out - at the time the kerberos
ticket of #1 was getting refreshed (i.e. after 10 hours past logon of
#1)? Or at logon of #1?

I'll have to check out this sort of attack a little closer...


BTW - the same risk applies with machine-accounts in AD, which register
an SPN (service principal name) that must also be unique: if they're
able to register the same name as another machine (e.g. when DDNS is
not secured sufficiently well), they can hinder both machines from
receiving kerberos tickets and (if the attacked server was set to allow
kerberos delegation e.g. for some web-application) could thus cause a
DOS for applications running on the other server.


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fun with Kerberos

Stumbled upon an issue couple of days ago and wanted to hear what you
guys think about it.

Suppose that your AD is called myad.com and you also configure
additional UPN suffix company.com.
Now I create 2 users in child.myad.com child domain:

1) sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]

2) sAMAccountName: guy$adm
userPrincipalName: [EMAIL PROTECTED]

(Notice that in ADUC the userPrincipalName is constructed from 2 fields:
W2K username and suffix)

From AD point of view this is all nice and legit and UI will be happy
to create both.
But if you look at the users' explicit Kerberos principals, both look the
same:
[EMAIL PROTECTED] (checked with klist tgt).
In our environment, if you are logged on with account #1, two things
happened:
1. Once in a while LAN users had XP pop up a balloon in systray with "XP
needs your user credentials"
2. The corresponding account #2 was getting locked out.

Renaming UPNs of supplemental accounts fixed the issue (the name clash
was not intentional from the beginning as you might guess). Still I am
wondering why AD allowed creation of account with Kerberos principal
that already existed in AD. If AD checks for sAMAccountName collisions,
is there any special reason not to check Kerberos principals ?
How can I prevent this from happening ? (the implications would mean
that anyone with permissions to create user accounts can do some very
nasty things)
 
Guy
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
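The collision the thread describes is between two different name forms that the KDC treats as the same principal: the implicit UPN that every account gets from sAMAccountName plus its domain's DNS name, and the explicit userPrincipalName set on another account. The following Python is an added example, not code from the thread or from Microsoft, showing the check an administrator can run over an export of account data to catch such clashes before Kerberos does. It goes slightly beyond the thread's case by also checking servicePrincipalName uniqueness for machine accounts, the second risk Guido raises. All account records are constructed for the example; in a real environment they would come from an LDAP query against a global catalog, which is not shown here.

```python
"""Find colliding Kerberos principal names among directory accounts.

Constructed, self-contained example; the records below are made up to mirror
the situation described in the thread and are not real directory data.

Every AD account answers to an implicit UPN, sAMAccountName@<domain DNS name>,
in addition to any explicit userPrincipalName set on it, so uniqueness must be
checked across both forms. Machine accounts register servicePrincipalName
values that must be unique as well.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    sam: str                                        # sAMAccountName
    domain_dns: str                                 # DNS name of the account's domain
    explicit_upn: Optional[str] = None              # userPrincipalName attribute, if set
    spns: List[str] = field(default_factory=list)   # servicePrincipalName values

    def upns(self) -> List[Tuple[str, str]]:
        """Every UPN form this account can be addressed by, tagged with its origin.

        Names are compared case-insensitively, as AD treats them.
        """
        forms = [("implicit", f"{self.sam}@{self.domain_dns}".lower())]
        if self.explicit_upn:
            forms.append(("explicit", self.explicit_upn.lower()))
        return forms


def find_upn_collisions(accounts: List[Account]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {upn: [(sAMAccountName, origin), ...]} for UPNs owned by 2+ accounts.

    An account whose explicit UPN equals its own implicit UPN is counted once,
    so it does not collide with itself.
    """
    owners: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for acct in accounts:
        seen = set()
        for origin, upn in acct.upns():
            if upn in seen:
                continue
            seen.add(upn)
            owners[upn].append((acct.sam, origin))
    return {upn: who for upn, who in owners.items() if len(who) > 1}


def find_spn_collisions(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return {spn: [sAMAccountName, ...]} for SPNs registered by 2+ accounts."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for acct in accounts:
        for spn in sorted({s.lower() for s in acct.spns}):
            owners[spn].append(acct.sam)
    return {spn: who for spn, who in owners.items() if len(who) > 1}


# Constructed sample: the regular account "guy" lives in child.myad.com with an
# explicit UPN under the extra suffix; the supplemental account "guysu" was
# given an explicit UPN equal to guy's *implicit* one. The two machine accounts
# were constructed to share an SPN, the situation described for DDNS clashes.
SAMPLE_ACCOUNTS = [
    Account("guy", "child.myad.com", "guy@company.com"),
    Account("guysu", "child.myad.com", "guy@child.myad.com"),
    Account("bob", "child.myad.com", "bob@child.myad.com"),  # explicit == implicit, harmless
    Account("SRV1$", "child.myad.com", spns=["HOST/srv1.child.myad.com"]),
    Account("SRV2$", "child.myad.com", spns=["host/SRV1.child.myad.com"]),
]


def report(accounts: List[Account]) -> List[str]:
    """Human-readable findings, one line per colliding name."""
    lines = []
    for upn, who in sorted(find_upn_collisions(accounts).items()):
        detail = ", ".join(f"{sam} ({origin})" for sam, origin in who)
        lines.append(f"UPN collision: {upn} <- {detail}")
    for spn, who in sorted(find_spn_collisions(accounts).items()):
        lines.append(f"SPN collision: {spn} <- {', '.join(who)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ACCOUNTS):
        print(line)
```

Run against the sample, the report flags guy@child.myad.com as claimed by both "guy" (implicitly) and "guysu" (explicitly), which is exactly the pair the ADUC duplicate check missed because it only compares explicit UPNs, and flags the shared HOST SPN. Accounts whose explicit UPN merely restates their own implicit one, like "bob", are not reported.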


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Grillenmeier, Guido



Al, realize that the user accounts Guy is talking about are
all in one forest - so the issue is not related to UPNs being unique across
more than one forest. They're just logging in from a machine in a different
forest.

I've already discussed offline with Guy that the clash is
between the implicit UPN of the regular account (which would be
[EMAIL PROTECTED]) and the explicit UPN of the supplemental account
(which had previously been set to [EMAIL PROTECTED]) = fixing the
explicit UPN of the supplemental account fixed the clash and the related
problems...


BTW, we're thinking that the account lockouts and the XP request for
credentials are likely related to Kerberos preauthentication. During
preauth, AD looks up accounts using the UPN - so if it hits the wrong
account, and uses the wrong password hash for validation of the Kerberos
preauth data, this may have the same effect as logging on with the wrong
password.

Here's a nice article that explains Kerberos preauthentication in more
detail: http://www.windowsitlibrary.com/Content/617/06/6.html

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, September 10, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

No, that sounds about right. 

Across two forests? Be tough for any 
administrative program to enforce uniqueness unless it was authoritative for 
both forests. That said, that's something you want your admin 
processes to compensate for and ensure that all accounts are unique across 
forests that can talk to each other.

Al


From: Guy Teverovsky
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 8:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


ok... this starts to be more interesting. If the implicit UPN is
constructed from samaccountname and AD DNS name, I do not see how
Kerberos principals could clash. This is what I initially had (names
changed to protect the innocent):

Regular account:
dn: [EMAIL PROTECTED],OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]

Supplemental account:
dn: CN=Teverovsky\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com
sAMAccountName: guysu
userPrincipalName: [EMAIL PROTECTED]

The regular account was programmatically created as disabled and was
renamed+enabled when user migrated from NT domain. Supplemental account
was created beforehand for administrative purposes (the user is member
of IT staff)

Renaming the UPN of supplemental account to [EMAIL PROTECTED] was the
fix.
Now I am totally confused and can't understand why the lockouts
happened. It is almost as if [EMAIL PROTECTED] and [EMAIL PROTECTED]
UPNs were somehow resolved to the same account.

P.S.: it's worth mentioning that the machine the user was logged on to
was in another forest which has Kerberos trust with myad.com forest.

Guy




From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 9/9/2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos

that's correct - even if you configure an additional UPN suffix for the
forest (or for an OU) and assign this to an account when you create the
account (e.g. via ADUC), every account will still have an implicit UPN
suffix that is made up of his samAccountName + the domain-suffix of his
AD domain. So even though your first user had an explicit UPN of
[EMAIL PROTECTED], he also had an implicit UPN of [EMAIL PROTECTED]

Looks like the reason for your problem was mainly caused due to the
special char in your ADM accounts (as it only used the first part of the
name to create) - or did you configure your 2nd account like this on
purpose? I assume that the accounts were created programmatically, as
the ADUC UI will check for duplicate UPNs by querying a GC - so usually
this is only a problem if accounts are created at roughly the same time
on different DCs (even in different domains). But I'm not sure if ADUC
only queries for the explicit UPN that you've assigned at creation and
ignores the implicit UPN (seems to be the case). But I'm quite sure that
this check is not performed when you programmatically add accounts to
AD.

As a result the duplicate UPNs caused a Kerberos conflict as you well
noticed - interesting to read how your users noticed this on their XP
clients. Can you elaborate on the "Once in a while..." - i.e. how
often? and did this only occur if they were also logged on as the
guy$adm at the same time? And when did the 2nd account get locked out -
at the time the kerberos ticket of #1 was getting refreshed (i.e. after
10 hours past logon of #1)? Or at logon of #1?

I'll have to check out this sort of attack a little closer...

BTW - the same risk applies with machine-accounts in AD, which register
an SPN (service principal name) that must also be unique: if they're
able to register the same name as another machine (e.g. when DDNS is
