If you use the dom admin account in that way, then yes - but of course you use service accounts instead, whose passwords are managed and changed periodically, don't you :-^
neil

---------------------------------------
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bland, Jeri
Sent: 19 September 2005 22:33
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [ActiveDir Digest]

If I change the domain admin password in AD, do I also have to change it in all the Services accounts? Do I have to change it anywhere else?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 18, 2005 11:16 PM
Subject: [ActiveDir Digest]

---------------------------------------------------------
Subject: [ActiveDir] AD & Websense
Date: Sun, 18 Sep 2005 14:25:49 +0300
From: "Saleem, Mohamed Yunus" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org

**** MIME Non-Text Attachment Skipped *****
**** MIME Non-Text Attachment Skipped *****

---------------------------------------------------------
From: "joe" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Magazines(OT)
Date: Sun, 18 Sep 2005 10:52:20 -0400
Reply-To: ActiveDir@mail.activedir.org

I used to like and read Windows NT Mag which became Windows 2000 Mag which became Windows .NET Mag which became Windows IT Pro. I stopped subscribing several years ago when the price started going through the roof as did the ratio of advertising to good content. Now I will stop by a book store occasionally and look at the magazine and if it has something I see that is useful (or if there is a writeup on one of the joeware tools) I will buy it.
I used to send in little pieces to them as well but I also stopped that when they published one of my pieces in their security newsletter instead of in the main mag. The reason I wrote it up was to get it into the main mag so people could read it and use it, the security newsletter was not just overpriced, it was ridiculously overpriced.

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, September 16, 2005 2:14 PM
To: activedirectory
Subject: [ActiveDir] Magazines(OT)

Anyone read Windows IT Pro magazine and can recommend it?
also, anyone know anything about Exchange and Outlook Administrator mag?
Why is it so pricey? Is it really worth the $129 a year? seems like a lot for 12 issues.

Thanks. I know this is really irrelevant, so thanks in advance for anyone for responding

---------------------------------------------------------
From: "joe" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.
Date: Sun, 18 Sep 2005 11:00:16 -0400
Reply-To: ActiveDir@mail.activedir.org

Yep, just populate that attribute with the proper string format of a GUID, I call it Active Directory GUID format 3. The first GUID format is actually the binary GUID like you see with objectGUID, the second GUID format is the string format sans braces ({}) like you see with the rightsGuid attribute, and the third format is the string format with braces. That is what I like about AD, the consistency.
:o)

As Michael indicated there can be multiple policies (GUIDs) set there, however it isn't comma separated. It is multivalued so each additional string GUID would have its own value. ADMOD will obviously handle this properly.

admod -b some_DN msExchPoliciesExcluded:+:{26491CFC-9E50-4857-861B-0CB8DF22B5D7}

to set or

admod -b some_DN msExchPoliciesExcluded:-:{26491CFC-9E50-4857-861B-0CB8DF22B5D7}

to clear it. Note the :+: and :-: versus :: and :-. This is because it is a multivalue attribute and there may already be other values there.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.

Isn't this simply controlled by the msExchPoliciesExcluded attribute?

The corresponding value is {26491CFC-9E50-4857-861B-0CB8DF22B5D7}. When the value is absent, then email addy generation is controlled by RUS policies. When the value is present, RUS policies have no effect.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Michael B. Smith
Sent: Thu 9/15/2005 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.

This particular attribute is a bit of a PITA and most sample programs don't handle it properly (which doesn't imply that joeware doesn't). :-)

There may be multiple policies or a single policy or no policy. The variable type is dependent on which of those is true. Further, if there is a policy (or more than one), then there can be multiple related policies in the policy-value, comma-separated.

In VBS this is somewhat lengthy to code. But certainly doable.

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 15, 2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318072

ADModify would also do this, and joeware is likely to do this as well.

Al

________________________________

From: [EMAIL PROTECTED] on behalf of Burns, Clyde
Sent: Thu 9/15/2005 8:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User attribute manipulation via vbscript question.

Can anyone tell me which attribute of a user object stores the value for "Automatically update e-mail addresses based on recipient policy" in a 2003 AD and 2003 Exchange org? Or at least point out documentation on how that value is stored in AD and manipulated via vbscript?

Thanks
Clyde Burns

---------------------------------------------------------
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.
Date: Sun, 18 Sep 2005 12:22:34 -0400
From: "Michael B. Smith" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org

Y'all are the experts, not me, but I've certainly got lots of objects that have msExchPoliciesIncluded being both multivalued and having individual values with multiple policies separated by commas.
For example (adfind output of a global security group having an Exchange e-mail address):

dn:CN=bri-consulting,CN=Users,DC=brnets,DC=local
>msExchPoliciesIncluded: {7465A59E-DA9B-452F-8ADD-031DE8890E99},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>msExchPoliciesIncluded: {6EE5D5B4-440D-4B68-A2F9-B74144969E51},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}

LDP output for the same attribute:

2> msExchPoliciesIncluded: {7465A59E-DA9B-452F-8ADD-031DE8890E99},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}; {6EE5D5B4-440D-4B68-A2F9-B74144969E51},{26491CFC-9E50-4857-861B-0CB8DF22B5D7};

I have been told, by people whom I trust to know, that this can apply to msExchPoliciesExcluded as well. If they were wrong, well so be it. But I special-case both attributes in my code in the same way because of it.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

---------------------------------------------------------
From: "joe" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] User attribute manipulation via vbscript question.
Date: Sun, 18 Sep 2005 17:00:43 -0400
Reply-To: ActiveDir@mail.activedir.org

Hmmm, in that case I change the statement

It is multivalued so each additional string GUID would have its own value.

to

It is multivalued so each additional string GUID SHould have its own value.

I was aware of the policies included piece with commas in it, it actually seems to make sense. I once sat down and looked at it and it appeared that they stuck the objectGUID of a RUS policy that applied to the object then a comma and then the GUID used in the policiesExcluded for not using the RUS. I surmised that that second GUID is simply a GUID to describe the RUS Service in AD in the event that other policy engines also used the same attribute.

For the example below, I would guess that you have two policies that apply to the object in question. Maybe an email policy and some mailbox managerial settings? Do an objectGUID search on both of the first two different GUIDs.

adfind -b "<GUID=7465A59E-DA9B-452F-8ADD-031DE8890E99>" -dn -s base

and

adfind -b "<GUID=6EE5D5B4-440D-4B68-A2F9-B74144969E51>" -dn -s base

The single value in the policiesExcluded also seems to make sense since you are disabling the processing of that object for the given policy engine. I guess they could say disable a portion of the policy engine and then have some other value in the string but I think that would have to be completely played by ear. If someone currently has a policiesExcluded with more than a single GUID in it, I would like to see the data so I could try and work out what it was doing.

If the people you trust to know are MS people, don't be upset if they don't really know. I run into that on a nearly monthly if not weekly basis with MS engineers. There is a ton to that product, there isn't anyone who knows all of it just like there isn't anyone who knows all of AD, in or outside of MS. Just this last week I ran into an Alliance PSS Tech who firmly stated that he was told in an absolute manner that an aspect of Server Side rules was handled in a specific way and I outright proved that incorrect with a very simple test. The way it was described to work made absolutely no sense to me so I pushed it and positively showed it couldn't work the way it was described. Now it is a question as to exactly how it works which is something I am working out in my lab. I have to say it is a bit more convoluted than I even expected. Anyway, back to the second topic, many times when an engineer thinks something, it is stated as a known something versus as a "I think". Everyone does it at times. My most favorite MS people are the ones who are willing to say, "hell if I know, but I will find out.".
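
Added example, not part of any message in this thread: a Python sketch that reads adfind-style output for msExchPoliciesIncluded and msExchPoliciesExcluded the way the posters describe the data (multivalued, with each value possibly holding several braced GUIDs separated by commas) and converts between the three GUID formats joe lists. The function names are hypothetical, the second object in the sample is constructed, and treating the first GUID of each included value as the policy object's objectGUID follows joe's surmise in the thread, not documentation.

```python
import re
import uuid

# Exclusion value quoted in the thread, in braced string form ("format 3").
RUS_EXCLUSION_GUID = "{26491CFC-9E50-4857-861B-0CB8DF22B5D7}"
POLICY_ATTRS = {"msExchPoliciesIncluded", "msExchPoliciesExcluded"}
_BRACED = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)

# Sample input. The first object is the adfind output posted in the thread;
# the second object is constructed for this example.
SAMPLE = """\
dn:CN=bri-consulting,CN=Users,DC=brnets,DC=local
>msExchPoliciesIncluded: {7465A59E-DA9B-452F-8ADD-031DE8890E99},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>msExchPoliciesIncluded: {6EE5D5B4-440D-4B68-A2F9-B74144969E51},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}

dn:CN=constructed-user,CN=Users,DC=example,DC=test
>objectClass: user
>msExchPoliciesExcluded: {26491CFC-9E50-4857-861B-0CB8DF22B5D7}
"""


def binary_to_braced(raw):
    """Format 1 (16 raw objectGUID bytes) -> format 3 (braced string).

    AD stores the first three GUID fields little-endian, which is the
    layout uuid.UUID(bytes_le=...) expects.
    """
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def braced_to_bind_dn(guid):
    """Format 3 -> the <GUID=...> search base used with adfind -b."""
    if not _BRACED.match(guid):
        raise ValueError("not a braced GUID string: %r" % guid)
    return "<GUID=" + guid[1:-1].upper() + ">"


def split_value(value):
    """Split one attribute value on commas and validate every GUID in it."""
    parts = [p.strip().upper() for p in value.split(",")]
    bad = [p for p in parts if not _BRACED.match(p)]
    if bad:
        raise ValueError("malformed GUID(s) in value: %r" % bad)
    return parts


def parse_adfind(text):
    """Return {dn: {attribute: [[guid, ...], ...]}} for the policy attributes."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn:"):
            current = objects.setdefault(line[3:].strip(), {})
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            if name.strip() in POLICY_ATTRS:  # skip unrelated attributes
                current.setdefault(name.strip(), []).append(split_value(value))
    return objects


def rus_excluded(attrs):
    """True if any msExchPoliciesExcluded value carries the exclusion GUID."""
    return any(RUS_EXCLUSION_GUID in v
               for v in attrs.get("msExchPoliciesExcluded", []))


def included_policy_guids(attrs):
    """First GUID of each msExchPoliciesIncluded value (assumed policy object)."""
    return [v[0] for v in attrs.get("msExchPoliciesIncluded", [])]


if __name__ == "__main__":
    for dn, attrs in parse_adfind(SAMPLE).items():
        print(dn, "excluded from RUS:", rus_excluded(attrs))
        for guid in included_policy_guids(attrs):
            print("  lookup: adfind -b", braced_to_bind_dn(guid), "-dn -s base")
```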