RE: [ActiveDir] Computer Accounts logging onto servers

2005-02-28 Thread Grillenmeier, Guido
just to clarify the machine part for Dennis: this means that some
process is either running as Local System or NT
AUTHORITY\NetworkService - this would typically be some service
installed on the machine. It is then able to leverage the
machine-account's credentials from AD to connect to resources in the
network, such as to a share of your application server.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, February 27, 2005 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer Accounts logging onto servers

That simply means a machine attached to the server across the network.
It could be anything, best thing would be to go to those machines and
try to see what they are doing or set up a network sniffer and watch the
traffic coming in from them.

In summary, could be a virus or a worm, could be something else. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Sunday, February 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer Accounts logging onto servers

I have a Sys admin who is seeing two computer accounts logging on to one
of her applications servers.  The computer account logs on with a logon
type 3 and then logs off.  This admin is thinking something nefarious is
going on, while I do not.  Does anyone know what might be causing the
computer accounts to logon to an application server?

Thanks

Dennis
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

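An added example, not code from the thread or its authors: a small triage script for the situation Dennis describes, reading Security-log records of computer-account network logons and reporting, per account, how often and from which addresses it appears. The flat record format and every record are constructed for the example.

```python
"""Triage of computer-account (machine$) network logons from Security-log records.

Added example for the thread above; not code from the list or its authors.
A Windows 2003 DC or member server logs a successful network logon as event
540 with logon type 3 (later versions: 4624). Computer accounts end in '$'
and are used by services running as Local System or NetworkService, so a
steady trickle of such logons is normally benign. The same machine account
arriving from more than one source address is worth a look, because that
account belongs to exactly one host. The flat record format and every
record below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

SAMPLE_LOG = """\
time=2005-02-27T13:40:02 event=540 type=3 user=WKS042$ domain=CORP src=10.1.0.42
time=2005-02-27T13:40:03 event=538 type=3 user=WKS042$ domain=CORP src=10.1.0.42
time=2005-02-27T13:41:10 event=540 type=3 user=ddepp domain=CORP src=10.1.0.77
time=2005-02-27T13:45:00 event=540 type=3 user=FILESRV01$ domain=CORP src=10.1.0.5
time=2005-02-27T13:50:11 event=540 type=2 user=ddepp domain=CORP src=10.1.0.77
time=2005-02-27T13:55:21 event=540 type=3 user=WKS042$ domain=CORP src=10.1.0.42
time=2005-02-27T14:02:00 event=540 type=3 user=WKS042$ domain=CORP src=10.9.9.9
"""


@dataclass
class Logon:
    time: datetime
    event_id: int
    logon_type: int
    user: str
    domain: str
    source: str


@dataclass
class AccountSummary:
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    sources: Set[str] = field(default_factory=set)


def parse_record(line: str) -> Logon:
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Logon(
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["event"]),
        logon_type=int(fields["type"]),
        user=fields["user"],
        domain=fields["domain"],
        source=fields["src"],
    )


def parse_log(text: str) -> List[Logon]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_computer_account(name: str) -> bool:
    return name.endswith("$")


def machine_network_logons(records: List[Logon]) -> List[Logon]:
    """Successful network logons (event 540, type 3) by computer accounts."""
    return [r for r in records
            if r.event_id == 540 and r.logon_type == 3 and is_computer_account(r.user)]


def summarise(records: List[Logon]) -> Dict[str, AccountSummary]:
    """Per-account count, time span and set of source addresses."""
    out: Dict[str, AccountSummary] = defaultdict(AccountSummary)
    for r in machine_network_logons(records):
        s = out[f"{r.domain}\\{r.user}"]
        s.count += 1
        s.first_seen = r.time if s.first_seen is None else min(s.first_seen, r.time)
        s.last_seen = r.time if s.last_seen is None else max(s.last_seen, r.time)
        s.sources.add(r.source)
    return dict(out)


def flag_multi_source(summary: Dict[str, AccountSummary]) -> List[str]:
    """Machine accounts seen from more than one address."""
    return sorted(name for name, s in summary.items() if len(s.sources) > 1)


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for name, s in sorted(summary.items()):
        print(f"{name}: {s.count} logons {s.first_seen:%H:%M}-{s.last_seen:%H:%M} "
              f"from {sorted(s.sources)}")
    print("review:", flag_multi_source(summary))
```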


[ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



Hi,

I have installed a CA on my PDC, and now I want to 
connect to this PDC from a different machine to change the "unicodePwd" 
attribute. I created a certificate and exported it and installed it on the 
connecting machine, but don't seem to be able to connect.

Can you tell me how I issue a certificate, and which 
certificate I should issue, to be able to connect to the PDC 
machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road, Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA


RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

2005-02-28 Thread Grillenmeier, Guido



Hello Jorge and Paul,

...but it happens on all Win95 clients?

well, first of all, it may be wise to get rid of Win95, but 
I'm sure you've been through all of that ("no time and budget to do so right 
now", "it worked before, so why shouldn't it work now", "need to get this 
working now and will fix my OS issue later")... Funny how companies 
sometimes spend thousands of dollars fixing problems that wouldn't exist if 
they spent the same money to update their systems ;-) As you know, 
I'm also currently supporting a Novell/AD migration with thousands of NT4 
clients...

Back to your problem: I hope it's fair to assume that 
you only have a limited number of Win9x machines in the environment and most 
other clients are WinNT and above, so that anything you're going to do to 
fix the Win95 issue now is of a temporary nature - correct?

If that assumption is correct, I wouldn't really do any 
more work on this to solve the issue, as you already have it solved: just re-map 
the homeshare for the Win95 clients during the execution of the login 
script. You shouldn't have an issue simply checking the OS env-variable 
and, for all clients where it is not equal to Windows_NT, unmapping and re-mapping the 
homeshare. Assuming you want to map a share that contains the 
logon-name of the user, it may be wise to pass the user's samaccount 
name as a parameter to the logon-script (as far as I recall, Win9x clients 
don't automatically get the username variable in their environment). 


/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Friday, February 25, 2005 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names


Oh,

And to add those finest little details:

Same users, same documents on Windows 98.. no problem.

Open a document with a long file name in the corresponding application, and save as under another long name.. no problem either.

Yeah, time for more beer..

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, February 25, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hi, 

During our Novell/NT4 to W2K3 migration we are experiencing a very very strange issue that we until now have not been able to solve.

The situation is:
* Homedirectory data was stored on Novell and users had an H-mapping to it
* Homedirectory data has been migrated to Windows
* Netlogon loginscript has been implemented in NT4 domain (clients/users are still in NT4 domain) and each user in NT4 has its loginscript attribute with LOGON.BAT
* The Netlogon loginscript makes an H-mapping for a user to its homedirectory on the Windows file server
* The Netlogon loginscript makes other mappings for a user to other locations on the Windows file server

The issue:
* Users can create documents with WORD on H (new document in Word and save in H) with long file names
* Users can create documents with WORD on other drives (new document in Word and save in H) with long file names
* Users can rename documents in Explorer on other drives with long file names (document with some LFN gets another LFN)

The problem:
* SOME Users (NOT ALL) CANNOT rename documents in Explorer on the H-mapping with long file names (document with some LFN gets another LFN is not possible!) It only accepts 8.3 names!!!

The VERY STRANGE ISSUES:
* If we change the H-mapping for the home directory to some other mapping (let's say T:) then the problem does not occur -- ?
* If we in the command prompt type "NET USE H: /DELETE" and after that "NET USE H: /HOME" (delete the H-mapping and create it again) the problem does not occur -- ?

WTF is this???!!! I have tried everything, at least I think I have, and it's making me nuts. Have any of you guys experienced this, or do any of you know what this is and/or how to solve this?

The workaround we have until now is that we've sent those users a batch file that recreates the H-mapping, but I would like to solve this by making it work in the loginscript.

I'm going to get a beer and play some darts. Hope you guys can help. Thanks in advance. Have a nice weekend!

Regards, 
Jorge 



Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



Hi,

I tried to generate a certificate using the w2k CA, 
but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is 
not able to connect to the server using this certificate.

The name of the PDC is "kaling" in the domain 
"meta.test". But this machine is accessible from outside (eg. from my machine) 
as "kaling.persistent.co.in".

Is there anything I must take care of while generating the 
certificate?

Regards,
Mayuresh.

  - Original Message - 
  From: Mayuresh Kshirsagar 
  To: activeDir@mail.activedir.org 
  Sent: Monday, February 28, 2005 1:51 PM
  Subject: [ActiveDir] Problem using Certificates to connect to AD machine
  
  Hi,
  
  I have installed a CA on my PDC, and now I want 
  to connect to this PDC from a different machine to change the "unicodePwd" 
  attribute. I created a certificate and exported it and installed it on the 
  connecting machine, but don't seem to be able to connect.
  
  Can you tell me how I issue a certificate, and which 
  certificate I should issue, to be able to connect to the PDC 
  machine?
  
  Thanks.
  
  Mayuresh Kshirsagar
  Persistent Systems Pvt. Ltd.,
  402E, Bhageerath, Senapati Bapat Road, Pune - 16.
  Phone: 020-25602983
  Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA




[ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread Mikael Håkansson
I'm working on an application for listing contacts and address lists
in Active Directory. But I get an error every time I execute a query.

I'm using the DirectoryServices namespace in .NET (which encapsulates
the Active Directory Service Interfaces) to communicate with Active
Directory.

1. I bind to the RootDSE object to retrieve the DN of the
configuration container and the root domain.
  According to the log file, I get:
  Configuration container: DC=configuration,DC=myDomain,DC=com
  Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the
address lists (using the DirectorySearcher with the filter
(&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))

... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property.
  (this gives me the path: LDAP://DC=myDomain,DC=com;)
  This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against
Active Directory.
(the query is taken from the currently selected address list)

Whenever I execute a query, I get an exception:
-2147016661  A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server
does not exist), but it doesn't add up since
I'm able to connect and retrieve the address lists.

I have set the option to follow all referrals (subordinate & external).

Does anyone know what might be wrong?
I'm pretty convinced it is not a programming error. Probably just my
lack of knowledge regarding Active Directory :)

Thanks


RE: [ActiveDir] Win 2003 DC behind firewall

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
I think you might want to investigate using a VPN to connect your DC to the
other DCs.  

http://infosecuritymag.techtarget.com/2003/mar/surgeongeneral.shtml

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

A couple of words of caution.  By default, AD Replication and FRS operations are
optimized for LAN-based operation, not WAN.  There are no control panel
applets for controlling AD Replication & RPC behavior.  The only tools you
have are registry settings, KB articles and white papers.  (As well as the
MS diagnostic tools, and third-party tools like AD Troubleshooter)

You also should be aware that AD Replication traffic and Kerberos use UDP
by default.  I have encountered situations where all the ports are open and
working, but trusts keep breaking, and replication keeps failing.  This is
usually due to UDP traffic getting fragmented.  If you encounter this, you
will want to force Kerberos and AD to use TCP packets.

I have spoken to the MS AD Firewall PM about this.  MSFT seems to think
registry modification is good enough in these situations.  I am on them to
change this in Longhorn.  

I would also like to see the replication protocol have some built-in
diagnostics that throw more descriptive events when they encounter
replication problems that are the result of firewall and RPC issues.
  
You might want to run this by MSFT before you implement it, to see what
their support will cover, because when you encounter problems, they are going
to be the only ones that will be able to really assist you.

Thanks,

Todd Myrick
MS MVP Directory Services


-Original Message-
From: Chris Gauch [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 27, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DC behind firewall

We currently run 4 Windows 2003 domain controllers on our network(s), all 4
of which are on different public networks (we own several IP blocks as we
are an ISP).  We'd like to place one of the DCs behind our Sonicwall to
serve as a DC/global catalog for all of the servers within the NAT'ed
environment, as we've run into odd issues mapping drives, etc. with the
servers behind the firewall (obviously this is caused by DNS issues).
Additionally, we'd like this DC to act as an internal DNS server for the
NAT'ed network behind the firewall.  The problem we've faced with DNS is
that our NAT'ed servers publish their private IP addresses on the public
DCs; we'd like to set up a configuration where our NAT'ed servers publish
ONLY to the internal/NAT'ed DC, and the public addresses that have been set
up for IP forwarding (behind the firewall) are published to the public DCs
(running DNS).

I guess I'm just looking for tips/advice for how to best go about running a
single Windows 2003 domain across both public and private networks with
regards to the situation above.  Thanks in advance for any input.

- Chris


--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
[EMAIL PROTECTED]



[ActiveDir] AD User Export and Import

2005-02-28 Thread Santhosh Sivarajan




Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one 
forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option 
because we are going to merge both forests in 2 weeks. During this 2-week 
period, we need to sync both GALs. Is there a way I can copy the GAL between the 
forests and schedule the task? 

Thanks in advance!


RE: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread joe
1. Cool

2. Your search should use objectcategory, not objectclass. 

3a. Ok 

3b. What exactly is the query? The rest of the stuff building up to it isn't
throwing the referral, the query you neglect to show is. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 4:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A referral was returned from the server when
executing a query.

I'm working on an application for listing contacts and address lists in
Active Directory. But I get an error every time I execute a query.

I'm using the DirectoryServices namespace in .NET (which encapsulates the
Active Directory Service Interfaces) to communicate with Active Directory.

1. I bind to the RootDSE object to retrieve the DN of the configuration
container and the root domain.
  According to the log file, I get:
  Configuration container: DC=configuration,DC=myDomain,DC=com
  Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the address
lists (using the DirectorySearcher with the filter
(&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))

... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property.
  (this gives me the path: LDAP://DC=myDomain,DC=com;)
  This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against
Active Directory.
(the query is taken from the currently selected address list)

Whenever I execute a query, I get an exception:
-2147016661  A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server does not
exist), but it doesn't add up since I'm able to connect and retrieve the
address lists.

I have set the option to follow all referrals (subordinate & external).

Does anyone know what might be wrong?
I'm pretty convinced it is not a programming error. Probably just my lack of
knowledge regarding Active Directory :)

Thanks


RE: [ActiveDir] AD User Export and Import

2005-02-28 Thread joe



Yes, it requires you writing a script to export mailbox 
enabled users from both forests, then create mail-enabled contacts in the other 
forest. This could get involved if you have naming collisions. It could 
take 2 weeks just to work the script out so it doesn't cause more issues than it 
helps. It depends on what you are starting with.

You could look for another third party tool to buy as 
well, but not sure you would want to do that for 2 
weeks.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import


Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one 
forest and import them into the second forest as 
contacts. Unfortunately, IIFP is not an option because we are going to merge 
both forests in 2 weeks. During this 2-week period, we need to sync both GALs. 
Is there a way I can copy the GAL between the forests and schedule the task? 


Thanks in advance!


RE: [ActiveDir] AD User Export and Import

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
You might look at the AD toolkit from www.javelinasoftware.com if you
want to manually do it.



Quest / Aelita have a tool called
collaboration services that syncs GALs. http://wm.quest.com/products/collaborationservicesexchange/



Todd Myrick

MVP Directory Services

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import

Good morning,



I have 2 AD 2003 forests with Ex2003. We need to export all the users
from one forest and import them into the second forest
as contacts. Unfortunately, IIFP is not an option because we are going to merge
both forests in 2 weeks. During this 2-week period, we need to sync both GALs.
Is there a way I can copy the GAL between the forests and schedule the task? 



Thanks in advance!


RE: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread joe



Slow down. This isn't the instant email AD support hotline. 
You sent the message when most of the people who tend to 
respond to things are offline. If you see it goes a couple of days without a response, 
then it is probably good to ping the list asking if anyone has seen 
it.

In the meanwhile, have you referred to the MS websites 
on certs? Read the white papers and related docs? You were unaware of the 
cert requirement for an LDAP update at all until I responded Saturday with a 
fairly well known KB article that you could have found through 
Google.

Unless you are doing this from a non-windows machine, also 
consider alternative mechanisms for changing passwords that don't require the 
cert and ssl connection as well. 

joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message - 
  From: Mayuresh Kshirsagar 
  To: Siddharth Sawkar 
  Cc: activeDir@mail.activedir.org 
  Sent: Monday, February 28, 2005 2:06 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine
  
  Hi,
  
  I tried to generate a certificate using the w2k 
  CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS 
  server) is not able to connect to the server using this 
  certificate.
  
  The name of the PDC is "kaling" in the domain 
  "meta.test". But this machine is accessible from outside (eg. from my machine) 
  as "kaling.persistent.co.in".
  
  Is there anything I must take care of while generating the 
  certificate?
  
  Regards,
  Mayuresh.
  
- Original Message - 
From: Mayuresh Kshirsagar 
To: activeDir@mail.activedir.org 
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I have installed a CA on my PDC, and now I want 
to connect to this PDC from a different machine to change the "unicodePwd" 
attribute. I created a certificate and exported it and installed it on the 
connecting machine, but don't seem to be able to connect.

Can you tell me how I issue a certificate, and which 
certificate I should issue, to be able to connect to the PDC 
machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road, Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA


RE: [ActiveDir] AD User Export and Import

2005-02-28 Thread Robert Bobel
It is my understanding that you can
download the free MIIS Identity Integration Feature Pack for this purpose.



http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en

http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/galsynchstep.mspx



Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 28, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD User Export and Import

Yes, it requires you writing a script to
export mailbox enabled users from both forests, then create mail-enabled
contacts in the other forest. This could get involved if you have naming
collisions. It could take 2 weeks just to work the script out so it
doesn't cause more issues than it helps. It depends on what you are starting
with.



You could look for another third party
tool to buy as well, but not sure you would want to do that for 2
weeks.



 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import



Good morning,



I have 2 AD 2003 forests with Ex2003. We need to export all the users
from one forest and import them into the second forest
as contacts. Unfortunately, IIFP is not an option because we are going to merge
both forests in 2 weeks. During this 2-week period, we need to sync both GALs.
Is there a way I can copy the GAL between the forests and schedule the task? 



Thanks in advance!


RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

2005-02-28 Thread Jorge de Almeida Pinto



Hi Guido,
See inline answers.
We are not going to put more time in this as we are not able to find the problem. Last week we had a user where it first did not work and a day later it did work (nothing changed as far as I know). For those where it still does not work we provided a batch file to re-create the H-mapping after the user has logged on.
Greetz,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, February 28, 2005 9:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hello Jorge and Paul,

...but it happens on all Win95 clients?
ANSWER: that's the funny part... NO, not on all Win95 clients

well, first of all, it may be wise to get rid of 
Win95, but I'm sure you've been through all of that ("no time and budget to do 
so right now", "it worked before, so why shouldn't it work now", "need to get 
this working now and will fix my OS issue later")... Funny how companies 
sometimes spend thousands of dollars fixing problems that wouldn't exist if 
they spent the same money to update their systems ;-) As you know, 
I'm also currently supporting a Novell/AD migration with thousands of NT4 
clients...
ANSWER: I know what you mean, that companies sometimes believe that it's cheaper to screw around and keep the old crap running than implementing a new clean system. In the short term that might be true, but in the long term the money that was used to keep the old crap running could be used to implement a new system and afterwards to have a huge party! ;-))
At the same time we're migrating from the client/server concept to the SBC concept. Users on Win95/98 have apps installed locally. In time, local apps (I mean the exe that starts the app) are de-installed and they receive their new version app through Citrix. When all apps are almost done

Back to your problem: I hope it's fair to assume that you only have a limited number of Win9x machines in the environment and most other clients are WinNT and above, so that anything you're going to do to fix the Win95 issue now is of a temporary nature - correct?
ANSWER: it's the other way around. Mostly W95/98 and some NT based systems (WNT/W2K/WXP)

If that assumption is correct, I wouldn't really do any more work on this to solve the issue, as you already have it solved: just re-map the homeshare for the Win95 clients during the execution of the login script. You shouldn't have an issue simply checking the OS env-variable and, for all clients where it is not equal to Windows_NT, unmapping and re-mapping the homeshare. Assuming you want to map a share that contains the logon-name of the user, it may be wise to pass the user's samaccount name as a parameter to the logon-script (as far as I recall, Win9x clients don't automatically get the username variable in their environment).
ANSWER: That's the fun part... it's the mapping that is created through the loginscript (NET USE H: /HOME) that sometimes does not allow renaming to an LFN. After the user has logged on and executes "NET USE H: /DELETE && NET USE H: /HOME" the problem disappears. If I map the home directory in the loginscript to another DRIVE it works without the error!!!??? Fun ain't it?

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Friday, February 25, 2005 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names


Oh,

And to add those finest little details:

Same users, same documents on Windows 98.. no problem.

Open a document with a long file name in the corresponding application, and save as under another long name.. no problem either.

Yeah, time for more beer..

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, February 25, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hi, 

During our Novell/NT4 to W2K3 migration we are experiencing a very very strange issue that we until now have not been able to solve.

The situation is:
* Homedirectory data was stored on Novell and users had an H-mapping to it
* Homedirectory data has been migrated to Windows
* Netlogon loginscript has been implemented in NT4 domain (clients/users are still in NT4 domain) and each user in NT4 has its loginscript attribute with LOGON.BAT
* The Netlogon loginscript makes an H-mapping for a user to its homedirectory on the Windows file server
* The Netlogon loginscript makes other mappings for a user to other locations on the Windows file server

The issue:
* Users can create documents with WORD on H (new document in Word and save in H) with long file names
* Users can create documents with WORD on other drives (new document in Word and save in H) with long

Re: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread Mikael Håkansson
Any query throws the referral exception.

Like 

(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=contact)) )) which is from the
All Contacts address list.

or

(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)
))
which is from the Default Global Address list.

Any ideas are welcome =)

Mikael Håkansson

On Mon, 28 Feb 2005 08:50:43 -0500, joe [EMAIL PROTECTED] wrote:
 1. Cool
 
 2. Your search should use objectcategory, not objectclass.
 
 3a. Ok
 
 3b. What exactly is the query? The rest of the stuff building up to it isn't
 throwing the referral, the query you neglect to show is.
 
  joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
 Sent: Monday, February 28, 2005 4:10 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] A referral was returned from the server when
 executing a query.
 
 I'm working on an application for listing contacts and address lists in
 Active Directory. But I get an error every time I execute a query.
 
 I'm using the DirectoryServices namespace in .NET (which encapsulates the
 Active Directory Service Interfaces) to communicate with Active Directory.
 
 1. I bind to the RootDSE object to retrieve the DN of the configuration
 container and the root domain.
  According to the log file, I get:
  Configuration container: DC=configuration,DC=myDomain,DC=com
  Root Domain: DC=myDomain,DC=com
 
 2. I connect to the configuration container and retrieve all the address
 lists (using the DirectorySearcher with the filter
 (&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))
 
 ... so far so good ...
 
 3. I then connect using the value from the rootDomainNamingContext property.
  (this gives me the path: LDAP://DC=myDomain,DC=com;)
  This works fine.
 
 ... Now the problem begins ...
 
 I use the .NET DirectorySearcher class to execute an LDAP query against
 Active Directory.
 (the query is taken from the currently selected address list)
 
 Whenever I execute a query, I get an exception:
 -2147016661  A referral was returned from the server
 
 This is usually an indication that the DN is wrong (i.e. the server does not
 exist), but it doesn't add up since I'm able to connect and retrieve the
 address lists.
 
 I have set the option to follow all referrals (subordinate & external).
 
 Does anyone know what might be wrong?
 I'm pretty convinced it is not a programming error. Probably just my lack of
 knowledge regarding Active Directory :)
 
 Thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] Disabling Inactive Users

2005-02-28 Thread Mulnick, Al
Any other times that you know of?  Outlook wouldn't be a simple bind (I hope
not anyway!!).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

lastLogon isn't updated during a simple bind.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 23, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

One of the things mentioned in this thread was that lastLogon doesn't get
updated in all cases even if the user object is used for authentication.


I'm very interested in knowing under what circumstances this can occur and
why lastLogon wouldn't update when a user authenticates. From some off-line
conversations, one example might be when they use Outlook with the prompt
for credentials option.  I would suspect that if a user object that lives in
AD authenticates from an NT 4 domain that this might be possible as well.

I'm also interested in what would be a true indicator of the credentials
being used.

My expectation is that any time a credential is used, lastlogon should get
updated and that lastlogonTimeStamp would get updated every 7 days and
replicated out. I would appreciate hearing the details if possible. 


Anyone?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Wednesday, February 23, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

James,

I would like to just expand a little on what Gil said about Javelina's
product (http://www.javelinasoftware.com/). AD Toolkit is the Hyena of
reporting / bulk AD administration tools. It is extremely useful and has the
ability to schedule the execution of reports and bulk administration. It can
also be customized relatively quickly and distributed to data administrators
so they can only do certain AD functions and are limited to what they can
modify on AD objects.

One report that comes canned with the tool is a report that identifies
accounts based on last login date. With some work, I think you could
automate a process that would report on this, and then you could use the
report to bulk deactivate accounts and move them.

I encourage everyone to evaluate the tool and make their own conclusions,
but it is extremely powerful and useful.

Todd Myrick

MVP

From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

AFAIK there's no GPO setting to do this. Most people run a script
periodically or use a 3rd-party tool like Javelina.

-g


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 22, 2005 1:56 PM
To: ActiveDir@Mail.ActiveDir.org
Subject: [ActiveDir] Disabling Inactive Users

Is there a GPO setting (or some other path) to disable inactive users after
a specified period of time?  In other words, I'd like to automatically
disable Joe User if he has not logged on in more than 90 days.

Thanks,
James R. Rogers 

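James's question and Al's follow-up about when lastLogon can be trusted come together in the check a scheduled script would have to make before disabling anything. The following is an added example, not code from the thread or from any product named in it: it evaluates constructed sample accounts from lastLogon (per DC, never replicated), lastLogonTimestamp (replicated, but by default only rewritten when the stored value is more than 14 days old, per msDS-LogonTimeSyncInterval) and whenCreated, against a 90-day threshold. The record layout, the function names and the two-DC sample are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel AD stores in some time attributes for "never"
# lastLogonTimestamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so it can trail the real logon.
LOGON_TIMESTAMP_SLACK = timedelta(days=14)
# Reference "now" for the constructed data: the date of this thread.
NOW = datetime(2005, 2, 28, tzinfo=UTC)


def filetime_to_datetime(ft):
    """Convert an AD large-integer timestamp (100 ns ticks since 1601) to UTC."""
    if not ft or ft == NEVER:
        return None  # 0 or absent: no logon recorded in this attribute
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def last_activity(account):
    """Return (basis, when) for the newest logon evidence available."""
    best = None
    # lastLogon is never replicated: every DC has to be asked and the newest
    # value taken, otherwise a user who authenticates at another site looks idle.
    for dc, ft in account["lastLogon"].items():
        when = filetime_to_datetime(ft)
        if when is not None and (best is None or when > best[1]):
            best = ("lastLogon@" + dc, when)
    llts = filetime_to_datetime(account.get("lastLogonTimestamp"))
    if llts is not None and (best is None or llts > best[1]):
        best = ("lastLogonTimestamp", llts)
    if best is None:
        # No logon recorded anywhere: age the account from its creation time so
        # a freshly created account is not disabled before its owner first uses it.
        best = ("whenCreated", account["whenCreated"])
    return best


def assess(account, now=NOW, threshold_days=90):
    """Decide whether one account is stale; returns a small report dict."""
    basis, when = last_activity(account)
    idle = now - when
    if basis == "lastLogonTimestamp":
        # Only replicated evidence was found: the real logon may be up to one
        # sync interval later, so do not disable on the strength of it alone.
        idle -= LOGON_TIMESTAMP_SLACK
    return {
        "sAMAccountName": account["sAMAccountName"],
        "basis": basis,
        "days_idle": (now - when).days,
        "stale": idle > timedelta(days=threshold_days),
    }


def stale_accounts(accounts, now=NOW, threshold_days=90):
    """Names of the accounts a scheduled job would disable and move."""
    return [r["sAMAccountName"]
            for r in (assess(a, now, threshold_days) for a in accounts)
            if r["stale"]]


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=UTC))


# Constructed sample records, as if lastLogon had been collected from two DCs.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "whenCreated": datetime(2001, 3, 1, tzinfo=UTC),
     "lastLogon": {"dc1": _ft(2004, 10, 15), "dc2": _ft(2004, 9, 1)},
     "lastLogonTimestamp": _ft(2004, 10, 3)},
    {"sAMAccountName": "asmith", "whenCreated": datetime(2002, 5, 6, tzinfo=UTC),
     "lastLogon": {"dc1": 0, "dc2": _ft(2005, 2, 20)},
     "lastLogonTimestamp": _ft(2005, 1, 1)},
    {"sAMAccountName": "newhire", "whenCreated": datetime(2005, 2, 25, tzinfo=UTC),
     "lastLogon": {"dc1": 0, "dc2": 0}, "lastLogonTimestamp": 0},
    {"sAMAccountName": "ghost", "whenCreated": datetime(2004, 6, 1, tzinfo=UTC),
     "lastLogon": {"dc1": 0, "dc2": 0}, "lastLogonTimestamp": 0},
    # Logs on at a DC that was not polled: only the replicated value is visible.
    {"sAMAccountName": "roamer", "whenCreated": datetime(2003, 1, 1, tzinfo=UTC),
     "lastLogon": {"dc1": 0, "dc2": 0},
     "lastLogonTimestamp": _ft(2004, 11, 25)},
]

if __name__ == "__main__":
    for rec in (assess(a) for a in SAMPLE_ACCOUNTS):
        print(rec)
    print("would disable:", stale_accounts(SAMPLE_ACCOUNTS))
```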


[ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Tim Foster

I want to grant some users the right to unlock workstations
in a W2K3 domain. I have scanned through Group Policy and I can't
seem to find the appropriate setting to do this. Is this a right that is
automatically granted to one of the Built-In groups? If so, which
one? It seems overkill to have to add users to the Administrators group
to get this right.

Thanks in advance for any help the list can give.

Tim


RE: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread Mulnick, Al
Can you include the code snippet where this occurs?

Have you tried using an alternate tool (LDP or Joe's ADFIND) to validate
that you don't get the same results from those tools?

Is this a single domain forest that you're testing in? 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A referral was returned from the server when
executing a query.

Any query throws the referral exception.

Like 

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))
which is from the All Contacts address list.

or

(&(mailnickname=*)(|
(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
(&(objectCategory=person)(objectClass=contact))
(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)
))
which is from the Default Global Address List.

Any ideas are welcome =)

Mikael Håkansson

On Mon, 28 Feb 2005 08:50:43 -0500, joe [EMAIL PROTECTED] wrote:
 1. Cool
 
 2. Your search should use objectcategory, not objectclass.
 
 3a. Ok
 
 3b. What exactly is the query? The rest of the stuff building up to it 
 isn't throwing the referral, the query you neglect to show is.
 
  joe
 
 


RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)

Account Operators Local Group, I think.
Must use ADUC; you might have to grant permissions to the group if inheritance
is blocked on some OUs.

Todd Myrick


RE: [ActiveDir] AD User Export and Import

2005-02-28 Thread Jerry Welch

Santhosh,

If you would like to download our SimpleSync product from
www.CPS-Systems.com you can use it in a 'test' mode for two weeks. Should
take less than an hour to implement a 2-way synchronization.

If you would like to discuss please give me a call.

Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import


Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one
forest and import them into the second forest as contacts. Unfortunately, IIFP
is not an option because we are going to merge both forests in 2 weeks. During
this 2-week period, we need to sync both GALs. Is there a way I can copy the
GAL between the forests and schedule the task?

Thanks in advance!


RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread joe

If you mean unlock the console of a machine locked by a user, I think you
have to be an administrator on that machine. It doesn't take any domain-level
permissions except being an authenticatable user unless the machine someone
wants to unlock is a DC, at which point they have to be an admin of the DCs.

 joe





RE: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread joe
Hopefully JoeK will swing by shortly to say his piece on the NET call.

For the queries below, unless you want them scoped at a specific domain
anyway, consider querying a GC since all of those attribs are in the GC.

  joe




Re: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread Mikael Håkansson
Well, this is the problem... I don't really know.
This module is a part of a bigger application, and the error occurs on
one of the customers' networks. I assume there are several forests
since it's a big company (world-wide). Unfortunately, I can't run any
test with e.g. LDP since they do not allow any test on their live
environment. I was hoping that someone might have an idea what could
cause a problem like this.

Code snippet:
Dim de As New DirectoryEntry("LDAP://" & m_sRootDomain)
Dim dsDirSearcher As New DirectorySearcher(de)
Dim src As SearchResultCollection

dsDirSearcher.Filter = m_AddressBook.Filter
dsDirSearcher.SizeLimit = Options.MaxHits
' PropertiesToLoad is a read-only StringCollection, so it is filled, not assigned
dsDirSearcher.PropertiesToLoad.AddRange(m_arrProperties)
dsDirSearcher.ReferralChasing = ReferralChasingOption.All
dsDirSearcher.SearchScope = SearchScope.Subtree
dsDirSearcher.CacheResults = True

src = dsDirSearcher.FindAll()   ' <-- boom, this is where it all goes to h***

Regarding Joe's post about the GC:
which attributes are stored in the GC? I need to retrieve information
like phone numbers, name, address, mail etc.

These are the attributes I'm interested in:
givenName,sn,title,mail,company,department,info,whenChanged,physicalDeliveryOfficeName,whenCreated,userPrincipalName,targetaddress,Street,l,postalCode,c,st,telephoneNumber,facsimileTelephoneNumber,otherFacsimileTelephoneNumber,homePhone,otherHomePhone,mobile,otherMobile,otherTelephone,distinguishedname

Mikael


[ActiveDir] Lee Jessup is out of the office.

2005-02-28 Thread Lee Jessup

I will be out of the office starting  02/28/2005 and will not return until 03/04/2005.

I will respond to your message when I return.

Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Steve Patrick

If you installed the CA on the PDC then did you install it as an Enterprise CA?

If this is a production environment you should really understand the PKI
needs for your company currently, and any future plans.

In a nutshell you need a Domain Controller cert or Server Auth cert on the DC
with the FQDN of the DC in the Subject field.

Your clients need to be able to resolve the FQDN and be able to reach the CDP
locations you specified when setting up the CA (defaults are LDAP and HTTP
paths to the CA itself).

Clients also need to have the Root CA cert in the Trusted Roots store so the
cert chains up correctly.

good luck!

steve



  - Original Message -
  From: joe
  To: ActiveDir@mail.activedir.org
  Sent: Monday, February 28, 2005 5:58 AM
  Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

  Slow down. This isn't the instant email AD support hotline. You sent the
  message when most of the people are offline that tend to respond to things.
  If you see it goes a couple of days without a response, then it is probably
  good to ping the list asking if anyone has seen it.

  In the meanwhile, have you referred to the MS websites on certs? Read the
  white papers and related docs? You were unaware of the cert requirement for
  an LDAP update at all until I responded Saturday with a fairly well known KB
  article that you could have found through google.

  Unless you are doing this from a non-windows machine, also consider
  alternative mechanisms for changing passwords that don't require the cert
  and ssl connection as well.

  joe

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
  Sent: Monday, February 28, 2005 8:34 AM
  To: Siddharth Sawkar
  Cc: activeDir@mail.activedir.org
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine
  
  any views?
  
  - Original Message -
  From: Mayuresh Kshirsagar
  To: Siddharth Sawkar
  Cc: activeDir@mail.activedir.org
  Sent: Monday, February 28, 2005 2:06 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  Hi,

  I tried to generate a certificate using the w2k CA, but somehow, I am not
  able to correctly generate one. The s/w (CP MDS server) is not able to
  connect to the server using this certificate.

  The name of the PDC is "kaling" in the domain "meta.test". But this machine
  is accessible from outside (eg. from my machine) as "kaling.persistent.co.in".

  Anything I must take care of while generating the certificate?

  Regards,
  Mayuresh.

  - Original Message -
  From: Mayuresh Kshirsagar
  To: activeDir@mail.activedir.org
  Sent: Monday, February 28, 2005 1:51 PM
  Subject: [ActiveDir] Problem using Certificates to connect to AD machine

  Hi,

  I have installed a CA on my PDC, and now I want to connect to this PDC from
  a different machine to change the "unicodePwd" attribute. I created a
  certificate and exported it and installed it on the connecting machine, but
  don't seem to be able to connect.

  Can you tell me how I issue, and which certificate I should issue, to be
  able to connect to the PDC machine?

  Thanks.

  Mayuresh Kshirsagar
  Persistent Systems Pvt. Ltd.,
  402E, Bhageerath, Senapati Bapat Road, Pune - 16.
  Phone: 020-25602983
  Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th,
  Santa Clara, CA


Re: [ActiveDir] A referral was returned from the server when executing a query.

2005-02-28 Thread Mikael Håkansson
Ok, thanks.

I will check this immediately :)

Mikael

On Mon, 28 Feb 2005 10:25:50 -0500, Mulnick, Al [EMAIL PROTECTED] wrote:
 I would expect the error to occur in the part of the code that makes the
 search request.  src = dsDirSearcher.FindAll()
 
 The referral may be occurring because of a multi-domain environment.  You're
 making a call to the directory looking for objects that exist in one domain
 while the string you are using to connect may be the root domain instead.
 
 You can debug that by writing out your variables and strings to see what the
 exact query string is (I like to write out the query string exactly as it's
 called to make sure I'm not making a syntax error).  When you posted here,
 you cleaned it up, but look again to make sure that the domain you're trying
 to query against is the domain your app lives in.  This one m_sRootDomain
 would be an interesting string/var to know the value of at runtime.
 
 As Joe mentioned, the GC is likely a better bet to use since you won't have
 to worry about domain location as much.  The GAL is made up of attributes
 that are in the GC since it needs to be global anyway.  Microsoft put the
 GAL attributes into the GC so you can find all users globally in a forest
 and that is presented back to you as an Address List. You can find out
 exactly which attributes get put there from MSDN by looking at the Exchange
 attributes.
 
 
 Al
 
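joe's point about keying on objectCategory and Al's point that the GAL attributes live in the GC both come down to knowing exactly what a filter touches. The following is an added example, not code from the thread or from .NET: a small RFC 4515 filter parser in Python that lists the attributes a filter references (the list to check against the GC partial attribute set before re-pointing the search at a GC) and flags filters that key on objectClass alone. The sample filters are the thread's own, with the '&' operators the list archive stripped put back; the function names are assumptions made for the example.

```python
import re

# attribute, comparison operator, value (a raw ')' never occurs inside a value)
_ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)
_WS = re.compile(r"\s*")


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples: ("&"|"|", children),
    ("!", [child]) or ("item", attr, kind, value); kind is "present",
    "substring", "=", ">=", "<=" or "~=". Raises ValueError if malformed."""
    node, end = _parse(text, 0)
    end = _skip_ws(text, end)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}")
    return node


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _skip_ws(s, i):
    # whitespace between components is tolerated; inside a value it is data
    return _WS.match(s, i).end()


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _parse(s, i):
    i = _expect(s, _skip_ws(s, i), "(")
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while True:
            i = _skip_ws(s, i)
            if i < len(s) and s[i] == ")":
                return (op, children), i + 1
            child, i = _parse(s, i)
            children.append(child)
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), _expect(s, _skip_ws(s, i), ")")
    # simple item: a ')' inside a value must be escaped as \29 (RFC 4515),
    # so the first raw ')' terminates the item
    j = s.find(")", i)
    if j < 0:
        raise ValueError(f"unterminated item at offset {i}")
    m = _ITEM_RE.match(s[i:j])
    if not m:
        raise ValueError(f"malformed item {s[i:j]!r} at offset {i}")
    attr, op, value = m.groups()
    kind = ("present" if value == "*" else "substring" if "*" in value else "=") if op == "=" else op
    return ("item", attr, kind, value), j + 1


def items(node):
    """Yield (attribute, kind, value) for every simple item in the tree."""
    if node[0] == "item":
        yield node[1:]
    else:
        for child in node[1]:
            yield from items(child)


def attributes(node):
    """Attribute names the filter references."""
    return {attr for attr, _, _ in items(node)}


def lint(node):
    """joe's advice as a check: key on objectCategory, not objectClass alone."""
    names = {a.lower() for a in attributes(node)}
    if "objectclass" in names and "objectcategory" not in names:
        return ["keys on objectClass only; objectCategory is single-valued and indexed, so add it or use it instead"]
    return []


# The thread's filters with the '&' operators the list archive stripped put
# back: the step-2 address-list lookup and the two address-list filters.
ADDRESS_LIST_FILTER = ("(&(|(objectClass=addressBookContainer)"
                       "(objectClass=msExchOAB))(purportedSearch=*))")
ALL_CONTACTS_FILTER = ("(&(mailnickname=*)"
                       "(|(&(objectCategory=person)(objectClass=contact))))")
DEFAULT_GAL_FILTER = (
    "(&(mailnickname=*)(|"
    "(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))(objectCategory=group)"
    "(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))")

if __name__ == "__main__":
    for f in (ADDRESS_LIST_FILTER, ALL_CONTACTS_FILTER, DEFAULT_GAL_FILTER):
        print(sorted(attributes(parse_filter(f))), lint(parse_filter(f)))
```

Run against the All Contacts filter exactly as the archive rendered it (with the '&' missing), is_valid_filter returns False, which is the first thing to rule out when a pasted filter misbehaves.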

[ActiveDir] Change the Password Error Message

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
Is it possible to change the error message you get when you set a password
to something that isn't compliant with the password policy?  A couple of
people on my team think it is a registry setting in NT 4.

Thanks,

Todd Myrick  


RE: [ActiveDir] Change the Password Error Message

2005-02-28 Thread joe
Nope.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message

Is it possible to change the error message you get when you set a password
to something that isn't compliant to the password policy.  A couple of
people on my team think it is a registry setting in NT 4.

Thanks,

Todd Myrick  


RE: [ActiveDir] Change the Password Error Message

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
Actually, I did find a KB that pointed to a hotfix that addresses the issue
slightly.

http://support.microsoft.com/?kbid=821425

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Nope.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message

Is it possible to change the error message you get when you set a password
to something that isn't compliant to the password policy.  A couple of
people on my team think it is a registry setting in NT 4.

Thanks,

Todd Myrick  


RE: [ActiveDir] Change the Password Error Message

2005-02-28 Thread joe
Yep, the good fix would be able to specify exactly the text of the message.
This has been one of the banes against deploying custom password filters for
years and years and has forced people into building or buying custom
packages that send people to special web sites prior to the system expiring
their password or having special client apps on the workstations to do the
work and display the correct message.


  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Actually, I did find a KB that pointed to a hotfix that addresses the issue
slightly.

http://support.microsoft.com/?kbid=821425

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Nope.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message

Is it possible to change the error message you get when you set a password
to something that isn't compliant to the password policy.  A couple of
people on my team think it is a registry setting in NT 4.

Thanks,

Todd Myrick  


RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread James_Day
Hi Tim

We have some users who were delegated the right to do this.  The delegation
wizard will not do it but you can change the security settings on the OU or
domain to allow specific groups / users the right without making them part
of any elevated group.

1. On the Object tab, find Apply onto: click on the down arrow to find
User objects (last entry).

2. In the Permissions: window find Reset Password (2nd from the
bottom), check the Allow box.

3. Click on the Properties tab, find Apply onto: click on the down arrow
to find User objects (last entry).

4. In the Permissions: window check the Allow box for the following 4
permissions. (Permissions are more or less alphabetical, look about 1/3
down the list.)

  Read lockoutTime
  Write lockoutTime
  Read pwdLastSet
  Write pwdLastSet



Remark: The user who is given this permission will not be able to unlock
any user that does not have "Inherit from parent the permission entries that
apply to child objects" checked under the Security tab in a user's
properties.


This came out of the MS KB article
  http://support.microsoft.com/?kbid=294952

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: Myrick, Todd (NIH/CC/DNA) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/28/2005 09:30 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right

Account Operators Local Group I think.  Must use ADUC; you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick


From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right

I want to grant some users the right to unlock workstations in a W2K3
domain.  I have scanned through Group Policy and I can't seem to find the
appropriate setting to do this.  Is this a right that is automatically
granted to one of the Built-In groups?  If so, which one?  It seems
overkill to have to add users to the Administrators group to get this
right.

Thanks in advance for any help the list can give.

Tim
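
James's four ACEs, scripted. This is an added example, not code from the list post or from KB 294952; it assumes the ActiveDirectory PowerShell module, and the OU distinguished name and group name in it are placeholders. Rather than hard-coding GUIDs, it resolves the Reset Password control access right from the Extended-Rights container and the user, lockoutTime and pwdLastSet GUIDs from the schema, applies the ACEs so they inherit to descendant user objects (the "Apply onto: User objects" choice in ADUC), reads them back, and then lists users under the OU that block inheritance, which his remark says will not pick up the delegation. As his follow-up notes, this delegates account unlock and password reset, not unlocking a locked workstation console.

```powershell
# Added example: delegate account unlock / password reset on one OU.
# Placeholders: $OuDN and $GroupName. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$OuDN      = 'OU=Staff,DC=example,DC=com'   # placeholder OU to delegate on
$GroupName = 'Helpdesk-Unlock'              # placeholder group receiving the rights

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from this forest's schema and Extended-Rights container
# instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ControlRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ControlRightGuid 'Reset Password'

$sid      = (Get-ADGroup -Identity $GroupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rpwp     = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# "Apply onto: User objects" on the OU == inherit to descendant objects of class user
$onUsers  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # Steps 1-2: Reset Password control access right
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extRight, $allow, $resetPwd, $onUsers, $userClass)
    # Steps 3-4: Read/Write lockoutTime and Read/Write pwdLastSet
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rpwp, $allow, $lockoutTime, $onUsers, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rpwp, $allow, $pwdLastSet, $onUsers, $userClass)
)

$acl = Get-Acl -Path "AD:\$OuDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Read back what was written for the group
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Users below the OU that block inheritance will not receive these ACEs
Get-ADUser -SearchBase $OuDN -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName
```

The last query is the practical check for the remark in the post: any DN it prints has "Inherit from parent" cleared, so the delegated group will not be able to unlock that account until inheritance is restored or the same ACEs are written on the object directly.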

RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread James_Day
Sorry, ignore my last post completely - I read that as unlock user right,
not the unlock workstation.

I think Joe is correct - I believe only admins on the machine can unlock
computers.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/28/2005 09:42 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right

If you mean unlock the console of a machine locked by a user, I think you
have to be an administrator on that machine. It doesn't take any domain
level permissions except being an authenticatable user unless the machine
someone wants to unlock is a DC, at which point they have to be an admin of
the DCs.

  joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right

Account Operators Local Group I think.  Must use ADUC; you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick


From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right

I want to grant some users the right to unlock workstations in a W2K3
domain.  I have scanned through Group Policy and I can't seem to find the
appropriate setting to do this.  Is this a right that is automatically
granted to one of the Built-In groups?  If so, which one?  It seems
overkill to have to add users to the Administrators group to get this
right.

Thanks in advance for any help the list can give.


RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Tim Foster
Thanks for the input from all.

Sorry to not be clear - I meant unlock workstations.  Thanks, Joe, for pointing 
out that I meant local admins group on the workstation.  I was hoping that I 
could be a bit more granular in assigning this right - i.e. just the right to 
unlock the workstation instead of being a local administrator.

Maybe I'll have to think again - maybe force logoff outside of office hours 
instead of allowing the workstation to lock.

Tim   

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unlock Workstation User Right

Sorry, ignore my last post completely - I read that as unlock user right,
not the unlock workstation.

I think Joe is correct - I believe only admins on the machine can unlock
computers.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/28/2005 09:42 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right

If you mean unlock the console of a machine locked by a user, I think you
have to be an administrator on that machine. It doesn't take any domain
level permissions except being an authenticatable user unless the machine
someone wants to unlock is a DC, at which point they have to be an admin of
the DCs.

  joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right

Account Operators Local Group I think.  Must use ADUC; you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick


From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right

I want to grant some users the right to unlock workstations in a W2K3
domain.  I have scanned through Group Policy and I can't seem to find the
appropriate setting to do this.  Is this a right that is automatically
granted to one of the Built-In groups?  If so, which one?  It seems
overkill to have to add users to the Administrators group to get this
right.

Thanks in advance for any help the list can give.



Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



This is the error number I am able to see.

session=3741BE8 cannot negotiate SSL security error 8048

Can you speculate what this means?

  - Original Message -
  From: Steve Patrick
  To: ActiveDir@mail.activedir.org
  Sent: Monday, February 28, 2005 9:03 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  If you installed the CA on the PDC then did you install it as an Enterprise CA?
  If this is a production environment you should really understand the PKI needs for your company currently, and any future plans.
  In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field.
  Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself).
  Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

  good luck!

  steve
  
  
  
- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.

In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google.

Unless you are doing this from a non-windows machine, 
also consider alternative mechanisms for changing passwords that don't 
require the cert and ssl connection as well. 

joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
  From: Mayuresh Kshirsagar
  To: Siddharth Sawkar
  Cc: activeDir@mail.activedir.org
  Sent: Monday, February 28, 2005 2:06 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  Hi,

  I tried to generate a certificate using the w2k CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate.
  
  The name of the PDC is "kaling" in the domain 
  "meta.test". But this machine is accessible from outside (eg. from my 
  machine) as "kaling.persistent.co.in".
  
  Any thing I must take care while generating 
  the certificate?
  
  Regards,
  Mayuresh.
  
- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect.

Can you tell me how to issue, and which certificate I should issue, to be able to connect to the PDC machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road, Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA


RE: [ActiveDir] Change the Password Error Message

2005-02-28 Thread joe
You as an MVP have a mechanism to submit this request. :o)

Something bug  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Thanks Joe,

I think my main point was to make sure there wasn't a way to specify it
without modifying MSgina.dll on all workstations and servers.  

With MS Identity Management push in Longhorn, maybe we can sway them to
allow for more customized account management operations / jobs.  

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Yep, the good fix would be able to specify exactly the text of the message.
This has been one of the banes against deploying custom password filters for
years and years and has forced people into building or buying custom
packages that send people to special web sites prior to the system expiring
their password or having special client apps on the workstations to do the
work and display the correct message.


  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Actually, I did find a KB that pointed to a hotfix that addresses the issue
slightly.

http://support.microsoft.com/?kbid=821425

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Nope.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message

Is it possible to change the error message you get when you set a password
to something that isn't compliant to the password policy.  A couple of
people on my team think it is a registry setting in NT 4.

Thanks,

Todd Myrick  


Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



I generated this certificate from the CA and it 
says, it doesn't have enough information to verify this 
certificate!

I generated a new certificate from 
"Personal-certificate" from Certificate snap-in. Then copied this 
certificate onto my machine and installed it here under the "Trusted Root 
Certification Authorities" store. But am still not able to connect.

:-(

  - Original Message -
  From: Mayuresh Kshirsagar
  To: ActiveDir@mail.activedir.org
  Sent: Monday, February 28, 2005 11:33 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  This is the error number I am able to see.

  session=3741BE8 cannot negotiate SSL security error 8048

  Can you speculate what this means?
  
    - Original Message -
    From: Steve Patrick
    To: ActiveDir@mail.activedir.org
    Sent: Monday, February 28, 2005 9:03 PM
    Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

    If you installed the CA on the PDC then did you install it as an Enterprise CA?
    If this is a production environment you should really understand the PKI needs for your company currently, and any future plans.
    In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field.
    Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself).
    Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

    good luck!

    steve



  - Original Message -
  From: joe
  To: ActiveDir@mail.activedir.org
  Sent: Monday, February 28, 2005 5:58 AM
  Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

  Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.

  In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google.
  
  Unless you are doing this from a non-windows machine, 
  also consider alternative mechanisms for changing passwords that don't 
  require the cert and ssl connection as well. 
  
  joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
  Sent: Monday, February 28, 2005 8:34 AM
  To: Siddharth Sawkar
  Cc: activeDir@mail.activedir.org
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine
  
  any views?
  
  - Original Message -
    From: Mayuresh Kshirsagar
    To: Siddharth Sawkar
    Cc: activeDir@mail.activedir.org
    Sent: Monday, February 28, 2005 2:06 PM
    Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

    Hi,

    I tried to generate a certificate using the w2k CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate.

The name of the PDC is "kaling" in the 
domain "meta.test". But this machine is accessible from outside (eg. 
from my machine) as "kaling.persistent.co.in".

Any thing I must take care while generating 
the certificate?

Regards,
Mayuresh.

  - Original Message -
  From: Mayuresh Kshirsagar
  To: activeDir@mail.activedir.org
  Sent: Monday, February 28, 2005 1:51 PM
  Subject: [ActiveDir] Problem using Certificates to connect to AD machine

  Hi,

  I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect.

  Can you tell me how to issue, and which certificate I should issue, to be able to connect to the PDC machine?

  Thanks.

  Mayuresh Kshirsagar
  Persistent

Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



I also see that the certificate that I see from right clicking the CA is as attached. But when I check using a utility from my machine, I see the following information:

Subject name: CN=kaling.meta.test
Issuer name : C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test
Valid from (dd/mm/): 25/03/2004
Valid to (dd/mm/): 25/03/2006

Which is not matching.

How can I correct this?

  - Original Message -
  From: Mayuresh Kshirsagar
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, March 01, 2005 1:30 AM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  I generated this certificate from the CA and it says it doesn't have enough information to verify this certificate!

  I generated a new certificate from "Personal-certificate" from Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect.

  :-(
  
    - Original Message -
    From: Mayuresh Kshirsagar
    To: ActiveDir@mail.activedir.org
    Sent: Monday, February 28, 2005 11:33 PM
    Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

    This is the error number I am able to see.

    session=3741BE8 cannot negotiate SSL security error 8048

    Can you speculate what this means?

  - Original Message -
  From: Steve Patrick
  To: ActiveDir@mail.activedir.org
  Sent: Monday, February 28, 2005 9:03 PM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  If you installed the CA on the PDC then did you install it as an Enterprise CA?
  If this is a production environment you should really understand the PKI needs for your company currently, and any future plans.
  In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field.
  Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself).
  Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

  good luck!

  steve
  
  
  
    - Original Message -
    From: joe
    To: ActiveDir@mail.activedir.org
    Sent: Monday, February 28, 2005 5:58 AM
    Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

    Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.

    In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google.

    Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

    joe



    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
    Sent: Monday, February 28, 2005 8:34 AM
    To: Siddharth Sawkar
    Cc: activeDir@mail.activedir.org
    Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

    - Original Message -
      From: Mayuresh Kshirsagar
      To: Siddharth Sawkar
      Cc: activeDir@mail.activedir.org
      Sent: Monday, February 28, 2005 2:06 PM
      Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

      Hi,

      I tried to generate a certificate using the w2k CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate.

      The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg. from my machine) as "kaling.persistent.co.in".

      Any thing I must take care while generating the certificate?
  
  Regards,
  Mayuresh.
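
Steve's checklist, tested from the client's side. This is an added example and not code from the thread; it assumes the client can reach the DC on TCP 636 and that the name passed in is the one the LDAPS client actually connects with (on this page that is kaling.persistent.co.in, while the certificate subject is CN=kaling.meta.test). The function completes the TLS handshake while recording what the Windows validator would have rejected it for, then reports the subject, SAN, issuer and expiry, and separates a name mismatch (the certificate does not carry the name the client uses) from a chain problem (the issuing CA is not in the client's Trusted Root store, or the CDP listed in the certificate cannot be reached).

```powershell
# Added example: inspect the certificate an LDAPS client is offered by a DC.
# $DcFqdn is the name the failing client really connects with.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [int]$Port = 636
    )
    # Records what the platform validator reported; a hashtable so the
    # callback closure can update it.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = {
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        return $true    # finish the handshake so the certificate can be inspected
    }.GetNewClosure()

    # Fails right here if the client cannot resolve the FQDN (Steve's second point).
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }

        # Rebuild the chain locally to get the reason (untrusted root, CRL unreachable, ...)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($cert)
        $chainStatus = if ($chain.ChainStatus) {
            ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        } else { 'OK' }

        [pscustomobject]@{
            ConnectedAs    = $DcFqdn
            Subject        = $cert.Subject
            SubjectAltName = if ($san) { $san } else { '(none)' }
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            NameMismatch   = $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            ChainErrors    = $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
            ChainStatus    = $chainStatus
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage, with the external name from the thread:
Test-LdapsCertificate -DcFqdn 'kaling.persistent.co.in'
```

For the case on the page, NameMismatch comes back True because neither the subject nor a SAN carries kaling.persistent.co.in; a ChainErrors result with UntrustedRoot in ChainStatus is what the missing Root CA entry in the client's Trusted Roots store looks like. The DC must be issued a certificate whose subject or SAN includes every name clients connect with, and the client must trust the CA that issued it.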

RE: [ActiveDir] DEC questions

2005-02-28 Thread Kevin Sullivan








Hi Dave,

This will be my fourth DEC and every one has been worth it. I think I have learned more at this conference than any other I have attended. It is very focused, intimate and full of some incredibly interesting people who are out there doing it.

The content ranges in complexity but almost all is going to be accessible if you have been working with AD for years. What helps at this show is after the talk you are having conversations with attendees who can clarify topics based on their own experiences as well as provide tips on how it may be applicable to your situation.

Like Joe mentioned the ability to have candid conversations with people from Microsoft is also incredibly valuable. There are a slew of Microsoft people there and they are all focused on Directories and surrounding technologies.

The networking outside of the Microsoft people is also a great value.

Oh yeah, occasionally watching hung over people try to pay attention to deep DNS discussions is sort of fun as well <G>. Being a hung over person trying to pay attention to deep DNS discussions, well, that is not quite as fun!

I hope to see you there.

Kevin











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, February 24, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DEC questions

Hi all,

Hope you don't mind these...

My company has considered the idea of sending a couple of us to the conference, but are wondering if they should use our vouchers to have us attend some AD troubleshooting workshops [by Microsoft] instead. While I don't know any specific details as to what that entails, we've also never been to one of these DECs! Our managers have asked us to justify in writing what we think we'll get out of this conference, and if it will prove more worthwhile than the MS offering (again - sorry that I don't know exactly *what* that is).

Myself? I have 4+ years in a live AD environment, and can honestly say that some of what I've seen written on this list zooms high overhead (!), while other stuff falls right in line, so am hoping that I would be a good candidate to attend.

I see many testimonials, etc... on the conf. website, so just hoping to get any brief thoughts from anyone - with many thanks in advance!

-DaveC

Reuters AITS Infrastructure


RE: [ActiveDir] Lee Jessup is out of the office.

2005-02-28 Thread Kingslan, Rick T.








Well - great, Lee. Have a safe Holiday and we'll be happy to hear from you when you return.

:oP

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee Jessup
Sent: Monday, February 28, 2005 9:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lee Jessup is out of the office.

I will be out of the office starting 02/28/2005 and will not return until 03/04/2005.

I will respond to your message when I return.



Re: [ActiveDir] Problem using Certificates to connect to AD machine

2005-02-28 Thread Mayuresh Kshirsagar



One more thing I noticed here is that it is using the cert which was installed a long while ago. But after that, the CA was installed/uninstalled several times, and new certificates were issued, but still it is using the same cert?

  - Original Message -
  From: Mayuresh Kshirsagar
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, March 01, 2005 1:44 AM
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

  I also see that the certificate that I see from right clicking the CA is as attached. But when I check using a utility from my machine, I see the following information:

  Subject name: CN=kaling.meta.test
  Issuer name : C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test
  Valid from (dd/mm/): 25/03/2004
  Valid to (dd/mm/): 25/03/2006

  Which is not matching.

  How can I correct this?
  
    - Original Message -
    From: Mayuresh Kshirsagar
    To: ActiveDir@mail.activedir.org
    Sent: Tuesday, March 01, 2005 1:30 AM
    Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

    I generated this certificate from the CA and it says it doesn't have enough information to verify this certificate!

    I generated a new certificate from "Personal-certificate" from Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect.

    :-(

  - Original Message - 
  From: 
  Mayuresh Kshirsagar 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, February 28, 2005 11:33 
  PM
  Subject: Re: [ActiveDir] Problem 
  using Certificates to connect to AD machine
  
  This is the error number I am able to 
  see.
  
  session=3741BE8 cannot negotiate SSL security 
  error 8048
  
  Can you speculate what this 
  means?
  
- Original Message - 
From: 
Steve Patrick 
To: ActiveDir@mail.activedir.org 

Sent: Monday, February 28, 2005 
9:03 PM
Subject: Re: [ActiveDir] Problem 
using Certificates to connect to AD machine

If you installed the CA on the PDC then did 
you install it as an Enterprise CA?
If this is a production environment you 
should really understand the PKI needs for your company 
currently, and any future plans.
In a nutshell you need a Domain Controller 
cert or Server Auth cert on the DC with the FQDN of the DC in 
the Subject field.
Your clients need to be able to 
resolve the FQDN and be able to reach the CDP locations you specified 
when setting up the CA (defaults are LDAP and HTTP paths to the CA 
itself).
Clients also need to have the Root CA 
cert in the Trusted Roots store so the cert chains up 
correctly.

good luck!

steve



  - Original Message - 
  From: 
  joe 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, February 28, 2005 
  5:58 AM
  Subject: RE: [ActiveDir] Problem 
  using Certificates to connect to AD machine
  
  Slow down. This isn't the instant 
  email AD support hotline. You 
  sent the message when most of the people are offline that tend to 
  respond to things. If you see it goes a couple of days without a 
  response, then it is probably good to ping the list asking if anyone 
  has seen it.
  
  In the meanwhile, have you referred to 
  the MS websites on certs? Read the white papers and related docs? 
  You were unaware of the cert requirement for an LDAP update at all 
  until I responded Saturday with a fairly well known KB article that 
  you could have found through google.
  
  Unless you are doing this from a 
  non-windows machine, also consider alternative mechanisms for changing 
  passwords that don't require the cert and ssl connection as well. 
  
  
  joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
  Sent: Monday, February 28, 2005 8:34 AM
  To: Siddharth Sawkar
  Cc: activeDir@mail.activedir.org
  Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine
  
  any views?
  
  - Original Message - 
  
From: 
Mayuresh 
Kshirsagar 
To: Siddharth Sawkar 
Cc: activeDir@mail.activedir.org 

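
The three requirements Steve lists (the DC's FQDN in the Subject or SAN, a chain that reaches a Root CA the client trusts, and a certificate that is currently valid) can be checked from the client side before blaming the CA. The following is an added example written for this page, not code from the thread or from any Microsoft tool. The sample certificate dictionary reuses the subject and validity dates Mayuresh posted; the times of day, the SAN entry and the issuer layout are constructed for the example, and `fetch_dc_cert` assumes a DC name and a Root CA PEM file path that you supply.

```python
import socket
import ssl


def names_from_cert(cert):
    """DNS names a certificate is valid for, taken from the dict that
    ssl.SSLSocket.getpeercert() returns: subjectAltName DNS entries first,
    then the subject commonName (what Steve calls the Subject field)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def epoch(cert_time):
    """Seconds since the epoch for an OpenSSL-style time string such as
    'Mar 25 23:59:59 2006 GMT' (the notBefore/notAfter format in getpeercert())."""
    return ssl.cert_time_to_seconds(cert_time)


def check_dc_cert(cert, dc_fqdn, now):
    """Return a list of problems with a DC certificate; an empty list means the
    name and validity period are fine. `now` is seconds since the epoch, so the
    check can be run offline against a saved certificate."""
    problems = []
    names = names_from_cert(cert)
    if not any(name.lower() == dc_fqdn.lower() for name in names):
        problems.append("FQDN %s is not among the certificate names %s" % (dc_fqdn, names))
    if now < epoch(cert["notBefore"]):
        problems.append("certificate is not yet valid (notBefore %s)" % cert["notBefore"])
    if now > epoch(cert["notAfter"]):
        problems.append("certificate expired (notAfter %s)" % cert["notAfter"])
    return problems


def fetch_dc_cert(dc_fqdn, root_ca_pem, port=636, timeout=5.0):
    """Open an LDAPS connection to the DC and return its certificate dict.

    The context trusts only root_ca_pem (the Root CA certificate Steve says
    every client needs in its trusted store) and requires the presented name
    to match dc_fqdn, so a chain that does not reach that root or a name
    mismatch raises ssl.SSLError / ssl.CertificateError instead of silently
    succeeding. Needs network access; dc_fqdn and root_ca_pem are assumptions
    you fill in for your own forest."""
    ctx = ssl.create_default_context(cafile=root_ca_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout, using the subject and validity
# dates from the thread; the times of day and the SAN entry are made up here.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "kaling.meta.test"),),),
    "issuer": (
        (("countryName", "IN"),),
        (("localityName", "Pune"),),
        (("organizationName", "PSPL"),),
        (("organizationalUnitName", "support"),),
        (("commonName", "meta-test"),),
    ),
    "subjectAltName": (("DNS", "kaling.meta.test"),),
    "notBefore": "Mar 25 00:00:00 2004 GMT",
    "notAfter": "Mar 25 23:59:59 2006 GMT",
}


if __name__ == "__main__":
    # Offline check of the sample as seen in mid-2005 and again in 2007.
    for when in ("Jun 15 12:00:00 2005 GMT", "Jan 01 00:00:00 2007 GMT"):
        print(when, check_dc_cert(SAMPLE_DC_CERT, "kaling.meta.test", epoch(when)) or "OK")
```

`check_dc_cert` only covers the name and dates; the chain itself is what `fetch_dc_cert` tests by handing the Root CA to the context, which is the client-side equivalent of having it in the Trusted Root store. A client that can pass this check but still cannot bind is then worth investigating for CDP reachability and the LDAP client's own trust settings, rather than the certificate.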

[ActiveDir] GPO List

2005-02-28 Thread Noah Eiger
Hi -
 
Can anyone point me to a comprehensive list of the GPO options on a standard
2003 install? I have an Excel sheet that I downloaded from MS some years
ago, but it is for 2000 only. 
 
This actually leads to another question: how do admins track their policies
and links? I have been using this sheet (all options down the left) with
each GPO/linked object across the top. Any better ideas?
 
Thanks.
attachment: winmail.dat

RE: [ActiveDir] GPO List

2005-02-28 Thread Jorge de Almeida Pinto

Hi,


See http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14=en (Group Policy Settings Reference for .adm files and Security Settings included with Windows XP Professional Service Pack 2)

This includes all Administrative Template policy settings supported on the following operating systems: Microsoft Windows Server(tm) 2003, Windows XP Professional with SP2 or earlier service packs, and Microsoft Windows 2000 with Service Pack 4 or earlier service packs

To manage GPOs there are some third party tools (Quest, etc.), but MS also has a free GPO tool (Group Policy Management Console) that has great capabilities. Check it out at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Cheers
Jorge


-Original Message-
From: Noah Eiger
To: ActiveDir@mail.activedir.org
Sent: 2/28/2005 10:34 PM
Subject: [ActiveDir] GPO List


Hi -

Can anyone point me to a comprehensive list of the GPO options on a
standard 2003 install? I have an Excel sheet that I downloaded from MS
some years ago, but it is for 2000 only. 

This actually leads to another question: how do admins track their
policies and links? I have been using this sheet (all options down the
left) with each GPO/linked object across the top. Any better ideas?

Thanks.




This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



[ActiveDir] Querying for all users

2005-02-28 Thread Alex Fontana

Is there any attribute that is unique to real user accounts
only (mail enabled and non-mail enabled)? We tried teaming up objectclass=user
and givenname=*, but of course not all users have to have a given name. Then
tried teaming up the objectclass with useraccountcontrol=5*, then we found out
about the 66048's and 262656's... damn them. So, is there an
ldap query that will give me all enabled active directory user accounts? Most
likely it's so simple I would never have even thought about it.



TIA

Alex. 


RE: [ActiveDir] Querying for all users

2005-02-28 Thread Jorge de Almeida Pinto
Hi,

The following should return all user accounts (DNs only)

ADFIND -dn -b dc=joehome,dc=net -f (&(objectcategory=person)(samaccountname=*))

Cheers
Jorge


-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 2/28/2005 11:48 PM
Subject: [ActiveDir] Querying for all users

Is there any attribute that is unique to real user accounts only (mail
enabled and non-mail enabled)?  We tried teaming up objectclass=user and
givenname=*, but of course not all users have to have a given name.
Then tried teaming up the objectclass with useraccountcontrol=5*, then
we found out about the 66048's and 262656's... damn them.  So, is there an
ldap query that will give me all enabled active directory user accounts?
Most likely it's so simple I would never have even thought about it.

 

TIA

Alex. 

 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Querying for all users

2005-02-28 Thread Sakari Kouti



Hi Alex,

The following filter might be right for 
you:

(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))

Yours, Sakari

PS. 
This gives the same result as Jorge's filter, which he just sent, but mine looks 
cooler :-)


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
  Sent: Tuesday, March 01, 2005 12:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Querying for all users
  
  
  Is there any attribute that is 
  unique to real user accounts only (mail enabled and non-mail enabled)? 
  We tried teaming up objectclass=user and givenname=*, but of course not all 
  users have to have a given name. Then tried teaming up the objectclass 
  with useraccountcontrol=5*, then we found out about the 66048's and 
  262656's... damn them. So, is there an ldap query that will give me all 
  enabled active directory user accounts? Most likely it's so simple I 
  would never have even thought about it.
  
  TIA
  Alex. 

  


RE: [ActiveDir] Querying for all users

2005-02-28 Thread Alex Fontana

Lol



Dang! Always forget about the objectcategory
attrib.



Thanks guys!

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, February 28, 2005
3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying
for all users

Hi Alex,



The following filter might be right for
you:



(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))



Yours, Sakari

PS.
This gives the same result as Jorge's filter, which he just sent, but mine looks
cooler :-)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, March 01, 2005
12:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for
all users

Is there any attribute that is unique to real user accounts
only (mail enabled and non-mail enabled)? We tried teaming up
objectclass=user and givenname=*, but of course not all users have to have a
given name. Then tried teaming up the objectclass with
useraccountcontrol=5*, then we found out about the 66048's and
262656's... damn them. So, is there an ldap query that will
give me all enabled active directory user accounts? Most likely
it's so simple I would never have even thought about it.



TIA

Alex. 

RE: [ActiveDir] Querying for all users

2005-02-28 Thread joe



A couple of different ways

adfind -bit -b dc=domain,dc=com -f 
"(&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2)))"

adfind -bit -b dc=domain,dc=com -f 
"(&(objectcategory=person)(samaccountname=*)(!(useraccountcontrol:AND:=2)))"

adfind -bit -b dc=domain,dc=com -f 
"(&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2)))"


The tricky part is your 
requirement of being ENABLED. The only way to do that is to make sure the 
disabled flag is not set in the useraccountcontrol. That will seriously slow 
down the query.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Monday, February 28, 2005 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users


Is there any attribute that is 
unique to real user accounts only (mail enabled and non-mail enabled)? We 
tried teaming up objectclass=user and givenname=*, but of course not all users 
have to have a given name. Then tried teaming up the objectclass with 
useraccountcontrol=5*, then we found out about the 66048's and 262656's... damn 
them. So, is there an ldap query that will give me all enabled active 
directory user accounts? Most likely it's so simple I would never have 
even thought about it.

TIA
Alex. 

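
Why the filters in this thread behave the way they do: userAccountControl is a bit mask, so an equality test on 512 only matches accounts with no other flag set (66048 is 512 + 65536 DONT_EXPIRE_PASSWD, 262656 is 512 + 262144 SMARTCARD_REQUIRED), while the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803, which adfind's -bit switch lets you write as :AND:) tests individual bits. The following is an added example written for this page, not code from the thread or from adfind. It evaluates the equality approach, Sakari's and Jorge's filters, and joe's enabled-only form against a handful of constructed directory entries (the names and DNs are fictional; the flag and sAMAccountType constants are the real AD values) so you can see which entries each one returns.

```python
# Flag bits of userAccountControl used in the thread (real AD values).
UF_ACCOUNTDISABLE = 0x0002              # 2
UF_NORMAL_ACCOUNT = 0x0200              # 512
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, computer accounts
UF_DONT_EXPIRE_PASSWD = 0x10000         # 65536  -> 512 + 65536 = 66048
UF_SMARTCARD_REQUIRED = 0x40000         # 262144 -> 512 + 262144 = 262656

# sAMAccountType values (real AD values) behind joe's third filter.
SAM_NORMAL_USER_ACCOUNT = 805306368     # 0x30000000
SAM_MACHINE_ACCOUNT = 805306369         # 0x30000001

UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]      # computer is a subclass of user
CONTACT_CLASSES = ["top", "person", "organizationalPerson", "contact"]


def entry(dn, category, classes, sam, uac, sam_type):
    return {"dn": dn, "objectCategory": category, "objectClass": classes,
            "sAMAccountName": sam, "userAccountControl": uac, "sAMAccountType": sam_type}


# Constructed directory entries with fictional names; the uac values are the
# ones Alex ran into plus a disabled account, a contact and a workstation.
ENTRIES = [
    entry("CN=Alex,OU=Users,DC=domain,DC=com", "person", USER_CLASSES, "alex", 512, SAM_NORMAL_USER_ACCOUNT),
    entry("CN=Backup Svc,OU=Users,DC=domain,DC=com", "person", USER_CLASSES, "svc-backup", 66048, SAM_NORMAL_USER_ACCOUNT),
    entry("CN=Jorge,OU=Users,DC=domain,DC=com", "person", USER_CLASSES, "jorge", 262656, SAM_NORMAL_USER_ACCOUNT),
    entry("CN=Old Hire,OU=Users,DC=domain,DC=com", "person", USER_CLASSES, "oldhire", 514, SAM_NORMAL_USER_ACCOUNT),
    entry("CN=Old Svc,OU=Users,DC=domain,DC=com", "person", USER_CLASSES, "svc-old", 66050, SAM_NORMAL_USER_ACCOUNT),
    entry("CN=Vendor Contact,OU=Users,DC=domain,DC=com", "person", CONTACT_CLASSES, None, None, None),
    entry("CN=WS01,CN=Computers,DC=domain,DC=com", "computer", COMPUTER_CLASSES, "WS01$", 4096, SAM_MACHINE_ACCOUNT),
]


def bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803, adfind :AND:):
    true when every bit of mask is set in value. An absent attribute never
    matches, so (!(userAccountControl:AND:=2)) is true for a contact."""
    return value is not None and (value & mask) == mask


def equality_512(entries):
    """(&(objectClass=user)(userAccountControl=512)): plain integer equality,
    so 66048 and 262656 are missed, and a wildcard like 5* is not a bit test either."""
    return [e["dn"] for e in entries
            if "user" in e["objectClass"] and e["userAccountControl"] == UF_NORMAL_ACCOUNT]


def sakari_filter(entries):
    """(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))"""
    return [e["dn"] for e in entries
            if e["objectCategory"] == "person"
            and bit_and(e["userAccountControl"], UF_NORMAL_ACCOUNT)]


def jorge_filter(entries):
    """(&(objectcategory=person)(samaccountname=*)): contacts drop out because
    they have no sAMAccountName, computers because their category is computer."""
    return [e["dn"] for e in entries
            if e["objectCategory"] == "person" and e["sAMAccountName"] is not None]


def joe_enabled_users(entries):
    """(&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2))): joe's third
    form, the only one of these that also requires the account to be enabled."""
    return [e["dn"] for e in entries
            if e["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
            and not bit_and(e["userAccountControl"], UF_ACCOUNTDISABLE)]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


if __name__ == "__main__":
    for label, fn in (("=512", equality_512), ("803:=512", sakari_filter),
                      ("samaccountname=*", jorge_filter), ("enabled only", joe_enabled_users)):
        print("%-18s %d entries" % (label, len(fn(ENTRIES))))
    for uac in (66048, 262656, 66050):
        print(uac, "=", " | ".join(decode_uac(uac)))
```

On these entries Sakari's and Jorge's filters return the same five accounts, including the two disabled ones, which is the point joe makes: "enabled" has to be expressed as the disabled bit not being set, and that is the extra clause in his filters.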


RE: [ActiveDir] Querying for all users

2005-02-28 Thread Saleem, Mohamed Yunus

Hi All



Is there a way that I can know which users
have logged on to which DC?

On individual client PCs, if I type the set command
I will know the logon server. But this is a huge burden. If there is a command in AD
that can tell me which users have logged on to which DC, this will help me to
isolate user logon delays and authentication.

Thanks & Have a Wonderful Day

Mohamed Yunus Saleem 
System & Network Specialist - IT Dept.
Royal Commission for Jubail Project. 
Jubail Industrial City. 
Tel: +966-3-3414213 
E-mail: [EMAIL PROTECTED] 
Web: www.rcjubail.gov.sa

[ActiveDir] lsass.exe hogs my domain controller cpu

2005-02-28 Thread Sharif Naser

Hello experts,



Lsass.exe hogs my domain controller's CPU (99%). What could be the reason for this, and how do I
get rid of this problem?

Machine was started twice but the problem still persists.

By the way, the machine has Windows 2000 Advanced Server with SP4.



Regards,



DISCLAIMER:This electronic message transmission contains information from Qatar Steel Company (QASCO) which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. Be aware that any disclosure, copying, distribution or use of the contents of this information, including attachments, is prohibited without the written consent of Qatar Steel Company (QASCO).

RE: [ActiveDir] Querying for all users

2005-02-28 Thread Jorge de Almeida Pinto



Yeah, enable auditing on each DC 
through the DDC-GPO and then suck out the security log of each DC. One of the 
free tools to do this is EventComb from MS.
Regards,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saleem, Mohamed Yunus
Sent: Tuesday, March 01, 2005 05:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users


Hi All

Is there a way that I can know which users have logged on to which DC?

On individual client PCs, if I type the set command I will know the logon server. But this 
is a huge burden. If there is a command in AD that can tell me which users have logged on 
to which DC, this will help me to isolate user logon delays and 
authentication.

Thanks & Have a Wonderful Day
Mohamed Yunus Saleem 
System & Network Specialist - IT Dept.
Royal Commission for Jubail Project. 
Jubail Industrial City. 
Tel: +966-3-3414213 
E-mail: [EMAIL PROTECTED] 
Web: www.rcjubail.gov.sa


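
Turning the per-DC security logs Jorge describes into the "which user authenticated on which DC" view Mohamed asked for. This is an added example written for this page, not EventComb or any other Microsoft tool. It assumes you have already exported the Account Logon events from each DC into a simple CSV with the DC name in the first column; the column layout and every event row below are constructed for the example. On Windows 2000/2003 DCs the successful Kerberos and NTLM authentications are event IDs 672 and 680, and the 675 row (a failed Kerberos pre-authentication) is there to show that failures are filtered out.

```python
import csv
import io
from collections import defaultdict

# Successful Account Logon events on a Windows 2000/2003 DC; the DC that logs
# one of these is the DC that actually authenticated the user.
ACCOUNT_LOGON_SUCCESS = {672: "Kerberos AS ticket granted", 680: "NTLM logon"}

# Constructed export: one row per event, as if pulled from each DC's security
# log and concatenated with the DC name prepended.
SAMPLE_EXPORT = """\
dc,event_id,account,time
DC1,672,alex,2005-02-28T08:01:12
DC1,672,jorge,2005-02-28T08:02:40
DC2,680,alex,2005-02-28T08:05:03
DC2,672,mohamed,2005-02-28T08:07:19
DC1,675,alex,2005-02-28T08:09:00
DC3,680,mohamed,2005-02-28T09:12:44
DC3,672,alex,2005-02-28T09:20:10
"""


def parse_export(text):
    """Yield dict rows with event_id as int and the account lower-cased, so
    'Alex' and 'alex' from different DCs collapse into one user."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"dc": row["dc"], "event_id": int(row["event_id"]),
               "account": row["account"].lower(), "time": row["time"]}


def successful_logons(rows):
    """Keep only the events that mean the DC really authenticated the user."""
    return [r for r in rows if r["event_id"] in ACCOUNT_LOGON_SUCCESS]


def users_by_dc(rows):
    """{dc: sorted list of accounts it authenticated}"""
    out = defaultdict(set)
    for r in successful_logons(rows):
        out[r["dc"]].add(r["account"])
    return {dc: sorted(users) for dc, users in out.items()}


def dcs_by_user(rows):
    """{account: {dc: number of successful authentications}}; a user spread
    over several DCs is the first thing to look at for logon delays."""
    out = defaultdict(lambda: defaultdict(int))
    for r in successful_logons(rows):
        out[r["account"]][r["dc"]] += 1
    return {user: dict(counts) for user, counts in out.items()}


def latest_dc(rows):
    """{account: (dc, time)} of the most recent successful authentication,
    the DC-side view of what LOGONSERVER shows in `set` on the client."""
    out = {}
    for r in sorted(successful_logons(rows), key=lambda r: r["time"]):
        out[r["account"]] = (r["dc"], r["time"])
    return out


if __name__ == "__main__":
    rows = list(parse_export(SAMPLE_EXPORT))
    for dc, users in sorted(users_by_dc(rows).items()):
        print(dc, ", ".join(users))
    for user, (dc, when) in sorted(latest_dc(rows).items()):
        print(user, "last authenticated by", dc, "at", when)
```

The ISO-8601 timestamps sort lexically, which is why `latest_dc` can sort on the string; if your export keeps the event viewer's locale format, convert it before sorting.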


RE: [ActiveDir] lsass.exe hogs my domain controller cpu

2005-02-28 Thread Jorge de Almeida Pinto



See the following if it 
applies:
http://support.microsoft.com/Default.aspx?kbid=842382
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Tuesday, March 01, 2005 08:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] lsass.exe hogs my domain controller cpu


Hello 
experts,

Lsass.exe hogs my domain controller's 
CPU (99%). What could be the 
reason for this, and how do I get rid of this problem?

Machine was started twice but the 
problem still persists.
By the way, the machine has Windows 2000 Advanced Server 
with SP4.

Regards,





[ActiveDir] EntDrv52 service failed

2005-02-28 Thread Tashildar, Dinesh \(Cognizant\)

Hi

I am getting an error in my system event log once every 4 minutes. It states that "The EntDrv52 service failed to start due to the following error: The system cannot find the file specified." Does anyone know what this service is? This started after upgrading the server from 2000 to 2003. I can't find anything on Google or in Microsoft's KB.

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119
Vnet : 23119 



This e-mail and any files transmitted with it are for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
If you are not the intended recipient, please contact the sender by reply 
e-mail and destroy all copies of the original message. Any unauthorised review, 
use, disclosure, dissemination, forwarding, printing or copying of this email 
or any action taken in reliance on this e-mail is strictly prohibited and may 
be unlawful.
Visit us at http://www.cognizant.com