[ActiveDir] Cannot modify a distribution list
Hi Gurus,

I have created a distribution list which is owned by a particular user. Now I log in as that user and try to modify the distribution list, say by setting the description attribute, but I am getting the error:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
    Error: Modify: Insufficient Rights. 50

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.
RE: [ActiveDir] Cannot modify a distribution list
Hi All,

Yes, by owned I meant setting the managedby attribute. I then set the permissions for the user in the security tab, giving him full access rights, and then I could modify using that user.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Thursday, September 22, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

"If you mean ownership as in setting an owner from the Exchange tab or the managed by tab, neither allows you to modify the membership."

Setting an account in the Managed By tab and checking the box "Manager can update membership list" will allow the account to modify the list members. All the checkbox is doing is setting an Allow Write Members ACE. The account *won't* be able to modify other attributes of the list, such as the description, based strictly on the Managed By information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, September 22, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

If you mean ownership as in setting an owner from the Exchange tab or the managed by tab, neither allows you to modify the membership. You need to grant the person the ability to update the membership list. Now if you have an older version of ADUC, you won't see that checkbox under the managed by tab.

If you have set this, and you have a multidomain forest, and the group is mail enabled, and the person is trying to manage through Outlook, you probably have another issue which I don't have time to go into here, but in that situation, don't use Outlook to manage the membership. Outlook is a tool to read mail, not manage group membership. I don't use ADUC to check my calendar, so I don't have a problem avoiding using Outlook to manage groups.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I log in as that user and try to modify the distribution list, say by setting the description attribute, but I am getting the error:

    ***Call Modify...
    ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
    Error: Modify: Insufficient Rights. 50

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,

We set the revision level in the security descriptor in the meta code. And it indeed works fine. Thanks for all your time and guidance. This has indeed come out to be a product defect.

Thanks again,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL). Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc ...). Under Unix, manipulating an SDDL string to construct the security descriptor is another story as you don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says, rebuild security object. What does this imply? And how can I rebuild the security object? Any help would be beneficial.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

This error is being returned by the meta directory server. For which I don't have the access to code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Have you been checking the script sample I gave in the attached mail? It shows the value required for the revision level. ADS_ACL_REVISION_DS is set to 4.

    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' Self Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But am facing an error the revision level is unknown. Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a perl function in laman.pm which converts sid to string:

    sub SidToString {
        # The revision byte must be 1.
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        # Length must be 8 header bytes plus 4 bytes per sub-authority.
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Identifier authority: low four bytes of the big-endian field.
        $sid_str .= (unpack("C", substr($_[0], 7, 1))
                  + (unpack("C", substr($_[0], 6, 1)) << 8)
                  + (unpack("C", substr($_[0], 5, 1)) << 16)
                  + (unpack("C", substr($_[0], 4, 1)) << 24));
        # Sub-authorities are little-endian 32-bit values; "V" decodes them
        # the same way on any host, where native "I" would not on a
        # big-endian machine.
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1) {
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailboxsecurity description and masteraccountsid is enough? Or do I also need something else?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Thanks for the pointer. Also does anyone know any perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain / All,

So will this mean that there is no problem with the descriptor that I am setting? Should it be a problem with the Meta directory code? All I can do is try to build the descriptor. But the job of setting it is done by the Meta directory agent code. I tried a sample VBScript available on the Microsoft site for doing this from the same machine and it worked fine. Is there any converter that would convert the string security descriptor to text one, so that I can create a binary value beforehand and feed it to the meta directory?

Regards,
Mayuresh.
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But am facing an error the revision level is unknown. Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language).

O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL

I'll let you look over the rest and determine what you have in your strings..

http://msdn.microsoft.com/library/default.asp?url=

Rick
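
Added example (not code from the thread or from any of its participants): a Python sketch that splits one of the SDDL strings quoted above into its owner, group and ACE fields, packs it into a self-relative binary security descriptor with both revision bytes set explicitly, and rejects a blob whose revision bytes are not recognised. The function names are hypothetical, only non-object ACEs and the `PS` alias are handled, and the default ACL revision of 4 is the value given in the thread; whether a particular meta directory accepts the resulting bytes is not established here.

```python
import re
import struct

SD_REVISION = 1            # revision byte of the security descriptor header
ACL_REVISION_DS = 4        # ACL revision value quoted in the thread
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000

SID_ALIASES = {"PS": "S-1-5-10"}        # Principal Self, the only alias on the page
ACE_TYPES = {"A": 0x00, "D": 0x01}      # access allowed / access denied
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
# SDDL rights codes -> access-mask bits. In a mailbox descriptor the bits carry
# mailbox-specific meanings, which this example does not interpret.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}

# String taken from the thread; the trailing ";" is treated as a separator.
SAMPLE_SDDL = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
               "G:S-1-5-21-2527121305-4244181741-3459546813-500"
               "D:(A;CI;CCDCRC;;;PS)"
               "(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);")


def _bits(codes, table):
    """OR together the table values for a run of two-letter SDDL codes."""
    value = 0
    for i in range(0, len(codes), 2):
        value |= table[codes[i:i + 2]]
    return value


def sid_to_bytes(sid):
    """String SID -> binary SID (the inverse of the Perl SidToString above)."""
    parts = SID_ALIASES.get(sid, sid).split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian authority,
    # then little-endian 32-bit sub-authorities
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sddl(sddl):
    """Return (owner, group, aces) for an 'O:...G:...D:(...)(...)' string."""
    m = re.match(r"O:(.+?)G:(.+?)D:(.*)$", sddl.strip())
    if not m:
        raise ValueError("expected O:, G: and D: components")
    owner, group, dacl = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs six ';'-separated fields: %r" % body)
        ace_type, flags, rights, obj, inherit_obj, trustee = fields
        if obj or inherit_obj:
            raise ValueError("object ACEs are outside this example")
        aces.append({"type": ACE_TYPES[ace_type], "flags": _bits(flags, ACE_FLAGS),
                     "mask": _bits(rights, RIGHTS), "trustee": trustee})
    return owner, group, aces


def build_sd(sddl, acl_revision=ACL_REVISION_DS):
    """Pack the SDDL string into a self-relative binary security descriptor."""
    owner, group, aces = parse_sddl(sddl)
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    body = b""
    for ace in aces:
        sid = sid_to_bytes(ace["trustee"])
        # ACE: type, flags, size, access mask, trustee SID
        body += struct.pack("<BBHI", ace["type"], ace["flags"],
                            8 + len(sid), ace["mask"]) + sid
    # ACL header: revision, pad, total size, ACE count, pad
    dacl = struct.pack("<BBHHH", acl_revision, 0, 8 + len(body), len(aces), 0) + body
    off_owner = 20
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    # Descriptor header: revision, pad, control, owner/group/SACL/DACL offsets
    header = struct.pack("<BBHIIII", SD_REVISION, 0,
                         SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + dacl


def check_revisions(blob):
    """Return (sd_revision, acl_revision, ace_count) or raise ValueError."""
    if len(blob) < 20:
        raise ValueError("too short for a security descriptor header")
    sd_rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if sd_rev != SD_REVISION:
        raise ValueError("unknown security descriptor revision %d" % sd_rev)
    if not control & SE_DACL_PRESENT or off_dacl == 0 or off_dacl + 8 > len(blob):
        raise ValueError("no DACL present")
    acl_rev, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    if acl_rev not in (2, 3, 4):
        raise ValueError("unknown ACL revision %d" % acl_rev)
    if off_dacl + acl_size > len(blob):
        raise ValueError("DACL runs past the end of the descriptor")
    return sd_rev, acl_rev, ace_count


if __name__ == "__main__":
    print(parse_sddl(SAMPLE_SDDL))
    print(check_revisions(build_sd(SAMPLE_SDDL)))
```

Running `check_revisions` on the generated bytes before handing them to another system shows whether a revision problem lies in the descriptor itself or in the component that writes it.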
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,

This error is being returned by the meta directory server. For which I don't have the access to code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh
[ActiveDir] MailBox permissioning
Hi Gurus,

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox.

What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server.

Thanks,
Mayuresh.
RE: [ActiveDir] MailBox permissioning
In the exchange interface, I saw the associate external user with this account, in the exchange tasks. Is this the option I should be looking for? Also if so, how can I achieve the same effect as this by the meta directory (what attributes and how to set them)?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MailBox permissioning

Hi Gurus,

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox.

What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server.

Thanks,
Mayuresh.
RE: [ActiveDir] MailBox permissioning
Sorry for mailing repeatedly. I am also searching on the net, so am posting my findings so that you can verify them. Do I have to put the objectSID of the account in the retail domain, in the msexchmasteraccountsid attribute of the exchange domain user? Will that do it? Also if this is correct, how can I set the permissions so that the associated user has full access to the mailbox?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

In the exchange interface, I saw the associate external user with this account, in the exchange tasks. Is this the option I should be looking for? Also if so, how can I achieve the same effect as this by the meta directory (what attributes and how to set them)?

Thanks,
Mayuresh.
RE: [ActiveDir] MailBox permissioning
Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now are:

- give appropriate permissions in the security tab to the user in different domain.
- give appropriate permissions in the Mailbox right.

Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bryon Barkley
Sent: Thursday, August 11, 2005 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Mayuresh,

You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties.

BB

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 4:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MailBox permissioning

Hi Gurus,

I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it.

Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox.

What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server.

Thanks,
Mayuresh.
RE: [ActiveDir] MailBox permissioning
Using a newer version of ldp I could gather the following things: The mailbox users have the following attribute set.

usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)

This part was common for all entries. S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. But this part *** (A;CI;CCLCRC;;; *** before the objectsid differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now are:

- give appropriate permissions in the security tab to the user in different domain.
- give appropriate permissions in the Mailbox right.

Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry?
RE: [ActiveDir] MailBox permissioning
More testing showed that everything except the objectSID is constant. How can I get the objects sid in the below form? Any clues? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning Using a newer version of ldp I could gather the following things: The mailbox users have the following attribute set. usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370); ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372); ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368); ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369); O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) This part was common for all entries. S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting? 
Regards, Mayuresh
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now is that: give appropriate permissions in the security tab to the user in different domain. give appropriate permissions in the Mailbox right. Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley Sent: Thursday, August 11, 2005 2:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
Mayuresh, You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties. BB
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 4:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MailBox permissioning
Hi Gurus, I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it. Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server. Thanks, Mayuresh.
RE: [ActiveDir] MailBox permissioning
Thanks for the pointer. Also does anyone know any perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX. Regards, Mayuresh.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, August 11, 2005 3:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language)
O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL
I'll let you look over the rest and determine what you have in your strings.. http://msdn.microsoft.com/library/default.asp?url=
Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 11:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
Using a newer version of ldp I could gather the following things: The mailbox users have the following attribute set.
usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) This part was common for all entries. S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting? Regards, Mayuresh
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now is that: give appropriate permissions in the security tab to the user in different domain. give appropriate permissions in the Mailbox right. Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways?
I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley Sent: Thursday, August 11, 2005 2:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning
Mayuresh, You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties. BB
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 4:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MailBox permissioning
Hi Gurus, I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it. Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server. Thanks, Mayuresh.
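Added example, not part of the thread (function names are hypothetical): the binary-to-text SID conversion asked about in the message above and the SDDL field breakdown Rick points to, written with platform-independent byte handling only, so nothing depends on Win32. The SDDL strings are the ones quoted in the thread and the S-1-5-32-544 byte string in the test is a constructed sample; the block stops at the SDDL text form and does not serialise a binary security descriptor.

```python
import re
import struct

# Standard SDDL rights mnemonics -> access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

def sid_to_string(raw):
    """Binary objectSid -> 'S-1-...' text form.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian)."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def string_to_sid(text):
    """'S-1-...' text form -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rights_to_mask(rights):
    """ACE rights field ('CCLCRC' or '0x20005') -> integer access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights string: %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]   # KeyError on an unknown mnemonic
    return mask

# O:<owner>G:<group>D:<dacl flags>(ace)(ace)...  Assumes owner and group are
# written as full SIDs, as in the thread, and that there is no S: (SACL) part.
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[^()]*)(?P<aces>(?:\([^()]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group and a list of decoded ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("expected 6 ACE fields, got %d" % len(fields))
        ace_type, flags, rights, obj_guid, inherit_guid, trustee = fields
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "mask": rights_to_mask(rights), "object_guid": obj_guid,
                     "inherit_guid": inherit_guid, "trustee": trustee})
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}

# The part the thread reports as common to all entries, then the per-user ACE.
COMMON = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
          "G:S-1-5-21-2527121305-4244181741-3459546813-500"
          "D:(A;CI;CCDCRC;;;PS)")
DOMAIN = "S-1-5-21-3308934242-2785796821-2776977491"
ENTRIES = {
    "usert":  COMMON + "(A;CI;CCLCRC;;;%s-2370)" % DOMAIN,
    "ZZZFFF": COMMON + "(A;CI;CCLCRC;;;%s-2372)" % DOMAIN,
    "ZZZGGG": COMMON + "(A;CI;CCLCSDRC;;;%s-2368)" % DOMAIN,
    "ZZZJJJ": COMMON + "(A;CI;CCLCSD;;;%s-2369)" % DOMAIN,
}

if __name__ == "__main__":
    for name, sddl in ENTRIES.items():
        for ace in parse_sddl(sddl)["aces"]:
            print("%-7s type=%s flags=%s rights=%-8s mask=0x%05x trustee=%s" % (
                name, ace["type"], ace["flags"], ace["rights"],
                ace["mask"], ace["trustee"]))
```

Each ACE is `(type;flags;rights;object GUID;inherit object GUID;trustee)`: here `A` is an allow ACE, `CI` is container inherit, and `PS` is the well-known alias for the object itself (principal self).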
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi Joe, Can you tell me a good sniffer? And of course a free one ;-) The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain. Regards, Mayuresh.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, August 06, 2005 2:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. I would pull out a network sniffer
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Saturday, August 06, 2005 6:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it.
That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error An operations error occurred 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Thanks, Would it be worth running it on the agent machine, or the AD machine? Regards, Mayuresh From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Ethereal no question. Get it at: www.ethereal.com Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, August 08, 2005 9:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi Joe, Can you tell me a good sniffer? And of course a free one ;-) The setup is like, the mds in installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain. Regards, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, August 06, 2005 2:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retreive the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. 
I would pull out a network sniffer From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Saturday, August 06, 2005 6:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I thinkwe wenthrough that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi Joe, Solved the problem. The agent doing the Job was not running with correct credentials. It was running as default. I set the credentials explicitly to the user I required, and the users with mailboxes are now being created. Thanks a Lot, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, August 08, 2005 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Either should work, you just need to watch the traffic between the two. If you have a shared hub, you can install it on a third machine and plug it into the hub and watch the traffic that way as well. That works well when there are rules about what software can be installed on a machine. Also if you want, if you have netmon already loaded, you can do a netmon capture and then have ethereal read it. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, August 08, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Thanks, Would it be worth running it on the agent machine, or the AD machine? Regards, Mayuresh From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Ethereal no question. Get it at: www.ethereal.com Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, August 08, 2005 9:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi Joe, Can you tell me a good sniffer? And of course a free one ;-) The setup is like, the mds in installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. 
The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain. Regards, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, August 06, 2005 2:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retreive the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. I would pull out a network sniffer From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Saturday, August 06, 2005 6:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. 
Now if this is a user create from the ground up, there could be issues with creating an enabled account. I thinkwe wenthrough that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Yes certainly. The useraccountcontrol is set to 544. how can I do the diagnostics on the exchange side? What diagnostics should I enable? I tried setting diagnostics to verbose for some modules, but didnt give me sufficient information. Thanks much, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I thinkwe wenthrough that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error An operations error occurred 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. 
Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I thinkwe wenthrough that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. 
Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error An operations error occurred 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. 
Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...) Pasted the part of the tarce only just in an attempt to give more information. The entry I am trying to add
[ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error
An operations error occurred
10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...) Pasted the part of the tarce only just in an attempt to give more information. The entry I am trying to add is as: dn: cn=ZZZGGG\, ANGUS,OU=test,DC=gepurbsres01,DC=net objectClass: person objectClass: organizationalPerson objectClass: user userAccountControl: 544 DisplayName: ZZZGGG, ANGUS cn: ZZZGGG, ANGUS givenName: ANGUS sn: ZZZGGG sAMAccountName: ZZZGGGtest homeMDB: CN=Mailbox Store (RLGMFUMX01),CN=First Storage Group,CN=Information Store,CN=RLGMFUMX01,CN=Servers,CN=First Administrative Group,CN=Administrat ive Groups,CN=RBSG Retail Exchange,CN=Microsoft Exchange,CN=Services,CN=Con figuration,DC=gepurbsres01,DC=net mailNickname: ZZZGGG, ANGUS The homeMDB value is correct and the meta directory connects to the Exchange server machine and the AD machine using the Admin user. Can you please help me debug this. Thanks, Mayuresh.
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is.

What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The meta directory is on a different domain, and is on HP-UX. The exchange server is on one machine, and the AD is on a different one. Both the AD and the exchange machines have the same admin login (the domain admin). The meta uses this login to connect to the AD and exchange. If I don't pass the attribute homeMDB, a simple AD user is created just fine. Just when I try to create the user with the homeMDB attribute does it give the problem.

Found out this on the net

# for hex 0x2020 / decimal 8224 : ERROR_DS_OPERATIONS_ERROR

Also the homeMDB value is correct. I created a sample mailbox user from the exchange interface (users and computers) and verified the homeMDB attribute. What conditions can then lead to this problem?

Thanks,
Mayuresh.
[ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Hi All,

I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test

ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?

Thanks and Regards,
Mayuresh.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Thanks a lot. I'll try this out and get back to you with the results.

Best Regards,
Mayuresh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 04, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

If you take the error number passed back it will normally point you to the exact problem. In this case the Server_Info message passed back was 0523. You can use the err.exe tool that can be downloaded from download.microsoft.com or convert the hex number to decimal, your choice to see what error was returned. In this case it is the following:

V:\tools>err 0523
# for decimal 523 / hex 0x20b : SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL msaudite.h
# The security log is now %1 percent full.
# for hex 0x523 / decimal 1315 : ERROR_INVALID_ACCOUNT_NAME winerror.h
# The name provided is not a properly formed account name.
# 2 matches found for 0523

V:\tools>net helpmsg 1315
The name provided is not a properly formed account name.

The first hit is not the one we want as we know this is returned in hex and the second one tells you that you have tried to input an invalid account name as was mentioned below. So change the sam account name to one that does not contain illegal characters and you should be good to go at least to get past that error.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe nTSecurityDescriptor and objectSid. Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Where can I find this tool for download? I tried to search download.microsoft.com, but couldn't find it.
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Thanks a Lot.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, August 05, 2005 4:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

http://www.microsoft.com/downloads/details.aspx?FamilyID=be596899-7bb8-4208-b7fc-09e02a13696c&DisplayLang=en

-Steve
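The decoding step Steve Linehan describes, as an added Python example that is not part of the original thread: the leading number in Server_Info is read as hex, mapped to its winerror.h name, and for ERROR_INVALID_ACCOUNT_NAME the entry's sAMAccountName is checked. The function names are hypothetical, the sample strings are copied from the posts above, and the illegal-character set and 20-character limit are taken from Microsoft's documentation of the attribute rather than from this thread.

```python
import re

# Win32 codes that appear in these threads, with their winerror.h names.
WIN32_ERRORS = {
    0x0523: "ERROR_INVALID_ACCOUNT_NAME",
    0x052D: "ERROR_PASSWORD_RESTRICTION",
    0x2020: "ERROR_DS_OPERATIONS_ERROR",
}

# Shape of the diagnostic string a domain controller returns, e.g.
# "00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0"
SERVER_INFO_RE = re.compile(
    r"(?<![0-9A-Za-z])(?P<code>[0-9A-Fa-f]{1,8}):\s*(?P<kind>\w+):\s*"
    r"(?P<dsid>DSID-[0-9A-Fa-f]{8}),\s*problem\s+(?P<problem>\d+)\s*"
    r"\((?P<problem_name>[^)]*)\),\s*data\s+(?P<data>-?[0-9A-Fa-f]+)"
)

# Assumption: character set and length limit from Microsoft's description
# of the SAM-Account-Name attribute, not from the thread itself.
SAM_ILLEGAL_CHARS = '"/\\[]:;|=,+*?<>'
SAM_MAX_LEN = 20


def parse_server_info(text):
    """Split a Server_Info string into its fields; the code is hexadecimal."""
    m = SERVER_INFO_RE.search(text)
    if m is None:
        raise ValueError("no Server_Info diagnostic found")
    code = int(m.group("code"), 16)  # "0523" means 0x523, not decimal 523
    return {
        "code": code,
        "hex": f"0x{code:x}",
        "name": WIN32_ERRORS.get(code, "unknown, look it up with err.exe"),
        "kind": m.group("kind"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "problem_name": m.group("problem_name"),
    }


def check_sam_account_name(name):
    """Return a list of reasons the name would be rejected (empty if none)."""
    problems = []
    bad = sorted({c for c in name if c in SAM_ILLEGAL_CHARS})
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    if len(name) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} characters")
    if not name.strip():
        problems.append("empty")
    return problems


def diagnose(server_info_text, entry):
    """Decode the error and, where the code points at a name, check the entry."""
    info = parse_server_info(server_info_text)
    findings = [f"{info['hex']} / decimal {info['code']}: {info['name']}"]
    if info["name"] == "ERROR_INVALID_ACCOUNT_NAME":
        sam = entry.get("sAMAccountName", "")
        findings += [f"sAMAccountName {sam!r}: {p}"
                     for p in check_sam_account_name(sam)]
    return findings


# Sample input copied from the posts above.
SAMPLE_0523 = ("Server_Info='00000523: SysErr: DSID-031A0FB2, "
               "problem 22 (Invalid argument), data 0.'")
SAMPLE_052D = ("Server_Info='052D: SvcErr: DSID-031A0B56, "
               "problem 5003 (WILL_NOT_PERFORM), data 0")
SAMPLE_ENTRY = {"cn": "ZZZGGG, ANGUS", "sAMAccountName": "ZZZGGG, ANGUS-Test"}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_0523, SAMPLE_ENTRY):
        print(line)
    print(parse_server_info(SAMPLE_052D)["name"])
```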
RE: [ActiveDir] Setting logonHours through Perl Script
Thanks a lot Al and Joe. This helped me.

Regards,
Mayuresh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 02, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting logonHours through Perl Script

How? Something like this maybe? http://www.mail-archive.com/perl-win32-admin@listserv.activestate.com/msg03672.html

I'm quite sure there are other ways that could be used as well, but this seems pretty straight forward.
[ActiveDir] Setting logonHours through Perl Script
Hi, I want to set the logon hours attribute through a perlscript. Can you guide me as to how can I do it? Also the format of the logonHours attribute?? Thanks in Advance, Mayuresh.
RE: [ActiveDir] Setting logonHours through Perl Script
I see we have to set a 21 byte value for this. How can I set a 21 byte value for this?? Any ideas will be of great help. Thanks, Mayuresh
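How the 21-byte logonHours value asked about above is laid out, as an added Python example that is not part of the original thread and not the Perl code Al Mulnick linked to. The 21 bytes hold 168 bits, one per hour of the week in UTC, starting at Sunday 00:00 with the low-order bit of the first byte. The function names and the utc_offset_hours parameter are hypothetical.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24          # 168 bits = 21 bytes


def build_logon_hours(allowed, utc_offset_hours=0):
    """Build the 21-byte logonHours value.

    allowed maps a day name to a list of (start_hour, end_hour) ranges in
    local time, end exclusive. utc_offset_hours is local time minus UTC;
    hours that cross the week boundary wrap around to the other end.
    """
    bits = bytearray(HOURS_PER_WEEK // 8)
    for day, ranges in allowed.items():
        if day not in DAYS:
            raise ValueError(f"unknown day: {day!r}")
        for start, end in ranges:
            if not 0 <= start <= end <= 24:
                raise ValueError(f"bad hour range: {(start, end)!r}")
            for hour in range(start, end):
                local_slot = DAYS.index(day) * 24 + hour
                utc_slot = (local_slot - utc_offset_hours) % HOURS_PER_WEEK
                # Bit 0 of byte 0 is Sunday 00:00-00:59 UTC.
                bits[utc_slot // 8] |= 1 << (utc_slot % 8)
    return bytes(bits)


def decode_logon_hours(value, utc_offset_hours=0):
    """Turn a logonHours value back into {day: [permitted local hours]}."""
    if len(value) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    schedule = {day: [] for day in DAYS}
    for utc_slot in range(HOURS_PER_WEEK):
        if value[utc_slot // 8] & (1 << (utc_slot % 8)):
            local_slot = (utc_slot + utc_offset_hours) % HOURS_PER_WEEK
            schedule[DAYS[local_slot // 24]].append(local_slot % 24)
    for hours in schedule.values():
        hours.sort()
    return schedule


# Constructed sample schedule: weekdays 08:00-18:00, no weekend logon.
OFFICE_HOURS = {day: [(8, 18)] for day in ["Mon", "Tue", "Wed", "Thu", "Fri"]}

if __name__ == "__main__":
    value = build_logon_hours(OFFICE_HOURS)
    print(len(value), value.hex())
    print(decode_logon_hours(value)["Mon"])
```

The resulting bytes are written to the attribute as a binary (octet string) value; a directory client that treats the value as text will corrupt it.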
[ActiveDir] Resource unavailable temporarily
I am connecting to an Active Directory Server, using a Meta Directory server. But while performing a base level it fails with error Schema search for 'attributeTypes' ERROR='Resource temporarily unavailable' Any clues as to how can I debug this problem? Thanks, Mayuresh.
Re: [ActiveDir] Resource unavailable temporarily
Also when I perform various operations to AD using tools like ldp, or a perl script, they are performed successfully.
[ActiveDir] Error while adding user to AD
Hi, I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error: Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0 Can you guide me as to how can I detect and eliminate the cause of it please. Thanks, Mayuresh
Re: [ActiveDir] Error while adding user to AD
Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?

Regards,
Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil
Re: [ActiveDir] Error while adding user to AD
Thanks a lots Joe. I'll try this out. One more query. After I've changed my password policy, they dont seem to be reflected immediately. how can i force it? - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 5:38 AM Subject: RE: [ActiveDir] Error while adding user to AD That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, June 27, 2005 7:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error while adding user to AD Active Directory password policy was set as follows: Policy Setting Enforce password history 0 passwords remembered Maximum password age 999 days Minimum password age 0 days Minimum password length 8 characters Password must meet complexity requirements Disabled Store passwords using reversible encryption Disabled Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened? Regards, Mayuresh - Original Message - From: Gil Kirkpatrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 4:57 AM Subject: RE: [ActiveDir] Error while adding user to AD This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements. 
-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi, I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:
Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0
Can you guide me as to how can I detect and eliminate the cause of it please.

Thanks, Mayuresh

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Error while adding user to AD
I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.e., someone is trying to set the account enabled in the actual creation of the account when there is a password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?
Regards, Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi, I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:
Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0
Can you guide me as to how can I detect and eliminate the cause of it please.

Thanks, Mayuresh
Re: [ActiveDir] Error while adding user to AD
Thanks a lot Joe, This has been of tremendous help for diagnosing the issue! Grateful to you! Mayuresh.

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:32 AM
Subject: RE: [ActiveDir] Error while adding user to AD

I expect the policy hasn't completely applied yet. Can you control the process used by the metadirectory software for object creation? If so, have it create the object in the way specified below. The alternative is to create it with the useraccountcontrol flagged to allow the account to not have a password. Then after the initial object create set a password and change useraccountcontrol to 512. I highly recommend creating it disabled and then setting the password and then setting the useraccountcontrol to 512 though. It is more obvious if something gets dropped and not handled properly.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.e., someone is trying to set the account enabled in the actual creation of the account when there is a password length policy.
If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?

Regards, Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi, I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:
Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0
Can you guide me as to how can I detect and eliminate the cause of it please.
Thanks, Mayuresh
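The creation order joe recommends in this thread (create the account disabled, set the password, then set userAccountControl to 512), written out as LDIF. This is an added example, not code from the list or from the meta directory product; the DN, account name and password are constructed, and the client-side length check only mirrors the 8-character policy quoted above.

```python
import base64

# userAccountControl flag values documented for Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
DISABLED_USER = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 514
ENABLED_USER = UF_NORMAL_ACCOUNT                        # 512, the value named in the thread


def encode_unicode_pwd(password):
    """unicodePwd is written as the password in double quotes, encoded UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def ldif_line(attr, value):
    """One LDIF attribute line; bytes and unsafe or non-ASCII text use the '::' base64 form."""
    if isinstance(value, str):
        safe = (value.isascii() and value.isprintable()
                and not value.startswith((" ", ":", "<"))
                and not value.endswith(" "))
        if safe:
            return f"{attr}: {value}"
        value = value.encode("utf-8")
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def provisioning_ldif(dn, sam_account_name, password, min_length=8):
    """Return three LDIF records: add disabled, set password, enable.

    min_length mirrors the domain policy so a short password is caught before
    the directory rejects it; the domain controller still enforces the policy.
    """
    if len(password) < min_length:
        raise ValueError(f"password shorter than policy minimum of {min_length}")

    # 1. Create the object disabled and without a password.
    create = [
        ldif_line("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_line("sAMAccountName", sam_account_name),
        f"userAccountControl: {DISABLED_USER}",
    ]
    # 2. Set the password. unicodePwd can only be written over an encrypted
    #    (SSL/TLS) LDAP connection.
    set_password = [
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(password)),
        "-",
    ]
    # 3. Enable the account only after the password is in place.
    enable = [
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {ENABLED_USER}",
        "-",
    ]
    return "\n\n".join("\n".join(r) for r in (create, set_password, enable)) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(provisioning_ldif("CN=Test User,OU=Example,DC=example,DC=test",
                            "tuser", "Example-Pass-123"))
```

If step 2 or 3 fails, the account is left disabled rather than enabled without a valid password, which is the reason joe gives for preferring this order.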
Re: [ActiveDir] [OT] Windows Update Service
does this help in any way?? http://support.microsoft.com/?kbid=870692

- Original Message -
From: Peter Jessop
To: ActiveDir@mail.activedir.org
Sent: Thursday, May 26, 2005 4:07 PM
Subject: [ActiveDir] [OT] Windows Update Service

Good day to you all

A server with Windows 2000 sp4 is no longer receiving updates from SUS. It used to work fine. The message 'Windows update service not available' appears on the automatic update dialog box (in control panel). I have tried taking it out of the OU in order to update it through the Windows update page but it still gives me the message service not available. Thus it is not a SUS or GPO problem. I can't find any relevant messages in the eventvwr. The only error I can find is the message "Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for SILURIA$." on running NETDIAG.

Any ideas? Is it possible to enable logging for Windows Update Service?

Regards
Peter Jessop
Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD
Got a shot at it! I am using a Criticalpath Meta directory server to push the values. So in my customised perl script extension, I only converted the string to UTF8 using perl SimpleUTF8 APIs and then pushed this to the destination. You were right, I didn't require to convert the value to base64. Just converting it to UTF8 was sufficient in this case. Thanks again.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 8:17 PM
Subject: RE: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Mayuresh, What API or tool are you using to add the data to AD? The only time I know you use base64 for binary data is with LDIF. I have no idea why your string below is getting mangled, but if you could provide more details again about how you pushed the data into AD, that would be helpful.

Cheers, Joe K.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, March 21, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Again. I am sending this as I have done some more testing on this. Please take your own time while answering. I don't intend to push you for this. I created a new attribute in AD azsite of type Unicode string and flown the value xSÖDERTÄLJE - GÄRTUNA but it is flown as xSDERTLJE - GRTUNA. Is there any other syntax other than Unicode String that I should use to display? I am using a base64 conversion of the non-ascii to push the value into AD.

Regards, Mayuresh

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 2:05 PM
Subject: Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Also to add to this question, if at all userCert is not a correct attribute to pass a binary attribute, can you suggest any other binary attribute where I can pass the binary value?
I am using iNetOrgPerson objectclass.

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 1:21 PM
Subject: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Experts, I am trying using an Application (Criticalpath Meta Directory server) to push the value (utf8) xSÖDERTÄLJE - GÄRTUNA into some binary field after converting it into base64, e.g. userCert. But when I push it, I don't see the value I pushed. I see xSDERT. What can I do to push the exact value into AD? Also should some character set be set for the AD server or something like that?

Regards Mayuresh
Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD
Thanks for all the help... I just flowed the UTF8 values to the directory and that solved the problem. Regards.

- Original Message -
From: Dean Wells [EMAIL PROTECTED]
To: Send - AD mailing list [EMAIL PROTECTED]
Sent: Monday, March 21, 2005 9:15 PM
Subject: RE: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Here's a snippet of my command shell that I used to import your values -

<snippet>
C:\>type foo.ldf
dn: CN=Guest,CN=Users,DC=mset,DC=net
changetype: modify
replace: userCert
userCert:: eFOZREVSVI5MSkUgLSBHjlJUVU5BDQo=
-
C:\>ldifde -i -f \foo.ldf
</snippet>

I experienced no problem importing it. Once complete, I exported it and compared the exported result against the original import value which resulted in a match.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, March 21, 2005 2:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Experts, I am trying using an Application (Criticalpath Meta Directory server) to push the value (utf8) xSÖDERTÄLJE - GÄRTUNA into some binary field after converting it into base64, e.g. userCert. But when I push it, I don't see the value I pushed. I see xSDERT. What can I do to push the exact value into AD? Also should some character set be set for the AD server or something like that?

Regards Mayuresh
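A check on the base64 value in the LDIF snippet quoted above, as an added example that is not part of any poster's message: it decodes the value, tests whether the bytes are valid UTF-8, and finds which encoding reproduces the intended string. The candidate codec list and the helper names are the example's own choices; azsite is the attribute name used in the thread.

```python
import base64

# Base64 value copied from the LDIF snippet quoted in the thread.
PAGE_LDIF_VALUE = "eFOZREVSVI5MSkUgLSBHjlJUVU5BDQo="
# The string the poster wanted to store: xSÖDERTÄLJE - GÄRTUNA
INTENDED_TEXT = "xS\u00d6DERT\u00c4LJE - G\u00c4RTUNA"

# Encodings to compare against (a choice made for this example).
CANDIDATE_CODECS = ("utf-8", "utf-16-le", "cp1252", "cp850", "cp437")


def decode_ldif_b64(value):
    """Decode the part after 'attr:: ' in an LDIF line, rejecting stray characters."""
    return base64.b64decode(value, validate=True)


def is_valid_utf8(raw):
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def matching_codecs(raw, intended, codecs=CANDIDATE_CODECS):
    """Codecs under which `intended` encodes to exactly `raw` (trailing CR/LF ignored)."""
    body = raw.rstrip(b"\r\n")
    hits = []
    for codec in codecs:
        try:
            if intended.encode(codec) == body:
                hits.append(codec)
        except UnicodeEncodeError:
            continue
    return hits


def lossy_view(raw):
    """What a consumer shows if it expects UTF-8 and silently drops undecodable bytes."""
    return raw.decode("utf-8", errors="ignore").rstrip("\r\n")


def utf8_ldif_line(attr, text):
    """LDIF line carrying `text` as base64 of its UTF-8 bytes."""
    return f"{attr}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"


if __name__ == "__main__":
    raw = decode_ldif_b64(PAGE_LDIF_VALUE)
    print("raw bytes     :", raw)
    print("valid UTF-8   :", is_valid_utf8(raw))
    print("matches codec :", matching_codecs(raw, INTENDED_TEXT))
    print("lossy view    :", lossy_view(raw))
    print("UTF-8 LDIF    :", utf8_ldif_line("azsite", INTENDED_TEXT))
```

The bytes in the quoted value are not valid UTF-8; they equal the intended text encoded in the OEM code pages 850 and 437, and dropping the undecodable bytes yields the same xSDERTLJE - GRTUNA string reported earlier in the thread. An octet-string attribute such as userCert stores any bytes unchanged, whereas a Unicode String attribute needs the UTF-8 form that utf8_ldif_line produces.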
Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD
Also to add to this question, if at all userCert is not a correct attribute to pass a binary attribute, can you suggest any other binary attribute where I can pass the binary value? I am using iNetOrgPerson objectclass.

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 1:21 PM
Subject: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Experts, I am trying using an Application (Criticalpath Meta Directory server) to push the value (utf8) xSÖDERTÄLJE - GÄRTUNA into some binary field after converting it into base64, e.g. userCert. But when I push it, I don't see the value I pushed. I see xSDERT. What can I do to push the exact value into AD? Also should some character set be set for the AD server or something like that?

Regards Mayuresh
Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD
Hi Again. I am sending this as I have done some more testing on this. Please take your own time while answering. I don't intend to push you for this. I created a new attribute in AD azsite of type Unicode string and flown the value xSÖDERTÄLJE - GÄRTUNA but it is flown as xSDERTLJE - GRTUNA. Is there any other syntax other than Unicode String that I should use to display? I am using a base64 conversion of the non-ascii to push the value into AD.

Regards, Mayuresh

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 2:05 PM
Subject: Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Also to add to this question, if at all userCert is not a correct attribute to pass a binary attribute, can you suggest any other binary attribute where I can pass the binary value? I am using iNetOrgPerson objectclass.

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 1:21 PM
Subject: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

Hi Experts, I am trying using an Application (Criticalpath Meta Directory server) to push the value (utf8) xSÖDERTÄLJE - GÄRTUNA into some binary field after converting it into base64, e.g. userCert. But when I push it, I don't see the value I pushed. I see xSDERT. What can I do to push the exact value into AD? Also should some character set be set for the AD server or something like that?
Regards Mayuresh
[ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD
Hi Experts, I am trying using an Application (Criticalpath Meta Directory server) to push the value (utf8) xSÖDERTÄLJE - GÄRTUNA into some binary field after converting it into base64, e.g. userCert. But when I push it, I don't see the value I pushed. I see xSDERT. What can I do to push the exact value into AD? Also should some character set be set for the AD server or something like that?

Regards Mayuresh
[ActiveDir] Problem using Certificates to connect to AD machine
Hi, I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how do I issue, and which certificate should I issue to be able to connect to the PDC machine? Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd., 402E, Bhageerath, Senapati Bapat Road. Pune - 16. Phone: 020-25602983
Re: [ActiveDir] Problem using Certificates to connect to AD machine
Hi, I tried to generate a certificate using the w2k CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg. from my machine) as "kaling.persistent.co.in". Any thing I must take care while generating the certificate?

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how do I issue, and which certificate should I issue to be able to connect to the PDC machine? Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd., 402E, Bhageerath, Senapati Bapat Road. Pune - 16. Phone: 020-25602983

cert.cer Description: application/x509-ca-cert
Re: [ActiveDir] Problem using Certificates to connect to AD machine
This is the error number I am able to see.
session=3741BE8 cannot negotiate SSL security error 8048
Can you speculate what this means?

- Original Message -
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 9:03 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field. Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!
steve

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it. In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I tried to generate a certificate using the w2k CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg. from my machine) as "kaling.persistent.co.in". Any thing I must take care while generating the certificate?

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how do I issue, and which certificate should I issue to be able to connect to the PDC machine? Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd., 402E, Bhageerath, Senapati Bapat Road. Pune - 16. Phone: 020-25602983
Re: [ActiveDir] Problem using Certificates to connect to AD machine
I generated this certificate from the CA and it says, it doesn't have enough information to verify this certificate! I generated a new certificate from "Personal-certificate" from Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect. :-(

- Original Message -
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 11:33 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

This is the error number I am able to see.
session=3741BE8 cannot negotiate SSL security error 8048
Can you speculate what this means?

- Original Message -
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 9:03 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field. Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!
steve

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.
In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I tried to generate a certificate using the w2k CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg. from my machine) as "kaling.persistent.co.in". Any thing I must take care while generating the certificate?

Regards, Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how do I issue, and which certificate should I issue to be able to connect to the PDC machine?
Re: [ActiveDir] Problem using Certificates to connect to AD machine
I also see that the certificate that I see from right clicking the CA is as attached. But when I check using a utility from my machine, I see the following information:

Subject name: CN=kaling.meta.test
Issuer name : C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test
Valid from (dd/mm/): 25/03/2004
Valid to (dd/mm/): 25/03/2006

Which is not matching. How can I correct this?

- Original Message -
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 01, 2005 1:30 AM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

I generated this certificate from the CA and it says, it doesn't have enough information to verify this certificate! I generated a new certificate from "Personal-certificate" from Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect. :-(

- Original Message -
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 11:33 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

This is the error number I am able to see.
session=3741BE8 cannot negotiate SSL security error 8048
Can you speculate what this means?

- Original Message -
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 9:03 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field.
Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!
steve

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it. In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I tried to generate a certificate using the w2k CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg.
from my machine) as "kaling.persistent.co.in". Any thing I must take care while generating the certificate
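The requirements listed in Steve Patrick's reply (DC FQDN in the Subject, root CA trusted by the client), applied to the certificate details reported in this thread. This is an added example, not code from any poster; the function names are hypothetical, only the Subject CN is compared (subjectAltName and CDP reachability are not modelled), and the issuing CA is assumed to be the root itself.

```python
from datetime import date

def parse_dn(dn):
    """Split a simple DN into normalised (ATTR, value) pairs; escaped commas unsupported."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)

def common_name(dn):
    """Return the first CN value of a DN, or None when there is no CN."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None

def check_server_cert(cert, connect_host, trusted_roots, today):
    """List the reasons an LDAPS client would reject this server certificate."""
    problems = []
    cn = common_name(cert["subject"])
    host = connect_host.lower().rstrip(".")
    if cn != host:
        problems.append("name mismatch: subject CN is %s, client connects to %s" % (cn, host))
    if not cert["valid_from"] <= today <= cert["valid_to"]:
        problems.append("certificate is outside its validity period")
    if parse_dn(cert["issuer"]) not in {parse_dn(r) for r in trusted_roots}:
        problems.append("issuer is not in the client's trusted roots")
    return problems

# Values as reported in the thread; TODAY is the date of that message.
CERT = {
    "subject": "CN=kaling.meta.test",
    "issuer": "C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test",
    "valid_from": date(2004, 3, 25),
    "valid_to": date(2006, 3, 25),
}
ROOTS = [CERT["issuer"]]  # assumption: the issuing CA is itself the trusted root
TODAY = date(2005, 3, 1)

if __name__ == "__main__":
    for host in ("kaling.persistent.co.in", "kaling.meta.test"):
        print(host, check_server_cert(CERT, host, ROOTS, TODAY) or "ok")
```

Connecting by the external name fails the name check even when the chain is trusted, while the internal FQDN passes only if the client can resolve it.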
Re: [ActiveDir] Problem using Certificates to connect to AD machine
One more thing I noticed here is that it is using the cert which was installed a long while ago. But after that, the CA was installed/uninstalled several times, and new certificates were issued. But still it is using the same cert?

----- Original Message -----
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 01, 2005 1:44 AM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

I also see that the certificate that I see from right clicking the CA is as attached. But when I check using a utility from my machine, I see the following information:

Subject name: CN=kaling.meta.test
Issuer name : C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test
Valid from (dd/mm/): 25/03/2004
Valid to (dd/mm/): 25/03/2006

Which is not matching. How can I correct this?

----- Original Message -----
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 01, 2005 1:30 AM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

I generated this certificate from the CA and it says, it doesn't have enough information to verify this certificate! I generated a new certificate from "Personal-certificate" from Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect. :-(

----- Original Message -----
From: Mayuresh Kshirsagar
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 11:33 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

This is the error number I am able to see.

session=3741BE8 cannot negotiate SSL security error 8048

Can you speculate what this means?

----- Original Message -----
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 9:03 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field. Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!
steve

----- Original Message -----
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it. In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

----- Original Message -----
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDi
[ActiveDir] URGENT - Problem changing Password in a Active directory User.
Hi

I am using LDP browser to simulate the problem I am seeing in my software (Critical Path MDS server), where I am trying to replace the existing Unicode Password with a new one:

I can see the following errors in the LDP browser, CP MDS server, as well as Active Directory's event logs:

Event Type: Information
Event Source: NTDS General
Event Category: (8)
Event ID: 1175
Date: 2/26/2005
Time: 8:07:15 AM
User: META\administrator
Computer: KALING
Description: A privileged operation (rights required = 0x) on object CN=u1,OU=Password Managed AD CV,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test failed because a non-security related error occurred.

Event Type: Information
Event Source: NTDS LDAP
Event Category: (16)
Event ID: 1535
Date: 2/26/2005
Time: 8:07:15 AM
User: META\administrator
Computer: KALING
Description: The LDAP server returned the following error string: 2077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0

I can't get how I can solve the problem. Any hints how to solve this? It's urgent!

Mayuresh

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005 April 26th-27th, Santa Clara, CA

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] URGENT - Problem changing Password in a Active directory User.
Hi, I am on Win 2k server, SP4 and trying to do the operation installed on this AD server, which is the PDC! Thanks.

----- Original Message -----
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, February 26, 2005 10:21 AM
Subject: URGENT - Problem changing Password in a Active directory User.

Hi

I am using LDP browser to simulate the problem I am seeing in my software (Critical Path MDS server), where I am trying to replace the existing Unicode Password with a new one:

I can see the following errors in the LDP browser, CP MDS server, as well as Active Directory's event logs:

Event Type: Information
Event Source: NTDS General
Event Category: (8)
Event ID: 1175
Date: 2/26/2005
Time: 8:07:15 AM
User: META\administrator
Computer: KALING
Description: A privileged operation (rights required = 0x) on object CN=u1,OU=Password Managed AD CV,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test failed because a non-security related error occurred.

Event Type: Information
Event Source: NTDS LDAP
Event Category: (16)
Event ID: 1535
Date: 2/26/2005
Time: 8:07:15 AM
User: META\administrator
Computer: KALING
Description: The LDAP server returned the following error string: 2077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0

I can't get how I can solve the problem. Any hints how to solve this? It's urgent!

Mayuresh

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005 April 26th-27th, Santa Clara, CA

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
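A reply in the certificate thread above points to the cert and SSL requirement for updating a password over LDAP; in addition, Active Directory accepts `unicodePwd` only as the new password wrapped in double quotes and encoded as UTF-16LE. The pre-flight check below is an added example, not code from any poster: the function names and the sample password are constructed, and the DN is the one shown in the event log.

```python
import base64

def encode_unicode_pwd(password):
    """Wrap the new password in double quotes and encode it as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def looks_like_unicode_pwd(value):
    """True only for bytes that decode as a double-quoted UTF-16LE string."""
    if len(value) < 4 or len(value) % 2:
        return False
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return text.startswith('"') and text.endswith('"')

def preflight(use_ssl, value):
    """Reasons the DC would refuse this unicodePwd write, found before sending it."""
    reasons = []
    if not use_ssl:
        reasons.append("connection is not SSL-protected")
    if not looks_like_unicode_pwd(value):
        reasons.append("value is not a quoted UTF-16LE string")
    return reasons

def build_ldif(dn, password):
    """LDIF modify record replacing unicodePwd; '::' marks a base64 value."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + b64,
        "-",
        "",
    ])

# DN from the event log in the post; the password is a constructed sample.
USER_DN = "CN=u1,OU=Password Managed AD CV,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test"

if __name__ == "__main__":
    print(preflight(use_ssl=False, value=b"Ab1"))
    print(build_ldif(USER_DN, "Ab1"))
```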