RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread AD

Would love to get this book. Not available from Chapters. ISBN #0672315874.

Do you have an extra copy you would like to sell?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 1:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Hey Joe,

Wow, thanks for the compliment dude.

Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I haven't seen it before as part of ADSI.

-g

Gil Kirkpatrick
CTO, NetPro



-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 7:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute



This is an ADSI thing and is called a SID Bind; you can also do a GUID bind in a similar manner. If you are using LDAP API instead of ADSI you need to encode the sid back into an octet string and do the search with it. Check out Gil Kirkpatrick's Programming Active Directory as he has some good info on this type of schtuff. Actually if you are doing any AD programming, get that book. Gil rocks. :op

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute





I never heard of using an attribute as your BaseDN.

If this worked for you I really would like to know how you did it.

Thanks

Y

From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO & Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

My query looks like this:

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

Doesn't return anything. I know the sid must be converted but I am not sure what format it should be in.

Thanks

Y

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-25 Thread Joe

Nope. We use a listserv internally for bulk mailing. The listserv allows for authenticated broadcasts, built in archiving, unsubscribing, etc.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

  
You don't have Ex Dist Groups??

At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups.

There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?

Hunter

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

  What do you mean by "I just can't imagine all of the explicit 
  grants."?  Is this an Exchange reference? If so, block out Exchange, 
  they didn't know what they were doing when they wrote that application. 
  Bad bad example of an AD application. We may actually have to cave and 
  create a couple of mail enabled Uni groups for some stupid security stuff 
  in Exchange. We asked why we can't use DLG's and they said you just can't 
  (I love those technical explanations out of the Exchange Support and Dev 
  groups). Then at one point a mistake was made and it was said that Globals 
  would probably work which meant that DLG's would work as well and smashed 
  their argument for Uni's at which point I attacked and then they recanted 
  and it was no no no only Uni's will work. Problem is, I don't think there 
  are many people if any that understand that P.O.S..
   
  As for the chasing perms. If you use all DLG's you know that all 
  NT Native Security uses of the group are within the one domain (you 
  can do some tricks if you have your own security system). So if you have 
  say the whole world and you get asked by the security group where could 
  this group have permissions at you can say, only on machines within this 
  domain versus, well any machine in any of these 9 domains (meaning 
  hundreds of thousands of machines). 
   
  With W2K3 we will probably end up looking at Uni's again 
  because at least the replication piece is better but I really do not see 
  the purpose in replicating member information for a group that is used in 
  one site in say Arizona to the entire world. Also if you have tens of 
  thousands of groups like we do and those groups see lots and lots of daily 
  membership changes which they do (one site I talked to processed at least 
  1500 individual group changes a normal business day) that is a lot of 
  replication of a lot of data that doesn't need to be used anywhere but in 
  one site. 
   
  Also when I mention the denys it is only on AD (excluding the 
  Exchange container in the config partition) that I am speaking for because 
  I am the one that controls that security. File systems and other ACL's on 
  resources directly can be set with anything the local person in charge 
  wants to do. If they call me asking me for help though the first thing I 
  do is ixnay on the deny's if they are doing it for silly reasons. Most 
  people tend to hurt themselves more than help themselves with deny's. And 
  deny's in AD are not fun to work through. Also misordered ACL's with 
  denies is fun too... No one would do that on purpose would they... oh 
  wait... 
   
    joe
   
  

-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECT

RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-25 Thread Rick Kingslan

Roger!

Hah!  Got you beat!  We've got exactly two Dist Groups PER USER!  And, 90% of them are Unis!  Our Exchange Admins are just THAT good!

(I finally outdid Roger on something!)

Yes - this is completely all

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

You don't have Ex Dist Groups??

At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

  
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups.

There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
Are you going to be upgrading an existing Exchange 
organization? If so, what are you planning to do with all of the UDGs/USGs 
that the ADC wants to create? 
 
Hunter


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit 
grants."?  Is this an Exchange reference? If so, block out Exchange, 
they didn't know what they were doing when they wrote that application. Bad 
bad example of an AD application. We may actually have to cave and create a 
couple of mail enabled Uni groups for some stupid security stuff in 
Exchange. We asked why we can't use DLG's and they said you just can't (I 
love those technical explanations out of the Exchange Support and Dev 
groups). Then at one point a mistake was made and it was said that Globals 
would probably work which meant that DLG's would work as well and smashed 
their argument for Uni's at which point I attacked and then they recanted 
and it was no no no only Uni's will work. Problem is, I don't think there 
are many people if any that understand that P.O.S..
 
As 
for the chasing perms. If you use all DLG's you know that all NT Native 
Security uses of the group are within the one domain (you can do some tricks 
if you have your own security system). So if you have say the whole world 
and you get asked by the security group where could this group have 
permissions at you can say, only on machines within this domain versus, well 
any machine in any of these 9 domains (meaning hundreds of thousands 
of machines). 
 
With W2K3 we will probably end up looking at Uni's again because 
at least the replication piece is better but I really do not see the purpose 
in replicating member information for a group that is used in one site in 
say Arizona to the entire world. Also if you have tens of thousands of 
groups like we do and those groups see lots and lots of daily membership 
changes which they do (one site I talked to processed at least 1500 
individual group changes a normal business day) that is a lot of replication 
of a lot of data that doesn't need to be used anywhere but in one site. 

 
Also when I mention the denys it is only on AD (excluding the 
Exchange container in the config partition) that I am speaking for because I 
am the one that controls that security. File systems and other ACL's on 
resources directly can be set with anything the local person in charge wants 
to do. If they call me asking me for help though the first thing I do is 
ixnay on the deny's if they are doing it for silly reasons. Most people tend 
to hurt themselves more than help themselves with deny's. And deny's in AD 
are not fun to work through. Also misordered ACL's with denies is fun too... 
No one would do that on purpose would they... oh wait... 

 
  joe
 

  
  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] O

RE: [ActiveDir] [SOT] Scripting ACEs

2003-08-25 Thread Joe
Grrr. Exchange Split Permissions model... The name for that should be
something a lot more vulgar I think. The Exchange folks tell you to do
what MS has told the AD Admins the whole time NOT to do and that is to
not have a crapload of ACE's. Yet the way the model was built for
Exchange you either give them god rights or at least too many rights or
you add a bunch of ACE's. 

Be careful with the doc I saw, it was wrong because it had you giving
write property access to nTSecurityDescriptor... If you do that, you
might as well make the Exchange Admins Account Ops or whatever else over
the user objects or to whatever you apply that write prop access to.

We ended up giving a little more access than we wanted (no choice
because of the horrible way the property sets were used by MS for
E2K) but it isn't incredibly bad. Mostly the bad part is that the
Exchange Admins have access to change SPN's and UPN's which they
shouldn't be able to get near to but again, we hate Deny ACEs. It took a
while to work out the "REAL" permissions needed to do mailbox
reconnects/adds/deletes/moves but we have that now. The fun part of that
one was that there is a permission that has to be applied to users that
isn't even a property for users, so basically a garbage ACE that is only
useful for E2K. 

Our provisioning of users mostly comes out of an automated web based
provisioning system written in house so the E2K Admins don't need many
user rights. The Exchange Admins mostly only do work on the Servers
though since MS doesn't have an easy way to do reconnects from the
command line (looking for source code to MBCONN...) for W2K so the
Exchange Admins have to go through the manual GUI (blech) processes to
do reconnects. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 4:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [SOT] Scripting ACEs


Your script confirmed what I was getting when I checked the ACEs using a
Vbscript, and what you said earlier about having the same number of ACEs
regardless of how the permissions are set. I'd rather avoid setting the
Deny ACEs, but there doesn't seem to be much alternative in implementing
the Exchange "split permissions" model. Which gets back to one of the
other threads here recently. 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 23, 2003 8:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [SOT] Scripting ACEs

LOL. No problem. My new lab here at home is definitely in the experiment
stage. The only part that is set up in a semi-permanent way is my Onkyo
TX-SR601/JVC XL-F215 and Bose 701's so I have music to help set up the
rest. As for the computer stuff I have network cables strung about the
room so it looks like I am having a limbo contest (looking for wire
wraps so I can run them right...). :o)  To add to the madness I added a
new WAP (G type) to add to my B-Type and my other switches/hubs. It was
getting too easy otherwise. :op

To bring this slightly back on topic here is a copy of the perl script.
Not sure if this is the latest version but seems to produce a good
amount of output. :op  Very raw output, if you don't have some idea of
ACL and ACE's oh my already then it may be a trifle overwhelming.
Verbose and debug modes more so but gives people values for GUIDs and
such so if they want to generate their own ACE's they can use this tool
to dump one to see what values they need to pump in.

Here is a snippet of a sample:

F:\temp>perl perlchksec.pl cn=anon,d,dc=joehome,dc=com

PerlChkSec V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  June 2002


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting ACEs

The way ACE's work you should have two ACE's either way, it is simply
how the GUI is interpreting. If you look at the ACE and ACL structures
in MSDN you will see that each ace can only have a single Principal,
access type, and attribute specified. More than likely the way the ACE's
are being ordered when the GUI does it matches a profile it sets up for
decoding them. If you do it from the GUI and then dump from a script you
should be able to duplicate the ordering if that is what you would like
to do. I believe I posted a perl script to ms.public.adsi.general once
or twice that will dump out the ACE's for the ACL of an object
specifically to help determine the ACE's and ordering put together by
the GUI. Google that group for it if you want it, otherwise you can send
me a separate email and I will try to go dig it up at some point for
you. I am a bit in a disarray right now as we just went through the
power outage plus I am in the middle of moving and at work am buried in
E2K "stuff". I don't know where anything is right now. :op

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sen

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Joe

No problem, you wrote the good book, I simply mention it.

SID Bind is like the GUID bind using the LDAP provider of ADSI. Only part of ADSI 2.5+ I believe. I am not the big consumer of ADSI, just recall running into it several times, google for "LDAP://

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 1:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
Hey Joe,

Wow, thanks for the compliment dude.

Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I haven't seen it before as part of ADSI.

-g
Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 7:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
This is an ADSI thing and is called a SID Bind; you can also do a GUID bind in a similar manner. If you are using LDAP API instead of ADSI you need to encode the sid back into an octet string and do the search with it. Check out Gil Kirkpatrick's Programming Active Directory as he has some good info on this type of schtuff. Actually if you are doing any AD programming, get that book. Gil rocks. :op

  joe


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
  
I never heard of using an attribute as your BaseDN.

If this worked for you I really would like to know how you did it.

Thanks

Y

From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

My query looks like this:

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

Doesn't return anything. I know the sid must be converted but I am not sure what format it should be in.

Thanks

Y

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
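The octet-string encoding Joe describes above, as an added example that is not code from the thread or from any of the posters: objectSid is stored as a binary blob, so an LDAP filter has to carry the SID as RFC 4515 escaped octets rather than the S-1-5-... text the original query used, while LDP/ADSI take a <SID=...> base for a SID bind. Python standard library only; every function name here is my own.

```python
"""Convert Windows SIDs between string and binary form for LDAP searches.

Added example, not code from the ActiveDir thread. The binary layout is the
SID structure from the Windows SDK:
    byte 0      revision (always 1)
    byte 1      number of sub-authorities (0..15)
    bytes 2-7   identifier authority, 48-bit big-endian
    bytes 8..   sub-authorities, 32-bit little-endian each
"""
import re
import struct

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def sid_string_to_bytes(sid: str) -> bytes:
    """Parse the SDDL string form; raise ValueError on anything malformed
    (for example the poster's "S15-2-4-..." which is missing a dash)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"malformed SID: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def sid_bytes_to_string(blob: bytes) -> str:
    """Inverse of sid_string_to_bytes; checks the length against the count
    so a truncated or padded objectSid value is rejected, not misread."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID blob")
    count = blob[1]
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def is_valid_sid_string(sid: str) -> bool:
    """True if the string parses as a SID; handy before building a filter."""
    try:
        sid_string_to_bytes(sid)
        return True
    except ValueError:
        return False


def ldap_escape_bytes(blob: bytes) -> str:
    """RFC 4515: each octet of a binary assertion value is written as \\xx."""
    return "".join("\\%02x" % b for b in blob)


def objectsid_filter(sid: str, object_category: str = "user") -> str:
    """LDAP filter matching the object whose objectSid equals `sid`.
    This is the form the raw LDAP API needs instead of the S-1-5 text."""
    octets = ldap_escape_bytes(sid_string_to_bytes(sid))
    return f"(&(objectCategory={object_category})(objectSid={octets}))"


def sid_bind_base(sid: str) -> str:
    """Base DN for a SID bind, using the hex-octet spelling of the SID.
    The '<' and '>' are part of the syntax, which is the detail Jimmy
    points out is easy to drop when typing it into LDP."""
    return "<SID=%s>" % sid_string_to_bytes(sid).hex().upper()


if __name__ == "__main__":
    # BUILTIN\Administrators, the well-known SID Rick mentions testing with.
    print(objectsid_filter("S-1-5-32-544", "group"))
    print(sid_bind_base("S-1-5-32-544"))
```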



RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Rick Kingslan



Props to Gil, too.  Noted that he asked the same question.  Don't want anyone to go without due credit (sucking up for smarta$$ South-West comments at Gil and Roger's expense.)

Best part is - Roger is getting dissed and isn't even here yet to defend himself yet.  But, then - he doesn't know us yet.  We don't care if you're here on or.  Flame on!  >:-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Rick,

You found the solution to my problem. LDP version 3.0 worked flawlessly. Jimmy's solution will not work with any other.

Thanks

Yves


From: Rick Kingslan
Sent: Mon 25/08/2003 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I typed in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To:

RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-25 Thread Roger Seielstad

You don't have Ex Dist Groups??

At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

  
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups.

There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
Are you going to be upgrading an existing Exchange 
organization? If so, what are you planning to do with all of the UDGs/USGs 
that the ADC wants to create? 
 
Hunter


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit 
grants."?  Is this an Exchange reference? If so, block out Exchange, 
they didn't know what they were doing when they wrote that application. Bad 
bad example of an AD application. We may actually have to cave and create a 
couple of mail enabled Uni groups for some stupid security stuff in 
Exchange. We asked why we can't use DLG's and they said you just can't (I 
love those technical explanations out of the Exchange Support and Dev 
groups). Then at one point a mistake was made and it was said that Globals 
would probably work which meant that DLG's would work as well and smashed 
their argument for Uni's at which point I attacked and then they recanted 
and it was no no no only Uni's will work. Problem is, I don't think there 
are many people if any that understand that P.O.S..
 
As 
for the chasing perms. If you use all DLG's you know that all NT Native 
Security uses of the group are within the one domain (you can do some tricks 
if you have your own security system). So if you have say the whole world 
and you get asked by the security group where could this group have 
permissions at you can say, only on machines within this domain versus, well 
any machine in any of these 9 domains (meaning hundreds of thousands 
of machines). 
 
With W2K3 we will probably end up looking at Uni's again because 
at least the replication piece is better but I really do not see the purpose 
in replicating member information for a group that is used in one site in 
say Arizona to the entire world. Also if you have tens of thousands of 
groups like we do and those groups see lots and lots of daily membership 
changes which they do (one site I talked to processed at least 1500 
individual group changes a normal business day) that is a lot of replication 
of a lot of data that doesn't need to be used anywhere but in one site. 

 
Also when I mention the denys it is only on AD (excluding the 
Exchange container in the config partition) that I am speaking for because I 
am the one that controls that security. File systems and other ACL's on 
resources directly can be set with anything the local person in charge wants 
to do. If they call me asking me for help though the first thing I do is 
ixnay on the deny's if they are doing it for silly reasons. Most people tend 
to hurt themselves more than help themselves with deny's. And deny's in AD 
are not fun to work through. Also misordered ACL's with denies is fun too... 
No one would do that on purpose would they... oh wait... 

 
  joe
 

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
  Hmmm.  Well, I guess whatever works for 
  you.  I just know that I have a heck of a time with UPN resolution 
  taking a long time with our IOCs - yes, some are in their own forest with 
  Trusts.  But, I just can't imagine all of the explicit grants.  
  Maybe I'm just a bit backward but I haven't really found it all that tough 
  to track any one user's permission and 

RE: [ActiveDir] I would like to vote for Roger Abell

2003-08-25 Thread Joe

LOL. Ain't that the truth...

   joe

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 12:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] I would like to vote for Roger Abell
Now, y'all understand that I'm gonna have to shoot y'all for that kinda comment. Nothin' personal, understand? But there's more men need shootin' than servers need rebootin'.

-g
Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I would like to vote for Roger Abell
Deji,

We don't take them South-Western types in here  (oh, sorry Gil!).

I'll give Roger a shout and invite him to join us.  Roger has been a good friend for many years - I think he'll find his way here shortly...

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 18, 2003 8:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] I would like to vote for Roger Abell


Now that we have Joe, Todd, Dean Rick and other superstars, I have been (privately) wondering for a long time what is keeping one other very fine gentleman away from this list. I am sure many of you have heard of Roger Abell. Pardon the euphemism, but it is my considered opinion that this list will not be worse off if we can get him to grace us with his membership.

Unless there is a policy that says we only let them wander in on their own volition, I propose that we draft him :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Mon 8/18/2003 8:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] authoritative GPO restore


Rick, please excuse the whinge, borne out of a bit of frustration I am afraid !!

am needing to write procedural documents for what I would regard as a fairly
simple task (and given issues we have with allowed run list policy values
not unlikely either !!) ie restore of an inadvertently (or otherwise !) deleted
or corrupt GPO

not unreasonable to have had functionality equiv to GPMC in win2k ??

duly noted on GPMC - will recommend to deploy as soon as possible

without GPMC, it seems there are all sorts of interdependencies on AD
objects / SYSVOL file system objects which need to be got right when
restoring GPO

was looking to seek the views of others on the procedure for this restore
say of a single GPO ??

as per my original mail;
1. DS restore mode
2. restore of what sysvol file system directories / system state to original
3. restore (what ?) to alternate location
3. ntdsutil - run authoritative restore (seems only to apply to AD objects)
4. copy certain file system directories (policies / scripts ??) to original location

Thanks for your help throughout

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 2:34 PM
Subject: RE: [ActiveDir] authoritative GPO restore

> Graham,
>
> Though I don't totally disagree, I'm not sure what part of the picture is
> missing to cause you to make a statement such as:
>
> "Microsoft seem incapable of delivering finished products !"
>
> The GPMC *does* make it much easier - and I have been a big champion on this
> product, and is by far the preferred method.  But, before GPMC (6 years
> before, in fact) we have survived quite well with Auth Restore, Systems
> State restore, and Data backup restores.
>
> What part of the picture am I missing that would indicate Microsoft missed
> the boat on restoring GPOs in your case?
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Monday, August 18, 2003 3:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] authoritative GPO restore
>
> Darren, thanks for the very informative post reply.
>
> you seem only to confirm my views of what should be a relatively simple task
> is not so - although happy to see this complexity reduced with GPMC does not
> nothing to dispel my opinion that Microsoft seem incapable of delivering
> finis

RE: [ActiveDir] Add junior admin to Local workstations admin grou p

2003-08-25 Thread Joe



We 
don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist 
Groups. 
 
There seems to be one case that E5.5 does have them and 
it appears from conversations today that we will have to create two 
Universal D/S Groups used to manage two groups of conference rooms. It seems 
that PSS will not support use of DLG's and have no clue what could happen if 
they were used. 
 
 
 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
  Sent: Monday, August 25, 2003 10:26 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
  Are you going to be upgrading an existing Exchange 
  organization? If so, what are you planning to do with all of the UDGs/USGs 
  that the ADC wants to create? 
   
  Hunter
  
  
  From: Joe [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, August 23, 2003 9:13 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
  
  What 
  do you mean by "I just can't imagine all of the explicit grants."?  Is 
  this an Exchange reference? If so, block out Exchange, they didn't know what 
  they were doing when they wrote that application. Bad bad example of an AD 
  application. We may actually have to cave and create a couple of mail enabled 
  Uni groups for some stupid security stuff in Exchange. We asked why we can't 
  use DLG's and they said you just can't (I love those technical explanations 
  out of the Exchange Support and Dev groups). Then at one point a mistake was 
  made and it was said that Globals would probably work which meant that DLG's 
  would work as well and smashed their argument for Uni's at which point I 
  attacked and then they recanted and it was no no no only Uni's will work. 
  Problem is, I don't think there are many people if any that understand that 
  P.O.S..
   
  As 
  for the chasing perms. If you use all DLG's you know that all NT Native 
  Security uses of the group are within the one domain (you can do some tricks 
  if you have your own security system). So if you have say the whole world and 
  you get asked by a the security group where could this group have permissions 
  at you can say, only on machines within this domain versus, well any machine 
  in any of these 9 domains (meaning hundreds of thousands of machines). 
  
   
  With 
  W2K3 we will probably end up looking at Uni's again because at least the 
  replication piece is better but I really do not see the purpose in replicating 
  member information for a group that is used in one site in say Arizona to the 
  entire world. Also if you have tens of thousands of groups like we do and 
  those groups see lots and lots of daily membership changes which they do (one 
  site I talked to processed at least 1500 individual group changes a normal 
  business day) that is a lot of replication of a lot of data that doesn't need 
  to be used anywhere but in one site. 
   
  Also 
  when I mention the denys it is only on AD (excluding the Exchange container in 
  the config partition) that I am speaking for because I am the one that 
  controls that security. File systems and other ACL's on resources directly can 
  be set with anything the local person in charge wants to do. If they call me 
  asking me for help though the first thing I do is ixnay on the deny's if they 
  are doing it for silly reasons. Most people tend to hurt themselves more than 
  help themselves with deny's. And deny's in AD are not fun to work through. Also 
  misordered ACL's with denies is fun too... No one would do that on purpose 
  would they... oh wait... 
   
    joe
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
Hmmm.  Well, I guess whatever works for you.  
I just know that I have a heck of a time with UPN resolution taking a long 
time with our IOCs - yes, some are in their own forest with Trusts.  
But, I just can't imagine all of the explicit grants.  Maybe I'm just a 
bit backward but I haven't really found it all that tough to track any one 
user's permission and membership trail to the point were I wouldn't want a 
Global group managing the cross domain 'collection' of 
users.
 
And, the only denies that I have are on IIS 
servers.  I don't know of another deny in our entire structure.  
But, then - you're dealing with something that, as I remember - is about 7 
times as large as mine.
 
But, then, I am the guy who forgot that DC 
Administrators group and a member server local Administrators group weren't 
actually the same thing.  So, what do I know  
;-)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - 

RE: [ActiveDir] [SOT] Scripting ACEs

2003-08-25 Thread Coleman, Hunter
Your script confirmed what I was getting when I checked the ACEs using a
Vbscript, and what you said earlier about having the same number of ACEs
regardless of how the permissions are set. I'd rather avoid setting the Deny
ACEs, but there doesn't seem to be much alternative in implementing the
Exchange "split permissions" model. Which gets back to one of the other
threads here recently. 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 23, 2003 8:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [SOT] Scripting ACEs

LOL. No problem. My new lab here at home is definitely in the experiment
stage. The only part that is set up in a semi-permanent way is my Onkyo
TX-SR601/JVC XL-F215 and Bose 701's so I have music to help set up the rest.
As for the computer stuff I have network cables strung about the room so it
looks like I am having a limbo contest (looking for wire wraps so I can run
them right...). :o)  To add to the madness I added a new WAP (G type) to add
to my B-Type and my other switches/hubs. It was getting too easy otherwise.
:op

To bring this slightly back on topic here is a copy of the perl script.
Not sure if this is the latest version but seems to produce a good amount of
output. :op  Very raw output, if you don't have some idea of ACL and ACE's
oh my already then it may be a trifle overwhelming.
Verbose and debug modes more so but gives people values for GUIDs and such
so if they want to generate their own ACE's they can use this tool to dump
one to see what values they need to pump in.

Here is a snippet of a sample:

F:\temp>perl perlchksec.pl cn=anon,d,dc=joehome,dc=com

PerlChkSec V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  June 2002


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting ACEs

The way ACE's work you should have two ACE's either way, it is simply how
the GUI is interpreting. If you look at the ACE and ACL structures in MSDN
you will see that each ace can only have a single Principal, access type,
and attribute specified. More than likely the way the ACE's are being
ordered when the GUI does it matches a profile it sets up for decoding them.
If you do it from the GUI and then dump from a script you should be able to
duplicate the ordering if that is what you would like to do. I believe I
posted a perl script to ms.public.adsi.general once or twice that will dump
out the ACE's for the ACL of an object specifically to help determine the
ACE's and ordering put together by the GUI. Google that group for it if you
want it, otherwise you can send me a separate email and I will try to go dig
it up at some point for you. I am a bit in a disarray right now as we just
went through the power outage plus I am in the middle of moving and at work
am buried in E2K "stuff". I don't know where anything is right now. :op

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 14, 2003 12:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting ACEs


I'm seeing a discrepancy between setting ACEs through the GUI (Security tab
on an object) and setting them through a script. If I go into the Security
Tab on an OU and set a Deny ACE for some global group on "Change Password"
and "Reset Password" for User objects, I end up with a single Deny ACE for
those two operations. However, if I script it, I seem to end up with two
Deny ACEs, one for "Change Password" and a second, separate one for "Reset
Password."

I'm only setting a single objectType on the scripted ACE at this point, and
having to repeat that code to set the second objectType. Is there a way to
specify multiple objectTypes, or am I stuck with a larger DACL if I script
the ACEs?

Thanks,
Hunter
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
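An added example, written here in Python rather than taken from the thread (Joe's perl script is not reproduced): it parses an SDDL DACL string, shows that a "Change Password" plus "Reset Password" deny for one trustee is two object ACEs with one objectType GUID each (the Security tab merges them into one row; the DACL does not), and checks the canonical deny-before-allow order that a scripted append can break. The schema GUIDs are quoted from memory, and the group SID and sample DACLs are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Schema GUIDs the Security tab labels "Change Password", "Reset Password"
# and "User objects".  Quoted from memory rather than from the thread; check
# them against CN=Extended-Rights and CN=Schema in your own forest.
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
GUID_NAMES = {CHANGE_PASSWORD: "Change Password",
              RESET_PASSWORD: "Reset Password",
              USER_CLASS: "User objects"}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
DENY_TYPES = {"D", "OD"}
ALLOW_TYPES = {"A", "OA"}


def parse_dacl(sddl: str) -> List[Dict]:
    """Split the DACL portion of an SDDL string into one dict per ACE."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string beginning with 'D:'")
    aces = []
    for m in ACE_RE.finditer(sddl[2:]):
        ace_type, flags, rights, obj, inh_obj, trustee = m.groups()
        if ace_type not in DENY_TYPES | ALLOW_TYPES:
            raise ValueError(f"unsupported ACE type in a DACL: {ace_type}")
        aces.append({
            "type": ace_type,
            # flags are two-letter codes run together, e.g. "CIID" -> CI, ID
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "rights": rights,
            "object_type": obj.lower(),
            "inherited_object_type": inh_obj.lower(),
            "trustee": trustee,
        })
    return aces


def merge_like_gui(aces: List[Dict]) -> List[Dict]:
    """Collapse ACEs that differ only in object_type into one row per trustee,
    which is what the Security tab shows; the DACL itself still holds them all."""
    rows: Dict[Tuple, Dict] = {}
    for ace in aces:
        key = (ace["type"], tuple(ace["flags"]), ace["rights"],
               ace["inherited_object_type"], ace["trustee"])
        row = rows.setdefault(key, {
            "allow": ace["type"] in ALLOW_TYPES,
            "trustee": ace["trustee"],
            "rights": ace["rights"],
            "inherited": "ID" in ace["flags"],
            "object_types": [],
        })
        if ace["object_type"]:
            row["object_types"].append(ace["object_type"])
    for row in rows.values():
        row["names"] = [GUID_NAMES.get(g, g) for g in row["object_types"]]
    return list(rows.values())


def _rank(ace: Dict) -> int:
    # Canonical DACL order: explicit deny, then explicit allow, then inherited.
    if "ID" in ace["flags"]:
        return 2
    return 0 if ace["type"] in DENY_TYPES else 1


def is_canonical(aces: List[Dict]) -> bool:
    """False when some ACE sits out of canonical order, e.g. an explicit deny
    behind an explicit allow, where the deny no longer takes effect."""
    ranks = [_rank(a) for a in aces]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


# Constructed sample: one group denied both password control-access rights
# on user objects, plus an allow for the same group and an inherited allow.
SAMPLE_GROUP = "S-1-5-21-1000-2000-3000-1104"  # made-up group SID
SAMPLE_DACL = (
    "D:AI"
    f"(OD;CI;CR;{CHANGE_PASSWORD};{USER_CLASS};{SAMPLE_GROUP})"
    f"(OD;CI;CR;{RESET_PASSWORD};{USER_CLASS};{SAMPLE_GROUP})"
    f"(OA;CI;RPWP;;{USER_CLASS};{SAMPLE_GROUP})"
    "(A;CIID;GA;;;DA)"
)
# The same ACEs as a script that appended the denies last would leave them.
MISORDERED_DACL = (
    "D:AI"
    f"(OA;CI;RPWP;;{USER_CLASS};{SAMPLE_GROUP})"
    f"(OD;CI;CR;{CHANGE_PASSWORD};{USER_CLASS};{SAMPLE_GROUP})"
    f"(OD;CI;CR;{RESET_PASSWORD};{USER_CLASS};{SAMPLE_GROUP})"
)

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_DACL)
    print(f"{len(aces)} ACEs in the DACL, canonical order: {is_canonical(aces)}")
    for row in merge_like_gui(aces):
        kind = "Allow" if row["allow"] else "Deny"
        print(f"{kind:5} {row['trustee']:30} {row['rights']:5} {', '.join(row['names'])}")
    print("misordered sample canonical:", is_canonical(parse_dacl(MISORDERED_DACL)))
```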


RE: [ActiveDir] I would like to vote for Roger Abell

2003-08-25 Thread Rick Kingslan



LOL! 
 
-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] I would like to vote for Roger Abell

Now, 
y'all understand that I'm gonna have to shoot y'all for that kinda comment. 
Nothin' personal, understand? But there's more men need shootin' than servers 
need rebootin'.
 
-g
Gil Kirkpatrick
CTO, NetPro

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
  Sent: Monday, August 18, 2003 7:34 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] I would like to vote for Roger Abell
  Deji,
   
  We don't take them South-Western types in here  
  (oh, sorry Gil!).
   
  I'll give Roger a shout and invite him to join us.  
  Roger has been a good friend for many years - I think he'll find his way here 
  shortly...
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, August 18, 2003 8:42 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] I would like to vote for Roger Abell
  
  
  Now that we have Joe, Todd, 
  Dean, Rick and other superstars, I have been (privately) wondering for a long 
  time what is keeping one other very fine gentleman away from this list. I am 
  sure many of you have heard of Roger Abell. Pardon the euphemism, but it is my 
  considered opinion that this list will not be worse off if we can get him to 
  grace us with his membership.
  
  
   
  Unless there is a policy that says we only let them wander in on 
  their own volition, I propose that we draft him :)
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
  
  
  From: [EMAIL PROTECTED] on behalf of Graham Turner
  Sent: Mon 8/18/2003 8:24 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] authoritative GPO restore
  
  Rick, please excuse the whinge, borne out of a bit of frustration I am afraid !!

  am needing to write procedural documents for what I would regard as a fairly
  simple task (and given issues we have with allowed run list policy values
  not unlikely either !!) ie restore of an inadvertently (or otherwise !) deleted
  or corrupt GPO

  not unreasonable to have had functionality equiv to GPMC in win2k ??

  duly noted on GPMC - will recommend to deploy as soon as possible

  without GPMC, it seems there are all sorts of interdependencies on AD
  objects / SYSVOL file system objects which need to be got right when
  restoring GPO

  was looking to seek the views of others on the procedure for this restore
  say of a single GPO ??

  as per my original mail;
  1. DS restore mode
  2. restore of what sysvol file system directories / system state to original
  3. restore (what ?) to alternate location
  3. ntdsutil - run authoritative restore (seems only to apply to AD objects)
  4. copy certain file system directories (policies / scripts ??) to original location

  Thanks for your help throughout

  GT

  ----- Original Message -----
  From: "Rick Kingslan" <[EMAIL PROTECTED]>
  To: <[EMAIL PROTECTED]>
  Sent: Monday, August 18, 2003 2:34 PM
  Subject: RE: [ActiveDir] authoritative GPO restore

  > Graham,
  >
  > Though I don't totally disagree, I'm not sure what part of the picture is
  > missing to cause you to make a statement such as:
  >
  > "Microsoft seem incapable of delivering finished products !"
  >
  > The GPMC *does* make it much easier - and I have been a big champion on this
  > product, and is by far the preferred method.  But, before GPMC (6 years
  > before, in fact) we have survived quite well with Auth Restore, Systems
  > State restore, and Data backup restores.
  >
  > What part of the picture am I missing that would indicate Microsoft missed
  > the boat on restoring GPOs in your case?
  >
  > Rick Kingslan  MCSE, MCSA, MCT
  > Microsoft MVP - Active Directory
  > Associate Expert
  > Expert Zone - www.microsoft.com/windowsxp/expertzone
  >
  > -Original Message-
  > From: [EMAIL PROTECTED]
  > [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
  > Sent: Monday, August 18, 2003 3:05 AM
  > To: [EMAIL PROTECTED]
  > Subject: Re: [ActiveDir] authoritative GPO restore
  >
  > Darren, thanks for the very informative post reply.
  >
  > you seem only to confirm my views of what should be a relatively simple task
  > is not so - although happy to see this complexity reduced with GPMC does not
  > nothing to dispel my opinion that Microsoft seem incapable of delivering
  > finished products !
  >
  > Thanks again
  >
  > GT
  >
  > ----- Original Message -----
  > From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
  > To: <[EMAIL PROTECTED]>
  > Sent: Sunday, August 17, 2003 9:30 PM
  > Subject: RE: [ActiveDir] authoritative GPO restore
  >
  >
  > Graham-
  > You're absolutely right

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Jimmy Andersson
I know, and I posted it some time ago but it hasn't showed up on the list
yet... 
I use LDP 3.0 in all my 'Inside AD' classes and it works perfect for all my
students and clients. 

Note-to-self, include the LDP version in the future. :)

Glad you got it working! 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 8:53 PM
To: [EMAIL PROTECTED]

Rick,
 
You found the solution to my problem. LDP version 3.0 worked flawlessly.
Jimmy's solution will not work with any other.
 
Thanks
 
Yves
 
 



From: Rick Kingslan
Sent: Mon 25/08/2003 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how 

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread AD



Rick,
 
You found the solution to my problem. LDP version 3.0 worked flawlessly. Jimmy's solution will not work with any other.
 
Thanks
 
Yves
 
 


From: Rick Kingslan
Sent: Mon 25/08/2003 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124
32412344))

 

Doesn't return anything. I know the sid must converted but I am not sure
what format it should be in.

 

Thanks

 

Y



RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Jimmy Andersson
I use LDP version 3.0.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 6:53 PM
To: '[EMAIL PROTECTED]'

AFAIK, the SID syntax is not part of the LDAP interface... So it is likely
that it is supported by code inside LDP. What versions of LDP are you all
using? That might be why it works for some people and not others.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 25, 2003 7:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


I've tried it again and again with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls. You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124
32412344))

 

Doesn't return anything. I know the sid must converted but I am not sure
what format it should be in.

 

Thanks

 

Y


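As an added example for this thread, not code from any of the posters: the original filter fails because objectSid is an octet string, so the textual SID has to be packed into its binary layout and hex-escaped in the filter, while the LDP base-DN trick works on the textual form. The Python below does both; the function names and the S-1-5-21-1000-2000-3000-1105 sample SID are my own.

```python
import re
import struct

# Textual SID: S-<revision>-<identifier authority>[-<sub authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID into the binary form stored in objectSid.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian integer.
    """
    m = SID_RE.match(sid)
    if not m:
        # Catches the "S15-..." paste from the thread: the '-' after S is missing.
        raise ValueError(f"not a textual SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority does not fit in 32 bits: {sid!r}")
    blob = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Unpack a binary objectSid value back to text (reverse of sid_to_bytes)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_escape_binary(blob: bytes) -> str:
    """Escape raw bytes for an LDAP filter value: one \\XX hex escape per byte."""
    return "".join("\\%02x" % b for b in blob)


def objectsid_filter(sid: str) -> str:
    """The filter the original poster wanted: a user matched on objectSid."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(objectSid={ldap_escape_binary(sid_to_bytes(sid))}))")


def sid_bind_base(sid: str) -> str:
    """The base-DN form used in the LDP replies, validated before it is built."""
    sid_to_bytes(sid)  # raises on a malformed string before it reaches the server
    return f"<SID={sid}>"


if __name__ == "__main__":
    sample = "S-1-5-21-1000-2000-3000-1105"  # constructed SID, not from the thread
    print(sid_to_bytes(sample).hex())
    print(objectsid_filter(sample))
    print(sid_bind_base(sample))
```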

RE: [ActiveDir] Number of Interactive Logons

2003-08-25 Thread Rick Kingslan



I'm asking my 'softie contacts for someone internal who 
can answer this - and be on the record.
 
My experience is different than Dave's.   
And, looking at documentation on the MS site and at large, we're in the 
majority.  there are two clear opinions on HOW this works.  
Unfortunately, there can be only one correct answer.
 
My confusion runneth over.
 
http://www.nsa.gov/snac/win2k/guides/w2k-3.pdf
http://security.ouhsc.edu/docs/grouppolicyreference.doc
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fugleberg, David A
Sent: Monday, August 25, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

Rick - 
I'm not trying to beat a dead horse here...just want to make sure I understand 
how it really works.  Since I trust your experience, I had to figure out 
where my testing went wrong.  So I redid it.  Multiple times.  I 
haven't hit Ctrl-Alt-Del so many times at a sitting since Windows 3.1 
:)
 
Problem is, the results were the same as I got before, which does not 
square with your results.  I set the parameter at 2, and found that only 
the last 2 logons were cached, but that I could use them more than 2 or 3 or 
even 10 times while disconnected.  Actually, I stopped at 16 successful 
logins for each of those accounts.
 
Then I 
set it at 3 and started all over.  Again, only that number of logins were 
cached, but I was able to log in with each of them 16 times, which is where I 
stopped.
 
Both 
workstation and DC are Win2K, SP4.
 
Clearly, something is different between our two environments, since all 
your accounts were cached, but none of them could go beyond 11 logins while 
disconnected.  Since you picked the number 11, I take it that you left the 
policy setting in question at its default of 10 ?
 
Regarding your hope that "Microsoft can be deemed authoritative", I 
echo Ken's comments from Saturday that some of those documents seem 
contradictory.  One would hope that all of the documentation would exactly 
reflect product design and behavior, but I can't ignore what I see in actual 
practice either.  Perhaps there's yet another setting (other than Number of previous logons to cache (in case domain 
controller is not available) ) that could be at work 
here ???
 
Dave

  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 6:22 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  And the correct answer is.
   
  Not correct.
   
  Look at this: (because of the way that I wavered this 
  morning - I'm not reliable)
   
  http://msdn.microsoft.com/library/default.asp?url=  <--- Windows 2000
  http://www.microsoft.com/technet/treeview/default.asp?url=  <--- Windows XP
  http://www.microsoft.com/technet/treeview/default.asp?url=  <--- Windows 2003
   
  Please let this resolve this and close off this 
  thread.  I'm hoping that Microsoft can be deemed  
  authoritative.
   
  Oh, and by the way - I tried this, David.  I login 
  10 times, and it tells me that, basically, I can't login anymore because a DC 
  cannot be contacted on the 11th try.  I have 11 dummy users (h... 
  Maybe I'm the dummy user.) and each of the 11 get 10 attempts and are denied 
  on the 11th.
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
  Sent: Friday, August 22, 2003 5:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  And the correct answer is
  This setting has nothing to do with how many times a given user can log in when no 
  DC is available.  It has everything to do with how many users 
  will have their credentials cached on the workstation while it is 
  connected.
   
  Try this simple experiment in the lab.  Set the policy in question to a value 
  of 2.  Make sure a workstation applies the GPO, then log in and out 
  as several different domain users.
   
  Disconnect the workstation from the network.  Try logging in as 
  each of those users.  You will find that you can log in with the 
  credentials of the last two users, but none of the ones before that.  The 
  two that DO work will work as many times as you like.
   
  The value of 2 in the policy simply means it caches the credentials of the last 
  two unique individuals that logged in, and any credentials previously cached 
  'roll off'.  The credentials that remain in the cache are valid forever 
  once you disconnect from the network.
   
  Now, as to the original question - a value of 10 or 50 makes little difference if 
  less than 10 individuals ever need to use the same machine

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Rick Kingslan
Jimmy,

What version of OS and version of LDP are you doing this on?  I can't get it
to work either - and I'm using the Builtin Group SIDS.  I would suspect that
I should get a consistent return on those, but I'm getting a BAD_NAME error.



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Monday, August 25, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I've tried it again and again, with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exists in the Deleted Objects container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Gil Kirkpatrick
Hey Joe,
 
Wow, thanks for the compliment dude.
 
Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I 
haven't seen it before as part of ADSI.
 
-g
Gil Kirkpatrick
CTO, NetPro

  
  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Saturday, August 23, 2003 7:46 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
  This is an ADSI thing and is called a SID Bind, you can also do a GUID bind in a 
  similar manner. If you are using LDAP API instead of ADSI you need to encode 
  the SID back into an octet string and do the search with it. Check out Gil 
  Kirkpatrick's Programming Active Directory as he has some good info on this 
  type of schtuff. Actually if you are doing any AD programming, get that book. 
  Gil rocks. :op
   
   
    joe
   
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

I never heard of using an 
attribute as your BaseDN. 
 
If this worked for you I really would 
like to know how you did it.
 
Thanks
 
Y


From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
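Joe's remark that an LDAP API caller has to "encode the sid back into an octet string" is the crux of the original question: objectSid is stored as a binary octet string, so the portable way to filter on it is to send the binary value escaped per RFC 4515, and the ADSI route is the `<SID=...>` binding string he calls a SID bind. The Python below is an added example written for this page, not code from the thread, from LDP, or from any product named in it. It encodes a textual SID into the objectSid binary layout, decodes it back, builds the escaped filter, and rejects a SID string that lacks its hyphens (the form pasted in the original post, which Jimmy also flags). The sample SIDs are constructed and the function names are my own.

```python
import re
import struct

# Constructed sample SIDs for the demonstration (not values taken from the thread).
EVERYONE_SID = "S-1-1-0"
BUILTIN_ADMINS_SID = "S-1-5-32-544"
SAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"  # constructed

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-R-I-S1-S2-...) as the binary objectSid value.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as a 32-bit little-endian integer.  A string without the hyphens is
    rejected rather than guessed at.
    """
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a well-formed SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("SID fields out of range: %r" % sid)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % sid)
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode an objectSid value read back from a search result into S-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """Escape a binary value for an LDAP search filter (RFC 4515 backslash-hex form)."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(sid: str, object_category: str = "user") -> str:
    """Build the objectSid filter the original question was reaching for."""
    return "(&(objectCategory=%s)(objectSid=%s))" % (
        object_category, ldap_escape_bytes(sid_to_bytes(sid)))


def sid_bind_path(sid: str) -> str:
    """ADSI SID-bind ADsPath, the alternative Joe describes for ADSI callers."""
    sid_to_bytes(sid)  # validate the string before producing a path
    return "LDAP://<SID=%s>" % sid


if __name__ == "__main__":
    print(objectsid_filter(BUILTIN_ADMINS_SID, "group"))
    print(bytes_to_sid(sid_to_bytes(SAMPLE_USER_SID)))
    print(sid_bind_path(SAMPLE_USER_SID))
```

The filter string is what you would hand to any LDAP client library's search call; the same escaping applies to objectGUID if you want the GUID-bind equivalent. The decoder is the half a defender uses most: when an audit pulls objectSid off a search result, it comes back as these raw bytes, and getting the sub-authority byte order wrong silently produces a SID that matches nothing.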



RE: [ActiveDir] FYI - Office 2003 went RTM today

2003-08-25 Thread Michael B. Smith
The retail partnumbers were just released. I don't know that they map to
WWF disk kit partnumbers. I just ran a list on WWF and Office 2003
wasn't listed.

021-06145 Office 2003 Standard (Retail)
269-06738 Office 2003 Professional (Retail)
588-02636 Office 2003 Small Business (Retail)

021-06280 Office 2003 Standard (Open Business)
269-06807 Office 2003 Professional (Open Business)


-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 19, 2003 11:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today


Does anyone know the MS WWF part number for Office 2003?


Ryan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 19, 2003 10:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today

Heh - Roger's in rare form once again!  Actually, I was told that
everyone else is getting it free - however, Inovis is getting charged
double.  

Hold on... Gads!  That's still nothing!  Damn! 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 19, 2003 8:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today

So they're worth their free price? ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rod Trent [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 19, 2003 8:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] FYI - Office 2003 went RTM today
> 
> 
> Agreed...Outlook 2k3 is probably the best product in the group.  Spam
> features alone are worth the price of admission.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Tuesday, August 19, 2003 7:56 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] FYI - Office 2003 went RTM today
> 
> Just a heads up to those of you who want to be 'in the know'
> 
> If you haven't had the chance to use the new Outlook - it's very nice!
> 
> Visio, SharePoint Portal will lag a little bit - October timeframe, as
> I recall.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread Jimmy Andersson
I've tried it again and again, with different SIDs on existing objects,
and it works every time for me.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, August 25, 2003 4:02 PM
To: [EMAIL PROTECTED]

Can anyone test the following instructions from Jimmy and let me know if it
worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that
I cut and paste from an existing user.
 
Thanks
 
Y
 
 


From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exists in the Deleted Objects container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Add junior admin to Local workstations admin group

2003-08-25 Thread Coleman, Hunter
Are you going to be upgrading an existing Exchange 
organization? If so, what are you planning to do with all of the UDGs/USGs that 
the ADC wants to create? 
 
Hunter


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."?  Is this 
an Exchange reference? If so, block out Exchange, they didn't know what they 
were doing when they wrote that application. Bad bad example of an AD 
application. We may actually have to cave and create a couple of mail enabled 
Uni groups for some stupid security stuff in Exchange. We asked why we can't use 
DLG's and they said you just can't (I love those technical explanations out of 
the Exchange Support and Dev groups). Then at one point a mistake was made and 
it was said that Globals would probably work which meant that DLG's would work 
as well and smashed their argument for Uni's at which point I attacked and then 
they recanted and it was no no no only Uni's will work. Problem is, I don't 
think there are many people if any that understand that P.O.S..
 
As for the chasing perms. If you use all DLG's you know that all NT Native 
Security uses of the group are within the one domain (you can do some tricks if 
you have your own security system). So if you have say the whole world and you 
get asked by the security group where could this group have permissions at you 
can say, only on machines within this domain versus, well any machine in any of 
these 9 domains (meaning hundreds of thousands of machines). 

 
With W2K3 we will probably end up looking at Uni's again because at least the 
replication piece is better but I really do not see the purpose in replicating 
member information for a group that is used in one site in say Arizona to the 
entire world. Also if you have tens of thousands of groups like we do and those 
groups see lots and lots of daily membership changes which they do (one site I 
talked to processed at least 1500 individual group changes a normal business 
day) that is a lot of replication of a lot of data that doesn't need to be used 
anywhere but in one site. 
 
Also when I mention the denys it is only on AD (excluding the Exchange container in 
the config partition) that I am speaking for because I am the one that controls 
that security. File systems and other ACL's on resources directly can be set 
with anything the local person in charge wants to do. If they call me asking me 
for help though the first thing I do is ixnay on the deny's if they are doing it 
for silly reasons. Most people tend to hurt themselves more than help themselves 
with deny's. And deny's in AD are not fun to work through. Also misordered ACL's 
with denies is fun too... No one would do that on purpose would they... oh 
wait... 
 
  
joe
 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Sunday, August 17, 2003 11:43 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
  Hmmm.  Well, I guess whatever works for you.  I 
  just know that I have a heck of a time with UPN resolution taking a long time 
  with our IOCs - yes, some are in their own forest with Trusts.  But, I 
  just can't imagine all of the explicit grants.  Maybe I'm just a bit 
  backward but I haven't really found it all that tough to track any one user's 
  permission and membership trail to the point where I wouldn't want a Global 
  group managing the cross domain 'collection' of users.
   
  And, the only denies that I have are on IIS 
  servers.  I don't know of another deny in our entire structure.  
  But, then - you're dealing with something that, as I remember - is about 7 
  times as large as mine.
   
  But, then, I am the guy who forgot that DC Administrators 
  group and a member server local Administrators group weren't actually the same 
  thing.  So, what do I know  ;-)
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Sunday, August 17, 2003 12:38 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
  
  We like to limit the security scope of the groups. Very difficult to chase 
  permissions across the world when someone asks, what does this group have 
  access to? At the worst, the permissions can only be applied within a specific 
  geographic region or at least the machines that are part of it. Additionally, 
  DLG's can take members from all domains and we don't have to have two or more 
  groups for every resource being tied down (i.e. 
  no user-global-local-permission nesting). People can do as much DLG 

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-25 Thread AD



Can anyone test the following instructions from Jimmy and let me know if it worked for you? I can't seem to get it to work.
 
I am not searching on a deleted SID. I am searching on an existing sid that I cut and paste from an existing user.
 
Thanks
 
Y
 
 



From: Jimmy Andersson
Sent: Fri 22/08/2003 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute
Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exists in the Deleted Objects container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I type in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.
 
The ObjectSID was a cut and paste from my attribute.
 
It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGIUD=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





Re: [ActiveDir] SP4 and DC's

2003-08-25 Thread Lou Vega
Yeah - actually my answer was a little too short. 
Per the KB article I did remove the protected group from delegation so that it 
wouldn't get wiped out again... *then* had to re-apply the delegation to the 
groups that had been nested inside it... thank goodness for scripting 
:)
 
 

  - Original Message - 
  From: 
  Joe 

  To: [EMAIL PROTECTED] 
  
  Sent: Saturday, August 23, 2003 10:15 
  AM
  Subject: RE: [ActiveDir] SP4 and 
  DC's
  
  Actually if the delegation is to the protected groups, reapplying the 
  delegation won't do anything for you because it will be wiped again. Basically 
  the functional reach of adminsdholder has been extended to more groups. What 
  specifically are you trying to delegate and maybe we can come up with a safe 
  workaround for you.
   
    joe
   
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luis P. Vega
Sent: Thursday, August 21, 2003 10:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SP4 and DC's
See the following KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
I know the heading says 2003 Server, but it 
also applies to W2K server after applying a certain hotfix. Anyways - this 
caused a minor headache for me after applying SP and I noticed some of my 
delegation didn't work anymore - the fix? Re-apply the 
delegation.
 
 
r/
Lou Vega
Software Engineer
CSSI, Inc.
 

  -Original Message-
  From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 10:28 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] SP4
  
Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.
 
 
 
 
Don L. Murawski
Sr. Network Administrator

WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
 


[ActiveDir] Media Player and Screen Saver Policy

2003-08-25 Thread De Schepper Marc
Enforcing some policies like a Screen Saver on our PC's was a good idea, 
except some of our people need to look at some movies etc (mostly at home). So 
I disabled the Allow Screen saver policy... but this doesn't seem to work, a 
screen saver always pops up, and we have Media player 9.00.00.2980 on XP Pro and 
WIN2000 SP4...
 
So if I'm right about this setting then we should disable it to override the screen 
saver, or am I completely wrong about this one?
 
To make sure, I copied the explanation: 
 
Allow Screen Saver
Enables a screen saver to interrupt playback.
 
This policy displays 
a screen saver during playback of digital media according to the options 
selected on the Screen Saver tab in the Display Properties dialog box in Control 
Panel. The Allow screen saver during playback check box on the Player tab in the 
Player is selected and is not available.
 
When this policy is 
disabled, a screen saver does not interrupt playback even if users have selected 
a screen saver. The Allow screen saver during playback check box is cleared and 
is not available.
 
When this policy is 
not configured, users can change the setting for the Allow screen saver during 
playback check box.
 
Marc
*
This e-mail and any attachment thereto may contain 
information which is confidential and/or protected by intellectual property 
rights and are intended for the sole use of the addressees. Any use of the 
information contained herein (including but not limited to total or partial 
reproduction or distribution in any form) by other persons than the addressees 
is prohibited. If you have received this e-mail in error, please notify the 
sender and delete its contents. 
*