[ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

2003-10-16 Thread deji
I'm sure this does not have much bearing on AD, per se. So, I apologize for
sending it to this forum, which has one of the best collections of brains I've
ever seen.
 
I have some Engineering Testing Labs with a number of Domains and computers
sharing the same network with my LIVE domain. It's actually worse than just
sharing, but that's another story. Business requirements prevent some clients
on these domains from installing AV clients, updating patches or even having
passwords for the local admin account. Yeah, I know, but, again, another
story entirely. But, as you can deduce, viruses happen in these Labs.
 
My question is this. How do you protect your Production networks from
settings like these? All production systems follow strict adherence to strict
security practices, but we occasionally have slippage (like someone on a
month-long vacation turning off a computer and thereby not getting patches
and AV pattern updates). How do you PREVENT share-eating Viruses like Mofei,
Nachi, etc from spreading from the Lab to your live network? I have been
evaluating a Product called Fortigate (from Fortinet), but I gave it up as
soon as I discovered that they do not protect against NetBIOS, share-borne
Viruses.
 
Any product there that can help me out?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

RE: [ActiveDir] Creating programmatically when password complexity is in force

2003-10-16 Thread Rick Kingslan
Joe,

Yeah - turning off the password policy. Hm. Yummy, chewy insides.

We got it resolved, thanks to Mr. Cornetet. Turns out that what I needed to
do was:

' ~
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_DISABLED_ACCOUNT = 514   ' 512 + ACCOUNTDISABLE (2)

' The container DN and the user values were stripped by the list archive; the
' values below (ou=Users,dc=example,dc=com, rickk, ...) are placeholders.
Set objParent = GetObject("LDAP://ou=Users,dc=example,dc=com")
Set objUser = objParent.Create("user", "cn=rickk")
objUser.Put "sAMAccountName", "rickk"
objUser.Put "userPrincipalName", "[EMAIL PROTECTED]"
objUser.Put "givenName", "Rick"
objUser.Put "sn", "Kingslan"
objUser.Put "displayName", "Rick Kingslan"
' Create the object disabled, so the password policy is not applied to an
' object that has no password yet
objUser.Put "userAccountControl", ADS_UF_DISABLED_ACCOUNT
objUser.SetInfo
' The object now exists, so the password can be set (and is policy-checked)
objUser.SetPassword "PLACEHOLDER-password"
' Then enable the account
objUser.AccountDisabled = False
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
' ~~~

Basically, set the account to disabled before creating it so that the
account would be disabled when the password was applied.  Worked like a
charm, so that's one piece of the automation tools resolved.  It's a start
to a long road - but we're finally getting some things realized.

It's a good thing(TM).

>Did it make it into Tuna to do the password set and useraccountcontrol set
>prior to the first setinfo?

Sadly, no - that was my first source, and there was nothing that helped,
hence the message out to you guys.

Thanks for the message, however!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, October 16, 2003 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programmatically when password complexity
is in force

Rick you have two options...

1. Turn off your password requirements policy and allow blank passwords...
:op

2. Don't touch useraccountcontrol (i.e. Enable the user) nor the password
until after you create the user object. 

Did it make it into Tuna to do the password set and useraccountcontrol set
prior to the first setinfo? That was something I pointed out. I haven't had
a chance to read through the final. 


Don't be worried, this is a pretty common one. 


 Your buddy joe :)




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Thursday, October 16, 2003 8:06 AM
To: [EMAIL PROTECTED]

I've run into an interesting problem.  If I create a user programmatically
(using C#, but we've confirmed the same with VBScript), the password cannot
be set until the user object exists.  If I try it, we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell me
what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users (which
is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Joe
Well, for better or worse, what you explained is how I understood it myself.
Though I admit to not knowing it really well, never wanted to know it all, but
damn MS to hell for inserting AD and Exchange into each other like they did...
(Hey, I haven't ranted on here about E2K in at least a week.)

Oh, one other thing is that some of that info gets stamped into the
msExchADCGlobalNames attribute but in a DN format. I believe the AD side of that
gets stamped by the E55->AD work and then the E55 side gets stamped by the
opposite direction. Though the 5.5 directory side would have the location in the
AD tree being stamped, not the 5.5 location.

For Exchange, I'm only an egg. I don't Grok it.

  joe

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 16, 2003 4:23 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'

Let me play this back to see if I have it straight:

One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain

Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you
only consider it installed in this domain)
Domain B = Exchange 5.5 installed

Is that right so far?

How many ADC's do you have? I assume just the one from Exchange 2000 media rev'd
to SP3 or later with the standard CA's plus the recipients and public folders.

When you create a user in domain A, it's (presumably) an Exchange 2000
mail-enabled user object. Correct? The ADC CA picks this up from Domain A where
it originated as new, and replicates the data to the Exchange 5.5 directory. At
the point of creation and RUS processing, the mail-enabled user object has a
legacyExchangeDN ending in \Recipients. If you stopped the CA prior to creating
the user object, this would still be the case because Exchange 2000 has no
concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created
assuming that the Recipients container is the only one. Now turn the ADC CA back
on to replicate. The replication starts, picks up the new mail-enabled user
object, realizes there is no corresponding object, checks its rules regarding
this situation (advanced tab as I recall) and creates the 5.5 directory entry in
the container that follows those rules. Often, these rules will be set to follow
legacyExchangeDN so you don't get a bazillion containers to mimic the OU
structure in Active Directory. Yours probably is set that way. It doesn't end
there. Now on the next replication cycle, the ADC CA realizes that 5.5 has a new
object and replicates it back to the Active Directory. Anything that was changed
on the 5.5 side is now replicated to Active Directory and the CA is now done
with that object.

If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is,
by nature, whatever the relative path is for the object in the directory. So if
you have an object that is in a different container called "new" then your
legacyExchangeDN would end in \new. Right? So when the ADC CA wakes up, it
realizes it has a new 5.5 object, replicates it to the target OU in Active
Directory and then replicates the information back to the 5.5 directory. As far
as 5.5 users are concerned, it is in the "correct container".

What you described is expected behavior. What you seem to want to do is modify
that behavior so that if you create a user in a particular OU in Active
Directory, the ADC knows to put it in a particular CN in 5.5. Unfortunately,
you'll have to get somewhat complex with CA's (which I don't recommend), or else
change your process to accommodate (e.g. create the account on 5.5 in the
container you want it in, and then move it to the appropriate 2000 server). You
could also educate your users on the finer points of GAL usage to get them to
understand how to find a user, but that may not be an option (I am being totally
serious about that even if email makes it sound sarcastic). You could also use
address book views or even GAL views to mimic this behavior, but I think that's
lipstick on a pig in this situation.

If I've misunderstood, please correct me as I'd hate to think I didn't
understand this stuff. ;-)

Al

  
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 2:47 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

  Al, test-bed scenario: empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC
  installed, child domain B w/1 dc/gc E55 ADC installed. Created the new user in
  domain A and tests showed that the GAL in domain B was not showing the new user
  in the proper container. Found the legacyExchangeDN to be mis-represented.
  Created new user in domain B and it displayed correctly.

  R/Bill

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003

RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-16 Thread Joe
Anytime the question is

"I am looking for an object somewhere in the forest"

the answer is almost always, do a GC search of the attributes you know that are
in the GC. In this case you can search on name or samaccountname.

If you can easily convert the dns name of the domain to a netbios name you can
also use the translatename com object.

For an example of an ldap search, try this

adfind -gc -b -f name=computername -dn

That will pick your machine's default global catalog and search it looking for
the computername of computername and spit out the dn of the object.

If you have the possibility of having multiple objects with that computer name,
try instead

adfind -gc -b -f "&(objectcategory=computer)(name=computername)" -dn

C:\>adfind -adfind -gc -b -f "&(objectcategory=computer)(name=xplt)" -dn

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: w2kasdc1.joehome.com

dn:CN=XPLT,CN=Computers,DC=joehome,DC=com

1 Objects returned

C:\>

  joe
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederic Allaert
Sent: Thursday, October 16, 2003 9:50 AM
To: [EMAIL PROTECTED]

Hello all,
I have been searching for some good, clear examples of how to determine the LDAP
path for a computer object (without knowing the "location" in AD), with the only
input being the hostname of the computer and the DNS name for the domain. All
this using a .VBS script...
Can someone produce such an example, or direct me to some good resource websites
on this topic?
Greetings,
Frederic Allaert


RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Joe
Is it doing an ldap authentication of the user or searching for the user and some
attribute of the user to determine if they can be on?

If only authenticating and they have the user's upn (say everyone in the company
has [EMAIL PROTECTED]) or full sam name (including domain) they can pass that in
the ldap bind instead of the user's dn, thereby getting around searching for the
user's dn and then authenticating them.

  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, October 16, 2003 4:52 PM
To: [EMAIL PROTECTED]


The app in question (and there’s one more doing the same thing) is supposed to
validate a user’s logon. That’s basically the only thing the LDAP functionality
is used for. But the user could be in either of two peer subdomains of an empty
root. (If you’re interested specifically, the 2 apps are Kintana, which is a
web-based change management tool, and Pixion, which is a web-based collaboration
tool.)
 

 
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 4:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP in Multi-domain environments
 

Depends on what you're searching for in the app. What's the app and what's it
searching for?

Remember GC's are going to hold some of the information these apps are looking
for.

Al

  -Original Message-
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 4:18 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP in Multi-domain environments

  We have some apps that make LDAP queries to allow a user to log in. Picture an
  "empty" root with two sub-domains. If the app is to be used only in a single
  sub-domain, i.e. dc=domain1,dc=company,dc=com, it works fine. If it needs to
  cross over to the other domain we have, though, i.e.
  dc=domain2,dc=company,dc=com, we're out of luck. We can't make the root
  dc=company,dc=com LDAP query search BOTH sub-domains for the user. Is this a
  limitation of LDAP, or of the apps that are trying to use it? I suspect it's
  the apps, but maybe there's a global (middleware?) fix someone can suggest?

  If any of you are using an app called Kintana and have conquered this problem,
  I'd especially like to hear from you.

  Thanks!

  Mark Creamer
  Systems Engineer
  Cintas Corporation
  http://www.cintas.com
  Honesty and Integrity in Everything We Do


RE: [ActiveDir] Creating programmatically when password complexity is in force

2003-10-16 Thread Joe
Rick you have two options...

1. Turn off your password requirements policy and allow blank passwords...
:op

2. Don't touch useraccountcontrol (i.e. Enable the user) nor the password
until after you create the user object. 

Did it make it into Tuna to do the password set and useraccountcontrol set
prior to the first setinfo? That was something I pointed out. I haven't had
a chance to read through the final. 


Don't be worried, this is a pretty common one. 


 Your buddy joe :)




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Thursday, October 16, 2003 8:06 AM
To: [EMAIL PROTECTED]

I've run into an interesting problem.  If I create a user programmatically
(using C#, but we've confirmed the same with VBScript), the password cannot
be set until the user object exists.  If I try it, we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell me
what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users (which
is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


RE: [ActiveDir] Intrasite Replication Schedule

2003-10-16 Thread Joe
I have modified our production and lab environments to 30 seconds pause
after modify and 15 second pause between DSA's and have been running in that
configuration for months with no perceived issues. 

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
Sent: Wednesday, October 15, 2003 7:46 PM
To: [EMAIL PROTECTED]

As most of you know, the default intrasite replication schedule in Windows
2000 is 5 minutes yet 15 seconds in Windows Server 2003.  Has anyone changed
the setting in a Windows 2000 domain (Q214678) to match the settings that
are now the default in Windows Server 2003?

The five minute replication is frustrating, because it can actually be up to
15 minutes with lots of DC's in a site.  Any advice would be appreciated.
Thanks.

-Rick Dayton



RE: [ActiveDir] Slow Active Directory Users and Computers Snap in

2003-10-16 Thread Joe
This is almost certainly some form of DNS issue.

The quickest way to figure it out is to fire up netmon and then start
dsa.msc and look to see what happens in the trace. Most likely you will see
DNS calls that are not being responded to. 

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Sumilang
Sent: Wednesday, October 15, 2003 2:00 PM
To: [EMAIL PROTECTED]

I am running Windows 2000 Server with Active Directory and have a network of
about 30 users. For some reason each time I try to load the Active Directory
Users and Computers Snap in it takes about 3-5 minutes to load. Any reason?



[ActiveDir] Replication question

2003-10-16 Thread daniel . gilbert
To All:

I am looking for some answers to questions I have about the REPADMIN command. I
am running the Windows 2003 Support Tools version of the command with the
following switches: /replsum /bysrc /bydest /sort:delta

I get a display like the following:

Replication Summary Start Time: 2003-10-16 14:14:31

Beginning data collection for replication summary, this may take awhile:

(excerpt of actual data)

Source DC          largest delta    fails/total  %%  error
SRV-SITEA0017      14h:25m:59s       0 /  15     0
SRV-SITEC0002      14h:25m:53s       0 /   9     0
SRV-SITEB0001      02h:25m:57s       0 /  22     0

Destination DC     largest delta    fails/total  %%  error
SRV-SITEA0017      14h:26m:43s       0 /  28     0
SRV-SITEC0002          17m:59s       0 /   5     0
SRV-SITEB0001          17m:43s       0 /  17     0

Now before everyone jumps on me telling me the deltas are way too large, I
agree. I think. I have found one replication schedule misconfigured and it has
been corrected.

Now, my real question is how to interpret the results. I think I understand the
information about the largest delta (time since last replication), the
fails/total (number of failures in the last number of replication attempts), %%
(percent of failures), and error (an explanation of any errors).

What I can't seem to get a grasp on is the Source DC or Destination DC column. I
have looked at the repadmin command in the Microsoft Help and Support page and
it gives some information but not how to interpret the results.

If someone can explain to me what the Source DC and Destination DC columns tell
me I would appreciate it.

Dan
 

Daniel L. Gilbert, Contractor
Senior Active Directory Specialist
CONUS Theater Network Operations and Security Center (CONUS-TNOSC)
(520) 533-6700 DSN: 821-6700
[EMAIL PROTECTED]
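An added example (my own code, not from the thread or from repadmin) that parses a /replsum excerpt like the one above and flags partners whose largest delta is past a threshold or that show failures. It assumes the row layout shown in the message and four delta spellings (d.h:m:s, h:m:s, m:s, and ">NN days" for very stale links); the excerpt is reconstructed from Dan's message. Each Source row is a DC in its role as replication source (the delta is the longest time since any partner last replicated from it); each Destination row is the same DC as an inbound partner.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the /replsum excerpt from the message above.
REPLSUM_EXCERPT = """\
Replication Summary Start Time: 2003-10-16 14:14:31

Beginning data collection for replication summary, this may take awhile:

Source DC          largest delta    fails/total  %%  error
SRV-SITEA0017      14h:25m:59s       0 /  15     0
SRV-SITEC0002      14h:25m:53s       0 /   9     0
SRV-SITEB0001      02h:25m:57s       0 /  22     0

Destination DC     largest delta    fails/total  %%  error
SRV-SITEA0017      14h:26m:43s       0 /  28     0
SRV-SITEC0002          17m:59s       0 /   5     0
SRV-SITEB0001          17m:43s       0 /  17     0
"""


@dataclass(frozen=True)
class ReplRow:
    role: str                     # "Source" or "Destination"
    dc: str
    delta_seconds: Optional[int]  # None when repadmin only prints a bound (">60 days")
    fails: int
    total: int
    error: str


# Delta spellings assumed: "01d.02h:03m:04s", "02h:25m:57s", "17m:59s", "59s", ">60 days".
_DELTA_RE = re.compile(
    r"^(?:(?P<d>\d+)d\.)?(?:(?P<h>\d+)h:)?(?:(?P<m>\d+)m:)?(?P<s>\d+)s$")
_ROW_RE = re.compile(
    r"^(?P<dc>\S+)\s+(?P<delta>>\d+ days|[0-9dhms:.]+)\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)\s*(?P<error>.*)$")


def parse_delta(text: str) -> Optional[int]:
    """Convert the largest-delta field to seconds; None when it is only a lower bound."""
    if text.startswith(">"):
        return None
    m = _DELTA_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised delta: {text!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_replsum(text: str) -> List[ReplRow]:
    """Walk the output, remembering which table (Source or Destination) we are in."""
    rows: List[ReplRow] = []
    role: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Source DC"):
            role = "Source"
            continue
        if stripped.startswith("Destination DC"):
            role = "Destination"
            continue
        m = _ROW_RE.match(stripped)
        if role is None or not m:
            continue  # banner lines, blank lines, anything before the first table
        rows.append(ReplRow(role, m["dc"], parse_delta(m["delta"]),
                            int(m["fails"]), int(m["total"]), m["error"].strip()))
    return rows


def stale_partners(rows: List[ReplRow], max_delta_seconds: int) -> List[ReplRow]:
    """Rows worth a ticket: delta beyond the threshold (or unbounded), or any failures."""
    return [r for r in rows
            if r.delta_seconds is None
            or r.delta_seconds > max_delta_seconds
            or r.fails > 0]


if __name__ == "__main__":
    # Three hours is a constructed threshold; pick it from your site-link schedules.
    for r in stale_partners(parse_replsum(REPLSUM_EXCERPT), max_delta_seconds=3 * 3600):
        print(f"{r.role:<11} {r.dc:<14} delta={r.delta_seconds}s fails={r.fails}/{r.total}")
```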
 


RE: [ActiveDir] Username

2003-10-16 Thread Joe
You can not override the limitation in the sam name. You can have a longer
UPN, but you will have a disjoint between the two logon principals, the sam
account and the upn then.  

BTW, who wants to type that every time they log on? Have a long password,
not a long username. :op

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Wednesday, October 15, 2003 7:47 AM
To: [EMAIL PROTECTED]

Hi people,
Can anyone tell me if there is a way to expand the number of characters I
can use to create a username in W2K AD. Most people over in Serbia have long
first names and last names. I ran into a problem when creating a username
that was longer than 20 characters long. My example is as follows,
andjelka.teodosijevic W2K AD would create her username as
andjelka.teodosijevi without the c at the end. 


  


George Arezina
BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
 





RE: [ActiveDir] Lock-outs after only one attempt...

2003-10-16 Thread Joe



I have seen many security people who say that 5 is the best and they want 5,
including my internal security people. However, the purpose behind the lockout
threshold is to stop people from trying to hack an account with guesses or brute
force. If you lock out at say 25 and stay locked for an hour, that means someone
gets 600 guesses a day. Unless you have a most pathetic policy for password size
and frequency of change, that shouldn't be enough for people to crack you. If
someone feels it is enough, they need to up the required password size and
possibly the frequency of change. Also consider turning on complexity rules.

The problems with 5 or less are many. It assumes that the only authentication
attempts are direct logon attempts by a real human. This isn't the case because
even an interactive logon will in many cases cause multiple attempts with
different security providers. Also some clients like Win9x can send up to 3 bads
per single attempt. You also have the cases where you could unsuspend a machine
that has 5 or 6 network connections that it tries to reconnect and the password
has changed and wham, account locked right away as they all try to reconnect.
Finally you get viruses like MUMU that will slam local admin accounts because it
will try to guess like 10-15 or more passwords against every admin ID on a box,
thereby locking them all out if it doesn't get in.

The lower the threshold and the longer the lockout period, the more help desk
calls you get. Alternatively, if you start really raising the threshold and
lowering the period, you should be looking at what methods you have for tracking
bad attempts and do event correlation.

  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Wednesday, October 15, 2003 5:59 AM
To: [EMAIL PROTECTED]


One of these days I’ll learn how to proofread for coherency :) ... I just read
what I sent, doesn’t make much sense.

Windows 2K Domain, Majority of Clients is Windows 2K.
Attempts is set <=5 (for obvious reasons I don’t want to say the exact #).

Joe: I thought best practices were to have it set to less than 5? At least
that’s what I remember hearing from our auditors... I’ll give anything a try to
keep this from happening though, just takes it happening to your boss one time
before you have to dedicate a whole day on attempting to fix it. :)

Next time I hear it reported I’ll use EventCombMT to get more forensic data. I
know I did it once before, and was discouraged quickly by my findings.

I’ll post more when I get a call (probably later today). Thanks for all the
suggestions so far!

Thanks,

Raymond
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Tuesday, October 14, 2003 9:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...
 


They are very probably XP clients. They very likely have the "fast user switch"
option enabled on the XP, and Raymond has probably set his lockout threshold
somewhere <= 5. I wager that this is the problem, barring the obvious multiple
wrong password of course.

I know there is a Q article regarding this somewhere on support.microsoft.com.
Good luck.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

 



From: Joe
Sent: Tue 10/14/2003 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Lock-outs after only one attempt...

How low is your policy set? If it is 10 or less, reconsider. Think about what
the lockout policy is in place to avoid and what a good logical number is to use
to accomplish that goal. Are your machines all W2K+ or what are they? Do you
have logging enabled on your DC's and have you chased the event log entries to
see how the requests are coming in (i.e. very quickly or spread out or ?).

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Tuesday, October 14, 2003 7:40 PM
To: [EMAIL PROTECTED]

Hello All,

We recently implemented the Require Strong Passwords on our WIN2K and it seems
that some users get locked out after entering an incorrect password only one
time. (I assure you that I allow more than one mistake; I too am human.) This
was happening before the change, but I am seeing it more now (harder passwords =
more mistakes).

The only thing I can think of is that we have multiple remote DCs in a bridged
WAN environment, so when someone logs on, it hits a couple of them at the same
time and they all count it as an invalid try. That's my theory anyways, I'm open
for suggestions.

Thanks,
Raymond
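Joe's arithmetic in this thread (25 attempts and a one-hour lockout give an attacker 600 guesses a day) and his list of ways a low threshold locks out real users, put into code as an added example (mine, not from the thread). The three fields of LockoutPolicy are the Windows account-lockout settings (threshold, lockout duration, counter-reset window); the keyspace figure in the demo is a constructed number for scale, not a recommendation.

```python
import math
from dataclasses import dataclass
from typing import Optional

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class LockoutPolicy:
    """The three Windows account-lockout policy settings."""
    threshold: int        # "Account lockout threshold": bad attempts before lockout, 0 = never
    duration_min: int     # "Account lockout duration": minutes locked, 0 = until an admin unlocks
    reset_after_min: int  # "Reset account lockout counter after": observation window, minutes


def noisy_guesses_per_day(p: LockoutPolicy) -> float:
    """Attacker who does not mind locking the account: burn the threshold, wait out the
    lockout, repeat. 25 attempts with a 60-minute lockout is Joe's 600 guesses a day."""
    if p.threshold == 0:
        return math.inf                 # no lockout: limited only by DC throughput
    if p.duration_min == 0:
        return float(p.threshold)       # one burst, then locked until someone unlocks it
    return p.threshold * (MINUTES_PER_DAY / p.duration_min)


def stealthy_guesses_per_day(p: LockoutPolicy) -> float:
    """Attacker who never trips the lockout (no help-desk call, no lockout event):
    threshold-1 guesses per observation window, then let the counter reset."""
    if p.threshold == 0:
        return math.inf
    return (p.threshold - 1) * (MINUTES_PER_DAY / p.reset_after_min)


def mistakes_tolerated(p: LockoutPolicy, bads_per_mistake: int = 1) -> Optional[int]:
    """How many wrong passwords a human can type before lockout when one attempt is
    multiplied: a Win9x client sending up to 3 bads, or a resumed machine reconnecting
    N drive mappings with a stale password. None means the policy never locks."""
    if p.threshold == 0:
        return None
    return math.ceil(p.threshold / bads_per_mistake) - 1


def locked_by_burst(p: LockoutPolicy, attempts: int) -> bool:
    """Does a burst of bad passwords inside one window (a guessing worm hitting every
    local admin ID, as Joe describes) lock the account?"""
    return p.threshold != 0 and attempts >= p.threshold


def days_to_exhaust(password_space: float, guesses_per_day: float) -> float:
    """Attacker's worst case: trying the whole keyspace at the allowed rate."""
    return password_space / guesses_per_day if guesses_per_day else math.inf


if __name__ == "__main__":
    strict = LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30)
    relaxed = LockoutPolicy(threshold=25, duration_min=60, reset_after_min=60)
    space = 62 ** 8  # constructed: 8-character alphanumeric keyspace, for scale only
    for name, p in (("strict", strict), ("relaxed", relaxed)):
        print(f"{name}: noisy {noisy_guesses_per_day(p):.0f}/day, "
              f"stealthy {stealthy_guesses_per_day(p):.0f}/day, "
              f"{days_to_exhaust(space, noisy_guesses_per_day(p)):.2e} days to exhaust, "
              f"tolerates {mistakes_tolerated(p, 3)} mistakes from a 3-bads-per-attempt client, "
              f"locked by a 12-guess worm burst: {locked_by_burst(p, 12)}")
```

The strict policy is the one that locks a user on the first mistake once a single logon fans out into five bad attempts, while giving a patient attacker only a modest reduction in guesses compared with the relaxed one.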

RE: [ActiveDir] NTDIS Size

2003-10-16 Thread Joe



I'm not sure I am following. Are you saying that even though you are using the
same physical spindles the disk subsystem will be less busy if you split the
physical space into separate logical partitions?

  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Wednesday, October 15, 2003 2:24 AM
To: [EMAIL PROTECTED]

I agree with the fact that it won't buy you anything in terms of performance.
However, splitting up into D/E/F does reduce the chance that journal wraps might
occur. Journal wrap errors occur if a sufficient number of changes take place
while FRS is turned off or busy such that the last USN change that FRS recorded
during shutdown no longer exists in the USN journal during startup. The risk is
that changes to files and folders for FRS replicated trees (like the SysVOL or
another DFS tree being hosted) may have taken place while the service was turned
off, and no record of the change exists in the USN journal. To guard against
data inconsistency, FRS asserts into a journal wrap state.

So by placing the SysVOL on a less busy volume, the chance that journal wraps
occur is less.

Cheers!
John

  
  
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, 15 October 2003 1:12
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] NTDIS Size
  
  That should be plenty but it depends a lot on what AD Apps you will be using
  and what kind of data they will be jamming into the directory. For instance if
  you start shoving a bunch of binary blobs (like pictures) in you could eat
  space pretty quickly. For a basic authorization and Exchange environment you
  should have more than enough.

  You won't be buying anything in terms of performance by splitting up into
  D/E/F and putting files on the other logical drives. If you do it, do it for
  organizational reasons if at all. Personally I would recommend keeping them
  all together.

    joe
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
  Sent: Tuesday, October 14, 2003 5:33 AM
  To: [EMAIL PROTECTED]
  
  
  Unfortunately, Management wants us to abide by their budget for the year.
  Therefore, we have to be within budget goals when it comes to spending money
  on hardware.

  How about this hdd configuration:

  First Mirror: System Partition (18GB)

  Second Mirror: 72GB broken into D, E, F volumes.
    Database location: D:\NTDS
    Log location: E:\NTDS
    SYSVOL Location: F:\SYSVOL
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nadalin, Oliver (REA - AUS)
  Sent: Tuesday, October 14, 2003 11:15 AM
  To: '[EMAIL PROTECTED]'
   
  
  You could probably have the AD DB log files on a separate mirror - if your
  budget allows it.
  
    -Original Message-
    From: George Arezina [mailto:[EMAIL PROTECTED]
    Sent: Tuesday, 14 October 2003 7:00 PM
    To: [EMAIL PROTECTED]
    Subject: [ActiveDir] NTDIS Size
    Hi people,
    Can someone please confirm that I have given enough GB for 1500 users in my
    AD database? I plan to install two mirrored drives on my server. One Mirror
    will be the system partition (18GB) and the second mirror will be 72GB where
    my ntds.dit database will be located.
    Thanks

    George Arezina
    BA, A+, Net+, MCSE 2000
    Information Technology Consultant
    National Bank of Serbia
    Pop Lukina 7-9, 11000 Belgrade.
    E-mail: [EMAIL PROTECTED]
    Phone: +381 (11) 3202-474
    GSM: +381 (63) 342-321
 
 
  This e-mail is for the use of the intended recipient(s) only. If you have
  received this e-mail in error, please notify the sender immediately and then
  delete it. If you are not the intended recipient, you must not use, disclose
  or distribute this e-mail without the author's permission. We have taken
  precautions to minimise the risk of transmitting software viruses, but we
  advise you to carry out your own virus checks on any attachment to this
  e-mail. We cannot accept liability for any loss or damage caused by software
  viruses.

RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Creamer, Mark

The app in question (and there’s one
more doing the same thing) is supposed to validate a user’s logon. That’s
basically the only thing the LDAP functionality is used for. But the user could
be in either of two peer subdomains of an empty root. (If you’re
interested specifically, the 2 apps are Kintana, which is a web-based change
management tool, and Pixion, which is a web-based collaboration tool.)

 



 



-Original Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003
4:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP in
Multi-domain environments

 



Depends on what you're searching for in the app. What's the app and what's it searching for?

Remember GCs are going to hold some of the information these apps are looking for.

Al

-Original
Message-
From: Creamer, Mark
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003
4:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP in
Multi-domain environments

We have some apps that make LDAP
queries to allow a user to log in. Picture an "empty" root with two
sub-domains. If the app is to be used only in a single sub-domain, i.e.
dc=domain1,dc=company,dc=com, it works fine. If it needs to cross over to the
other domain we have, though, i.e. dc=domain2,dc=company,dc=com, we're out of
luck. We can't make the root dc=company,dc=com LDAP query search BOTH
sub-domains for the user. Is this a limitation of LDAP, or of the apps that are
trying to use it? I suspect it's the apps, but maybe there's a global
(middleware?) fix someone can suggest?

 

If any of you are using an app
called Kintana and have conquered this problem, I'd especially like to hear
from you.

 

Thanks!

 

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com

Honesty and Integrity in Everything We Do


RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Fuller, Stuart



Mark,

I had a similar situation with the LDAP implementation in the PeopleSoft v8 Portal.

Solved it by configuring the PeopleSoft LDAP request to point at the Global Catalog port (3268) instead of the normal LDAP port (389). Also configured the LDAP target server to be the PDC FSMO role holder in the forest root domain.

As I understand it, an LDAP search to the AD LDAP port will only return the objects for the domain of the DC and not the forest. Since the Global Catalog literally knows about every object in the forest, an LDAP search on the GC will return any object even across domains.

The one caveat is that with the GC, you only get a subset of attributes for the object and not the full list. See MS articles 256938 and 229662 for information about what attributes are included in the GC and how to add to that list.

-Stuart Fuller
State of Montana
 
 


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP in Multi-domain environments


We have some apps that make LDAP 
queries to allow a user to log in. Picture an "empty" root with two sub-domains. 
If the app is to be used only in a single sub-domain, i.e. 
dc=domain1,dc=company,dc=com, it works fine. If it needs to cross over to the 
other domain we have, though, i.e. dc=domain2,dc=company,dc=com, we're out of 
luck. We can't make the root dc=company,dc=com LDAP query search BOTH 
sub-domains for the user. Is this a limitation of LDAP, or of the apps that are 
trying to use it? I suspect it's the apps, but maybe there's a global 
(middleware?) fix someone can suggest?
 
If any of you are using an app 
called Kintana and have conquered this problem, I'd especially like to hear from 
you.
 
Thanks!
 
Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do
 


RE: [ActiveDir] Unorthodox NT4 -> W2k3 Migration Plan???

2003-10-16 Thread Wright, T. MR NSSB
Eric, 
Have you looked at ADMT? We are using it for our NT4 to Win2k
AD migration and although our NetBIOS names are not the same as in your
case, ADMT uses the NetBIOS name of our NT4 domain as the "Source" and
the FQDN of our AD domain as the Destination.  It may not offer some of
the bells and whistles that the 3rd party products offer, but you can't
beat the price;-)

-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unorthodox NT4 -> W2k3 Migration Plan???





Hello everyone,  I'm looking for some peer feedback on part of a migration plan.

We are currently an NT4 environment.  We've decided to go with W2k3 & AD for our migration.  We're doing a parallel migration into a W2k3 Native functional level forest.  This was specifically to give us easier roll-back capability and to allow us to leave *most* of the "junk" behind.  The unorthodox parts of the migration are as follows:

The AD forest will have an empty PFR (protected forest root) domain, and all users and various other objects will go into a child domain.  The FQDN of the child domain will be logically named based on our infrastructure standards, but the *netbios* name of the child domain will be the same as our NT4 domain.  No I'm not crazy...and it is possible.  The DCs of the AD forest will each sit on a separate VLAN than the servers in the NT4 domain.  This setup keeps netbios broadcast traffic separate.  This also keeps the domains from seeing their respective twin.  Correspondingly they aren't answering each other's requests for service.  Also since the DCs are on separate VLANs from the NT4 domain, they are also on different subnets.  Although the setup will be well documented, if someone were to *accidentally* plug one of the AD DCs into the wrong port, it wouldn't matter since the DC wouldn't be able to communicate with its IP on the wrong subnet.

The reason the NetBIOS names are being kept the same is for ease of migration, specifically application migration.  We have about 500 servers and have a very large number of server-based applications running.  As with many environments, we're sure that there are applications that have the domain name hardcoded or manually entered and thus not easily changed.  This migration method would seem to allow us to get the best of all worlds.

The caveats that I've encountered thus far actually exist with 3rd party migration applications.  Migration applications tend to see the migration as being from Domain A to Domain A even when specifying particular domain controllers.  If the respective migration tool would either ignore NetBIOS names or only use DNS names, there would be no issue.

Has anyone else tried this before? Is this actually a common path?

Any constructive feedback would be appreciated.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Gil Kirkpatrick

Do you know if the app has referral-chasing turned on in the LDAP search? If it does, it should be able to start at the root and search down the tree that way.

In any case, why not just point the app to the GC; that's what it's there for. Be sure to set the port properly (3268).

-gil

Gil Kirkpatrick
CTO, NetPro

  
  -Original Message-
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 1:18 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP in Multi-domain environments
  
  We have some apps that make LDAP 
  queries to allow a user to log in. Picture an "empty" root with two 
  sub-domains. If the app is to be used only in a single sub-domain, i.e. 
  dc=domain1,dc=company,dc=com, it works fine. If it needs to cross over to the 
  other domain we have, though, i.e. dc=domain2,dc=company,dc=com, we're out of 
  luck. We can't make the root dc=company,dc=com LDAP query search BOTH 
  sub-domains for the user. Is this a limitation of LDAP, or of the apps that 
  are trying to use it? I suspect it's the apps, but maybe there's a global 
  (middleware?) fix someone can suggest?
   
  If any of you are using an app 
  called Kintana and have conquered this problem, I'd especially like to hear 
  from you.
   
  Thanks!
   
  Mark Creamer
  Systems Engineer
  Cintas Corporation
  http://www.cintas.com
  Honesty and Integrity in Everything We Do
   


RE: [ActiveDir] Unorthodox NT4 -> W2k3 Migration Plan???

2003-10-16 Thread Mulnick, Al
Why not use the native tools then?  ADMTv2 is pretty good. 

As for the same netbios names.  Yuck.  Hopefully the clients will be using
new WINS servers then?  :)

As for the apps, I think you're skirting the issue to deal with it another
day.  I also think some of those apps are likely to fail miserably when they
hit 2K3's security changes.  You'll know soon I suspect.


Al



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unorthodox NT4 -> W2k3 Migration Plan???






Hello everyone,  I'm looking for some peer feedback on part of a migration
plan.

We are currently an NT4 environment.  We've decided to go with W2k3 & AD for
our migration.  We're doing a parallel migration into a W2k3 Native
functional level forest.  This was specifically to give us easier roll-back
capability and to allow us to leave *most* of the "junk" behind.  The
unorthodox parts of the migration are as follows:

The AD forest will have an empty PFR (protected forest root) domain, and all
users and various other objects will go into a child domain.  The FQDN
of the child domain will be logically named based on our infrastructure
standards, but the *netbios* name of the child domain will be the same as
our NT4 domain.  No I'm not crazy...and it is possible.  The DCs of the AD
forest will each sit on a separate VLAN than the servers in the NT4 domain.
This setup keeps netbios broadcast traffic separate.  This also keeps the
domains from seeing their respective twin.  Correspondingly they aren't
answering each other's requests for service.  Also since the DCs are on
separate VLANs from the NT4 domain, they are also on different subnets.
Although the setup will be well documented, if someone were to
*accidentally* plug one of the AD DCs into the wrong port, it wouldn't
matter since the DC wouldn't be able to communicate with its IP on the wrong
subnet.

The reason the NetBIOS names are being kept the same is for ease of
migration, specifically application migration.  We have about 500 servers
and have a very large number of server-based applications running.  As with
many environments, we're sure that there are applications that have the
domain name hardcoded or manually entered and thus not easily changed. This
migration method would seem to allow us to get the best of all worlds.

The caveats that I've encountered thus far actually exist with 3rd party
migration applications.  Migration applications tend to see the migration as
being from Domain A to Domain A even when specifying particular domain
controllers.  If the respective migration tool would either ignore NetBIOS
names or only use DNS names, there would be no issue.

Has anyone else tried this before? Is this actually a common path?

Any constructive feedback would be appreciated.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Mulnick, Al

Depends on what you're searching for in the app. What's the app and what's it searching for?

Remember GCs are going to hold some of the information these apps are looking for.


Al

  
  -Original Message-
  From: Creamer, Mark [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 4:18 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP in Multi-domain environments
  
  We have some apps that make LDAP 
  queries to allow a user to log in. Picture an "empty" root with two 
  sub-domains. If the app is to be used only in a single sub-domain, i.e. 
  dc=domain1,dc=company,dc=com, it works fine. If it needs to cross over to the 
  other domain we have, though, i.e. dc=domain2,dc=company,dc=com, we're out of 
  luck. We can't make the root dc=company,dc=com LDAP query search BOTH 
  sub-domains for the user. Is this a limitation of LDAP, or of the apps that 
  are trying to use it? I suspect it's the apps, but maybe there's a global 
  (middleware?) fix someone can suggest?
   
  If any of you are using an app 
  called Kintana and have conquered this problem, I'd especially like to hear 
  from you.
   
  Thanks!
   
  Mark Creamer
  Systems Engineer
  Cintas Corporation
  http://www.cintas.com
  Honesty and Integrity in Everything We Do
   


RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Mulnick, Al

Let me play this back to see if I have it straight:

One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain

Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you only consider it installed in this domain)
Domain B = Exchange 5.5 installed

Is that right so far?

How many ADC's do you have?  I assume just the one from Exchange 2000 media rev'd to SP3 or later with the standard CA's plus the recipients and public folders.

When you create a user in domain A, it's (presumably) an Exchange 2000 mail-enabled user object.  Correct?  The ADC CA picks this up from Domain A where it originated as new, and replicates the data to the Exchange 5.5 directory.  At the point of creation and RUS processing, the mail-enabled user object has a legacyExchangeDN ending in \Recipients.  If you stopped the CA prior to creating the user-object, this would still be the case because Exchange 2000 has no concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created assuming that the Recipients container is the only one.  Now turn the ADC CA back on to replicate.  The replication starts, picks up the new mail-enabled user object, realizes there is no corresponding object, checks its rules regarding this situation (advanced tab as I recall) and creates the 5.5 directory entry in the container that follows those rules.  Often, these rules will be set to follow legacyExchangeDN so you don't get a bazillion containers to mimic the OU structure in Active Directory.  Yours probably is set that way.  It doesn't end there.  Now on the next replication cycle, the ADC CA realizes that 5.5 has a new object and replicates it back to the Active Directory.  Anything that was changed on the 5.5 side is now replicated to Active Directory and the CA is now done with that object.

If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is, by nature, whatever the relative path is for the object in the directory.  So if you have an object that is in a different container called "new" then your legacyExchangeDN would end in \new.  Right?  So when the ADC CA wakes up, it realizes it has a new 5.5 object, replicates it to the target OU in Active Directory and then replicates the information back to the 5.5 directory.  As far as 5.5 users are concerned, it is in the "correct container".

What you described is expected behavior.  What you seem to want to do is modify that behavior so that if you create a user in a particular OU in Active Directory, the ADC knows to put in a particular CN in 5.5. Unfortunately, you'll have to get somewhat complex with CA's (which I don't recommend), else change your process to accommodate (e.g. create the account on 5.5 in the container you want it in, and then move it to the appropriate 2000 server).  You could also educate your users on the finer points of GAL usage to get them to understand how to find a user, but that may not be an option (I am being totally serious about that even if email makes it sound sarcastic). You could also use address book views or even GAL views to mimic this behavior, but I think that's lipstick on a pig in this situation.

If I've misunderstood, please correct me as I'd hate to think I didn't understand this stuff.  ;-)

Al

  
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 2:47 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

  Al, test-bed scenario:  empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC installed, child domain B w/1 dc/gc E55 ADC installed.  Created the new user in domain A and tests showed that the GAL in domain B was not showing the new user in the proper container.  Found the legacyExchangeDN to be mis-represented.  Created new user in domain B and it displayed correctly.

  R/Bill

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 2:30 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

  When you created the mailbox, it was on a 5.5 server or a 2000 server?

  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 1:57 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

  Nice reply Al - however I do not believe that the legacyExchangeDN of the first administrative group has anything to do with the legacyExchangeDN of a newly created user in AD.  Well, maybe I am missing something here.  I do not intend on "mucking about" with the attributes for anything other than the users that need correction.  Additionally, I question the fact about the ADC being the mechanism involved with the setting.  The reason I state that is because I created a new u

[ActiveDir] LDAP in Multi-domain environments

2003-10-16 Thread Creamer, Mark








We have some apps that make LDAP queries to allow a user to
log in. Picture an “empty” root with two sub-domains. If the app is
to be used only in a single sub-domain, i.e. dc=domain1,dc=company,dc=com, it
works fine. If it needs to cross over to the other domain we have, though, i.e.
dc=domain2,dc=company,dc=com, we’re out of luck. We can’t make the
root dc=company,dc=com LDAP query search BOTH sub-domains for the user. Is this
a limitation of LDAP, or of the apps that are trying to use it? I suspect it’s
the apps, but maybe there’s a global (middleware?) fix someone can
suggest?

 

If any of you are using an app called Kintana and have
conquered this problem, I’d especially like to hear from you.

 

Thanks!

 

Mark Creamer 
Systems Engineer 
Cintas Corporation 
http://www.cintas.com

Honesty
and Integrity in Everything We Do 

 








[ActiveDir] Unorthodox NT4 -> W2k3 Migration Plan???

2003-10-16 Thread Eric_Jones




Hello everyone,  I'm looking for some peer feedback on part of a migration
plan.

We are currently an NT4 environment.  We've decided to go with W2k3 & AD
for our migration.  We're doing a parallel migration into a W2k3 Native
functional level forest.  This was specifically to give us easier roll-back
capability and to allow us to leave *most* of the "junk" behind.  The
unorthodox parts of the migration are as follows:

The AD forest will have an empty PFR (protected forest root) domain, and
all users and various other objects will go into a child domain.  The
FQDN of the child domain will be logically named based on our
infrastructure standards, but the *netbios* name of the child domain will
be the same as our NT4 domain.  No I'm not crazy...and it is possible.  The
DCs of the AD forest will each sit on a separate VLAN than the servers in
the NT4 domain.  This setup keeps netbios broadcast traffic separate.  This
also keeps the domains from seeing their respective twin.  Correspondingly
they aren't answering each other's requests for service.  Also since the
DCs are on separate VLANs from the NT4 domain, they are also on different
subnets.  Although the setup will be well documented, if someone were to
*accidentally* plug one of the AD DCs into the wrong port, it wouldn't
matter since the DC wouldn't be able to communicate with its IP on the
wrong subnet.

The reason the NetBIOS names are being kept the same is for ease of
migration, specifically application migration.  We have about 500 servers
and have a very large number of server-based applications running.  As with
many environments, we're sure that there are applications that have the
domain name hardcoded or manually entered and thus not easily changed.
This migration method would seem to allow us to get the best of all worlds.

The caveats that I've encountered thus far actually exist with 3rd party
migration applications.  Migration applications tend to see the migration
as being from Domain A to Domain A even when specifying particular domain
controllers.  If the respective migration tool would either ignore NetBIOS
names or only use DNS names, there would be no issue.

Has anyone else tried this before? Is this actually a common path?

Any constructive feedback would be appreciated.



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Spyware/Adware

2003-10-16 Thread Free, Bob
We have been looking into client solutions and that will probably take a
while; since we already use Websense, we got the Premium Group III to
block MMC at the edge.
http://www.websense.com/products/premiumgroups/#pgiii


-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 10:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Spyware/Adware

I was wondering what programs everyone was using to combat
spyware/adware. I noticed that Ad-Aware now has a professional version
out (http://www.lavasoftusa.com/software/adawareprofessional/) and I was
wondering if anyone has been using this, and how you like it?


Thanks
Chris Hummert


Network Administrator - Albany Agency of Insurance Webmaster for
Noghri.net http://www.noghri.net MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere
in the universe is that none of it has tried to contact us."

- from Calvin and Hobbes
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Brown, Bill [contractor]

Al, test-bed scenario: empty root w/1 dc/gc, child domain A w/1 dc/gc E2K ADC installed, child domain B w/1 dc/gc E55 ADC installed.  Created the new user in domain A and tests showed that the GAL in domain B was not showing the new user in the proper container.  Found the legacyExchangeDN to be mis-represented.  Created new user in domain B and it displayed correctly.

 

R/Bill

 

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

 

When you created the mailbox, it was on a 5.5 server or a 2000 server?

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Nice reply Al - however I do not believe that the legacyExchangeDN of the first administrative group has anything to do with the legacyExchangeDN of a newly created user in AD.  Well, maybe I am missing something here.  I do not intend on "mucking about" with the attributes for anything other than the users that need correction.  Additionally, I question the fact about the ADC being the mechanism involved with the setting.  The reason I state that is because I created a new user in AD in the domain that handles the E55 server and then a mailbox for the user.  Guess what?  ADSI Edit shows the legacyExchangeDN attribute correctly for that user and that information was populated via the ADC.  Finally, I believe that there can be a delivery issue involved when the user legacyExchangeDN does not match up with what E55 "sees" in the DS attribute OBJ-DIST-NAME...

 

R/Bill

 

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

 

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description of how to do this.  However, I should
caution you that mucking about with the legacyExchangeDN attribute is not a
good idea.  Getting your users to live with it now is a better
approach.  They will be living with it going forward since Exchange GAL in
Exchange 200x doesn't care about containers.  You could also create ABV's
to mimic this, but again, I don't recommend spending much time on the legacy
system. 

 

At some point, you're going to have to work with these users to make the change.  If they cannot make that change, there might be a reason to use the GAL views in Exchange 200x and it's best to know that early.

Finally, keep in mind that the ADC is the mechanism involved in this setting.  To move them between 5.5 containers is not as simple as changing the legacyExchangeDN since 5.x didn't understand or allow movement between containers; it requires the Microsoft shuffle (copy, delete, create) on the 5.5 side + replication times.  In other words, there's a lot of moving parts to make this scenario work.

 

Luck! :)

 

Al

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Al,

 

The immediate thing that comes to mind is that in our mixed mode environment [that we will have to live with for a while yet...] is that in the E55 sites the GAL lists these folks as being in the Recipients container (ou) where they are really in a different departmental container (ou).  Believe it or not - we have users that insist on going to a container listing in the GAL and picking their send to addresses!  Short of that - I am sure there are other issues.  Lastly, if MS put the attribute into AD - I think the attribute should represent the user exactly and this is not the case.

 

R/Bill

 

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

 

Plenty, but I have a question first.  Why are you wanting to change it?  What benefit is there if you change it?

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 10:01 AM
To: ActiveDirList
Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN

To All,

When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what ou the user was created under.  Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back.  Does anyone have any thoughts on this???

R/Bill








RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Mulnick, Al

When 
you created the mailbox, it was on a 5.5 server or a 2000 server?  


  
  -Original Message-From: Brown, Bill 
  [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, 
  October 16, 2003 1:57 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] OT? - LEGACY 
  EXCHANGE DN
  
  Nice 
  reply Al - however I do not believe that the legacyExchangeDN of the first 
  administrative group has anything to do with the legacyExchangeDN of a newly 
  created user in AD.  Well, maybe I 
  am missing something here.  I do 
  not intend on "mucking about" with the attributes for anything other than the 
  users that need correction.  
  Additionally, I question the fact about the ADC being the mechanism 
  involved with the setting.  The 
  reason I state that is because I created a new user in AD in the domain that 
  handles the E55 server and then a mailbox for the user.  Guess what?  ADSI Edit shows the legacyExchangeDN 
  attribute correctly for that user and that information was populated via the 
  ADC.  Finally, I believe that 
  there can be a delivery issue involved when the user legacyExchangeDN does not 
  match up with what E55 "sees" in the DS attribute 
  OBJ-DIST-NAME...
   
  R/Bill
   
  -Original 
  Message-From: Mulnick, 
  Al [mailto:[EMAIL PROTECTED]Sent: Thursday, October 16, 2003 1:32 
  PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] OT? - LEGACY 
  EXCHANGE DN
   
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the 
  description of how to do this.  However, I should caution you that 
  mucking about with the legacyExchangeDN attribute is not a good idea.  
  Getting your users to live with it now is a better approach.  They will 
  be living with it going forward since Exchange GAL in Exchange 200x doesn't 
  care about containers.  You could also create ABV's to mimic this, but 
  again, I don't recommend spending much time on the legacy system. 
  
   
  At some 
  point, you're going to have to work with these users to make the change.  
  If they cannot make that change, there might be a reason to use the GAL views 
  in Exchange 200x and it's best to know that early.  
   
  Finally, 
  keep in mind that the ADC is the mechanism involved in this 
  setting.  To move them between 5.5 containers is not as simple as 
  changing the legacyExchangeDN since 5.x didn't understand or allow movement 
  between containers; it requires the Microsoft shuffle (copy, delete, create) 
  on the 5.5 side + replication times.  In other words, there's a lot of 
  moving parts to make this scenario work.
   
  Luck! 
  :)
   
  Al
  -Original 
  Message-From: Brown, 
  Bill [contractor] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 16, 2003 12:16 
  PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] OT? - LEGACY 
  EXCHANGE DN
  Al,
   
  The 
  immediate thing that comes to mind is that in our mixed mode environment [that 
  we will have to live with for a while yet...] is that in the E55 sites the GAL 
  lists these folks as being in the Recipients container (ou) where they are 
  really in a different departmental container (ou).  Believe it or not - we have users that 
  insist on going to a container listing in the GAL and picking their send to 
  addresses!  Short of that - I am 
  sure there are other issues.  
  Lastly, if MS put the attribute into AD - I think the attribute should 
  represent the user exactly and this is not the 
  case.
   
  R/Bill
   
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 10:59 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN
   
  Plenty, 
  but I have a question first.  Why are you wanting to change it?  
  What benefit is there if you change it?
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 10:01 AM
  To: ActiveDirList
  Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN
  To 
  All,
  When I create a user 
  in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter 
  what ou the user was created under.  Using ADSI Edit to change the value 
  to reflect the correct setting fails as the value is immediately 
  changed back.  Does anyone have any thoughts on 
  this???
  R/Bill


Re: [ActiveDir] ODBC query of Active DIrectory

2003-10-16 Thread stefano tufillaro
You can export/import data in AD through a database connection.
You can use the OLE DB provider.
If you use Visual Basic 6.0 you can set the ADO object to this connection
string:

adodc1.ConnectionString = _
    "Provider=ADsDSOObject;Encrypt Password=False;Integrated Security=SSPI;" & _
    "Location=< the server name Ex: a domain controller >;" & _
    "Mode=Read;Bind Flags=0;ADSI Flag=-2147483648"

you can interrogate the AD in the RecordSource property, Ex:

' <LDAP://...> is the search base (DN form assumed here; see the PS below)
adodc1.RecordSource = _
    "<LDAP://DC=Microsoft,DC=com>;(objectClass=*);AdsPath,cn;subTree"

you can export the data in a datagrid or other visual object (Excel
worksheet) to have what you need.

Bye

PS:
It's better to substitute Microsoft with another AD domain

From: "Narkinsky, Brian" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [ActiveDir] ODBC query of Active DIrectory
Date: Thu, 16 Oct 2003 10:25:31 -0400

Is it possible to set up an ODBC to Active Directory?  I wish to do some
reporting using Access and apart from dumping and importing flat files  I
haven't found a way to do it.


Brian



Brian Narkinsky

System Manager

Department of Environmental Protection

MS 6520

2600 Blairstone RD

Tallahassee, FL 32399

phone (850)245-8314

fax (850)412-0400




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
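
The same OLE DB provider driven from PowerShell instead of VB6, added here as a worked example; it is not part of stefano's reply or of the thread. It assumes a domain whose naming context is DC=example,DC=com and a caller already logged on to that domain (Integrated Security, so no credentials live in the script). The ADsDSOObject provider is read-only, which is what Mode=Read above reflects, so this serves the reporting Brian asked about but not import.

```powershell
# Added example (not from the thread): report on AD users through the ADSI
# OLE DB provider (ADsDSOObject), the same provider the VB6 snippet uses.
# Assumptions: DC=example,DC=com is a placeholder for your own domain DN and
# the caller is logged on to that domain.

function Get-AdUserReport {
    param(
        [string]$BaseDn   = 'DC=example,DC=com',   # assumed search base
        [int]   $PageSize = 1000                   # page through the DC's 1000-row limit
    )

    $conn = New-Object -ComObject ADODB.Connection
    $conn.Provider = 'ADsDSOObject'
    $conn.Open('Active Directory Provider')        # SSPI: current logon, no password in script

    $cmd = New-Object -ComObject ADODB.Command
    $cmd.ActiveConnection = $conn
    # Without paging the server stops at MaxPageSize (1000) and silently truncates.
    $cmd.Properties.Item('Page Size').Value = $PageSize

    # SQL dialect. The LDAP-dialect form of the same query is
    # "<LDAP://DC=example,DC=com>;(&(objectCategory=person)(objectClass=user));distinguishedName,sAMAccountName,userAccountControl;subtree"
    $cmd.CommandText = "SELECT distinguishedName, sAMAccountName, userAccountControl " +
                       "FROM 'LDAP://$BaseDn' " +
                       "WHERE objectCategory='person' AND objectClass='user'"

    $rs = $cmd.Execute()
    try {
        while (-not $rs.EOF) {
            $uac = [int]$rs.Fields.Item('userAccountControl').Value
            [pscustomobject]@{
                SamAccountName    = $rs.Fields.Item('sAMAccountName').Value
                DistinguishedName = $rs.Fields.Item('distinguishedName').Value
                Disabled          = [bool]($uac -band 0x0002)    # ADS_UF_ACCOUNTDISABLE
                PasswordNotReqd   = [bool]($uac -band 0x0020)    # ADS_UF_PASSWD_NOTREQD
                PasswordNeverExp  = [bool]($uac -band 0x10000)   # ADS_UF_DONT_EXPIRE_PASSWD
            }
            $rs.MoveNext()
        }
    }
    finally {
        $rs.Close()
        $conn.Close()
    }
}

# Usage: the objects pipe straight into an Access-friendly CSV.
Get-AdUserReport | Export-Csv -NoTypeInformation -Path .\ad-users.csv
```

Decoding userAccountControl bits in the query is the part worth keeping for a security report: accounts with PASSWD_NOTREQD or DONT_EXPIRE_PASSWD set are the ones that sidestep the domain password policy, and they are invisible in a plain attribute dump.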


RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Brown, Bill [contractor]
Nice reply Al – however I do not believe that the legacyExchangeDN of the first
administrative group has anything to do with the legacyExchangeDN of a newly
created user in AD.  Well, maybe I am missing something here.  I do not intend
on “mucking about” with the attributes for anything other than the users that
need correction.  Additionally, I question the fact about the ADC being the
mechanism involved with the setting.  The reason I state that is because I
created a new user in AD in the domain that handles the E55 server and then a
mailbox for the user.  Guess what?  ADSI Edit shows the legacyExchangeDN
attribute correctly for that user and that information was populated via the
ADC.  Finally, I believe that there can be a delivery issue involved when the
user legacyExchangeDN does not match up with what E55 “sees” in the DS
attribute OBJ-DIST-NAME…

 

R/Bill

 

-Original
Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003
1:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? -
LEGACY EXCHANGE DN

 

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description of how to do this.  However, I should
caution you that mucking about with the legacyExchangeDN attribute is not a
good idea.  Getting your users to live with it now is a better
approach.  They will be living with it going forward since Exchange GAL in
Exchange 200x doesn't care about containers.  You could also create ABV's
to mimic this, but again, I don't recommend spending much time on the legacy
system. 

 

At some point, you're
going to have to work with these users to make the change.  If they cannot
make that change, there might be a reason to use the GAL views in Exchange 200x
and it's best to know that early.  

 

Finally, keep in mind
that the ADC is the mechanism involved in this setting.  To move
them between 5.5 containers is not as simple as changing the legacyExchangeDN
since 5.x didn't understand or allow movement between containers; it requires
the Microsoft shuffle (copy, delete, create) on the 5.5 side + replication
times.  In other words, there's a lot of moving parts to make
this scenario work.

 

Luck! :)

 

Al

-Original Message-
From: Brown, Bill [contractor]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003
12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? -
LEGACY EXCHANGE DN

Al,

 

The immediate thing that comes to mind is that in our
mixed mode environment [that we will have to live with for a while yet...] is
that in the E55 sites the GAL lists these folks as being in the Recipients
container (ou) where they are really in a different departmental container
(ou).  Believe it or not - we have
users that insist on going to a container listing in the GAL and picking their
send to addresses!  Short of that -
I am sure there are other issues. 
Lastly, if MS put the attribute into AD - I think the attribute should
represent the user exactly and this is not the case.

 

R/Bill

 

-Original
Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003
10:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? -
LEGACY EXCHANGE DN

 

Plenty,
but I have a question first.  Why are you wanting to change it?  What
benefit is there if you change it?

-Original Message-
From: Brown, Bill [contractor]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003
10:01 AM
To: ActiveDirList
Subject: [ActiveDir] OT? - LEGACY
EXCHANGE DN

To
All,

When I create a user in
AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what
ou the user was created under.  Using ADSI Edit to change the value to
reflect the correct setting fails as the value is immediately
changed back.  Does anyone have any thoughts on this???

R/Bill


Re: [ActiveDir] OT: Spyware/Adware

2003-10-16 Thread Rick Reynolds
http://security.kolla.de

Freeware, works great. over 10,000 items tracking to date, with some
immunization to prevent ie hijacking etc.

- Original Message - 
From: "Christopher Hummert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 10:05 AM
Subject: [ActiveDir] OT: Spyware/Adware


> I was wondering what programs everyone was using to combat
> spyware/adware. I noticed that Ad-Aware now has a professional version
> out (http://www.lavasoftusa.com/software/adawareprofessional/) and I was
> wondering if anyone has been using this, and how you like it?
>
>
> Thanks
> Chris Hummert
>
> 
> Network Administrator - Albany Agency of Insurance
> Webmaster for Noghri.net
> http://www.noghri.net
> MS Beta tester ID #: 388366
>
> "Sometimes I think the surest sign that intelligent life exists elsewhere
> in the universe is that none of it has tried to contact us."
>
> - from Calvin and Hobbes
> 
>



RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Mulnick, Al
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273863 is the description 
of how to do this.  However, I should caution you that mucking about with 
the legacyExchangeDN attribute is not a good idea.  Getting your users to 
live with it now is a better approach.  They will be living with it going 
forward since Exchange GAL in Exchange 200x doesn't care about containers.  
You could also create ABV's to mimic this, but again, I don't recommend spending 
much time on the legacy system. 
 
At some point, you're going to have to work with these 
users to make the change.  If they cannot make that change, there might be 
a reason to use the GAL views in Exchange 200x and it's best to know that 
early.  
 
Finally, keep in mind that the ADC is the 
mechanism involved in this setting.  To move them between 5.5 
containers is not as simple as changing the legacyExchangeDN since 5.x didn't 
understand or allow movement between containers; it requires the Microsoft 
shuffle (copy, delete, create) on the 5.5 side + replication times.  In 
other words, there's a lot of moving parts to make this scenario 
work.
 
Luck! :)
 
Al

  
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 12:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN
  
  Al,
   
  The 
  immediate thing that comes to mind is that in our mixed mode environment [that 
  we will have to live with for a while yet...] is that in the E55 sites the GAL 
  lists these folks as being in the Recipients container (ou) where they are 
  really in a different departmental container (ou).  Believe it or not - we have users that 
  insist on going to a container listing in the GAL and picking their send to 
  addresses!  Short of that - I am 
  sure there are other issues.  
  Lastly, if MS put the attribute into AD - I think the attribute should 
  represent the user exactly and this is not the 
  case.
   
  R/Bill
   
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 10:59 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN
   
  Plenty, 
  but I have a question first.  Why are you wanting to change it?  
  What benefit is there if you change it?
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 10:01 AM
  To: ActiveDirList
  Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN
  To 
  All,
  When I create a user 
  in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter 
  what ou the user was created under.  Using ADSI Edit to change the value 
  to reflect the correct setting fails as the value is immediately 
  changed back.  Does anyone have any thoughts on 
  this???
  R/Bill


RE: [ActiveDir] OT: Spyware/Adware

2003-10-16 Thread England, Christopher M
We at Indiana University have licenses to AdAware Pro and Spybot. I have not
used them much, but they do find a lot of stuff - a LOT. Also, Ad-Aware has
Ad-Watch which allows it to sit in the tray and watch things (kind of gets
annoying sometimes with popups but is still neat). I would recommend AdAware
at least (just to have a copy for computers that have issues) and then Spybot
as a backup.

Just my two cents,
Chris

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 12:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Spyware/Adware

I was wondering what programs everyone was using to combat spyware/adware. I
noticed that Ad-Aware now has a professional version out
(http://www.lavasoftusa.com/software/adawareprofessional/) and I was wondering
if anyone has been using this, and how you like it?


Thanks
Chris Hummert


Network Administrator - Albany Agency of Insurance Webmaster for Noghri.net
http://www.noghri.net MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere in
the universe is that none of it has tried to contact us."

- from Calvin and Hobbes







[ActiveDir] OT: Spyware/Adware

2003-10-16 Thread Christopher Hummert
I was wondering what programs everyone was using to combat
spyware/adware. I noticed that Ad-Aware now has a professional version
out (http://www.lavasoftusa.com/software/adawareprofessional/) and I was
wondering if anyone has been using this, and how you like it?


Thanks
Chris Hummert


Network Administrator - Albany Agency of Insurance
Webmaster for Noghri.net
http://www.noghri.net 
MS Beta tester ID #: 388366

"Sometimes I think the surest sign that intelligent life exists elsewhere
in the universe is that none of it has tried to contact us."

- from Calvin and Hobbes
 



RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Brown, Bill [contractor]
Al,

 

The immediate thing that comes to mind is that in our mixed mode environment
[that we will have to live with for a while yet…] is that in the E55 sites the
GAL lists these folks as being in the Recipients container (ou) where they are
really in a different departmental container (ou).  Believe it or not – we have
users that insist on going to a container listing in the GAL and picking their
send to addresses!  Short of that – I am sure there are other issues.  Lastly,
if MS put the attribute into AD – I think the attribute should represent the
user exactly and this is not the case.

 

R/Bill

 

-Original
Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003
10:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? -
LEGACY EXCHANGE DN

 

Plenty, but I have a
question first.  Why are you wanting to change it?  What benefit is
there if you change it?

-Original Message-
From: Brown, Bill [contractor]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003
10:01 AM
To: ActiveDirList
Subject: [ActiveDir] OT? - LEGACY
EXCHANGE DN

To
All,

When I create a user in
AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what
ou the user was created under.  Using ADSI Edit to change the value to
reflect the correct setting fails as the value is immediately
changed back.  Does anyone have any thoughts on this???

R/Bill


[ActiveDir] DHCP/Netsh

2003-10-16 Thread Jerry Johnson
Everyone,

 

Has anyone ever used Netsh to move DHCP to another server?

In Mark Minasi’s book he talks about using it to add another DHCP server to
your network by dumping the configuration with Netsh on one machine and
Exec'ing it on another machine.

He did not go into much detail, but I did not think you could have identically
configured DHCP servers on a network.

 

Thanks

Jerry

 

Scicom Data Services

Minnetonka,Mn


RE: [ActiveDir] Intrasite Replication Schedule

2003-10-16 Thread Gil Kirkpatrick
Just to be clear, the 5 minute/15 second value is the amount of time a DC
will delay after an originating change before notifying its replication
partners. It's not a replication schedule per se. The idea is that changes
happen in clumps over time, and that it's better to replicate a bunch of
changes together in one cycle, which saves processing overhead doing mutual
authentication and such.

I would say that if your CPU loads are low and update rates aren't
unreasonable, there would be no problem reducing the delay.

-g

Gil Kirkpatrick
CTO, NetPro


-Original Message-
From: FDiskThePC [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 15, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Intrasite Replication Schedule


As most of you know, the default intrasite replication
schedule in Windows 2000 is 5 minutes yet 15 seconds
in Windows Server 2003.  Has anyone changed the
setting in a Windows 2000 domain (Q214678) to match
the settings that are now the default in Windows
Server 2003?

The five minute replication is frustrating, because it
can actually be up to 15 minutes with lots of DC's in
a site.  Any advice would be appreciated.  Thanks.

-Rick Dayton

__
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
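
The knob Gil and Rick are discussing is a per-DC registry value, and Q214678 names two of them: the pause after an originating write and the stagger between successive partner notifications. The PowerShell below is an added example, not from the thread or the KB article; it assumes you run it on the DC itself with administrative rights, and the "2000 default / 2003 default" figures in the comments are the ones quoted in this thread plus the between-DSAs values from the article.

```powershell
# Added example (not from the thread): read and change the two NTDS registry
# values Q214678 documents for the intrasite notification delay.
# Assumptions: run locally on the DC as an administrator; values are seconds.

$NtdsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$AfterModify = 'Replicator notify pause after modify (secs)'   # 2000 default 300, 2003 default 15
$BetweenDsas = 'Replicator notify pause between DSAs (secs)'   # 2000 default 30,  2003 default 3

function Get-ReplicationNotifyPause {
    # Values that were never set are absent from the key, so $null here means
    # "OS default", not zero.
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AfterModifySecs = $p.$AfterModify
        BetweenDsasSecs = $p.$BetweenDsas
    }
}

function Set-ReplicationNotifyPause {
    param(
        [ValidateRange(1, 300)][int]$AfterModifySecs = 15,   # the Windows Server 2003 defaults
        [ValidateRange(1, 30)] [int]$BetweenDsasSecs = 3
    )
    # Both are REG_DWORD; Set-ItemProperty creates them when absent. The setting
    # is local to this DC and is not replicated, so repeat it on every DC in the
    # site or the slow DCs will still gate the overall convergence time.
    Set-ItemProperty -Path $NtdsParams -Name $AfterModify -Value $AfterModifySecs -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name $BetweenDsas -Value $BetweenDsasSecs -Type DWord
    Get-ReplicationNotifyPause
}

# Usage:
#   Get-ReplicationNotifyPause
#   Set-ReplicationNotifyPause -AfterModifySecs 15 -BetweenDsasSecs 3
```

Before lowering the value fleet-wide, measure with Get-ReplicationNotifyPause on each DC first: a site where half the DCs sit at 300 s and half at 15 s gives inconsistent convergence that is harder to troubleshoot than the original delay.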


[ActiveDir] LDAP'ing a computer object in AD

2003-10-16 Thread james . cate

Return Receipt

Your document "[ActiveDir] LDAP'ing a computer object in AD" was received by
James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV at 10/16/2003 10:27:23 AM.







RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-16 Thread Mulnick, Al
http://www.microsoft.com/technet/treeview/default.asp?url= is a good start.
What you also want to do is add some capability for the script to determine
the path to the domain.  You do this by starting with rootDSE and building the
domain path from there.  After that, you just need to add to the select
statement what specific name you want to find.

 
 
Al

  
  -Original Message-
  From: Frederic Allaert [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 9:50 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP'ing a computer object in AD
  Hello all, 
  I have been searching some good, clear examples how 
  to determine the LDAP path for a computer 
  object, (without knowing the "location" in AD), with the only input being 
  the hostname of the computer, and the 
  DNS-name for the domain. All this using a .VBS-script... 
  Can someone produce such an example, or direct me 
  to some good resource websites on this topic? 
  Greetings, 
  Frederic Allaert 



RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Mulnick, Al
Plenty, but I have a question first.  Why are you wanting to change 
it?  What benefit is there if you change it?

  
  -Original Message-
  From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 10:01 AM
  To: ActiveDirList
  Subject: [ActiveDir] OT? - LEGACY EXCHANGE DN
  To 
  All,
  When I 
  create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no 
  matter what ou the user was created under.  Using ADSI Edit to change 
  the value 
  to reflect the correct setting fails as the 
  value is immediately changed back.  
  Does anyone have any thoughts on this???
  R/Bill


RE: [ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Kingslan, Rick T.
See!  I knew that I was asking the right guys.

Thanks!  You solved it, Ken.

Much appreciated!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programatically when password
complexity is in force


Rick, I'll bet what you are doing wrong is to set the userAccountControl
(to enable the account) when creating the user. Don't do that - create
the user without setting userAccountControl, which will result in the
created user being disabled, then set the password, then set
userAccountControl to enable the user. This seems to work for me. I can
send my code if you like (but it is in perl...)

-Original Message-
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating programatically when password complexity
is in force


I've run into an interesting problem.  If I create a user
programmatically, (using C#, but we've confirmed the same with VBScript)
the password cannot be set until the user object exists.  If I try it,
we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell
me what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users
(which is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


[ActiveDir] ODBC query of Active DIrectory

2003-10-16 Thread Narkinsky, Brian
Is it possible to set up an ODBC to Active Directory?  I
wish to do some reporting using Access and apart from dumping and importing
flat files  I haven’t found a way to do it.

 

Brian

 

Brian Narkinsky

System Manager

Department of Environmental Protection

MS 6520

2600 Blairstone RD

Tallahassee, FL 32399

phone (850)245-8314

fax (850)412-0400

 

RE: [ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Kingslan, Rick T.
Code I can give you:

Directly from Robbie's "Active Directory Cookbook":

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

' Items in <...> are the replaceable parameters; fill them in or feed them
' from the command line
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("user", "cn=<UserName>")  ' e.g rickk
objUser.Put "sAMAccountName", "<UserName>"   ' e.g rickk
objUser.Put "userPrincipalName", "<UserUPN>" ' e.g [EMAIL PROTECTED]
objUser.Put "givenName", "<UserFirstName>"   ' e.g Rick
objUser.Put "sn", "<UserLastName>"   'e.g Kingslan
objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g Rick Kingslan
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo   ' <= Fails right here with the error
objUser.SetPassword("<Password>")
objUser.AccountDisabled = FALSE
objUser.SetInfo

This will work (given that the replaceable parameters [ those in the
'<>'] are either fed in from the command line or replaced otherwise -
pick your means) IF the password complexity is not enforced AND the
password length is equal to or greater than the minimum.

The problem is one of 'The Chicken and The Egg'.  The user can't be
created because the password is not complex and does not meet the
minimum criteria - it's currently NULL - not set, but the user object
must have a password value associated with it.  

You cannot SET the password for a user until after the user object
exists.

So, how do I get around this?

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 7:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Creating programatically when password
complexity is in force


Right, 
Can we see some code? We can then deduce from there exactly what you
need. 
Carlos 
-Original Message- 
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 2:06 PM 
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Creating programatically when password complexity
is in force 
I've run into an interesting problem.  If I create a user 
programmatically, (using C#, but we've confirmed the same with VBScript) 
the password cannot be set until the user object exists.  If I try it, 
we get the error: 
"Server is unwilling to process the request" 
when a SetInfo is done on the creation of the user object.  All required

fields for the user object are being entered, and checked per the 'Tuna'

just to be sure. 
However, the user cannot exist with a blank password because the blank 
password violates the password complexity and the minimum length rules. 
And, as stated, the password cannot be set until the object exists. 
Would one of the scripting / programming geniuses that we have here tell

me what I'm missing?  I have to believe that there is a way to do this. 
Or, am I going to be relegated to using ADUC again to create my users 
(which is a major pain in the a$$, to say the least)? 


Rick Kingslan  MCSE, MCSA, MCT 
Microsoft MVP - Active Directory 
LAN Administration - Windows 2000 
West Corporation 
[EMAIL PROTECTED] 


[ActiveDir] OT? - LEGACY EXCHANGE DN

2003-10-16 Thread Brown, Bill [contractor]
To All,

When I create a user in AD the legacyExchangeDN attribute is always set to cn=Recipients no matter what ou the user was created under.  Using ADSI Edit to change the value to reflect the correct setting fails as the value is immediately changed back.  Does anyone have any thoughts on this???

R/Bill




RE: [ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Coleman, Hunter
Is this against a Win 2003 DC? I can run the following against a 2000 DC
(complex passwords required) without any problems:

Set objOU = GetObject("LDAP://OU=myOU,dc=teststate,dc=testmt,dc=testads")
Set objUser = objOU.Create("User", "cn=MyerKena")
objUser.Put "sAMAccountName", "myerkena"
objUser.SetInfo
objUser.AccountDisabled = false
objUser.SetPassword "ComplexPW1"
objUser.SetInfo

However, if I change the password to "ComplexPW" then I get the same error
that you receive, which I would expect. Oddly, I can comment out the
SetPassword altogether and the user gets successfully created.

Hunter 

-Original Message-
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 6:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating programatically when password complexity is in
force

I've run into an interesting problem.  If I create a user programmatically,
(using C#, but we've confirmed the same with VBScript) the password cannot
be set until the user object exists.  If I try it, we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell me
what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users (which
is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]


RE: [ActiveDir] LDAP'ing a computer object in AD

2003-10-16 Thread Ken Cornetet
I think this is 
what you want. Search for samaccountname=computername$ (append a "$" to the 
computer name). 

  
  -Original Message-
  From: Frederic Allaert [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 16, 2003 8:50 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] LDAP'ing a computer object in AD
  Hello all, 
  I have been searching some good, clear examples how 
  to determine the LDAP path for a computer 
  object, (without knowing the "location" in AD), with the only input being 
  the hostname of the computer, and the 
  DNS-name for the domain. All this using a .VBS-script... 
  Can someone produce such an example, or direct me 
  to some good resource websites on this topic? 
  Greetings, 
  Frederic Allaert 
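
Putting Al's and Ken's suggestions together, this is the lookup Frederic asked for: start at RootDSE for the domain's naming context, then search for the machine account's sAMAccountName, which is the host name with a trailing "$". It is an added example in PowerShell rather than the VBScript Frederic mentioned, not code from the thread; the host name WKS042 and domain corp.example.com are placeholders.

```powershell
# Added example (not from the thread): resolve a computer object's LDAP path
# from only its host name and the domain's DNS name.
# Assumptions: 'WKS042' and 'corp.example.com' are placeholders.

function Get-ComputerLdapPath {
    param(
        [Parameter(Mandatory)][string]$HostName,   # 'WKS042' or 'wks042.corp.example.com'
        [Parameter(Mandatory)][string]$DnsDomain   # 'corp.example.com'
    )

    # Serverless bind: the DC locator picks a DC for the domain, and RootDSE
    # tells us the domain DN without hard-coding it.
    $rootDse = [ADSI]"LDAP://$DnsDomain/RootDSE"
    $baseDn  = [string]$rootDse.Get('defaultNamingContext')

    # Machine accounts are stored as the NetBIOS host name plus '$'. NetBIOS
    # names are at most 15 characters, so longer DNS labels are truncated in AD.
    $sam = $HostName.Split('.')[0].ToUpper()
    if ($sam.Length -gt 15) { $sam = $sam.Substring(0, 15) }
    $sam += '$'

    # Escape LDAP filter metacharacters (RFC 4515) so a crafted host name cannot
    # rewrite the filter; the backslash must be handled first.
    $escaped = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DnsDomain/$baseDn"
    $searcher.SearchScope = 'Subtree'
    # objectCategory is indexed; objectClass=computer alone is not.
    $searcher.Filter      = "(&(objectCategory=computer)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')

    $results = $searcher.FindAll()
    try {
        if ($results.Count -ne 1) {
            throw "Expected one computer with sAMAccountName '$sam', found $($results.Count)."
        }
        # e.g. LDAP://corp.example.com/CN=WKS042,OU=Workstations,DC=corp,DC=example,DC=com
        $results[0].Path
    }
    finally {
        $results.Dispose()   # releases the underlying search handle
    }
}

# Usage:
#   Get-ComputerLdapPath -HostName 'wks042' -DnsDomain 'corp.example.com'
```

The escaping step matters whenever the host name arrives from a ticket, a CSV or a web form: without it, an input such as `*` turns the lookup into an enumeration of every computer in the domain, and the "exactly one result" check is what catches that.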



RE: [ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Ken Cornetet
Rick, I'll bet what you are doing wrong is to set the userAccountControl
(to enable the account) when creating the user. Don't do that - create
the user without setting userAccountControl, which will result in the
created user being disabled, then set the password, then set
userAccountControl to enable the user. This seems to work for me. I can
send my code if you like (but it is in perl...)

-Original Message-
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating programatically when password complexity
is in force


I've run into an interesting problem.  If I create a user
programmatically, (using C#, but we've confirmed the same with VBScript)
the password cannot be set until the user object exists.  If I try it,
we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell
me what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users
(which is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

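The sequence Ken describes, written out as an ADSI script. This is an added example, not code from Ken, Rick or the list: the OU path, the account name and the UPN suffix are placeholders, and the initial password is taken from the command line rather than stored in the script. The order matters for more than just getting past the error: the object is created disabled, a policy-compliant password is set while it is still disabled, and only then is the disable bit cleared, so there is never a moment where an enabled account exists without a password.

```vbscript
' Added example (not from the thread): create a domain user with ADSI in the
' order Ken describes -- create (disabled), SetInfo, SetPassword, then enable.
' Placeholders: the OU path, the logon name and the UPN suffix below.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = &H2    ' bit the DC sets on a freshly created user

Dim strOU, strSam, strDomain, strPassword
strOU     = "LDAP://OU=Staff,DC=example,DC=com"   ' placeholder container
strSam    = "jdoe"                                 ' placeholder logon name
strDomain = "example.com"                          ' placeholder UPN suffix

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript newuser.vbs <initial-password>"
    WScript.Quit 1
End If
strPassword = WScript.Arguments(0)

Dim objOU, objUser
Set objOU = GetObject(strOU)

' Step 1: create the object WITHOUT touching userAccountControl. The DC
' creates it disabled, so no password is required yet and SetInfo succeeds.
Set objUser = objOU.Create("user", "cn=" & strSam)
objUser.Put "sAMAccountName", strSam
objUser.Put "userPrincipalName", strSam & "@" & strDomain
objUser.SetInfo

' Step 2: the object now exists, so the password can be set. ADSI performs
' this call over Kerberos (or LDAPS), so the secret is not sent in clear.
' A password that violates the domain policy fails right here.
On Error Resume Next
objUser.SetPassword strPassword
If Err.Number <> 0 Then
    WScript.Echo "SetPassword failed (policy?): " & Err.Description
    ' Leave the account disabled rather than enabling a passwordless user.
    WScript.Quit 2
End If
On Error GoTo 0

' Step 3: enable the account only after a compliant password is in place.
' Clear just the disable bit so any other flags already set are preserved;
' for a new user the result is ADS_UF_NORMAL_ACCOUNT (512).
Dim lngUAC
objUser.GetInfo                      ' refresh the cache after the SetInfo
lngUAC = objUser.Get("userAccountControl")
lngUAC = lngUAC And (Not ADS_UF_ACCOUNTDISABLE)
objUser.Put "userAccountControl", lngUAC
objUser.Put "pwdLastSet", 0          ' require a change at first logon
objUser.SetInfo

WScript.Echo "Created and enabled " & objUser.Get("distinguishedName")
```

One thing to avoid while solving this: setting ADS_UF_PASSWD_NOTREQD (0x20) on the account so the initial SetInfo stops complaining. That flag tells the DC the account may have no password at all, which is exactly the condition the domain policy exists to prevent, and it is a common finding in directory audits.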


[ActiveDir] LDAP'ing a computer object in AD

2003-10-16 Thread Frederic Allaert
Hello all,


I have been searching for some good, clear examples of how to determine the LDAP path
for a computer object (without knowing the "location" in AD), with the only input being
the hostname of the computer and the DNS name for the domain. All this using a .VBS script...


Can someone produce such an example, or direct me to some good resource websites on this topic?


Greetings,


Frederic Allaert
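One way to do what Frederic asks, as an added example that is not part of the thread: query the domain with the ADSI OLE DB provider for the computer whose sAMAccountName is the NetBIOS name plus "$", and read back its distinguishedName. The hostname and domain below are placeholders. Because the hostname is spliced into an LDAP filter, the script escapes it as RFC 4515 requires, so a value taken from a form or a file cannot change the meaning of the filter.

```vbscript
' Added example (not from the thread): find the LDAP path of a computer
' object given only its hostname and the domain's DNS name.
' The hostname and domain at the bottom are placeholders.
Option Explicit

' Turn "corp.example.com" into "DC=corp,DC=example,DC=com".
Function DnsToDn(strDns)
    Dim parts, i, dn
    parts = Split(strDns, ".")
    dn = ""
    For i = 0 To UBound(parts)
        If parts(i) <> "" Then
            If dn <> "" Then dn = dn & ","
            dn = dn & "DC=" & parts(i)
        End If
    Next
    DnsToDn = dn
End Function

' Escape a value for use inside an LDAP search filter (RFC 4515) so that
' input such as "*" or ")(objectClass=*" cannot alter the filter's logic.
Function LdapFilterEscape(strValue)
    Dim i, ch, out
    out = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        Select Case ch
            Case "\":    out = out & "\5c"
            Case "*":    out = out & "\2a"
            Case "(":    out = out & "\28"
            Case ")":    out = out & "\29"
            Case Chr(0): out = out & "\00"
            Case Else:   out = out & ch
        End Select
    Next
    LdapFilterEscape = out
End Function

' Return the distinguishedName of the computer, or "" if it is not found.
Function FindComputerDn(strHost, strDomainDns)
    Dim conn, cmd, rs, strBase, strFilter, strNetbios

    ' Accept either "wks0042" or "wks0042.corp.example.com"; the account
    ' name is the NetBIOS name (at most 15 characters) followed by "$".
    strNetbios = Left(Split(strHost, ".")(0), 15)

    strBase   = "LDAP://" & strDomainDns & "/" & DnsToDn(strDomainDns)
    strFilter = "(&(objectCategory=computer)(sAMAccountName=" & _
                LdapFilterEscape(strNetbios) & "$))"

    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "<" & strBase & ">;" & strFilter & _
                      ";distinguishedName;subtree"
    cmd.Properties("Page Size") = 1000

    Set rs = cmd.Execute
    If rs.EOF Then
        FindComputerDn = ""
    Else
        FindComputerDn = rs.Fields("distinguishedName").Value
    End If
    rs.Close
    conn.Close
End Function

Dim strHost, strDomain, strDn
strHost   = "WKS0042"           ' placeholder hostname
strDomain = "corp.example.com"  ' placeholder domain DNS name

strDn = FindComputerDn(strHost, strDomain)
If strDn = "" Then
    WScript.Echo "No computer named " & strHost & " in " & strDomain
    WScript.Quit 1
End If

' Bind to the object now that its location in the directory is known.
Dim objComputer
Set objComputer = GetObject("LDAP://" & strDomain & "/" & strDn)
WScript.Echo "ADsPath:       " & objComputer.ADsPath
WScript.Echo "DNS host name: " & objComputer.Get("dNSHostName")
```

Run it with cscript so the output goes to the console. Searching by sAMAccountName rather than by CN is deliberate: the CN of a computer object can be renamed independently of the account, while the sAMAccountName is what the machine actually authenticates with.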





RE: [ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Carlos Magalhaes
Right, 


Can we see some code? We can then deduce from there exactly what you need.


Carlos


-Original Message-
From: Kingslan, Rick T. [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 16, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating programatically when password complexity is in force


I've run into an interesting problem.  If I create a user
programmatically (using C#, but we've confirmed the same with VBScript),
the password cannot be set until the user object exists.  If I try it,
we get the error:


"Server is unwilling to process the request" 


when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.


However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.


Would one of the scripting / programming geniuses that we have here tell
me what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users
(which is a major pain in the a$$, to say the least)?



Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]






[ActiveDir] Creating programatically when password complexity is in force

2003-10-16 Thread Kingslan, Rick T.
I've run into an interesting problem.  If I create a user
programmatically (using C#, but we've confirmed the same with VBScript),
the password cannot be set until the user object exists.  If I try it,
we get the error:

"Server is unwilling to process the request" 

when a SetInfo is done on the creation of the user object.  All required
fields for the user object are being entered, and checked per the 'Tuna'
just to be sure.

However, the user cannot exist with a blank password because the blank
password violates the password complexity and the minimum length rules.
And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell
me what I'm missing?  I have to believe that there is a way to do this.
Or, am I going to be relegated to using ADUC again to create my users
(which is a major pain in the a$$, to say the least)?


Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]