RE: [ActiveDir] documenting servers

2003-10-25 Thread Oliver Marshall
OK! Thanks SOOO much for the response. I have had loads of emails these
last few days, and I'm in a bit of a shock about the number of people
contacting me. Thanks again.

Rather than me add you to the project, could you visit:

www.sourceforge.net/projects/wsdp

Here you can add yourselves to the mailing list (currently
wsdp-discussion).

I have posted an entry on the Open Discussion forum for the project
which details some of my ideas and means to achieve them. 

Please feel free to reply to the post, or use the mailing list. Also, if
any of you want to get *really* involved you can help admin the project
!! :)

Thanks for the owners of the activedir list for putting up with people
saying "me too!" lots, cheers :)

Olly
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT? - You guys rock

2003-10-25 Thread Joe
You know I can't find the original note anywhere that this was a response to. When did it go out? The archive doesn't have it either; it appears the whole chain starts right with Yusef's note.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Thursday, October 23, 2003 12:12 PM
To: [EMAIL PROTECTED]

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd, Gil ... and (that's the rest of the folks I haven't mentioned) have all been well appreciated.

And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and have so much more to learn from all of you.

With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf


RE: [ActiveDir] Do you have a development (DEV) forest?

2003-10-25 Thread Myrick, Todd (NIH/CIT)








What are the goals of the Development forest?

You can accomplish a lot with VMware, and a few hosts.

You are correct. Maintaining a development forest is a pain in the butt. Best off to try to create a Development forest using VMware images, and IPs that are not public, so you can test as much as you can.

One strategy is to do the following so you can roll out new systems in a staging method pretty quickly.

1. Simulate as much of the environment in VMware.

2. To test out a theory that your architecture designs work, deploy boxes on a central network and a few spoke networks and verify that the firewall configs and routers are not going to cause problems.

3. Determine the role of the servers in production, and have the appropriate backup solution, IDR, and application-specific backup.

4. During upgrades, I would do 2 full backups, then I would break the OS mirror, Transaction Logs, and replace all the drives for the data with new drives, then restore the data.

5. Run a restore of the data. Then upgrade the OS and Application. If either breaks, you can reinstall the broken mirrors, and add the data drives back in. It is expensive, but it is quick and safe.

Q1. Only add the systems you need to test with. No need for redundancy.

Q2. They don't, it is part of ADOG.

Q3. SLAs don't work, abandon that concept. (This is the minimal amount of work I will do. If someone wants to hand me an SLA or requires it, it makes me feel I need to do business with someone else.)
Case in point. I LOVE YOU. SLAs didn't add any value here.

Q5. Well, they customize COTS applications, and seem all the web services together.

Q6. Current.

Q7. Dev is more organized by project. So they have "programming" on their side to manage the project. I find that my efforts are somewhat better because I am free to think of several possibilities.

Todd Myrick

 

-Original Message-
From: StickmanRunner87 [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do you have a development (DEV) forest?

Hello!

BACKGROUND
Recently, our Active Directory Team was asked by executive management to implement a development forest that very much mimics our production forest in many ways. However, many of us struggle with this request because we're afraid a development forest will incur more work and cost than benefit.

QUESTIONS
Do you have a development (DEV) forest?

If yes,

1. How does DEV's size compare to PROD in terms of users, computers, domain controllers, domains, sites, GPOs?
2. Do DEV admins support PROD too?
3. How does DEV's SLA compare to PROD?
4. How has DEV added value to your company? Any stories to share?
5. How current is DEV compared to PROD? Identical, one schema version behind, etc.?
6. How do DEV's change control practices compare to PROD's?

If no,

1. Is there a specific reason why you don't have a DEV forest?
2. Did you have a DEV forest previously and tear it down?
3. Are you considering a DEV forest at the present time?

I appreciate any feedback you can share with me. If you would prefer to discuss in a telephone call, I'm willing to "phone a friend."

Sincerely,
Stick

RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Robbie Allen
You are right, that wasn't the best way to fix them. I added those quick fixes a while back so the scripts wouldn't fail on forests with password complexity enabled. I just added "corrected" code for 6.1-6.3 (http://www.rallenhome.com/books/adcookbook/code.html#ch6). All I did was comment out the lines that set userAccountControl and put a note about why it isn't necessary to set it.

Thanks!
Robbie Allen

  
-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

OK, Robbie fixed the examples on the webpage for the Tuna book (although I personally don't like the way he changed 6.3) -- however, his change was to set userAccountControl to disabled (514).

Is there an advantage, or disadvantage, either way -- to setting userAccountControl before the first SetInfo or not? Just preference?
  
  
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Rick, I think he may be referring to our conversation

1.

Here is what I vote for:

    ' <...> values are placeholders (the archive stripped the angle-bracket text); fill in your own
    set objParent = GetObject("LDAP://<parent OU DN>")
    set objUser   = objParent.Create("user", "cn=<name>")
    objUser.Put "sAMAccountName", "<sAMAccountName>"
    objUser.Put "userPrincipalName", "<userPrincipalName>"
    objUser.Put "givenName", "<givenName>"
    objUser.Put "sn", "<sn>"
    objUser.Put "displayName", "<givenName> <sn>"
    objUser.SetInfo
    objUser.SetPassword "password1"
    objUser.AccountDisabled = FALSE
    objUser.SetInfo

Note you don't have to set the account disabled. The default useraccountcontrol on the create will be disabled. You need to swing back and enable it and set the password.

2. If a single domain

    adfind -default -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: That may pull trust accounts too, I don't have trusts set up on my home domain to check.

If multiple domain forest

    adfind -h dcname -default -f "&(objectcategory=person)(samaccountname=*)" -dn

or

    adfind -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: Same note.

If you do get trusts as well, you need to filter them out and at 1:53AM the thing I think you would do is add a (!samaccountname=*$) which really sucks because !'s kill search time.

The first single domain query yanked my 2034 userids in my home domain in about 5 seconds. That is with a PIII-930 with 512 MB running about 10 normal apps (one is VPC 5.2 with a Windows Server 2003 Enterprise guest fired up and allocated 64MB RAM) against my W2K DC which is PII-450 w/ 128MB RAM.

joe
   
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 24, 2003 6:35 PM
To: [EMAIL PROTECTED]

Michael -

1) Yes, this is one way. Just discussed this topic on the list, with code samples, so check the archives. Setting the user to disabled and then applying the complex password is valid.
2) Not there directly ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, October 24, 2003 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

It's a great book.

Two questions: 1) did you gurus here on activedir come to the conclusion that, due to password complexity, a user should be created disabled? Does that affect any recipes other than 6.1, 6.2, and 6.3? 2) I think you should add one of the simplest and (in my opinion) the most common AD query as a recipe: how to find all the users in a domain.
  
  
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book. I give the credit to my all-star cast of reviewers :-)

My main goal was to produce a reference that would help AD admins get their job done quicker and easier. There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections: http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen
  

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2003 11:51 AMTo: 
[EMAIL PROTECT

RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Joe
You don't need to set it at all as the default creation will set it to password not required, disabled, and expired. You can set useraccountcontrol to 512 after the password set and the first setinfo. I forgot about the password not required so I would set the useraccountcontrol versus doing the accountdisabled=FALSE trick outlined below.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Saturday, October 25, 2003 3:35 PM
To: [EMAIL PROTECTED]

OK, Robbie fixed the examples on the webpage for the Tuna book (although I personally don't like the way he changed 6.3) -- however, his change was to set userAccountControl to disabled (514).

Is there an advantage, or disadvantage, either way -- to setting userAccountControl before the first SetInfo or not? Just preference?


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 2:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Rick, I think he may be referring to our conversation

1.

Here is what I vote for:

    ' <...> values are placeholders (the archive stripped the angle-bracket text); fill in your own
    set objParent = GetObject("LDAP://<parent OU DN>")
    set objUser   = objParent.Create("user", "cn=<name>")
    objUser.Put "sAMAccountName", "<sAMAccountName>"
    objUser.Put "userPrincipalName", "<userPrincipalName>"
    objUser.Put "givenName", "<givenName>"
    objUser.Put "sn", "<sn>"
    objUser.Put "displayName", "<givenName> <sn>"
    objUser.SetInfo
    objUser.SetPassword "password1"
    objUser.AccountDisabled = FALSE
    objUser.SetInfo

Note you don't have to set the account disabled. The default useraccountcontrol on the create will be disabled. You need to swing back and enable it and set the password.

2. If a single domain

    adfind -default -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: That may pull trust accounts too, I don't have trusts set up on my home domain to check.

If multiple domain forest

    adfind -h dcname -default -f "&(objectcategory=person)(samaccountname=*)" -dn

or

    adfind -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: Same note.

If you do get trusts as well, you need to filter them out and at 1:53AM the thing I think you would do is add a (!samaccountname=*$) which really sucks because !'s kill search time.

The first single domain query yanked my 2034 userids in my home domain in about 5 seconds. That is with a PIII-930 with 512 MB running about 10 normal apps (one is VPC 5.2 with a Windows Server 2003 Enterprise guest fired up and allocated 64MB RAM) against my W2K DC which is PII-450 w/ 128MB RAM.

joe
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
  


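As an added example (not code from the thread or from the cookbook), the userAccountControl arithmetic behind Joe's two messages above, in Python: what a fresh ADSI create leaves in the attribute, what AccountDisabled=FALSE versus writing 512 after SetPassword does to it, and an audit over constructed sample accounts for the PASSWD_NOTREQD leftover. The flag constants and the LDAP bitwise matching-rule OID are standard; the account names and values are made up.

```python
"""Decode and audit Active Directory userAccountControl (UAC) values.

Added example, not code from the thread. It models the point Joe makes:
a user created through ADSI without touching userAccountControl gets
NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD (546). Flipping only
AccountDisabled to FALSE leaves PASSWD_NOTREQD behind (544); writing 512
after SetPassword and the first SetInfo clears both.
"""
from __future__ import annotations

# Well-known userAccountControl bit flags (subset relevant here).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# What the directory stores for a user created with no UAC value supplied.
DEFAULT_NEW_USER_UAC = NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD  # 546


def decode_uac(uac: int) -> list[str]:
    """Names of the known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def account_disabled_false(uac: int) -> int:
    """Effect of `objUser.AccountDisabled = FALSE`: clears bit 2 only."""
    return uac & ~ACCOUNTDISABLE


def enable_with_password_required(uac: int) -> int:
    """Effect Joe wants from writing userAccountControl after SetPassword:
    enable the account AND drop PASSWD_NOTREQD so the domain password
    policy applies. For a fresh 546 this is exactly 512; unlike a literal
    Put of 512, unrelated bits such as DONT_EXPIRE_PASSWORD are kept."""
    return uac & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def find_password_not_required(accounts: list[dict]) -> list[str]:
    """sAMAccountNames of ENABLED accounts still carrying PASSWD_NOTREQD.
    Such accounts are exempt from the minimum password length (an empty
    password is accepted), which is the leftover the AccountDisabled=FALSE
    approach produces when nothing writes userAccountControl back."""
    return [
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & PASSWD_NOTREQD
        and not a["userAccountControl"] & ACCOUNTDISABLE
    ]


# The same check as an LDAP filter for adfind or any other LDAP client.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: "bit is set".
LDAP_FILTER_ENABLED_PASSWD_NOTREQD = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample data, not output from a real directory.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512},          # clean
    {"sAMAccountName": "asmith", "userAccountControl": 544},        # 512+32
    {"sAMAccountName": "tmp01", "userAccountControl": 546},         # fresh create
    {"sAMAccountName": "svc_backup", "userAccountControl": 66080},  # 65536+512+32
]

if __name__ == "__main__":
    uac = DEFAULT_NEW_USER_UAC
    print("new user:", uac, decode_uac(uac))
    print("AccountDisabled=FALSE:", account_disabled_false(uac),
          decode_uac(account_disabled_false(uac)))
    print("UAC written after SetPassword:", enable_with_password_required(uac),
          decode_uac(enable_with_password_required(uac)))
    print("enabled accounts with PASSWD_NOTREQD:",
          find_password_not_required(SAMPLE_ACCOUNTS))
    print("LDAP filter:", LDAP_FILTER_ENABLED_PASSWD_NOTREQD)
```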

RE: [ActiveDir] Do you have a development (DEV) forest?

2003-10-25 Thread Joe



We have a couple of test labs like Rick. Officially one for Exchange, one for other stuff.

I would like to see one global dev forest (or maybe better termed Production QA) and have been pushing in that way so that the cost is spread out across several divisions and also so the number of DCs can be significant, as well as the sites and subnets involved. I.e. make it more like production. I would visualize primary support by a couple of team members that rotate in and out of the main production support team. I.e. the two teams have rotation. Keeps people from burning out and keeps dev looking like prod. Would also be a good training ground for new admins since we have a 2-3 month spin-up time for new admins before we give them Domain Admin keys. This is still not truly enough time. The SLA of that would be business hours of the location in the world that the team exists at, which in our case would be the US.

The Exchange Test Lab Domain Controllers are controlled by the folks in Production (my team) though we give out more rights in the lab for the lab folks - basically Account Operator.

When we do Schema Tests we spin up a growth from production. I.e. we promo some DCs for each domain from production, then chop them off from the real network and then cut the references out of production. And cut the references to production out of the "lifeboat" lab. This way we can do testing on real data and the real environment. The future of this lies somewhere in Virtual Server so we don't have to cut the machines out of production; we will simply have a single DC for every domain sitting in a virtual server session and copy the session files occasionally to a dark network lab.

The Exchange lab has all of the user objects and most of the domains. It is missing the data center application domain as it has no bearing on Exchange.
The other testing lab has some random number of users.
The lifeboat lab is a mirror of production in terms of objects, just doesn't have the real subnet coverage and site coverage and number of DCs.

The Exchange lab, since it is controlled by me, has a business hours SLA unless someone is really under a time crunch and then they will sweet talk me into hanging around. The other test lab is business hours and probably best effort.

There are things that are not caught in Dev, you will never catch everything there, but it is better than catching everything in production. It is especially useful for doing things like turning up logging or doing network tracing since you can control the traffic more easily.
 
 
 
 





RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Michael B. Smith
OK, Robbie fixed the examples on the webpage for the Tuna book (although I personally don't like the way he changed 6.3) -- however, his change was to set userAccountControl to disabled (514).

Is there an advantage, or disadvantage, either way -- to setting userAccountControl before the first SetInfo or not? Just preference?


"Lou Vega" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had don

[ActiveDir] Robbie Allen DEC Presentation - LDAP Searching and Profiling

2003-10-25 Thread Joe



http://www.rallenhome.com/conferences/RAllen_LDAP_Searching.ppt

Hey I didn't previously know it but Robbie posted his DEC presentation on his web site. If this was posted before I apologize. It is a pretty good little doc for those who do anything with LDAP. There are probably a couple of you on this list...

joe


RE: [ActiveDir] Do you have a development (DEV) forest?

2003-10-25 Thread Rick Kingslan



We do not have a DEV forest, per se. We have a TEST Lab in which anything that would affect AD would be tested before it can be put into production. Our DEV staff does not do any level of programming that would touch AD. They do not do any level of LDAP, GC lookups, ADO connections to the AD, or Schema changes / looks / updates.

Given what our DEV staff does, it would be a huge waste of money for us to put them in their own forest. If they start to develop AD integrated programs, we would likely reconsider as the risk to potential schema problems is still too high, IMHO. Obviously, I'm not going to give access to DEV to make changes to schema anyway, but if the program needs to update schema, it's obviously going to need to be tested (in our current 'waterfall' project management model - ineffective and pointless as it is) and the test lab is currently where that would happen.

If they feel that they require production access to 'eat their own dog food', then we would have to reconsider. Likely, a DEV forest would be implemented if the requirement changed to a 'Production-like' system for DEV.

Hope this helps.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




[ActiveDir] Do you have a development (DEV) forest?

2003-10-25 Thread StickmanRunner87


Hello!

BACKGROUND
Recently, our Active Directory Team was asked by executive management to implement a development forest that very much mimics our production forest in many ways. However, many of us struggle with this request because we're afraid a development forest will incur more work and cost than benefit.

QUESTIONS
Do you have a development (DEV) forest?

If yes,

1. How does DEV's size compare to PROD in terms of users, computers, domain controllers, domains, sites, GPOs?
2. Do DEV admins support PROD too?
3. How does DEV's SLA compare to PROD?
4. How has DEV added value to your company? Any stories to share?
5. How current is DEV compared to PROD? Identical, one schema version behind, etc.?
6. How do DEV's change control practices compare to PROD's?

If no,

1. Is there a specific reason why you don't have a DEV forest?
2. Did you have a DEV forest previously and tear it down?
3. Are you considering a DEV forest at the present time?

I appreciate any feedback you can share with me. If you would prefer to discuss in a telephone call, I'm willing to "phone a friend."

Sincerely,
Stick

RE: [ActiveDir] You guys amaze me!

2003-10-25 Thread Joe
No problem. I will still respond again, it is nasty out and don't feel like
doing real work (house work that is). :op

First off we used MTEC's PSYNCH, I have had a bug up my butt to write a
joeware tool, but the bug is waiting in line with other things. It may be
one of my first Dot Net Web projects I play with.

> I'm most interested in how you approached and solved the security issues
in how to absolutely and uniquely identify a user.  

1. Log on with existing Windows ID and password - this is to change up front
or sync other systems or set up Q&A profile.
2. Q&A profile - You have a bunch of questions with stored responses, system
randomly asks you several of them, if you score 100% you can get in and set
your password or change your profile or sync other systems.
3. SecurID authentication - this is a self set pin with a random number
generated on a RSA SecurID FOB you carry with you. Once in you can set your
password, change your profiles, sync other systems. Also if you have a
delegated admin ID you can set the password on that account with this
option. Note that our Enterprise and Domain Admin ID's can not be handled by
this system for extremely obvious reasons.

 
> If everyone is subject to such a system, can it be used as a DoS tool, if
not - how did you mitigate?

The system doesn't have to be used, you can still change passwords the old
fashioned way so killing the site doesn't stop people completely. This was
one of my critical considerations. 


> 1.  Sounds like a perfect conversation topic now that we've beat the shit
out of Exchange

The more I learn, the bigger the bat I get out in the morning. :op


> 2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director

I don't want to be around anyone who isn't self-serving... If they aren't,
what are their goals and intentions, too difficult to figure out. 

> Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.
1. Money
2. Perceived risk
3. Money
4. Not enough complaints by users that the help desk doesn't respond timely
or a management rule that is stood by strongly of no password help after
business hours. 
5. Money
6. Additional server support overhead
7. ...more Money (and look here's a lovely new twenty dollar bill...)

How much more tainted can it get? Give me the reasons, let me see if I can
beat them down. 


> What say you, Mr. Richards?  

Dad? You here? . 


> Are you game?  Or, just gamey?  ;p

Both, neither, one or the other, I will accept the judgement of my peers.
:o)

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 10:52 AM
To: [EMAIL PROTECTED]

Joe,

Hm.  Apparently, we were typing about the same time.  Question/topic
comes about the same time as the response.  

E.  What the heck - maybe next time.  

;)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

OK - here's a GOOD topic.  Joe, can you explain some of the ins and outs
of your password reset system (without, obviously - revealing sensitive
issues) and how it works (again - same caveat applies).

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.  Clearly, the implications
are huge.  If everyone is subject to such a system, can it be used as a DoS
tool, if not - how did you mitigate?  Naturally, with a password policy in
place the easiest way to DoS anyone is to just attempt to login with a bogus
password until it locks the account.  Obviously, many of us are getting more
script aware, and this sounds like a cool application we all could use.

The reason that I ask is two-fold:

1.  Sounds like a perfect conversation topic now that we've beat the shit
out of Exchange
2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director

Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.

What say you, Mr. Richards?  Are you game?  Or, just gamey?  ;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it
is there but 

Before I answer anything else though, what kind of data do you have in AD?
Is it the basic NOS stuff or have you deployed Exchange or other AD aware
apps that h

RE: [ActiveDir] You guys amaze me!

2003-10-25 Thread David Adner

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.
Has to be better than our system which just asks for employee # and 
birthdate.  :-/   You don't even need to know the old password.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

2003-10-25 Thread Joe



Thanks Michael.

  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 2:10 PM
To: [EMAIL PROTECTED]

Not sure if this was mentioned by anyone - have you checked this out? http://www.microsoft.com/windows2000/technologies/directory/AD/redir-adsegment.asp

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456


"Joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/18/2003 11:22 AM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

This is similar to the solution I was thinking of as well. It only costs you a firewall and the full protection of a single machine. I wouldn't even give full access to this box to production, it would allow HTTP access to it. Someone checks a file in on the lab side, you check it out on the prod side. Ditto but in reverse to get something from prod to dev.

I was just telling my team this last week. You have a see-saw, on one side is security, on the other is flexibility/usability. You need to decide which side should be focused on. If you have to have the flexibility and usability you have to sacrifice security. If you are sane, you choose security and sacrifice flexibility and usability.  Just because people are used to having full access doesn't mean it should continue or that it makes sense. It is something that has been pushed due to how MS trains admins and Developers (MC* programs) and their own software and with how the environment has evolved with third party stuff.

I know I beat on E2K a lot, but it is a great example of a poor directory integrated poor security app. I recall when I got the instructions for how to separate the administrators of Exchange and AD... I looked down the list, you had multiple ways to do it. First was to give property sets and add a bunch of deny's, the other was to add a bunch of individual grants. Either way really goes against the recommendation of managing your directory security well because it is confusing plus you don't want a bunch of ACEs on your objects. Additionally one of the attributes that was to be delegated was the nTSecurityDescriptor... Heh Game over.

It is only recently that true security has started to become something that less than a minority on Windows is becoming aware of. You know me, I have always been paranoid about it. It is good to see the rest of the world starting to show up at that party (though I ate all the peanuts and drank all the beer already so BYOB).

Additionally, I think it is not only silly, not only dangerous, but outright stupid to allow people to pull something directly from dev or the lab into the production environment without some form of logged process in between.

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Friday, October 17, 2003 3:01 PM
To: [EMAIL PROTECTED]

Well, I still think you could work it out with an intermediate machine. Just put a Server in between the two networks with two interfaces on it. Load it up with all the virus protection you can find (most server-based virus protection will check incoming and outgoing files as they are up/downloaded) and keep the machine updated with all patches/etc. Then set it up so the only way to get files from production to lab is to copy them on to this server first.  It's a little annoying for the people copying the files ("Damn ... I forgot to copy this to the transfer server from the lab") but I would say that this is where you've got to draw the line if you want to have any level of safety/protection whatsoever.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] You guys amaze me!

2003-10-25 Thread Rick Kingslan
Joe,

Hm.  Apparently, we were typing about the same time.  Question/topic
comes about the same time as the response.  

E.  What the heck - maybe next time.  

;)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 25, 2003 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

OK - here's a GOOD topic.  Joe, can you explain some of the ins and outs
of your password reset system (without, obviously - revealing sensitive
issues) and how it works (again - same caveat applies).

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.  Clearly, the implications
are huge.  If everyone is subject to such a system, can it be used as a DoS
tool, if not - how did you mitigate?  Naturally, with a password policy in
place the easiest way to DoS anyone is to just attempt to login with a bogus
password until it locks the account.  Obviously, many of us are getting more
script aware, and this sounds like a cool application we all could use.

The reason that I ask is two-fold:

1.  Sounds like a perfect conversation topic now that we've beat the shit
out of Exchange
2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director

Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.

What say you, Mr. Richards?  Are you game?  Or, just gamey?  ;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it
is there but 

Before I answer anything else though, what kind of data do you have in AD?
Is it the basic NOS stuff or have you deployed Exchange or other AD aware
apps that have populated it? My guess is you aren't doing a lot with AD yet
so most likely following option two doesn't lose much if any information
that you can't export off into LDIFs and reimport after you are back to W2K
DC's.

Pay isn't bad. However, in relative terms you are probably doing better. 100
users per admin versus our ratio of something like 83000 users per admin and
I would be lucky to be making 5x-10x what you make let alone 830x. On the
flip side though, you probably haven't put a provisioning system and auto
password reset system into place - yet. :op

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious.

Here is a question for you.  As always, if you could offer any info, I would
be very grateful.  We're a small shop with only 2 Admins managing 200 users
in 4 states and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it.  You
have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed
mode.  You could move the NT DC to 2K, then move everyone to W2K3, then
raise the Forest functionality level and then play Russian Roulette with
Rendom.  That's one option.  Or could it be as simple as DCPromoing all 3
W2K3 servers down to Standalone servers, allowing the NT4 DC which still
controls the pre-W2K subdomain name to take full control of the domain
again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO
and renaming the domain to what you want?  I would love to believe I could
do it and get away with it.

Thank you people.

PS:  I don't envy you Joe.  I hope you're being paid well!

RH

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Rick Kingslan
Title: Message



Bite me, Joe.

:P

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

I thought you would think that was a good thought. But you have a good point to counter that good thought. I should submit something, I wouldn't mind being in the acknow. err wait a minute. How about this, people who are already in it can submit something and pick one person to be removed from the acknowledgements... Oh Rick :op

Hmmm what could I submit... Oh I know, something I had to do today really quick... Find all OU's with any GPO link whatsoever...

First off I wondered, is gplink in the GC?

adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

Gets you

dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
>isMemberOfPartialAttributeSet: TRUE

So it sure is... This is easy!

adfind -gc -b -f "&(objectcategory=organizationalunit)(gplink=*)" gplink

On my home domain that rips off in less than a second...

dn:OU=Domain Controllers,DC=joehome,DC=com
>gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Cmps,DC=joehome,DC=com
>gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

Oh ok, you now want to know what the nice name of those are...

adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

and

adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

I don't recall those exact examples in the book. :op

Can anyone guess how often I use adfind in the course of a normal workday?

Me neither. But I have wrapped it with a couple of batch files.

The first is called findthis.cmd

It takes whatever I enter and basically does a

adfind -gc -b -f name=%1 -dn

I also have a kids.cmd

adfind -gc -b %1 -s one -f * -dn

and also I have a get

adfind -b %1 -s base

Ok that is enough, I don't want to hurt anyone. ;o)

Good night!

  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Saturday, October 25, 2003 1:40 AM
To: '[EMAIL PROTECTED]'

And what have you been drinking at 1am?? :-)  Good thought, but my guess is that people who offer good suggestions probably already have a copy of the book (since they know what's in there and what isn't).  FWIW, I would be happy to mention in the acknowledgements section anyone who suggests a recipe I include in the next edition.

Robbie Allen
http://www.rallenhome.com/


-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this, donate a cookbook a month for someone who comes up with a great idea for additions to the next version of the cookbook.

Basically the submissions have to follow the format of the book, and have to work.

They would be judged based on the following criteria.

The topic covered in AD.  1-25 points (Existing topics with a spin get up to 12.5 points; new topics getting up to 25 if worthy.)
The issues identified within the topic 1-25 points.  (Each issue identified gets 2.5 points for existing topics. Max 10)
The solutions that meet the needs identified for each topic. 1-50 points.  (Each need that gets a solution gets 5 points per solution.  Solutions should identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was willing to support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler


-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book.  I give the credit to my all-star cast of reviewers :-)

My main goal was to produce a reference that would help AD admins get their job done quicker and easier.  There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections: http://www.rallenhome.com/books/adcookbook/cod
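Joe's adfind one-liner above hands back the raw gPLink strings; what a practitioner usually wants next is each link pulled apart into GPO GUID, link options and display name. The following is an added example (not Joe's code and not part of adfind) in Python: a parser for the gPLink value format and for adfind's dn:/>attribute: output, run over the two OUs quoted above plus a constructed third OU carrying one enforced and one disabled link. The well-known GUID table covers only the two GPOs every domain has (the first is the one linked to Domain Controllers above); the sample text beyond Joe's two lines is constructed here.

```python
"""Parse gPLink values out of adfind output (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One gPLink value is zero or more entries, concatenated with no separator:
#   [LDAP://<DN of the GPO's groupPolicyContainer>;<options>]
# options is a bitmask: bit 0 (1) = link disabled, bit 1 (2) = link enforced.
ENTRY_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)
GPO_DN_RE = re.compile(
    r"^CN=\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\},CN=Policies,CN=System,",
    re.IGNORECASE)
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

# The two GPOs present in every domain have fixed GUIDs; everything else has to be
# resolved with the 'adfind -b <GPO DN> -s base displayname' call shown above.
WELL_KNOWN_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}


@dataclass
class GpoLink:
    scope_dn: str      # the OU (or domain / site) object that carries the link
    gpo_dn: str
    gpo_guid: str      # upper case, without braces
    position: int      # 1-based position inside the stored attribute value
    disabled: bool
    enforced: bool

    def display_name(self, names: Dict[str, str]) -> str:
        return names.get(self.gpo_guid, "<unresolved " + self.gpo_guid + ">")


def parse_gplink(scope_dn: str, gplink: str) -> List[GpoLink]:
    """Split one gPLink value into links; anything between or after entries is corruption."""
    links: List[GpoLink] = []
    pos = 0
    for n, m in enumerate(ENTRY_RE.finditer(gplink), start=1):
        if m.start() != pos:
            raise ValueError(f"unexpected text in gPLink at offset {pos}: {gplink[pos:m.start()]!r}")
        pos = m.end()
        g = GPO_DN_RE.match(m.group("dn"))
        if g is None:
            raise ValueError(f"gPLink entry does not point into CN=Policies,CN=System: {m.group('dn')}")
        opts = int(m.group("opts"))
        links.append(GpoLink(scope_dn, m.group("dn"), g.group("guid").upper(), n,
                             bool(opts & LINK_DISABLED), bool(opts & LINK_ENFORCED)))
    if pos != len(gplink):
        raise ValueError(f"trailing text in gPLink: {gplink[pos:]!r}")
    return links


def parse_adfind(text: str) -> List[Tuple[str, str]]:
    """Turn adfind output ('dn:...' then '>attr: value' lines) into (dn, gPLink) pairs."""
    pairs: List[Tuple[str, str]] = []
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            dn = line[3:]
        elif line.startswith(">") and dn is not None:
            attr, _, value = line[1:].partition(":")
            if attr.strip().lower() == "gplink":
                pairs.append((dn, value.strip()))
    return pairs


# Constructed sample: Joe's two real output lines plus an OU=Lab with two links,
# the first enforced (option 2) and the second disabled (option 1).
SAMPLE_OUTPUT = """\
dn:OU=Domain Controllers,DC=joehome,DC=com
>gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Cmps,DC=joehome,DC=com
>gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

dn:OU=Lab,DC=joehome,DC=com
>gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;2][LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;1]
"""


def all_links(text: str = SAMPLE_OUTPUT) -> List[GpoLink]:
    return [link for dn, value in parse_adfind(text) for link in parse_gplink(dn, value)]


if __name__ == "__main__":
    for link in all_links():
        flags = ("enforced " if link.enforced else "") + ("disabled" if link.disabled else "")
        print(f"{link.scope_dn:45} -> {link.display_name(WELL_KNOWN_GPOS):40} {flags.strip()}")
```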

RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Rick Kingslan
Title: Message



Yeah, that looks like us.  Thank you!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 1:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Rick, I think he may be referring to our conversation

1.

Here is what I vote for:

set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("user", "cn=<UserName>")
objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserName>@<DomainDNSName>"
objUser.Put "givenName", "<FirstName>"
objUser.Put "sn", "<LastName>"
objUser.Put "displayName", "<FirstName> <LastName>"
objUser.SetInfo
objUser.SetPassword "password1"
objUser.AccountDisabled = FALSE
objUser.SetInfo

Note you don't have to set the account disabled. The default useraccountcontrol on the create will be disabled. You need to swing back and enable it and set the password.


2.  If a single domain
    adfind -default -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: That may pull trust accounts too, I don't have trusts set up on my home domain to check.

    If multiple domain forest

    adfind -h dcname -default -f "&(objectcategory=person)(samaccountname=*)" -dn

or

    adfind -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)" -dn

    NOTE: Same note.

    If you do get trusts as well, you need to filter them out and at 1:53AM the thing I think you would do is add a (!samaccountname=*$) which really sucks because !'s kill search time.

The first single domain query yanked my 2034 userids in my home domain in about 5 seconds. That is with a PIII-930 with 512 MB running about 10 normal apps (one is VPC 5.2 with a Windows Server 2003 Enterprise guest fired up and allocated 64MB RAM) against my W2K DC which is PII-450 w/ 128MB RAM.


  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 24, 2003 6:35 PM
To: [EMAIL PROTECTED]

Michael -

1) Yes, this is one way.  Just discussed this topic on the list, with code samples, so check the archives.  Setting the user to disabled and then applying the complex password is valid.
2) Not there directly  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, October 24, 2003 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

It's a great book.

Two questions: 1) did you gurus here on activedir come to the conclusion that, due to password complexity, a user should be created disabled? Does that affect any recipes other than 6.1, 6.2, and 6.3? 2) I think you should add one of the simplest and (in my opinion) the most common AD query as a recipe: how to find all the users in a domain.


From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Thanks for all of the positive feedback about the book.  I give the credit to my all-star cast of reviewers :-)

My main goal was to produce a reference that would help AD admins get their job done quicker and easier.  There is just too much stuff AD admins have to remember and that's why I thought the O'Reilly cookbook format would work especially well in this case.

If you have the book (or even if you don't), be sure to check out the following web site, which has all of the code in the book and any corrections: http://www.rallenhome.com/books/adcookbook/code.html

Keep the feedback coming

Regards,
Robbie Allen


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:51 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Cookbook

Agreed - I got mine yesterday from Amazon and I must say that this should be on the shelf of every AD administrator. Period.

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456


"Lou Vega" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/24/2003 10:37 AM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] Active Directory Cookbook

Received my very own copy of Mr. Robbie Allen's "Tuna" book last night from Amazon.com - in the first night's reading the book is already proving its worth as I see how to do certain things much simpler than I had done them before (with regards to the VBScripts included), as well as learn new things I didn't realize could be done (in bot

RE: [ActiveDir] You guys amaze me!

2003-10-25 Thread Rick Kingslan
OK - here's a GOOD topic.  Joe, can you explain some of the ins and outs
of your password reset system (without, obviously - revealing sensitive
issues) and how it works (again - same caveat applies).

I'm most interested in how you approached and solved the security issues in
how to absolutely and uniquely identify a user.  Clearly, the implications
are huge.  If everyone is subject to such a system, can it be used as a DoS
tool, if not - how did you mitigate?  Naturally, with a password policy in
place the easiest way to DoS anyone is to just attempt to login with a bogus
password until it locks the account.  Obviously, many of us are getting more
script aware, and this sounds like a cool application we all could use.

The reason that I ask is two-fold:

1.  Sounds like a perfect conversation topic now that we've beat the shit
out of Exchange
2.  I'm self-serving and tried to do this only to get shot down by our Sec
Director

Reasons why it got shot down are valid, but will come out during the
discussion, so I won't taint it up front.

What say you, Mr. Richards?  Are you game?  Or, just gamey?  ;p

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] You guys amaze me!

Right up front, the domain rename scares me. Everyone seems to say, yeah it
is there but 

Before I answer anything else though, what kind of data do you have in AD?
Is it the basic NOS stuff or have you deployed Exchange or other AD aware
apps that have populated it? My guess is you aren't doing a lot with AD yet
so most likely following option two doesn't lose much if any information
that you can't export off into LDIFs and reimport after you are back to W2K
DC's.

Pay isn't bad. However, in relative terms you are probably doing better. 100
users per admin versus our ratio of something like 83000 users per admin and
I would be lucky to be making 5x-10x what you make let alone 830x. On the
flip side though, you probably haven't put a provisioning system and auto
password reset system into place - yet. :op

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, October 23, 2003 10:06 AM
To: [EMAIL PROTECTED]

I'm serious.

Here is a question for you.  As always, if you could offer any info, I would
be very grateful.  We're a small shop with only 2 Admins managing 200 users
in 4 states and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it.  You
have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed
mode.  You could move the NT DC to 2K, then move everyone to W2K3, then
raise the Forest functionality level and then play Russian Roulette with
Rendom.  That's one option.  Or could it be as simple as DCPromoing all 3
W2K3 servers down to Standalone servers, allowing the NT4 DC which still
controls the pre-W2K subdomain name to take full control of the domain
again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO
and renaming the domain to what you want?  I would love to believe I could
do it and get away with it.

Thank you people.

PS:  I don't envy you Joe.  I hope you're being paid well!

RH

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

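Rick's point above is that once a lockout policy exists, anyone who can submit bad passwords can lock an account; the defender's side of that is watching the lockout events themselves. The following is an added example (not code from the thread) in Python: a pass over constructed Security-log records that separates one caller machine locking many different accounts inside a short window from one user repeatedly locking only their own account. The pipe-separated record layout, the thresholds and the sample entries are all assumptions made here.

```python
"""Spot account-lockout bursts in Security-log records (added example, not from the thread)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Lockout events: 644 "User Account Locked Out" on Windows 2000/2003, 4740 on later versions.
LOCKOUT_EVENT_IDS = {"644", "4740"}
WINDOW = timedelta(minutes=10)
DISTINCT_ACCOUNTS = 3     # one caller machine locking this many accounts inside WINDOW
REPEAT_COUNT = 3          # the same account locked this many times in the whole sample


@dataclass(frozen=True)
class Lockout:
    when: datetime
    account: str          # Target Account Name
    caller: str           # Caller Machine Name: where the bad passwords were submitted from


def parse_records(lines: Iterable[str]) -> List[Lockout]:
    """Parse constructed 'time | event id | account | caller machine' lines; keep lockouts only."""
    records: List[Lockout] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, account, caller = (field.strip() for field in line.split("|"))
        if event_id not in LOCKOUT_EVENT_IDS:
            continue
        records.append(Lockout(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                               account.upper(), caller.upper()))
    return sorted(records, key=lambda r: r.when)


def lockout_bursts(records: List[Lockout]) -> Dict[str, List[str]]:
    """Caller machines that locked DISTINCT_ACCOUNTS or more different accounts within WINDOW.

    One source locking many accounts is the deliberate-lockout pattern described above;
    a user locking only themselves from their own machine never trips this check."""
    recent: Dict[str, Deque[Lockout]] = defaultdict(deque)
    flagged: Dict[str, set] = {}
    for rec in records:                          # records are time-ordered
        window = recent[rec.caller]
        window.append(rec)
        while rec.when - window[0].when > WINDOW:  # drop entries older than WINDOW
            window.popleft()
        accounts = {r.account for r in window}
        if len(accounts) >= DISTINCT_ACCOUNTS:
            flagged.setdefault(rec.caller, set()).update(accounts)
    return {caller: sorted(accts) for caller, accts in flagged.items()}


def repeat_lockouts(records: List[Lockout]) -> Dict[str, int]:
    """Accounts locked REPEAT_COUNT or more times: the single-victim case worth a phone call."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records:
        counts[rec.account] += 1
    return {acct: n for acct, n in counts.items() if n >= REPEAT_COUNT}


# Constructed sample: jsmith keeps locking himself out from his own workstation (stale
# saved credentials), while LAB-BOX7 locks four different accounts in under four minutes.
# The 528 line (a logon event) shows that non-lockout events are ignored.
SAMPLE_LOG = """\
# time                | id  | account | caller machine
2003-10-25 08:40:10 | 644 | jsmith  | WKS-JSMITH
2003-10-25 08:41:05 | 528 | jsmith  | WKS-JSMITH
2003-10-25 09:00:01 | 644 | adams   | LAB-BOX7
2003-10-25 09:01:12 | 644 | baker   | LAB-BOX7
2003-10-25 09:02:30 | 644 | clark   | LAB-BOX7
2003-10-25 09:03:45 | 644 | davis   | LAB-BOX7
2003-10-25 09:15:00 | 644 | jsmith  | WKS-JSMITH
2003-10-25 10:30:00 | 644 | jsmith  | WKS-JSMITH
2003-10-25 11:00:00 | 644 | evans   | WKS-EVANS
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    for caller, accts in lockout_bursts(recs).items():
        print("lockout burst from %s: %s" % (caller, ", ".join(accts)))
    for acct, n in repeat_lockouts(recs).items():
        print("%s locked out %d times" % (acct, n))
```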


RE: [ActiveDir] Silly Question probably....

2003-10-25 Thread Rick Kingslan
"JOEHOME\hosehead"
 
Wow!  Here, I was just kidding, and you did go and create a user for me on
your domain.
 
I'm touched..  Or, is that 'tetched.'
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, October 25, 2003 12:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Silly Question probably


Hmmm I downloaded that and looked at it, I like sidtoname much better
 
F:\Dev\cpp\SidToName>sidtoname S-1-5-21-1275210071-789336058-1957994488-1113
 
SidToName V02.00.00cpp Joe Richards ([EMAIL PROTECTED]) March 2003
 
[User]: JOEHOME\hosehead
 
The command completed successfully.
 

F:\Dev\cpp\SidToName>sidtoname S-1-5-21-1275210071-789336058-1957994488
 
SidToName V02.00.00cpp Joe Richards ([EMAIL PROTECTED]) March 2003
 
[Domain]: JOEHOME
 
The command completed successfully.
 

F:\Dev\cpp\SidToName>
 
 
On the free win32 c++ tools page of www.joeware.net
 
:op
 
  joe




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, October 23, 2003 2:50 PM
To: [EMAIL PROTECTED]


Steve-
Check out Sid2User, written by Euvgenii Rudnyi. You can get it at
http://www.securityfocus.com/tools/544. It will translate a SID to a text
user name.

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Technology Listserves 
Sent: Thu 10/23/2003 2:10 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] Silly Question probably



Gentlemen,

We had a few folders within a specific share just "disappear" earlier this
morning. At first, we thought they had been deleted (since our initial
search came up with no trace of them) and ordered a backup tape with the
files. A few moments ago, we found them...all of them. However, when we
looked at the security properties on the folders and files, we noticed that
a specific CSLID was listed there:

S-1-5-21-7796645487-3596344109-306335-2737-1211

We do all of our permissioning by group assignment, of course, so I'm
guessing this is probably the person or account that moved those files
without knowing it. Is there a way in AD to determine whose CSLID this is?
Or some 3rd-Party tool the group can recommend? I'd also be interested in
any options you might have for preventing this from happening again.

My thanks to the group, in advance.

-Steve
Steven Dunn
Director, Technology Services
Executive Director, Incorporated

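Joe's sidtoname output above shows the two lookups involved: the whole SID resolves to the account, and the SID with its last component removed resolves to the domain. The following is an added example (not sidtoname's code) in Python that performs that split and validates a pasted SID first, which matters for the question: run over the two SIDs quoted in this thread, it rejects the one from the original post, whose second component is larger than a 32-bit sub-authority allows (and which has six sub-authorities where a domain account SID has five), so it cannot be resolved as written. The RID table lists only RIDs fixed by Windows; actual name resolution still needs a live domain.

```python
"""Parse, validate and split Windows SID strings S-R-I-S1-...-Sn (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

SID_MAX_SUB_AUTHORITIES = 15       # limit from the Win32 SID definition
SUB_AUTHORITY_MAX = 0xFFFFFFFF     # every sub-authority is an unsigned 32-bit value
AUTHORITY_MAX = 0xFFFFFFFFFFFF     # the identifier authority is 48 bits
NT_AUTHORITY = 5
DOMAIN_MARKER = 21                 # S-1-5-21-...: a domain (or local machine) SID

# RIDs fixed by Windows for every domain; anything from 1000 upward comes out of the
# RID pool, like the 1113 in the sidtoname output above.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d%s" % (self.revision, self.authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    @property
    def is_domain(self) -> bool:
        """S-1-5-21-A-B-C: the SID of a domain itself (what sidtoname printed as [Domain])."""
        return (self.authority == NT_AUTHORITY and len(self.sub_authorities) == 4
                and self.sub_authorities[0] == DOMAIN_MARKER)

    @property
    def is_domain_account(self) -> bool:
        """S-1-5-21-A-B-C-RID: a user, group or computer issued by a domain."""
        return (self.authority == NT_AUTHORITY and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == DOMAIN_MARKER)

    def split(self) -> Optional[Tuple["Sid", int]]:
        """(domain SID, RID) for a domain account: the two lookups sidtoname did above."""
        if not self.is_domain_account:
            return None
        return Sid(self.revision, self.authority, self.sub_authorities[:-1]), self.sub_authorities[-1]


def parse_sid(text: str) -> Sid:
    """Parse an SDDL SID string, raising ValueError that names the first defect found."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not of the form S-R-I-S...: %r" % text)
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError("non-numeric component in %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority > AUTHORITY_MAX:
        raise ValueError("identifier authority %d exceeds 48 bits" % authority)
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("%d sub-authorities, maximum is %d" % (len(subs), SID_MAX_SUB_AUTHORITIES))
    for s in subs:
        if s > SUB_AUTHORITY_MAX:
            raise ValueError("sub-authority %d does not fit in 32 bits" % s)
    return Sid(revision, authority, subs)


def check_sid(text: str) -> str:
    """One-line verdict for a SID copied out of an ACL, as in the question above."""
    try:
        sid = parse_sid(text)
    except ValueError as err:
        return "INVALID (re-check the transcription): %s" % err
    if sid.is_domain_account:
        domain, rid = sid.split()
        who = WELL_KNOWN_RIDS.get(rid, "RID %d, resolve against domain %s" % (rid, domain))
        return "domain account: %s" % who
    if sid.is_domain:
        return "domain SID: %s" % sid
    return "well-known or non-domain SID: %s" % sid


# The two SIDs quoted in this thread.
JOE_USER_SID = "S-1-5-21-1275210071-789336058-1957994488-1113"
POSTED_SID = "S-1-5-21-7796645487-3596344109-306335-2737-1211"

if __name__ == "__main__":
    for s in (JOE_USER_SID, POSTED_SID,
              "S-1-5-21-1275210071-789336058-1957994488-512", "S-1-5-32-544"):
        print(s, "->", check_sid(s))
```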

RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Rick Kingslan
Todd,

You looking for me to address the getting a sponsor or the auto-responder?
The sponsor is yours, and the auto-responder is Tony.  See?  I just
delegated myself right out of the conversation!

;o)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Saturday, October 25, 2003 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Na, I am not that Bad, it is the guy who keeps auto responding to every
message we send on the list.  He needs a hockey puck; Slapshot style.

Rick!  Care to address the issue?

Thanks,

Toddler  

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook

Todd,

You are s badd

Dan
>  Original Message 
> Subject: RE: [ActiveDir] Active Directory Cookbook
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Date: Fri, October 24, 2003 9:54 pm
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Hey Rob,
> 
>  
> 
> What about this donate a cookbook a month for someone who comes up 
> with a great idea for additions to the next version of the cookbook.
> 
>  
> 
> Basically the submissions have to follow the format of the book, and 
> have to work.
> 
>  
> 
> They would be judged based on the following criteria.
> 
>  
> 
> The topic covered in AD.  1-25 points (Existing topics with a spin get 
> up to
> 12.5 points; new topics getting up to 25 if worthy.)
> 
> The issues identified within the topic 1-25 points.  (Each issue 
> identified gets 2.5 points for existing topics. Max 10)
> 
> The solutions that meet the needs identified for each topic. 1-50 
> points.
> (Each need that gets a solution gets 5 points per solutions. 
> Solutions
> should identify any GUI, CLI, and VB methods for automation.)
> 
>  
> 
> To make things interesting if it takes off,  If one of the vendors 
> (CoughNETPRO, CoughAELITA, Cough.Quest, Cough..BV) was 
> willing to support this contest, it would be really interesting.
> 
>  
> 
> Just an Idea at 1AM...
> 
>  
> 
> Toddler
> 
>  
> 
>  
> 
>  
> 
> -Original Message-
> From: Robbie Allen [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 24, 2003 12:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
>  
> 
> Thanks for all of the positive feedback about the book.  I give the 
> credit to my all-star cast of reviewers :-)
> 
>  
> 
> My main goal was to produce a reference that would help AD admins get 
> their job done quicker and easier.  There is just too much stuff AD 
> admins have to remember and that's why I thought the O'Reilly cookbook 
> format would work especially well in this case.
> 
>  
> 
> If you have the book (or even if you don't), be sure to check out the 
> following web site, which has all of the code in the book and any
> corrections: http://www.rallenhome.com/books/adcookbook/code.html
> 
> 
>  
> 
> Keep the feedback coming
> 
>  
> 
> Regards,
> 
> Robbie Allen
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> 
> Sent: Friday, October 24, 2003 11:51 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Active Directory Cookbook
> 
> 
> Agreed - I got mine yesterday from Amazon and I must say that this 
> should be on the shelf of every AD administrator. Period.
> 
> Michael Parent MCSE MCT
> Analyst I - Web Services
> ITOS - Systems Enablement
> Maritime Life Assurance Company
> (902) 453-7300 x3456
> 
> 
> 
> 
>  
> 
> "Lou Vega" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 
> 10/24/2003 10:37 AM
> Please respond to ActiveDir
> 
> 
> To:<[EMAIL PROTECTED]> 
> cc: 
> Subject:[ActiveDir] Active Directory Cookbook
> 
> 
> 
> 
> Received my very own copy of Mr. Robbie Allen's "Tuna" book last night 
> from Amazon.com - in the first night's reading the book is already 
> proving it's worth as I see how to do certain things much simpler than 
> I had done them before (with regards to the VBScripts included), as 
> well as learn new things I didn't realize could be done (in both AD2K 
> and AD2K3). The book will be very handy as I continue to stand up my 
> development Windows 2003 domain.
>   
> To anyone else on this list who hasn't gotten it yet...it's a 
> worthwhile addition to your Active Directory library.
>   
> To Robbie (and all the others who assisted him!) - thanks for a great 
> resource!
>   
> r/
> Lou
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40

RE: [ActiveDir] auto password reset

2003-10-25 Thread Joe
Auto password reset is a good thing. And I know the vendor we use watches this
list so they may be surprised by what I say. Well not the first part.

We use MTEC PSYNCH. A couple of years ago I would have gone off to no end
about their product and their company and that you needed to stay away from
it and them. My interaction with them was entirely as the Ops guy that had
to be involved because I ran the systems. It was actually our security/DR
group that was bringing the product in. I was very unhappy with
how the vendor thought it had to be done and heard some really stupid things
being said culminating in me writing the unlock (tm) tool which is now one
of my top downloads. It was intended as a P.O.C. to show that yes indeed,
you could delegate the ability to unlock accounts and programmatically
unlock them. Later after they worked through that I had an issue with some
crap about how they thought we needed certs on all the DC's to do password
changes. All told I would say the complaints I raised helped push that
product's launch in our organization at least a year, probably more. I'm not
one for doing it quick if we sacrifice security or supportability. I wasn't
purposely trying to slow it down either, it just took that long for them to
address my points and others brought up at the time.

After they worked through the issues I found we launched it and it was
pretty good. I can't say how the daily support is because I am not involved,
but it uses a low level domain ID with the basic reset password and write
lockoutTime delegations. It has run (from my viewpoint anyway) flawlessly
since then with the one exception around reports it generates to notify
users of pending password changes. We added about 150,000 contacts to one of
the domains and that blew up these report generator tools due to timeout
issues. I was actually able to reproduce the blowup exactly using ADFIND by
looking at the network trace and seeing the query they used. I gave info on
how to set the timeout values so that wouldn't occur and wrote some q-n-d
script or something for the security group so they could continue sending
the notes while MTEC straightened it all out. I believe they eventually did
but don't know for sure as I never had to work on it again.

As for password complexity, they do have password filters that can be
installed on the domain controllers so you can control complexity rules to a
very high degree. We don't use them ourselves but may someday, I was a
little concerned about the scalability of it because it required the DC
making a call back to a central server to verify passwords when someone
tried to change a password through the normal Windows methods which I didn't
like. If you have a few DC's and especially if they centralized that would
probably be an excellent thing as I believe it was extremely configurable. 

The password web site is nice, you can log in with your old windows
password, you can log in with a Q&A profile, you can log in with a securid
authentication. Once in you can change any/all of your passwords that the
system maintains for you including Unix, Mainframe, Windows, etc. You just
check some boxes on what passwords you want synced up. You can also force it
to only let you in with a specific type of authentication. For instance a
normal user ID  that needs to be reset can use all of the above methods, but
if someone wanted to reset one of their delegated admin ID's (we use
separate admin and user ID's for obvious security reasons) they can only log
on via securid as we want strong authentication for that. 

I would definitely recommend looking at this product if you are looking to
purchase something. From what I have seen they have been very responsive to
requests and questions as well which is always a good thing. 

OTOH, If you have developers, you could probably produce a system yourself
as well though you would have to balance out the features you want, what the
dev guys figure it would cost, and what this product would cost you. If you
have ops guys who can code and you have more time than money, you could have
them do it as it would be a fun project to do in "spare time" when they
aren't doing something else. Just make sure it is secure in the end. :op


 joe
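As an added illustration of the delegation model joe describes (a service ID holding only Reset Password and write access to lockoutTime, with unlock done by clearing lockoutTime), here is PowerShell/ADSI example code; it is not joe's unlock tool nor anything from the PSYNCH product, and the EXAMPLE domain, the OU=Staff path, the svc-pwreset account, the jdoe user and the dsacls grant syntax as written are assumptions/placeholders.

```powershell
# Added example: least-privilege delegation for an unlock / password-reset tool,
# modelled on the "reset password + write lockoutTime" rights described above.
# EXAMPLE\svc-pwreset, the OU path and the sample user are placeholders.

# --- One-time delegation (run as a domain admin; assumed dsacls syntax) -----
# Grant ONLY the rights the tool needs, inherited to user objects under the OU.
#   RPWP = read/write property, CA = control access (extended right)
# dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\svc-pwreset:RPWP;lockoutTime;user"
# dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\svc-pwreset:CA;Reset Password;user"
# Optional, only if the tool should also force a change at next logon:
# dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\svc-pwreset:RPWP;pwdLastSet;user"

function Get-LockoutState {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # lockoutTime is a 64-bit FILETIME (UTC); 0 or absent means not locked out.
    $raw   = $user.Properties["lockoutTime"].Value
    $ticks = if ($null -eq $raw) { 0 } else { $user.ConvertLargeIntegerToInt64($raw) }
    [pscustomobject]@{
        User        = $user.Properties["sAMAccountName"].Value
        IsLocked    = ($ticks -gt 0)
        LockedSince = if ($ticks -gt 0) { [DateTime]::FromFileTimeUtc($ticks) } else { $null }
    }
}

function Unlock-AdsiAccount {
    # Clearing lockoutTime is the programmatic unlock; it needs write access
    # to that single attribute, not full control of the user object.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $user.Put("lockoutTime", 0)
    $user.SetInfo()
}

function Reset-AdsiPassword {
    # Reset Password is an extended right distinct from Change Password: it does
    # not require the old password, so keep the set of holders small.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$MustChangeAtNextLogon
    )
    $user  = [ADSI]"LDAP://$DistinguishedName"
    $plain = [System.Net.NetworkCredential]::new("", $NewPassword).Password
    $user.SetPassword($plain)
    if ($MustChangeAtNextLogon) {
        # Requires the optional pwdLastSet write grant above.
        $user.Put("pwdLastSet", 0)
    }
    $user.SetInfo()
}

# Example session (placeholder DN):
# $dn = "CN=jdoe,OU=Staff,DC=example,DC=com"
# Get-LockoutState $dn
# Unlock-AdsiAccount $dn
# Reset-AdsiPassword $dn (Read-Host -AsSecureString "New password") -MustChangeAtNextLogon
```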


 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, October 25, 2003 8:06 AM
To: [EMAIL PROTECTED]

Hi All,
Since Joe mentioned those magic words "auto password reset", I wonder
what kind of recommendations are out there.  This was an idea I presented 6
months ago to management and was abruptly shot down.  Now it has come back
up again as maybe a worthwhile tool.  I'd like to hear your experiences with
this type of software, cost, installation effort, how well it hooks into
complex password settings, etc.  Thanks!
 
Mike Thommes

RE: [ActiveDir] OT? - You guys rock

2003-10-25 Thread Rick Kingslan
Sadly, it doesn't look as though the t-shirt is being offered any longer.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Thursday, October 23, 2003 4:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT? - You guys rock

Sure,

Small, medium or Large.

Also BTW.  Go on over to Aelita's website and click around.  They have a
promo to get a t-shirt that says "Master of My Active Directory".  It is
really cool.  My whole team got them today.

Todd Myrick

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock


So, you are saying he gets a Puck?
>  Original Message 
> Subject: RE: [ActiveDir] OT? - You guys rock
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Date: Thu, October 23, 2003 11:07 am
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> 
> Check is in the mail Yusuf.  :P
>  
> Thanks for the kind words, I appreciate it.  Especially being compared 
> to Joe, Rick, Robbie and Gil.
>  
> Todd Myrick
> -Original Message-
> From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 23, 2003 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT? - You guys rock
> 
> 
> I agree Al that the contributions from the likes of Joe, Rick, Robbie,
> Todd, Gil ... and (that's the rest of the folks I haven't mentioned) have
> all been well appreciated.
>  
> And over these past years you guys have been my inspiration and thus 
> wanting to excel myself all of the time
>  
> Presently I am at the age of 24 with only a handful of years of 
> experience and I have learnt so much and so much more to learn from 
> all of you.
>  
> With me being located at the edge of Africa I am hoping at one time I 
> would have the opportunity to rub shoulders with you guys sometime or 
> the other.
>  
> Thanks again guys
>  
>  
> yusuf 


RE: [ActiveDir] OT? - You guys rock

2003-10-25 Thread Rick Kingslan
Wow - am I late on getting to the mail this week

Yusuf - Thank You.  You put me with lofty company.  I just hope to meet some
of these guys face to face soon, too.  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Thursday, October 23, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd,
Gil ... and (that's the rest of the folks I haven't mentioned) have all been
well appreciated.

And over these past years you guys have been my inspiration and thus wanting
to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience
and I have learnt so much and so much more to learn from all of you.

With me being located at the edge of Africa I am hoping at one time I would
have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf


RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

2003-10-25 Thread Myrick, Todd (NIH/CIT)
I am currently working on a project to deploy Windows 2003 PKI.  

I will do my best to post to my BLOG things I take away from the planning
"or lack thereof", implementation, and operations to show you how we are
going about establishing PKI infrastructure, and integrating both Microsoft
technology and third-party technology.

The biggest low hanging fruit Microsoft deployed their PKI for recently was
to support both VPN, and Wireless access to their networks.

Many people get hung up on trying to deploy PKI for E-mail, or Web sites and
get bogged down in organization politics.  It is pretty easy to do.

Windows 2003 PKI has a couple pretty good features that address the chronic
problems associated with PKI deployments for user certificates, and also
address some of the acute problems associated with certificates for
potential clients of PKI infrastructure.

Specifically:  

Identity Management

Auto-enrollment is now a feature of the OS, not Exchange.

Root CA's can now be Bridge for Bridge CA's so it is easier to create
relationships with outside entities and not have to rely on costly solutions
from the major vendors to give end users certs for signing and encryption.

There is still work to be done when it comes to presenting the path and
location the user is at within the organization.

I believe by default Microsoft will put on the certificates the location
within the AD to find the PKI credentials Public keys.  This works well for
internal operations of PKI, but Extranet, and Intranet use of the
credentials should not expose the organizational structure IMHO, and the
directory should be pretty flat.  IE xyz.com  Not
CN=userID,OU=AD,DC=xyz,DC=gov.  More like = CN=UPN,DC=xyz,DC=gov.  I have
not done that much research yet to determine the best way to accomplish
that.

Wireless & VPN improvements

Provisioning PKI credentials for hosts that don't support or participate in
AD natively has been a challenge.  Remember when I fired up Robbie at DEC.
That is because there is a need for better wireless security, and the
vendors are all trying to be innovative and come up with their own solution
to the problem and write RFC's etc, instead of just working together and
realizing that this solution is nothing more than strategic, and will not be
a revenue generator except to sell existing products.  I believe Cisco and
Microsoft have been working together to make integration between CISCO
hardware and AD much better.  I would like to believe it is because I told
Robbie I was unhappy.  Hehe

Robbie, maybe you can fill in the list on what some of the initiatives are
at play in CISCO related to Windows 2003 PKI.

Delta CRLs.  This is a very important development because CRLs could take
time to publish throughout the organization if it spanned multiple time
zones.  When you want to stop someone from accessing your network once you
revoke their credentials, DCRL is the way to do it by software.  I am sure
there are hardware solutions.

Hardware Improvements

I also believe the API's and the OS have better support for Security
hardware.  I would love to be able to use memory stick technology to keep my
certs off my user profile, or better yet, export my user profile, and My
Documents to a USB device or smart media.

More to come.

Todd Myrick

 

  

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 25, 2003 2:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

Certificate Services didn't make it into the AD Cookbook, but will in a
future book.  As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003.  There were quite a few
enhancements to Cert Services in 2003.  Here are a few links you may want to
take a look at (links may wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp


http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp


Robbie Allen
http://www.rallenhome.com/


> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 24, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
> 
> Thanks.  I can see I will have some reading to do this weekend.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > From: [EMAIL PROTECTED]
> > Date: Fri, October 24, 2003 12:57 pm
> > To: [EMAIL PROTECTED]
> > 
> > While not a cookbook per se, I have found this link useful in my
> > understanding of PKI:
> > http://tinyurl.com/s8y1
> >  
> > HTH
> >  
> >  
> > Sincerely,
> > 
> > Dèjì Akómöláfé, MCSE MCSA MCP+I
> > www.akomolafe.com
> > www.iyaburo.com
> > Do you now realize that Toda

RE: [ActiveDir] Active Directory Cookbook

2003-10-25 Thread Myrick, Todd (NIH/CIT)
How about T-shirts or something nice then. It worked for David Cutler getting
out Windows NT.  Read the book Showstopper if you can find it.

You could have levels.  "Burger Flipper", "Fry Cook", "Cook", "Chef",
"Master Chef", then retirement to the Hall of Fame.

The point is to have fun, and give something for people to want to attain,
just like in the book "Showstopper".

Thanks,

Todd Myrick

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 1:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

And what have you been drinking at 1am?? :-)  Good thought, but my guess is
that people who offer good suggestions probably already have a copy of the
book (since they know what's in there and what isn't).  FWIW, I would be
happy to mention in the acknowledgements section anyone who suggests a recipe
I include in the next edition.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 25, 2003 12:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Cookbook

Hey Rob,

What about this: donate a cookbook a month for someone who comes up with a
great idea for additions to the next version of the cookbook.

Basically the submissions have to follow the format of the book, and have to
work.

They would be judged based on the following criteria.

The topic covered in AD.  1-25 points (Existing topics with a spin get up to
12.5 points; new topics getting up to 25 if worthy.)

The issues identified within the topic 1-25 points.  (Each issue identified
gets 2.5 points for existing topics. Max 10)

The solutions that meet the needs identified for each topic. 1-50 points.
(Each need that gets a solution gets 5 points per solution.  Solutions should
identify any GUI, CLI, and VB methods for automation.)

To make things interesting if it takes off, if one of the vendors
(Cough..NETPRO, Cough..AELITA, Cough..Quest, Cough..BV) was willing to
support this contest, it would be really interesting.

Just an Idea at 1AM...

Toddler


[ActiveDir] auto password reset

2003-10-25 Thread Thommes, Michael M.
Hi All,
Since Joe mentioned those magic words "auto password reset", I wonder what kind of 
recommendations are out there.  This was an idea I presented 6 months ago to 
management and was abruptly shot down.  Now it has come back up again as maybe a 
worthwhile tool.  I'd like to hear your experiences with this type of software, cost, 
installation effort, how well it hooks into complex password settings, etc.  Thanks!
 
Mike Thommes


RE: [ActiveDir] Domains in a Forest

2003-10-25 Thread Joe
That is simply a new tree in your forest, pretty basic. It doesn't have to be
disjoint (neither netbios to AD name nor AD domain name to machine domain
suffix).

If you want true admin level security boundaries though, you are talking
separate forests.

My running recommendation for AD is you have one set of Admins for all
domains. No such thing as splitting up a forest securely among admins for
different domains.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Friday, October 24, 2003 1:25 PM
To: [EMAIL PROTECTED]

Let's say I have a domain called DomainA.com and now my organization is
talking with another organization who would like to have DomainB.com.
Management at both organizations would like "pretty seamless" access to each
other's resources while maintaining their own identities...i.e, DomainB does
not want to be DomainB.DomainA.com.

My first thoughts are to have a forest with both domains in it (Forest
containing DomainA.com and DomainB.com)...but how easy/hard is that to
implement when DomainA.com already exists and you need to create/add
DomainB.com to the forest?

I'm stepping into new territory here and would appreciate any suggestions,
comments etc. concerning this. I'm researching this on the web and I know from
past discussions on this list that I'm bound to learn something new here! If
you need more info, let me know.

r/
Lou


RE: [ActiveDir] One computer is fine, one has "can't find domain controller" errors

2003-10-25 Thread Joe
LOL. Keep NetMon handy... 

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Thursday, October 23, 2003 8:58 AM
To: [EMAIL PROTECTED]

Joe wrote:
> This is the perfect case of when to break out a network monitor and 
> watch the traffic. Do what it is you are trying to do and see what the 
> network is doing.

Well.  As a final followup to this, I can't reproduce the problem at all any
more.  The computer that was doing it is not any longer, it now behaves
exactly like the one right next to it.  I can't detect anything out of the
ordinary with any of the tools anyone suggested to me.

Unless someone has a better guess, I'm going to assume that there was some
transient network or hardware glitch (gremlins?  solar flares?  The Hand of
Fate?) that is now gone.

Thanks to everyone who responded with assistance.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
> Sent: Saturday, October 18, 2003 2:05 PM
> To: [EMAIL PROTECTED]
> 
> Hello all,
> 
> I posted earlier concerning Windows XP machines not allowing any 
> scripts to run and presenting no clue as to why.
> 
> After additional discussion with other techs, as well as multiple 
> searches on the 'net, we decided to completely reinstall the two 
> machines.  This solved the IE problem.
> 
> However, we are getting error messages on 1 machine, but not on the other.
> 
> The one machine claims it can not contact the domain server. (which is 
> ridiculous because it's mounting shared drives from it, and those 
> shares function properly)  Event ID 5719.
> 
> These two machines are identical in every way.  Same hardware.  Same 
> software and versions of software.  Plugged in side by side to the 
> same switch.
> 
> The ONLY difference we can imagine, is that the one with the problem 
> was configured for a workgroup during install, and then joined to the 
> domain afterwards (just the tech clicking without thinking) while the 
> one that works was joined to the domain during the initial install.
> 
> I'm putting this out for two reasons: 1 -> to see if anyone has any 
> insight as to what's happening. 2 -> to have this information made 
> public, so if others come across it they can see they're not alone.
> 
> Perhaps someone with some time and a lab available could test to see 
> if the problem I describe is, in fact, caused by the install process 
> described, or if it's just coincidence.
> 
> Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
