RE: [ActiveDir] Export of users includes computer accounts.
The reason for the unexpected result from your first search filter is because the object class computer is a sub class of the user object class. So when you search using the objectClass=user filter the search will include any sub-classes of user. If you look at the attributes of a computer object using, for example, LDP, you will see something like this.

    objectClass: top; person; organizationalPerson; user; computer;

The computer object class has some attributes of its own, but also inherits all the attributes from the user object class. This means that you could (if you wanted to) assign, for example, employeeID and telephoneNumber attribute values for a computer object.

Tony

-- Original Message --
From: Mike Newell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 20 Nov 2003 15:34:45 -0800

That did it! Thanks Hunter,

Mike

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 3:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Export of users includes computer accounts.

Change your filter to something like

    "(&(objectClass=user)(objectCategory=person))"

and give it a go.

Hunter

-----Original Message-----
From: Mike Newell [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Export of users includes computer accounts.

Hey all,

I'm looking to export users to import into another forest as contacts. I run the command below to export users from my Windows 2000 AD.

    CSVDE -f contacts.csv -r "(&(objectClass=user))" -l "objectClass,displayName,DN,mailNickname,proxyAddress,targetAddress,mail"

It exports all of the user info but it also includes the Computer accounts in the export. Anyone know why this export command would include Computer accounts? More curious as to what I'm doing wrong more than anything.

Thanks,
Mike.
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
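Tony's explanation and Hunter's filter, worked through as an added example (not code from the thread or from any Microsoft tool): a small Python evaluator for the filter syntax used above, run over three constructed directory entries. The entries, the function names and the shortened objectCategory values are assumptions made for the illustration; it goes one step beyond the thread by including a contact object, which shows why the corrected filter keeps the objectClass=user term.

```python
# Added illustration (not from the thread): a minimal evaluator for the
# LDAP filter subset used above, run over constructed sample entries.

# Constructed entries. objectClass lists the full class chain, as in the LDP
# output Tony quotes. objectCategory is shortened to a display name here
# (an assumption for readability); a real directory stores it as a DN.
_CHAIN = ["top", "person", "organizationalPerson"]
ENTRIES = [
    {"cn": ["Jane Smith"], "objectClass": _CHAIN + ["user"],
     "objectCategory": ["person"]},
    {"cn": ["WKSTN01"], "objectClass": _CHAIN + ["user", "computer"],
     "objectCategory": ["computer"]},
    {"cn": ["Partner Contact"], "objectClass": _CHAIN + ["contact"],
     "objectCategory": ["person"]},
]


def parse_filter(text):
    """Parse '(attr=value)', '(&...)', '(|...)' and '(!...)' into a tree."""
    text = text.strip()
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter at offset %d" % pos)
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for '%s'" % op)
        node = (op, children)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr or not value or "(" in attr + value:
            raise ValueError("malformed item %r" % s[i:end])
        # Equality only; wildcards and range matches are out of scope here.
        node = ("=", attr.strip().lower(), value.strip().lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(entry, node):
    """True if the entry satisfies the parsed filter tree."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, wanted = node
    for name, values in entry.items():
        if name.lower() == attr:
            # Multi-valued attribute: any value equal to the wanted one matches.
            return wanted in (v.lower() for v in values)
    return False


def search(filter_text, entries=ENTRIES):
    """Return the cn of every entry that matches the filter string."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(e, tree)]


if __name__ == "__main__":
    for f in ("(objectClass=user)",
              "(objectCategory=person)",
              "(&(objectClass=user)(objectCategory=person))"):
        print(f, "->", search(f))
```

Run against these entries, objectClass=user returns the computer as well as the person, objectCategory=person alone returns the contact as well, and only the combined filter returns the user account by itself.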
RE: [ActiveDir] Export of users includes computer accounts.
That begs the inevitable question of Why? I'm guessing it is to support the concept of a computer account, but I'd still love to know the official reason.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 3:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export of users includes computer accounts.

The reason for the unexpected result from your first search filter is because the object class computer is a sub class of the user object class. So when you search using the objectClass=user filter the search will include any sub-classes of user. If you look at the attributes of a computer object using, for example, LDP, you will see something like this.

    objectClass: top; person; organizationalPerson; user; computer;

The computer object class has some attributes of its own, but also inherits all the attributes from the user object class. This means that you could (if you wanted to) assign, for example, employeeID and telephoneNumber attribute values for a computer object.

Tony

-- Original Message --
From: Mike Newell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 20 Nov 2003 15:34:45 -0800

That did it! Thanks Hunter,

Mike

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 3:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Export of users includes computer accounts.

Change your filter to something like

    "(&(objectClass=user)(objectCategory=person))"

and give it a go.

Hunter

-----Original Message-----
From: Mike Newell [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Export of users includes computer accounts.

Hey all,

I'm looking to export users to import into another forest as contacts. I run the command below to export users from my Windows 2000 AD.

    CSVDE -f contacts.csv -r "(&(objectClass=user))" -l "objectClass,displayName,DN,mailNickname,proxyAddress,targetAddress,mail"

It exports all of the user info but it also includes the Computer accounts in the export. Anyone know why this export command would include Computer accounts? More curious as to what I'm doing wrong more than anything.

Thanks,
Mike.
[ActiveDir] [slightly OT] scripting add users
I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
[ActiveDir] OT? ADDING CONTACTS
Not sure if this question is off-track or not. I would not think so as it deals with AD attributes. But if it is deemed OT then my apologies to the list!

If you add contacts into AD via CSVDE, you specify certain required attributes and you additionally specify certain attributes that you want populated with specific values and you additionally specify the OU into which the imported contacts will be placed. OK, pretty much straightforward.

If you add a contact manually in a specific OU, AD wants to know the Associated Administrative Group that this contact is associated with. OK, again pretty much straightforward. But wait, that was a different step from the CSVDE import!

My question to the list: What AD attribute is populated by selecting the Associated Administrative Group in the manual method as opposed to the import method?

R/Bill
RE: [ActiveDir] [slightly OT] scripting add users
Rich,

I think there are some easier ways to do this, including a script from MS that reads the data from an Excel file. You could create the Excel file from the csv you already have and go from there. See Clarence Washington's Win32Scripting site at http://cwashington.netreach.net for a number of good examples. Also, Microsoft's own Script Center is a good place to find pre-built scripts: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/Default.asp

mc

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 9:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [slightly OT] scripting add users

I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich
RE: [ActiveDir] [slightly OT] scripting add users
Hi Rich

This is an example script that reads in CSV File Contents and splits each line into an array. Hope it helps

Cheers,
Matty

Example Inputfile.txt content:
--
Old,New
Old1,New1
Old2,New2
Old3,New3
Old4,New4
Old5,New5
Old6,New6

Script:
'--
    Option Explicit

    Const FSORead = 1
    Const FSOWrite = 2
    Const FSoAppend = 8

    Dim scriptpath, fso, inputpath, inputFileContent
    Dim txtstream, txtFileContents, arrtxtFileContents

    'Set the script path
    scriptpath = LEFT(WScript.ScriptFullName, LEN(WScript.ScriptFullName) - LEN(WScript.ScriptName))
    Set fso = CreateObject("Scripting.FileSystemObject")
    inputpath = scriptpath & "inputfile.txt"

    If not fso.FileExists(inputpath) Then
        Wscript.Echo ("Input File doesn't exist " & inputpath)
        'Stop here, otherwise GetFile below fails on the missing file
        WScript.Quit 1
    End If

    'Read the whole file and split it into lines
    set inputFileContent = fso.GetFile(inputpath)
    set txtstream = inputFileContent.OpenAsTextStream(FSORead)
    txtFileContents = txtstream.ReadAll
    txtstream.Close
    arrtxtFileContents = split(txtFileContents, vbcrlf)

    Dim Line, Prop1, Prop2, arrtxtFileLine
    For each line in arrtxtFileContents
        arrtxtFileLine = split(line, ",")
        'A blank or short line gives fewer than two elements; indexing it
        'would raise "Subscript out of range", so skip it
        If UBound(arrtxtFileLine) >= 1 Then
            Prop1 = arrtxtFileLine(0)
            Prop2 = arrtxtFileLine(1)
            Wscript.Echo "Property1: " & Prop1 & " | Property2: " & Prop2
        End If
    Next
    Wscript.Echo "Process Finished!"
'--

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: 21 November 2003 14:23
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [slightly OT] scripting add users

I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich
RE: [ActiveDir] [slightly OT] scripting add users
I'm not sure about your specific problem, but you could simplify things a bit by dropping the second array.

    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.Readline
        Array1 = Split(strNextLine, ",")
        'Call populate users sub
    Loop

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 7:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [slightly OT] scripting add users

I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich
RE: [ActiveDir] OT: Using InstallShield in a Startup Script
Maybe I'm missing something here... but how did you simulate the LocalSystem context accessing the Null Share path to ensure that part was working? If you decide to look at this again, I would suggest looking into that part of it... just drop a few lines to create a text file, with what process it's at:

    Echo creating temp >> path\text.txt
    md c:\temp
    Echo creating v5r2 >> path\text.txt
    md c:\temp\V5R2
    echo copying files blah blah blah...
    copy \\server\iseries\*.* c:\temp\v5r2
    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Thursday, November 20, 2003 4:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Using InstallShield in a Startup Script

I realized I goofed on that when I typed it earlier. I responded back right after that with the corrected line. My batch file does use complete paths. I've given up already and am using psexec to do it instead. Thanks for all the help

Mike

From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Using InstallShield in a Startup Script

I'd agree with your 3) below - the reference to z:\ will fail because you've done nothing to map that drive. As douglas said, you need to use full paths -

    c:\temp\v5r2\setup -s -f1\\server\iseries\v5r2.iss -f2c:\v5r2.log -SMS

or

    c:\temp\v5r2\setup -s -f1c:\temp\v5r2.iss -f2c:\v5r2.log -SMS

should work. I think the admin rights is irrelevant here - the startup script is running as local system - but the other thing to look out for is that "domain computers" must have read access to the folder \\server\iseries.

Steve

-----Original Message-----
From: Stefano Tufillaro [mailto:[EMAIL PROTECTED]
Sent: 20 November 2003 13:21
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Using InstallShield in a Startup Script

1) No silent is not equal unattended. Silent means I'm logged my session, is active with my rights, access etc. AND I see anything. Unattended means that never the system ask to me an answer by a click or a prompt or like situation. It's a boolean series unattended but visible unattended and visible visible and attended

2) What admin rights ? Admin domain rights? workstation rights ? RunAs Admin rights ? The logon process not automatically give the right combination immediately and the task where live the logon scripts when will can become 'administrating' ?

3) look at your 4th line. Probably the error is there

    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 11:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Using InstallShield in a Startup Script

I tried this and it does the same thing. I have a script that lists all processes running on the machine and I can see setup.exe in there but it never does anything. I'm starting to think you can't use an InstallShield installer until you are logged in. I can see it copy the files down and the install starts but that's it. Also InstallShield never creates the log file either. Here's an example of the batch file:

    md c:\temp
    md c:\temp\V5R2
    copy \\server\iseries\*.* c:\temp\v5r2
    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

Mike

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Using InstallShield in a Startup Script

If you are able to get to the share, but the script is not executing the .exe, try copying the file from the share to the local machine (in your script) and then running setup.exe. Just make sure to use full paths in all instances
RE: [ActiveDir] [slightly OT] scripting add users
That's what I was doing at first but I kept getting errors like the subscript out of range. I found that error on MSDN and maybe it's related to the fact I have about 8 properties in the sheet but some of them are blank for some records?? I'm trying a couple of things to fix it (like Dim Array2(10)). Is there anything obvious I might be missing on arrays, like does an array in vbscript fill up if you assign values to it too many times, or something like that??

I appreciate the scripts everyone's sending! I know however that there are easier ways to do this, except that for the PlumTree Portal and programs we're writing for it, certain fields have to be formatted in certain ways, there are store accounts and user accounts and they have to be treated differently, passwords have to be generated and logged for reference, and each separate CSV has to be put in its own group. It's good practice, and fun (in a perverse way). I think each day I have been doubling my scripting ability... have made some pretty cool scripts for the password expiration project.

Anyway again thanks for all the help!
Rich

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 8:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [slightly OT] scripting add users

I'm not sure about your specific problem, but you could simplify things a bit by dropping the second array.

    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.Readline
        Array1 = Split(strNextLine, ",")
        'Call populate users sub
    Loop

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 7:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [slightly OT] scripting add users

I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich
RE: [ActiveDir] OT: Using InstallShield in a Startup Script
I did that exact thing to simulate LocalSystem context. I created a batch file that would just create a text file on the remote null share and it works. Also the batch file was able to copy the files from the null share to the machine in the startup script. Thanks for the help though.

Mike

From: marcus [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Using InstallShield in a Startup Script

Maybe I'm missing something here... but how did you simulate the LocalSystem context accessing the Null Share path to ensure that part was working? If you decide to look at this again, I would suggest looking into that part of it... just drop a few lines to create a text file, with what process it's at:

    Echo creating temp >> path\text.txt
    md c:\temp
    Echo creating v5r2 >> path\text.txt
    md c:\temp\V5R2
    echo copying files blah blah blah...
    copy \\server\iseries\*.* c:\temp\v5r2
    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Thursday, November 20, 2003 4:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Using InstallShield in a Startup Script

I realized I goofed on that when I typed it earlier. I responded back right after that with the corrected line. My batch file does use complete paths. I've given up already and am using psexec to do it instead. Thanks for all the help

Mike

From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Using InstallShield in a Startup Script

I'd agree with your 3) below - the reference to z:\ will fail because you've done nothing to map that drive. As douglas said, you need to use full paths -

    c:\temp\v5r2\setup -s -f1\\server\iseries\v5r2.iss -f2c:\v5r2.log -SMS

or

    c:\temp\v5r2\setup -s -f1c:\temp\v5r2.iss -f2c:\v5r2.log -SMS

should work. I think the admin rights is irrelevant here - the startup script is running as local system - but the other thing to look out for is that "domain computers" must have read access to the folder \\server\iseries.

Steve

-----Original Message-----
From: Stefano Tufillaro [mailto:[EMAIL PROTECTED]
Sent: 20 November 2003 13:21
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Using InstallShield in a Startup Script

1) No silent is not equal unattended. Silent means I'm logged my session, is active with my rights, access etc. AND I see anything. Unattended means that never the system ask to me an answer by a click or a prompt or like situation. It's a boolean series unattended but visible unattended and visible visible and attended

2) What admin rights ? Admin domain rights? workstation rights ? RunAs Admin rights ? The logon process not automatically give the right combination immediately and the task where live the logon scripts when will can become 'administrating' ?

3) look at your 4th line. Probably the error is there

    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 11:41 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Using InstallShield in a Startup Script

I tried this and it does the same thing. I have a script that lists all processes running on the machine and I can see setup.exe in there but it never does anything. I'm starting to think you can't use an InstallShield installer until you are logged in. I can see it copy the files down and the install starts but that's it. Also InstallShield never creates the log file either. Here's an example of the batch file:

    md c:\temp
    md c:\temp\V5R2
    copy \\server\iseries\*.* c:\temp\v5r2
    c:\temp\v5r2\setup -s -f1z:\iseriesv5r2.iss -f2c:\v5r2.log -SMS

Mike

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Using InstallShield in a Startup Script

If you are able to get to the share, but the script is not executing the .exe, try copying the file from the share to the local machine (in your script) and then running setup.exe. Just make sure to use full paths in all instances
[ActiveDir] Delegation best practices whitepaper
Looks like the long awaited delegation paper is out.

Best Practices for Delegating Active Directory Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

And the appendices:
http://www.microsoft.com/downloads/details.aspx?familyid=29dbae88-a216-45f9-9739-cb1fb22a0642&displaylang=en
RE: [ActiveDir] [slightly OT] scripting add users
Yes, that's been my experience. However, if you're getting the Subscript out of range error, that's the first thing I would check. -Original Message- From: Rich Milburn [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 8:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [slightly OT] scripting add users Excel should do that automatically right? -Original Message- From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 9:18 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] [slightly OT] scripting add users Make sure that for each line in the sheet, you have the same number of fields even if some of the fields are blank. You might have to massage your input csv file to make sure that's the case. So if you have something like this: John,Doe,Sales,Houston,Texas Jane,Smith,Accounting,Arizona You would want to modify that to John,Doe,Sales,Houston,Texas Jane,Smith,Accounting,,Arizona -Original Message- From: Rich Milburn [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 8:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] [slightly OT] scripting add users That's what I was doing at first but I kept getting errors like the subscript out of range. I found that error on MSDN and maybe it's related to the fact I have about 8 properties in the sheet but some of them are blank for some records?? I'm trying a couple of things to fix it (like Dim Array2(10)). Is there anything obvious I might be missing on arrays, like does an array in vbscript fill up if you assign values to it too many times, or something like that?? I appreciate the scripts everyone's sending! I know however that there are easier ways to do this, except that for the PlumTree Portal and programs we're writing for it, certain fields have to be formatted in certain ways, there are store accounts and user accounts and they have to be treated differently, passwords have to be generated and logged for reference, and each separate CSV has to be put in its own group. 
It's good practice, and fun (in a perverse way). I think each day I have been doubling my scripting ability... have made some pretty cool scripts for the password expiration project. Anyway again thanks for all the help!

Rich

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 8:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [slightly OT] scripting add users

I'm not sure about your specific problem, but you could simplify things a bit by dropping the second array.

    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.ReadLine
        Array1 = Split(strNextLine, ",")
        'Call populate users sub
    Loop

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 7:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [slightly OT] scripting add users

I think this is a basic question but I am really new to scripting... I'm adding users from a csv file and using an array to read the csv split into lines, then splitting each line into another array (split for commas) from the first array. Do I need to do something to the array#2 before I repopulate it with the next line? If this is confusing, this might help

    Array1 = Split(objFile, vbCrLf)
    For n = 1 to Ubound(Array1)
        '*** do something to Array2 here??
        Array2 = Split(Array1(n), ",")
        'Call populate users sub
    Next

The reason I ask is I keep getting weird errors that don't seem to correlate to the data being read in (I was getting these when I was reading in one line at a time into Array2) errors like Subscript out of range, etc - and googling only showed things from ASP pages that didn't apply.

Thanks for any help
Rich

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee.
If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
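An added example, in Python rather than the thread's VBScript and not code from any poster, of checking field counts before indexing into a split row. The column names and the third sample row are assumptions; it also shows why padding a short row on the right is not a safe repair, and covers quoted commas, which a plain Split on "," would miscount.

```python
import csv
import io

# Hypothetical column layout for the five-field rows quoted in the thread.
COLUMNS = ["first", "last", "department", "city", "state"]

# Rows 1-2 are the thread's sample; row 3 is constructed to show a quoted comma.
SAMPLE = (
    "John,Doe,Sales,Houston,Texas\n"
    "Jane,Smith,Accounting,Arizona\n"
    '"Lee, Jr.",Kim,IT,,Ohio\n'
)


def load_rows(text, columns=COLUMNS):
    """Parse CSV text and return (records, rejects).

    A row is accepted only when it has exactly len(columns) fields.
    Short or long rows are rejected with their line number instead of
    being indexed blindly, which is what raises "Subscript out of range"
    in the VBScript version.
    """
    records, rejects = [], []
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        if not fields:                      # skip blank lines
            continue
        if len(fields) != len(columns):
            rejects.append((reader.line_num, len(fields), fields))
            continue
        records.append(dict(zip(columns, (f.strip() for f in fields))))
    return records, rejects


def pad_right(fields, width):
    """Naive repair: append empty fields until the row is wide enough.

    This silences the error but cannot know WHICH field was missing,
    so values may land in the wrong column.
    """
    return list(fields) + [""] * (width - len(fields))


if __name__ == "__main__":
    good, bad = load_rows(SAMPLE)
    for rec in good:
        print("ok     ", rec)
    for line_no, count, fields in bad:
        print(f"reject  line {line_no}: {count} fields, expected {len(COLUMNS)}: {fields}")
        # Show what right-padding would have provisioned for this row.
        print("        padded:", dict(zip(COLUMNS, pad_right(fields, len(COLUMNS)))))
```

For a provisioning job, the rejected lines go back to whoever produced the sheet; the padded form is printed only to show that "Arizona" would have been written to the city column.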
RE: [ActiveDir] OT? ADDING CONTACTS
Tony,

Appreciate the feedback - however, I do not understand the [your comment] use of the standard ADUC vice the Exchange version. Are you saying that the adds [manual and CSVDE] would be different if done on a DC that did not have E2K System Manager loaded? In this case, both the manual and CSV adds were done on the same DC and being as this is a test bed scenario - E2K is also running on the DC. Is there any way that this would affect replication in an exchange mixed mode environment?

R/Bill

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT? ADDING CONTACTS

Bill

The difference is that your manual method uses the Exchange version of Active Directory Users and computers. If you select the option to mail-enable the contact then it adds a whole bunch of attributes to the contact object in AD. Compare the two extracts from LDP below, the first being a mail-enabled contact and the second not.
Dn: CN=Alfred Contact,CN=Users,DC=root,DC=dom
1 cn: Alfred Contact;
1 displayName: Alfred;
1 mail: [EMAIL PROTECTED];
1 givenName: Alfred;
1 instanceType: 0x4 = ( IT_WRITE );
1 legacyExchangeDN: /o=VMEX2003/ou=First Administrative Group/cn=Recipients/cn=AlfredContact;
1 distinguishedName: CN=Alfred Contact,CN=Users,DC=root,DC=dom;
1 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=root,DC=dom;
4 objectClass: top; person; organizationalPerson; contact;
1 objectGUID: f84228a6-7a7d-41de-be42-8877591f1467;
2 proxyAddresses: SMTP:[EMAIL PROTECTED]; X400:c=US;a= ;p=VMEX2003;o=Exchange;s=Contact;g=Alfred;;
1 name: Alfred Contact;
2 showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=VMEX2003,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=root,DC=dom; CN=All Contacts,CN=All Address Lists,CN=Address Lists Container,CN=VMEX2003,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=root,DC=dom;
1 sn: Contact;
1 textEncodedORAddress: c=US;a= ;p=VMEX2003;o=Exchange;s=Contact;g=Alfred;;
1 uSNChanged: 20782;
1 uSNCreated: 20780;
1 whenChanged: 11/21/2003 16:36:17 W. Europe Standard Time W. Europe Daylight Time;
1 whenCreated: 11/21/2003 16:35:40 W. Europe Standard Time W. Europe Daylight Time;
1 internetEncoding: 1310720;
1 mailNickname: AlfredContact;
1 mAPIRecipient: FALSE;
1 targetAddress: SMTP:[EMAIL PROTECTED];
1 msExchALObjectVersion: 21;
1 msExchPoliciesIncluded: {ECEFDA4D-8EEE-4CCF-A8DE-E8E00FAEE60B},{26491CFC-9E50-4857-861B-0CB8DF22B5D7};
---
Dn: CN=Bobby Contact,CN=Users,DC=root,DC=dom
1 cn: Bobby Contact;
1 displayName: Bobby;
1 givenName: Bobby;
1 instanceType: 0x4 = ( IT_WRITE );
1 distinguishedName: CN=Bobby Contact,CN=Users,DC=root,DC=dom;
1 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=root,DC=dom;
4 objectClass: top; person; organizationalPerson; contact;
1 objectGUID: 71b94639-99f6-44bb-a393-50eeec2f2b93;
1 name: Bobby Contact;
1 sn: Contact;
1 uSNChanged: 20786;
1 uSNCreated: 20786;
1 whenChanged: 11/21/2003 16:38:57 W. Europe Standard Time W. Europe Daylight Time;
1 whenCreated: 11/21/2003 16:38:57 W. Europe Standard Time W. Europe Daylight Time;
---

If you use the standard version of ADUC (dsa.msc) you won't populate all the Exchange-related content.

Tony

-----Original Message-----
From: Brown, Bill [contractor] [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 21 Nov 2003 09:34:24 -0500

Not sure if this question is off-track or not. I would not think so as it deals with AD attributes. But if it is deemed OT - then my apologies to the list!

If you add contacts into AD via CSVDE, you specify certain required attributes and you additionally specify certain attributes that you want populated with specific values and you additionally specify the OU into which the imported contacts will be placed - OK, pretty much straight forward.

If you add a contact manually in a specific OU - AD wants to know the Associated Administrative Group that this contact is associated with - OK, again pretty much straight forward. But wait, that was a different step from the CSVDE import!
My question to the list - What AD attribute is populated by selecting the Associated Administrative Group in the manual method as opposed to the import method?

R/Bill
RE: [ActiveDir] Delegation best practices whitepaper
Hunter,

Thanks for the heads-up. I guarantee this paper is going to spur more discussion than anything that has come out in recent months. This is GREAT stuff! Enjoy, all!

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 9:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation best practices whitepaper

Looks like the long awaited delegation paper is out.

Best Practices for Delegating Active Directory Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

And the appendices:
http://www.microsoft.com/downloads/details.aspx?familyid=29dbae88-a216-45f9-9739-cb1fb22a0642&displaylang=en
RE: [ActiveDir] Delegation best practices whitepaper
Thanks, Hunter. I just got them. Be aware that the Best Practices whitepaper is 206 pages and the Appendix (with all the task/permissions tables) is 223 pages. (Printer is still smokin'.) Guess I know what I will be doing this weekend!

Mike Thommes

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 9:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegation best practices whitepaper

Looks like the long awaited delegation paper is out.

Best Practices for Delegating Active Directory Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

And the appendices:
http://www.microsoft.com/downloads/details.aspx?familyid=29dbae88-a216-45f9-9739-cb1fb22a0642&displaylang=en
[ActiveDir] AD Delegation Whitepaper now available on web
Finally - the AD Delegation Whitepaper is available on the web! There are two parts to it - the main whitepaper explaining how delegation really works. And second the really important appendices, which go into the details of which permissions need to be set to which object/attribute to perform a certain task, default permissions etc.

Best Practices for Delegating Active Directory Administration (2.7 MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

Best Practices for Delegating Active Directory Administration Appendices (4.2 MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

A few people on this list have extensively reviewed this paper - and I am sure you'll really like it. Enjoy ;-)

/Guido
RE: [ActiveDir] Managing Sites in Forest with Empty Root
As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.

It's a simple thing for a domain admin to work himself up the tree and become Enterprise Admin - not necessarily what you'd expect, but that's the way it is. MS is finally being public about this - check out the AD Security Whitepaper that was released a while ago. It's best to keep a very small team with EA+DA rights and delegate other tasks on the OU level only.

If you still want to delegate site-administration (even in a single-domain-forest) you'll have to grant numerous permissions on various objects to make this happen - but depending on what you really want to delegate, you may only need a few.

Here is a sample from the upcoming AD Delegation Whitepaper from Microsoft (only 5 more days...):

Task / Permissions Required to Perform Task

Create a Site / Add a Site:
    CC on cn=Sites, cn=Configuration, dc=ForestRootDomain (to create objects of class Site)

Rename a Site:
    WP on the corresponding site object, cn=Site, cn=Sites, cn=Configuration, dc=forestRootDomain to modify the common-name attribute

Specify the location of a Site:
    WP on the corresponding site object, cn=Site, cn=Sites, cn=Configuration, dc=forestRootDomain to modify the Location attribute

Associate a Group Policy with a Site:
    WP on the corresponding site object, cn=Site, cn=Sites, cn=Configuration, dc=forestRootDomain to modify the GP-Link attribute

Modify Site Group Policy Options:
    WP on the corresponding site object, cn=Site, cn=Sites, cn=Configuration, dc=forestRootDomain to modify the GP-Options attribute

Move a Domain Controller between sites:
    WP on the Server object being moved to modify Common-Name attribute
    DC on the object cn=Servers, cn=Current-Site, cn=Sites, cn=Configuration, dc=forestRootDomain (to delete objects of class Server)
    CC on the object cn=Servers, cn=New-Site, cn=Sites, cn=Configuration, dc=forestRootDomain (to create objects of class Server)

/Guido

-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 20. November 2003 20:40
To: 'Ravdal, Stig '; '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

If you want to delegate the rights to manage the stuff handled with AD S&S you need to delegate the "manage replication topology" to the right group. Site management is a task performed at forest level so delegating this right means delegating the rights for the complete forest.

Thinking about it ... you could try to limit the role of creating sites to limited number of users/groups and then give specific admins only the rights to manage these specific objects (i.e. attaching subnets to this site).

However !!! be really conservative with the delegation of this right. Doing the wrong stuff can screw up your complete AD (in all domains within the forest). I personally prefer limiting this task to a very limited amount of people.

Cheers!
John

-----Original Message-----
From: Ravdal, Stig
To: [EMAIL PROTECTED]
Sent: 20-11-2003 18:17
Subject: [ActiveDir] Managing Sites in Forest with Empty Root

Hi all,

I'm a newbie to the forum and I think that this is the right place for this question.

I have setup new forest using an empty forest root (first domain/tree in forest). In the forest I have an operational domain the second domain in the forest (and the first of three such single domain/single trees that will reside in the forest in addition to the empty forest root).

What I would like to do is allow the first operational domain to manage sites & services. I do not want the empty forest root to do any administrative tasks beyond holding the "keys to the kingdom". No users or computers will reside in the empty forest root domain.

How can I delegate the control of the Sites and Services?

Also can I delegate the control of sites and services such that each domain/tree in the forest can do their own site management?

Thanks,
Stig

___
This message contains information that may be privileged or confidential and is the property of the Cap Gemini/Ernst & Young Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or
[ActiveDir] How to move DFS Replica
Help. We have a DFS share that includes a replica pointing to a share on our domain controller. Unfortunately, this share is filling up the C: drive of our domain controller. How do I move this share to another fileserver so I can get it off of the DC? It's all our roaming profile directories. Thanks

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
[ActiveDir] Accounts not being unlocked automatically????
I have my domain level GP set to unlock a locked user account 10 minutes after it has been locked out, but it is not unlocking the account. Any ideas?
RE: [ActiveDir] Accounts not being unlocked automatically????
It won't uncheck the account locked out box, but if you try to logon with the correct password after the 10 minutes is up, it'll let you login, and the box will then be unchecked. I was confused by that as well.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Douglas M. Long
Sent: Friday, November 21, 2003 12:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accounts not being unlocked automatically

I have my domain level GP set to unlock a locked user account 10 minutes after it has been locked out, but it is not unlocking the account. Any ideas
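The behaviour described in this thread can be checked from the directory values themselves. This added example (not from the thread) treats an account as locked only while lockoutTime plus the domain's lockoutDuration lies in the future. It assumes the lockout flag corresponds to a non-zero lockoutTime; the account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# lockoutTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# lockoutDuration is stored on the domain object as a NEGATIVE tick count.
# Assumption: this minimum value is what is stored when the policy is
# "locked until an administrator unlocks".
LOCKED_UNTIL_ADMIN = -(2 ** 63)


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """Convert FILETIME ticks to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def lockout_state(lockout_time, lockout_duration, now):
    """Return (state, unlock_at) for one account.

    not_locked              lockoutTime is 0 or unset
    locked                  still inside the lockout window
    expired_flag_still_set  window is over, but lockoutTime has not been
                            reset yet (no successful logon since)
    """
    if not lockout_time:
        return "not_locked", None
    if lockout_duration == LOCKED_UNTIL_ADMIN:
        return "locked", None
    unlock_at = from_filetime(lockout_time + abs(lockout_duration))
    if now < unlock_at:
        return "locked", unlock_at
    return "expired_flag_still_set", unlock_at


def audit(accounts, lockout_duration, now):
    """Map sAMAccountName -> state for a list of (name, lockoutTime) pairs."""
    return {name: lockout_state(t, lockout_duration, now)[0] for name, t in accounts}


# Constructed sample data: a 10 minute lockout policy, evaluated at 12:39 UTC.
NOW = datetime(2003, 11, 21, 12, 39, tzinfo=timezone.utc)
TEN_MINUTES = -10 * 60 * TICKS_PER_SECOND
ACCOUNTS = [
    ("alice", to_filetime(datetime(2003, 11, 21, 12, 20, tzinfo=timezone.utc))),
    ("bob", to_filetime(datetime(2003, 11, 21, 12, 35, tzinfo=timezone.utc))),
    ("carol", 0),
]

if __name__ == "__main__":
    for name, state in audit(ACCOUNTS, TEN_MINUTES, NOW).items():
        print(f"{name:6} {state}")
```

A report built this way separates accounts that are still locked from those that only look locked, which matters when lockout counts are used as a signal for password guessing.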
RE: [ActiveDir] Managing Sites in Forest with Empty Root
thought you might be interested in this

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 2:06 PM
To: [EMAIL PROTECTED]; 'Ravdal, Stig '
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.

It's a simple thing for a domain admin to work himself up the tree and become Enterprise Admin - not necessarily what you'd expect, but that's the way it is. MS is finally being public about this - check out the AD Security Whitepaper that was released a while ago. It's best to keep a very small team with EA+DA rights and delegate other tasks on the OU level only.

If you still want to delegate site-administration (even in a single-domain-forest) you'll have to grant numerous permissions on various objects to make this happen - but depending on what you really want to delegate, you may only need a few.
[ActiveDir] Memory Dump Error!
On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Memory Dump Error!
Look for the dump file, that would be a good start. Also look through the event logs.

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 2:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Memory Dump Error!

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Memory Dump Error!
I'll make the potentially bad assumption that you don't mean how do I prevent the blue screen, but more the countdown as it dumps the entire contents of memory to a .dmp file. I could make a lot more money for telling you how to prevent the blue screen, given the information that I have in front of me! ;-)

As to the countdown - if you have no intent to make use of a dump file, you can reduce what is saved to a kernel dump or a mini dump or eliminate it completely. On Windows 2000, you would go to My Computer - Properties - Advanced then the Startup and Recovery button. Choose which type of memory dump you want, or choose None to eliminate it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Memory Dump Error!

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
Re: [ActiveDir] Memory Dump Error!
Ok how do I prevent the blue screen :-) ? Also... Where might the dump file be stored?

On Nov 21, 2003, at 11:39 AM, Kingslan, Rick T. wrote:

I'll make the potentially bad assumption that you don't mean how do I prevent the blue screen, but more the countdown as it dumps the entire contents of memory to a .dmp file. I could make a lot more money for telling you how to prevent the blue screen, given the information that I have in front of me! ;-)

As to the countdown - if you have no intent to make use of a dump file, you can reduce what is saved to a kernel dump or a mini dump or eliminate it completely. On Windows 2000, you would go to My Computer - Properties - Advanced then the Startup and Recovery button. Choose which type of memory dump you want, or choose None to eliminate it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Memory Dump Error!

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
Re: [ActiveDir] Memory Dump Error!
Ok better question... I found the MEMORY.DMP file in my system root but how do I open a 255mb file into a text editor? Which text editor should I use?

On Nov 21, 2003, at 11:23 AM, Richard Sumilang wrote:

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Managing Sites in Forest with Empty Root
Hi Guido,

Thanks for the info. I am aware of the security hole so this may really boil down to perception. The client has a requirement that two of their business units operate with greater autonomy - to the point of being able to be spun off entirely should that be the best for business. They frequently acquire new companies and divest smaller organizations and that is what led to the model of a forest of trees (single domains) with an empty forest root (tree/domain).

As far as the EA rights are concerned it may be possible for an admin in any tree in the forest to elevate his/her privileges, but it is somewhat unlikely in this organization - the client's main business unit/company has outsourced all administration to a very large outsourcing company and they have a paper-based procedure for everything - quite bureaucratic really. That is not to say that there couldn't be some disgruntled employee that causes trouble down the road.

Thanks for the response Guido, I'll also look for the whitepapers.

Cheers,
Stig

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 12:06 PM
To: [EMAIL PROTECTED]; Ravdal, Stig
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.

It's a simple thing for a domain admin to work himself up the tree and become Enterprise Admin - not necessarily what you'd expect, but that's the way it is. MS is finally being public about this - check out the AD Security Whitepaper that was released a while ago.
RE: [ActiveDir] Memory Dump Error!
While someone is answering that question below ('cause I don't know how either) can someone say what you look for in a dump file? Is there a reference out there?

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Memory Dump Error!

Ok better question... I found the MEMORY.DMP file in my system root but how do I open a 255mb file into a text editor? Which text editor should I use?

On Nov 21, 2003, at 11:23 AM, Richard Sumilang wrote:

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
[ActiveDir] Mirror OU structure to Test
Hi all,

I have an urgent need to mirror our production OU structure to our Test Platform. Is anyone aware of a script or tool where I can export and import the structure? If so would they share? :)

I think I can write something, but if anyone has a pointer in the right direction to an already existing one, that would help out a lot!

Thanks,
Jef
RE: [ActiveDir] Memory Dump Error!
On Windows 2000, you would go to My Computer - Properties - Advanced * then the Startup and Recovery button. This should show you.

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 3:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Memory Dump Error!

Ok how do I prevent the blue screen :-) ? Also... Where might the dump file be stored?

On Nov 21, 2003, at 11:39 AM, Kingslan, Rick T. wrote:

I'll make the potentially bad assumption that you don't mean how do I prevent the blue screen, but more the countdown as it dumps the entire contents of memory to a .dmp file. I could make a lot more money for telling you how to prevent the blue screen, given the information that I have in front of me! ;-)

As to the countdown - if you have no intent to make use of a dump file, you can reduce what is saved to a kernel dump or a mini dump or eliminate it completely. On Windows 2000, you would go to My Computer - Properties - Advanced then the Startup and Recovery button. Choose which type of memory dump you want, or choose None to eliminate it.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory LAN Administration - Windows 2000 West Corporation [EMAIL PROTECTED]

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Memory Dump Error!

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Memory Dump Error!
I believe there is a Q article that can walk you through it.

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q192/4/63.asp&NoWebContent=1

This will let you find out what type of exception code occurred and then you can do a search on that code and see what you find out.

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Memory Dump Error!

While someone is answering that question below ('cause I don't know how either) can someone say what you look for in a dump file? Is there a reference out there?

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Memory Dump Error!

Ok better question... I found the MEMORY.DMP file in my system root but how do I open a 255mb file into a text editor? Which text editor should I use?

On Nov 21, 2003, at 11:23 AM, Richard Sumilang wrote:

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Mirror OU structure to Test
http://support.microsoft.com/?kbid=237677 has an example of how to do this with LDIFDE. Very easy and fast.

Hunter

-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:32 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] Mirror OU structure to Test

Hi all,

I have an urgent need to mirror our production OU structure to our Test Platform. Is anyone aware of a script or tool where I can export and import the structure? If so would they share? :)

I think I can write something, but if anyone has a pointer in the right direction to an already existing one, that would help out a lot!

Thanks,
Jef
RE: [ActiveDir] Memory Dump Error!
Search the KB for dumpchk; there are some good articles on how to extract the basic info you need from the dmp file (without needing access to the symbol files to do really in-depth debugging).

There was a really good webcast on it a couple years ago by one of the Premier guys, called Basic STOP Error (Blue Screen) Troubleshooting. I don't remember if it was premiere only or not since I just kept a hard copy of the slides, but I've seen copies of the presentation on the web.

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Memory Dump Error!

While someone is answering that question below ('cause I don't know how either) can someone say what you look for in a dump file? Is there a reference out there?

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Memory Dump Error!

Ok better question... I found the MEMORY.DMP file in my system root but how do I open a 255mb file into a text editor? Which text editor should I use?

On Nov 21, 2003, at 11:23 AM, Richard Sumilang wrote:

On my Windows 2k Server for the first time I got a blue screen of death that reported a memory dump error with a countdown. The countdown seemed like it went on forever so I just had to forcefully restart the computer and so far it looks fine however I would like to know what caused that and is there a way to prevent that? Perhaps third party software or something?

Thanks,
Richard S.
RE: [ActiveDir] Mirror OU structure to Test
Hunter,

Awesome! I was just looking at the syntax for LDIFDE too, but this was easy! :)

Jef

Original Message:
From: Coleman, Hunter [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test
Date: Fri, 21 Nov 2003 14:00:43 -0700

http://support.microsoft.com/?kbid=237677 has an example of how to do this with LDIFDE. Very easy and fast.

Hunter

-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:32 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] Mirror OU structure to Test

Hi all,

I have an urgent need to mirror our production OU structure to our Test Platform. Is anyone aware of a script or tool where I can export and import the structure? If so would they share? :)

I think I can write something, but if anyone has a pointer in the right direction to an already existing one, that would help out a lot!

Thanks,
Jef
RE: [ActiveDir] Accounts not being unlocked automatically????
Thank you Russ. I can't believe I didn't even think to try logging on, even though the check was still there. Anyways...thanks again

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Douglas M. Long
Sent: Friday, November 21, 2003 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accounts not being unlocked automatically

I have my domain level GP set to unlock a locked user account 10 minutes after it has been locked out, but it is not unlocking the account. Any ideas
RE: [ActiveDir] Export of users includes computer accounts.
Thanks for the explanation, makes sense now. Well... It makes sense why I was getting the computer accounts in the export anyway.

Thanks again,
Mike.

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 12:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export of users includes computer accounts.

The reason for the unexpected result from your first search filter is because the object class computer is a sub class of the user object class. So when you search using the objectClass=user filter the search will include any sub-classes of user. If you look at the attributes of a computer object using, for example, LDP, you will see something like this.

objectClass: top; person; organizationalPerson; user; computer;

The computer object class has some attributes of its own, but also inherits all the attributes from the user object class. This means that you could (if you wanted to) assign, for example, employeeID and telephoneNumber attribute values for a computer object.

Tony

-- Original Message --
From: Mike Newell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 20 Nov 2003 15:34:45 -0800

That did it! Thanks Hunter,

Mike

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 3:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Export of users includes computer accounts.

Change your filter to something like (&(objectClass=user)(objectCategory=person)) and give it a go.

Hunter

-----Original Message-----
From: Mike Newell [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Export of users includes computer accounts.

Hey all,

I'm looking to export users to import into another forest as contacts. I run the command below to export users from my Windows 2000 AD.

CSVDE -f contacts.csv -r (&(objectClass=user)) -l objectClass,displayName,DN,mailNickname,proxyAddress,targetAddress,mail

It exports all of the user info but it also includes the Computer accounts in the export. Anyone know why this export command would include Computer accounts? More curious as to what I'm doing wrong more than anything.

Thanks,
Mike.
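The class inheritance described in this thread, as an added example that is not part of any post: a small evaluator for the filter operators used above, run over three constructed entries. The entry names and the short-form objectCategory values are assumptions made for the illustration.

```python
# Added illustration: evaluates the LDAP filter subset used in the thread
# (&, |, ! and equality) against constructed directory entries.

def parse_filter(text):
    """Parse an RFC 4515-style filter (subset) into a nested tuple."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if not children:
                raise ValueError(f"'{op}' needs at least one clause")
            result = (op, children)
        elif text[pos] == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)  # raises ValueError if unclosed
            attr, sep, value = text[pos:end].partition("=")
            if not sep or "(" in attr:
                raise ValueError(f"bad clause at offset {pos}")
            result = ("=", attr.strip().lower(), value.strip().lower())
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    try:
        tree = node()
    except IndexError:
        raise ValueError("filter ends unexpectedly") from None
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return tree


def matches(tree, attrs):
    """True when the entry's attributes satisfy the parsed filter."""
    if tree[0] == "&":
        return all(matches(child, attrs) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, attrs) for child in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = next((v for k, v in attrs.items() if k.lower() == attr), [])
    return value in (v.lower() for v in values)


# Constructed sample entries. objectClass lists the whole inheritance chain,
# so a computer also carries "user". objectCategory is shown in the short
# form a filter accepts; the directory stores it as a schema DN.
ENTRIES = {
    "Jane Doe": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["person"]},
    "WKS01$": {
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer"],
        "objectCategory": ["computer"]},
    "Vendor Contact": {
        "objectClass": ["top", "person", "organizationalPerson", "contact"],
        "objectCategory": ["person"]},
}


def search(filter_text):
    """Return the names of the sample entries that match the filter."""
    tree = parse_filter(filter_text)
    return [name for name, attrs in ENTRIES.items() if matches(tree, attrs)]
```

Neither clause is enough alone: objectClass=user also returns the computer, and objectCategory=person also returns the contact.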
RE: [ActiveDir] Accounts not being unlocked automatically????
Check out unlock from www.joeware.net on the free win32 tools page, it will always show you the proper info for accounts as to whether they are locked or not. The issue is that it isn't a simple thing in W2K AD to determine the locked status of an account using LDAP.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, November 21, 2003 5:36 PM
To: [EMAIL PROTECTED]

Thank you Russ. I can't believe I didn't even think to try logging on, even though the check was still there. Anyways...thanks again

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Douglas M. Long
Sent: Friday, November 21, 2003 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accounts not being unlocked automatically

I have my domain level GP set to unlock a locked user account 10 minutes after it has been locked out, but it is not unlocking the account. Any ideas
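Why a lockout indicator can remain set after the lockout has expired, as an added example that is not from any poster and is not how the joeware tool works: it compares a user's lockoutTime with the domain's lockoutDuration, both counted in 100-nanosecond ticks. The timestamps are constructed, the 10-minute duration is the setting mentioned in the thread, and the attribute semantics in the comments are stated from the documented schema, not from this page.

```python
# Added illustration: derive the effective lockout state from two values
# readable over LDAP, instead of trusting the stored timestamp alone.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # FILETIME counts 100 ns ticks
NEVER = -(2 ** 63)              # assumed stored value for "until an admin unlocks"


def to_filetime(moment):
    """Convert an aware datetime to FILETIME ticks since 1601-01-01 UTC."""
    delta = moment - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def duration_from_minutes(minutes):
    """lockoutDuration is stored on the domain object as a negative interval."""
    return -minutes * 60 * TICKS_PER_SECOND


def lockout_state(lockout_time, lockout_duration, now):
    """Classify an account as 'not-locked', 'locked' or 'lockout-expired'.

    lockout_time     user's lockoutTime (0 or None when never locked)
    lockout_duration domain's lockoutDuration (negative ticks, or NEVER)
    now              aware datetime at which the check is made
    """
    if not lockout_time:
        return "not-locked"
    if lockout_duration == NEVER:
        return "locked"
    unlock_at = lockout_time - lockout_duration  # subtracting a negative
    if to_filetime(now) < unlock_at:
        return "locked"
    # The timestamp is still on the account, so a tool that only checks for
    # a non-zero lockoutTime reports it as locked, yet a logon is accepted.
    return "lockout-expired"


# Constructed sample: locked at 18:00 UTC under a 10-minute policy.
LOCKED_AT = datetime(2003, 11, 21, 18, 0, tzinfo=timezone.utc)
TEN_MINUTES = duration_from_minutes(10)


def sample_states():
    """State of the sample account 5 and 15 minutes after the lockout."""
    stamp = to_filetime(LOCKED_AT)
    return [
        lockout_state(stamp, TEN_MINUTES, LOCKED_AT + timedelta(minutes=5)),
        lockout_state(stamp, TEN_MINUTES, LOCKED_AT + timedelta(minutes=15)),
    ]
```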