RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
Hello all,

I managed to solve the following problem: "The system can not log you on due to the following error: No mapping between account names and security IDs was done. Please try again or consult your system administrator." It's simply because I haven't added the user to the list of users for the computer (",) I can now authenticate using Kerberos Realm.

Thanks to all who have replied to my mail,

- lara -

Lara Adianto [EMAIL PROTECTED] wrote:

Thanks to Brent and Arden who have given me some insights, though I'm not fully successful yet, but I can see a progress...

Apparently, my biggest problem was the DNS server setup. I managed to come over the problem (phiughh). Now, the problem is when a client wants to login with the domain set to Kerberos Realm (I use Heimdal):

username: lara
password: password
domain: MY_KERBEROS_REALM.COM (Kerberos Realm)

the following windows login message pops up:

The system can not log you on due to the following error: No mapping between account names and security IDs was done. Please try again or consult your system administrator.

With reference from the following resources:
- http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
- http://www.pdc.kth.se/heimdal/heimdal.html (there's one section about how to configure windows 2000 to use a Heimdal KDC)

I have done the following steps:

On W2K Server:
1. Create a domain W2K_DOMAIN_REALM in my W2K server
2. Add Inter-realm keys for W2K_DOMAIN_REALM (Domain Tree Management Tool -- W2K_DOMAIN_REALM -- Trusts tab -- add MY_KERBEROS_REALM.COM on both directions)
3. Create a user lara, and create account mappings to [EMAIL PROTECTED]
4. Use Ksetup to add kdc:
C:\> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
5. Use Netdom.exe to make it transitive (I'm not sure whether this is needed actually)

On KDC (Linux machine):
1. Create a host principal in the kerberos realm
shell% kadmin -l -r MY_KERBEROS_REALM.COM
kadmin> ank -p password host/myhost.my_kerberos_realm.com
(I'm not sure what's the purpose of creating this host principal, bec the client seems to search for server: host/[EMAIL PROTECTED] for the authentication)
2. Add Inter-realm keys:
kadmin> add krbtgt/[EMAIL PROTECTED]
kadmin> add krbtgt/[EMAIL PROTECTED]
3. Add [EMAIL PROTECTED]
4. Kinit [EMAIL PROTECTED]
5. Add host/CLIENT_MACHINE_NAME (If not, the client authentication failed, with the following error being logged: KDC_ERR_S_PRINCIPAL_UNKNOWN, for server: host/CLIENT_MACHINE_NAME)

On W2K Client machine:
1. Use ksetup:
C:\> ksetup /setdomain MY_KERBEROS_REALM.COM
C:\> ksetup /addkdc MY_KERBEROS_REALM.COM kerberos.my_kerberos_realm.com
C:\> ksetup /setmachpassword password
C:\> ksetup /mapuser [EMAIL PROTECTED] lara

And I have rebooted the client machine every time I make changes.

What else can I miss? Did I do the right things?

I will really appreciate if someone can give a brief explanation how the authentication of W2K client using MIT/Heimdal Kerberos KDC works. It seems to me that it's the client who contacts the Kerberos Realm for authentication and not the W2K server... Is this the right way to go? But if that's the way then when will the account mapping for kerberos realm created in AD be used in this authentication process? What's the purpose of having the trusted relationship between W2K and Kerberos Realm? Why does my client contact the host/[EMAIL PROTECTED] for authentication?

Hope somebody can help me,
Lara

--- Arden Pineda <[EMAIL PROTECTED]> wrote:

Do you have the RealmFlags value set for the Kerberos domain on windows machines (DCs, member machines)? I believe the ksetup utility does not have the option to set the realmflags setting, but I could be wrong. You need this setting, aside from the KpasswdNames and KdcNames, especially for non-MIT kerberos. In our environment, we have it set to 8.

For more details, consult the regentry.chm file included in the Windows 2000 Resource Kit. I have included the list of Kerberos registry entries that you need below.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\EXAMPLE.COM]
Key: RealmFlags
Type: DWORD
Value: 8
Key: KPasswdNames
Type: MULTI_SZ
Value: yourkpasswdserver.example.com
Key: KdcNames
Type: MULTI_SZ
Value: yourkdc.example.com yourkdc2.example.com

We used a custom adm to deploy these settings to all our machines. I hope this helps.

Regards,
Arden

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, March 23, 2004 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

http://www.vintela.com/products/vas/ does the job for you.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 23, 2004 9:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

Hmmm, sorry no experience with heimdal... did you follow
RE: [ActiveDir] _Msdcs.domain.com Zone Creation
Hi Nathan,

I prefer to use this method: install a clean 2000 machine, and afterwards run dcpromo without DNS.

Thanks,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Thursday, 25 March 2004 22:11
To: [EMAIL PROTECTED]
Subject: [ActiveDir] _Msdcs.domain.com Zone Creation

I am setting up a lab to test AD migration and have a question about _Msdcs.domain.com Zone Creation.

dcpromo with DNS configured first:
Installed DNS and forward lookup zone (domain.gov). Server points to itself as primary DNS server and registered itself in the domain.gov zone. I then ran dcpromo. Dcpromo saw that DNS was already configured and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was not created.

Dcpromo without DNS configured first:
Server points to itself as primary DNS. DNS is not configured. I ran dcpromo. Dcpromo saw that DNS was not already configured and offered to install it for me, which I chose to do. I set up domain.gov and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was also created.

Why does the _Msdcs.domain.gov zone not get created when dcpromo is run with DNS already configured? How can I create the _Msdcs.domain.gov zone? What is the best method for configuring DNS on the first DC in the forest root domain? Configure DNS, then run dcpromo? Or let the dcpromo process configure DNS?

Thank you
Nathan
RE: [ActiveDir] Possibly OT: Certificate Hierarchies and AD
Sorry, one other thing. If you created a standalone root CA, what did you expect to have happen in regards to publishing in Active Directory? Have you seen this as part of your research?

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssch_pki_zmrm.asp

-----Original Message-----
From: Barber, Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 8:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Certificate Hierarchies and AD

Sorry if this is slightly off topic, but documentation seems sparse out there.

A little background. I have an Active Directory with both Windows 2000 and Windows 2003 DCs. We are attempting to build a Certificate Hierarchy that will provide certificates to Active Directory users (for Exchange Digital Signatures, S/MIME, etc.) and also for outside users for web servers.

Questions:

We have read from Microsoft literature that you should create a Standalone Root CA, so that you can take it offline (i.e. not connected to the network) and store it safely. If this is the case, will a subordinate Enterprise CA automatically publish to the Active Directory? We have set up our current test this way, and don't see any changes to Active Directory. Also, the subordinate Enterprise CA seems to have Policies that are the basic (standalone) policies, and the policies do not have the publish to Active Directory options.

As an alternative, could we establish an Enterprise Root CA, allow it to publish to Active Directory, then turn it off? Would this be considered an offline Enterprise Root CA? Is this even possible?

Why is it that everyone out there who supposedly has information on CAs always installs an Enterprise Root CA? If you need to keep it online, isn't this a security risk?

If we install an Enterprise Root CA, can we put a subordinate Enterprise CA under it, then allow both internal and external users to obtain certificates from that server? Or would I have to install a subordinate stand-alone server as well?

Any clarification would be appreciated. Thanks!
-Tom

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Internet Explorer Connection Proxy Settings GPO I ssue
Enforced (GPMC) set to no for the domain level GPO, and other settings in that same domain level GPO get overridden by the OU policy.

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 9:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue

Do you have the no override option on your default domain policy? I believe this wins in almost all cases.

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: Internet Explorer Connection Proxy Settings GPO Issue

I have set up a GPO for IE proxy settings at my domain level in a GPO I use for "suggested" policies that I can later override with OU specific policies. I am now trying to apply a GPO setting for IE proxies on an OU with a different proxy setting than the default domain, among other settings. I have enabled loopback mode (merge) on this GPO, and all other settings that should be overridden for the computer and user settings are. I have tried Preference mode and enabling Computer \ Administrative Templates \ Internet Explorer \ Make proxy settings per computer, but the domain GPO still wins in application of this setting.

Any ideas? What am I missing?

David Frost
Directory Engineering, Messaging, Directories and PKI Engineering Services
Industry Canada
[ActiveDir] Anyone ever convert dnsRecord attribute?
Help,

We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunately the computer name is saved in an octetstring format attribute called dnsRecord. Look up a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=DomainName container and you will see what I am talking about.

Has anyone ever written a function to convert this octetstring to something that is readable?

Thanks
Yves St-Cyr
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Why do you want to enumerate via LDAP? Why not via DNS?
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Hi Al,

Can you elaborate how I can export the entire zone via DNS?

Thanks
Yves
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
You mean like a zone transfer? DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx (note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after.

Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to. I'd opt for the script, but that's me.

Al
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
You could always use the following command depending on your purpose:

dnscmd ServerName /enumrecords ZoneName @

Regards,
Aric Bernard
Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
i don't think you're missing anything. i've seen this same behavior with a policy i had set for software restrictions at the domain level. it had blank proxy settings, and it was overriding the proxy settings i had set at the users level, and blanking out the proxy settings we had been using. it almost behaves like it's some security setting that is the boss. luckily, with our ou structure, i was able to just turn off the user settings on that domain level policy. pretty unexpected behavior though.

i would guess that being as you're using a loopback though, that you don't have users and machines separated into ou's as we do? you might just try it on replace mode, and see if that works. that's a pretty strong setting for a policy.

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 03/26/2004 08:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to a txt file (4+ objects) so I can parse it using Excel.

I actually found the article you mention but I have to install the WMI provider on the DC. I am hoping to avoid this if I can. That's why I am hoping to use LDAP with some sort of OctetString converter.

Y
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
As Al mentioned, why not convert the zone to Std. Primary and take a copy of the zone files that are written to disk. Then revert it back to ADI. I have done this before without incident to supply our BIND unix servers copies (or pieces) of our zone files. I have done this in the past for stale PTR records as well.

Regards,
Dave
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
In that case, as the other poster mentioned, DNS.cmd might be a better way.

Al
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
David,

I am sure it will work but my DNS has over 45000+ objects and it is running on a production network. It scares me a little to do that.

Y
[ActiveDir] Domain VS Local
Does anyone know how to set an account expiration date on a local system account like you can with a domain account?

Thanks,
Mike
[ActiveDir] permissions to only disable an AD user account
I hope there is an easy answer to the following question: I would like to delegate authority to a group to be able to disable user accounts down in an OU. But I don't want to have to also give them the ability to create/delete user accounts. I've looked around the Delegation Wizard custom tasks, but really don't find anything to do this single purpose action. Anybody have an answer? Thanks! Mike Thommes
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Interesting problem. What specifically do you need out of the octet string, just the host name? Anyone have a map of what exactly is in the octet string or what data should be in it even if you don't know the format? I would assume probably serial number and some other info? It isn't in MSDN that I see.

dn:DC=0,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com
dnsRecord: 0B00 0C00 05F0 0200 0E10 0901 0762 6F62 7465 7374 00

dn:DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com
dnsRecord: 0C00 0C00 05F0 0300 0E10 0A01 0862 6F62 7465 7374 3200

From this it appears that the hostname starts at about the 13th dword. So above would be 0A01 0862 6F62 7465 7374 3200 and 0A01 0862 6F62 7465 7374 3200 for the names, which would resolve into bobtest and bobtest2. This could be done fairly painlessly with perl I think...

As for Al's question about why enumerate via LDAP? Because it's there baby, that is the beauty of using LDAP. If you aren't going to do LDAP queries, might as well be using a SQL Server or flat file or something.

Let me see what I can do with this. I just put the Disturbed CD in, feeling like doing some hacking.

BTW, if you didn't go to the Directory Experts Conference, you missed a good time. NetPro did a good job and there was a lot of good discussions. Plus some of the stuff Stuart was talking about was pretty darn cool.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

David, I am sure it will work but my DNS has over 45000+ objects and it is running on a production network. It scares me a little to do that. Y

From: Chianese, David P.
Sent: Fri 26/03/2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

As Al mentioned, why not convert the zone to Std. Primary and take a copy of the zone files that are written to disk. Then revert it back to ADI. I have done this before without incident to supply our BIND unix servers copies (or pieces) of our zone files. I have done this in the past for stale PTR records as well. Regards, Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to a txt (4+ objects) file so I can parse using Excel. I actually found the article you mention but I have to install the WMI provider on the DC. I am hoping to avoid this if I can. That's why I am hoping to use LDAP with some sort of OctetString converter. Y

From: Mulnick, Al
Sent: Fri 26/03/2004 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

You mean like a zone transfer? DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx (note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after. Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to. I'd opt for the script, but that's me. Al

From: AD [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Hi Al, Can you elaborate how I can export the entire zone via DNS? Thanks Yves

From: Mulnick, Al
Sent: Fri 26/03/2004 11:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Why do you want to enumerate via LDAP? Why not via DNS?

From: AD [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone ever convert dnsRecord attribute?

Help, We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunately the computer name is saved in an octet string format attribute called dnsRecord. Look up a record in the "DC=xx.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=DomainName" container and you will see what I am talking about. Has anyone ever written a function to convert this octet string to something that is readable? Thanks Yves St-Cyr
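The layout joe is probing above (where the host name sits inside the octet string) is the DnsRecord structure Microsoft later documented in the MS-DNSP open specification: a fixed 24-byte header (DataLength, Type, Version, Rank, Flags, Serial, TtlSeconds, Reserved, TimeStamp) followed by type-specific data, where a PTR target is a count-name (Length, LabelCount, then length-prefixed labels ending in a zero byte). A fixed offset into the hex only works for single-label targets; walking the labels also handles names like host.domain.com. The Python below is an added example written for this page, not code from joe, Yves or the list, and the records and DNs it decodes are constructed inline (the 20.10.169.in-addr.arpa zone and joehome.com domain are borrowed from the dump above purely as illustration). For the defender: this is the same decoding that later tooling such as adidnsdump performs when an authenticated domain user enumerates AD-integrated DNS over LDAP instead of via zone transfer, so the read access on these containers is part of your reconnaissance surface.

```python
import struct

# wType values (MS-DNSP) this example decodes
DNS_TYPE_A = 0x0001
DNS_TYPE_PTR = 0x000C

# 24-byte fixed header of a dnsRecord value (MS-DNSP DnsRecord), little-endian:
# DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TtlSeconds(4)
# Reserved(4) TimeStamp(4), then DataLength bytes of type-specific data.
_HEADER = struct.Struct("<HHBBHIIII")


def parse_count_name(data, offset=0):
    """Decode a DNS_COUNT_NAME: Length(1) LabelCount(1), then length-prefixed
    labels ending with a zero byte. Returns the dotted name."""
    label_count = data[offset + 1]
    pos = offset + 2
    labels = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    if len(labels) != label_count:
        raise ValueError("LabelCount %d but found %d labels" % (label_count, len(labels)))
    return ".".join(labels)


def parse_dns_record(blob):
    """Parse one raw dnsRecord value into a dict; A and PTR data are decoded,
    other types keep their raw data bytes under 'data'."""
    if len(blob) < _HEADER.size:
        raise ValueError("record shorter than the 24-byte header")
    (data_len, rtype, version, rank, flags,
     serial, ttl, _reserved, timestamp) = _HEADER.unpack_from(blob, 0)
    data = blob[_HEADER.size:_HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError("record data truncated")
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_A:
        rec["data"] = ".".join(str(b) for b in data[:4])
    elif rtype == DNS_TYPE_PTR:
        rec["data"] = parse_count_name(data)
    else:
        rec["data"] = data
    return rec


def parse_hex_dump(hexdump):
    """Parse the space-grouped hex that adfind prints ('0B00 0C00 ...')."""
    return parse_dns_record(bytes.fromhex(hexdump.replace(" ", "")))


def ptr_node_to_ip(dn):
    """Map a dnsNode DN in an in-addr.arpa zone to its IPv4 address.
    DC=1,DC=20.10.169.in-addr.arpa,... -> 169.10.20.1. Zone labels are stored
    reversed, and in /16 or /8 zones the node label holds several octets
    (DC=5.1 under 16.10.in-addr.arpa is 10.16.1.5), so all labels are reversed."""
    dcs = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    node, zone = dcs[0], dcs[1]
    suffix = ".in-addr.arpa"
    if not zone.lower().endswith(suffix):
        raise ValueError("not a reverse zone: " + zone)
    labels = node.split(".") + zone[:-len(suffix)].split(".")
    if len(labels) != 4:
        raise ValueError("cannot form an IPv4 address from " + dn)
    return ".".join(reversed(labels))


def build_record(rtype, data, ttl=3600, serial=1):
    """Build a dnsRecord blob (Version 5, Rank 0xF0 = RANK_ZONE); used here
    only to construct offline sample input."""
    return _HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial, ttl, 0, 0) + data


def build_ptr_record(name, **kw):
    """Encode a PTR target as a DNS_COUNT_NAME inside a record header."""
    labels = name.split(".")
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return build_record(DNS_TYPE_PTR, bytes([len(raw), len(labels)]) + raw, **kw)


def decode_node(dn, records):
    """Return (ip, [decoded values]) for one dnsNode: the ip;name shape of
    joe's output, with the octets in address order."""
    return ptr_node_to_ip(dn), [parse_dns_record(r)["data"] for r in records]


# Constructed sample, not taken from a real directory: host 1 in the
# 20.10.169.in-addr.arpa zone with a single-label PTR, a multi-label PTR
# (which a fixed hex offset would mangle) and an A record.
SAMPLE_DN = "DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com"
SAMPLE_RECORDS = [
    build_ptr_record("bobtest2"),
    build_ptr_record("bobtest2.joehome.com"),
    build_record(DNS_TYPE_A, bytes([169, 10, 20, 1])),
]

if __name__ == "__main__":
    ip, values = decode_node(SAMPLE_DN, SAMPLE_RECORDS)
    for v in values:
        print("%s;%s" % (ip, v))
    h = SAMPLE_RECORDS[0].hex()
    print(parse_hex_dump(" ".join(h[i:i + 4] for i in range(0, len(h), 4))))
```

To use this against a real directory, search (objectCategory=dnsNode) one level under each in-addr.arpa zone container, read every value of the multi-valued dnsRecord attribute (one value per record) and pass the DN and values to decode_node. On Windows 2003 and later the zone containers may sit in the DomainDnsZones or ForestDnsZones application partitions rather than under CN=System.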
[ActiveDir] Reboot behavior with SUS on DC's
Hi, I recently sent a post with regards to creating a separate GPO for DCs to utilize SUS and Windows Updates. So far everything looks and works the way I want it to. The only thing I am trying to figure out is if there is a way to auto download and schedule the install but not reboot the system (there seems to be only one GPO setting for controlling reboot behavior while logged on) but not when the system is idle or left at the login prompt. My only fear with this behavior is what happens if there is a failed reboot or the system hangs or whatever; I would like to be able to control when the DC is rebooted either remotely or by a local administrator (and there's that, the org. operates in a centralized model with distributed administration including offices overseas), so a hung reboot may mean 8am in Germany but 1 or 2 am in the Central Time Zone. Your help is much appreciated. Thanks,

_
Get tax tips, tools and access to IRS forms all in one place at MSN Money! http://moneycentral.msn.com/tax/home.asp

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Yep, I'm looking for the hostname. The hostname is not stored in a separate attribute that I can see. You definitely found the right attribute. Is that funky or what? I agree with you, LDAP all the way baby. Can a non perl person understand the perl code and convert it to VBScript easily? I'm a vbscript person myself. I was at the conference last year, the one hosted in Ottawa. I believe this year it's in Washington. Has it happened yet? Plenty of good information there for sure. Thanks Yves

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 26, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Ok sorry for the delay, one of my nano marine tanks (5 gallon) had a thermostat crack and blow up and it took out a circuit breaker (electrical device exposed in a tank of water, go figure). I am just hoping everything didn't get zilched out. I know the fish and hermit crabs survived, not so sure about the corals and fan tails.

Anyway, here is a quick and dirty script to do this

#***************************************************************************
#* Anti-DSinAddr.PL
#*=========================================================================
#* Author : Joe Richards ([EMAIL PROTECTED])
#* Version: V01.00.00
#* Modification History:
#*   V01.00.00 2004.03.26 joe Original Version
#*-------------------------------------------------------------------------
#* This script pulls out host names out of an AD integrated reverse dns zone
#*-------------------------------------------------------------------------
#* Notes:
#*
#* This script requires ADFIND to be available to do the queries...
#***************************************************************************

#***************************************************************************
#* Definitions:
#*-------------------------------------------------------------------------
#* $TRUE       : Define True for testing.
#* $FALSE      : Define False for testing.
#* $YES        : Define Yes for testing.
#* $NO         : Define No for testing.
#* $SCRIPTPATH : Path to script.
#***************************************************************************
use strict;
use warnings;

my $TRUE=1;
my $FALSE=0;
my $YES=1;
my $NO=0;
my ($SCRIPTPATH)=($0=~/(^.*)\\.*$/);

#
# Display header
#
print "\nAnti-DSinAddr V01.00.00pl Joe Richards ([EMAIL PROTECTED]) March 2004\n\n";

#
# Pull base and do initial dns zone search (adfind searches the default
# naming context when no base is given on the command line)
#
my $base=shift;
my $baseopt=defined $base ? "-b \"$base\"" : "";
my $cmd="adfind -gc $baseopt -f name=microsoftdns -dn";
my @out=`$cmd 2>nul`;
my @rs=grep(/^dn:/,@out);
chomp @rs;
map {s/^dn://} @rs;

#
# Go find reverse zones
#
print "Locating DNS in-addr arpa zones...\n";
my @zones=();
foreach my $this (sort @rs) {
  print "$this\n";
  $cmd="adfind -gc -b \"$this\" -f * -dn -s one";
  @out=`$cmd 2>nul`;
  my @rs2=grep(/in-addr\.arpa/i,@out);
  chomp @rs2;
  map {s/^dn://} @rs2;
  push @zones,@rs2;
}

#
# Loop through zones and pull info. adfind prints one object as a dn: line,
# one dnsRecord: line per value, then a blank line.
#
foreach my $thiszone (sort @zones) {
  print "Zone: $thiszone\n";
  # Filter reproduced as it appeared in the posted message (a standard LDAP
  # filter would wrap two terms as (&(objectcategory=dnsnode)(...)));
  # check it against adfind before relying on it.
  $cmd="adfind -b \"$thiszone\" -f \"(objectcategory=dnsnode)(dc=0)\" -s one dnsrecord";
  @out=`$cmd 2>nul`;
  chomp @out;
  my $dn="";
  my @records=();
  foreach my $thisline (@out) {
    if ($dn eq "") {
      ($dn)=($thisline=~/^dn:(.+)/);
      $dn="" unless defined $dn;
      next;
    }
    if ($thisline=~/^dnsRecord: (.+)/) {
      push @records,$1;
      next;
    }
    if ($thisline!~/\w/) {
      # blank line ends one object's output
      print DecodeRecord($dn,\@records);
      $dn="";
      @records=();
      next;
    }
  }
}

#***************************************************************************
#* Subs and Functions
#*-------------------------------------------------------------------------

#*-------------------------------------------------------------------------
#* Sub DecodeRecord
#*-------------------------------------------------------------------------
#* Input
#*   Scalar   DN of record
#*   List Ref Reference to list with Hex Data for record
#*
#* Output
#*   List     List of decoded records for that DN (note this can be multiple)
#*-------------------------------------------------------------------------
sub DecodeRecord {
  my $dn=shift;
  my $refrecords=shift;
  my @rs=();
  # DN looks like DC=<host octet>,DC=<c>.<b>.<a>.in-addr.arpa,CN=MicrosoftDNS,...
  # Octets are printed in zone-name order, as in the original output.
  my ($host)=($dn=~/^DC=([^,]+),/);
  my ($zone)=($dn=~/DC=([\d.]+)\.in-addr\.arpa/i);
  $host="" unless defined $host;
  $zone="" unless defined $zone;
  my $hostip="$zone.$host";
  foreach my $thisrecord (@$refrecords) {
    # dnsRecord: 24 byte header, then the PTR data as a count name:
    # Length(1) LabelCount(1) then (len,bytes) labels ending in a 0 byte.
    my @bytes=map {hex($_)} (join("",split(/\s/,$thisrecord))=~/(..)/g);
    my @data=@bytes[26..$#bytes]; # skip header plus the Length/LabelCount bytes
    my @labels=();
    while (@data) {
      my $len=shift @data;
      last unless $len;
      push @labels,join("",map {chr($_)} splice(@data,0,$len));
    }
    push @rs,"$hostip;".join(".",@labels)."\n";
  }
  return @rs;
}

Here is what the output would look like

[Fri 03/26/2004 19:12:59.47]F:\DEV\Perl\Anti-DSinAddr>anti-dsinaddr

Anti-DSinAddr V01.00.00pl Joe Richards ([EMAIL PROTECTED]) March 2004

Locating DNS in-addr arpa zones...
CN=MicrosoftDNS,CN=System,DC=joe,DC=com
Zone: DC=68.69.69.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joe,DC=com
68.69.69.0;workstation0
68.69.69.1;workstation2
Zone: DC=69.69.69.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joe,DC=com
69.69.69.0;server0-a
69.69.69.0;server0
69.69.69.1;server1

[Fri 03/26/2004 19:13:01.23]F:\DEV\Perl\Anti-DSinAddr>

Now this script was only tested in my little home test environment. I do not normally run AD integrated DNS at home and definitely don't do so at work or else I would do a little more testing on it. If it blows up, let me know. Note that the example above shows two host names for 69.69.69.0; this is correct output. I did it on purpose to make sure I would catch that case. The GUI allows that to be configured and obviously since dnsRecord is
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Thanks, Joe. I for one find these things very useful. Maybe not today, maybe not tomorrow, but soon. JJ

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
RE: [ActiveDir] Changing ACLs via VBscript
Hehe. Dead serious. Sometimes you just don't want anyone looking at the code... With a normal perl script you just keep breaking it up into smaller and smaller pieces, eventually it will make sense. If it is in morse code that is a little tougher.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, March 22, 2004 8:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing ACLs via VBscript

"They also have fun stuff for obfuscating your scripts so it is tough for people to read them. I have seen packages that turn your script into piglatin, morse code, semi-random gibberish, and the scripts still run fine."

You're kidding, right? I've seen well versed perl programmers look at code and go "WTF?!?!?!?!" Why would one want to obfuscate that more?

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 10:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

You will like perl... I am a c guy myself. The first time I picked up K&R I sat there going "of course" "of course" "of course" "of course" through the whole book. I had a precursor to that though that made it work so well for me... DEC Macro Assembler on a DEC PDP11 (34 and 84). Little things like the ++ came right straight from commands built into the Macro Assembler and DEC instructions. Actually if I could find my old Macro Asm stuff you would find macros/functions that I had written that made my ASM code very c-like before I actually saw c. Think of perl as c with really good string manipulation. It is actually easier than c and you don't tend to get bitten as easily nor as hard.

And if you want, it isn't too bad to extend perl with c compiled code so if you have that "thing" you just have to do in c, you can do it, and call it from perl. Probably the biggest gripe I have against perl that I liked in c was you ALWAYS have to enclose statement blocks in perl, where in c it was only good form. ;o) I.E. In perl if (some condition) {some action}; in c if (some condition) some action; If you reverse it the biggest gripe I have against c is that perl has AWESOME regular expression functionality. At first REGEX's scare people. Once you get into them you have a hard time doing without. They have some regex libraries for c but I haven't seen one I really liked yet, not as transparent as perl's regex capability. I missed the HASH (Associative Array) as well until I started getting decent with the STL map<string,string>. If you use the STL a lot then you will also like perl. Give it a try, you will be shocked I think. Oh btw, if you really start liking perl, check out the whole activestate site because they have res kits and gui dev environments and tools for compiling perl code to executable, etc. They also have fun stuff for obfuscating your scripts so it is tough for people to read them. I have seen packages that turn your script into piglatin, morse code, semi-random gibberish, and the scripts still run fine.

Anyone know if I can get on a plane with a backpack and a laptop backpack? If so I don't need to check baggage. It is the MVP backpack (smallish) and a Dell laptop backpack.

joe

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 9:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Eh, and I wish everything worked with K&R C. :-) 'Twas my primary language for 15 years, and it's still what I "think" in.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 19, 2004 9:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

See now this is why Microsoft should just install AS Perl by default. I don't want them to buy AS, they can fund them all they want though. I do not want Perl being turned into PerlBasic. I did like Basic at one point... I think that point was 1987 or maybe 1986.

- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs
[ActiveDir] Quick question on ADMT
Does anyone know the size of the agent ADMT puts on the client computer during conversion? Thanks Steve
Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
David, From your description I can't see any problem, but these things are often more complex than you think. Maybe another policy is inadvertently setting it. I have just started marketing a program for interrogating Policy configurations and it should tell you exactly what is going on. Feel free to install it and give it a try. It still may be hard to sort out, so if you still can't figure it out, my program will dump all of your Policy information to a directory; you can send it to me and I will try to interpret it for you.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 1:40 AM
Subject: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue

I have set up a GPO for IE proxy settings at my domain level in a GPO I use for suggested policies that I can later override with OU specific policies. I am now trying to apply a GPO setting for IE proxies on an OU with a different proxy setting than the default domain, among other settings. I have enabled loopback mode (merge) on this GPO, and all other settings that should be overridden for the computer and user settings are. I have tried Preference mode and enabling the Computer \ Administrative Templates \ Internet Explorer "make proxy settings per computer" setting, but the domain GPO still wins in application of this setting. Any ideas? What am I missing?

David Frost
Directory Engineering, Messaging, Directories and PKI Engineering Services
Industry Canada
Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
David, Another thought. Go through the registry key on your target machine and look in \current_user\Software\Microsoft\Windows\CurrentVersion\Group Policy\History. There should be a subkey for IE (I think it is {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}). You will find under that a list of keys, one for each policy applying IE settings. This shows the policies and the order they apply, which may give you a hint. Also, you can get into a mess if you apply policies both via the IE extension and via the ADM extension.

Alan C

- Original Message -
From: SysPro Support [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 1:25 PM
Subject: Re: [ActiveDir] Internet Explorer Connection Proxy Settings GPO Issue
RE: [ActiveDir] _Msdcs.domain.com Zone Creation
Simple answer: It is by design. In Windows 2003, if you already have a DNS zone, the DCPROMO process won't create a _msdcs.domain.com zone. You have to manually create it. To create _msdcs.domain.com after the DCPROMO, create a new forward lookup zone called _msdcs.domain.com and restart the Netlogon service. It will automatically move all of the _msdcs subzone to the newly created _msdcs.domain.com zone, and the _msdcs subzone will become a delegated zone. My recommendation: Create a DNS zone first and make sure everything is ok before doing the DCPROMO. I don't like the fancy DCPROMO+DNS method. Santhosh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Thursday, March 25, 2004 7:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] _Msdcs.domain.com Zone Creation

I am setting up a lab to test AD migration and have a question about _Msdcs.domain.com zone creation.

dcpromo with DNS configured first: installed DNS and forward lookup zone (domain.gov). Server points to itself as primary DNS server and registered itself in the domain.gov zone. I then ran dcpromo. Dcpromo saw that DNS was already configured and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was not created.

Dcpromo without DNS configured first: Server points to itself as primary DNS. DNS is not configured. I ran dcpromo. Dcpromo saw that DNS was not already configured and offered to install it for me, which I chose to do. I set up domain.gov and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was also created.

Why does the _Msdcs.domain.gov zone not install when dcpromo is run with DNS already configured? How can I create the _Msdcs.domain.gov zone? What is the best method for configuring DNS on the first DC in the forest root domain: configure DNS, then run dcpromo, or let the dcpromo process configure DNS?

Thank you
Nathan
RE: [ActiveDir] Domain VS Local
Actually, if you want to set a local user account expiration date, this isn't a policy option, but rather an attribute on the local SAM account. You can set it using a script like this:

Set usr = GetObject("WinNT://machinename/darren")
usr.AccountExpirationDate = "06/06/2005"
usr.SetInfo

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, March 26, 2004 6:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Domain VS Local

I think you can go in to Local Group Policy on the machine and set it. However, if the machine is on the domain, you will need to take steps to ensure the global policy doesn't override it (e.g. make the machine a member of a group and then make the group No Apply for the Domain policy). I haven't tried it, but give it a go. AlanC

- Original Message -
From: Mike Hogenauer
To: [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 8:41 AM
Subject: [ActiveDir] Domain VS Local

Does anyone know how to set an account expiration date on a local system account like you can with a domain account? Thanks, Mike
RE: [ActiveDir] Reboot behavior with SUS on DC's
Hi Devan, Yep there is a way where you can stop the reboot and set it as MANUAL REBOOT. Here you go: In the Windows Update settings in Group Policy, set the 4th option to Enabled. If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer to complete the installation. Cheers, Athif

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 27, 2004 1:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Reboot behavior with SUS on DC's