RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-27 Thread Darren Mar-Elia
Oh get over it Joe. Don't be such a weenie. Live life on the edge and
use security group filtering on GPOs. It's good fun and good for you :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Hey Michael, looks like you got an answer from Darren (though I dislike
processing GPOs based on group memberships). However, would it be ok to
ask WHY you would want to do this? Setting up DCs as one offs is usually
a great way to court a troubleshooting problem that is a pain in the
butt to resolve later. 

  joe 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, March 24, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Related question:
Because of some testing we are doing in a production environment (yes, I
know - ahem, ah try a test environment; can't in this situation), we
would like to override the policy "Microsoft Network Server - digitally
sign communications (always)" that is set in the Default Domain
Controllers policy by using the local Domain Controller policy on a
particular DC.  But it appears not to be "overrideable".  Is this the
expected behavior?  If so, how could we accomplish this?  TIA!

Mike Thommes

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers


Agreed. Not much downside to this as long as you're not putting policies
on these other GPOs that conflict with any set in the DDC policy. Even
in that case, you just have to manage the conflicts. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

It's common practice to add other GPO links to the DC OU.

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers


Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking
other GPO objects to the Domain Controllers OU in addition to the
Default Domain Controllers Policy.

Rationale:

I would like to have a GPO ready that essentially has Windows Update
enabled for deploying approved updates from a central SUS server. When
an update is available, tested and if required, the GPO is linked to the
Domain Controllers OU and available for install depending on each DC's
detection cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are
pushed and importantly, if I would like to retract the updates unlinking
this 'other' GPO is easier and I believe safer than changing
configuration settings on the Default Domain Controllers Policy.

Another nice feature would be that the by unlinking this policy the
update would also be removed from the Windows Update folder on each
client (the

DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DEC Chatter - Was something else...

2004-03-27 Thread Bernard, Aric

Seems that there was a little talk about Longhorn. Was anything said
about an interim version of Windows before Longhorn? i.e. Windows
2005..6..7…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DEC Chatter - Was something else...



 

DEC was indeed cool. I am not under NDA
for it that I am aware of. In fact I would expect Gil would like to hear people
chattering about the conference as it will drive more people to it. And again,
I don't do many conferences but this one is exceptionally good in terms of
anything I have been to. I heard a lot of chattering along the same lines and
that it was especially considerably better than the big MS conferences that
focus on all MS techs instead of just AD. So instead of AD being one topic of
hundreds it is THE topic. And honestly, this deserves to be THE topic. Why? Because
AD is the corner stone of your security if you are using it for your
authentication/authorization.

 

So why specifically was DEC cool? First
and foremost, I met a lot of people in person that I had previously chatted in
email and newsgroups with. That was very nice. Now everyone knows what I look
like and probably wonder how a guy 5' 2" and 105 lbs like me can be so
wicked and opinionated in email yet not utter a peep in person. Some of the
folks I met from this list are Gil Kirkpatrick, Guido "The Killer UG
Pimp", Robbie Allen, Todd Myrick, Hunter Coleman, Stuart Fuller, Alan
Isham and several others. Also got a chance to talk to and more importantly
listen to some of the MS folks such as Stuart Kwan, Paul Rich, Andreas
Luther, Sanjay Tandon, Robert DeLuca, and others. This face to face
chatter is invaluable. 

 

There was one cool session where there
were three teams broken out to solve three AD issues. These were some evil
little issues Gil dreamt up to see if people could work through them. Simple
configuration issues gone bad. I sat and watched Stuart lead a team working on
one of the problems. It was entertaining. I didn't sign up as I didn't think
solving a problem would be that much fun, heck I do that every day at work, why
go to a conference and do it in the evening, especially while drinking... I was
wrong however, it ended up being great fun. Interesting watching different
people troubleshoot issues. 

 

The presentations were generally quite
informative. Alan Isham had a great presentation on object lifetimes. This is a
topic that everyone really needs to start paying attention to. A lot of folks
are finishing up the get your ass into AD stage. Now they need to get AD
cleaned up. It brought up for myself and my manager (who was also there) the
whole idea of really having to have a known defined owner for EVERY object
in AD and if we don't know who it is, it is us. This is not what we liked to
think previously but I think we don't really have a choice in the matter
because the clutter mostly impacts us. 

 

The other Intel presentation (by John
Dunlop I think - don't have my DEC cheat book here with me) was about using
Virtual Server for restoring a forest. It was interesting as it was very close
to what we have been looking at and I have previously discussed here on the
list. Glad to see someone else thinking that way which lends credence to our
thoughts and direction. They had an interesting twist for getting all of the
DCs at all of the sites back up and running quickly via spinning up a backup VS
DC on every machine and then slowly going through rebuilding back to the
original physical setup. Overall there was a considerable amount of talk about
DR and lag/hot sites and data restoration. It seems to be a big topic on
everyone's mind.

 

There was a presentation by the US Army
which basically made me glad I wasn't trying to deploy in that environment. I
thought my environment was big and complex and politically charged and
underfunded... At least my people are mostly not carrying weapons. 

 

There was a presentation by Wook Lee from
HP (the Compaq side originally) which I can only say was... well you had to be
there. Let's just say he wore a faux Forest Ranger hat and had Smokey the Bear
slides and Burma Shave jingles. If that doesn't entice you into wanting to see
his presentation, well you are just not alive I guess. :op   I also
spoke with Wook Sunday night at the reception for an hour or so and that was
also quite entertaining and informative. Wook has seen some issues that I
wouldn't ever want to see. One of the side benefits of fully deploying beta and
RC code is what I would call it. 

 

Guido had a good presentation on forest
trust stuff. Had a couple of DLG vs UG jabs in there for me which I
appreciated. Several folks recognized them as such as well. It is all in good
fun and keeps life interesting. :op He ended up using a joeware tool (sectok)
in one of the slides to illustrate something so that was good too... push the
use of joeware for ef

RE: [ActiveDir] Remote Desktop Issue

2004-03-27 Thread Daniel Gilbert

Nothing appeared in the event logs.  I was able to clear up the problem.
Don't know why this worked but here is what I did:

 

Added the new Enterprise Admin to the
Remote Desktop tab in SYSTEM properties.  Let him log in successfully, had
him log off, removed him from Remote Desktop tab, had him log in again.

 

I know, everyone is saying, “Wait a minute!
If the Remote Desktop tab is empty then Administrators can log in by default” 
Yep, I totally agree.  Don’t understand why this worked but it did.

 

BTW Joe, great write up on DEC.  I
was supposed to attend but we started a big Windows 2003 migration and I happen
to have the last Rubber Chicken Gil ever gave out at a DEC, got it in Ottawa.

 

DAn

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 7:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop Issue

That almost sounds like a disk space or permissions issue... I.E. it is
trying to create the local profile, failing, and blowing the user off.
Anything in the event logs?

 

 joe

-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. Gilbert
Sent: Friday, March 26, 2004 12:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop Issue

No error message.  He gets the logon
prompt, logs on, the screen flashes “applying settings” then the
terminal session screen closes out.

 

Really weird.

 

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Thursday, March 25, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Remote Desktop Issue

What error does he get when trying to connect using a
terminal session?

- Original Message -
From: Gilbert, Daniel L Mr ANOSC/FCBS
To: ActiveDir ([EMAIL PROTECTED])
Sent: Thursday, March 25, 2004 1:58 PM
Subject: [ActiveDir] Remote Desktop Issue
To All:

 

I have a Remote Desktop issue that is driving me nuts.  Servers
are Windows Server 2003.

 

I have a root domain spread across to two different sites, both
physically (East Coast and West Coast) and AD wise (AD East and AD West).

 

My two Enterprise Admins are members of a child domain (Child1) and,
through security group membership, they are placed into the Enterprise Admins
security group in the root domain.

 

This structure has worked fine for the last year.  One of the
Enterprise Admins has moved on to a bigger and better job and I promoted one of
my Senior Admins to become a new Enterprise Admin.

 

Now the fun part begins.

 

The new Enterprise Admin can log on locally to the root DCs in the
physical site West Coast (the bulk of the root is here) from either the
keyboard or via Remote Desktop.

 

The new Enterprise Admin can log on locally to the root DCs in the
physical site East Coast (our COOP site) from the keyboard but he can not log
in via Remote Desktop.

 

I am sure his account has replicated from West Coast to East Coast
because he can log on from the keyboard and I have waited long enough for
replication to occur.

 

I checked the permissions on the RDP connection but it is still at
default.

 

Any ideas where I can go for a clue?  My head is getting squishy
from beating it against the wall.

 

Daniel L. Gilbert, Contractor
Senior Active Directory Specialist
CONUS Theater Network Operations and Security Center (CONUS-TNOSC)
(520) 533-6700 DSN: 821-6700
[EMAIL PROTECTED]

RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Eric Fleischman
Oh, I misunderstood you I think Joe. You mean when you update
msds-someotherattribute it does the userAccountControl for you as well
and vice-versa as well?
If so, yea, only DCs with a writable copy of the NC would need that
change you described as GCs that do not have a writeable copy of the NC
would be read-only anyway. However, we would probably want to add all of
these new attributes to the PAS ..that's a lot of churn if you
haven't gone 2k03 yet.

~Eric


-Original Message-
From: Eric Fleischman 
Sent: Saturday, March 27, 2004 9:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] permissions to only disable an AD user account

You "actually" agree? Ye of little faith! :)

The hotfix and schema update thing you toss in would need to be
forest-wide (of course schema is implicitly, but fix would need to be as
well) as userAccountControl is part of the PAS. It is, IMHO, not a
solution to this problem. Say we need to get rid of this attribute,
sure, but making it constructed isn't the way.

True, 24 hours back is safer, but if you're making the change on a
single dc if you bind to that dc and look at the time on it on RootDSE I
would think you are safe. I'd need to think about that a bit more
though, never thought about all of the caveats here.

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 8:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cool and I actually agree. 

The constructed causes all sorts of issues, breaks all sorts of legacy
code, especially anything that would search. So doing the additional
method type attribs that would update useraccountcontrol on the user's
behalf should be something that could work though obviously it wouldn't
be something you could all of a sudden do on a current DC (2K or K3)
without a handy dandy hotfix and schema update.

One note on the "now" perspective with the DC... That would be now in
one TZ. May be 10 hours off for another. I would still recommend setting
it to now-24 hours at the least.


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, March 27, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

While I (personally, speaking in a position of no power over this) tend
to agree that userAccountControl should be many attributes (IMHO anyway
for Joe's reason as well as others not cited in this thread), the
concept of having it as a constructed attribute (I assume that's what
you mean when you say a "generated attribute"?) wouldn't be elegant
here. Reason is, interop going forward will put you between a rock and a
hard place. You'll drop yourself in to one of two scenarios:
1) You have two dsa's (say w2k and w2k03 rtm) that show a different
userAccountControl for the same user. Reason is that the w2k03 rtm dsa
knows of some additional logic for userAccountControl that reads
ms-DS-NewAttributeInW2K03RTM and takes that in to account whereas w2k
knows nothing of it.
2) It is functional level dependent on the construction logic which is
too bad. I don't like the idea of userAccountControl on CN=SomeUser
being 123 until you change functional level when it changes to 456.
That'll drive people batty.

Also, you can get current time on the DSA off of RootDSE if you want to
set it to "now" from the perspective of the DC.

Finally, if you fire up ADAM you'll find that on ADAM users we have a
new attribute msDS-UserAccountDisabled (among others too:
msds-UserDontExpirePassword, msDS-UserAccountAutoLocked, etc.).
We're getting there..

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cute solution to an MS Generated issue. Yes, MS, you shouldn't have put
everything into useraccountcontrol attribute like that... That should
have been a generated attribute (or something else if you still needed
it there) I think and the real info stuffed into other locations so it
could be delegated properly... Now we have to ask for bit-level
delegation capability which, I doubt, will ever happen... Alternatively
I guess we could ask for some ldap "method type" attributes on objects
that you set and they in the background pop the appropriate bits on the
objects. Say have an attribute called something like
userAccountControlDisable and when that is set to 1 it sets the
appropriate BIT and when it is set to 0 clears the BIT. Think about the
methods to move FSMO roles as to where I am going with that suggestion.

Anyway, yes, this method should work. Note that just like when you disable
an account it will ta

RE: [ActiveDir] DEC Chatter - Was something else...

2004-03-27 Thread David Adner
> 1. Caching Domain Controllers - basically a DC that did 
> 2. Multiple domain hosting from a single DC.

In combination, these would definitely be nice for larger environments that
have multiple Domain's with cutting down on hardware costs.  Although I
suppose individual DC's would need to be a bit beefier, at least there'd be
a decrease in physical space requirements and some efficiencies gained
somewhere.  It would also help for DR type scenarios, too.

> 3. Ability to stop/start Active Directory on the fly as a 
> normal service.

This has always been a big request of mine as having to reboot into a
special mode just to perform certain DS maintenance really annoys me.  Also,
if DNS is installed with AD integrated zones, the DNS server should go into
a caching mode while the DS service is temporarily offline.

> 7. Ability to have multiple password/lockout/complexity 
> policies per domain

A popular request, I'm sure.



RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Eric Fleischman
You "actually" agree? Ye of little faith! :)

The hotfix and schema update thing you toss in would need to be
forest-wide (of course schema is implicitly, but fix would need to be as
well) as userAccountControl is part of the PAS. It is, IMHO, not a
solution to this problem. Say we need to get rid of this attribute,
sure, but making it constructed isn't the way.

True, 24 hours back is safer, but if you're making the change on a
single dc if you bind to that dc and look at the time on it on RootDSE I
would think you are safe. I'd need to think about that a bit more
though, never thought about all of the caveats here.

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 8:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cool and I actually agree. 

The constructed causes all sorts of issues, breaks all sorts of legacy
code, especially anything that would search. So doing the additional
method type attribs that would update useraccountcontrol on the user's
behalf should be something that could work though obviously it wouldn't
be something you could all of a sudden do on a current DC (2K or K3)
without a handy dandy hotfix and schema update.

One note on the "now" perspective with the DC... That would be now in
one TZ. May be 10 hours off for another. I would still recommend setting
it to now-24 hours at the least.


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, March 27, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

While I (personally, speaking in a position of no power over this) tend
to agree that userAccountControl should be many attributes (IMHO anyway
for Joe's reason as well as others not cited in this thread), the
concept of having it as a constructed attribute (I assume that's what
you mean when you say a "generated attribute"?) wouldn't be elegant
here. Reason is, interop going forward will put you between a rock and a
hard place. You'll drop yourself in to one of two scenarios:
1) You have two dsa's (say w2k and w2k03 rtm) that show a different
userAccountControl for the same user. Reason is that the w2k03 rtm dsa
knows of some additional logic for userAccountControl that reads
ms-DS-NewAttributeInW2K03RTM and takes that in to account whereas w2k
knows nothing of it.
2) It is functional level dependent on the construction logic which is
too bad. I don't like the idea of userAccountControl on CN=SomeUser
being 123 until you change functional level when it changes to 456.
That'll drive people batty.

Also, you can get current time on the DSA off of RootDSE if you want to
set it to "now" from the perspective of the DC.

Finally, if you fire up ADAM you'll find that on ADAM users we have a
new attribute msDS-UserAccountDisabled (among others too:
msds-UserDontExpirePassword, msDS-UserAccountAutoLocked, etc.).
We're getting there..

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cute solution to an MS Generated issue. Yes, MS, you shouldn't have put
everything into useraccountcontrol attribute like that... That should
have been a generated attribute (or something else if you still needed
it there) I think and the real info stuffed into other locations so it
could be delegated properly... Now we have to ask for bit-level
delegation capability which, I doubt, will ever happen... Alternatively
I guess we could ask for some ldap "method type" attributes on objects
that you set and they in the background pop the appropriate bits on the
objects. Say have an attribute called something like
userAccountControlDisable and when that is set to 1 it sets the
appropriate BIT and when it is set to 0 clears the BIT. Think about the
methods to move FSMO roles as to where I am going with that suggestion.

Anyway, yes, this method should work. Note that just like when you
disable an account it will take until expiration of the kerberos certs
for it to actually do anything... I.E. If I have a cert to Server A and
you disable or expire me my cert is STILL good until it expires and has
to be renewed... By default those certs last 600 minutes aka 10 hours
(too long IMO). If you are one of those folks who modified cert
expiration times by extending them to crutch UNIX/LINUX kerberos clients
who aren't doing cert renewal as nicely as MS was able to work out well
then you have what I like to call... A security issue.

Now specifically, I haven't tested it either, but I don't think this
script will work with a delegated ID. It is using the WinNT prov
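The two ways of taking an account out of service that this thread argues over, flipping the ACCOUNTDISABLE bit inside userAccountControl (which needs write access to the whole attribute) versus pushing accountExpires into the past (joe's now-24 hours), as an added Python example that is not from the thread or from any joeware tool. The flag values are the documented userAccountControl bits; the account values, clock and the 600-minute ticket lifetime are constructed samples taken from the discussion.

```python
"""Added example (not from the thread): builds the values an LDAP modify
would write for the two approaches discussed, without touching a directory.
Sample inputs are constructed."""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl flag bits. Every one of them lives in the same
# integer, which is why "may disable" cannot be delegated separately from,
# say, "may set password never expires".
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# accountExpires is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def uac_flags(value: int) -> list:
    """Names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def set_account_disabled(value: int, disabled: bool) -> int:
    """Read-modify-write of the ACCOUNTDISABLE bit. Every other bit is carried
    over unchanged: the writer needs write permission on the whole attribute,
    and a bug here would silently flip unrelated flags."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return value | bit if disabled else value & ~bit


def to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a FILETIME integer (integer math only)."""
    if when.tzinfo is None:
        raise ValueError("accountExpires is UTC; pass a timezone-aware datetime")
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_expires_for_disable(now: datetime, margin_hours: int = 24) -> int:
    """The 'expire it instead of disabling it' alternative: an accountExpires
    already in the past. The margin (joe suggests at least 24 hours) covers
    clocks that disagree about what "now" is."""
    return to_filetime(now - timedelta(hours=margin_hours))


def is_expired(account_expires: int, now: datetime) -> bool:
    """How a DC judges the stored value against its own clock."""
    if account_expires in NEVER_EXPIRES:
        return False
    return to_filetime(now) >= account_expires


def disable_effective_by(changed_at: datetime, ticket_minutes: int = 600) -> datetime:
    """Worst case for when either change actually bites: a Kerberos ticket
    already issued stays valid for its lifetime (600 minutes by default, as
    the thread notes), so plan around this time, not the moment of the write."""
    return changed_at + timedelta(minutes=ticket_minutes)


if __name__ == "__main__":
    # Constructed sample: a normal user whose password never expires.
    uac = 0x10200
    now = datetime(2004, 3, 27, 20, 47, tzinfo=timezone.utc)
    print("before:", hex(uac), uac_flags(uac))
    disabled = set_account_disabled(uac, True)
    print("after: ", hex(disabled), uac_flags(disabled))
    exp = account_expires_for_disable(now)
    print("accountExpires:", exp, "expired now?", is_expired(exp, now))
    print("effective no later than:", disable_effective_by(now).isoformat())
```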

RE: [ActiveDir] Server Membership

2004-03-27 Thread Eric Fleischman

Also when you VPN in some VPN clients will kick a pass reset as well. I
forget what the process is (I’m so not a VPN guy) but if memory serves
me correctly it is only those that support an interactive logon. Don’t
quote me on that, and let me know if I should get an official answer.
I’m pretty sure that’s what you need to do though (interactive logon
that is).

 

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 8:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Server Membership

30 days (w2K+) but you can actually go two password change periods and
the machine will be ok so 60 days. NT is 7 days (and 14 days). Outside
of that you can do a reset of the password and the machine will be ok
again. Alternatively you can disable the functionality or change the
frequency but you really shouldn't have to do that.
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted
Sent: Thursday, March 25, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Membership

Does anyone know if a server is taken off the wire, how long before its
machine account is removed or out of synch with the domain?  We
regularly break a mirror of the OS when we do service packs and patches.
A drive may sit on the shelf for a few days before we decide to "roll
back".

Thanks in advance.

-Ted-
RE: [ActiveDir] disaster recovery

2004-03-27 Thread joe
Unfortunately no, no way to test in an isolated way like that without
bringing at least the root with you and probably any other domains.
 
I guess you need to find out how important this is. If it is truly critical
to know this will work in a disaster you need to do one of two things.
 
1. Get the folks with the Enterprise keys involved and do overall testing of
the whole solution.
2. Build your own forest and migrate to it and then set up trusts to the
other forest/domains that are needed.
 
I'm thinking honestly that the second answer is probably the right one
UNLESS the company is trying to collapse to a single IT group in which the
first option would be feasible. 
 
  joe
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, March 27, 2004 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Guido and Joe,
 
First of all, thank you for all your advice and help.
 
You guys are absolutely right, we should have never gotten a domain if they
didn't trust us with Enterprise admin rights over the forest. I assume they
can't shake the Win NT view of domains yet.
However this was a management issue and decision. I just inherited all the
problems and fall out of said issue. I suppose it was a technological
solution to a political problem.
Now I was just trying to figure out if there was any hack to restore a
child domain without root connectivity.
In a real disaster, I'm sure common sense would prevail over politics and we
would all work together, kinda like I imagined IT to be when I first got
into it. Innocent boy that I was
 
In the interim I thought there might be some way to test a recovery without
the root.
Some reg key or dns record to copy over...
 
I guess not.
 
Thank you both again for your help.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 5:33 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Excellent post.
 
I just wanted to jump in and reemphasize that point.
 
Restoring a single domain of a forest in an isolated environment and
expecting it to work is unrealistic. I agree with Guido in that you never
should have been given admin rights into a domain of someone else's forest.
You should have had OU privileges or just had your own forest entirely. 
 
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


>>Ad is supposed to be an enterprise directory where most enterprises span
the globe and have multiple sister corps or corps they've merged with or
acquired. these corps have their own domains and IT depts.<<
 
That's not how AD is supposed to be - that's merely how you'd like to use
it.  Not necessarily the same.  I agree that some companies may implement it
this way especially in the early days of AD, but not after they understood
that not the domain, but the forest is the security boundary.  
 
If you have no good working relationship with your mother corp and they're
not really too fond of you either, they should have never offered you your
own domain. You would have been a perfect candidate for a separate forest.
However, if they still wanted to fully integrate you into their forest
without trusting you to perform service-level operations (i.e. task that
require domain admin privileges), they would have merely required to grant
you management of one or a few OUs.
 
Whether you like it or not, recovery of AD - in case of the disaster you
describe, or in other disasters that go more towards deletion of objects -
is a forest-level task that usually requires enterprise admin privileges.
I am not saying that I don't think it would be nice if this wasn't the
case, but once you learn to treat a domain as an integral part of a forest
that should not be managed by a separate team of administrators, it doesn't
make a difference.
 
/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, March 25, 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


going to AD was something decided by the higher ups to merge my corp and our
sister corp into a seamless whole. The sister corp already had AD in place
and they own the root. our IT depts. don't exactly communicate or relate to
each other very well :)
I'm sure it's like that in a lot of places. before coming here, I was in a
Netware 6.0 environment and feel that directory is much more mature in terms
of configurability and satisfying all the business needs that AD does.
I exaggerated when I said I would move from AD 

RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP

2004-03-27 Thread joe

Hmmm did you do a reply instead of a forward?
 
Did Matt agree with your answers?
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Eyes
Sent: Monday, March 22, 2004 11:50 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP

Matt,
 
See, I got takers.

My answer to 1 is: cross AD domain seamlessly -- cross Kerb domain, no
(furthering our discussion last week).

2: Can I say this behavior is per Microsoft clients -- I guess this is
something vascd would take care of?
 
dme
 
 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sunday, March 21, 2004 1:53 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP
  Hey cool. Actually I believe someone from your company is 
  flying out to chat with some folks at the company I contract for (no need to 
  mention the company as I am not really allowed to) the first week of April. I 
  won't be around as I will be in Redmond that week which sucks as I wanted to 
  see your presentation.
   
  My biggest questions which possibly you can tackle right 
  now are:
   
  1. Does VAS handle cross realm seamlessly? I.E. I have a 
  machine that is in domain D1 and a user in domain D1 and it works fine but 
  then his buddy walks up and needs to log on and do something and tries to log 
  into domain D2. Does it work? Our UNIX Kerberos folks' current setup will not 
  work in that situation.
   
  2. How does VAS handle kerberos ticket expiration, does 
  it autorenew in the background like Microsoft clients do? That is a serious 
  concern as we have machines running jobs that can take 2-3 weeks to complete 
  and obviously if they get a ticket at the beginning, 10 hours later (assuming 
  defaults) the ticket isn't helping them anymore unless they keep renewing and 
  then get new tickets when the ticket can no longer be renewed. 
  
   
   
   
  -
  http://www.joeware.net   (download joeware)
  http://www.cafeshops.com/joewarenet  (wear joeware)
   
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Eyes
  Sent: Saturday, March 20, 2004 11:05 PM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP
  
  Joe,
   
  If you (or others here) are interested in following up with me here at
  Vintela, I would be happy to try and put you in touch directly with some of
  our customers.  Please contact me offline.
   
  David Eyes
  VAS Product Management
  Vintela, Inc.
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 08, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP
Yeah I was looking this over the other 
day...
 
Has anyone been using the VAS product that is described? I would be curious
to hear RW experiences.
 
Our UNIX Kerberos integration folks have been fighting 
with multirealm issues and cert expiration with chatter about possibly 
having us extend the expiration on certs where I would be more inclined to 
shorten the expiration for security reasons [1]. MS really did some good 
things with kerberos in these areas and it seems MIT isn't really looking at 
making their version any more friendly to give similar functionality (auto 
renew, realistic cross-realm) as the MS stuff has built 
in.
 
 
  joe
 
 
 
[1] Like for having tickets get reverified more often 
in case of disabled accounts, etc.
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 03, 2004 3:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP

Incredible timing Jackson.  Thanks for the 
guide!
 
Al


From: Jackson Shaw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Integrating UNIX accounts with AD via Kerberos & LDAP


I thought the list might be interested in the following:

The Microsoft Solutions for UNIX Team has released some new guidance that
will help you integrate UNIX accounts with Active Directory.  This is a new
solution that covers building security and directory solutions for UNIX
using the Windows Server 2003 Active
Direct

RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread joe
Cool and I actually agree. 

The constructed attribute causes all sorts of issues, breaks all sorts of
legacy code, especially anything that would search. So doing the additional
method-type attribs that would update userAccountControl on the user's behalf
should be something that could work, though obviously it wouldn't be
something you could all of a sudden do on a current DC (2K or K3) without a
handy dandy hotfix and schema update.

One note on the "now" perspective with the DC... That would be now in one
TZ. May be 10 hours off for another. I would still recommend setting it to
now-24 hours at the least. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, March 27, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

While I (personally, speaking in a position of no power over this) tend to
agree that userAccountControl should be many attributes (IMHO anyway, for
Joe's reason as well as others not cited in this thread), the concept of
having it as a constructed attribute (I assume that's what you mean when you
say a "generated attribute"?) wouldn't be elegant here. Reason is, interop
going forward will put you between a rock and a hard place. You'll drop
yourself into one of two scenarios:

1) You have two DSAs (say W2K and W2K03 RTM) that show a different
userAccountControl for the same user. Reason is that the W2K03 RTM DSA knows
of some additional logic for userAccountControl that reads
ms-DS-NewAttributeInW2K03RTM and takes that into account, whereas W2K knows
nothing of it.

2) It is functional-level dependent on the construction logic, which is too
bad. I don't like the idea of userAccountControl on CN=SomeUser being 123
until you change functional level, when it changes to 456.
That'll drive people batty.

Also, you can get current time on the DSA off of RootDSE if you want to set
it to "now" from the perspective of the DC.

Finally, if you fire up ADAM you'll find that on ADAM users we have a new
attribute msDS-UserAccountDisabled (among others too: msDS-UserDontExpirePassword,
msDS-UserAccountAutoLocked, etc.).
We're getting there...

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cute solution to an MS-generated issue. Yes, MS, you shouldn't have put
everything into the userAccountControl attribute like that... That should
have been a generated attribute (or something else if you still needed it
there), I think, and the real info stuffed into other locations so it could be
delegated properly... Now we have to ask for bit-level delegation capability
which, I doubt, will ever happen... Alternatively I guess we could ask for
some LDAP "method type" attributes on objects that you set and they in the
background pop the appropriate bits on the objects. Say, have an attribute
called something like userAccountControlDisable, and when that is set to 1 it
sets the appropriate BIT and when it is set to 0 clears the BIT. Think about
the methods to move FSMO roles as to where I am going with that suggestion.

Anyway, yes, this method should work. Note that just like when you disable
an account it will take until expiration of the kerberos certs for it to
actually do anything... I.E. If I have a cert to Server A and you disable or
expire me my cert is STILL good until it expires and has to be renewed... By
default those certs last 600 minutes aka 10 hours (too long IMO). If you are
one of those folks who modified cert expiration times by extending them to
crutch UNIX/LINUX kerberos clients who aren't doing cert renewal as nicely
as MS was able to work out well then you have what I like to call... A
security issue. 

Now specifically, I haven't tested it either, but I don't think this script
will work with a delegated ID. It is using the WinNT provider which knows
less about delegation than the Exchange Dev guys. Almost everything doing
anything in the WinNT provider falls back to some NET API call and they
almost without exception all require some level of builtin permissions to do
changes... Like Account Op, Server Op, Admin, etc.

Recommendation would be to try and change it to the LDAP provider to see if
that works. I would say set the date to some time in the past, say 24 hours
ago or something like that, then you don't have any TZ worries that could
come up with setting the exact current time.

   joe 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 27, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: 
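Joe's point about "now" on the DC versus "now" on the admin's workstation is easy to reproduce in code. The block below is an added example, not code from this thread or from any of its posters, written in Python rather than the ADSI script under discussion. The FILETIME encoding of accountExpires and the userAccountControl flag values are documented Windows constants; the 12:00 UTC instant and the UTC+10 workstation that writes its wall-clock time as though it were UTC are a constructed scenario.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Both of these accountExpires values mean "never expires".
NEVER_EXPIRES = (0, 0x7FFF_FFFF_FFFF_FFFF)

# userAccountControl flag bits referred to in the thread.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000


def to_filetime(dt):
    """Convert a timezone-aware datetime to a FILETIME integer (exact integer math)."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware; a naive 'now' is the TZ trap")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ft):
    """Convert a FILETIME integer back to an aware UTC datetime."""
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def expiry_in_past(observed_now, margin=timedelta(hours=24)):
    """accountExpires value that 'expires the account now', backed off by a safety
    margin so that a clock read in the wrong time zone still lands in the past."""
    return to_filetime(observed_now - margin)


def is_expired(account_expires, reference_now):
    """Would a DC whose clock reads reference_now treat this accountExpires as expired?"""
    if account_expires in NEVER_EXPIRES:
        return False
    return from_filetime(account_expires) <= reference_now.astimezone(timezone.utc)


def is_disabled(uac):
    """ACCOUNTDISABLE is the single bit the thread wants to delegate on its own."""
    return bool(uac & ACCOUNTDISABLE)


def timezone_demo():
    """Constructed scenario: the true instant is 12:00 UTC, but the admin's tool reads a
    UTC+10 wall clock (22:00) and writes it as though it were UTC, 10 hours too late."""
    true_now = datetime(2004, 3, 27, 12, 0, tzinfo=timezone.utc)
    wall_clock = true_now.astimezone(timezone(timedelta(hours=10)))
    misread_now = wall_clock.replace(tzinfo=timezone.utc)   # 22:00 mislabelled as UTC
    naive_value = to_filetime(misread_now)                   # "now" with no margin
    safe_value = expiry_in_past(misread_now)                 # "now" minus 24 hours
    return {
        "naive_expired": is_expired(naive_value, true_now),
        "safe_expired": is_expired(safe_value, true_now),
        "naive_hours_in_future": (from_filetime(naive_value) - true_now) / timedelta(hours=1),
    }


if __name__ == "__main__":
    print(timezone_demo())
    print(is_disabled(NORMAL_ACCOUNT | ACCOUNTDISABLE), is_disabled(NORMAL_ACCOUNT))
```

With no margin the mis-zoned "now" lands ten hours in the future, so the account stays usable until then; with the 24-hour back-off Joe suggests it is expired from every DC's point of view regardless of which zone produced the timestamp. Reading the current time from RootDSE, as Eric notes, removes the source of the skew; the margin is cheap insurance on top of that.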

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-27 Thread joe
Hey Michael, looks like you got an answer from Darren (though I dislike
processing GPOs based on group memberships). However, would it be ok to ask
WHY you would want to do this? Setting up DCs as one offs is usually a great
way to court a troubleshooting problem that is a pain in the butt to resolve
later. 

  joe 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, March 24, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Related question:
Because of some testing we are doing in a production environment (yes, I
know - ahem, ah try a test environment; can't in this situation), we would
like to override the policy "Microsoft Network Server - digitally sign
communications (always)" that is set in the Default Domain Controllers
policy by using the local Domain Controller policy on a particular DC.  But
it appears not to be "overrideable".  Is this the expected behavior?  If so,
how could we accomplish this?  TIA!

Mike Thommes

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers


Agreed. Not much downside to this as long as you're not putting policies on
these other GPOs that conflict with any set in the DDC policy. Even in that
case, you just have to manage the conflicts. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

It's common practice to add other GPO links to the DC OU.

-Original Message-
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers


Hi all,

Question:

Has anyone experienced issues or know of any 'gotchas' with linking other
GPO objects to the Domain Controllers OU in addition to the Default Domain
Controllers Policy?

Rationale:

I would like to have a GPO ready that essentially has Windows Update enabled
for deploying approved updates from a central SUS server. When an update is
available, tested and if required, the GPO is linked to the Domain
Controllers OU and available for install depending on each DC's detection
cycle and configured parameters.

Why not modify the Default Domain Controllers Policy?

At least this way, I will have complete control of when updates are pushed
and importantly, if I would like to retract the updates unlinking this
'other' GPO is easier and I believe safer than changing configuration
settings on the Default Domain Controllers Policy.

Another nice feature would be that by unlinking this policy the update
would also be removed from the Windows Update folder on each client (the
DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Mirror OU structure to Test

2004-03-27 Thread joe
This is very cool Darren, thanks for sharing. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, March 19, 2004 10:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

I'll add one more to the mix. Not sure its much better than using an CSVDE
dump, but the GPMC comes with two scripts that are designed to create a test
domain that is a mirror of your production one. They are called:

CreateXMLFromEnvironment.wsf (dump production)
CreateEnvironmentFromXML.wsf (import into test)

They provide a few nice features like the ability to bring GPOs, GPO links,
OUs, users and groups over as well.  

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, March 19, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

not to be confused: you don't need to upgrade your domains to 2003 - but
MIIS (or the free feature pack version) can only run on a 2003 Enterprise
Edition box. It can then sync from any AD forest to any other AD forest (or
ADAM instance). The AD forest can still be 2000.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Freitag, 19. März 2004 22:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

Since the development domain is W2K3, and I'm going to be upgrading the
production domain to W2K3 shortly, I'll look into the "MIIS light" solution
you mentioned. Thanks! :)

r/
Lou


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

Certainly you'd only want it one way anyway and wouldn't want to spend a
fortune on real sync tools (which could also be used).  If this is the case,
then you can continue to dump LDIF files from production and import them to
your test now and then to "sync" it one way (handling deletions would be a
little more difficult). LDIFDE allows you to change existing objects, which
CSVDE doesn't.

If you're willing to spend a 2k3 box + SQL you could also use "MIIS light"
=> IIFP (Identity Integration Feature Pack or whatever it's called) which
will handle this easily.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Freitag, 19. März 2004 21:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

This is an older thread - but I'm curious, what if you wanted a more ongoing
sync between a "development" domain and a "production" domain?

I've used the LDIFDE to "clone" a directory structure (OU's, groups, users)
before but it's always been a "one-shot" deal...is there an easier way to
keep the two in synch?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, November 21, 2003 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test

If you only need a one-time mirror (with no ongoing sync) then a simple
CSVDE dump will do the trick. 

1. dump current data:
   csvde -f OULIST.csv -r "(objectClass=OrganizationalUnit)"
2. edit data as required in Excel (e.g. remove system attributes and change
   DN as needed)
3. import data to test forest:
   csvde -i -f OULIST.csv

/Guido

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Freitag, 21. November 2003 21:32
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] Mirror OU structure to Test

Hi all,

I have an urgent need to mirror our production OU structure to our Test
Platform.   Is anyone aware of a script or tool where I can export and
import the structure?

If so, would they share? :)

I think I can write something, but if anyone has a pointer in the right
direction to an already existing one, that would help out a lot!

Thanks,

Jef


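Guido's step 2 (edit the CSVDE dump before importing it into the test forest) is the part that is easy to get wrong by hand: system-owned attributes are rejected on import, every DN has to be re-homed to the test naming context, and a child OU listed before its parent fails because the parent does not exist yet. The block below is an added example, not code from this thread or from any of its posters; the SAMPLE_DUMP text is a constructed stand-in for a real `csvde -f` export of a fictitious prod.example.com domain, and the SYSTEM_ATTRIBUTES set is an assumed list that should be trimmed to whatever columns your own dump actually contains.

```python
import csv
import io

# Attributes CSVDE exports on an OU that are system-owned and would be rejected on
# import into a different forest (assumed list; adjust to match your own dump).
SYSTEM_ATTRIBUTES = {
    "distinguishedName", "instanceType", "whenCreated", "whenChanged",
    "uSNCreated", "uSNChanged", "name", "objectGUID", "objectCategory",
    "dSCorePropagationData",
}

# Constructed stand-in for the output of
#   csvde -f OULIST.csv -r "(objectClass=OrganizationalUnit)"
# in a fictitious prod.example.com domain. The child OU is deliberately listed
# before its parent to show the reordering.
SAMPLE_DUMP = """\
DN,objectClass,ou,distinguishedName,instanceType,whenCreated,uSNCreated,objectGUID,objectCategory,description
"OU=Sales,OU=Corp,DC=prod,DC=example,DC=com",organizationalUnit,Sales,"OU=Sales,OU=Corp,DC=prod,DC=example,DC=com",4,20031121205500.0Z,12345,X'00112233',"CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=prod,DC=example,DC=com",Sales team
"OU=Corp,DC=prod,DC=example,DC=com",organizationalUnit,Corp,"OU=Corp,DC=prod,DC=example,DC=com",4,20031121205400.0Z,12344,X'00112234',"CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=prod,DC=example,DC=com",
"""


def split_dn(dn):
    """Split a DN into RDN components, honouring backslash-escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts


def rewrite_dn(dn, old_suffix, new_suffix):
    """Re-home a DN from the production naming context to the test one."""
    if not dn.lower().endswith(old_suffix.lower()):
        raise ValueError(f"{dn!r} is not under {old_suffix!r}")
    return dn[:len(dn) - len(old_suffix)] + new_suffix


def transform_dump(text, old_suffix, new_suffix):
    """Step 2 of the procedure: drop system attributes, rewrite DNs, and order parents
    before children so `csvde -i` always creates an OU under one that already exists."""
    reader = csv.DictReader(io.StringIO(text))
    keep = [f for f in reader.fieldnames if f not in SYSTEM_ATTRIBUTES]
    rows = [{f: row[f] for f in keep} for row in reader]
    for row in rows:
        row["DN"] = rewrite_dn(row["DN"], old_suffix, new_suffix)
    rows.sort(key=lambda row: len(split_dn(row["DN"])))  # stable: siblings keep order
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def parse_rows(text):
    """Read a CSVDE-style file back into dicts (handy for checking the result)."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(transform_dump(SAMPLE_DUMP, "DC=prod,DC=example,DC=com",
                         "DC=test,DC=example,DC=local"))
```

The depth sort is the detail worth keeping even if you edit the rest in Excel: CSVDE processes rows in file order, so an export that happens to list a nested OU first imports cleanly only if its parent row has been moved ahead of it.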

RE: [ActiveDir] OT: Web Admin not member of Administrators group on local machine - is this possible???

2004-03-27 Thread joe
This really isn't an AD issue so the proper expertise may 
not exist on this list. I would recommend going to the Microsoft Newsgroups and 
asking the question. Specifically the IIS groups. 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Monday, March 22, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Web Admin not member of Administrators group on local machine - is this possible???

I have a stand-alone 2003 server with IIS running on it. I don't want the web
administrator to be in the local administrators group. However, some of the
things that need to be done in order to administer IIS require administrator
or delegation. Is there a white paper that explains what privileges are needed
up to giving the person administrator rights? Does someone know by experience
how to do this?
 
Thanks in advance. 
This group is always extremely helpful.
 
Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
 


RE: [ActiveDir] password gpo for a special group

2004-03-27 Thread joe
You guys have come a long way and have addressed every issue I came up with.


Us Admins can't expect every product from every vendor to be perfect out of
the gate. We should expect though that vendors listen and help find
solutions (and make corrections) when we find issues. When I find vendors
that are like that I would be remiss to not advertise that fact in hopes that
more vendors do the same. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 9:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] password gpo for a special group

Joe - thanks for the note of confidence.  :-)

It's true - we put the actual complexity code on a separate server, which
does provide lots of other functions: synchronization, self-service reset,
user enrollment, etc. etc.

We can enforce all sorts of password policy rules, and it is possible to
enforce different rules for different user populations (though that isn't
the default behaviour).

Most of that functionality is probably beyond the scope of this list, so
perhaps we should move this discussion off-line?

On Fri, 19 Mar 2004, joe wrote:

> There are several companies that put out password filters. I can't say 
> that PSYNCH is the best as I never did a comprehensive study on who is 
> doing what in that area; however, we do use PSYNCH for a fairly large 
> corporation and it works well. Nota bene: we mostly use the product for 
> syncing passwords across multiple platforms; we do not use any special 
> complexity filtering. However, I do have confidence in their ability to do
> so.
>
> PSYNCH does use an extra server to do the work though, it isn't 
> completely enclosed functionality in a single DLL that goes on your 
> Domain Controllers unless they have made changes that I am unaware of
> (quite possible).
>
>
> -
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sieber R., DP 
> ITS, FII, DD
> Sent: Friday, March 19, 2004 12:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] password gpo for a special group
>
> Hi Idan,
>
> does psynch really do what we are looking for?
>
> Does anybody have experience with such software?
> Is there other software out there?
>
> Robert
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > [EMAIL PROTECTED]
> > Sent: Friday, March 19, 2004 5:27 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] password gpo for a special group
> >
> >
> > Robert,
> >
> > This can be done with the password filter DLL installed on DCs.  It 
> > requires either programming (be very very careful!  mistakes in this 
> > DLL will crash your DC's operating system), or a product that looks 
> > after password management in general, and password policy 
> > enforcement in particular (same technology, somebody else has 
> > already done the QA).
> >
> > If you are interested in pursuing the product route, please visit 
> > http://psynch.com/.
> >
> > Good luck!
> >
> > -- Idan
> >
> >
> > On Thu, 18 Mar 2004, Sieber R., DP ITS, FII, DD wrote:
> >
> > > Hello all,
> > >
> > > i've a little problem :-)
> > >
> > > I want to realize a different password policy for one group of users.
> > > Since the password settings are computer settings, I'm a little bit 
> > > confused how to realize this.
> > >
> > > Anyone have an idea?
> > >
> > >
> > > sincerely yours
> > >
> > > Robert Sieber
> > >
> > > --
> > > Deutsche Post ITSolutions GmbH
> > > it-systems / infrastructur
> > >
> > > Gerokstr. 18-20
> > > D-01307 Dresden
> > >
> > >
> > > Phone:+49 (351) 4567 762
> > > Fax:  +49 (351) 4567 709
> > >
> > > eMail:mailto:[EMAIL PROTECTED]
> > > web:  http://dp-itsolutions.de
> > >
> > >
> >
> >
>
>


RE: [ActiveDir] Reboot behavior with SUS on DC's

2004-03-27 Thread joe
I'm still trying to get over your desire to do a mass update to all of your
DCs at once. You are much braver than I am and much braver than many I have
spoken with. For the most part people consider DCs to be special and not to
be automatically patched en masse like that. The reason being if there is
something you missed in testing, you could knock everything down in one fell
swoop. Even if I had the world's greatest patch system and could patch all
DCs in short order like that I still wouldn't do it. 

An example I have of a good reason not to do the mass patching... We started
to deploy some SP. I think it was SP2. There was a bug in SP2 where if there
was a certain bad value in, I think if I recall correctly, a site link, that
if it was encountered the SP2 DC would crash, reboot, repeat. Now visualize
what would have happened had we mass launched SP2 to all DCs at once via
super deployment method #4... 400 DCs crashing over and over again. 


My DC patching tends to go like this:

Test patch in multiple labs.

Test patch on a couple of "non-critical" DCs. Watch for a couple of days or
at least a couple of hours. 

If all is well, send patch to all DCs but do not execute.

Execute in small batches. Watching closely for issues. 


  joe

-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, March 26, 2004 5:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Reboot behavior with SUS on DC's

Hi,

I recently sent a post with regards to creating a separate GPO for DCs to
utilize SUS and Windows Updates.

So far everything looks and works the way I want it to. The only thing I am
trying to figure out is if there is a way to auto download and schedule the
install but not reboot the system (there seems to be only one GPO setting
for controlling reboot behavior while logged on) but not when the system is
idle or left at the login prompt.

My only fear with this behavior is what happens if there is a failed reboot
or the system hangs or whatever; I would like to be able to control when the
DC is rebooted either remotely or by a local administrator (and there's
that, the org. operates in a centralized model with distributed
administration including offices overseas) so a hung reboot may mean 8am
in Germany but 1 or 2 am in the Central Time Zone.

Your help is much appreciated.

Thanks,



RE: [ActiveDir] Server Membership

2004-03-27 Thread joe
30 days (w2K+) but you can actually go two password 
change periods and the machine will be ok so 60 days. NT is 7 days (and 14 
days). Outside of that you can do a reset of the password and the machine will 
be ok again. Alternatively you can disable the functionality or change the 
frequency but you really shouldn't have to do that. 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted
Sent: Thursday, March 25, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Membership

Does anyone know, if a server is taken off the wire, how long before its
machine account is removed or out of synch with the domain?  We regularly
break a mirror of the OS when we do service packs and patches.  A drive may
sit on the shelf for a few days before we decide to "roll back".
Thanks in advance. 
-Ted- 


RE: [ActiveDir] Remote Desktop Issue

2004-03-27 Thread joe



That almost sounds like a disk space or permissions 
issue... I.E. it is trying to create the local profile, failing, and blowing the 
user off. Anything in the event logs?
 
 joe
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. Gilbert
Sent: Friday, March 26, 2004 12:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Desktop Issue


No error message.  He gets the logon prompt, logs on, the screen flashes
“applying settings” then the terminal session screen closes out.

Really weird.
 
Dan
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Thursday, March 25, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Remote Desktop Issue
 

What error does he get when trying 
to connect using a terminal session?

 

  
  - Original Message -
  From: Gilbert, Daniel L Mr ANOSC/FCBS
  To: ActiveDir ([EMAIL PROTECTED])
  Sent: Thursday, March 25, 2004 1:58 PM
  Subject: [ActiveDir] Remote Desktop Issue
  
   
  To All:
   
  I have a Remote Desktop issue that is driving me 
  nuts.  Servers are Windows Server 2003.
   
  I have a root domain spread across two different sites, both physically
  (East Coast and West Coast) and AD-wise (AD East and AD West).
   
  My two Enterprise Admins are members of a child domain 
  (Child1) and through security group membership; they are placed into the 
  Enterprise Admins security group in the root 
  domain.
   
  This structure has worked fine for the last 
  year.  One of the Enterprise Admins has moved on to a bigger and better 
  job and I promoted one of my Senior Admins to become a new Enterprise 
  Admin.
   
  Now the fun part begins.
   
  The new Enterprise Admin can log on locally to the 
  root DCs in the physical site West Coast (the bulk of the root is here) from 
  either the keyboard or via Remote Desktop.
   
  The new Enterprise Admin can log on locally to the root DCs in the physical
  site East Coast (our COOP site) from the keyboard but he cannot log in via
  Remote Desktop.
   
  I am sure his account has replicated from West Coast 
  to East Coast because he can log on from the keyboard and I have waited long 
  enough for replication to occur.
   
  I checked the permissions on the RDP connection but it 
  still at default.
   
  Any ideas where I can go for a clue?  My head is 
  getting squishy from beating it against the wall.
   
  Daniel L. Gilbert, 
  Contractor
  Senior Active 
  Directory Specialist
  CONUS Theater 
  Network Operations and Security 
  Center 
  (CONUS-TNOSC)
  (520) 533-6700 
  DSN: 821-6700
  [EMAIL PROTECTED]
   


RE: [ActiveDir] Server up/downtime

2004-03-27 Thread joe



Alex has a forum you can use to get help, he is very 
responsive. I like the product, he has done a good job with 
it.
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Monday, March 22, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Server up/downtime


Thanks
 
Just having a little trouble configuring 
alerts
 

 
Lynden 




From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Monday, March 22, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Server up/downtime
 

This is a good 
product... cheap 2  http://www.ks-soft.net/hostmon.eng/

  -Original Message-
  From: Philadelphia, Lynden - Revios Toronto [mailto:[EMAIL PROTECTED]
  Sent: 22 March 2004 15:42
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Server up/downtime
  This might not be the right forum, but I will ask 
  anyway.  Does anyone have a spreadsheet or database that tracks server 
   down/uptime? 
   
  Need to produce a report for the management on a 
  monthly basis.
   
  Lynden 
   
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any use (including retransmission or copying) of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient of this transmission, please contact the sender and delete the material from any computer. The sender is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Any replies to this email may be monitored by the MCPS-PRS Alliance for quality control and other purposes.


RE: [ActiveDir] Server up/downtime

2004-03-27 Thread joe



I have a general comment for this and kind of curious what 
people are doing in this area...
 
Most products check for availability of the server via 
pinging and agents that scrape events and report availability of servers in 
terms of whether the server returns a ping or not. This is obviously a good 
start but quite honestly, pretty worthless. It doesn't say anything about 
whether the server is truly functioning and able to respond to client calls 
(ditto for agents running on the server themselves). 
 
What are people doing to get realistic uptime/availability 
numbers out of their systems? Do you have monitoring that pretends to be a 
client and use the normal client hooks?
 
For example, we monitor our DCs all centrally via perl 
scripts that act like they are users...
 
For instance, one test is a WINS name resolution test. It 
basically does Domain 1C record lookups via NMBLOOKUP/NBLOOKUP type calls which 
emulate clients. Another test tries to read the netlogon shares (which also 
tests authentication on the DC). Another test does some NET API calls against a 
DC. An LDAP lookup test also exists. Another checks time on DCs. Again all of 
these work remotely, they do not run on the DCs themselves. In this way we have 
a pretty good idea of what is truly available versus just up. I would like 
to go a step better and actually do this central monitoring from several points 
around the globe and then centralize the 
results.  
 
Our company's main outlook on Servers is uptime via ping 
response with no consideration for application level availability or 
degradation. The main reason being how hard it is really to do accurately. So 
say an Exchange Server that is responding to pings but isn't handling mail at 
all or not very well is considered UP for availability numbers. I obviously 
don't agree with that approach and did something different. I am curious as to 
how many others are doing things that way. 
 
  joe
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Monday, March 22, 2004 10:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Server up/downtime


This might not be the right forum, but I will ask 
anyway.  Does anyone have a spreadsheet or database that tracks server 
 down/uptime? 
 
Need to produce a report for the management on a monthly 
basis.
 
Lynden 
 
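The "pretend to be a client" monitoring joe describes, as an added example in Python (not joe's perl scripts or any joeware tool): an anonymous LDAP rootDSE search and an SNTP time-skew check against a DC, with the server counted as available only when every probe passes. The host name and ports are assumptions, and the LDAP side decodes only enough BER to tell a SearchResultEntry from an error or an empty result.

```python
"""Client-style DC availability probes: constructed example, not joe's perl scripts.
A DC that answers ping but fails these counts as DEGRADED. Hosts are placeholders."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
LDAP_PORT, NTP_PORT = 389, 123  # assumed standard ports


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return bytes([0x23]) + bytes(47)


def sntp_transmit_time(reply: bytes) -> float:
    """Unix time from the Transmit Timestamp (bytes 40-47) of an SNTP reply."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV; short-form length covers everything this probe sends."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload


def build_rootdse_search(attr: str = "defaultNamingContext", msg_id: int = 1) -> bytes:
    """Anonymous LDAP SearchRequest for the rootDSE: base "", scope base,
    filter (objectClass=*). Exercises the LDAP service without needing a bind."""
    body = (
        ber(0x04, b"")                         # baseObject ""
        + ber(0x0A, b"\x00")                   # scope: baseObject
        + ber(0x0A, b"\x00")                   # derefAliases: never
        + ber(0x02, b"\x00")                   # sizeLimit 0
        + ber(0x02, b"\x00")                   # timeLimit 0
        + ber(0x01, b"\x00")                   # typesOnly FALSE
        + ber(0x87, b"objectClass")            # filter: present (context tag 7)
        + ber(0x30, ber(0x04, attr.encode()))  # requested attributes
    )
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, body))  # APPLICATION 3


def _read_len(buf: bytes, i: int):
    """Decode BER length octets at buf[i] (short or long form); return (length, next index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def rootdse_reply_ok(reply: bytes, attr: str) -> bool:
    """True when the first LDAPMessage is a SearchResultEntry (APPLICATION 4) that
    carries the requested attribute. A reply that is only SearchResultDone fails."""
    if len(reply) < 2 or reply[0] != 0x30:
        return False
    _, i = _read_len(reply, 1)
    if i >= len(reply) or reply[i] != 0x02:  # messageID
        return False
    n, i = _read_len(reply, i + 1)
    i += n
    return i < len(reply) and reply[i] == 0x64 and attr.encode() in reply


def probe_time(host: str, max_skew: float = 300.0, timeout: float = 3.0):
    """Kerberos allows 5 minutes of skew by default; beyond that the DC is up but useless."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (host, NTP_PORT))
        reply, _ = s.recvfrom(48)
    skew = abs(sntp_transmit_time(reply) - time.time())
    return skew <= max_skew, f"skew={skew:.2f}s"


def probe_ldap(host: str, timeout: float = 3.0, attr: str = "defaultNamingContext"):
    """Round-trip a rootDSE search, as any LDAP client does when it first connects."""
    with socket.create_connection((host, LDAP_PORT), timeout=timeout) as s:
        s.sendall(build_rootdse_search(attr))
        reply = s.recv(4096)
    return rootdse_reply_ok(reply, attr), f"{len(reply)} bytes"


PROBES = {"time": probe_time, "ldap": probe_ldap}


def availability(host: str, probes=PROBES):
    """Available only when every client-style probe passes; a probe that times out
    or errors is a failure, not 'unknown'. Returns (up, {probe: (ok, detail)})."""
    results = {}
    for name, fn in probes.items():
        try:
            results[name] = fn(host)
        except (OSError, ValueError) as exc:
            results[name] = (False, f"{type(exc).__name__}: {exc}")
    return all(ok for ok, _ in results.values()), results
```

Run `availability("dc01.example.invalid")` from a machine that is not the DC itself, as joe does, so the probe sees the same path a client sees; a netlogon share read or NET API call would slot into PROBES the same way.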


RE: [ActiveDir] Windows 95 clients mapping drives to Win2003 member server and GPO's

2004-03-27 Thread joe
If you have Sign Comm Always enabled you will not be able to talk to that
server with a downlevel client. You can disable that policy and in fact
anyone running legacy clients almost always does disable that if they can't
just kill all of the legacy clients in one fell swoop.

We actually have disabled that setting and "Domain Member: digitally encrypt
or sign secure channel data (always)" in our domain controllers policy and
it works fine that way. That would align with doing it to an OU or site GPO.


  joe


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Thursday, March 25, 2004 6:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 95 clients mapping drives to Win2003 member
server and GPO's

I'm troubleshooting win95 clients that have to map a drive to a Windows
2003 member server in AD 2003. The win95 clients log in locally with an
account called Generic. The win95 machines are terminals and aren't in the domain. To
get around mapping to the w2k3 member server share, we created a guest user
locally on the Windows 2003 server with the same credentials. We have one
Windows 2003 server that gives an error 31 and won't let Win95 clients map
to the share. We also have Win 3.1 machines mapping to this share without
any issues. I understand my method of drive mapping isn't the best solution,
having the same id and password on a workgroup client mapping to a domain
server, but that is my only option (it's the way the application works).

I discovered in the Default Domain Policy a setting enabled called "Microsoft
network server: Digitally sign communications (always)", Value = Enabled.
This was one setting of many that have to do with digital signing that
appears to be enabled and causing issues with legacy client drive mappings
and general communication to the Win2k3 servers. I'd want to create a domain
level GPO to disable these settings that interfere with legacy clients
communicating to the member server. Anyone have experience with GPO settings
and legacy clients and seen similar errors like the above?

Steve Schofield - MCP, CCA
[EMAIL PROTECTED]
Windows Server Architecture
Ext - (616)-791-3773 Int - 13773



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] DEC Chatter - Was something else...

2004-03-27 Thread joe



DEC was indeed cool. I am not under NDA for it that I 
am aware of. In fact I would expect Gil would like to hear people chattering 
about the conference as it will drive more people to it. And again, I don't do 
many conferences but this one is exceptionally good in terms of anything I have 
been to. I heard a lot of chattering along the same lines and that it was 
especially considerably better than the big MS conferences that focus on all MS 
techs instead of just AD. So instead of AD being one topic of hundreds it is THE 
topic. And honestly, this deserves to be THE topic. Why? Because AD is the 
cornerstone of your security if you are using it for your 
authentication/authorization.
 
So why specifically was DEC cool? 
First and foremost, I met a lot of people in person that I had previously chatted in email and newsgroups 
with. That was very nice. Now everyone knows what I look like and probably 
wonder how a guy 5' 2" and 105 lbs like me can be so wicked and opinionated in 
email yet not utter a peep in person. Some of the folks I met from this list are 
Gil Kirkpatrick, Guido "The Killer UG Pimp", Robbie Allen, Todd Myrick, Hunter 
Coleman, Stuart Fuller, Alan Isham and several others. Also got a chance to talk 
to and more importantly listen to some of the MS folks such as Stuart Kwan, Paul 
Rich, Andreas Luther, Sanjay Tandon, Robert DeLuca, and others. This 
face to face chatter is invaluable. 
 
There was one cool session where there were three teams 
broken out to solve three AD issues. These were some evil little issues Gil 
dreamt up to see if people could work through them. Simple configuration issues 
gone bad. I sat and watched Stuart lead a team working on one of the problems. 
It was entertaining. I didn't sign up as I didn't think solving a problem would 
be that much fun, heck I do that every day at work, why go to a conference and 
do it in the evening, especially while drinking... I was wrong however, it ended 
up being great fun. Interesting watching different people troubleshoot issues. 

 
The presentations were generally quite informative. 
Alan Isham had a great presentation on object lifetimes. This is a topic that 
everyone really needs to start paying attention to. A lot of folks are finishing 
up the get your ass into AD stage. Now they need to get AD cleaned up. It 
brought up for myself and my manager (who was also there) the whole idea of 
really having to have a known defined owner for EVERY object in AD and if 
we don't know who it is, it is us. This is not what we liked to think previously 
but I think we don't really have a choice in the matter because the clutter 
mostly impacts us. 
 
The other Intel presentation (by John Dunlop I think - 
don't have my DEC cheat book here with me) was about using Virtual Server for 
restoring a forest. It was interesting as it was very close to what we have been 
looking at and I have previously discussed here on the list. Glad to see someone 
else thinking that way which lends credence to our thoughts and direction. They 
had an interesting twist for getting all of the DCs at all of the sites back up 
and running quickly via spinning up a backup VS DC on every machine and then 
slowly going through rebuilding back to the original physical setup. Overall 
there was a considerable amount of talk about DR and lag/hot sites and data 
restoration. It seems to be a big topic on everyone's 
mind.
 
There was a presentation by the US Army which basically 
made me glad I wasn't trying to deploy in that environment. I thought my 
environment was big and complex and politically charged and underfunded... At 
least my people are mostly not carrying weapons. 

 
There was a presentation by Wook Lee from HP (the 
Compaq side originally) which I can only say was... well you had to be there. 
Let's just say he wore a faux Forest Ranger hat and had Smokey the Bear slides 
and Burma Shave jingles. If that doesn't entice you into wanting to see his 
presentation, well you are just not alive I guess. :op   
I also spoke with Wook Sunday night at the 
reception for an hour or so and that was also quite entertaining and 
informative. Wook has seen some issues that I wouldn't ever want to see. One of 
the side benefits of fully deploying beta and RC code is what I would call it. 

 
Guido had a good presentation on forest trust stuff. 
Had a couple of DLG vs UG jabs in there for me which I appreciated. Several 
folks recognized them as such as well. It is all in good fun and keeps life 
interesting. :op He ended up using a joeware tool (sectok) in one of the slides 
to illustrate something so that was good too... push the use of joeware for 
effective admining and information discovery. 
:o)
 
It was interesting to hear from Andreas concerning the 
direction of MIIS. Apparently it is being driven towards being your one stop 
provisioning system. Sounds like AutoGroup is going to be completely bundled 
into that versus off on its own. AutoGroup, if

[ActiveDir] Why is it important that people on this list know when I delete there mail?

2004-03-27 Thread Joe L. Casale
Why in all the zillion lists I am on do people on this list turn that
notification on? Really curious, thinking I might be off my boat
somehow?

Thanks,
jlc




RE: [ActiveDir] disaster recovery

2004-03-27 Thread Kern, Tom
Guido and Joe,
 
First of all, thank you for all your advice and help.
 
You guys are absolutely right, we should have never gotten a domain if they didn't 
trust us with Enterprise admin rights over the forest. I assume they can't shake the 
Win NT view of domains yet.
However this was a management issue and decision. I just inherited all the problems and 
fallout of said issue. I suppose it was a technological solution to a political 
problem.
Now I was just trying to figure out if there was any hack to restore a child domain 
without root connectivity.
In a real disaster, I'm sure common sense would prevail over politics and we would all 
work together, kinda like I imagined IT to be when I first got into it. Innocent boy 
that I was.
 
In the interim I thought there might be some way to test a recovery without the root.
Some reg key or dns record to copy over...
 
I guess not.
 
Thank you both again for your help.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 5:33 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Excellent post.
 
I just wanted to jump in and reemphasize that point.
 
Restoring a single domain of a forest in an isolated environment and expecting 
it to work is unrealistic. I agree with Guido in that you never should have been given 
admin rights into a domain of someone else's forest. You should have had OU privileges 
or just had your own forest entirely. 
 
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


>>AD is supposed to be an enterprise directory where most enterprises span the 
globe and have multiple sister corps or corps they've merged with or acquired. These 
corps have their own domains and IT depts.<<
 
That's not how AD is supposed to be - that's merely how you'd like to use it.  
Not necessarily the same.  I agree that some companies may implement it this way 
especially in the early days of AD, but not after they understood that not the domain, 
but the forest is the security boundary.  
 
If you have no good working relationship with your mother corp and they're not 
really too fond of you either, they should have never offered you your own domain. You 
would have been a perfect candidate for a separate forest. However, if they still 
wanted to fully integrate you into their forest without trusting you to perform 
service-level operations (i.e. tasks that require domain admin privileges), they would 
have merely needed to grant you management of one or a few OUs.
 
Whether you like it or not, recovery of AD - in case of the disaster you describe, 
or in other disasters that go more towards deletion of objects - is a forest level 
task that usually requires enterprise admin privileges.  I am not saying that I don't 
think it would be nice if this wasn't the case, but once you learn to treat a domain 
as an integral part of a forest that should not be managed by a separate team of 
administrators, it doesn't make a difference.
 
/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Going to AD was something decided by the higher ups to merge my corp and our 
sister corp into a seamless whole. The sister corp already had AD in place and they 
own the root. Our IT depts. don't exactly communicate or relate to each other very 
well :)
I'm sure it's like that in a lot of places. Before coming here, I was in a 
Netware 6.0 environment and feel that directory is much more mature in terms of 
configurability and satisfying all the business needs that AD does.
I exaggerated when I said I would move from AD to NDS. 
It's just that when my corp wants to do DR testing for our domain and we go 
away to the DR site and want to recreate most of our infrastructure from backup, etc., 
it's frustrating to have to go to our sister corp IT dept and ask them for the Domain 
admin or enterprise admin password or a copy of their root role holding master DC on a 
laptop or vmware just to practice recovery of our domain and exchange2k.
It seems MS made it so you can't recover a child domain without connectivity 
to the root. That kinda stinks.
I can understand losing some functionality but still be up and running. 
how

RE: [ActiveDir] Exchange 2003 DL

2004-03-27 Thread joe
They need WP (Write Property) on the member attribute of the group.  

Assuming the following

OU: GroupTestOU
Delegated Admin Group: joe\TestOU-GroupTestOU-GrpAdmin


You can use the following DSACLS command on the OU to delegate the ability
to change membership to all groups within the OU.  

dsacls OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:S /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;group

Note I highly recommend doing the delegation on the OUs versus on individual
groups as it tends to be easier to track down later. 

If you wanted it on one specific group the command would be like 

dsacls cn=testou-grouptestou-dl1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:P /G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;



Note that if you have multiple domains and especially GCs from multiple
domains in the site with the Exchange Servers you will almost certainly run
into issues modifying group memberships through Outlook. It is all FUBAR
right now and being looked at to be corrected - look for previous posts from
me in the archives concerning the issues. If you have a single domain
deployment you will be fine. 

If you have multiple domains, I don't even recommend using Outlook to do the
management. Use the Find Person dialogs or use ADUC or a custom web site.

  joe



-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, March 25, 2004 12:18 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 DL

I have a issue here that I am struggling with.  On Exchange 5.5, I was able
to add people to be able to modify the membership of DL through outlook
without them having to be the Manager or owner of the DL.

Now that I am on Exchange 2003, what permissions do groups or user accounts
need to have in order to modify the groups through outlook?


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] Exchange 2003 and Firewalls

2004-03-27 Thread joe
In addition to all the great questions and suggestions so far I would ask,
if only one person is trying to do something does it work ok or is it ALWAYS
slow no matter what?

If it gets slower and slower with more people you could be dealing with a
variety of network issues with a start being the firewall getting
overwhelmed. 

As Al pointed out, a network trace would probably be handy to get. Do it
from the client side, see what packets are getting responses and what the
timing of the responses are. 

The outlook/exchange is a pretty complicated dance so there are many
different places issues could be cropping up. 

I also agree with Robbie's suggestion of dropping the firewall for the
purpose of the testing. If they are being asinine about it you can say...
Well thanks, the performance from our side is great, if you guys would like
to work out your performance issues, you know what needs to be done. 

  joe


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, March 25, 2004 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 and Firewalls

We are trying that route, however they can be very stubborn some times.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Rutherford, Robert
Sent:   Wednesday, March 24, 2004 3:41 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Exchange 2003 and Firewalls

It won't be a port issue as you wouldn't gain connectivity at all... If it is
a very old firewall then chances are that it may be causing issues. Will
they drop it for a testing period to see if it makes a difference? If it is
for their benefit, i.e. their clients, then they may? At least that way you
could say it's their firewall and they need to update it to gain
performance?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 19:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 and Firewalls


No it is a private T1, point to point.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Rutherford,
Robert
Sent:   Tuesday, March 23, 2004 1:26 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Exchange 2003 and Firewalls

I take it this is a public T1 over the internet, comms via a VPN?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 17:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 and Firewalls


Physically the two orgs are connected by a T1 Line.

 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]  On Behalf Of Rutherford,
Robert
Sent:   Tuesday, March 23, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Exchange 2003 and Firewalls

Is this on the same physical site? 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 14:58
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 and Firewalls


I have a facility that insists on having a very old 3Com Firewall
between our organizations.  On his side of the firewall he has 400+
Outlook clients, on my side I have the Exchange 2003 server and the
Global Catalog Servers.  Clients are taking an extremely long time to
connect to mail and access resources.  None of my other 9 facilities
have this problem and the only thing different is that none of the
others have a firewall between our two organizations.

What ports do they have to open to allow proper communications between
their clients and my servers?


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


RE: [ActiveDir] Domian VS Local

2004-03-27 Thread joe



Check out accexp on www.joeware.net on the free c++ win32 tools page
 
 
[Sat 03/27/2004 17:35:28.94]F:\DEV\cpp\AccExp>accexp

AccExp V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2002

Usage: AccExp user date [/s machine]

   user      User ID to view/modify
   date      Date in US format mm/dd/yy or mm/dd/
             Value of NEVER clears the expiration
   machine   Machine to make the change at

  Ex1:    AccExp test                  View expiration date of account test on local machine
  Ex2:    AccExp test /s testmachine   View expiration date of account test on server testmachine
  Ex3:    AccExp test 1/30/02          Change expiration date of account t0 1/30/2002 for user test
  Ex4:    AccExp test never            Set test to never expire

 This software is Freeware. Use it as you wish at your own risk. If you have improvement ideas, bugs, or just wish to say Hi, I receive email 24x7 and read it in a semi-regular timeframe. You can usually find me at [EMAIL PROTECTED]

[Sat 03/27/2004 17:35:30.36]F:\DEV\cpp\AccExp>
 
 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, March 26, 2004 4:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domian VS Local

Does anyone know how to set an account expiration date on a local system 
account like you can with a domain account? 
 
Thanks, 
 
Mike
 

 


RE: [ActiveDir] disaster recovery

2004-03-27 Thread joe


Excellent post.
 
I just wanted to jump in and reemphasize that 
point.
 
Restoring a single domain of a forest in an isolated 
environment and expecting it to work is unrealistic. I agree with Guido in that 
you never should have been given admin rights into a domain of someone else's 
forest. You should have had OU privileges or just had your own forest entirely. 

 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

>>AD is supposed to be an enterprise 
directory where most enterprises span the globe and have multiple sister corps 
or corps they've merged with or acquired. These corps have their own domains and 
IT depts.<<
 
That's not how AD is supposed to be - that's merely how 
you'd like to use it.  Not necessarily the same.  I agree that some 
companies may implement it this way especially in the early days of AD, but not 
after they understood that not the domain, but the forest is the security 
boundary.  
 
If you have no good working relationship with your mother 
corp and they're not really too fond of you either, they should have never 
offered you your own domain. You would have been a perfect candidate for a 
separate forest. However, if they still wanted to fully integrate you into their 
forest without trusting you to perform service-level operations (i.e. tasks that 
require domain admin privileges), they would have merely needed to grant you 
management of one or a few OUs.
 
Whether you like it or not, recovery of AD - in case of the 
disaster you describe, or in other disasters that go more towards deletion of 
objects - is a forest level task that usually requires enterprise admin 
privileges.  I am not saying that I don't think it would be nice if this 
wasn't the case, but once you learn to treat a domain as an integral part of a 
forest that should not be managed by a separate team of administrators, it 
doesn't make a difference.
 
/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher ups to merge my corp and 
our sister corp into a seamless whole. The sister corp already had AD in place 
and they own the root. Our IT depts. don't exactly communicate or relate to each 
other very well :)
I'm sure it's like that in a lot of places. Before coming here, I was in a 
Netware 6.0 environment and feel that directory is much more mature in terms of 
configurability and satisfying all the business needs that AD does.
I exaggerated when I said I would move from AD to NDS. 
It's just that when my corp wants to do DR testing for our domain and we go 
away to the DR site and want to recreate most of our infrastructure from back 
up, etc., it's frustrating to have to go to our sister corp IT dept and ask them 
for the Domain admin or enterprise admin password or a copy of their root role 
holding master DC on a laptop or vmware just to practice recovery of our domain 
and exchange2k.
It seems MS made it so you can't recover a child domain without 
connectivity to the root. That kinda stinks.
I can understand losing some functionality but still be up and running. 
However to make it impossible to get up at all without the root FSMO DC is I 
think something that needs to be addressed.
In MS's mind, all their DR whitepapers assume you either lost a DC or 2 and 
want to recover them OR you lost the entire forest. They really don't address 
losing a child domain. 
AD is supposed to be an enterprise directory where most enterprises span the 
globe and have multiple sister corps or corps they've merged with or acquired. 
These corps have their own domains and IT depts. If one corp goes down, in MS's 
implementation, this corp has to get in touch with the IT dept of the root, be 
allowed high access to the forest OR have someone from that other IT dept free 
enough to come down for security reasons and log in himself as enterprise admin. 
Also some physical connectivity is implied...
All in the middle of a disaster OR just to test and practice for said 
disaster.
That's asking for a lot of any large company.
MS should know how unrealistic this is more than anyone.
 
My pointless two cents.
Thanks for reading and replying before.

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thu 3/25/2004 10:20 AM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  Just out of curiosity, why did you deploy a forest root structure? Why didn't you go with a single domain structure?
   
  Otherwise, Who manages the schema without the root?  
  Who manages the domain naming master in yo

RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

2004-03-27 Thread joe



Hmm. Can a non-perl person understand the perl code... 
Depends on the non-perl person I guess. That perl that makes up that script is 
not the easiest to convert to vbscript. If vbscript would have been easy to do 
this in, I probably would have gone that way, overall though I have to say that 
I don't much like vbscript. It isn't that I don't code in it, just don't prefer 
to. Whereas perl makes difficult things easy, vbscript seems to like to make 
some difficult things impossible and easy things merely difficult. Vbscript's 
strong point is not text manipulation. 
 
You don't need to know perl to use that script, simply 
download perl (preferably from activestate.com) and load it and run the script. 
It should work from any 2K+ machine just fine. You most certainly should be able 
to tweak it around to make it display the info differently etc. 

 
Yes DEC did occur, it was last week. Very good conference. 

 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 7:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Yep, I'm looking for the hostname. The hostname is not 
stored in a separate attribute that I can see. You definitely found the right 
attribute. Is that funky or what?
I agree with you, 
LDAP all the way baby. Can a non perl person understand the perl code and 
convert it VBScript easily? I'm a vbscript person myself.
 
I was at the 
conference last year, the one hosted in Ottawa. I believe this year it's in 
Washington. Has it happened yet? Plenty of good information there for sure.
 
Thanks
 
Yves
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 26, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Interesting problem. 
 
What specifically do you need out of the octet string, just 
the host name?
 
Anyone have a map of what exactly is in octet string or 
what data should be in it even if you don't know the format? I would assume 
probably serial number and some other info? It isn't in MSDN that I see. 

 
dn:DC=0,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com>dnsRecord: 
0B00 0C00 05F0  0200   0E10     0901 0762 6F62 7465 
7374 00
 
dn:DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com>dnsRecord: 
0C00 0C00 05F0  0300   0E10     0A01 0862 6F62 7465 
7374 3200
 
From this it appears that the hostname starts at about the 
13th dword. So above would be 0A01 0862 6F62 7465 7374 3200 and 0A01 0862 6F62 
7465 7374 3200 for the names which would resolve into bobtest and bobtest2. 

 
This could be done fairly painlessly with perl I think... 

 
 
As for Al's question about why enumerate via LDAP? Because 
its there baby, that is the beauty of using LDAP. If you aren't going to do LDAP 
queries, might as well be using a SQL Server or flat file or something. 

 
Let me see what I can do with this. I just put the 
Disturbed CD in, feeling like doing some hacking. 
 
 
BTW, if you didn't go to the Directory Experts Conference, 
you missed a good time. NetPro did a good job and there was a lot of good 
discussions. Plus some of the stuff Stuart was talking about was pretty darn 
cool. 
 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?


David,
 
I am sure it will work but my DNS has over 
45000+ objects and it is running on a production network. It scares me a little 
to do that.
 
Y


From: Chianese, David P.
Sent: Fri 26/03/2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

As Al 
mentioned, why not convert the zone to Std. Primary and take a copy of the zone 
files that are written to disk.  Then revert it back to ADI.  I have 
done this before without incident to supply our BIND unix servers 
copies (or pieces) of our zone files.  I have done this in the past for 
stale PTR records as well.
 
 
Regards,
 
Dave

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
  Sent: Friday, March 26, 2004 2:30 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
  
  I am looking for duplicate 
  registrations in the reverse lookup zone. I am hoping to export everything to 
  txt (4+ objects) file so I can parse using excel. I actually found the 
  article you mention but I have to install the WMI provider on the DC. I am 
  hoping to avoid this if I can. That's why I am hoping to use LDAP with some 
  sort of 
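Since the thread stops short of a decoder, here is an added example (not joe's perl script and not code from any poster) that parses dnsRecord blobs and groups reverse-zone entries by the host they point at, which is the duplicate-PTR check Yves is after. The field layout follows the DNS_RPC_RECORD structure in Microsoft's MS-DNSP specification; the sample blobs are constructed with that layout from the two records in joe's dump, and a third DN (DC=7) is constructed as the duplicate to find.

```python
"""Decode Active Directory dnsRecord blobs and find duplicate PTR registrations.

Added example; not joe's perl script and not code from the thread. Field layout
is the DNS_RPC_RECORD structure from the MS-DNSP specification:

    DataLength   uint16 LE   byte length of the Data field
    Type         uint16 LE   DNS record type (1 = A, 5 = CNAME, 12 = PTR, ...)
    Version      uint8       5
    Rank         uint8       0xF0 = authoritative zone data
    Flags        uint16 LE
    Serial       uint32 LE   zone serial at the last change of this record
    TtlSeconds   uint32 BE   network byte order, unlike every other field
    Reserved     uint32
    TimeStamp    uint32      aging timestamp (hours since 1601), 0 = static record
    Data         DataLength bytes

PTR and CNAME data is a DNS_COUNT_NAME: Length, LabelCount, then length-prefixed
labels, terminated by a 0x00 byte.
"""
from __future__ import annotations

import struct
from collections import defaultdict

_HDR_A = struct.Struct("<HHBBHI")  # DataLength, Type, Version, Rank, Flags, Serial
_HDR_TTL = struct.Struct(">I")     # TtlSeconds (big-endian)
_HDR_B = struct.Struct("<II")      # Reserved, TimeStamp
HEADER_LEN = _HDR_A.size + _HDR_TTL.size + _HDR_B.size  # 24 bytes

RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR"}  # the only types decoded below


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (as pasted from an LDAP tool) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_count_name(data: bytes) -> str:
    """Decode a DNS_COUNT_NAME into dotted text, e.g. 'bobtest' or 'host.corp.example'."""
    if len(data) < 3:
        raise ValueError("count name too short")
    total_len, label_count = data[0], data[1]
    pos, labels = 2, []
    for _ in range(label_count):
        n = data[pos]
        pos += 1
        if pos + n >= len(data):
            raise ValueError("label runs past the end of the name")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    # Length covers everything after LabelCount, including the terminating 0x00.
    if data[pos] != 0 or total_len != pos - 1:
        raise ValueError("malformed count name")
    return ".".join(labels)


def parse_dns_record(blob: bytes) -> dict:
    """Parse one dnsRecord value into its header fields plus a decoded value."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, version, rank, flags, serial = _HDR_A.unpack_from(blob, 0)
    (ttl,) = _HDR_TTL.unpack_from(blob, _HDR_A.size)
    _reserved, timestamp = _HDR_B.unpack_from(blob, _HDR_A.size + _HDR_TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the blob")
    rec = {"type": RECORD_TYPES.get(rtype, rtype), "version": version, "rank": rank,
           "flags": flags, "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype in (5, 12):
        rec["value"] = decode_count_name(data)
    elif rtype == 1 and data_len == 4:
        rec["value"] = ".".join(str(b) for b in data)
    else:
        rec["value"] = data.hex()  # undecoded types are kept as hex for inspection
    return rec


def build_ptr(target: str, serial: int, ttl: int = 3600) -> bytes:
    """Build a PTR dnsRecord blob; used here only to construct sample input."""
    labels = target.split(".")
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    data = bytes([len(raw), len(labels)]) + raw
    return (_HDR_A.pack(len(data), 12, 5, 0xF0, 0, serial)
            + _HDR_TTL.pack(ttl) + _HDR_B.pack(0, 0) + data)


def find_duplicate_ptrs(records: dict[str, list[bytes]]) -> dict[str, list[str]]:
    """Group reverse-zone entries by the host their PTRs name; >1 entry = duplicate."""
    by_host = defaultdict(list)
    for dn, blobs in records.items():
        for blob in blobs:
            rec = parse_dns_record(blob)
            if rec["type"] == "PTR":
                by_host[rec["value"].lower()].append(dn)
    return {host: dns for host, dns in by_host.items() if len(dns) > 1}


# Constructed sample: the DC=0 and DC=1 entries from joe's dump plus a constructed
# DC=7 entry that registers bobtest a second time.
_ZONE = "DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com"
SAMPLE_RECORDS = {
    f"DC=0,{_ZONE}": [build_ptr("bobtest", 2)],
    f"DC=1,{_ZONE}": [build_ptr("bobtest2", 3)],
    f"DC=7,{_ZONE}": [build_ptr("bobtest", 4)],
}

if __name__ == "__main__":
    for dn, blobs in SAMPLE_RECORDS.items():
        for blob in blobs:
            print(dn.split(",")[0], parse_dns_record(blob))
    print("duplicates:", find_duplicate_ptrs(SAMPLE_RECORDS))
```

Feeding real data means paging the dnsNode objects under the reverse zone over LDAP and passing each node's dnsRecord values (multi-valued) into find_duplicate_ptrs keyed by DN; the parser raises rather than guessing when a blob is shorter than its own DataLength claims, which is the case to log, not skip.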

RE: [ActiveDir] AD disaster recovery

2004-03-27 Thread joe
Hey Tom.

Something I have discussed on this list previously and was a topic for one
of the presentations at DEC by Intel is the idea of using Virtual Server or
VMWare for Virtual DCs. Then you can pick up the virtual disk image and take
it anywhere...

For example, always have a Virtual DC (for every domain) running on your
production network. Put it in an isolated site with all of the proper
registry entries set to prevent publishing in the directory (except the GUID
CNAME record so that replication isn't impacted) and the site link cost
cranked way up. Let it just sit and replicate on some schedule (some want it
up to date, some want it staggered as a lag site, up to you and your goals).
Then once per day (or whatever depending on replication cycle and your
goals) have the VM shut down and back up the file and then spin the VM back
up. 

Now this file (files if multiple DCs) you can pick up and take with you to a
DR site to recover with. Recovery is simply the act of spinning up a server
with VMWARE or Virtual Server and telling it to use the virtual disk (or
disks if multiple domains) and start the machines up. Next step though not
strictly unnecessary would be to chop out all of the DCs that aren't at that
site out of the directory. If you expect to be at the site for a while and
dependent on load capability needed I would consider spinning up one or more
physical DCs off the virtuals.  

Using the virtuals just clears so many issues out of the way it isn't funny
because you will have fully functioning DCs you are bringing along. And it
is much better than just spinning up on a laptop on your production network.


Now if you are doing serious DR work, you would actually take the images you
back up every day from production and either copy them across the network to
your remote DR site (preferably in another city, country, continent,
planet...) and it would always be there waiting. Alternatively you could
send to physical media (DVD, CD, Tape, etc) and ship to some archives
location or DR Site. 

  joe


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, March 22, 2004 9:51 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] AD disaster recovery

We're doing a DR test run of AD. We go to another location and try to
restore our network from tape backup(Veritas 8.6).
Each time we've run into serious issues when restoring AD to different
hardware(this is all our DR site provides) and have never been able to get
up and running.
So this time, I want to put AD on a laptop, give it a few days to replicate
with our network, then take the laptop with me to the DR site, force a
transfer of all the FSMO roles, and restore that way.
Also, for the other DC's, I just want to set up new domain controllers with
the same names and not restore the system state, i.e. AD. Just app specific
stuff and home directories.
Does anyone see a problem with this?
Will I run into issues with GUID's not matching or USN's?
We are also planning on restoring an Exchange 2k server.
Any help or advice, war stories,  would be greatly appreciated.
Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Eric Fleischman
While I (personally, speaking in a position of no power over this) tend
to agree that userAccountControl should be many attributes (IMHO anyway
for Joe's reason as well as others not cited in this thread), the
concept of having it as a constructed attribute (I assume that's what
you mean when you say a "generated attribute"?) wouldn't be elegant
here. Reason is, interop going forward will put you between a rock and a
hard place. You'll drop yourself in to one of two scenarios:
1) You have two dsa's (say w2k and w2k03 rtm) that show a different
userAccountControl for the same user. Reason is that the w2k03 rtm dsa
knows of some additional logic for userAccountControl that reads
ms-DS-NewAttributeInW2K03RTM and takes that in to account whereas w2k
knows nothing of it.
2) It is functional level dependent on the construction logic which is
too bad. I don't like the idea of userAccountControl on CN=SomeUser
being 123 until you change functional level when it changes to 456.
That'll drive people batty.

Also, you can get current time on the DSA off of RootDSE if you want to
set it to "now" from the perspective of the DC.

Finally, if you fire up ADAM you'll find that on ADAM users we have a
new attribute msDS-UserAccountDisabled (among others too:
msDS-UserDontExpirePassword, msDS-UserAccountAutoLocked, etc.).
We're getting there..

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Cute solution to an MS Generated issue. Yes, MS, you shouldn't have put
everything into useraccountcontrol attribute like that... That should have
been a generated attribute (or something else if you still needed it there)
I think and the real info stuffed into other locations so it could be
delegated properly... Now we have to ask for bit-level delegation capability
which, I doubt, will ever happen... Alternatively I guess we could ask for
some ldap "method type" attributes on objects that you set and they in the
background pop the appropriate bits on the objects. Say have an attribute
called something like userAccountControlDisable and when that is set to 1 it
sets the appropriate BIT and when it is set to 0 clears the BIT. Think about
the methods to move FSMO roles as to where I am going with that suggestion.

Anyway, yes, this method should work. Note that just like when you disable
an account it will take until expiration of the kerberos certs for it to
actually do anything... I.E. If I have a cert to Server A and you disable or
expire me my cert is STILL good until it expires and has to be renewed... By
default those certs last 600 minutes aka 10 hours (too long IMO). If you are
one of those folks who modified cert expiration times by extending them to
crutch UNIX/LINUX kerberos clients who aren't doing cert renewal as nicely
as MS was able to work out well then you have what I like to call... A
security issue. 

Now specifically, I haven't tested it either, but I don't think this script
will work with a delegated ID. It is using the WinNT provider which knows
less about delegation than the Exchange Dev guys. Almost everything doing
anything in the WinNT provider falls back to some NET API call and they
almost without exception all require some level of builtin permissions to do
changes... Like Account Op, Server Op, Admin, etc.

Recommendation would be to try and change it to the LDAP provider to see if
that works. I would say set the date to some time in the past, say 24 hours
ago or something like that then you don't have any TZ worries that could come
up with setting the exact current time.

   joe 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 27, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Mike,

I haven't tested this out, but I suppose that one could do as you
suggest
and run a script similar to the following:

Dim User
Dim UserName
Dim UserDomain
Dim AccountExpirationDate
UserDomain = "Target_User_Domain"
UserName = "Target_User_Name"
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
AccountExpirationDate = #Date on which to expire [today / yesterday?]#
'format is #mm/dd/# - at least for us US folks
User.AccountExpirationDate = AccountExpirationDate
User.SetInfo

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Saturday, March 27, 2004 10:25 AM

RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread joe
Cute solution to an MS Generated issue. Yes, MS, you shouldn't have put
everything into useraccountcontrol attribute like that... That should have
been a generated attribute (or something else if you still needed it there)
I think and the real info stuffed into other locations so it could be
delegated properly... Now we have to ask for bit-level delegation capability
which, I doubt, will ever happen... Alternatively I guess we could ask for
some ldap "method type" attributes on objects that you set and they in the
background pop the appropriate bits on the objects. Say have an attribute
called something like userAccountControlDisable and when that is set to 1 it
sets the appropriate BIT and when it is set to 0 clears the BIT. Think about
the methods to move FSMO roles as to where I am going with that suggestion.

Anyway, yes, this method should work. Note that just like when you disable
an account it will take until expiration of the kerberos certs for it to
actually do anything... I.E. If I have a cert to Server A and you disable or
expire me my cert is STILL good until it expires and has to be renewed... By
default those certs last 600 minutes aka 10 hours (too long IMO). If you are
one of those folks who modified cert expiration times by extending them to
crutch UNIX/LINUX kerberos clients who aren't doing cert renewal as nicely
as MS was able to work out well then you have what I like to call... A
security issue. 

Now specifically, I haven't tested it either, but I don't think this script
will work with a delegated ID. It is using the WinNT provider which knows
less about delegation than the Exchange Dev guys. Almost everything doing
anything in the WinNT provider falls back to some NET API call and they
almost without exception all require some level of builtin permissions to do
changes... Like Account Op, Server Op, Admin, etc.

Recommendation would be to try and change it to the LDAP provider to see if
that works. I would say set the date to some time in the past, say 24 hours
ago or something like that then you don't have any TZ worries that could come
up with setting the exact current time.

   joe 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 27, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Mike,

I haven't tested this out, but I suppose that one could do as you suggest
and run a script similar to the following:

Dim User
Dim UserName
Dim UserDomain
Dim AccountExpirationDate
UserDomain = "Target_User_Domain"
UserName = "Target_User_Name"
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
AccountExpirationDate = #Date on which to expire [today / yesterday?]#
'format is #mm/dd/# - at least for us US folks
User.AccountExpirationDate = AccountExpirationDate
User.SetInfo

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, March 27, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Hi Rick,
Thanks for the feedback!  That's exactly what I thought would happen but
I needed an expert's view!  I was thinking instead I could achieve roughly
the same effect by giving the group read/write access over the User Account
property named "AccountExpires" and set it to the current timestamp.  Is this
thinking also flawed?
 
Mike Thommes

-Original Message- 
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 10:06 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] permissions to only disable an AD user
account


Mike,
 
The property that you're looking to delegate is the 'Write
userAccountControl'.  However, that does open up an interesting can of
worms.  The userAccountControl property, as you may well know, is a series of
flags that control a number of aspects of the user account - enable (flag
value 512) and disable (flag value 514) being only two.  Look here for more
info.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
 
So, if you delegate the ability to disable an account, you're also
going to, by association, delegate quite a bit more - which you may not want
to do, which means it really can't be done - directly.  You of course, can
script or provide a compiled tool called, e.g. 'accountdisable.exe' which
would do nothing more.  But, the risk is that the property is well
documented and someon

RE: [ActiveDir] OU/Computer accounts reorganization

2004-03-27 Thread joe
Howdy all, reviving this chain for a moment...

Someone contacted me on this via email when I came back from DEC so I
whipped up the joeware tool to do the address to subnet/site name mapping...
You can find it on the joeware site with all of the other free tools on the
Free Win32 C++ Tools page. It is called ATSN (Address To Subnet/Site
Name).

Looks sort of like this...

[Sat 03/27/2004 13:49:54.87]
F:\DEV\cpp\ATSN>atsn 192.168.1.1 192.168.2.1 192.168.0.2

ATSN V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) March 2004

IP Count: 3
>192.168.0.2;Default-First-Site-Name;192.168.0.2/32
>192.168.1.1;Default-First-Site-Name;(null)
>192.168.2.1;Default-First-Site-Name;(null)

The command completed successfully.


[Sat 03/27/2004 13:50:23.79]
F:\DEV\cpp\ATSN>


Will also take input from a file and output to a file. You can also specify
a DC to use for the resolution instead of letting the machine find the
default LDAP (AD) server. 





-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, February 22, 2004 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Assuming you have 

A. All of your subnets for these machines properly defined to subnets
B. Proper DNS entries for all of these machines
C. An easy way to map site to OU

I would do the following


1. Generate in memory table of all machine names, machine's ou, current
site, dns host name via AD query.
2. Loop through all machines 
3.   Retrieve the IP address from the dnshostname (nslookup or ip lookup in
perl)
4.   Do something that calls DsAddressToSiteNames to get the site name for
that IP address
5.   Check ou name / site name map for the machine's OU name to verify in
the right OU
6. If different, move to new OU defined by the OU Name / Site Name map
7. End Loop

All of that is readily available except to my knowledge something that lets
you do the DsAddressToSiteNames. If you want to go down this road and can't
find something that does that (or someone on the list isn't aware of
something) send a note to joe at joeware.net and ask for it (this goes for
anyone) and there is a programmer guy over there (or at least he likes to
pretend to be one sometimes) who could whip up a little tool that takes an
IP address and kicks out a site. 

Note that I have seen a couple of scripts that try to "fake" finding the
site for an IP address. I haven't seen one that worked right yet. The method
used has to be a btree to find the best match and all of the ones I have
seen are doing simple string matching and if you had a hierarchical subnet
to site layout it could fail to properly give you a site. Ex: You define
some top level subnets and some lower level subnets but for only some of
them...

Ex:

136.0.0.0/8  - Site MainSite
136.124.234.0/24 - Site WAN Site 1
136.124.192.0/24 - Site WAN Site 2

Then if you send in 136.220.198.24 it returns nothing matching or returns
MainSite for everything including 136.124.234.45. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 20, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization

Good morning,
We work in a native windows 2000 AD Architecture, with a single domain and 4
sites.
Computer accounts have been organized into OUs according to which site they
belong to.
Unfortunately the reorganization wasn't performed well. We have cases of
machines that were placed in the wrong Ous with subsequent problems with
group policies which, in many cases, are linked to the Organizational units.

There are Thousands of Pc accounts, unfortunately machine names do not help
to determine their site.

Anybody might want to suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

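An added example, not the ATSN tool and not code from the thread, showing the lookup rule joe describes: pick the most specific subnet containing the address, which is what a best-match tree gives you and what the simple string-prefix scripts get wrong. It also carries joe's OU reorganization loop through to a move plan. The subnet table is constructed from his example layout; the site-to-OU map, machine names, OUs and addresses are hypothetical. It works offline on an inline table rather than asking a DC via DsAddressToSiteNames.

```python
"""Resolve IP addresses to AD site names by longest-prefix subnet match and
plan computer-object moves from the result.

Added example; not the ATSN tool and not code from the thread. It does not call
DsAddressToSiteNames (which does this lookup on the DC); the subnet table is a
constructed copy of the layout joe describes so the selection rule runs offline.
"""
import ipaddress

# Constructed subnet -> site table using joe's example layout.
SUBNET_TO_SITE = {
    "136.0.0.0/8": "MainSite",
    "136.124.234.0/24": "WAN Site 1",
    "136.124.192.0/24": "WAN Site 2",
}

# Constructed site -> OU map (hypothetical OU names) for the reorganization step.
SITE_TO_OU = {
    "MainSite": "OU=MainSite,OU=Workstations,DC=example,DC=com",
    "WAN Site 1": "OU=WANSite1,OU=Workstations,DC=example,DC=com",
    "WAN Site 2": "OU=WANSite2,OU=Workstations,DC=example,DC=com",
}


def build_subnet_table(mapping):
    """Parse the CIDR strings and order them most-specific first, so the first
    containing network is the best match (the behaviour a prefix tree gives)."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(ip, table):
    """Return (site, subnet) for the most specific subnet containing ip,
    or (None, None) when no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site, str(net)
    return None, None


def naive_site_lookup(ip, mapping):
    """The string-prefix shortcut joe warns about: the first octet-prefix hit wins,
    so a /8 listed before its /24 children swallows every address inside them."""
    for cidr, site in mapping.items():
        network, prefixlen = cidr.split("/")
        octets = network.split(".")[: int(prefixlen) // 8]
        if ip.split(".")[: len(octets)] == octets:
            return site
    return None


def plan_moves(machines, table, site_to_ou):
    """machines: iterable of (name, current_ou, ip).
    Returns (moves, unresolved): moves are (name, current_ou, target_ou) where the
    OU disagrees with the site; unresolved lists machines whose address matched no
    subnet, which are deliberately left where they are for a human to look at."""
    moves, unresolved = [], []
    for name, current_ou, ip in machines:
        site, _ = site_for_address(ip, table)
        if site is None:
            unresolved.append(name)
            continue
        target = site_to_ou[site]
        if target.lower() != current_ou.lower():
            moves.append((name, current_ou, target))
    return moves, unresolved


# Constructed inventory (names, OUs and addresses are hypothetical).
SAMPLE_MACHINES = [
    ("PC001", SITE_TO_OU["MainSite"], "136.220.198.24"),   # already correct
    ("PC002", SITE_TO_OU["MainSite"], "136.124.234.45"),   # belongs in WAN Site 1
    ("PC003", SITE_TO_OU["WAN Site 2"], "136.124.192.7"),  # already correct
    ("PC004", SITE_TO_OU["MainSite"], "10.9.8.7"),         # no subnet defined
]

if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    for _, _, ip in SAMPLE_MACHINES:
        print(ip, "best match:", site_for_address(ip, table),
              "naive:", naive_site_lookup(ip, SUBNET_TO_SITE))
    print(plan_moves(SAMPLE_MACHINES, table, SITE_TO_OU))
```

In the live procedure the (name, OU, IP) tuples come from the AD query and DNS lookups in joe's steps 1 to 3, and each move in the plan becomes a MoveHere against the target OU; keeping the unresolved list separate stops a missing subnet object from silently parking machines in the wrong OU.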


RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Rick Kingslan
Mike,

I haven't tested this out, but I suppose that one could do as you suggest
and run a script similar to the following:

Dim User  
Dim UserName
Dim UserDomain
Dim AccountExpirationDate
UserDomain = "Target_User_Domain"
UserName = "Target_User_Name"
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
AccountExpirationDate = #Date on which to expire [today / yesterday?]#
'format is #mm/dd/# - at least for us US folks
User.AccountExpirationDate = AccountExpirationDate
User.SetInfo 

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, March 27, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] permissions to only disable an AD user account

Hi Rick,
Thanks for the feedback!  That's exactly what I thought would happen but
I needed an expert's view!  I was thinking instead I could achieve roughly
the same effect by giving the group read/write access over the User Account
property named "AccountExpires" and set it to the current timestamp.  Is this
thinking also flawed?
 
Mike Thommes

-Original Message- 
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 10:06 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] permissions to only disable an AD user
account


Mike,
 
The property that you're looking to delegate is the 'Write
userAccountControl'.  However, that does open up an interesting can of
worms.  The userAccountControl property, as you may well know, is a series of
flags that control a number of aspects of the user account - enable (flag
value 512) and disable (flag value 514) being only two.  Look here for more
info.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
 
So, if you delegate the ability to disable an account, you're also
going to, by association, delegate quite a bit more - which you may not want
to do, which means it really can't be done - directly.  You of course, can
script or provide a compiled tool called, e.g. 'accountdisable.exe' which
would do nothing more.  But, the risk is that the property is well
documented and someone with half a brain could figure out that they have
more than what was intended.  They then will be able to create their own
scripts and have a good old time playing with the properties of the users in
their delegated area.
 
Hope this answers what you are looking for.
 
Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, March 26, 2004 4:00 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] permissions to only disable an AD user account


I hope there is an easy answer to the following question: I would
like to delegate authority to a group to be able to disable user accounts
down in an OU.  But I don't want to have to also give them the ability to
create/delete user accounts.  I've looked around the Delegation Wizard
custom tasks, but really don't find anything to do this single purpose
action.  Anybody have an answer?  Thanks!
 
Mike Thommes



RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Thommes, Michael M.
Hi Rick,
Thanks for the feedback!  That's exactly what I thought would happen but I needed 
an expert's view!  I was thinking instead I could achieve roughly the same effect by 
giving the group read/write access over the User Account property named 
"AccountExpires" and set it to the current timestamp.  Is this thinking also flawed?
 
Mike Thommes

-Original Message- 
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 10:06 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] permissions to only disable an AD user account


Mike,
 
The property that you're looking to delegate is the 'Write 
userAccountControl'.  However, that does open up an interesting can of worms.  The 
userAccountControl property, as you may well know, is a series of flags that control a 
number of aspects of the user account - enable (flag value 512) and disable (flag 
value 514) being only two.  Look here for more info.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
 
So, if you delegate the ability to disable an account, you're also going to, 
by association, delegate quite a bit more - which you may not want to do, which means 
it really can't be done - directly.  You of course, can script or provide a compiled 
tool called, e.g. 'accountdisable.exe' which would do nothing more.  But, the risk is 
that the property is well documented and someone with half a brain could figure out 
that they have more than what was intended.  They then will be able to create their 
own scripts and have a good old time playing with the properties of the users in their 
delegated area.
 
Hope this answers what you are looking for.
 
Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
Michael M.
Sent: Friday, March 26, 2004 4:00 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] permissions to only disable an AD user account


I hope there is an easy answer to the following question: I would like to 
delegate authority to a group to be able to disable user accounts down in an OU.  But 
I don't want to have to also give them the ability to create/delete user accounts.  
I've looked around the Delegation Wizard custom tasks, but really don't find anything 
to do this single purpose action.  Anybody have an answer?  Thanks!
 
Mike Thommes

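An added example, not code from any poster in this thread, that ties the three points above together: Rick's flag values (512 enabled, 514 disabled), joe's idea of a single-purpose "disable" operation that touches one bit, and Mike's accountExpires alternative. It decodes userAccountControl, flips only ACCOUNTDISABLE, reports any bits a delegate changed beyond that (the audit Rick's warning calls for), and converts between datetimes and accountExpires values, including the "set it a day in the past" variant joe suggests. Flag values are the documented ones from the KB article cited above; the fixed timestamp is constructed.

```python
"""Decode userAccountControl, flip only the disable bit, audit for extra changes,
and convert accountExpires values.

Added example, not code from the thread. Flag values are the documented
userAccountControl bits (KB305144, cited above). accountExpires is a Windows
FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, where 0 and
0x7FFFFFFFFFFFFFFF both mean "never expires".
"""
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Names of the set bits, lowest bit first; bits not in the table appear as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    if value & ~KNOWN_MASK:
        names.append(f"0x{value & ~KNOWN_MASK:x}")
    return names


def disable(uac):
    """The one-bit operation joe wants exposed as its own attribute: 512 -> 514."""
    return uac | ACCOUNTDISABLE


def enable(uac):
    return uac & ~ACCOUNTDISABLE


def unexpected_changes(before, after, allowed=ACCOUNTDISABLE):
    """Bits that changed outside the allowed mask. Run over attribute-change audit
    data for the delegated OU: a 'disable only' delegate who wrote anything more
    than ACCOUNTDISABLE (Rick's concern) shows up as a non-empty list."""
    changed = (before ^ after) & ~allowed
    return decode_uac(changed)


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF


def to_account_expires(when):
    """Aware datetime -> accountExpires integer (100 ns ticks since 1601)."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_account_expires(value):
    """accountExpires integer -> aware UTC datetime, or None for 'never'."""
    if value in (0, NEVER_EXPIRES):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def expire_in_the_past(now, hours=24):
    """joe's variant: put the expiry a day back so time-zone slop cannot leave the
    account valid for a few more hours."""
    return to_account_expires(now - timedelta(hours=hours))


def is_expired(value, now):
    when = from_account_expires(value)
    return when is not None and when <= now


def sample_now():
    """Constructed fixed timestamp (the thread's date, noon UTC) so runs are reproducible."""
    return datetime(2004, 3, 27, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print(decode_uac(512), "->", decode_uac(disable(512)))
    print("extra bits written:", unexpected_changes(512, disable(512) | 0x400000))
    print("accountExpires a day back:", expire_in_the_past(sample_now()))
```

Whichever route is delegated, the Kerberos point joe makes still holds: an expiry or disable stops new ticket issuance, and existing tickets keep working until they lapse, so the audit of what a delegate actually wrote is the control you can enforce immediately.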


RE: [ActiveDir] Used to be - Anyone ever convert dnsRecord attribute?

2004-03-27 Thread Rick Kingslan




"BTW, if you 
didn't go to the Directory Experts Conference, you missed a good time. NetPro 
did a good job and there was a lot of good discussions. Plus some of the stuff 
Stuart was talking about was pretty darn cool. "
 
Firstly, just rub it 
in.  Secondly, are you under NDA?  Cut loose with some specifics, 
man!
 

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 26, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

Interesting problem. 
 
What specifically do you need out of the octet string, just 
the host name?
 
Anyone have a map of what exactly is in octet string or 
what data should be in it even if you don't know the format? I would assume 
probably serial number and some other info? It isn't in MSDN that I see. 

 
dn:DC=0,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com>dnsRecord: 
0B00 0C00 05F0  0200   0E10     0901 0762 6F62 7465 
7374 00
 
dn:DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=com>dnsRecord: 
0C00 0C00 05F0  0300   0E10     0A01 0862 6F62 7465 
7374 3200
 
From this it appears that the hostname starts at about the 
13th dword. So above would be 0A01 0862 6F62 7465 7374 3200 and 0A01 0862 6F62 
7465 7374 3200 for the names which would resolve into bobtest and bobtest2. 

 
This could be done fairly painlessly with perl I think... 

 
 
As for Al's question about why enumerate via LDAP? Because 
its there baby, that is the beauty of using LDAP. If you aren't going to do LDAP 
queries, might as well be using a SQL Server or flat file or something. 

 
Let me see what I can do with this. I just put the 
Disturbed CD in, feeling like doing some hacking. 
 
 
BTW, if you didn't go to the Directory Experts Conference, 
you missed a good time. NetPro did a good job and there was a lot of good 
discussions. Plus some of the stuff Stuart was talking about was pretty darn 
cool. 
 
 
-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
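
The parsing joe sketches above, written out as an added Python example (it is not code from the post, from joeware or from Microsoft). It assumes the dnsRecord layout that MS-DNSP documents for DNS_RPC_RECORD: a 24-byte header of DataLength, Type, Version, Rank, Flags, Serial, a big-endian TtlSeconds, Reserved and TimeStamp, followed by the record data, with PTR/NS/CNAME targets stored as a length byte, a label-count byte and length-prefixed labels ending in 0x00. That is consistent with the name beginning at the 13th two-byte group (byte offset 24) in the dumps above. The sample zone is constructed here, not joe's data. The example goes beyond the PTR case to A and AAAA data and adds the duplicate-registration check that started the thread, so the same LDAP export can be audited without converting the zone to a standard primary.

```python
import struct
from collections import defaultdict

# Record types decoded here (values from the DNS RR type registry).
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}

# Fixed header in front of every dnsRecord value. Layout assumed from MS-DNSP
# DNS_RPC_RECORD (not stated in the post):
#   DataLength u16 LE, Type u16 LE, Version u8, Rank u8, Flags u16 LE,
#   Serial u32 LE, TtlSeconds u32 BIG-endian, Reserved u32 LE, TimeStamp u32 LE
HEADER_LEN = 24


def parse_count_name(data: bytes) -> str:
    """Decode a DNS_COUNT_NAME: Length, LabelCount, then length-prefixed labels and 0x00."""
    length, label_count = data[0], data[1]
    if length != len(data) - 2:
        raise ValueError("DNS_COUNT_NAME length byte does not match the data")
    labels, pos = [], 2
    for _ in range(label_count):
        n = data[pos]
        pos += 1
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def parse_dns_record(blob: bytes) -> dict:
    """Split one dnsRecord value into its header fields and a readable data value."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its fixed header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)  # TTL is the one big-endian field
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord truncated: DataLength exceeds the value")
    type_name = RECORD_TYPES.get(rtype, f"TYPE{rtype}")
    if type_name == "A" and data_len == 4:
        value = ".".join(str(b) for b in data)
    elif type_name == "AAAA" and data_len == 16:
        value = ":".join(f"{data[i] << 8 | data[i + 1]:x}" for i in range(0, 16, 2))
    elif type_name in ("PTR", "NS", "CNAME"):
        value = parse_count_name(data)
    else:
        value = data.hex()  # unknown type: leave raw for the reader
    return {"type": type_name, "serial": serial, "ttl": ttl, "rank": rank, "value": value}


def build_count_name(fqdn: str) -> bytes:
    """Encode a name as DNS_COUNT_NAME; used only to construct sample values."""
    labels = fqdn.rstrip(".").split(".")
    raw = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def build_dns_record(rtype: int, data: bytes, serial: int, ttl: int = 3600) -> bytes:
    """Construct a dnsRecord value with the header layout above (sample data only)."""
    return (struct.pack("<HHBBHI", len(data), rtype, 5, 0xF0, 0, serial)
            + struct.pack(">I", ttl)
            + struct.pack("<II", 0, 0)
            + data)


def find_duplicate_ptrs(zone: dict) -> dict:
    """zone maps an owner (the dnsNode's DC= value, e.g. the last octet) to its dnsRecord
    values. Returns PTR targets registered under more than one owner, i.e. one host name
    sitting on several addresses in the reverse zone."""
    owners_by_target = defaultdict(set)
    for owner, blobs in zone.items():
        for blob in blobs:
            rec = parse_dns_record(blob)
            if rec["type"] == "PTR":
                owners_by_target[rec["value"].lower()].add(owner)
    return {t: sorted(o) for t, o in owners_by_target.items() if len(o) > 1}


# Constructed sample reverse zone (not the poster's data): three dnsNode objects,
# with "bobtest" registered under two addresses.
SAMPLE_ZONE = {
    "10": [build_dns_record(12, build_count_name("bobtest.joehome.com"), serial=2)],
    "11": [build_dns_record(12, build_count_name("bobtest.joehome.com"), serial=5)],
    "12": [build_dns_record(12, build_count_name("bobtest2.joehome.com"), serial=3)],
}

if __name__ == "__main__":
    for owner, blobs in SAMPLE_ZONE.items():
        for blob in blobs:
            print(owner, parse_dns_record(blob))
    print("duplicates:", find_duplicate_ptrs(SAMPLE_ZONE))
```

In practice the `zone` dict is filled from an LDAP search under `CN=MicrosoftDNS,CN=System,...` for objectClass dnsNode, taking each object's `dc` value as the owner and its (multi-valued) `dnsRecord` as the blobs; the parser raises on a value shorter than its header or with an inconsistent DataLength rather than silently reading past the end.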
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, March 26, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?


David,
 
I am sure it will work but my DNS has over 45000+ objects and it is running on a production network. It scares me a little to do that.
 
Y


From: Chianese, David P.
Sent: Fri 26/03/2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?

As Al 
mentioned, why not convert the zone to Std. Primary and take a copy of the zone 
files that are written to disk.  Then revert it back to ADI.  I have 
done this before without incident to supply our BIND unix servers 
copies (or pieces) of our zone files.  I have done this in the past for 
stale PTR records as well.
 
 
Regards,
 
Dave

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
  Sent: Friday, March 26, 2004 2:30 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
  
  I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to a txt file (4+ objects) so I can parse it using Excel. I actually found the article you mention but then I have to install the WMI provider on the DC. I am hoping to avoid this if I can. That's why I am hoping to use LDAP with some sort of OctetString converter.
   
   
  Y 
  
  
  
  
  From: Mulnick, Al
  Sent: Fri 26/03/2004 1:04 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
  
  You mean like a zone transfer?
   
  DNS.CMD could be useful, scripting could be useful such 
  as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx (note 
  the requirements).
  DNSLINT might have some value for you as 
  well.
  Heck, Nslookup in a loop might be useful but you'd have 
  to know what you're going after.  
   
  Saying all of that, you could transfer the zone to a 
  non-integrated instance and parse the zone file if you really wanted 
  to. 
   
  I'd opt for the script, but that's me.
   
   
   
  Al
  
  
  From: AD [mailto:[EMAIL PROTECTED]
  Sent: Friday, March 26, 2004 1:00 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
  
  
  Hi Al,
   
  Can you elaborate how I can export the 
  entire zone via DNS.
   
  Thanks
   
  Yves
  
  
  From: Mulnick, Al
  Sent: Fri 26/03/2004 11:57 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Anyone ever convert dnsRecord at

RE: [ActiveDir] permissions to only disable an AD user account

2004-03-27 Thread Rick Kingslan



Mike,
 
The property that you're looking to delegate is the 'Write 
userAccountControl'.  However, that does open up an interesting can of 
worms.  The userAccountControl property, as you may well know, is a series 
of flags that control a number of aspects of the user account - enable (flag 
value 512) and disable (flag value 514) being only two.  Look here for more 
info.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
 
So, if you delegate the ability to disable an account, 
you're also going to, by association, delegate quite a bit more - which you may 
not want to do, which means it really can't be done - directly.  You of 
course, can script or provide a compiled tool called, 
e.g. 'accountdisable.exe' which would do nothing more.  But, the risk 
is that the property is well documented and someone with half a brain could 
figure out that they have more than what was intended.  They then will be 
able to create their own scripts and have a good old time playing with the 
properties of the users in their delegated area.
 
Hope this answers what you are looking 
for.
 
Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
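
To make concrete how much a 'Write userAccountControl' grant actually covers, here is an added Python example; it is not code from Rick's reply or from any Microsoft tool. It decodes the flag word with the bit values the KB article above lists (the ADS_USER_FLAG names), then reviews a constructed set of before/after values, the kind an auditor would pull from directory change records, and reports whether each write stayed within "disable only" and whether it set flags that weaken the account's authentication requirements or widen what it may do. The set of flags treated as risky is my own selection, not a Microsoft list.

```python
# userAccountControl bit values (ADS_USER_FLAG_ENUM, the table KB305144 lists).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Flags whose setting weakens authentication or widens what the account can do.
# My own selection of what a reviewer should alarm on (assumption, not a Microsoft list).
RISKY_FLAGS = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION",
    "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value: int) -> list:
    """Return the names of the flags set in a userAccountControl value."""
    names = [name for name, bit in UAC_FLAGS.items() if value & bit]
    unknown = value & ~sum(UAC_FLAGS.values())
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def review_uac_write(old: int, new: int) -> dict:
    """Compare the value before and after one write of the attribute."""
    before, after = decode_uac(old), decode_uac(new)
    added = [n for n in after if n not in before]
    removed = [n for n in before if n not in after]
    # The only change a "disable only" delegate should ever produce: the
    # ACCOUNTDISABLE bit turned on and nothing else touched (512 -> 514).
    disable_only = new == old | UAC_FLAGS["ACCOUNTDISABLE"]
    return {
        "added": added,
        "removed": removed,
        "disable_only": disable_only,
        "risky_added": sorted(set(added) & RISKY_FLAGS),
    }


def audit_uac_changes(changes) -> list:
    """changes: iterable of (sAMAccountName, old_value, new_value).
    Returns a finding for every write that went beyond disabling the account."""
    findings = []
    for user, old, new in changes:
        report = review_uac_write(old, new)
        if not report["disable_only"]:
            findings.append({"user": user, **report})
    return findings


# Constructed sample of before/after values (not real accounts):
SAMPLE_CHANGES = [
    ("alice", 0x200, 0x202),             # 512 -> 514: a plain disable, within scope
    ("bob",   0x200, 0x200 | 0x400000),  # same write right, pre-authentication switched off
    ("carol", 0x202, 0x200),             # re-enabled: also not "disable only"
    ("dave",  0x202, 0x202),             # no change
]

if __name__ == "__main__":
    for finding in audit_uac_changes(SAMPLE_CHANGES):
        print(finding)
```

The point Rick makes falls out of `review_uac_write`: the ACL grants write access to the whole attribute, so the only thing separating "disable" from "turn off pre-authentication" is which bits the caller chooses to set, and that is something a reviewer can only check after the fact by comparing old and new values.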


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, March 26, 2004 4:00 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] permissions to only disable an AD user account

I hope there is an 
easy answer to the following question: I would like to delegate authority to a 
group to be able to disable user accounts down in an OU.  But I don't want 
to have to also give them the ability to create/delete user accounts.  I've 
looked around the Delegation Wizard custom tasks, but really don't find anything 
to do this single purpose action.  Anybody have an answer?  
Thanks!
 
Mike Thommes


RE: [ActiveDir] _Msdcs.domain.com Zone Creation

2004-03-27 Thread Nathan Casey



Thanks for the reply. Your answer was what I was thinking was the best method.
Nathan
 
Nathan Casey
Network Analyst
WGS-ISD County of Sonoma
[EMAIL PROTECTED]
(707) 565-3519

>>> [EMAIL PROTECTED] 03/26/04 07:09PM >>>





Simple answer: It is by design.  In Windows 2003, if you have a DNS zone, the DCPROMO process won't create a _msdcs.domain.com.  You have to manually create it.  To create a _msdcs.domain.com after the DCPROMO, create a new forward lookup zone called _msdcs.domain.com and restart the Netlogon service.  It will automatically move all the _msdcs subzone to the newly created _msdcs.domain.com zone.  And the _msdcs subzone will become a delegated zone.

My recommendation: Create a DNS zone first and make sure everything is ok before doing the DCPROMO.  I don't like the fancy DCPROMO+DNS method.

Santhosh




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Thursday, March 25, 2004 7:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] _Msdcs.domain.com Zone Creation
 

I am setting up a lab to test AD migration and have a question about _Msdcs.domain.com Zone Creation.

dcpromo with DNS configured first: installed DNS and forward lookup zone (domain.gov). Server points to itself as primary DNS server and registered itself in the domain.gov zone. I then ran dcpromo. Dcpromo saw that DNS was already configured and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was not created.

Dcpromo without DNS configured first: Server points to itself as primary DNS. DNS is not configured. I ran dcpromo. Dcpromo saw that DNS was not already configured and offered to install it for me, which I chose to do. I set up domain.gov and continued with the install. After reboot, the _msdcs, _sites, _tcp, and _udp zones were created under the domain.gov zone. The forward lookup zone _Msdcs.domain.gov was also created.

Why does the _Msdcs.domain.gov zone not get created when dcpromo is run with DNS already configured? How can I create the _Msdcs.domain.gov zone?

 

What is the best method for configuring DNS on the first DC in the forest root domain? Configure DNS, then run dcpromo? Or let the dcpromo process configure DNS?

 

Thank you

Nathan