RE: [ActiveDir] GC removal

2004-07-16 Thread Eric Fleischman
Perhaps I'm not being clear, sorry Daniel.
If you are running 2003 or SP4 on 2k, there is no QFE to be obtained.
You have rapid demotion on your GCs already. Just click the box and wait
for the process to finish. :)

~Eric


-Original Message-
From: Eric Fleischman 
Sent: Friday, July 16, 2004 11:50 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GC removal

Note that the article says 2k. The code path in question is in 2k03 out
of the box.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

Thanks.  If I understand your reply correctly, since my GC is a W2K3 server
the removal/deletion should move along unless preempted.

If it is still in the removal process Monday morning, I will contact my PSS
rep and see if I can't get the KB from them.

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, July 16, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

In 2k03 we introduced rapid gc demotion.
Out of the box on 2k, we'll clean out 500 objects per KCC run. Since KCC
runs every 15 mins, that translates to 2000 objects per hour that are
cleaned out.

This was changed in 2k03 to be as fast as we can so long as we aren't
preempted, and this behavior was backported to 2k as of SP4. So if you
have SP4 on the GC, you will get the rapid demotion behavior.

There should be a KB on this... ah here it is.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;325378

Oh look at that typo... it says "slow to remove connection objects" when
it should be "slow to remove objects". I'll submit a change request to
get that fixed.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 16, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

:o)

Nod, the serious part was about Dean's previous post.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L Mr ANOSC/FCBS
Sent: Friday, July 16, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

C'mon Joe, I knew I could do that, I was trying to find a way to speed up
nature/evolution.

Dan

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

The fastest method I have found is to demote the server. :o)

I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GC removal

Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script out
there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GC removal

2004-07-16 Thread Eric Fleischman
Note that the article says 2k. The code path in question is in 2k03 out
of the box.




Re: [ActiveDir] Share creation permissions

2004-07-16 Thread Steve Patrick
You can indeed have a user be a power user - or even an admin, and remove
the ability to create shares.

Bruce already pointed out, if they are not power users or admins then they
already cannot create file\print shares.

There is a registry value called SrvsvcShareFileInfo under
\lanmanserver\DefaultSecurity which can be edited in order to remove the
"right".

This is covered in the security FAQ here..
http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx


Share creation restrictions. Access to share operations such as creating a
share, changing share information, and deleting a share, are controlled by
security descriptors. On a server, administrators can decide who can/cannot
perform certain share operations. For example, on a file server,
administrators should be able to delegate or remove Power Users to create
file shares. The ability to create/delete shares is controlled by an ACE in
the security descriptor, where Power Users can be added/removed from the
security descriptor to allow or deny the ability.
The security descriptors are stored in the registry by SRV service, under
LanManServer\DefaultSecurity, as following:

  . SrvsvcShareFileInfo, REG_BINARY: Permission to control access on file share operation.
  . SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on print share operation.
  . SrvsvcShareAdminInfo, REG_BINARY

Keep in mind that this is really just security by obscurity, as the admin
can obviously just pop him\her self back in there. I guess I would need to
determine how smart my end users really were in this case :)


my .02
-steve


- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 2004 3:10 PM
Subject: RE: [ActiveDir] Share creation permissions


> Make them normal users.
>
>
> Unfortunately that work is proxied through svchost so you can't lock down by
> group other than what MS supplies by default.
>
> Yes, that is archaic and not very security minded.
>
>joe
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A Contr InDyne/Enterprise IT
> Sent: Friday, July 16, 2004 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Share creation permissions
>
> I have a proposed requirement to restrict the ability to create shares on
> the workstation to all but a few people within the domain.  Anyone have an
> idea as to how to do this?
>
>
>
> v/r
>
> RC
>
> Comments and concerns can be directed back to me, complaints can be directed
> to /dev/null
>
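An added example, not code from the post or from the FAQ it quotes: decode the three REG_BINARY descriptors named above and list who currently holds share-management rights, so the Power Users grant Steve describes can be checked on a box rather than assumed. The full key path and the "expected" principal set are my assumptions, not the page's.

```powershell
# Added example (not from the post or the FAQ it quotes): decode the SRV service's share-operation
# security descriptors from the registry and report who holds share-management rights.
# Assumptions (mine): the full key path below, and the "expected" principal set. Run elevated.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$values  = 'SrvsvcShareFileInfo', 'SrvsvcSharePrintInfo', 'SrvsvcShareAdminInfo'

# Principals we expect to be allowed; any other AccessAllowed ACE is flagged for review.
$expected = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
}
$powerUsersSid = 'S-1-5-32-547'   # BUILTIN\Power Users, the group the FAQ talks about

function Convert-SidToName([System.Security.Principal.SecurityIdentifier]$sid) {
    if ($null -eq $sid) { return '(none)' }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

foreach ($name in $values) {
    $bytes = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $bytes) { Write-Warning "$name is not set; the service's built-in default applies"; continue }

    # The REG_BINARY value is a self-relative SECURITY_DESCRIPTOR; RawSecurityDescriptor parses it.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    "== $name  (owner: $(Convert-SidToName $sd.Owner))"

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }   # skip unknown ACE types
        $sid  = $ace.SecurityIdentifier.Value
        $flag = ''
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            if ($sid -eq $powerUsersSid)   { $flag = '  <- Power Users may create/delete shares' }
            elseif (-not $expected[$sid])  { $flag = '  <- not in the expected set, review' }
        }
        '{0,-14} {1,-36} mask=0x{2:X8}{3}' -f $ace.AceType, (Convert-SidToName $ace.SecurityIdentifier), $ace.AccessMask, $flag
    }
}
```

Since an administrator can simply write the Power Users ACE back (Steve's point), keep the decoded descriptors in your baseline and re-run this from a scheduled job or configuration-management check so a change is noticed rather than assumed away.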


RE: [ActiveDir] GC removal

2004-07-16 Thread Daniel Gilbert
Thanks.  If I understand your reply correctly, since my GC is a W2K3 server
the removal/deletion should move along unless preempted.

If it is still in the removal process Monday morning, I will contact my PSS
rep and see if I can't get the KB from them.

Dan



RE: [ActiveDir] Linked Values & other good stuff

2004-07-16 Thread Brian Desmond
Yeah I have it set to view users, whatever as containers. Don't actually use it that 
often. I just discovered today that I can make template accounts with it. Wonders of 
GUI.
 
--Brian

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 4:32 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Linked Values & other good stuff



Keep in mind that ADUC treats computers and users as leaves by default for 
display but they are actually containers. You may have to check your settings. ADSI 
does it correctly right off though.

  joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 4:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

I'll have to look again. I thought that's what it was doing but I didn't see 
the objects.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035



-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

Well look at that... I should look at the GUI occasionally. :o)

I just created one and it creates the volume object under the server 
container. So you can go look there or do a command line search for 
objectcategory=volume... A sample adfind query would be

Adfind -gc -b -f objectcategory=volume

If you just want the DNs you would do

Adfind -gc -b -f objectcategory=volume -dn




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

Huh. Never noticed it before. 2003 at least lets you auto publish when sharing 
via computer mgmt. Do you know where it stuffs the volume objects?




-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

http://support.microsoft.com/?kbid=234582

Shared folders are objectcategory (and objectclass) volume.

They are wherever you created them in the directory. It would be good to place 
them either in a single OU where you house all shared folders OR place them as 
subobjects to the servers where the share is published.

  joe



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

I want the LVs so this is as zero maintenance as possible. Printer gets 
unshared - computers automatically no longer get the map. I like the thought about 
doing the share folders too with LVs too. I just published a couple to the directory, 
but, I can't find where the data is stored, or the name of the class.

Thanks




-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

An aux class seems to make sense for this. Note with K3 you can link on the 
fly, with 2K you will have to statically link.

Whether or not you use LV attribs depends on your requirements. If you just 
want to look at a user or computer object and have an arbitrary string saying what to 
connect, then you don't need LV. If however you intend to have more than 850 values 
(for 2K or 1300 for K3) then you need to look at doing this through LV.

Additionally if you want to be able to query say a shared folder and find out 
what users are linked to it you would also use LV. The benefit there would be if the 
shared folder object got changed or renamed or whatever, your user/computer objects 

RE: [ActiveDir] OT:Signed Message for craig

2004-07-16 Thread Brian Desmond
Have you installed the Root Certs update from Windows Update?
 
--Brian

-Original Message- 
From: Craig Cerino [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 3:42 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] OT:Signed Message for craig



 

"Can not open this item. Your Digital ID name can not be found by the
underlying security system"

RE: [ActiveDir] help finding proxyAddresses

2004-07-16 Thread Michael B. Smith
Ya know, patch management can be a real bear. :-)
 
I've come a long way since I started lurking around here. :-P



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 7/16/2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] help finding proxyAddresses


Hey that looks pretty smooth! That joeware stuff... I tell you...
 
BTW, upgrade your version, it is up to like 1.17 or so now... :o)
 
   joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 16, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] help finding proxyAddresses


C:\BRI>adfind -b dc=brnets,dc=local -f  [EMAIL PROTECTED] 
 local proxyaddresses
 
AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
 
Using server: orange.brnets.local
 
dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: X400:c=us;a= ;p=Blue Ridge Inter;o=Exchange;s=Smith;g=Michael;i=B;



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, July 16, 2004 3:19 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] help finding proxyAddresses


After lots of iterations using dsquery, dsget, and/or adfind, I still can't seem to 
produce "proxyAddresses" using a given UPN.  It's Friday afternoon, my brain hurts, 
and I sure would like to finish the week on a high note.  Any help is REALLY 
appreciated!  Thanks.
 
Mike Thommes 

RE: [ActiveDir] GC removal

2004-07-16 Thread Eric Fleischman
In 2k03 we introduced rapid gc demotion.
Out of the box on 2k, we'll clean out 500 objects per KCC run. Since KCC
runs every 15 mins, that translates to 2000 objects per hour that are
cleaned out.

This was changed in 2k03 to be as fast as we can so long as we aren't
preempted, and this behavior was backported to 2k as of SP4. So if you
have SP4 on the GC, you will get the rapid demotion behavior.

There should be a KB on this... ah here it is.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;325378

Oh look at that typo... it says "slow to remove connection objects" when
it should be "slow to remove objects". I'll submit a change request to
get that fixed.

~Eric




RE: [ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread joe



Well the permissions we are talking here are more of an AD 
and AD/AM thing than LDAP. LDAP itself doesn't know nor care about permissions. 
It is the engine beneath the LDAP that does the work with the permissions. You 
can do perms in most if not every LDAP implementation but that makes it harder 
to do things so you will find a lot of people set up their non-MS directories 
with full open anonymous access. Microsoft didn't like that, thought it was a 
bad idea (because they care so little for security like everyone says) and said 
by default by darn we are going to lock our directory 
down...
 
Here is a nice little article that gives you a baseline on 
the concepts.
 
http://www.mcpmag.com/columns/article.asp?EditorialsID=328
 
 
In Active Directory you have several tools for setting permissions. In AD/AM you
pretty much have ADSI and dsacls and anything you can script yourself.
 
 
 joe
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 5:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM

Joe, Can you point me to more info on setting the permissions of users?  I've
only just begun working with LDAP a few days ago and am working with an
instance I installed and ldif files I wrote myself.
Thanks, Sonya

"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/16/2004 02:17 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM

Sounds like it is permissioning. If you don't bind with an ID you aren't
going to see anything unless you crank down all of the permissions to
nothing. Sounds like the ID you used had very little access. You should
doublecheck what your permissions are set as.

To put it another way, if ADSIEDIT is seeing things which authenticates when
it connects, but you can't see something with a raw LDAP API call, it is
almost certainly authentication.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fw: perl-ldap with ADAM

Hello,
I sent this help request to a perl-ldap list and it was indicated that the
problem may be ADAM specific.  The details are:

I have set up a MS ADAM instance named cn=examplename,st=wv,c=us.  On
install, the LostAndFound, Roles, and NTDS Quotas objects were created with
dn's CN=LostAndFound,CN=examplename,ST=wv,C=us,
CN=NTDS Quotas,CN=examplename,ST=wv,C=us, and
CN=Roles,CN=examplename,ST=wv,C=us.
This all displays successfully in ADAM ADSI Edit.

I then added via importing an ldif file a couple of object instances with
dn's CN=WVAdmin,CN=examplename,ST=wv,C=us and
CN=WVAdmin2,CN=examplename,ST=wv,C=us.  These both also display
successfully in ADAM ADSI Edit.

So then I attempt to use perl-ldap to perform a search like this:

use Net::LDAP;
$ldap = new Net::LDAP('localhost') or die "$@";
$ldap->bind( version => 3 );
$mesg = $ldap->search ( base   => "C=us",
                        filter => "objectClass=*",
                      ) or die ("Failed on search.$!");
foreach $entry ($mesg->all_entries) { $entry->dump; }
$ldap->unbind;

The result is no entries.  I have also tried narrowing the base to
CN=examplename,ST=wv,C=us with no benefit.

Additionally, I tried binding to cn=WVAdmin,cn=examplename,st=wv,c=us which
does return a single result with dn=examplename,st=wv,c=us. Note that all of
the above search attempts resulted in a return code of 0 indicating success.
Any ideas what could be the problem would be greatly appreciated.
Thank you, Sonya

- Forwarded by Sonya Lowry/stc on 07/16/2004 01:07 PM -

Chris Ridd <[EMAIL PROTECTED]>
07/16/2004 10:55 AM
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: perl-ldap with ADAM

On 16/7/04 6:13 pm, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Chris,
> Thanks for your help.  Currently, I am binding with this line:
>
> $ldap->bind("cn=WVAdmin,cn=examplename,st=wv,c=us");

You need to add the arguments:

  password => 'something'

to the bind, as otherwise you will be binding with a name and no password.
Typically that will succeed, but it'll be considered the same as anonymous.
However you're using MAD, which doesn't really implement LDAP in a very
standard way, so it might be doing things differently.

> and the return code is 0 which I understand indicates succes
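Joe's and Chris Ridd's point above, as an added PowerShell example that is not code from the thread: a simple bind that carries a DN but no password is accepted with result 0 yet treated as anonymous, so the script refuses that combination and then compares what an anonymous session and the WVAdmin identity can actually read. It assumes ADAM on localhost:389 and the DNs from Sonya's post, and uses System.DirectoryServices.Protocols in place of perl-ldap.

```powershell
# Added example (not from the thread): bind to ADAM with an explicit password and check what
# the bound identity can actually see, instead of trusting a bind/search return code of 0.
# Assumptions (mine, not the page's): ADAM listens on localhost:389; DNs are those from Sonya's post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-VisibleEntries {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 389,
        [string]$BindDn,              # empty -> deliberate anonymous bind
        [securestring]$Password,
        [string]$SearchBase = 'cn=examplename,st=wv,c=us'
    )
    # A simple bind with a DN but no password is an "unauthenticated" bind (RFC 4513 section 5.1.2):
    # the server answers success, yet the session is anonymous. That is the trap in the Perl code
    # above, so refuse the combination outright instead of silently getting an empty result set.
    if ($BindDn -and (-not $Password -or $Password.Length -eq 0)) {
        throw "Refusing to bind as '$BindDn' with an empty password; the server would treat it as anonymous."
    }

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Simple bind sends the password in clear; on a real deployment set SecureSocketLayer and use 636.
    if ($BindDn) {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind([System.Net.NetworkCredential]::new($BindDn, $Password))
        $identity = $BindDn
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Bind()
        $identity = '(anonymous)'
    }

    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $SearchBase, '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                [string[]]@('distinguishedName'))
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    [pscustomobject]@{
        Identity   = $identity
        ResultCode = $resp.ResultCode
        Count      = $resp.Entries.Count
        Dns        = @($resp.Entries | ForEach-Object { $_.DistinguishedName })
    }
}

# Side by side: what an anonymous session sees versus the WVAdmin identity. If both counts are
# equal and small, the identity is getting no more than anonymous does (wrong password, or the
# ACLs / role membership have not granted it read access yet).
$pw   = Read-Host 'Password for cn=WVAdmin' -AsSecureString
$anon = Get-VisibleEntries
$user = Get-VisibleEntries -BindDn 'cn=WVAdmin,cn=examplename,st=wv,c=us' -Password $pw
$anon, $user | Format-Table Identity, ResultCode, Count
$user.Dns
```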

RE: [ActiveDir] user/domain selection

2004-07-16 Thread joe
These are questions that you can start to find answers to with network
tracing and one of the reasons I like pushing people to do it. You learn a
ton and when you know how it works, troubleshooting gets a trifle easier.

So anyway, both of these are an answer of the proper info from the forest is
queried through a global catalog found via DNS lookup. Entire network in
that context really means domain stuff in the forest. 

WINS isn't used at all for this stuff for 2k+ in an AD domain. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 16, 2004 9:28 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] user/domain selection

what is the under the hood process that windows gets the user listing when
you add members to a group. I mean the drop down list where you select a
domain or entire directory? is that gotten from a gc via dns?

also, when you join a pc to a forest and suddenly all the domains appear in
the drop down list. how does it get that?
In network neighborhood in entire network those domains also appear (I
thought "entire network" was netbios based and would use wins but our wins
servers in the forest are not configured to push/pull with each other and
still the domains appear)?
just curious. sorry if this sounds really basic or obvious.


RE: [ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread Eric Fleischman
I can articulate one particular item that
is probably your major issue.

By default, users in ADAM can not access
much of anything. We ACL’d down as part of “secure by default”
so they can’t see many objects in the naming context.

For the sake of testing, go ahead and add
the ADAM user you have created to cn=readers,cn=roles,

Once the ADAM user is in that group, are
they able to see the objects you would like them to see?

If yes, well, that’s one way to do it. :) That group will let them
see many objects within that naming context. If you wanted to ACL down further,
you could create your own groups, add the user to that custom group instead of
cn=readers, then acl the appropriate subtrees for that group.

 

~Eric

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 4:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM

Joe,
Can you point me to more info on setting the permissions of users?  I've only
just begun working with LDAP a few days ago and am working with an instance I
installed and ldif files I wrote myself.
Thanks,

Sonya


"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/16/2004 02:17 PM
Please respond to [EMAIL PROTECTED]

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM

Sounds like it is permissioning. If you don't bind with an ID you aren't going
to see anything unless you crank down all of the permissions to nothing. Sounds
like the ID you used had very little access. You should double-check what your
permissions are set as.

To put it another way, if ADSIEDIT is seeing things which authenticates when it
connects, but you can't see something with a raw LDAP API call, it is almost
certainly authentication.
  
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fw: perl-ldap with ADAM


Hello,
I sent this help request to a perl-ldap list and it was indicated that the
problem may be ADAM specific.  The details are:

I have set up a MS ADAM instance named cn=examplename,st=wv,c=us.  On
install, the LostAndFound, Roles, and NTDS Quotas objects were created
with dn's CN=LostAndFound,CN=examplename,ST=wv,C=us,
CN=NTDS Quotas,CN=examplename,ST=wv,C=us, and
CN=Roles,CN=examplename,ST=wv,C=us.
This all displays successfully in ADAM ADSI Edit.

I then added via importing an ldif file a couple of object instances with
dn's CN=WVAdmin,CN=examplename,ST=wv,C=us and
CN=WVAdmin2,CN=examplename,ST=wv,C=us.  These both also display
successfully in ADAM ADSI Edit.

So then I attempt to use perl-ldap to perform a search like this:

use strict;
use warnings;
use Net::LDAP;

# Connect to the local ADAM instance; new() returns undef on failure.
my $ldap = Net::LDAP->new('localhost') or die "$@";

# Bind with no DN and no password, i.e. an anonymous bind.
my $mesg = $ldap->bind( version => 3 );
die "Bind failed: " . $mesg->error if $mesg->code;

# search() always returns a Net::LDAP::Search object, so "or die" on the
# call itself never fires; the LDAP result code lives on the message.
$mesg = $ldap->search( base   => "C=us",
                       scope  => "sub",
                       filter => "objectClass=*",
                     );
die "Failed on search: " . $mesg->error if $mesg->code;

foreach my $entry ($mesg->all_entries)
{
  $entry->dump;
}

$ldap->unbind;


The result is no entries.  I have also tried narrowing the base to
CN=examplename,ST=wv,C=us with no benefit.

Additionally, I tried binding to cn=WVAdmin,cn=examplename,st=wv,c=us which
does return a single result with dn=examplename,st=wv,c=us.

Note that all of the above search attempts resulted in a return code of 0
indicating success.
Any ideas what could be the problem would be greatly appreciated.

Thank you,
Sonya


- Forwarded by Sonya Lowry/stc on 07/16/2004 01:07 PM -

Chris Ridd <[EMAIL PROTECTED]>
07/16/2004 10:55 AM

To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: perl-ldap with ADAM

On 16/7/04 6:13 pm, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Chris,
> Thanks for your help.  Currently, I am binding with this line:
> 
> $ldap->bind("cn=WVAdmin,cn=examplename,st=wv,c=us");

You need to add the arguments:

  password => 'something'

to the bind, as otherwise you will be binding with a name and no password.
Typically that will succeed, but it'll be considered the same as anonymous.

However you're using MAD, which doesn't really implement LDAP in a very
standard way, so it might be doing things differently.

> and the return code is 0 which I understand indicates success.  However,
> the search result is limited to the single object
> 'cn=examplename,st=wv,c=us' despite the presence of several objects with
> dn's like cn=,cn=examplename,st=wv,c=us.
> 
> I've suspected that ma
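An added example (not code from this thread and not Net::LDAP's own code) for Chris's point about binding with a name and no password, and for why Eric's readers role only helps once the bind is real: it encodes the LDAPv3 simple BindRequest that a client such as Net::LDAP puts on the wire, decodes it back, and classifies the request the way RFC 4513 does (anonymous, unauthenticated, or simple). The DN is the one from Sonya's post; the password and message ids are constructed.

```python
"""Build and inspect an LDAPv3 simple BindRequest (RFC 4511 / RFC 4513).

Added example; not code from the thread and not Net::LDAP's own code. The DN
comes from Sonya's post; the password and message ids are constructed.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    # One spare byte when the top bit is set keeps the INTEGER non-negative.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }."""
    bind = (
        _ber_int(3)                                  # version
        + _tlv(0x04, dn.encode("utf-8"))             # name (LDAPDN)
        + _tlv(0x80, password.encode("utf-8"))       # simple [0] password
    )
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(data: bytes):
    """Parse a simple BindRequest back into (msg_id, version, dn, password)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL authentication choice)")
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
            name.decode("utf-8"), auth.decode("utf-8"))


def classify_bind(dn: str, password: str) -> str:
    """RFC 4513 section 5.1: no name and no password is an anonymous bind; a
    name with an empty password is an *unauthenticated* bind, which a server
    either rejects or treats as anonymous, so a resultCode of 0 (success)
    proves nothing about the caller; only name plus password is a real
    simple bind."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "simple"


if __name__ == "__main__":
    dn = "cn=WVAdmin,cn=examplename,st=wv,c=us"
    for pw in ("", "constructed-sample-password"):
        raw = encode_bind_request(1, dn, pw)
        print(classify_bind(dn, pw), raw.hex())
```

The empty-password request differs from the real one only in the final `80 00` octets, which is exactly why a client that checks nothing but the result code cannot tell the two apart.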

RE: [ActiveDir] User changing account properties

2004-07-16 Thread joe
Yep I concur of course.

Post the ACL for a user object that this can be done to and we can peek at
it and tell you who can do what.

Use a command like

  Dsacls cn=userid,cn=someou,dc=somedomain,dc=com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 14, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User changing account properties

If this is normal or not really depends on the security you've set in your
AD or on the objects.  With the default permissions this doesn't work (i.e.
it would not be normal), since a "normal" user can only edit specific
attributes on his own account object (everything that's granted to be
writable to SELF - which is actually more than 40 attributes, so it's quite
a lot).

The easiest way to find the difference to the default security is to know
the default security descriptor as it's set on newly created objects (either
check it out on the user class in the schema of a newly installed AD or read
the AD Delegation WP
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en)

Then compare to what permissions your objects have been granted - take
special care to check the permissions for Authenticated Users...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Wednesday, 14 July 2004 20:18
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] User changing account properties

Users seem to be able to use the Windows XP built-in people search to change
other users' AD attributes.

I assume this isn't normal. Is there a tool I can use to find differences
from the default AD attribute security? This is a Windows 2000 AD.

Thank you
jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
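An added example (not from the thread) of the comparison Guido describes: it parses the DACL of an SDDL string (the form the schema's defaultSecurityDescriptor is stored in, and the form an object's nTSecurityDescriptor can be exported to), lists the ACEs an object carries beyond the class default, and flags any that hand write rights to Authenticated Users, Everyone or Users. Both SDDL strings are constructed stand-ins, not the real Windows 2000 user-class default, and the GUID is a placeholder.

```python
"""Diff an object's SDDL DACL against the schema default and flag write
rights handed to broad groups.

Added example, not code from the thread. Both SDDL strings below are
constructed stand-ins for the user class defaultSecurityDescriptor and for an
object's nTSecurityDescriptor; the real default is longer and uses real
attribute and property-set GUIDs, the GUID here is a placeholder.
"""
import re

# Directory-service access-right bits and their SDDL two-letter codes.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that let the holder change the object or its security.
WRITE_RIGHTS = {"WP", "WD", "WO", "CC", "DC", "SD", "DT", "CR", "SW", "GA", "GW"}
# Broad trustees (SDDL aliases and well-known SIDs) that should not hold
# write rights on another user's account object.
BROAD_SIDS = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Users", "DU": "Domain Users",
}


def parse_dacl(sddl: str) -> list:
    """DACL ACEs as 6-tuples (type, flags, rights, object_guid, inherit_guid, sid)."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(tuple(parts[:6]))
    return aces


def rights_of(rights: str) -> set:
    """Expand a rights field (letter pairs such as RPWP, or a 0x mask) to codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def _key(ace):
    """Order-independent identity of an ACE for comparison."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = ace
    return (ace_type, flags, frozenset(rights_of(rights)),
            obj_guid.lower(), inh_guid.lower(), sid)


def extra_aces(default_sddl: str, object_sddl: str) -> list:
    """ACEs present on the object but absent from the class default."""
    baseline = {_key(a) for a in parse_dacl(default_sddl)}
    return [a for a in parse_dacl(object_sddl) if _key(a) not in baseline]


def risky_aces(aces) -> list:
    """Allow ACEs that give a broad trustee any write right, as readable text."""
    hits = []
    for ace_type, _flags, rights, obj_guid, _inh, sid in aces:
        if ace_type not in ("A", "OA") or sid not in BROAD_SIDS:
            continue
        granted = rights_of(rights) & WRITE_RIGHTS
        if granted:
            scope = "attribute/set " + obj_guid if obj_guid else "all attributes"
            hits.append("%s: %s on %s" % (BROAD_SIDS[sid], ",".join(sorted(granted)), scope))
    return hits


# Constructed stand-in for the schema default: full control for Domain Admins
# and SYSTEM, read for Authenticated Users, write on one attribute for SELF.
DEFAULT_SD = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;;RPLCLORC;;;AU)"
              "(OA;;WP;00000000-0000-0000-0000-000000000001;;PS)")
# Constructed object descriptor: the default plus one ACE that gives
# Authenticated Users Write Property on every attribute.
OBJECT_SD = DEFAULT_SD + "(A;;WP;;;AU)"

if __name__ == "__main__":
    for line in risky_aces(extra_aces(DEFAULT_SD, OBJECT_SD)):
        print("non-default write access:", line)
```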




RE: [ActiveDir] Transitive trusts between 2 forests

2004-07-16 Thread joe
I am really surprised to not see a Guido response here. He loves forest
trusts. Can talk for hours on the subject. :o)

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, July 15, 2004 11:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Transitive trusts between 2 forests

To establish a forest trust, the forests need to be in WIN2k3 functional
mode, so all of the domains in each forest need to be in Win2k3 mode, so all
of the DCs in each domain need to be Win2k3.

Also, the forest trusts between each pair of forest roots are not
transitive. If "Forest A" trusts "Forest B" and "Forest B" trusts "Forest
C", then all of the domains in "Forest A" have transitive trusts to all of
the domains in "Forest B" but they have no trust relationship at all with
the domains in "Forest C".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, July 15, 2004 7:25 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Transitive trusts between 2 forests

Quick question-
if i want a transitive trust between 2 forests(involving all child domains
in both forests), do all dc's in all domains need to be win2k3 or just both
roots?

Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] SP4

2004-07-16 Thread joe
Nah, Windows Server 2003 is. :oP

Heh.


  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Sure but it's still the best version of W2K so far.

ddh

> I'd read this-
> 
> http://www.winnetmag.com/Article/ArticleID/39584/39584.html
> 
> 
> -Original Message-
> From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 14, 2004 1:13 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] SP4
> 
> 
> So I guess it is safe to say that SP4 should be safe to deploy since not
> too many people have posted problems with the SP here on the list and I
> have not seen too many things written about problems arising from it?
> 
> Justin A. Salandra, MCSE
> Senior Network Engineer
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
> 
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






RE: [ActiveDir] Signed message for Craig

2004-07-16 Thread joe



I'm too old to take tests. Plus the last time I tried to
take a Transcender I failed miserably.

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, July 16, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Signed message for Craig


Test

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035


RE: [ActiveDir] GC removal

2004-07-16 Thread joe
:o)

Nod, the serious part was about Dean's previous post.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gilbert, Daniel L
Mr ANOSC/FCBS
Sent: Friday, July 16, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

C'mon Joe, I knew I could do that, I was trying to find a way to speed up
nature/evolution.

Dan

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

The fastest method I have found is to demote the server. :o)

I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GC removal

Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script out
there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Share creation permissions

2004-07-16 Thread joe
Make them normal users.  


Unfortunately that work is proxied through svchost so you can't lock down by
group other than what MS supplies by default.

Yes, that is archaic and not very security minded.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
Contr InDyne/Enterprise IT
Sent: Friday, July 16, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Share creation permissions

I have a proposed requirement to restrict the ability to create shares on
the workstation to all but a few people within the domain.  Anyone have an
idea as to how to do this?



v/r

RC

Comments and concerns can be directed back to me, complaints can be directed
to /dev/null

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Running DCDiag

2004-07-16 Thread joe
The first thing that says is watch your event logs and get some monitoring.
:o)

That aside event ID 0xC7FA is event 2042 which you can read at 

http://www.eventid.net/display.asp?eventid=2042&source=NTDS+Replication


Basically you have a DC that is way far out of sync and you need to find out
why your replication isn't working. You need to figure out if it is the
source machine or this machine that is the one that is out of sync with the
rest of the forest and then kill it. Of course if you have been making updates
to the out of sync machine, you could lose some stuff but that is eminently
better than being inconsistent.

 joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, July 16, 2004 12:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Running DCDiag

Anyone know what this means when I do a DCDiag

Starting test: kccevent
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:53:25
  Event String: It has been too long since this machine last
   . SERVER01 failed test kccevent




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
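An added example (not from the thread) that does joe's lookup programmatically over the kccevent output above: it strips the severity bits from each hex EventID (0xC7FA decodes to 2042 as joe says; 0x8785 decodes to 1925 by the same rule, which matches the "replication link" text), also accepting the 32-bit form (0xC00007FA) that later dcdiag builds print, and summarises how many of each occurred. The sample lines are copied from Mario's post, trimmed to three events.

```python
"""Decode dcdiag kccevent output into NTDS event numbers.

Added example, not from the thread. dcdiag prints each EventID as a hex word
whose top two bits carry the severity (11 = error, 10 = warning) and whose
remaining bits are the event number from the NTDS Replication source, so
0xC7FA is event 2042 and 0x8785 is event 1925. The sample below is taken
from Mario's post (trimmed; same shape).
"""
import re
from collections import Counter

EVENT_RE = re.compile(r"An (?:Error|Warning) Event occured\.\s+EventID:\s+0x([0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s+(\S+\s+\S+)")
MSG_RE = re.compile(r"Event String:\s+(.*)")

SEVERITY = {0b11: "error", 0b10: "warning", 0b01: "information", 0b00: "success"}

# Short paraphrases of the NTDS Replication event text for the ids seen here.
KNOWN = {
    2042: "too long since last replication with a partner (past the tombstone lifetime)",
    1925: "KCC could not establish a replication link for a writable partition",
}


def decode_event_id(hexword: str):
    """(severity, event_number) for an id like C7FA, 0xC7FA or 0xC00007FA."""
    value = int(hexword, 16)
    width = 32 if value > 0xFFFF else 16     # dcdiag output shows a 16- or 32-bit word
    severity = SEVERITY[value >> (width - 2)]
    number = value & ((1 << (width - 2)) - 1)
    return severity, number


def parse_kccevent(text: str):
    """Return one dict per event: severity, event, time, message."""
    events, current = [], None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            severity, number = decode_event_id(m.group(1))
            current = {"severity": severity, "event": number, "time": None, "message": ""}
            events.append(current)
            continue
        if current is None:
            continue
        m = TIME_RE.search(line)
        if m:
            current["time"] = m.group(1)
            continue
        m = MSG_RE.search(line)
        if m:
            current["message"] = m.group(1).strip()
    return events


def summarize(events):
    """Counts per (severity, event number) plus a one-line meaning for each id."""
    counts = Counter((e["severity"], e["event"]) for e in events)
    meaning = {e["event"]: KNOWN.get(e["event"], e["message"]) for e in events}
    return counts, meaning


# Constructed sample: the first two event blocks and the last one from the post.
SAMPLE = """\
Starting test: kccevent
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:53:25
  Event String: It has been too long since this machine last
   . SERVER01 failed test kccevent
"""

if __name__ == "__main__":
    counts, meaning = summarize(parse_kccevent(SAMPLE))
    for (severity, number), n in sorted(counts.items()):
        print(f"{n}x {severity} {number}: {meaning[number]}")
```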



RE: [ActiveDir] RDP and Domain Local Group

2004-07-16 Thread joe
Well it looks like it throws principals into the "remote desktop users"
group. In your shoes I would just try throwing a user from the domain into
that group that wouldn't otherwise have perms to connect and see if that
works, that means that is all that is done and you can just add dlg's
(assuming native mode) to the local group on the machines. This could very
possibly be a GUI error which isn't unheard of.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Active Dir
Sent: Wednesday, July 14, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RDP and Domain Local Group


I am deploying an AD 2003 Domain and Windows XP client machines.  I created
a Domain Local group called "RDP Admins" for Remote Desktop Administration.

When I go to Windows XP, System Properties -> Remote -> Remote Desktop, I can
only add a "Domain Global" group; I cannot add my "RDP Admins" domain local
group.  Is there any way to fix this problem?

Thanks in advance!


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] outlook / gc client discovery

2004-07-16 Thread joe
I like to put this most simply as

Use the GCs for the clients that the Exchange Servers are using. If you have
an Exchange Server in your local site using a local GC, use that GC, would
be silly to go across the WAN. However if your Exchange Server is across the
WAN, use the GC across the WAN as well. Comparatively the traffic is nothing
compared to Exchange AND you are less likely to be bitten by the "loosely
consistent" nature of Active Directory. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, July 14, 2004 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] outlook / gc client discovery

Sponsorship?  I have no idea what you mean 

"point taken about the size of the address book being small compared to but
my mind has been that we have servers there with the required directory
information, we might as well use them ???"  

Just because you can, doesn't mean you should.  They are two totally
different concepts to say the least.  The address book lookups is typically
very small.  Although I currently enjoy large network links, that has not
been the norm during my career.  I've made similar recommendations when
using 9.6 Kbps links, although that would arguably be a case for considering
putting in a local Exchange server else use avian packet carrier or cached
mode to at least give the illusion of usable performance.  
Generally speaking, wherever you put a site, you may also want to consider
putting an Exchange server and GC's.  They're not that different.  If you
instead decide to put the Exchange mailstores, where all the user data is
located, in a central location, then why would it make sense to put the GC
in a decentralized location?  It's a nice to have, but it's not a
requirement in most situations.  It becomes more of a requirement depending
on the links, but if you need to rely on it, you either have a
geographically dispersed network and want more finite control over user
traffic patterns (i.e. don't want the french mailbox users to have to use
the south american GC for address book lookups)else you have a penchant for
zeroing in on unimportant things.  I'll assume the previous in your case
because that would make a lot more sense. 

Bottom line is that there is no reason you wouldn't want to create a 5.5 -
like topology if centralizing.  You would create an active directory site,
put in as many GC's as you needed for Exchange servers/users, and for each
of those machines you'd hardcode the GC's DSProxy can hand out.  Or maybe
even create your own Exchange domain without users or your own domain forest
depending on requirements.  But to spend the time to reduce the smallest
amount of traffic seems counterproductive to me except in situations noted
above.  

My thoughts anyway.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, July 14, 2004 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery

thanks both for post replies - helpful in the extreme

i do sense that the issue of GC and by implication dlist etc retrieval over
a WAN connection is not regarded as such as a major issue - can only assume
that you have the luxury of very well connected sites ??

point taken about the size of the address book being small compared to but
my mind has been that we have servers there with the required directory
information, we might as well use them ???

i take point about risk about client not being "intelligent" in its choice
of GC with respect to domainprep etc - suppose this is where Dsaccess has a
bit more intelligence than the client based discovery process - which it
seems we are not sure about

will be doing some capturing of the startup of outlook clients so hopefully
something will stick out here

thanks again for your help

i always wonder about the sponsorship owed by microsoft to this mailing list
??

GT

-
- Original Message -
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 12, 2004 5:36 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Graham, that's a fairly common question actually, although usually in 
> the Exchange groups.  It still could be considered on topic here for 
> part of that data.
>
> FWIW, it's the dsproxy process that hands out GC's to clients to use. That's
> because of the legacy restrictions the client brings to the equation (see:
> http://www.microsoft.com/technet/prodtechnol/exchange/2000/deploy/upgrademigrate/series/planningguide/p_08_tt1.mspx
> and search for DSProxy). Note that different versions of Outlook will respond
> differently to this process after the first contact is made and a GC is
> found.  DSProxy picks its GCs based on a number of criteria such as whether
> or not the domain it's talking to is domainprepped, how close to the Exchange
> machine the GC is (network), etc.
>
>
> In multi-domain envi

RE: [ActiveDir] GC removal

2004-07-16 Thread Gilbert, Daniel L Mr ANOSC/FCBS
C'mon Joe, I knew I could do that, I was trying to find a way to speed up
nature/evolution.

Dan

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 16, 2004 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GC removal

The fastest method I have found is to demote the server. :o)

I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GC removal

Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script out
there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] outlook / gc client discovery

2004-07-16 Thread joe
Cool. Send me a URL when you get it up and going and I will pop by as soon
as I can. Sounds like Al will as well. I would bet there would be several
folks from the list interested. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Hogan
Sent: Wednesday, July 14, 2004 4:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Joe, we would consider facilitating an open sync project.  We have completed
a sync project for AD to Notes, so we have something of a framework to begin
with.

Cheers!
David

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: July 13, 2004 1:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

I agree on the scripting for configuration. But then the Exchange Service
guys will pick some DC that the AD Admins aren't aware of as being "IT" and
will decide one day to do something to it and then are wondering why they
need so much prep-h. If they are all in a single Exchange site, there is no
forgetting that. 

I completely understand your statement on the licensing of MIIS. I think we
had a good discussion of this back at the summit with the MS folks,
hopefully they will take the comments to heart. It is also why I was asking
if someone out there is working on a decent free project to do that
syncing... Obviously it can be done, it just isn't visibly being done yet. I
am seriously considering it but that is outside the realm of the normal
joeware type tools which are a quick little tool to do something for you
that isn't normally easily available. This wouldn't be a quick little tool
and probably take me away from doing a lot of the other tools I work on.
Also if I set up the open source piece of it, I would feel the same way in
terms of driving it plus not sure how many people want to do it with Borland
compilers because if I did it that is what it would use. If someone else was
doing it, I wouldn't mind popping in and giving suggestions on how to handle
things. That is easier than being the core developer or one of them and it
wouldn't compromise the other things I am doing.

But to make a long response longer, I hate MIIS'es dependence on SQL and the
idea that you have to maintain a SQL Server to make it work outright sucks.
I would be less hateful if it used ODBC and you could select your store or
SQL were free with MIIS for that use. But it would also have to completely
manage that instance as well transparently so someone who is an AD person
doesn't have to become a SQL expert to sync his/her directories. The way
MIIS works now is, in my head, almost like having an AD that you have the AD
program and you have to separately manage the DataBase behind it. This isn't
the case with AD and AD/AM, make it the same with MIIS or allow people to
select their own store mechanism. That is what ODBC was supposed to be all
about.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, July 13, 2004 1:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] outlook / gc client discovery

"hardcoding is always a pain to work with as someone will forget" ?  That's
what scripting is for, Joe ;0)

For me, I hate the amount of complexity required to get the solution usable
in a dedicated forest scenario.  If SQL were licensed with MIIS FP, then I
wouldn't have so much heartache about it outside of the additional skill set
required to make this reliable.  I think it's the licensing that turns me
off the solution more than anything.

-ajm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Al has posted a ton of good info.

A couple of points to add.

Another thing to be concerned about with having the client find its own GC
is that in some orgs, the GCs that the Exchange servers are likely to hit
tend to be very well maintained (heck Exchange is using them, you are in for
deep doo doo if you don't...), more so even than regular DC/GCs. Also you
may hit a GC that is out in the boonies that doesn't get replicated to as
often as one in the datacenter site with the Exchange Servers. I know that
to all good Admins, every DC/GC is equal to the next, however those that
have dealt with Exchange will often start to look at the Exchange GCs as
more equal right along with the PDC. You tend to have the monitors a little
more hair-trigger'ish with the Exchange GCs as most DCs can fail and have no
serious impact on the environment, an Exchange GC blows and you end up in
front of managers to start trying to explain how DC failover is supposed to
work and why they couldn't get their mail and why 50,500,5000,50,000 people
chewed them out and etc etc etc. 

On the second aspect of this, doing the 5.5 architecture. I would take it

RE: [ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread Sonya_Lowry

Joe,
Can you point me to more info on setting the permissions of users?  I've only
just begun working with LDAP a few days ago and am working with an instance I
installed and ldif files I wrote myself.
Thanks,
Sonya


"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/16/2004 02:17 PM
Please respond to [EMAIL PROTECTED]

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Fw: perl-ldap with ADAM

Sounds like it is permissioning. If you don't bind with an ID you aren't going
to see anything unless you crank down all of the permissions to nothing. Sounds
like the ID you used had very little access. You should double-check what your
permissions are set as.

To put it another way, if ADSIEDIT is seeing things which authenticates when it
connects, but you can't see something with a raw LDAP API call, it is almost
certainly authentication.

  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 16, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fw: perl-ldap with ADAM


Hello,
I sent this help request to a perl-ldap list and it was indicated that
the problem may be ADAM specific.  The details are:


I have set up a MS ADAM instance named cn=examplename,st=wv,c=us.  On
install, the LostAndFound, Roles, and NTDS Quotas objects were created
with dn's CN=LostAndFound,CN=examplename,ST=wv,C=us, CN=NTDS
Quotas,CN=examplename,ST=wv,C=us, and CN=Roles,CN=examplename,ST=wv,C=us.
This all displays successfully in ADAM ADSI Edit.

I then added via importing an ldif file a couple of object instances with
dn's CN=WVAdmin,CN=examplename,ST=wv,C=us and
CN=WVAdmin2,CN=examplename,ST=wv,C=us.  These both also display
successfully in ADAM ADSI Edit.

So then I attempt to use perl-ldap to perform a search like this:

use strict;
use warnings;
use Net::LDAP;

# Connect to the local ADAM instance; new() returns undef on failure.
my $ldap = Net::LDAP->new('localhost') or die "$@";

# Bind with no DN and no password, i.e. an anonymous bind.
my $mesg = $ldap->bind( version => 3 );
die "Bind failed: " . $mesg->error if $mesg->code;

# search() always returns a Net::LDAP::Search object, so "or die" on the
# call itself never fires; the LDAP result code lives on the message.
$mesg = $ldap->search( base   => "C=us",
                       scope  => "sub",
                       filter => "objectClass=*",
                     );
die "Failed on search: " . $mesg->error if $mesg->code;

foreach my $entry ($mesg->all_entries)
{
  $entry->dump;
}

$ldap->unbind;


The result is no entries.  I have also tried narrowing the base to
CN=examplename,ST=wv,C=us with no benefit.

Additionally, I tried binding to cn=WVAdmin,cn=examplename,st=wv,c=us which
does return a single result with dn=examplename,st=wv,c=us.

Note that all of the above search attempts resulted in a return code of
0 indicating success. 
Any ideas what could be the problem would be greatly appreciated.

Thank you, 
Sonya 


- Forwarded by Sonya Lowry/stc on 07/16/2004 01:07 PM -

Chris Ridd <[EMAIL PROTECTED]>
07/16/2004 10:55 AM
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: perl-ldap with ADAM

On 16/7/04 6:13 pm, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
wrote:

> Chris,
> Thanks for your help.  Currently, I am binding with this line:
> 
> $ldap->bind("cn=WVAdmin,cn=examplename,st=wv,c=us");

You need to add the arguments:

   password => 'something'

to the bind, as otherwise you will be binding with a name and no password.
Typically that will succeed, but it'll be considered the same as anonymous.

However you're using MAD, which doesn't really implement LDAP in a very
standard way, so it might be doing things differently.

> and the return code is 0 which I understand indicates success.  However,
> the search result is limited to the single object
> 'cn=examplename,st=wv,c=us' despite the presence of several objects with
> dn's like cn=,cn=examplename,st=wv,c=us.
> 
> I've suspected that maybe I simply don't understand the search mechanism.
> I had assumed that the base of cn=examplename,st=wv,c=us would direct the
> search through elements with dn's ending with the string
> 'cn=examplename,st=wv,c=us' like cn=,cn=examplename,st=wv,c=us.  Is this
> a correct assumption?

It isn't quite the right way to think about it, as there are ways for the
search to process other entries too (eg by following aliases).

Think of it like directories on a disk, except that DNs are written
little-endian whereas file paths are written big-endian. A subtree search
essentially searches subdirectories. (Unless there's a link inside somewhere
that points to another subdirectory somewhere.)

Cheers,

Chris
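The two points in the exchange above (a simple bind that carries a name but no password is treated as anonymous, and a search only reaches entries whose DN ends in the base DN) as an added Python example; this is not code from the thread or from Net::LDAP. It models the bind classification a server applies per RFC 4513 section 5.1, the client-side refusal that RFC recommends, and the base/one/sub scope test. The DNs are the ones from the thread, the password is a placeholder, and the DN normalisation is simplified (all values compared case-insensitively) for the demonstration.

```python
"""Client-side guards for the perl-ldap/ADAM problems discussed above.

Added example, not code from the thread or from Net::LDAP.
"""

ANONYMOUS = "anonymous"
UNAUTHENTICATED = "unauthenticated"
AUTHENTICATED = "simple"


def classify_simple_bind(dn, password):
    """How an LDAPv3 server treats a simple bind (RFC 4513 section 5.1):
    empty name and empty password is an anonymous bind; a name with an
    empty password is an "unauthenticated" bind, which servers either
    reject or treat as anonymous; only name plus password authenticates."""
    if not dn and not password:
        return ANONYMOUS
    if dn and not password:
        return UNAUTHENTICATED
    if not dn:
        raise ValueError("password supplied without a bind DN")
    return AUTHENTICATED


def require_authenticated(dn, password):
    """Refuse to send a bind that would silently become anonymous.
    RFC 4513 recommends that clients disallow an empty password with a
    name, which is exactly the trap in the bind() call in the thread."""
    kind = classify_simple_bind(dn, password)
    if kind != AUTHENTICATED:
        raise ValueError(f"refusing {kind} bind for {dn!r}")
    return True


def split_dn(dn):
    """Split a DN into (type, value) RDNs, honouring backslash-escaped
    commas. Types and values are lower-cased, which is a simplification:
    real matching depends on each attribute's syntax."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        parsed.append((attr_type.strip().lower(), value.strip().lower()))
    return parsed


def dn_in_scope(dn, base, scope="sub"):
    """True if a search with this base and scope would visit `dn`.
    DNs are written little-endian (leaf first), so the base must be the
    tail of the entry's DN; scope then limits the depth below the base."""
    entry, root = split_dn(dn), split_dn(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope}")


if __name__ == "__main__":
    admin = "cn=WVAdmin,cn=examplename,st=wv,c=us"
    print(classify_simple_bind(admin, ""))             # unauthenticated
    print(classify_simple_bind(admin, "placeholder"))  # simple
    print(dn_in_scope("CN=WVAdmin,CN=examplename,ST=wv,C=us",
                      "cn=examplename,st=wv,c=us", "one"))
```

The bind check is the one worth wiring into any script: a return code of 0 from bind() says nothing about whether you are authenticated, so guard the call's inputs rather than trusting its result. Aliases, which Chris mentions, are not modelled here.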




RE: [ActiveDir] Linked Values & other good stuff

2004-07-16 Thread joe
Keep in mind that ADUC treats computers and users as leaves by default for display but 
they are actually containers. You may have to check your settings. ADSI does it 
correctly right off though.

  joe 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 4:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

I'll have to look again. I thought that's what it was doing but I didn't see the 
objects.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

Well look at that... I should look at the GUI occasionally. :o)

I just created one and it creates the volume object under the server container. So you 
can go look there or do a command line search for objectcategory=volume... A sample 
adfind query would be

Adfind -gc -b -f objectcategory=volume

If you just want the DNs you would do

Adfind -gc -b -f objectcategory=volume -dn


 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

Huh. Never noticed it before. 2003 at least lets you auto publish when sharing via 
computer mgmt. Do you know where it stuffs the volume objects?


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

http://support.microsoft.com/?kbid=234582

Shared folders are objectcategory (and objectclass) volume. 

They are wherever you created them in the directory. It would be good to place them 
either in a single OU where you house all shared folders OR place them as subobjects 
to the servers where the share is published. 

  joe 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

I want the LVs so this is as zero maintenance as possible. Printer gets unshared - 
computers automatically no longer get the map. I like the thought about doing the 
share folders too with LVs too. I just published a couple to the directory, but, I 
can't find where the data is stored, or the name of the class.

Thanks


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linked Values & other good stuff

An aux class seems to make sense for this. Note with K3 you can link on the fly, with 
2K you will have to statically link.

Whether or not you use LV attribs depends on your requirements. If you just want to 
look at a user or computer object and have an arbitrary string saying what to connect, 
then you don't need LV. If however you intend to have more than 850 values (for 2K or 
1300 for K3) then you need to look at doing this through LV. 

Additionally if you want to be able to query say a shared folder and find out what 
users are linked to it you would also use LV. The benefit there would be if the shared 
folder object got changed or renamed or whatever, your user/computer objects would 
update as well. Note though that you won't be able to get one object and then have all 
the info you need, you will have to chase the links to get the info; i.e. get the user 
object, then enumerate through all of the linked shared folders and retrieve all of 
those objects. This adds complexity but *possibly* gives you more functionality and 
flexibility depending on your end goals.

If you want the former non-linked attribute, you will want to get a base OID, either 
for yourself, the school/business, or whatever (don't self-generate one...). You can 
go to MS to get one for free if you want in their space. Relatively painless, takes a 
couple of days. This will also register for you a schema prefix; for instance I have a 
schema prefix of joeware... You can also then register for unique linkids for yourself 
if you decide to do the LV. 

Also if the former I would recommend you set up one auxClass with some generic name 
and generic MV attribute - the brianwareAux Class with the brianwareExtMVAttr1 
attribute. Then use the same class/attribute for both the queue and the shared folder. 
I would also recommend coming up with some flexible format for the data in that 
attribute... Say something like SHAREDFOLDER=DRIVEL

RE: [ActiveDir] LDAP query string to identify Enabled vs Disabled User Account

2004-07-16 Thread joe
And if you are using adfind you can just say

Adfind -b whatever -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"

i.e. you don't have to remember the control OIDs for AND or OR. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, July 16, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] LDAP query string to identify Enabled vs Disabled
User Account

Hi Jerry

Enabled users
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Disabled users
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Tony

-- Original Message --
From: Jerry Welch
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 16 Jul 2004 07:45:22 -0400

My poor old mind has seen this but lost it :) Can someone provide an LDAP
query string to identify when a User object is Enabled or Disabled in AD?
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
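The bitwise filters in this thread, as an added Python example (not code from the thread, from adfind or from Microsoft): it reimplements the semantics of the two matching-rule OIDs, 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND, every bit in the value must be set) and 1.2.840.113556.1.4.804 (LDAP_MATCHING_RULE_BIT_OR, at least one bit must be set), which adfind's -bit switch abbreviates as :AND: and :OR:, builds the enabled/disabled filters Tony posted, and runs them over a constructed set of userAccountControl values. It goes a little beyond the question by showing why a multi-bit mask behaves differently under the two rules and by naming a few other flags worth filtering on. The flag values are the documented userAccountControl bits; the sample accounts are made up.

```python
"""Offline model of Active Directory userAccountControl bit filters.

Added example, not code from the list thread or from adfind.
"""

# Documented userAccountControl bits (a subset).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# The two extensible matching rules AD supports for integer bit tests.
BIT_AND = "1.2.840.113556.1.4.803"  # all bits of the value must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the value is set


def bit_match(uac, rule, mask):
    """Evaluate (userAccountControl:<rule>:=<mask>) against one value."""
    if rule == BIT_AND:
        return (uac & mask) == mask
    if rule == BIT_OR:
        return (uac & mask) != 0
    raise ValueError(f"unknown matching rule {rule}")


def uac_filter(mask, rule=BIT_AND, negate=False):
    """Build the LDAP filter string for user objects with (or, if negate
    is set, without) the given bits. The value is written in decimal,
    as the thread's examples do."""
    clause = f"(userAccountControl:{rule}:={mask})"
    if negate:
        clause = f"(!{clause})"
    return f"(&(objectCategory=person)(objectClass=user){clause})"


def select(users, mask, rule=BIT_AND, negate=False):
    """Return the names whose uac value satisfies the same test the
    filter from uac_filter() would send to the directory."""
    return sorted(name for name, uac in users.items()
                  if bit_match(uac, rule, mask) != negate)


def flag_names(uac):
    """Human-readable list of the known flags set in a uac value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


# Constructed sample: sAMAccountName -> userAccountControl.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,
    "svc-backup": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD,
    "legacy": NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH,
}

if __name__ == "__main__":
    print(uac_filter(ACCOUNTDISABLE, negate=True))    # enabled users
    print(select(SAMPLE_USERS, ACCOUNTDISABLE, negate=True))
    # A two-bit mask with BIT_AND demands both bits; BIT_OR finds either.
    risky = PASSWD_NOTREQD | DONT_REQUIRE_PREAUTH
    print(select(SAMPLE_USERS, risky, BIT_AND), select(SAMPLE_USERS, risky, BIT_OR))
```

With a single-bit mask such as 2 the two rules agree, which is why the enabled/disabled filters above only ever use 803. Once you combine bits (say, accounts that have no password required or do not require Kerberos pre-authentication) 803 returns only objects carrying every bit, so the OR rule is the one that finds either condition.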

 







RE: [ActiveDir] help finding proxyAddresses

2004-07-16 Thread joe



I think dsquery does have you use -upn. 

 
Adfind isn't hardcoded for specific object types, it is 
pretty raw LDAP calls so you get to use the actual property 
names.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, July 16, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] help finding proxyAddresses

Michael,
    Thank you!  I kept beating on the commands using 
"upn" instead of "userprincipalname".  I owe you a beer!  Thanks 
again!
 
Mike Thommes

  -Original Message-
  From: Michael B. Smith [mailto:[EMAIL PROTECTED]
  Sent: Friday, July 16, 2004 2:25 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] help finding proxyAddresses

  C:\BRI>adfind -b dc=brnets,dc=local -f [EMAIL PROTECTED]local proxyaddresses
   
  AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003
   
  Using server: orange.brnets.local
   
  dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
  >proxyAddresses: smtp:[EMAIL PROTECTED]local
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: SMTP:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]local
  >proxyAddresses: X400:c=us;a= ;p=Blue Ridge Inter;o=Exchange;s=Smith;g=Michael;i=B;
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Friday, July 16, 2004 3:19 PM
  To: Active Directory Mailing List (E-mail)
  Subject: [ActiveDir] help finding proxyAddresses
  
  After lots of iterations using dsquery, dsget, and/or adfind, I still
  can't seem to produce "proxyAddresses" using a given UPN.  It's Friday
  afternoon, my brain hurts, and I sure would like to finish the week on
  a high note.  Any help is REALLY appreciated!  Thanks.
  Mike 
  Thommes 
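The adfind output quoted in this thread, parsed and audited, as an added Python example (not code from the thread or from adfind): it reads adfind's default text layout (a "dn:" line per object, then one ">attribute: value" line per value) and then classifies the proxyAddresses values the way Exchange does, where the entry whose type prefix is upper case ("SMTP:") is the primary reply address, lower-case "smtp:" entries are secondaries, and other prefixes (X400 here) are other address types. The sample output is constructed with placeholder addresses; the second object is deliberately malformed with two primaries.

```python
"""Parse adfind's default output and audit Exchange proxyAddresses.

Added example, not code from the thread or from adfind.
"""

# Constructed sample in adfind's output layout; addresses are placeholders.
SAMPLE_OUTPUT = """\
dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
>proxyAddresses: smtp:mbs@brnets.local
>proxyAddresses: SMTP:michael.smith@example.com
>proxyAddresses: smtp:msmith@example.com
>proxyAddresses: X400:c=us;a= ;p=Blue Ridge Inter;o=Exchange;s=Smith;g=Michael;i=B;

dn:CN=Broken User,CN=Users,DC=brnets,DC=local
>proxyAddresses: SMTP:one@example.com
>proxyAddresses: SMTP:two@example.com
"""


def parse_adfind(text):
    """Return a list of (dn, {attribute: [values]}) from adfind output.
    Only the first ':' on an attribute line separates name from value,
    so values that themselves contain ':' (like X400:...) survive."""
    entries, dn, attrs = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = line[3:].strip(), {}
        elif line.startswith(">") and dn is not None:
            name, _, value = line[1:].partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def split_proxy(address):
    """Split 'SMTP:user@host' into (type, value). The type is returned as
    written because its case carries the primary/secondary flag."""
    kind, _, value = address.partition(":")
    return kind, value


def primary_smtp(addresses):
    """The single primary SMTP address, or None when there is not exactly
    one upper-case SMTP: entry (which is an error state for Exchange)."""
    primaries = [v for k, v in map(split_proxy, addresses) if k == "SMTP"]
    return primaries[0] if len(primaries) == 1 else None


def secondary_smtp(addresses):
    """All lower-case smtp: entries, in directory order."""
    return [v for k, v in map(split_proxy, addresses) if k == "smtp"]


def audit(text):
    """Map each DN in the output to its primary SMTP address; a value of
    None flags an object with zero or several primaries."""
    return {dn: primary_smtp(attrs.get("proxyAddresses", []))
            for dn, attrs in parse_adfind(text)}


if __name__ == "__main__":
    for dn, primary in audit(SAMPLE_OUTPUT).items():
        print(f"{dn}: {primary or 'NO UNIQUE PRIMARY'}")
```

Feed it the real output of a broader query (for example, adfind against the whole domain with the same attribute list) and any object reported as NO UNIQUE PRIMARY is worth a look before mail starts bouncing.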


RE: [ActiveDir] help finding proxyAddresses

2004-07-16 Thread joe



Hey that looks pretty smooth! That joeware stuff... I tell 
you...
 
BTW, upgrade your version, it is up to like 1.17 or so 
now... :o)
 
   joe




RE: [ActiveDir] GC removal

2004-07-16 Thread joe
The fastest method I have found is to demote the server. :o)

I seem to recall Dean posting something once upon a time to force objects to
get yanked out. Can't find it at the moment, check the archives.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, July 16, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GC removal

Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script out
there to speed up the process.

Dan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] DeForestation

2004-07-16 Thread joe



Nope, not doubting, I haven't been following most of the 
threads sorry, trying to catch up right now. I mentioned that it might be sticky 
but doable. Sorry if I seem to say other.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, July 16, 2004 5:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DeForestation

I thought using MS Identity Integration Feature Pack and the PF sync tool
as well as the OWA solution proposed earlier and Win2k3 transitive trusts
between 2 forests and DNS conditional forwarding, this would be very
possible.
 
 
Do you doubt that 
it's possible now?  If so, why?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 16, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

Now that is an interesting configuration. I am guessing the 
secretary likes being in a different physical location than the boss, that can 
be handy.
 
I would expect with trusts most of that is solved... The 
sticky point would be the Exchange integration though I expect it is doable as 
well. 
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, July 14, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

No, the secretary is a member of our domain/forest. The manager (actually,
CEO) is a member of the source domain/forest and will stay there. The CEO
is in a different geographical location as well.

Essentially, these are 2 equal companies which have merged but alas for
political reasons and otherwise (such as not getting enterprise admin
access), the 2 IT depts. don't see eye to eye.

So my CIO is seriously considering separating the forest, though with as
little discomfort to the end users as possible.

We still need to share resources (files primarily) and access to the
corporate intranet site and MS Content Manager Service and the GAL,
free/busy, limited mailbox access cross forest.

Also when some visiting manager comes to our site, he should be able to
access his resources in his home forest etc. Since we can't seem to share
management of our forest we would like 2 separate forests but still
provide the same resources as 1 forest.

Hence, my pickle.

I thought using MS Identity Integration Feature Pack and the PF sync tool
as well as the OWA solution proposed earlier and Win2k3 transitive trusts
between 2 forests and DNS conditional forwarding, this would be very
possible.

  -Original Message-
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, July 14, 2004 1:39 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DeForestation
  On the Secretary issue, move the boss and secretary at 
  the same time together. We always treated those folks as a single entity. If 
  you got high enough up into the chain where a single manager had multiple 
  secretaries or assistants they all got moved in one shot. Even if it was 
  simply moving mailboxes from one Exchange server to another. 
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: Wednesday, July 14, 2004 11:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DeForestation
  
  Do you have a link to the docs?
   
  Also, if I give the secretaries access to a mailbox in another
  forest/org, an account and mailbox has to be created for them in the
  other forest and they would have to choose from a separate Outlook
  profile if they wanted to update that mailbox. Correct?
   
  Also, I assume intranet sites that use NTLM auth will work in a trust
  relationship between 2 forests?

  Do the root DCs have to be at a certain functional level for the trust
  to be transitive among all the child domains of 2 forests?
   
   
  Thanks a lot!
  
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 11:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DeForestation
You might also check with Microsoft to see that they 
have a PFInterOrg tool that will let you synch the F/B data.  It's in 
the multi-forest deployment docs how it works and what's needed. 

 
You might offer those secretaries an alternative 
method, such as OWA to update calendars for people.  That's user 
education and thought change vs. a technical issue.  You might also 
grant them rights on the calendar and let them open it that way.  
There's a list of things you can and cannot do in multi-forest scenarios in 
that same document. :)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, July 14, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

You might check with Quest.  They have an Exchange Migration tool that is
supposed to be able to sync free/busy info. 

RE: [ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread Mulnick, Al



Casual observation?  Where's the password listed and 
what are you binding as? 
 
How about turning up the logging during the bind and search 
and ensure that you are binding as an authenticated user and that your search 
string is being passed the way you think it is?
 
 
Al




RE: [ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread joe



Sounds like it is permissioning. If you don't bind with an ID you aren't
going to see anything unless you crank down all of the permissions to
nothing. Sounds like the ID you used had very little access. You should
double-check what your permissions are set as. 
 
To put it another way, if ADSIEDIT, which authenticates when it connects,
is seeing things but you can't see something with a raw LDAP API call, it
is almost certainly authentication.
 
  joe




RE: [ActiveDir] DeForestation

2004-07-16 Thread Mulnick, Al



I thought using MS Identity Integration Feature Pack and the PF sync tool
as well as the OWA solution proposed earlier and Win2k3 transitive trusts
between 2 forests and DNS conditional forwarding, this would be very
possible.
 
 
Do you doubt that it's possible now?  If so, why?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, July 14, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

You might check with Quest.  They have an Exchange Migration tool that is
supposed to be able to sync free/busy info.  You have to go ORG to ORG I
think though.
 
Todd
 

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation
 
Actually, the migration may not happen now.
The sticking point is not being able to synch free/bus

RE: [ActiveDir] 2000 -> 2003 dit size clarification

2004-07-16 Thread joe
That stamping is done during the domainprep phase; you will note that after
you do domainprep but before you promote a K3 and make it a PDC you will
have some unresolvable SIDs on AD objects. So once you do the forest and
domain preps you should see the growth. When you actually upgrade a 2K to K3
I don't believe you will see a growth in the DIT but I also do not believe
you will see a shrinkage. You would either need to promote a fresh new K3 DC
up or do an offline defrag to see the space reduction.

When I promoted up a fresh K3 DC and then made it a GC I saw a GC DIT on 2K
machines of about 8GB shrunk to about 4.5GB on the K3 DC. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, July 14, 2004 8:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 -> 2003 dit size clarification

I thought I remembered reading something waaay back regarding some sort of
scenario during which the ntds.dit actually grows in size as part of a 2000
-> 2003 migration.  After hunting through my archives, I think I found the
relevant conversation...

If I understand this correctly, after adprep is run, the 2000 DC's might
actually see a dit size increase from the additional ACL's applied to
certain objects.  If true, I assume once they go to 2003, single instance
store (among other optimizations) will drop the size of the dit (after an
offline defrag).

If I directly upgrade a server's OS from 2000 to 2003 (not something I plan,
but just for personal knowledge), would that DC's DIT immediately show up as
larger or smaller?  Or would it just stay mostly the same and shrink after
an offline defrag?

Also, is the 15-20% increase a pretty good estimate?

From the infamous Guido...
"You do have to calculate an additional 15-20% of DIT-space on your 2000 DCs
during the upgrade of a forest to 2003 (assuming the current 2000 DIT
doesn't contain a load of whitespace).  This is mainly due to the fact, that
ADPREP adds various additional permissions on objects in AD, and as 2000
doesn't support single instance store for the security descriptors, the ACEs
get stamped on every object in the namespace...  This increase in ACEs will
result in a noticeably larger DIT size on your existing 2000 DCs in the
forest."

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT:Signed Message for craig

2004-07-16 Thread Craig Cerino

"Can not open this item. Your Digital ID name can not be found by the
underlying security system"


RE: [ActiveDir] Summer Maintenance

2004-07-16 Thread Brian Desmond
Things really slow down when multicasting to a load of computers where I am
(all Cisco 2900XL series switches with fiber links to a 4005 series backbone
switch). The multicast slows to a crawl, as does other network traffic.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Doug M. Long [mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

If you're multicasting, network congestion shouldn't be an issue (assuming
that you are putting the same image on all machines), right? Or am I missing
something here?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

You got it Steve. I don't know if you've ever done this before, but be
prepared to have a handful of them screw up and need reimaging with a floppy
disk. Also, don't think of doing em all at once. 100 - 150 is enough to
saturate your network.

--Brian

-Original Message-
From: Steve Rochford [mailto:[EMAIL PROTECTED]
Sent: Fri 7/16/2004 8:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Summer Maintenance

I love comments like  "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the
*only* supported way of using imaged workstations on a network.  Look
into it if you haven't used it.  I find it quite simple to use and
extremely effective.   The sysprep process can be automated.  I typically
find it most useful to automate all of the mini-setup answers except for
computer name.
The result is that as the imaged computers are powered up, the admin
will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or
not).
One caveat here is the default 10-computer limit each user account can
create in AD ("but it worked fine when we tested it!").  The
suggested
method is to create a designated account for Sysprep imaging and
delegate the appropriate rights to your Computer OU's.

If joining the computer to the domain during sysprep doesn't work for
you, you can also script the process.  Technet gives an example script
here:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
but MSDN actually documents the WMI method here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp
Particularly helpful is the AccountOU parameter, as it will allow you to
specify the OU in which to place the computer object to further ease
your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't
join a domain during the Sysprep process, for example, if this
particularly vexing, poorly documented, almost-12-month-old and
as-yet-unfixed "issue" plagues your environment like the spawn of
Satan:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm
No, I'm not bitter.  Not one bit.]

-Brad



[ActiveDir] Fw: perl-ldap with ADAM

2004-07-16 Thread Sonya_Lowry

Hello,
I sent this help request to a perl-ldap list and it was indicated that the
problem may be ADAM specific.  The details are:

I have set up a MS ADAM instance named cn=examplename,st=wv,c=us.  On
install, the LostAndFound, Roles, and NTDS Quotas objects were created
with dn's CN=LostAndFound,CN=examplename,ST=wv,C=us, CN=NTDS
Quotas,CN=examplename,ST=wv,C=us, and CN=Roles,CN=examplename,ST=wv,C=us.
This all displays successfully in ADAM ADSI Edit.

I then added via importing an ldif file a couple of object instances with
dn's CN=WVAdmin,CN=examplename,ST=wv,C=us and
CN=WVAdmin2,CN=examplename,ST=wv,C=us.  These both also display
successfully in ADAM ADSI Edit.

So then I attempt to use perl-ldap to perform a search like this:

use strict;
use warnings;
use Net::LDAP;

# Connect to the local ADAM instance (default LDAP port 389).
my $ldap = Net::LDAP->new('localhost') or die "$@";

# Anonymous LDAPv3 bind; pass dn => ..., password => ... to authenticate.
my $mesg = $ldap->bind( version => 3 );
$mesg->code and die "Bind failed: " . $mesg->error;

# Subtree search from C=us (scope 'sub' is also Net::LDAP's default).
$mesg = $ldap->search( base   => "C=us",
                       scope  => "sub",
                       filter => "(objectClass=*)" );
# search() always returns a Net::LDAP::Search object, so an "or die"
# never fires; check the LDAP result code instead.
$mesg->code and die "Failed on search: " . $mesg->error;

foreach my $entry ($mesg->all_entries) {
    $entry->dump;
}

$ldap->unbind;


The result is no entries.  I have also tried narrowing the base to
CN=examplename,ST=wv,C=us with no benefit.

Additionally, I tried binding to cn=WVAdmin,cn=examplename,st=wv,c=us which
does return a single result with dn=examplename,st=wv,c=us.

Note that all of the above search attempts resulted in a return code of 0
indicating success.
Any ideas what could be the problem would be greatly appreciated.
Thank you,
Sonya


- Forwarded by Sonya Lowry/stc on 07/16/2004 01:07 PM -

From: Chris Ridd <[EMAIL PROTECTED]>
Date: 07/16/2004 10:55 AM
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: perl-ldap with ADAM


On 16/7/04 6:13 pm, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
wrote:

> Chris,
> Thanks for your help.  Currently, I am binding with this line:
> 
> $ldap->bind("cn=WVAdmin,cn=examplename,st=wv,c=us");

You need to add the arguments:

    password => 'something'

to the bind, as otherwise you will be binding with a name and no password.
Typically that will succeed, but it'll be considered the same as anonymous.

However you're using MAD, which doesn't really implement LDAP in a very
standard way, so it might be doing things differently.

> and the return code is 0 which I understand indicates success.  However,
> the search result is limited to the single object
> 'cn=examplename,st=wv,c=us' despite the presence of several objects with
> dn's like cn=,cn=examplename,st=wv,c=us.
> 
> I've suspected that maybe I simply don't understand the search mechanism.
> I had assumed that the base of cn=examplename,st=wv,c=us would direct the
> search through elements with dn's ending with the string
> 'cn=examplename,st=wv,c=us' like
> cn=,cn=examplename,st=wv,c=us.  Is this a correct assumption?

It isn't quite the right way to think about it, as there are ways for the
search to process other entries too (eg by following aliases).

Think of it like directories on a disk, except that DNs are written
little-endian whereas file paths are written big-endian. A subtree search
essentially searches subdirectories. (Unless there's a link inside somewhere
that points to another subdirectory somewhere.)

Cheers,

Chris
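An added illustration (not from the thread, ADAM or perl-ldap) in Python that makes Chris's two points mechanical: a simple bind with a name but no password is classified the way RFC 4513 describes, and a search base plus scope is resolved against the thread's own DNs by treating DNs as leaf-first paths. The grandchild entry and the ST=ca entry are constructed for the demo; no directory server is needed.

```python
from typing import List


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, leaf first (DNs are little-endian).

    Attribute types are case-insensitive in LDAP, so the type and (for this
    illustration) the value are lower-cased and whitespace around commas is
    dropped. Escaped commas inside values are not handled here.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def in_scope(base: str, entry: str, scope: str = "sub") -> bool:
    """Return True if a search with this base and scope visits `entry`.

    'base' -> only the base entry itself
    'one'  -> the base entry's immediate children only
    'sub'  -> the base entry and its whole subtree (Net::LDAP's default)
    Because DNs are written leaf-first, "beneath the base" means the entry's
    RDN list ends with the base's RDN list, the way a file path starts with
    its directory. Aliases and referrals are ignored here.
    """
    b, e = parse_dn(base), parse_dn(entry)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False            # neither the base nor below it
    depth = len(e) - len(b)     # 0 = base itself, 1 = child, 2 = grandchild
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def classify_simple_bind(dn: str, password: str) -> str:
    """Classify a simple bind as RFC 4513 section 5.1 does.

    Empty name and empty password -> 'anonymous'
    Name but empty password       -> 'unauthenticated': the server treats
                                     the session as anonymous (and many
                                     servers refuse such binds outright)
    Name and password             -> 'authenticated', provided the server
                                     accepts the credentials
    """
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    if dn and password:
        return "authenticated"
    return "invalid"            # password without a name; servers reject this


# Constructed sample data: the DNs from the thread plus two made-up entries
# (a grandchild and an entry outside the base) to exercise the scope rules.
BASE = "CN=examplename,ST=wv,C=us"
ENTRIES = [
    "CN=examplename,ST=wv,C=us",
    "CN=LostAndFound,CN=examplename,ST=wv,C=us",
    "CN=NTDS Quotas,CN=examplename,ST=wv,C=us",
    "CN=WVAdmin,CN=examplename,ST=wv,C=us",
    "CN=WVAdmin2,CN=examplename,ST=wv,C=us",
    "CN=Child,CN=WVAdmin,CN=examplename,ST=wv,C=us",   # constructed grandchild
    "CN=Other,ST=ca,C=us",                              # constructed, outside BASE
]


def search(base: str, scope: str, entries: List[str] = ENTRIES) -> List[str]:
    """Simulate the entries a server would visit for this base and scope."""
    return [e for e in entries if in_scope(base, e, scope)]


if __name__ == "__main__":
    # The bind from the thread: a DN with no password is not authenticated.
    print(classify_simple_bind("cn=WVAdmin,cn=examplename,st=wv,c=us", ""))
    for scope in ("base", "one", "sub"):
        print(scope, search(BASE, scope))
```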




RE: [ActiveDir] Summer Maintenance

2004-07-16 Thread Bruce Clingaman
When I ghost 30 or 40 of my clients my network comes to a halt.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug M. Long
Sent: Friday, July 16, 2004 1:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance


If you're multicasting, network congestion shouldn't be an issue (assuming that
you are putting the same image on all machines), right? Or am I missing
something here?


From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance


You got it Steve. I don't know if you've ever done this before, but be
prepared to have a handful of them screw up and need reimaging with a floppy
disk. Also, don't think of doing em all at once. 100 - 150 is enough to
saturate your network.
 
--Brian

-Original Message- 
From: Steve Rochford [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 8:08 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Summer Maintenance



I love comments like  "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the
*only* supported way of using imaged workstations on a network.  Look
into it if you haven't used it.  I find it quite simple to use and
extremely effective.   The sysprep process can be automated.  I typically
find it most useful to automate all of the mini-setup answers except for
computer name.
The result is that as the imaged computers are powered up, the admin
will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or
not).
One caveat here is the default 10-computer limit each user account can
create in AD ("but it worked fine when we tested it!").  The suggested
method is to create a designated account for Sysprep imaging and
delegate the appropriate rights to your Computer OU's.

If joining the computer to the domain during sysprep doesn't work for
you, you can also script the process.  Technet gives an example script
here:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
but MSDN actually documents the WMI method here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp
Particularly helpful is the AccountOU parameter, as it will allow you to
specify the OU in which to place the computer object to further ease
your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't
join a domain during the Sysprep process, for example, if this
particularly vexing, poorly documented, almost-12-month-old and
as-yet-unfixed "issue" plagues your environment like the spawn of Satan:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm
No, I'm not bitter.  Not one bit.]

-Brad


[ActiveDir] GC removal

2004-07-16 Thread Daniel Gilbert
Is there a way to speed up the process for Global Catalog removal?

I know the proper Microsoft steps, but I was hoping there was a script
out there to speed up the process.

Dan



RE: [ActiveDir] help finding proxyAddresses

2004-07-16 Thread Thommes, Michael M.



Michael,
    Thank you!  I kept beating on the commands using
"upn" instead of "userprincipalname".  I owe you a beer!  Thanks
again!

Mike Thommes

  -Original Message-
  From: Michael B. Smith [mailto:[EMAIL PROTECTED]
  Sent: Friday, July 16, 2004 2:25 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] help finding proxyAddresses
  C:\BRI>adfind -b dc=brnets,dc=local -f [EMAIL PROTECTED]local proxyaddresses

  AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

  Using server: orange.brnets.local

  dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
  >proxyAddresses: smtp:[EMAIL PROTECTED]local
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: SMTP:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: smtp:[EMAIL PROTECTED]local
  >proxyAddresses: X400:c=us;a= ;p=Blue Ridge Inter;o=Exchange;s=Smith;g=Michael;i=B;
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
  Sent: Friday, July 16, 2004 3:19 PM
  To: Active Directory Mailing List (E-mail)
  Subject: [ActiveDir] help finding proxyAddresses
  
  After lots of iterations using dsquery, dsget, and/or adfind, I still can't
  seem to produce "proxyAddresses" using a given UPN.  It's Friday afternoon,
  my brain hurts, and I sure would like to finish the week on a high note.
  Any help is REALLY appreciated!  Thanks.

  Mike Thommes


RE: [ActiveDir] help finding proxyAddresses

2004-07-16 Thread Michael B. Smith



C:\BRI>adfind -b dc=brnets,dc=local -f [EMAIL PROTECTED]local proxyaddresses

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: orange.brnets.local

dn:CN=Michael B. Smith,CN=Users,DC=brnets,DC=local
>proxyAddresses: smtp:[EMAIL PROTECTED]local
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: smtp:[EMAIL PROTECTED]local
>proxyAddresses: X400:c=us;a= ;p=Blue Ridge Inter;o=Exchange;s=Smith;g=Michael;i=B;


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, July 16, 2004 3:19 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] help finding proxyAddresses

After lots of iterations using dsquery, dsget, and/or adfind, I still can't
seem to produce "proxyAddresses" using a given UPN.  It's Friday afternoon,
my brain hurts, and I sure would like to finish the week on a high note.
Any help is REALLY appreciated!  Thanks.

Mike Thommes


[ActiveDir] help finding proxyAddresses

2004-07-16 Thread Thommes, Michael M.



After lots of iterations using dsquery, dsget, and/or adfind, I still can't
seem to produce "proxyAddresses" using a given UPN.  It's Friday afternoon,
my brain hurts, and I sure would like to finish the week on a high note.
Any help is REALLY appreciated!  Thanks.

Mike Thommes


RE: [ActiveDir] Summer Maintenance

2004-07-16 Thread Doug M. Long
If you're multicasting, network congestion shouldn't be an issue (assuming that
you are putting the same image on all machines), right? Or am I missing
something here?



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 7/16/2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance


You got it Steve. I don't know if you've ever done this before, but be prepared to 
have a handful of them screw up and need reimaging with a floppy disk. Also, don't 
think of doing em all at once. 100 - 150 is enough to saturate your network.
 
--Brian

-Original Message- 
From: Steve Rochford [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 8:08 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Summer Maintenance



I love comments like  "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the
*only* supported way of using imaged workstations on a network.  Look
into it if you haven't used it.  I find it quite simple to use and
extremely effective.   The sysprep process can be automated.  I typically
find it most useful to automate all of the mini-setup answers except for
computer name.
The result is that as the imaged computers are powered up, the admin
will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or
not).
One caveat here is the default 10-computer limit each user account can
create in AD ("but it worked fine when we tested it!").  The suggested
method is to create a designated account for Sysprep imaging and
delegate the appropriate rights to your Computer OU's.

If joining the computer to the domain during sysprep doesn't work for
you, you can also script the process.  Technet gives an example script
here:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
but MSDN actually documents the WMI method here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp
Particularly helpful is the AccountOU parameter, as it will allow you to
specify the OU in which to place the computer object to further ease
your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't
join a domain during the Sysprep process, for example, if this
particularly vexing, poorly documented, almost-12-month-old and
as-yet-unfixed "issue" plagues your environment like the spawn of Satan:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm
No, I'm not bitter.  Not one bit.]

-Brad


[ActiveDir] Signed message for Craig

2004-07-16 Thread Brian Desmond








Test

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035



RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread deji
Thanks, Steve.
 
Individual customization and decision IS one of the main selling points of
the Sybari (and my) solutions. Almost-zero admin after deployment is another.
The fact that you don't have to TEACH it (aka Bayesian) and that it's
content-independent (not susceptible to embedded images and HTML tricks) is a
huge advantage, in our opinion. I'm surprised at your 69%-94% finding, but
I'm not questioning it. I'm just thinking that you may have unintentionally
reversed the result :). 94-97% is the range in all the tests we've
participated in to date.
 
Mind if we take this offline privately? I don't want to clutter the list with
a back-and-forth. Yeah, I know I started it by asking you for specifics, but
I have a feeling that Tony will be coming at me with a big stick very shortly
:)
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Steve Shaff
Sent: Fri 7/16/2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering



We did a 30 day demo of Sybari's add-on to the AV and it only caught about
69% versus the 94% that Mailfrontier is providing.  Also, the Mailfrontier
gateway is individually customizable by each individual user.  So, if an
end-user wants to get spam, so be it.  They can just turn their filter off.
Individuals can allow or block individual companies and email address that
will not affect the whole company.  They have really great support.  The AV
engine is running McAfee, which would not stop a golf-ball. (I am very
anti-McAfee)

 

Sybari's AV has a possible 7 engines (which you pay for).  We have never had
a virus infection transmitted through email. (not to boast) The support is
fantastic, even on those stupid questions. The AV software can be totally
customizable for content, speed/reliability, forbidden email address, etc...
They have a GREAT AV product, but their SPAM filter leaves something to be
desired.  It is not very customizable at the individual level and it did not
do a great job stopping the unwanted email.

 

That is why I feel that both do a great job in their own realm.  I would have
to recommend both for each task, not have one over the other.

 

And this is just my opinion; take it for what it is worth.

 

*

Steve Shaff

Active Directory / Exchange Administrator

Corillian Corporation

(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 

 


RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Steve Shaff
We did a 30 day demo of Sybari’s add-on to the AV and it only caught about
69% versus the 94% that Mailfrontier is providing.  Also, the Mailfrontier
gateway is individually customizable by each individual user.  So, if an
end-user wants to get spam, so be it.  They can just turn their filter off.
Individuals can allow or block individual companies and email address that
will not affect the whole company.  They have really great support.  The AV
engine is running McAfee, which would not stop a golf-ball. (I am very
anti-McAfee)

 

Sybari’s AV has a possible 7 engines (which you pay for).  We have never had
a virus infection transmitted through email. (not to boast) The support is
fantastic, even on those stupid questions. The AV software can be totally
customizable for content, speed/reliability, forbidden email address, etc…
They have a GREAT AV product, but their SPAM filter leaves something to be
desired.  It is not very customizable at the individual level and it did not
do a great job stopping the unwanted email.

That is why I feel that both do a great job in their own realm.  I would have
to recommend both for each task, not have one over the other.

And this is just my opinion; take it for what it is worth.

*
Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, July 16, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Steve said:

>>>But, it really does not compete with Mailfrontier’s gateway.

Then I said:

Steve,

is there anything specifically that makes you think Mailfrontier is superior
to Sybari's? I am really interested because I'd hate to play second fiddle to
anyone in this realm. If there's anything you think Sybari is missing that
makes it inferior to Mailfrontier, I'd be highly interested in knowing and
closing that gap.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Cotter, Paul M.
Nice spelling mistake Al ;-)
 
BTW - has anyone written an Event Sink yet for SP1 that 
allows someone to define arbitrary keywords to look for in either the SMTP 
headers or subject line then set the SCL appropriately?
 
For example, we actually use SpamAss(ass)in to set a 
"FailedSpamCheck: yes" header in Spam messages as well as modifying the subject 
line with the prefix {FAILED SC}.  I would like to look for either of these 
terms in a message and set the SCL to 10 (which I think is the highest 
level).  This would allow us to set up the auto-delete rules etc. 
appropriately without involving a server-side rule like we do 
now.
 
 
Paul 
Cotter
Microsoft MVP - 
MIIS 2003
 
 
~nodisc.
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Sent: Friday, July 16, 2004 11:04 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering
  
  If you're going to go that route, you may also want to 
  check out spamassin as a possible product. You'd want something that 
  handles anti-virus to compliment the product.
   
  al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
  Sent: Friday, July 16, 2004 9:00 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering
  
  I'm using MailScanner (http://www.mailscanner.info/) running 
  on FreeBSD (http://www.freebsd.org/) You 
  need a bit of Unix experience to set it up (but not too much) and it's working 
  very well for us. A (sort of) diary of how I did it is at http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/
   
  Steve
  
  
  From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
  Sent: 15 July 2004 13:50
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering
  
  Our organization is running Exchange 2000.  We 
  recently put up an SMTP Gateway between our firewall and Exchange 2000 Email 
  Gateway to fend off SPAM and viruses giving us a good choke point for 
  both.  We are using Symantec Mail Security for SMTP which does not 
  require Exchange 2000 to run on.  It is a very good product by Symantec 
  but we remain unimpressed as it gives no automated reporting or performance 
  monitoring.  Does anyone have a product that combats viruses and SPAM 
  while providing automated reporting and performance monitoring, preferably one 
  that does not require Exchange 2000 to run?  We want to stay away from 
  having to maintain another Exchange server if we can help it as we would not 
  put any user mailboxes on it.  Thanks in advance and sorry for the OT 
  discussion if it offends anyone.
  Jeremy
  - Jeremy Burkes SSP
  MIS Department
  [EMAIL PROTECTED]
  PH: 202-764-1270


RE: [ActiveDir] Share creation permissions

2004-07-16 Thread Bruce Clingaman

I think only power users can create shares. If they are not power users or
higher then the solution may already be in place.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
Contr InDyne/Enterprise IT
Sent: Friday, July 16, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Share creation permissions

I have a proposed requirement to restrict the ability to create shares on
the workstation to all but a few people within the domain.  Anyone have an
idea as to how to do this?



v/r

RC

Comments and concerns can be directed back to me, complaints can be directed
to /dev/null



RE: [ActiveDir] Possibly OT: Flash Media Detection

2004-07-16 Thread Raymond McClinnis
I was looking for a solution a while back and found this.

http://www.simplescripts.de/usb-port-security-tool.htm

It’s pretty much a VBScript that you run as a service.  It checks against a
“white list” and shuts down the computer, or whatever you want it to do.



Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union
650-508-0300 X2557
800-632-4600 X2557

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Friday, July 16, 2004 5:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

There is a 3rd party whose name I forget who have some security software
that does precisely this. I’ll try and remember the name

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: 14 July 2004 23:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

Oh no, don’t disable USB hardware – that would break a ton of stuff
(keyboards, mice, printers, scanners, etc.).

It seems to me that anything a user can access, the user can copy onto some
medium.  Even if you were to magically prevent removable media, that
wouldn’t preclude printing content out and stuffing the paper into a
briefcase, or even taking a picture of the screen with a cell phone camera.

In my opinion, the right way to handle these situations is to have proper
security controls in place for content.

 



Charles
Oppermann, [EMAIL PROTECTED],  http://weblogs.asp.net/chuckop/



 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, July 14, 2004 1:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection



 



As far as I can remember.. not really

I'd need to have a play as it's been a while since I've played around with such things. A few things I would look at:

1) Set policy so that users can only see specific drives and not map others. This isn't the greatest method as it can be bypassed but will stop the average user :-

The GPO is:
USER\Administrative Templates\Windows Components\Windows Explorer\Prevent access to drives from My Computer

2) If you are using XP then :- http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

2) http://www.protect-me.com/dl/

3) Could disable USB in the h/w profile

4) Disable USB in BIOS and password protect it

Admin rights are of course a factor and you'd need to test the majority of the options above with your users' rights on their machines.

BR

Rob

-Original Message-
From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED] 
Sent: 13 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Flash Media Detection





Hello,

Is there a group policy restricting use of flash media (USB drives, iPods, camera cards, etc.) and/or any third party detection tools for use in a network environment?

Thank you,

Mitchell D. Lawrence
Director, Network Administrator
IT&S Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)

**< Good | Cheap | Fast > (Pick Two)**

This
email and any files transmitted with it may contain PRIVILEGED and/or
CONFIDENTIAL information and may only be read and/or used by the intended
recipient. If you are not the intended recipient of this email and/or any
attachments, please be advised that you have received this email in error and
that any use, dissemination, distribution, forwarding, printing, or copying of
this email and/or any attached files is strictly prohibited. If you have
received this email and/or any attachments in error, please reply or
contact the sender explaining that you have received this email
and/or any attachments in error and that you have purged this email and/or any
attachments from your system.




This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the sender
immediately and delete the material from any computer. Unless you are the
intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst the
MCPS-PRS Alliance monitors all communications for potential viruses, we accept
no responsibility for any loss or damage caused by this e-mail and the
information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England un

RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Deji Akomolafe



Steve said:
>>>But, it really does not compete with Mailfrontier’s gateway. 
 
Then I said:
Steve, 
 
is there anything specifically that makes you think Mailfrontier is superior to Sybari's? I am really interested because I'd hate to play second fiddle to anyone in this realm. If there's anything you think Sybari is missing that makes it inferior to Mailfrontier, I'd be highly interested in knowing and closing that gap.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Steve Shaff








I would have to recommend the Mailfrontier Spam Gateway. It is a product that is relatively cheap and really does a great job on the SPAM portion. They also have an add-on for doing AV screening at the gateway, but it uses McAfee. Which is crap, in my humble opinion. For AV software, I really like Sybari’s product. But, they too have a SPAM add-on for their AV software. But, it really does not compete with Mailfrontier’s gateway. Two great products in their own realm.

S

*

Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, July 16, 2004 9:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering



 

If you're going to go that route, you may also want to check out SpamAssassin as a possible product. You'd want something that handles anti-virus to complement the product.

 

al

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Friday, July 16, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

I'm using MailScanner (http://www.mailscanner.info/) running on FreeBSD (http://www.freebsd.org/). You need a bit of Unix experience to set it up (but not too much) and it's working very well for us. A (sort of) diary of how I did it is at http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/

 

Steve

 







From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 13:50
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Our organization is running Exchange 2000. We recently put up an SMTP Gateway between our firewall and Exchange 2000 Email Gateway to fend off SPAM and viruses giving us a good choke point for both. We are using Symantec Mail Security for SMTP which does not require Exchange 2000 to run on. It is a very good product by Symantec but we remain unimpressed as it gives no automated reporting or performance monitoring. Does anyone have a product that combats viruses and SPAM while providing automated reporting and performance monitoring, preferably one that does not require Exchange 2000 to run? We want to stay away from having to maintain another Exchange server if we can help it as we would not put any user mailboxes on it. Thanks in advance and sorry for the OT discussion if it offends anyone.

Jeremy

-

Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270








RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Deji Akomolafe



OK, now that Al (Hi, Al :)) and others have chimed in , would it still be considered rude IF I pitch my own solution in contribution to this thread?
 
Paging Tony..
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: Mulnick, Al
Sent: Fri 7/16/2004 9:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

If you're going to go that route, you may also want to check out SpamAssassin as a possible product. You'd want something that handles anti-virus to complement the product.
 
al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Friday, July 16, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

I'm using MailScanner (http://www.mailscanner.info/) running on FreeBSD (http://www.freebsd.org/). You need a bit of Unix experience to set it up (but not too much) and it's working very well for us. A (sort of) diary of how I did it is at http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/
 
Steve


From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 13:50
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Our organization is running Exchange 2000.  We recently put up an SMTP Gateway between our firewall and Exchange 2000 Email Gateway to fend off SPAM and viruses giving us a good choke point for both.  We are using Symantec Mail Security for SMTP which does not require Exchange 2000 to run on.  It is a very good product by Symantec but we remain unimpressed as it gives no automated reporting or performance monitoring.  Does anyone have a product that combats viruses and SPAM while providing automated reporting and performance monitoring, preferably one that does not require Exchange 2000 to run?  We want to stay away from having to maintain another Exchange server if we can help it as we would not put any user mailboxes on it.  Thanks in advance and sorry for the OT discussion if it offends anyone.
Jeremy 
-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


[ActiveDir] Running DCDiag

2004-07-16 Thread rmcdonald

Return Receipt

Your document "[ActiveDir] Running DCDiag" was received by Ryan McDonald/bankersbank at 07/16/2004 12:13:41 PM.






[ActiveDir] Share creation permissions

2004-07-16 Thread Carpenter Robert A Contr InDyne/Enterprise IT
I have a proposed requirement to restrict the ability to create shares on
the workstation to all but a few people within the domain.  Anyone have an
idea as to how to do this?



v/r

RC

Comments and concerns can be directed back to me, complaints can be directed
to /dev/null



[ActiveDir] Running DCDiag

2004-07-16 Thread Rosales, Mario
Anyone know what this means when I do a DCDiag?

Starting test: kccevent
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:51
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:51
  Event String: The attempt to establish a replication link for
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:53:25
  Event String: It has been too long since this machine last
   . SERVER01 failed test kccevent


*** 
 The contents of this communication are intended only for the addressee and
may contain confidential and/or privileged material. If you are not the
intended recipient, please do not read, copy, use or disclose this
communication and notify the sender.  Opinions, conclusions and other
information in this communication that do not relate to the official
business of my company shall be understood as neither given nor endorsed by
it.  
*** 


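The kccevent output above shows each NTDS event as a hex value with the severity bits folded into the number. The following PowerShell is an added example (not from the post or from dcdiag itself) that parses those lines, recovers the decimal event ID and severity, and annotates the two IDs that occur here from the NTDS event catalogue; the sample text is copied from the post.

```powershell
# Sample input, copied from the dcdiag output in the post (first two events
# and the closing line); not captured live.
$SampleOutput = @'
Starting test: kccevent
   An Error Event occured.  EventID: 0xC7FA
  Time Generated: 07/16/2004   10:50:50
  Event String: It has been too long since this machine last
   An Warning Event occured.  EventID: 0x8785
  Time Generated: 07/16/2004   10:50:50
  Event String: The attempt to establish a replication link for
   . SERVER01 failed test kccevent
'@

# Meaning of the two NTDS event IDs that appear in the post, from the NTDS
# event catalogue. Extend the table for other IDs as needed.
$KnownNtdsEvents = @{
    2042 = 'No successful replication from a source for longer than the tombstone lifetime; ' +
           'check the DC for lingering objects before forcing replication'
    1925 = 'The KCC could not establish a replication link for a writable directory partition'
}

function ConvertFrom-DcdiagKccEvent {
    <# Parses "An <Severity> Event occured.  EventID: 0x<hex>" lines and the
       "Time Generated" / "Event String" lines that follow each one. #>
    param([Parameter(Mandatory)][string[]]$Lines)

    $events  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match 'An \w+ Event occur+ed\.\s+EventID:\s+0x([0-9A-Fa-f]+)') {
            $hex   = $Matches[1]
            $value = [Convert]::ToUInt32($hex, 16)
            # The low 16 bits are the event ID shown in Event Viewer (0xC7FA -> 2042).
            $id = [int]($value -band 0xFFFF)
            # The top two bits of the value carry the severity (11 error, 10 warning,
            # 01 informational, 00 success). Reading the first hex digit handles both
            # the 4-digit form in the post and the 8-digit form (e.g. 0x80000B46)
            # that other dcdiag output uses.
            $severity = switch ([Convert]::ToInt32($hex.Substring(0, 1), 16) -shr 2) {
                3       { 'Error' }
                2       { 'Warning' }
                1       { 'Informational' }
                default { 'Success' }
            }
            $meaning = if ($KnownNtdsEvents.ContainsKey($id)) { $KnownNtdsEvents[$id] }
                       else { 'not in lookup table' }
            $current = [pscustomobject]@{
                Severity  = $severity
                EventId   = $id
                Generated = $null
                Text      = $null
                Meaning   = $meaning
            }
            $events.Add($current)
        }
        elseif ($current -and $line -match 'Time Generated:\s+(.+?)\s*$') {
            $current.Generated = $Matches[1]
        }
        elseif ($current -and $line -match 'Event String:\s+(.+?)\s*$') {
            $current.Text = $Matches[1]
        }
    }
    return $events
}

$parsed = ConvertFrom-DcdiagKccEvent -Lines ($SampleOutput -split "`r?`n")
$parsed | Format-Table Severity, EventId, Generated, Text -AutoSize

# One line per distinct event ID; in the post 2042 repeats once per
# replication partner that has gone stale.
$parsed | Group-Object EventId | ForEach-Object {
    '{0} x event {1}: {2}' -f $_.Count, $_.Name, $KnownNtdsEvents[[int]$_.Name]
}
```

Decoded, the post's errors are NTDS 2042 (a partner has not replicated within the tombstone lifetime, so lingering objects are possible) and the warnings are 1925 (the replication link could not be set up); a DC in that state should be checked for lingering objects before replication is forced rather than simply re-enabled.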


RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Mulnick, Al



If you're going to go that route, you may also want to check out SpamAssassin as a possible product. You'd want something that handles anti-virus to complement the product.
 
al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Friday, July 16, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

I'm using MailScanner (http://www.mailscanner.info/) running on FreeBSD (http://www.freebsd.org/). You need a bit of Unix experience to set it up (but not too much) and it's working very well for us. A (sort of) diary of how I did it is at http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/
 
Steve


From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 13:50
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Our organization is running Exchange 2000. We recently put up an SMTP Gateway between our firewall and Exchange 2000 Email Gateway to fend off SPAM and viruses giving us a good choke point for both. We are using Symantec Mail Security for SMTP which does not require Exchange 2000 to run on. It is a very good product by Symantec but we remain unimpressed as it gives no automated reporting or performance monitoring. Does anyone have a product that combats viruses and SPAM while providing automated reporting and performance monitoring, preferably one that does not require Exchange 2000 to run? We want to stay away from having to maintain another Exchange server if we can help it as we would not put any user mailboxes on it. Thanks in advance and sorry for the OT discussion if it offends anyone.

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


RE: [ActiveDir] Possibly OT: Flash Media Detection

2004-07-16 Thread Free, Bob
The one I see mentioned often used to be called SecureNT, now Sanctuary
Device Control. Covers a very broad range of I/O devices and integrates
with AD.

http://www.securewave.com/turcana/securewave/sanctuary_DC.jsp

HTH



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Friday, July 16, 2004 5:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection



There is a 3rd party whose name I forget who have some security software
that does precisely this. I'll try and remember the name

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: 14 July 2004 23:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

 

Oh no, don't disable USB hardware - that would break a ton of stuff
(keyboards, mice, printers, scanners, etc.).

 

It seems to me that anything a user can access, the user can copy onto
some medium.  Even if you were to magically prevent removable media,
that wouldn't preclude printing content out and stuffing the paper into
a briefcase, or even taking a picture of the screen with a cell phone
camera.

 

In my opinion, the right way to handle these situations is to have
proper security controls in place for content.

 

Charles Oppermann, [EMAIL PROTECTED], http://weblogs.asp.net/chuckop/
 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, July 14, 2004 1:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

 

As far as I can remember.. not really

 

I'd need to have a play as it's been a while since I've played around
with such things. A few things I would look at:

 

1) Set policy so that users can only see specific drives and not map
others. This isn't the greatest method as it can be bypassed but will
stop the average user :-

 

The gpo is:
USER\Administrative Templates\Windows Components\Windows
Explorer\Prevent access to drives from My Computer

2) If you are using XP then :-
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

2) http://www.protect-me.com/dl/

3) Could disable USB in the h/w profile

4) Disable USB in BIOS and password protect it

 

Admin rights are of course a factor and you'd need to test the majority
of the options above with your users rights on their machines.

 

BR

 

Rob

-Original Message-
From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED] 
Sent: 13 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Flash Media Detection

Hello,

Is there a group policy restricting use of flash media (USB
drives, iPods, camera cards, etc.) and/or any third party detection
tools for use in a network environment?

Thank you,

Mitchell D. Lawrence

Director, Network Administrator

IT&S Department

North Bay Hospital

1711 W. Wheeler Ave

Aransas Pass, TX 78336

ph: (361) 758-0580

fx: (361) 758-0581

pg: (361) 270-0421

[EMAIL PROTECTED] 


[EMAIL PROTECTED]   (home)

**< Good | Cheap | Fast > (Pick Two)**

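Raymond's allowlist service and the KB 823732 method Rob lists can both be audited from one place. The following PowerShell is an added example (not the tool or the KB's own script) that reads the USBSTOR device history from the registry, classifies each device by serial against an allowlist, and reports the UsbStor driver's Start value; the allowlist serials and the sample instance IDs are constructed.

```powershell
# Allowlist of approved device serial numbers (constructed sample values).
$ApprovedSerials = @('4C530001230609112345', 'AA04012700012345')

function Get-UsbStorInstanceId {
    <# Returns the USBSTOR instance IDs recorded in the registry. Windows keeps one
       per USB mass-storage device that has ever been attached, so this is a device
       history, not only what is plugged in right now. #>
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($device in Get-ChildItem $root) {
        foreach ($instance in Get-ChildItem $device.PSPath) {
            'USBSTOR\{0}\{1}' -f $device.PSChildName, $instance.PSChildName
        }
    }
}

function Test-UsbStorAllowed {
    <# Splits each instance ID into vendor, product and serial and marks it approved
       when the serial is on the allowlist. #>
    param(
        [Parameter(Mandatory)][string[]]$InstanceId,
        [Parameter(Mandatory)][string[]]$Approved
    )
    foreach ($id in $InstanceId) {
        $parts = $id -split '\\'              # USBSTOR \ Disk&Ven_..&Prod_..&Rev_.. \ <serial>&0
        if ($parts.Count -lt 3) { continue }
        $serial = ($parts[2] -split '&')[0]   # drop the trailing "&0" instance suffix
        # A device that reports no hardware serial gets a Windows-generated ID such
        # as "7&1a2b3c4d&0&_&0" (a single digit, then "&"); it cannot be allowlisted
        # by serial, so it is never approved here.
        $hasSerial = $parts[2] -notmatch '^\d&'
        $vendor  = if ($parts[1] -match 'Ven_([^&]+)')  { $Matches[1] } else { '' }
        $product = if ($parts[1] -match 'Prod_([^&]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Vendor     = $vendor
            Product    = $product
            Serial     = $serial
            HasSerial  = $hasSerial
            Approved   = $hasSerial -and ($Approved -contains $serial)
            InstanceId = $id
        }
    }
}

function Get-UsbStorDriverState {
    <# KB 823732's registry method disables USB mass storage by setting the
       UsbStor driver's Start value to 4 (disabled); 3 is the normal demand-start. #>
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'UsbStor driver key not present' }
    switch ($start) {
        4       { 'disabled (Start=4)' }
        3       { 'enabled, demand start (Start=3)' }
        default { "Start=$start" }
    }
}

# Constructed instance IDs so the classification can be read without a live
# registry: one approved serial, one unknown serial, one serial-less device.
$Constructed = @(
    'USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001230609112345&0',
    'USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\BADC0FFEE0DDF00D&0',
    'USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\7&1a2b3c4d&0&_&0'
)
Test-UsbStorAllowed -InstanceId $Constructed -Approved $ApprovedSerials |
    Format-Table Vendor, Product, Serial, HasSerial, Approved -AutoSize

# Live audit of this machine: report, do not shut down.
"UsbStor driver: $(Get-UsbStorDriverState)"
$live = @(Get-UsbStorInstanceId)
if ($live.Count -gt 0) {
    Test-UsbStorAllowed -InstanceId $live -Approved $ApprovedSerials |
        Where-Object { -not $_.Approved } |
        ForEach-Object { Write-Warning "Unapproved USB storage device recorded: $($_.InstanceId)" }
}
```

This audits only; blocking at the driver level is what products like the Sanctuary Device Control mentioned above provide, and the registry lists every device ever attached, not only the ones currently present.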

RE: [ActiveDir] Summer Maintenance

2004-07-16 Thread Brian Desmond
You got it Steve. I don't know if you've ever done this before, but be prepared to 
have a handful of them screw up and need reimaging with a floppy disk. Also, don't 
think of doing em all at once. 100 - 150 is enough to saturate your network.
 
--Brian

-Original Message- 
From: Steve Rochford [mailto:[EMAIL PROTECTED] 
Sent: Fri 7/16/2004 8:08 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Summer Maintenance



I love comments like  "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away."

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the
*only* supported way of using imaged workstations on a network.  Look
into it if you haven't used it.  I find it quite simple to use and
extremely effective.  The sysprep process can be automated.  I typically
find it most useful to automate all of the mini-setup answers except for
computer name.  The result is that as the imaged computers are powered
up, the admin will type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or
not).  One caveat here is the default 10-computer limit each user account
can create in AD ("but it worked fine when we tested it!").  The suggested
method is to create a designated account for Sysprep imaging and
delegate the appropriate rights to your Computer OUs.

If joining the computer to the domain during sysprep doesn't work for
you, you can also script the process.  Technet gives an example script
here:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
but MSDN actually documents the WMI method here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp
Particularly helpful is the AccountOU parameter, as it will allow you to
specify the OU in which to place the computer object to further ease
your post-deployment admin tasks.

[The script method works wonders in large deployments when you can't
join a domain during the Sysprep process, for example, if this
particularly vexing, poorly documented, almost-12-month-old and
as-yet-unfixed "issue" plagues your environment like the spawn of Satan:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm
No, I'm not bitter.  Not one bit.]

-Brad

-Brad



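Brad's two points together in one script: a dedicated delegated account instead of a user's 10-computer quota, and the AccountOU parameter of the WMI method he links. The following PowerShell is an added example (not the TechNet script from the thread); the domain, OU and account names are placeholders, and the NETSETUP flag values and Win32 return codes are the documented ones.

```powershell
param(
    # Placeholders: replace with the real domain, target OU and delegated account.
    [string]$Domain    = 'corp.example.com',
    [string]$AccountOU = 'OU=Workstations,OU=Imaging,DC=corp,DC=example,DC=com',
    [string]$JoinUser  = 'CORP\svc-sysprep-join'
)

# FJoinOptions flags for Win32_ComputerSystem.JoinDomainOrWorkgroup (NETSETUP_*).
$NETSETUP_JOIN_DOMAIN           = 0x01   # join a domain rather than a workgroup
$NETSETUP_ACCT_CREATE           = 0x02   # create the computer account in AccountOU
$NETSETUP_DOMAIN_JOIN_IF_JOINED = 0x20   # allow the join even if already joined elsewhere

# Return codes worth telling apart when a mass deployment fails.
$JoinResults = @{
    0    = 'joined'
    5    = 'access denied: the join account lacks Create Computer Objects on the target OU'
    1326 = 'logon failure: wrong credentials for the join account'
    1355 = 'domain not found: check DNS/SRV resolution from this client'
    2224 = 'a computer account with this name already exists'
    8557 = 'machine account quota exceeded: the per-user 10-computer limit Brad describes'
}

function Join-ComputerToDomainOU {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain -and $cs.Domain -ieq $Domain) {
        return [pscustomobject]@{ Computer = $cs.Name; ReturnValue = 0; Result = 'already a member' }
    }
    $flags = $NETSETUP_JOIN_DOMAIN -bor $NETSETUP_ACCT_CREATE -bor $NETSETUP_DOMAIN_JOIN_IF_JOINED
    # The WMI method takes the password as plain text, which is why the account
    # should be a dedicated one holding only delegated rights on the imaging OU,
    # not a Domain Admin whose password would then sit in the deployment tooling.
    $plain = $Credential.GetNetworkCredential().Password
    $r = $cs.JoinDomainOrWorkgroup($Domain, $plain, $Credential.UserName, $OU, $flags)
    $plain = $null
    $code = [int]$r.ReturnValue
    $text = if ($JoinResults.ContainsKey($code)) { $JoinResults[$code] } else { "Win32 error $code" }
    [pscustomobject]@{ Computer = $cs.Name; ReturnValue = $code; Result = $text }
}

$cred   = Get-Credential -UserName $JoinUser -Message 'Delegated Sysprep join account'
$result = Join-ComputerToDomainOU -Domain $Domain -OU $AccountOU -Credential $cred
$result | Format-List
if ($result.ReturnValue -eq 0) { Restart-Computer -Confirm }
```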

RE: [ActiveDir] OT: Active Directory Browser History Files

2004-07-16 Thread Steve Rochford



Are you using a proxy server? If so then configure it to log to a SQL 
database and query that. Both ISA server and MS Proxy server can easily be 
configured to do this and you can then generate reports of use by user, size of 
download, time of download etc.
 
You may generate a lot of data - our ISA logs are roughly 2Gb per 
day...
 
Steve


From: Edwin [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Active Directory Browser History Files


In our domain we use roaming profiles. What I would like to know is if there is an easy way to monitor the web sites that end users are looking at while at their workstations. We have users that are going to sites that may offend others and this needs to be addressed.

I am aware of reviewing the Firewall logs but I was hoping that there would be an easier way since all the machines are connected to the domain.

Thank you all for your replies.

Edwin



Re: [ActiveDir] dcpromo replication

2004-07-16 Thread Graham Turner
That's what I thought, but we had one funny dcpromo - the dcpromo.log told us
it had sourced the domain info from a site that networking / site / site
link wise is miles (or should I now say km's!!) away from it.

Hence the question.

This then raises the question of the behaviour w.r.t. retry if the "closest" one it gets from
the directory is not available - does it do the AD pings that the logon
server discovery process does??

GT

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 2004 2:52 PM
Subject: RE: [ActiveDir] dcpromo replication


> By site and sitelink metric, there is no other way it could do it until MS
> has the DCs smart enough to talk to routers and get routing info out of
> them to autodiscover topology. And even still... The complexity would be
> rather high going that route.
>
>   joe
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, July 16, 2004 9:22 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] dcpromo replication
>
> can anyone confirm the mechanism by which dcpromo being run discovers the
> source of domain information on the initial dc promotion.
>
> I know when doing this unattended you can hardcode a source into the script
> file, but how does it find a source when left to its own devices??
>
> Q223757 tells us "the closest domain controller from the domain being
> replicated will be selected." - is this by site definition?
>
>
> GT
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>



RE: [ActiveDir] dcpromo replication

2004-07-16 Thread joe
By site and sitelink metric, there is no other way it could do it until MS
has the DCs smart enough to talk to routers and get routing info out of
them to autodiscover topology. And even still... The complexity would be
rather high going that route.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 16, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] dcpromo replication 

can anyone confirm the mechanism by which dcpromo being run discovers the
source of domain information on the initial dc promotion.

I know when doing this unattended you can hardcode a source into the script
file, but how does it find a source when left to its own devices??

Q223757 tells us "the closest domain controller from the domain being
replicated will be selected." - is this by site definition?


GT



[ActiveDir] user/domain selection

2004-07-16 Thread Kern, Tom
What is the under-the-hood process by which Windows gets the user listing when you add
members to a group? I mean the drop-down list where you select a domain or the entire
directory. Is that gotten from a GC via DNS?

Also, when you join a PC to a forest, suddenly all the domains appear in the drop-down
list. How does it get that?
In Network Neighborhood, in Entire Network, those domains also appear (I thought "Entire
Network" was NetBIOS based and would use WINS, but our WINS servers in the forest are
not configured to push/pull with each other and still the domains appear)?
Just curious. Sorry if this sounds really basic or obvious.


RE: [ActiveDir] dcpromo replication

2004-07-16 Thread Rutherford, Robert
Yes

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: 16 July 2004 14:22
To: [EMAIL PROTECTED]
Subject: [ActiveDir] dcpromo replication 


can anyone confirm the mechanism by which dcpromo being run discovers
the source of domain information on the initial dc promotion.

I know when doing this unattended you can hardcode a source into the
script file, but how does it find a source when left to its own devices??

Q223757 tells us "the closest domain controller from the domain being
replicated will be selected." - is this by site definition?


GT





[ActiveDir] dcpromo replication

2004-07-16 Thread Graham Turner
can anyone confirm the mechanism by which dcpromo being run discovers the
source of domain information on the initial dc promotion.

I know when doing this unattended you can hardcode a source into the script
file, but how does it find a source when left to its own devices??

Q223757 tells us "the closest domain controller from the domain being
replicated will be selected." - is this by site definition?


GT



RE: [ActiveDir] DC selection for source of dcpromo

2004-07-16 Thread Rutherford, Robert
I'm not 100% sure what you are asking

DNS details where and who the relevant DCs are via SRV records, which
servers are GCs, who is the PDC Emulator, etc.

This is how a server being Dcpromo'd knows who holds DC roles.

BR

Rob

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: 16 July 2004 13:54
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DC selection for source of dcpromo


can anyone confirm the mechanism by which dcpromo being run discovers
the source of domain information.

I know when doing this unattended you can hardcode a source into the
script file, but how does it find a source when left to its own devices??

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be privileged. If 
you have received this e-mail in error please notify the sender immediately and delete 
the material from any computer. Unless you are the intended recipient, you should not 
copy this e-mail for any purpose, or disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this 
communication as it has been transmitted over a public network. Whilst the MCPS-PRS 
Alliance monitors all communications for potential viruses, we accept no 
responsibility for any loss or damage caused by this e-mail and the information it 
contains.
It is the recipient's responsibility to scan this e-mail and any attachments for 
viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality 
control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England under company 
number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 
3AB.

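As an added illustration of the SRV-based lookup Rob describes (example code written for this archive page, not code from the thread): the owner names are the ones a DC registers under _msdcs, and a locator tries the site-scoped name before the domain-wide one, ordering the answers by SRV priority and weight as RFC 2782 specifies. The zone contents, host names and the 'London' site are constructed, and the single-domain-forest shortcut is marked in the code. It models only the DNS side; the real locator also learns the client's site from a DC's LDAP ping response and confirms candidates the same way, which this does not do.

```python
"""How a DC locator finds a source DC from the _msdcs SRV records.
Added example for this archive page, not code from the thread.  The SRV
owner names are the ones Active Directory registers; the zone data, host
names, priorities and weights are constructed, and 'London' is an assumed
site name.  Real lookups go to DNS; this runs against the constructed zone
so it can be executed offline."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int   # lower is preferred (Windows default 0, LdapSrvPriority)
    weight: int     # share of load within a priority (Windows default 100, LdapSrvWeight)
    port: int
    target: str


def srv_names(domain: str, forest: str, site: Optional[str] = None) -> Dict[str, str]:
    """Owner names the locator queries, per role.  With a site, the
    site-scoped names under _sites are used first; the PDC emulator record
    is never site-scoped, and GC records hang off the forest root."""
    scope = f"{site}._sites." if site else ""
    return {
        "dc": f"_ldap._tcp.{scope}dc._msdcs.{domain}",
        "kdc": f"_kerberos._tcp.{scope}dc._msdcs.{domain}",
        "gc": f"_ldap._tcp.{scope}gc._msdcs.{forest}",
        "pdc": f"_ldap._tcp.pdc._msdcs.{domain}",
    }


def ordered(records: List[SRV], rng: Callable[[], float] = random.random) -> List[SRV]:
    """RFC 2782 ordering: lowest priority first; within a priority, weighted
    random selection so higher-weight DCs are tried more often.  rng is
    injectable so the order is reproducible in tests."""
    remaining = list(records)
    out: List[SRV] = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        pool = [r for r in remaining if r.priority == lowest]
        total = sum(r.weight for r in pool)
        pick = pool[0]                      # all weights zero: any is fine
        if total:
            threshold = rng() * total       # in [0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running > threshold:
                    pick = r
                    break
        out.append(pick)
        remaining.remove(pick)
    return out


def locate_dc(zone: Dict[str, List[SRV]], domain: str, site: Optional[str] = None,
              rng: Callable[[], float] = random.random) -> Tuple[str, List[str]]:
    """Try the site-specific name first, then the domain-wide one.  Returns
    the name that answered and the DC targets in the order they would be tried."""
    forest = domain    # assumption for this example: single-domain forest
    candidates = []
    if site:
        candidates.append(srv_names(domain, forest, site)["dc"])
    candidates.append(srv_names(domain, forest)["dc"])
    for name in candidates:
        records = zone.get(name, [])
        if records:
            return name, [r.target for r in ordered(records, rng)]
    raise LookupError(f"no DC SRV records found for {domain}")


# Constructed zone: two DCs in London, one in New York, one low-priority DR DC.
SAMPLE_ZONE: Dict[str, List[SRV]] = {
    "_ldap._tcp.London._sites.dc._msdcs.corp.example.com": [
        SRV(0, 100, 389, "londc1.corp.example.com"),
        SRV(0, 100, 389, "londc2.corp.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        SRV(0, 100, 389, "londc1.corp.example.com"),
        SRV(0, 100, 389, "londc2.corp.example.com"),
        SRV(0, 100, 389, "nycdc1.corp.example.com"),
        SRV(10, 0, 389, "drdc1.corp.example.com"),   # tried only when every priority-0 DC fails
    ],
}

if __name__ == "__main__":
    for site in ("London", "Paris"):
        name, targets = locate_dc(SAMPLE_ZONE, "corp.example.com", site)
        print(f"site={site}: queried {name}\n  order: {', '.join(targets)}")
```

To compare with a real domain, run `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` and the `<site>._sites` variant; a DC's own priority and weight in those records come from its Netlogon LdapSrvPriority and LdapSrvWeight settings, which is the lever for steering new DCs away from a busy or remote source.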


RE: [ActiveDir] Summer Maintenance

2004-07-16 Thread Steve Rochford
I love comments like  "The result is that as the imaged computers are
powered up, the admin will type in each unique computer name and walk
away." 

We're re-imaging about 1000 student computers this summer and I'm not
intending to go anywhere near most of them so typing in anything is a
no-no! As others have said, Ghost will happily rename and join to the
domain and it will also work with sysprep so you can have the best of
both worlds :-)

Steve

-Original Message-
From: Brad Corob [mailto:[EMAIL PROTECTED] 
Sent: 15 July 2004 05:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Summer Maintenance

2) Regardless of how you image the computers, using sysprep is the *only*
supported way of using imaged workstations on a network.  Look into it if
you haven't used it.  I find it quite simple to use and extremely
effective.  The sysprep process can be automated.  I typically find it most
useful to automate all of the mini-setup answers except for computer name.
The result is that as the imaged computers are powered up, the admin will
type in each unique computer name and walk away.

You can also join a domain during the sysprep process (automated or not).
One caveat here is the default 10-computer limit each user account can
create in AD ("but it worked fine when we tested it!").  The suggested
method is to create a designated account for Sysprep imaging and delegate
the appropriate rights to your Computer OUs.

If joining the computer to the domain during sysprep doesn't work for you,
you can also script the process.  Technet gives an example script here:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspx
but MSDN actually documents the WMI method here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/joindomainorworkgroup_method_in_class_win32_computersystem.asp
Particularly helpful is the AccountOU parameter, as it will allow you to
specify the OU in which to place the computer object to further ease your
post-deployment admin tasks.

[The script method works wonders in large deployments when you can't join
a domain during the Sysprep process, for example, if this particularly
vexing, poorly documented, almost-12-month-old and as-yet-unfixed "issue"
plagues your environment like the spawn of Satan:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10086130.htm
No, I'm not bitter.  Not one bit.]

-Brad



RE: [ActiveDir] LDAP query string to identify Enabled vs Disabled User Account

2004-07-16 Thread Jerry Welch
Tony,
Thanks much !
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Friday, July 16, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] LDAP query string to identify Enabled vs
Disabled User Account


Hi Jerry

Enabled users
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Disabled users
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 16 Jul 2004 07:45:22 -0400

My poor old mind has seen this but lost it :)
Can someone provide an LDAP query string to identify when a User object is
Enabled or Disabled in AD?
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)




Sent via the WebMail system at mail.activedir.org



RE: [ActiveDir] OT: Exchange 2000 SPAM Filtering

2004-07-16 Thread Steve Rochford
I'm using MailScanner (http://www.mailscanner.info/) running on FreeBSD (http://www.freebsd.org/). You need a bit of Unix experience to set it up (but not too much) and it's working very well for us. A (sort of) diary of how I did it is at http://techinfo.cnwl.ac.uk/MailScanner%20on%20FreeBSD/

Steve

From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED]
Sent: 15 July 2004 13:50
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 SPAM Filtering

Our organization is running Exchange 2000.  We recently put up an SMTP Gateway between our firewall and Exchange 2000 Email Gateway to fend off SPAM and viruses giving us a good choke point for both.  We are using Symantec Mail Security for SMTP which does not require Exchange 2000 to run on.  It is a very good product by Symantec but we remain unimpressed as it gives no automated reporting or performance monitoring.  Does anyone have a product that combats viruses and SPAM while providing automated reporting and performance monitoring, preferably one that does not require Exchange 2000 to run?  We want to stay away from having to maintain another Exchange server if we can help it as we would not put any user mailboxes on it.  Thanks in advance and sorry for the OT discussion if it offends anyone.

Jeremy
-
Jeremy Burkes
SSP MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


[ActiveDir] DC selection for source of dcpromo

2004-07-16 Thread Graham Turner
Can anyone confirm the mechanism by which dcpromo, when run, discovers the
source of domain information?

I know when doing this unattended you can hardcode a source into the script
file, but how does it find a source when left to its own devices??

GT



RE: [ActiveDir] Possibly OT: Flash Media Detection

2004-07-16 Thread Peter Johnson
There is a 3rd party whose name I forget who have some security software that does precisely this. I’ll try and remember the name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: 14 July 2004 23:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

Oh no, don’t disable USB hardware – that would break a ton of stuff (keyboards, mice, printers, scanners, etc.).

It seems to me that anything a user can access, the user can copy onto some medium. Even if you were to magically prevent removable media, that wouldn’t preclude printing content out and stuffing the paper into a briefcase, or even taking a picture of the screen with a cell phone camera.

In my opinion, the right way to handle these situations is to have proper security controls in place for content.

Charles Oppermann, [EMAIL PROTECTED], http://weblogs.asp.net/chuckop/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, July 14, 2004 1:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Possibly OT: Flash Media Detection

As far as I can remember.. not really.

I'd need to have a play as it's been a while since I've played around with such things. A few things I would look at:

1) Set policy so that users can only see specific drives and not map others. This isn't the greatest method as it can be bypassed but will stop the average user :-

The GPO is: USER\Administrative Templates\Windows Components\Windows Explorer\Prevent access to drives from My Computer

2) If you are using XP then :- http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

3) http://www.protect-me.com/dl/

4) Could disable USB in the h/w profile

5) Disable USB in BIOS and password protect it

Admin rights are of course a factor and you'd need to test the majority of the options above with your users' rights on their machines.

BR

Rob

-Original Message-
From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 23:05
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Flash Media Detection

Hello,

Is there a group policy restricting use of flash media (USB drives, iPods, camera cards, etc.) and/or any third party detection tools for use in a network environment?

Thank you,

Mitchell D. Lawrence
Director, Network Administrator
IT&S Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)

**< Good | Cheap | Fast > (Pick Two)**

This email and any files transmitted with it may contain PRIVILEGED and/or CONFIDENTIAL information and may only be read and/or used by the intended recipient. If you are not the intended recipient of this email and/or any attachments, please be advised that you have received this email in error and that any use, dissemination, distribution, forwarding, printing, or copying of this email and/or any attached files is strictly prohibited. If you have received this email and/or any attachments in error, please reply or contact the sender explaining that you have received this email and/or any attachments in error and that you have purged this email and/or any attachments from your system.


RE: [ActiveDir] OT: Active Directory Browser History Files

2004-07-16 Thread Peter Johnson
We are very impressed with the MailMarshal solution we’ve deployed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: 15 July 2004 17:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Active Directory Browser History Files

You can look at the user's "Local Settings\History" or "Local Settings\Temporary Internet Files". However these two folders may not be replicating with your roaming profiles from the local workstations. That depends on how you have the roaming profile settings configured.

Have you thought about something like SurfControl (http://www.surfcontrol.com/)? This may be a better/easier/more flexible solution than parsing through everyone's roaming or local profiles. It will also catch those users that are smart enough to delete both the IE history and the temp files.

-Stuart Fuller

From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 8:44 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Active Directory Browser History Files

In our domain we use roaming profiles. What I would like to know is if there is an easy way to monitor the web sites that end users are looking at while at their workstations. We have users that are going to sites that may offend others and this needs to be addressed.

I am aware of reviewing the Firewall logs but I was hoping that there would be an easier way since all the machines are connected to the domain.

Thank you all for your replies.

Edwin

RE: [ActiveDir] DNS Name resolution issues

2004-07-16 Thread Peter Johnson
Might this not be related to the node type being issued? I remember the
node controlling the name resolution order but don't remember the
specifics.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 15 July 2004 23:49
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name resolution issues

I work in the desktop area and we see some peculiar things around DNS
name resolution. When I ask our server guys, I get some answers that
don't seem to make sense.

We are running Windows 2003 servers with WINS and my problems are:-

1. Duplicate IP entries in DNS. I have a program that gets a list of all
workstations in Active Directory, then does a DNS lookup on them. I find
multiple workstations with the same IP address. I assume that one of the
machines is an old machine that no longer exists. If DHCP is so smart
that it tells DNS when it assigns an address to a workstation, why
doesn't it also tell DNS when it deassigns it? The lecturer at a course
last week said we should "Turn on Scavenging" to delete the old ones. My
server guys say they tried that, but it deleted all of the Static IP
Addresses for printers.

2. Inconsistent responses with Reverse lookup. If my program does a
reverse lookup on an IP address, sometimes I get a fully qualified name
(presumably resolved in DNS) and sometimes just the nodename (presumably
resolved in WINS). Now the latter would make sense if I had an IP Address
that was defined in WINS but not in DHCP, but if I try and resolve the
same IP address multiple times, sometimes I get the Full name, sometimes
the short name. My Server guys tell me this is a feature of 2003. It
sometimes tries WINS first, sometimes tries DNS first. Sounds a bit dodgy
to me! Is it true and if so, is there a way to override this behaviour,
ie direct the reverse lookup to:-
- only use DNS
- only use WINS
- or only try WINS if DNS fails?

Alan Cuthbertson



Re: [ActiveDir] LDAP query string to identify Enabled vs Disabled User Account

2004-07-16 Thread Tony Murray
Hi Jerry

Enabled users
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Disabled users
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 16 Jul 2004 07:45:22 -0400

My poor old mind has seen this but lost it :)
Can someone provide an LDAP query string to identify when a User object is
Enabled or Disabled in AD?
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)



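An added worked example (not part of the thread) showing why Tony's two filters, quoted twice above, do what they do: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, which matches when every bit of the filter value is set in the attribute, and 2 is the ACCOUNTDISABLE bit of userAccountControl. The small filter parser and evaluator below were written for this page, and the directory entries are constructed; the OIDs and bit values are the real Active Directory constants. It also shows why the filters carry (objectCategory=person): computer objects have objectClass=user too, so a filter on objectClass alone would count every machine account as an enabled user.

```python
"""Evaluate the enabled/disabled-user filters from the thread against
constructed directory entries.  Added example for this archive page, not
code from the thread.  Entries and DNs are made up; the matching-rule OIDs
and userAccountControl bit values are the real Active Directory constants."""
from typing import Dict, List, Tuple

# userAccountControl bits (the subset used here)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# Extensible-match rules: 803 = every bit of the value must be set (AND),
# 804 = at least one bit of the value must be set (OR).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

ENABLED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
DISABLED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                   "(userAccountControl:1.2.840.113556.1.4.803:=2))")

Entry = Dict[str, List[str]]   # attribute -> values, as an LDAP client sees them
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]


def _entry(dn: str, category: str, classes: List[str], uac: int) -> Entry:
    return {"dn": [dn], "objectCategory": [category],
            "objectClass": classes, "userAccountControl": [str(uac)]}


# Constructed sample entries.  AD stores objectCategory as the schema DN
# (CN=Person,CN=Schema,...) and accepts the short name in filters; the short
# name is used here for simplicity.  The computer object is included because
# it carries objectClass=user as well, which is why the filters also test
# objectCategory=person.
SAMPLE_ENTRIES: List[Entry] = [
    _entry("CN=alice,OU=Staff,DC=example,DC=com", "person", USER_CLASSES, NORMAL_ACCOUNT),
    _entry("CN=bob,OU=Staff,DC=example,DC=com", "person", USER_CLASSES,
           NORMAL_ACCOUNT | ACCOUNTDISABLE),
    _entry("CN=svc-backup,OU=Service,DC=example,DC=com", "person", USER_CLASSES,
           NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    _entry("CN=FILESRV01,OU=Servers,DC=example,DC=com", "computer",
           USER_CLASSES + ["computer"], WORKSTATION_TRUST_ACCOUNT),
]

Node = Tuple  # ("&"|"|"|"!", [children]) | ("eq", attr, value) | ("ext", attr, oid, value)


def parse(s: str, i: int = 0) -> Tuple[Node, int]:
    """Recursive-descent parser for the RFC 4515 subset these filters use:
    and/or/not, equality and extensible (attr:oid:=value) matches.
    Returns the node and the index just past its closing parenthesis."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [kid]), i + 1
    j = s.index(")", i)
    lhs, value = s[i:j].split("=", 1)
    if lhs.endswith(":"):                    # attr:oid:=value
        attr, oid = lhs[:-1].split(":", 1)
        return ("ext", attr, oid, value), j + 1
    return ("eq", lhs, value), j + 1


def matches(node: Node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])          # absent attribute: no match (every AD user has userAccountControl)
    if kind == "eq":                         # AD string matching is case-insensitive
        return any(v.lower() == node[2].lower() for v in values)
    _, _, oid, value = node                  # extensible match on an integer attribute
    want = int(value)
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & want == want for v in values)
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & want != 0 for v in values)
    raise ValueError(f"unsupported matching rule {oid}")


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """DNs of the entries the filter selects, in directory order."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["dn"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print("enabled :", search(ENABLED_FILTER, SAMPLE_ENTRIES))
    print("disabled:", search(DISABLED_FILTER, SAMPLE_ENTRIES))
```

The same bit-AND rule works for any userAccountControl flag (0x10000 finds passwords that never expire, 0x400000 accounts without Kerberos preauthentication), and the 804 OR rule matches when any of several bits is set; the evaluator handles both so the filters can be tried offline before they are run against a real DC.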


[ActiveDir] LDAP query string to identify Enabled vs Disabled User Account

2004-07-16 Thread Jerry Welch
My poor old mind has seen this but lost it :)
Can someone provide an LDAP query string to identify when a User object is
Enabled or Disabled in AD?
Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)





RE: [ActiveDir] Brian Desmond's Posts

2004-07-16 Thread Craig Cerino
Usually something about the digital signature - - I do not remember off hand - - I normally delete them after I am denied. Post a fresh thread - - I’ll tell you what it says.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 9:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Brian Desmond's Posts

Does it say the cert is invalid or…

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Brian Desmond's Posts

2K3 here too

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 15, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Brian Desmond's Posts

How odd. What email clients are ya’ll using?

I use Outlook 2003, the cert is a Thawte email cert which has my name on that and everything…

I’ll try and make a habit of not sending any signed email to this list. Outlook does it automatically, so, I sometimes forget.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 15, 2004 12:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Brian Desmond's Posts

No – you are not

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 15, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Brian Desmond's Posts

Am I the only person who can't open Brian Desmond's mails due to PKI issues I guess?
