RE: [ActiveDir] DHCP authorization problem

[Charlie Kaiser]

1. Yes.
2. Yes.
3. Cisco 3640 and 2620s, with a 4006 core switch doing Layer 3 routing.
4. Cleanup on the configs, code updates, additional security; stuff like
that. We went over the configs this AM and everything looked fine, and
once I restarted DHCP, all the subnets got addresses just fine.
5. Yes. I check that one regularly. :-)

I don't even mind that the DHCP server unauthorized, but it would have
been nice if it could reauthorize, or at least show me something that
indicated it had unauthorized. When I looked in the MMC, it gave me an
option to unauthorize, so I assumed (I know) it was still authorized.
Made a stupid mistake, though; I didn't check the system log when I
realized we had a problem. Would have found it much faster.

Is the unauthorizing when DC comms go down behavior by design?

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Robert Rutherford
> Sent: Monday, November 01, 2004 3:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DHCP authorization problem
> 
> A few question completely firing in different directions 
> but may lead to a cause :-
>  
> 1) I take it your routers are relaying DHCP, not agents?
> 2) Is there a local DC in the same subnet as the DHCP server?
> 3) What are the routers? I've seen different routers play 
> games with DHCP relays.
> 4) What was the maintenance?
> 5) Are all your DCs running clean on DCDIAGS ( I know I 
> always ask that question, but identifies obvious config 
> issues at times)
>  
> Rob
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
> Sent: Mon 01/11/2004 21:23
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DHCP authorization problem
> 
> 
> 
> I had an odd one over the weekend. We did some network 
> maintenance that
> included a core switch bounce. Down for about 5 minutes. We found out
> this morning that DHCP wasn't working on any subnets except 
> for the one
> that the DHCP server was on. We had made switch and router code and
> config changes, so we looked to that as a solution, but with 
> no success.
> I remembered something from a while back where I had a similar problem
> and restarted the DHCP service. This corrected the issue. Apparently,
> the DHCP server had lost authorization from AD when the core 
> switch went
> down. Event ID 1059; "The DHCP service failed to see a 
> directory server
> for authorization." I would have expected it to reauthorize once
> connectivity was restored, however. But it didn't. I had to 
> restart the
> service manually.
> Is this normal? I would expect that DHCP authorization would 
> be able to
> recover from a short loss of connectivity.
> Any pointers to a way to prevent this from happening again?
> Thanks!
> 
> **
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> ==
> =
>   Scanned for virus infection by Messagelabs
> ==
> =
> 
> 
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Write Cache Enabled

[jon.gimpel]

Title: [ActiveDir] Write Cache Enabled



 
It ultimately depends on your faith with the Array 
Controller.  We have been using Compaq (HP) Smartarrays (several thousand 
of them) since its inception back in 1997 (or 96?) and has always been 
positive.  Most of HP's SmartArrays are battery backed up to prevent lost 
write commits.  E.g. if a server suddenly loses power while the data is in 
cache, as soon as the server cycles back on, the data is immediately 
committed.  There are some versions of onboard arrays which do not have 
battery back up - like older 380's and 360s, if that is the case, I would 
definitely not use write caching without that added battery 
protection.
 
-Jon


From: Robert Rutherford 
[mailto:[EMAIL PROTECTED] On Behalf Of Robert 
RutherfordSent: Monday, November 01, 2004 7:13 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Write Cache 
Enabled


I'm not an expert on 
storage, but I had this error on Compaq servers for years and never had an issue 
with them. I ran 30 plus domain controllers which generated the error on build 
but went quiet post.
 
Maybe someone else can give you an answer. In my experience it's no 
concern.
 
BR
Rob
 



From: 
[EMAIL PROTECTED] on behalf of Rodney GardinerSent: 
Mon 01/11/2004 23:46To: 
[EMAIL PROTECTED]Subject: [ActiveDir] Write Cache 
Enabled

I keep getting an error on one of our DC's stating that Write 
Disk Cache isenabled and if there is a system failure data corruption may 
occur.I have informed that this should not be enabled on a DC.I 
checked out Tech Net on the various errors I receive in the Event Viewerand 
it states generally the error can be ignored and that there is a hotfixthat 
you must call Microsoft for to stop the error appearing.http://support.microsoft.com/default.aspx?scid=kb;en-us;830051I 
was also informed that taking off the option for Write Disk Cache wouldhave 
a big impact on the system performance. I understand it would have animpact 
but did not think it would be as big as I am being told.I was just after 
clarification as to whether it should be enabled on a DC ornot.Any 
help would be appreciated.It is an SCSI Controller with Adaptec System 
SCSI Disk Device. It is thedisk device that has Write Cache Enabled on it 
under its properties.Rodney-Original Message-From: 
[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
On Behalf Of[EMAIL PROTECTED]Sent: Tuesday, 2 November 2004 
10:16 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] locked 
outRodney,this is a free download from ms 
under  account management tools. Searchunder MS, you will find 
it.+-+Regards,Sandy 
WuLADOTD  IT. Tech. SupportOffice: (225) 
379-1625Hrs:6:30AM-3:00PM Central 
TimeEmail:[EMAIL PROTECTED]+-+   
Rodney 
Gardiner   
 
vls.com.au>    
To 
Sent 
by:  
[EMAIL PROTECTED]    
[EMAIL PROTECTED]  
cc 
ail.activedir.org   
Subject   
RE: [ActiveDir] locked 
out  
11/01/2004 
04:16  
PM    
Please respond 
to 
[EMAIL PROTECTED]    
tivedir.org   Just 
curious as to where this lockedoutstatus.exe is 
kept?Rodney  _From: 
[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
On Behalf Of Randy WhiteSent: Tuesday, 2 November 2004 7:31 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] locked 
outThis is probably caused by a virus.  Use 
lockedoutstatus.exe to find outwhat where the lock outs are 
originating.  Then check the event log of thatDC to find out the 
perpetrating computer.  _From: 
[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
On Behalf Of[EMAIL PROTECTED]Sent: Monday, November 01, 2004 
2:29 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] locked 
outAll gurus,Wonder if any of you have experienced 
this before.Suddently over the weekend, all domain accounts ( i mean all 
) are lockedout except the domain admin accounts. What could have caused 
this problem ?The only  clue that I had is this is the 

Re: FW: RE: [ActiveDir] AD Rep Mon TOOL

[Ravi Dogra]

Yes Thanks,

i will confirm n see what he wanted to ask.

Thanks Again.
Ravi




On Sun, 31 Oct 2004 Robert Rutherford wrote :
>
>
>
>
> From: Robert Rutherford
>Sent: Sat 30/10/2004 22:39
>To: Ravi Dogra
>Subject: RE: RE: [ActiveDir] AD Rep Mon TOOL
>
>
>His question doesn't really make sense. I would only ever link transport medium in IT 
>to something like data comms, i.e. fiber and copper are transport mediums.
>
>Perhaps he is unclear and means IP ports? I don't know, perhaps you should ask him to 
>elaborate. In what context did he ask you?
>
>BR
>
>Rob
>
>
>
> From: Ravi Dogra [mailto:[EMAIL PROTECTED]
>Sent: Sat 30/10/2004 22:33
>To: [EMAIL PROTECTED]
>Cc: Robert Rutherford
>Subject: Re: RE: [ActiveDir] AD Rep Mon TOOL
>
>
>
>Yes Rob,
>
>Thats what is confusing me. Somebody asked me about this and i was really thinking 
>just like u. any guess about what the gentelman wanted to ask me this is the same 
>phrase which he used.
>
>Ravi
>
>
>On Sun, 31 Oct 2004 Robert Rutherford wrote :
> >Hi Ravi,
> >
> >Where are you coming from with this? Could you rephrase the question?
> >
> >BR
> >
> >Rob
> >
> >
> >
> > From: [EMAIL PROTECTED] on behalf of Ravi Dogra
> >Sent: Sat 30/10/2004 22:18
> >To: [EMAIL PROTECTED]
> >Subject: [ActiveDir] AD Rep Mon TOOL
> >
> >
> >
> >
> >Hi All,
> >I want to know about is there anything like :-
> >
> >Active Directory Replication Monitoring Tool Transport Medium???
> >
> >I am a bit confused
> >
> >Thanks in advance.
> >
> >Ravi Dogra
> >
> >
> >
> >  
>
>
>
>
>  

RE: [ActiveDir] Write Cache Enabled

[Robert Rutherford]

I'm not an expert on storage, but I had this error on Compaq servers for years and 
never had an issue with them. I ran 30 plus domain controllers which generated the 
error on build but went quiet post.
 
Maybe someone else can give you an answer. In my experience it's no concern.
 
BR

Rob
 


From: [EMAIL PROTECTED] on behalf of Rodney Gardiner
Sent: Mon 01/11/2004 23:46
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Write Cache Enabled



I keep getting an error on one of our DC's stating that Write Disk Cache is
enabled and if there is a system failure data corruption may occur.

I have informed that this should not be enabled on a DC.

I checked out Tech Net on the various errors I receive in the Event Viewer
and it states generally the error can be ignored and that there is a hotfix
that you must call Microsoft for to stop the error appearing.

http://support.microsoft.com/default.aspx?scid=kb;en-us;830051

I was also informed that taking off the option for Write Disk Cache would
have a big impact on the system performance. I understand it would have an
impact but did not think it would be as big as I am being told.

I was just after clarification as to whether it should be enabled on a DC or
not.

Any help would be appreciated.

It is an SCSI Controller with Adaptec System SCSI Disk Device. It is the
disk device that has Write Cache Enabled on it under its properties.

Rodney

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 2 November 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out





Rodney,

this is a free download from ms under  account management tools. Search
under MS, you will find it.

+-+
Regards,

Sandy Wu
LADOTD  IT. Tech. Support
Office: (225) 379-1625
Hrs:6:30AM-3:00PM Central Time
Email:[EMAIL PROTECTED]
+-+


  
 Rodney Gardiner  
 To
 Sent by:  [EMAIL PROTECTED]   
 [EMAIL PROTECTED]  cc
 ail.activedir.org
   Subject
   RE: [ActiveDir] locked out 
 11/01/2004 04:16 
 PM   
  
  
 Please respond to
 [EMAIL PROTECTED]
tivedir.org   
  
  




Just curious as to where this lockedoutstatus.exe is kept?

Rodney

  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out



This is probably caused by a virus.  Use lockedoutstatus.exe to find out
what where the lock outs are originating.  Then check the event log of that
DC to find out the perpetrating computer.



  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out




All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could have caused this problem ?
The only  clue that I had is this is the week to change the  summer time
back but we had this done every year, had never had this issue before. Could
this be a worm of some sort of virus. Looking into our security log it did
not show me nything out of norm ( faild security , locked out has been
turned on)

Any suggestions will be appreciated.


Regards,


Sandy

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive

[ActiveDir] Write Cache Enabled

[Rodney Gardiner]

I keep getting an error on one of our DC's stating that Write Disk Cache is
enabled and if there is a system failure data corruption may occur.

I have informed that this should not be enabled on a DC.

I checked out Tech Net on the various errors I receive in the Event Viewer
and it states generally the error can be ignored and that there is a hotfix
that you must call Microsoft for to stop the error appearing.

http://support.microsoft.com/default.aspx?scid=kb;en-us;830051

I was also informed that taking off the option for Write Disk Cache would
have a big impact on the system performance. I understand it would have an
impact but did not think it would be as big as I am being told.

I was just after clarification as to whether it should be enabled on a DC or
not.

Any help would be appreciated.

It is an SCSI Controller with Adaptec System SCSI Disk Device. It is the
disk device that has Write Cache Enabled on it under its properties.

Rodney

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 2 November 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out





Rodney,

this is a free download from ms under  account management tools. Search
under MS, you will find it.

+-+
Regards,

Sandy Wu
LADOTD  IT. Tech. Support
Office: (225) 379-1625
Hrs:6:30AM-3:00PM Central Time
Email:[EMAIL PROTECTED]
+-+


   
 Rodney Gardiner   
 To 
 Sent by:  [EMAIL PROTECTED]
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] locked out  
 11/01/2004 04:16  
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




Just curious as to where this lockedoutstatus.exe is kept?

Rodney

  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out



This is probably caused by a virus.  Use lockedoutstatus.exe to find out
what where the lock outs are originating.  Then check the event log of that
DC to find out the perpetrating computer.



  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out




All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could have caused this problem ?
The only  clue that I had is this is the week to change the  summer time
back but we had this done every year, had never had this issue before. Could
this be a worm of some sort of virus. Looking into our security log it did
not show me nything out of norm ( faild security , locked out has been
turned on)

Any suggestions will be appreciated.


Regards,


Sandy

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] DHCP authorization problem

[Robert Rutherford]

A few question completely firing in different directions but may lead to a cause :-
 
1) I take it your routers are relaying DHCP, not agents?
2) Is there a local DC in the same subnet as the DHCP server?
3) What are the routers? I've seen different routers play games with DHCP relays.
4) What was the maintenance?
5) Are all your DCs running clean on DCDIAGS ( I know I always ask that question, but 
identifies obvious config issues at times)
 
Rob



From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Mon 01/11/2004 21:23
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP authorization problem



I had an odd one over the weekend. We did some network maintenance that
included a core switch bounce. Down for about 5 minutes. We found out
this morning that DHCP wasn't working on any subnets except for the one
that the DHCP server was on. We had made switch and router code and
config changes, so we looked to that as a solution, but with no success.
I remembered something from a while back where I had a similar problem
and restarted the DHCP service. This corrected the issue. Apparently,
the DHCP server had lost authorization from AD when the core switch went
down. Event ID 1059; "The DHCP service failed to see a directory server
for authorization." I would have expected it to reauthorize once
connectivity was restored, however. But it didn't. I had to restart the
service manually.
Is this normal? I would expect that DHCP authorization would be able to
recover from a short loss of connectivity.
Any pointers to a way to prevent this from happening again?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


<>

RE: [ActiveDir] Replication - urgent triggers confirmation

[Fugleberg, David A]

Title: Message



I have 
not gotten an official verification, but my testing certainly bears it 
out.  I'm going to ping them again on it.
 
I 
agree 100% with your assessment of the brilliance of having those things 
replicate via both AD and FRS.
 
This 
original problem led us down a long and not-so-merry chase with PSS, during 
which one of the 'tests' they had us perform had some pretty nasty consequences 
that I don't want to discuss on-list right now...suffice it to say we have 
things pretty much put back together now.  They finally admitted that they 
were able to repro that issue, after telling us for a week that it couldn't 
possibly have caused the havoc that it did.  I'm hoping to get them to 
document it.
 
Dave

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of joeSent: Friday, October 29, 2004 11:17 
AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Replication - urgent triggers confirmation

  Did you ever get verification from PSS on your 
  theory.
   
  I would back your theory. I've seen similar and had the 
  same theory. It can also be a pain if FRS is broken on one or two DCs. As you 
  will ping-pong forever until FRS is fixed. I have always thought having domain 
  policy that replicates both through FRS and AD replication is rather 
  unintelligent. If they wanted it to replicate through FRS, they should have 
  made the attributes non-replicating in AD. Of course then you have the ability 
  to make a DC have a different policy than the rest of the DCs by purposely 
  breaking FRS... So maybe these shouldn't be replicated in 
  FRS...
   
    joe
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, 
  David ASent: Wednesday, October 13, 2004 12:00 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Replication - 
  urgent triggers confirmation
  
  That's all correct, with one addition: if an account is locked out at a 
  DC other than the PDCE, it uses 'immediate replication' to tell the PDCE about 
  it.  This does not wait for any schedule; it just happens.  There's 
  a webcast transcript out there that details the various kinds of replication 
  wrt password changes, lockouts, etc: http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fservicedesks%2fwebcasts%2fen%2fwc022703%2fwct022703.asp
   
  Regarding 'side effects', I believe youre talking about Site Link 
  Notification.  If Notification is enabled on a site link, notifications 
  of changes are sent over that site link after the holdback period (5 min on 
  Win2K, 15 sec on W2K3), just like they're sent to intrasite replication 
  partners.  That definitely speeds up replication, but you lose any 
  benefit of scheduled replication.  This may or may not be a big deal for 
  you - depends on your available WAN bandwidth, change activity, etc.  
  
   
  We 
  had a situation that forced us into enabling notification on our site links 
  (single forest/single domain, hub/spoke topology) soon after we began 
  deploying AD.  It's a long story.  Anyhow, we left it that way 
  because we have no problems with it, and any changes to directory objects 
  replicate everywhere very quickly.  We've had it that way over three 
  years now.  Interestingly, we had MS come in and do a 'AD Health Check' 
  this summer, and before they even looked at anything they said "we can speed 
  up your AD replication convergence from hours to minutes!" When I asked what 
  they had in mind, they started telling me about notification.  I told 
  them we'd already been that way for 3 years, and they looked kind of 
  disappointed - apparently that revelation has been a big Wow for many other 
  accounts they've visited.  They have a tool that measures convergence 
  time of AD changes to all DCs, and they like to show people how it goes from 
  hours to minutes after they do their magic.
   
  Anyhow, through all that we did learn of one negative side 
  effect.  We had left the Site Link Interval at the default 180 minutes on 
  all site links, figuring that it was moot with notification enabled.  As 
  it turns out, FRS still obeys that interval, so changes to the SYSVOL can 
  still take hours to get everywhere.  This was no big deal until we 
  modified something in the Account Policies of the Default Domain Controllers 
  Policy.  Some of the settings there (Max Password Age for example) set 
  values for attributes on the Domain object.  When we changed this, we saw 
  that value 'ping-pong' between the old and new values on many DCs for 
  hours.  I theorized what was happening was that the new value on the 
  domain object replicated to all DCs quickly (due to notification), but many 
  DCs had the old value in their copy of the Default Domain Controllers Policy 
  GPT in the sysvol.  When they reapplied their security policy, the value 
  was set back, triggering another attribute value replication.  
  Eventually, once the sysvol on all DCs was 

RE: [ActiveDir] locked out

[SandyWu]

Rodney,

this is a free download from ms under  account management tools. Search
under MS, you will find it.

+-+
Regards,

Sandy Wu
LADOTD  IT. Tech. Support
Office: (225) 379-1625
Hrs:6:30AM-3:00PM Central Time
Email:[EMAIL PROTECTED]
+-+


   
 Rodney Gardiner   
 To 
 Sent by:  [EMAIL PROTECTED]
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] locked out  
 11/01/2004 04:16  
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




Just curious as to where this lockedoutstatus.exe is kept?

Rodney

  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out



This is probably caused by a virus.  Use lockedoutstatus.exe to find out
what where the lock outs are originating.  Then check the event log of that
DC to find out the perpetrating computer.



  _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out




All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could have caused this problem
?  The only  clue that I had is this is the week to change the  summer
time back but we had this done every year, had never had this issue
before. Could this be a worm of some sort of virus. Looking into our
security log it did not show me nything out of norm ( faild security ,
locked out has been turned on)

Any suggestions will be appreciated.


Regards,


Sandy

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] locked out

[Rodney Gardiner]

Just curious as to where this lockedoutstatus.exe is kept?
 
Rodney

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Randy White
Sent: Tuesday, 2 November 2004 7:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] locked out



This is probably caused by a virus.  Use lockedoutstatus.exe to find out
what where the lock outs are originating.  Then check the event log of that
DC to find out the perpetrating computer.

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out

 


All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could have caused this problem
?  The only  clue that I had is this is the week to change the  summer
time back but we had this done every year, had never had this issue
before. Could this be a worm of some sort of virus. Looking into our
security log it did not show me nything out of norm ( faild security ,
locked out has been turned on)

Any suggestions will be appreciated.


Regards,


Sandy

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] locked out

[Rimmerman, Russ]

Was it a virus?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Monday, November 01, 2004 3:52 
PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
locked out
Randy, Thanks for your tip,I was able to find out  the 
culprit. +-+Regards,  
 Sandy+-+ 


  
  
"Randy White" 
  <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 
  11/01/2004 02:30 PM 
  


  
Please respond 
to[EMAIL PROTECTED]

  


  
To
  <[EMAIL PROTECTED]> 

  
cc
  

  
Subject
  RE: [ActiveDir] locked 
out
  


  
  This is probably caused by a virus.  Use lockedoutstatus.exe to find 
out what where the lock outs are originating.  Then check the event log of 
that DC to find out the perpetrating computer.   


From:[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED] Sent: Monday, 
November 01, 2004 2:29 PM To: 
[EMAIL PROTECTED] Subject: [ActiveDir] 
locked out   All gurus, Wonder if any of you 
have experienced this before. Suddently 
over the weekend, all domain accounts ( i mean all ) are locked 
out except the domain admin accounts. What could have 
caused this problem ?  The only  clue 
that I had is this is the week to change the  summer time back but we had this done every year, had never had this 
issue before. Could this be a worm of some sort 
of virus. Looking into our security log it did 
not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy 


~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisionsand may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error pleasedelete it, together with any attachments, from your system.~~

RE: [ActiveDir] locked out

[SandyWu]

Randy,

Thanks for your tip,I was able to find
out  the culprit. 

+-+
Regards,
    
Sandy
+-+





"Randy White"
<[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
11/01/2004 02:30 PM



Please respond to
[EMAIL PROTECTED]





To
<[EMAIL PROTECTED]>


cc



Subject
RE: [ActiveDir] locked out










This is probably caused by a virus.  Use lockedoutstatus.exe
to find out what where the lock outs are originating.  Then check
the event log of that DC to find out the perpetrating computer.

 






From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 01, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out

 


All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts (
i mean all ) are locked
out except the domain admin accounts. What could have
caused this problem
?  The only  clue that I had is this is
the week to change the  summer
time back but we had this done every year, had never
had this issue
before. Could this be a worm of some sort of virus.
Looking into our
security log it did not show me nything out of norm
( faild security ,
locked out has been turned on)

Any suggestions will be appreciated.


Regards,


Sandy

Re: [ActiveDir] login scripts

[Jordan Arendt]

I think I've got it working.  Thanks Al.


On Mon, 1 Nov 2004 16:42:54 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> What did you find in the logging?  Have you enabled logging to see what's
> happening at logon?
> 
> Al
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
> Sent: Monday, November 01, 2004 3:36 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] login scripts
> 
> We've recently upgraded from NT 4 to 2K3.  Our logon scripts have stoppped
> running on clients.  Logon scripts are specified in ADUC in the profile tab
> of each user.  When I logon to my XP machine the scripts do not run.  When I
> logon to a server through RDP, they do run.  I was thinking GPO, but only
> the default domain policy is currently applied, and it is applied to both
> the servers OU and the OU my PC is in.
> 
> I've looked at the following:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this is not
> the case, my netlogon shares point to the correct place)
> 
> and
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;302104
> 
> I made the suggested changes, to no avail.
> 
> Anyone have any suggestions?
> 
> Thanks in Advance.
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO SYSVOL permissions

[Nathan Casey]

Do you have the XP SP2 info and hotfix link?
Thanks


>>> [EMAIL PROTECTED] 11/1/2004 12:31:44 PM >>>
This happens if someone connected to your GPO's and they
were running XP
SP2.  There is a hotfix for this.

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of
Nathan Casey
Sent: Monday, November 01, 2004 2:20 PM
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] GPO SYSVOL permissions

Today for the first time I am receiving the following GPMC
message when I click either Default Domain Policy or
Default
Domain Controllers Policy:  
The permissions for this GPO in the SYSVOL folder are
inconsistent with those in Active Directory. It is
recommended that these permissions be consistent. To
change
the permissions in SYSVOL to those in Active Directory,
click OK

The DC's are all Windows 2003. Any ideas why I am now
getting this message? Nothing in the domain has changed
anytime recently. Should I click OK as the message
suggests?

The message also includes a link to the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828760



Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] login scripts

[Mulnick, Al]

What did you find in the logging?  Have you enabled logging to see what's
happening at logon?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
Sent: Monday, November 01, 2004 3:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] login scripts

We've recently upgraded from NT 4 to 2K3.  Our logon scripts have stoppped
running on clients.  Logon scripts are specified in ADUC in the profile tab
of each user.  When I logon to my XP machine the scripts do not run.  When I
logon to a server through RDP, they do run.  I was thinking GPO, but only
the default domain policy is currently applied, and it is applied to both
the servers OU and the OU my PC is in.

I've looked at the following:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this is not
the case, my netlogon shares point to the correct place)

and

http://support.microsoft.com/default.aspx?scid=kb;en-us;302104

I made the suggested changes, to no avail.

Anyone have any suggestions?

Thanks in Advance.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] DHCP authorization problem

[Charlie Kaiser]

I had an odd one over the weekend. We did some network maintenance that
included a core switch bounce. Down for about 5 minutes. We found out
this morning that DHCP wasn't working on any subnets except for the one
that the DHCP server was on. We had made switch and router code and
config changes, so we looked to that as a solution, but with no success.
I remembered something from a while back where I had a similar problem
and restarted the DHCP service. This corrected the issue. Apparently,
the DHCP server had lost authorization from AD when the core switch went
down. Event ID 1059; "The DHCP service failed to see a directory server
for authorization." I would have expected it to reauthorize once
connectivity was restored, however. But it didn't. I had to restart the
service manually.
Is this normal? I would expect that DHCP authorization would be able to
recover from a short loss of connectivity.
Any pointers to a way to prevent this from happening again?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] login scripts

[Jordan Arendt]

We've recently upgraded from NT 4 to 2K3.  Our logon scripts have
stoppped running on clients.  Logon scripts are specified in ADUC in
the profile tab of each user.  When I logon to my XP machine the
scripts do not run.  When I logon to a server through RDP, they do
run.  I was thinking GPO, but only the default domain policy is
currently applied, and it is applied to both the servers OU and the OU
my PC is in.

I've looked at the following:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this
is not the case, my netlogon shares point to the correct place)

and

http://support.microsoft.com/default.aspx?scid=kb;en-us;302104

I made the suggested changes, to no avail.

Anyone have any suggestions?

Thanks in Advance.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO SYSVOL permissions

[Randy White]

This happens if someone connected to your GPO's and they were running XP
SP2.  There is a hotfix for this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Monday, November 01, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO SYSVOL permissions

Today for the first time I am receiving the following GPMC
message when I click either Default Domain Policy or Default
Domain Controllers Policy:  
The permissions for this GPO in the SYSVOL folder are
inconsistent with those in Active Directory. It is
recommended that these permissions be consistent. To change
the permissions in SYSVOL to those in Active Directory,
click OK

The DC's are all Windows 2003. Any ideas why I am now
getting this message? Nothing in the domain has changed
anytime recently. Should I click OK as the message
suggests?

The message also includes a link to the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828760


Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] locked out

[Randy White]

This is probably caused by a virus.  Use
lockedoutstatus.exe to find out what where the lock outs are originating.  Then
check the event log of that DC to find out the perpetrating computer.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 01, 2004
2:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] locked out



 


All
gurus,

Wonder if
any of you have experienced this before.

Suddently
over the weekend, all domain accounts ( i mean all ) are locked
out except the domain admin accounts. What could
have caused this problem
?  The only  clue that I had is this is
the week to change the  summer
time back but we had this done every year, had
never had this issue
before. Could this be a worm of some sort of
virus. Looking into our
security log it did not show me nything out of
norm ( faild security ,
locked out has been turned on)

Any
suggestions will be appreciated.


Regards,


Sandy

[ActiveDir] locked out

[SandyWu]

All gurus,

Wonder if any of you have experienced this before.

Suddently over the weekend, all domain accounts (
i mean all ) are locked
out except the domain admin accounts. What could have caused this problem
?  The only  clue that I had is this is the week to change the
 summer
time back but we had this done every year, had never had this issue
before. Could this be a worm of some sort of virus. Looking into our
security log it did not show me nything out of norm ( faild security ,
locked out has been turned on)

Any suggestions will be appreciated.


Regards,


Sandy

[ActiveDir] GPO SYSVOL permissions

[Nathan Casey]

Today for the first time I am receiving the following GPMC
message when I click either Default Domain Policy or Default
Domain Controllers Policy:  
The permissions for this GPO in the SYSVOL folder are
inconsistent with those in Active Directory. It is
recommended that these permissions be consistent. To change
the permissions in SYSVOL to those in Active Directory,
click OK

The DC's are all Windows 2003. Any ideas why I am now
getting this message? Nothing in the domain has changed
anytime recently. Should I click OK as the message
suggests?

The message also includes a link to the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828760


Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] easiest way to move Distribution Lists across dom ains. hoping for quick response ;)

[Mulnick, Al]

Right. If you're concerned about the limitations of ADMT, look to the third
party migrators.  Quest for example.

Using a script or .NET application could also do it.  

No point whatsoever in even guessing until you've assessed the situation in
more detail :: "although I do not know yet if these DL's contain nested
groups, or if that is even possible."   

If they don't contain nested groups, then off you go.  If they do, it's
likely they contain nested groups in the same domain which would later move
anyway.  Since they're not USG's, they're only purpose is as DL/DG's so
recreating the one's with nested groups wouldn't be too tough at this point.

Do your analysis and feel free to drop a note if you need some more help
after that.  I'm sure Microsoft likely told you same, but...


Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of CoCoKola
Sent: Sunday, October 31, 2004 11:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] easiest way to move Distribution Lists across
domains. hoping for quick response ;)

"Group Membership Is Not Maintained for Nested Groups Group membership
within other groups is not maintained for interforest migrations "
We would need to retain nested groups if they exist, although I do not know
yet if these DL's contain nested groups, or if that is even possible.


On Sun, 31 Oct 2004 22:25:56 -0600, Brian Desmond
<[EMAIL PROTECTED]> wrote:
> ADMT should work too.
> 
> Thanks.
>  
> --Brian Desmond
> [EMAIL PROTECTED]
> Payton on the web! www.wpcp.org
>  
> v - 773.534.0034 x135
> f - 773.534.8101
> 
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of CoCoKola
> > Sent: Sunday, October 31, 2004 10:18 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] easiest way to move Distribution Lists across
> > domains. hoping for quick response ;)
> >
> > I hope this is on-topic  ;)
> >
> > Domain A is AD 2000 mixed mode, soon to be native mode (exchange 5.5
> > box to be retired soon.)
> > Domain B is AD 2000 Native mode.
> > Domain A has an OU with 100's of distribution lists
> > Users in Domain B are unable to update Distribution Lists after
> > upgrading to XP & office 2003.  simple solution: move the DLs to
> > Domain B which contains the user accounts that need to modify the DL.
> > Side note: We've been working with Microsoft on this issue.. long
> > story I'll omit.
> >
> >
> > Now, the question:  What is the easiest way to move DLs from one
> > domain to another?
> >
> > Possible options:
> > Movetree.exe
> > Create a VBscript to enumerate and re-create the object in domain B.
> > I'm not sure the feasibility.
> >
> > Has anyone done this previously?   Pointers, "Gotchas"?
> >
> > Any assistance is appreciated in advance!
> >
> > Rob
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ: http://www.activedir.org/list_faq.htm
> > List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Problems Adding Computers to AD

[Jacob Walker]

I have tried and tried to get a dsacls dump.  But, our OU's have spaces and 
some dashes in them, and I cannot figure out how to make dsacls access the 
object path.  I have tried all different combinations with quotes in 
multiple locations, and it won't work.

I do see this in the security event log on the DC the computer is trying to 
talk to when attempting to add it to the domain, but I'm not certain what it 
is telling me.  Also, this is why I asked about the 'Add Workstation' user 
right:

Source:  Security
Category:  Privilege Use
Type:  Failure Aud
Event ID:  577
Description:
Privileged Service Called:
Server: Security Account Manager
Service:Security Account Manager
Primary User Name:  BONHAD01$
Primary Domain: CORP
Primary Logon ID:   (0x0,0x3E7)
Client User Name:   testcbp9
Client Domain:  CORP
Client Logon ID:(0x0,0x499DA7A9)
Privileges: SeMachineAccountPrivilege
From: "joe" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Date: Fri, 29 Oct 2004 15:48:59 -0400
Nope, you do not have to give them the "right".
That should be working if everything is as you describe.
Could you give a dsacls dump of the computer object?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
Sent: Friday, October 29, 2004 2:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problems Adding Computers to AD
Well, I gave it full control, and it still cannot add the computer to the
domain.  Even though all of the delegated rights are there, and the 
computer
object is already created, do you also have to modify the group policy to
allow your 'computer add' groups the right to add computers to the domain?
We don't want them adding computer objects anywhere other than where they
have been granted delegated rights, though.  And, we don't want them adding
to the default Computer container.  Do we have to do that?

>From: "joe" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: RE: [ActiveDir] Problems Adding Computers to AD
>Date: Thu, 28 Oct 2004 16:30:12 -0400
>
>Yeah the issue I saw was specific to disjoint namespaces and the new
>functionality in K3 AD that was verifying the domain names of the hosts.
>
>I would be curious though, just for test, not for final solution if you
>went back to the created object and gave the group you mention FC of
>the computer object and see if it allows the join ok.
>
>   joe
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
>Sent: Thursday, October 28, 2004 3:54 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] Problems Adding Computers to AD
>
>Actually, we don't have a disjointed namespace.  They are specifying a
>group to which their userid is a member.  Then, they go to the PC to
>change it's domain.
>
> >From: "joe" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >Date: Thu, 28 Oct 2004 15:15:07 -0400
> >
> >Do you have a disjoint namespace?
> >
> >When they create the objects, what do they specify for who can join?
> >
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
> >Sent: Thursday, October 28, 2004 1:18 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >Thank you, Joe.  We are implementing Windows Server 2003 AD.  Here
> >are the permissions we have assigned.  Any clue as to what critical
> >permission could be missing?
> >
> >This object and all child objects:
> >Create Computer Objects
> >
> >Computer Objects:
> >List Contents
> >Read All Properties
> >Write All Properties
> >Read Permissions
> >
> >-Original Message-
> >From: joe [mailto:[EMAIL PROTECTED]
> >Sent: Thursday, October 28, 2004 11:50 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >I have seen that with Windows Server 2003 AD if there aren't enough
> >permissions delegated to the person/group actually doing the join in
> >a disjointed namespace environment.
> >
> >   joe
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker
> >Sent: Thursday, October 28, 2004 11:37 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: [ActiveDir] Problems Adding Computers to AD
> >
> >Thanks, but nothing there really seems to help.  It's strange.  When
> >we look at the computer account in the domain, it also ends up
> >disabling it.
> >
> >-Original Message-
> >From: Jacob Walker [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, October 26, 2004 4:34 PM
> >To: [EMAIL PROTECTED]
> >Subject: [ActiveDir] Problems Adding Computers to AD
> >
> >We've delegate the permission to add comput

RE: [ActiveDir] Adfind and spreadsheets

[joe]

This would be the CSV option we are talking about. The issue comes down to
displaying a whole object when that object contains attributes that have
multiple values. Think of outputting say a group or a user.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, October 30, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adfind and spreadsheets

Hi Joe!
Some days ago there was a discussion about enhancing your most wonderful
tool "adfind" to be able to create a spreadsheet.  Working with it
yesterday, I wondered if you could easily meet this need by having an option
to put everything from a single queury on one line?
The attribute names with values are produced currently are on separate lines
and prefixed by a ">", e.g.,

Default:
>cn: DFS
>operatingSystem: Windows Server 2003

Optional:
>cn: DFS>operatingSystem: Windows Server 2003

The ">" could be used as the delimiter for importing into a spreadsheet.
Just a thought.  Have a good weekend!

Mike Thommes



 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/