[ActiveDir] Members of a group in AD

2005-02-03 Thread Sergio Sánchez Trujillo

Hello,

I would like to know if a user on a workstation that is in a domain could
see the members of Active Directory groups, for example at a command line or
through the Windows interface.

Thanks,
Sergio Sánchez

RE: [ActiveDir] Members of a group in AD

2005-02-03 Thread Tashildar, Dinesh (Cognizant)



All domain users have read-only access to the AD database. So the
answer to your question is "YES".


This e-mail and any files transmitted with it are for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
If you are not the intended recipient, please contact the sender by reply 
e-mail and destroy all copies of the original message. Any unauthorised review, 
use, disclosure, dissemination, forwarding, printing or copying of this email 
or any action taken in reliance on this e-mail is strictly prohibited and may 
be unlawful.
Visit us at http://www.cognizant.com


RE: [ActiveDir] Members of a group in AD

2005-02-03 Thread Aramide Adebanjo

yeah...

if you go to search active directory (under network tasks) from my network
places, you can pull a list of all AD objects. This is inclusive of groups and
shared resources

  


RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-02-03 Thread knighTslayer
Thanks.

I ran this tool and it solved my issue.  All tests suggest that all is in
order.  

Thanks to all who helped.

Regards

Adam 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 31 January 2005 17:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

FYI:

There is a Win2k version of this tool for re-creating the DDCP and DDP
here:
http://download.microsoft.com/download/6/1/8/618ecc9d-2edd-42fe-9a53-7f1971154697/RecreateDefpol.EXE




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

Hi Adam,

you are right. DCGPOfix is only for Windows 2003.

In this case I would agree to the procedure Guido described.
If you have different domains you can copy the default domain policy from
any other domain (as long as you didn't modify this policy). You do not need
to create a new domain.
A new DC wouldn't recreate the default domain policy. It would just
replicate the current domain policies...

Volker

 Hi Guido, thanks for your reply.

 The target domain is a child from the root.  I will build a lab domain
 (as root) and replicate the server name, then copy over the GPO folder.
 Do you think that will be okay?

 Would introducing a DC to this damaged domain recreate the default 
 domain gpo?

 Regards

 Adam

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
 Sent: 31 January 2005 13:11
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 as this is a default GPO with a well-known ID, you can copy the 
 {6AC1786C-016F-11D2-945F-00C04fB984F9} folder from the SYSVOL of 
 another AD installation (e.g. from your test-lab or from virtual 
 machine etc.).
 Just make sure, that source's GPO isn't configured with anything 
 specific to that domain.

 The safest way would be to install a new single-domain AD forest in 
 your lab and then copy the folder from there to your production DC.

 /Guido

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
 Sent: Monday, January 31, 2005 1:50 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 I have the KB for the security settings, but I cannot find anything on
 actually regenerating the GPO other than a restore.  Restore is not an
 option.

 Thanks

 Adam

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
 Sent: 31 January 2005 12:38
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 IIRC there is a MS doc on recovering the default GPO and security 
 settings.
 This might apply in this scenario?



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
 Sent: 31 January 2005 14:23
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 There is one more domain controller in this domain, and that too has 
 the files missing.

 I will look at the file recovery, but I doubt very much that I will 
 recover it.

 Thanks for your help so far.

 Anyone else got any ideas?

 Regards

 Adam

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
 Sent: 31 January 2005 12:15
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 Does that domain have a replication partner? If yes, can you check on
 that server whether you can copy that folder off...

 The other thing I can think of is a tool to restore deleted items from
 the hard disk, like File Restore from Winternals.


 On Mon, 31 Jan 2005 11:48:14 -, knighTslayer
 [EMAIL PROTECTED] wrote:
 The GPO GUID is missing from the sysvol directory.  I understand your
 suggestion about the permissions and I followed the KB which relates
 to this, but simply, the object (folder) is missing from the sysvol
 folder.

 I am unable to edit it, because it is missing.

 Adam

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
 Sent: 31 January 2005 11:36
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

 Adam,

 If I understood the problem correctly, you are able to see the GP in
 the GPUC but are not able to edit it.

 Then can you confirm that the object exists. Go to GPUC -- System --
 Policies and check for the GP SID you are mentioning.

 If that exists and you are not able to edit that GP then
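The thread above deals with a default GPO whose SYSVOL folder vanished while its AD object is still visible. As an added example (not code from any poster), the check below runs against one domain controller and reports, for both default GPOs, whether the groupPolicyContainer object exists in AD, whether the SYSVOL folder exists, and whether the GPT.INI version agrees with the AD-side versionNumber. The two GUIDs are the well-known ones that every AD installation uses (which is why a folder can be copied from a lab domain, as Guido suggests); the function name and the DC and domain names in the usage line are placeholders of mine.

```powershell
# Added example, not from the thread. Needs only the .NET DirectoryServices
# classes that ship with Windows and read access to SYSVOL.
$DefaultGpoGuids = [ordered]@{
    'Default Domain Policy'             = '{31B2F340-016F-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}

function Test-DefaultGpoConsistency {
    param(
        [Parameter(Mandatory)] [string] $DomainController,  # e.g. 'dc1.child.example.com' (placeholder)
        [Parameter(Mandatory)] [string] $DnsDomainName      # e.g. 'child.example.com' (placeholder)
    )
    $rootDse  = [ADSI] "LDAP://$DomainController/RootDSE"
    $domainDn = [string] $rootDse.defaultNamingContext

    foreach ($name in $DefaultGpoGuids.Keys) {
        $guid       = $DefaultGpoGuids[$name]
        $sysvolPath = "\\$DomainController\SYSVOL\$DnsDomainName\Policies\$guid"
        $adPath     = "LDAP://$DomainController/CN=$guid,CN=Policies,CN=System,$domainDn"

        # AD side: the groupPolicyContainer object carries versionNumber.
        $adVersion = $null
        if ([System.DirectoryServices.DirectoryEntry]::Exists($adPath)) {
            $adVersion = [int] [string] ([ADSI] $adPath).versionNumber
        }

        # SYSVOL side: the folder must exist and GPT.INI carries a Version line
        # that is expected to match the AD-side value.
        $sysvolVersion = $null
        $gptIni = Join-Path $sysvolPath 'GPT.INI'
        if (Test-Path -LiteralPath $gptIni) {
            $line = Get-Content -LiteralPath $gptIni | Select-String -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($line) { $sysvolVersion = [int] $line.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            Policy        = $name
            Guid          = $guid
            InAd          = ($null -ne $adVersion)
            InSysvol      = (Test-Path -LiteralPath $sysvolPath)
            AdVersion     = $adVersion
            SysvolVersion = $sysvolVersion
            Consistent    = ($null -ne $adVersion -and $adVersion -eq $sysvolVersion)
        }
    }
}

# Usage: run against every DC in the domain; the thread's symptom shows up as InSysvol = False.
# Test-DefaultGpoConsistency -DomainController 'dc1.child.example.com' -DnsDomainName 'child.example.com' | Format-Table
```

Running it against each DC separately matters here because SYSVOL is replicated per DC: Adam's second DC was missing the folder too, and a copy restored on one DC only shows as consistent on that DC until replication has carried it to the others.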

RE: [ActiveDir] Members of a group in AD

2005-02-03 Thread Za Vue



I believe that is one purpose of any general local area network.
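Dinesh's reply says that domain users have read access to the directory and Aramide points at the Search Active Directory dialog. As an added example (not code from any poster), the same read done at a command line from a domain-joined workstation with the .NET DirectoryServices classes that ship with Windows. The function names, the filter-escaping helper and the optional server parameter are mine; 'Domain Admins' in the usage line is only an illustration. It works for an ordinary domain user precisely because of the default read access Dinesh mentions; whether a given group's membership is visible is decided by the ACL on that group object, not by the tool used to read it.

```powershell
# Added example, not from the list post. Runs as an ordinary domain user.

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping so that user-supplied text cannot alter the search filter.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupMembersLdap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # sAMAccountName, e.g. 'Domain Admins'
        [string] $Server                               # optional DC; omitted = serverless bind to the logon domain
    )
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI] ($prefix + 'RootDSE')
    $domainDn = [string] $rootDse.defaultNamingContext
    $root     = [ADSI] ($prefix + $domainDn)

    # 1. Locate the group object by its logon name.
    $gs = New-Object System.DirectoryServices.DirectorySearcher($root)
    $gs.Filter = "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $GroupName)))"
    [void] $gs.PropertiesToLoad.Add('distinguishedName')
    $group = $gs.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found under $domainDn" }
    $groupDn = [string] $group.Properties['distinguishedname']

    # 2. Direct members via the memberOf back-link, paged so that a group larger
    #    than the server's default size limit (1000 entries) still comes back whole.
    $ms = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ms.Filter   = "(memberOf=$(ConvertTo-LdapFilterLiteral $groupDn))"
    $ms.PageSize = 500
    foreach ($p in 'sAMAccountName', 'objectClass', 'distinguishedName') { [void] $ms.PropertiesToLoad.Add($p) }

    foreach ($r in $ms.FindAll()) {
        # objectClass is multi-valued and its order is not guaranteed, so test
        # membership in the set rather than looking at a fixed position.
        $classes = @($r.Properties['objectclass'])
        [pscustomobject]@{
            Group  = $GroupName
            Member = [string] $r.Properties['samaccountname']
            Kind   = if ($classes -contains 'group') { 'group' } elseif ($classes -contains 'computer') { 'computer' } else { 'user' }
            DN     = [string] $r.Properties['distinguishedname']
        }
    }
}

# Usage: Get-GroupMembersLdap -GroupName 'Domain Admins' | Format-Table Member, Kind, DN
```

Members from other domains in the forest carry no memberOf back-link in this domain and so are not returned by the second search; the group's own member attribute does list them, but a large group returns that attribute in ranges (1500 values at a time on Windows Server 2003), which is why this example queries memberOf instead of paging through member ranges.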



[ActiveDir] Secondary NIC and Replication

2005-02-03 Thread activedir
Our domain consists of 3 domain controllers, 2 of them local and one 
remote.  The administrator of the remote machine has access to one OU and 
nothing more.  It is primarily used for Exchange purposes.  This information is 
provided as nothing more than a brief summary of the configuration.

The problem is the remote DC has a second NIC that is used for backups.  The 
remote location is using a private network with a 10.10.*.* IP address that is 
not routable from my location where the 2 DCs are located.

I am noticing replication errors and I believe it to be because of that 
non-routable NIC on the remote DC.  DNS has been updated to remove that NIC's 
IP address from the server, but AD keeps propagating the IP address.  Under the 
NIC properties we have unchecked "Register this connection's addresses in DNS", 
but with no effect.

How can I prevent AD from propagating the secondary backup NIC on the server to 
DNS?

Also, this has been going on for so long that the tombstone lifetime has expired.  
So once completed, I will need to re-enable it for the remote DC.  I read the 
instructions within the error found in the Event Logs and it involves a 
registry edit.  Does anyone have a better solution, or has anyone had problems with 
doing this?

Thank you all for your replies,
Edwin
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Domain Controller replacement strategy?

2005-02-03 Thread Thommes, Michael M.
It appears that we will be getting money this year to replace our Domain 
Controllers.  While we currently have redundant DCs, they are not mirror images 
of each other.  One holds the FSMO roles, another might host the AD-integrated 
DNS portion of our Unix/Windows DNS configuration, another might be the TS 
licensing server, bridgehead, etc.  We are running Server 2003.
 
Is there a consensus out there for the best way to bring new hardware onboard?  
With all of the current hardware up and running just fine, a DR strategy 
doesn't seem to apply.  Any thoughts are certainly appreciated.  Thanks!
 
Mike Thommes 


RE: [ActiveDir] Secondary NIC and Replication

2005-02-03 Thread Jorge de Almeida Pinto

Hi,


See:
http://support.microsoft.com/kb/816592 (How To Configure DNS Dynamic Update in Windows 2003)
http://support.microsoft.com/kb/q246804/ (How to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003)

Try the following (To disable dynamic update for a specific interface!) to disable DNS registration of A and PTR records for the particular NIC


Disable DNS Dynamic Update
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

By default, dynamic update is configured on Windows Server 2003-based clients. To disable dynamic update for all network interfaces:

1. Click Start, and then click Run.
2. In the Open box, type regedit. 
3. In Registry Editor, locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4. On the Edit menu, point to New and then click DWORD value.
5. Type DisableDynamicUpdate, and then press ENTER.
6. Press ENTER.
7. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
8. Quit Registry Editor. 


To disable dynamic update for a specific interface:
1. Click Start, and then click Run.
2. In the Open box, type regedit. 
3. In Registry Editor, locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface
where interface is the device ID of the network adapter for the interface that you want to disable dynamic update for.
4. On the Edit menu, point to New, and then click DWORD value.
5. Type DisableDynamicUpdate, and then press ENTER.
6. Press ENTER.
7. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
8. Quit Registry Editor. 



Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto
Microsoft Infrastructure Consultant


NOTES:
* This posting is provided AS IS with no warranties and with no rights!
* Always test before implementing!
__







This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
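The per-interface procedure Jorge quotes has one manual step that is easy to get wrong: finding which of the GUID-named interface keys belongs to the backup NIC. As an added example (not code from the post or the KB article), the script below does that lookup from the address itself, using the 10.10.*.* prefix from Edwin's question, and then creates the DisableDynamicUpdate DWORD exactly as steps 4 to 7 describe. The function name and the -AddressPrefix parameter are mine.

```powershell
# Added example, not from the post. Run elevated on the DC; -WhatIf shows the
# target key without writing anything.
function Disable-InterfaceDnsRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AddressPrefix   # e.g. '10.10.'
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $hits = @()
    foreach ($key in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $key.PSPath
        # Static addresses live in IPAddress (REG_MULTI_SZ); DHCP leases in DhcpIPAddress (REG_SZ).
        $addresses = @(@($p.IPAddress) + @($p.DhcpIPAddress) | Where-Object { $_ -and $_ -ne '0.0.0.0' })
        if (-not ($addresses | Where-Object { $_.StartsWith($AddressPrefix) })) { continue }

        if ($PSCmdlet.ShouldProcess("$($key.PSChildName) [$($addresses -join ', ')]", 'Set DisableDynamicUpdate=1')) {
            # -Force overwrites an existing value, so re-running is idempotent.
            New-ItemProperty -Path $key.PSPath -Name DisableDynamicUpdate -PropertyType DWord -Value 1 -Force | Out-Null
        }
        $hits += [pscustomobject]@{ Interface = $key.PSChildName; Addresses = ($addresses -join ', ') }
    }
    if ($hits.Count -eq 0) { Write-Warning "No interface with an address starting '$AddressPrefix' was found." }
    $hits
}

# Preview first, then apply. Afterwards 'ipconfig /registerdns' re-registers the
# remaining interfaces; the stale 10.10.x.x A record still has to be deleted from the zone.
# Disable-InterfaceDnsRegistration -AddressPrefix '10.10.' -WhatIf
# Disable-InterfaceDnsRegistration -AddressPrefix '10.10.'
```

Two caveats on a domain controller: this value is read by the DNS client, so it stops that interface's own A and PTR registration, but Netlogon registers the DC's records (the domain's own A record and the SRV records) for every address independently of the DNS client, and on a multihomed DC it is the Netlogon PublishAddresses value, documented by Microsoft for that case, that restricts those to the addresses you list. Also, the Interfaces tab in the DNS server properties that Edwin mentions later in the thread selects the addresses the DNS Server service listens on; it does not change what the host registers.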



RE: [ActiveDir] Domain Controller replacement strategy?

2005-02-03 Thread Jorge de Almeida Pinto
Hi,

In a nutshell:
* Inventory first what roles/services each DC has/hosts and what the
relationship is between each DC and between servers/clients/services and
each DC. One relation might be servers/clients/DCs use a certain DC for DNS
services. You just can't switch that box off until you have a replacement or
you've taken some precautions to prevent loss of services!
* For each DC create a plan for replacement
* Replace the HW for each DC

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Microsoft Infrastructure Consultant

NOTES:
* This posting is provided AS IS with no warranties and with no rights!
* Always test before implementing!
__




RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread Mulnick, Al
Based on the code presented, it looks more like a bug in .NET.  That's
exactly how the iadscontainer::getobject method is supposed to be used.  If
there is any order dependency, it's with .NET, but I would not have expected
it to care about the order.

I'd post this to a vb.net newsgroup and see what comes back.  Unless Joe K.
is around and sees something off the bat :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, February 02, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

We don't guarantee the order that a set of values in a given attribute is
returned to the client. That said, if you depend on order, you'll have
problems now or in the future. It's not a matter of if, only when. :)

 

You want to make any code you have which relies on order become order
insensitive. That should resolve this issue if I understand it correctly.

 

~Eric

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Elena Mananova (DSL
AK)
Sent: Wednesday, February 02, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP and Win2003 Question

 

Hi

 

In the current system we used to have business layer (accessing user details
in LDAP) and LDAP running on two servers, both of which were Windows 2000.
Recently we have migrated the business layer server to a Windows 2003 machine. Now
we have a problem. We can't access data of some of the users.

 

The business layer code retrieving user details is written in VB and as
follows:

 

Dim oDS As IADsOpenDSObject   ' the LDAP: namespace object; IADs has no OpenDSObject method
Dim sDN As String
Dim moUsers As IADsContainer

sDN = "LDAP://ldapserver:389/ou=users,o=abc,c=nz"

Set oDS = GetObject("LDAP:")
' Flags 0 = simple bind (ADS_SECURE_AUTHENTICATION not set, no encryption)
Set moUsers = oDS.OpenDSObject(sDN, "cn=admin,o=abc,c=nz", Password, 0)

Set oDS = Nothing

Dim oPList As IADsPropertyList
Dim oUser As User

' Class-qualified lookup by RDN; this is the line the post says fails for some users
Set oPList = moUsers.GetObject("inetOrgPerson", "cn=myUserName")
If oPList Is Nothing Then
    RaiseError
Else
    Set oUser = New User
    oUser.Initialise oPList

    Set GetUser = oUser
    Set oUser = Nothing
End If

 

When viewing user details in LDAP (we are using JXplorer tool) there is a
minor difference between the way the users' data is displayed for those
users that we can retrieve details for and those that we can't. Besides the
standard object classes (top, person, organizationalPerson and
inetOrgPerson) we also have custom classes. These are abcOrgPerson,
abcOrgPerson2 and nxAccountInfo.

The users that we can retrieve data for have these classes displayed in the
following order:

    nxAccountInfo
    abcOrgPerson2
    abcOrgPerson
    inetOrgPerson
    top
    person
    organizationalPerson

For the non-working users this order is:

    inetOrgPerson
    nxAccountInfo
    abcOrgPerson2
    abcOrgPerson
    top
    person
    organizationalPerson

 

I have tried to manually change the class order but it did work. I am not
quite sure why the order is different. The line of code that fails is

Set oPList = moUsers.GetObject(inetOrgPerson, cn=myUserName)

If I change inetOrgPerson parameter to abcOrgPerson2 then the
non-working users' details can be retrieved but not the working users'
details. So it seems that the class order matters for Windows 2003 (LDAP is
still sitting on Win2000 machine however). This same scenario runs without
problems from the Win2000 business layer machine.

 

If anyone can share any advice or ideas it will be highly appreciated. I
have not had much experience with Active Directories and it's a mystery for
me.

 

Thanks 
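Eric's advice is to make the lookup order-insensitive. As an added example (not code from any poster), the same retrieval as the VB routine in Elena's message, done with the .NET DirectoryServices classes in a way that does not depend on the order of objectClass values: it binds the container with the same credentials, finds the entry by RDN alone (no class name), and then checks that inetOrgPerson is among the objectClass values rather than at a particular position. Server, base DN, bind DN and user name are the placeholders from the post; the function name is mine, and the port is changed from 389 to 636 because the bind below is wrapped in TLS.

```powershell
# Added example, not from the thread.
function Get-LdapUser {
    param(
        [string] $Server  = 'ldapserver:636',
        [string] $BaseDn  = 'ou=users,o=abc,c=nz',
        [string] $BindDn  = 'cn=admin,o=abc,c=nz',
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserCn,        # e.g. 'myUserName'
        [string] $RequiredClass = 'inetOrgPerson'
    )
    # The VB code passes 0 to OpenDSObject, i.e. a simple bind with the password
    # sent in the clear. SecureSocketsLayer keeps the simple bind but wraps it in
    # TLS; the directory must offer LDAPS on the port used.
    $auth      = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn", $BindDn, $Password, $auth)

    # RDN-only lookup: DirectoryEntries.Find(name) without a schema class name,
    # so the server's ordering of objectClass cannot affect the bind.
    $entry = $container.psbase.Children.Find("cn=$UserCn")

    # Order-insensitive class check: treat objectClass as a set.
    $classes = @($entry.psbase.Properties['objectClass'] | ForEach-Object { [string] $_ })
    if ($classes -notcontains $RequiredClass) {
        throw "cn=$UserCn is not a $RequiredClass (objectClass: $($classes -join ', '))"
    }
    $entry
}

# Usage: (Get-LdapUser -UserCn 'myUserName' -Password $pw).psbase.Properties['mail']
```

The two-argument form of Find (class name plus RDN) is what the VB GetObject call maps to; the one-argument form is the ADSI "no class" bind, which returns the entry whatever order the server happens to list its classes in.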



RE: [ActiveDir] Secondary NIC and Replication

2005-02-03 Thread activedir
Thank you Jorge.

I will try.

Before I got this email, I also found an option within the DNS properties 
Snap-In.

Open DNS Snap-In
Right-Click on Domain Name
Properties

Under the interfaces tab, specify the IP Addresses that should publish 
themselves to DNS versus the default of All IP Addresses.





RE: [ActiveDir] Domain Controller replacement strategy?

2005-02-03 Thread Grillenmeier, Guido
Jorge basically mentioned the main points - some additional comments

*  when replacing a DC, some companies want to re-use IP + name (others
give new IP/name to every new box).  This will influence your strategy
as to when you'll be able to introduce the new DC (i.e. the other one
needs to be demoted and removed from the network).
*  don't forget Terminal Server licensing (this is stored on DCs by
default)
*  same for Windows Licensing (not as critical, but you need to know
which DC is configured to hold the licenses and apply these to the new
box)
*  I often find DCs being used as DFS root-servers - if so, first need
to move the root-target to another machine and then remove it from the
old box, prior to shutting it down
*  if you use a SysMgmt system, you might have agents running on your DC
(includes Virus Agents) - some mgmt systems don't behave well, if you
don't first uninstall the Agent on the old box, prior to deploying the
agent to the new box with the same name
*  before you shut down the old server to take it off the network, rename
it and change its IP address (or set it to DHCP) - a safety measure
quite worthwhile...

and just to repeat what Jorge said, DNS settings are critical (which may
force you to use the same IP address on the new box), sometimes you'll
also have to take care of WINS.  But most important: create a separate
step-by-step plan for each DC.

/Guido
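Both Jorge and Guido start with "inventory first". As an added example (not code from either poster), the script below does that step for one domain controller under Windows PowerShell without RSAT: FSMO ownership comes from System.DirectoryServices.ActiveDirectory, global catalog and site from the DomainController object, and the other roles from the thread (DNS, DFS root, Terminal Server licensing, license logging) from the presence of their services. The function name is mine, and the service names are assumptions to verify against your own build.

```powershell
# Added example, not from either post.
function Get-DcRoleInventory {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    $fqdn   = if ($ComputerName -like '*.*') { $ComputerName } else { "$ComputerName.$($domain.Name)" }

    # FSMO role owners are DomainController objects named by FQDN.
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
    $heldRoles = @($fsmo.GetEnumerator() | Where-Object { $_.Value -ieq $fqdn } | ForEach-Object { $_.Key })

    $dc = $domain.DomainControllers | Where-Object { $_.Name -ieq $fqdn }

    # Services whose presence marks the extra roles from the thread
    # (service names are assumptions; confirm them on your own systems).
    $roleServices = [ordered]@{
        'DNS server'                 = 'DNS'
        'DFS (possible root server)' = 'Dfs'
        'Terminal Server licensing'  = 'TermServLicensing'
        'License Logging'            = 'LicenseService'
    }
    $services = foreach ($r in $roleServices.GetEnumerator()) {
        $svc = Get-Service -ComputerName $ComputerName -Name $r.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $r.Key
            Service   = $r.Value
            Installed = [bool] $svc
            Status    = if ($svc) { [string] $svc.Status } else { 'n/a' }
        }
    }

    [pscustomobject]@{
        Computer        = $fqdn
        Domain          = $domain.Name
        Site            = if ($dc) { $dc.SiteName } else { $null }
        IsGlobalCatalog = if ($dc) { $dc.IsGlobalCatalog() } else { $false }
        FsmoRoles       = $heldRoles
        RoleServices    = $services
    }
}

# Usage: one record per DC (placeholder names):
# 'dc1', 'dc2', 'dc-remote' | ForEach-Object { Get-DcRoleInventory -ComputerName $_ } | Format-List
```

What the script cannot discover is the part Jorge stresses most: which clients, servers and other DCs point at this box for DNS. That has to come from DHCP scope options, static client configuration and the forwarder lists of the other DNS servers, and it is the reason both replies end up recommending a separate step-by-step plan per DC.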




RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread Grillenmeier, Guido
come on Rick - I'd really enjoy watching Joe race down the Whistler
mountain on a snowboard _with shorts on_ ;-))  

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle
really bad yet another year when skiing when I was young and more dumb
and thought I was invincible. I have since learned that the best part of
skiing is sitting about 5 feet from the fire with some nice smooth
alcoholic beverage and talking to the snow bunnies. My overall
preference though is to be somewhere where snow is not. Growing up in
Northern Lower Michigan I had seen far more than enough snow by the time
I was 10. If going down a hill at high speed I rather it be on a
mountain bike with shorts on. If fishing I rather it be on a nice big
boat with shorts on. If snowmobiling, I rather do it in a videogame
while sitting on a beach with shorts on. A perfect day for me is 76-80
degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards
in a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

-Original Message-
From: Renouf, Phil
Sent by: [EMAIL PROTECTED]
Sent: 01/31/2005 11:34 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
Please respond to ActiveDir


Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have
ever skied. Even if you aren't a skier it's worth going and checking
out, even if it is just for the views. A sunny day at the top of
Whistler is pretty incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind me asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer, hopefully to see very nice things in the region. Do any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven


[ActiveDir] Cloning and SIDs

2005-02-03 Thread Dan DeStefano

Does a machine's SID change when it is added to a domain, or is the domain SID just appended to the current machine's SID?

I ask because I am creating desktop images and want to know if it is necessary to run Sysprep prior to imaging if the PC is not going to be joined to the domain until after imaging. In other words, I create the template installation and image it when the PC is still a workgroup member.

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.


[ActiveDir] Loopback Adapter in Windows

2005-02-03 Thread Mike Hogenauer

Does anyone know how to create a loopback interface on a Windows box?

Thanks
Mike

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread joe
You guys scare me.

Rick because he implies in his email that *he* wants to see me in shorts ("no
one else wants to see you") and because you, Guido, admit it
outright. ;oP

You all luck out. I couldn't think of a good topic to present at DEC so I
don't expect I will be there. It was suggested I present the joeware tools
but I have no clue what I would say... "Well the joeware tools are just
these tools you know... You can get them from www.joeware.net..." and then
stand woodenly on the podium for 25 minutes as people say "Why don't they do
this or that???" and I respond, "They're FREE."

  joe
 


RE: [ActiveDir] Loopback Adapter in Windows

2005-02-03 Thread Gil Kirkpatrick

1. Start the Add/Remove Hardware control panel applet (Start - Settings - Control Panel - Add/Remove Hardware).
2. Click 'Add/Troubleshoot a device', and then click Next.
3. Click 'Add a new device', and then click Next.
4. Click 'No, I want to select the hardware from a list', and then click Next.
5. Click 'Network adapters', and then click Next.
6. In the Manufacturers box, click 'Microsoft'.
7. In the Network Adapter box, click 'Microsoft Loopback Adapter', and then click Next.
8. Click Finish.

-gil

Gil Kirkpatrick
CTO, NetPro




RE: [ActiveDir] Loopback Adapter in Windows

2005-02-03 Thread Bernard, Aric

Use the add/remove hardware applet from the control panel to add a NIC. Specify Microsoft as the vendor and you should see the loopback adapter listed.

Aric



RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread Gil Kirkpatrick
The IEEE-standard response to questions such as "Why don't they do this
or that???" is:

"Whadaya want for nothin'?"

I still think a session on the tools and creative ways to use them (how
to use adfind to clean a clogged sink, for instance) would be a fine DEC
topic. But in any case, you should come. It's going to be an outstanding
conference. Plus, we're having the late-night break-into-someone's-AD
competition.

-gil


[ActiveDir] OT: Microsoft Outlook Mobile Manager

2005-02-03 Thread Celone, Mike



Anyone have a copy of this? I've used it in the past but I can't put it on my new machine. Microsoft discontinued it when it was announced that Exchange 2003 would have these capabilities built in. It used to be a free download on Microsoft's site but it's gone now. If anyone has a copy of this or knows where I can get it, hit me up offline.

Mike


RE: [ActiveDir] Cloning and SIDs

2005-02-03 Thread joe



The member machine's SID and the machine's objectSID from AD are different things. The objectSID will be composed of the domain SID with a unique RID appended. The member machine's SID will stay constant through a domain change.

If you clone machines, changing the machine SIDs is highly desirable.

 joe



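As an added illustration of the distinction joe draws (example code written for this page, not joe's or anyone on the list's), the script below decodes the binary form in which a DC returns objectSid and splits it into the issuing authority (the domain SID, or a stand-alone machine's own S-1-5-21 SID) and the RID that was appended to it. The domain object SID used as input is the objectSid from the adfind output in the LDAP thread further down this page; the local-machine SID is constructed for the example and belongs to no real machine.

```python
import struct

# Value taken from the adfind output in the "LDAP and Win2003 Question" thread on this page.
DOMAIN_OBJECT_SID = "S-1-5-21-1862701446-4008382571-2198042679-6107"
# Constructed example: a cloned workstation's local Administrator (RID 500).
LOCAL_ADMIN_SID = "S-1-5-21-3623811015-3361044348-30300820-500"


def sid_to_string(raw: bytes) -> str:
    """Decode the binary layout AD returns for objectSid: revision (1 byte),
    sub-authority count (1 byte), 48-bit identifier authority (big-endian),
    then `count` 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; handy for building binary LDAP filter values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-R-I-S... SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str):
    """Split an account SID (S-1-5-21-<3 sub-authorities>-<RID>) into the
    issuer part and the RID that is unique within that issuer."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not an account SID under S-1-5-21")
    return "-".join(parts[:7]), int(parts[7])


def same_authority(sid_a: str, sid_b: str) -> bool:
    """True when both RIDs were issued by the same domain (or the same
    stand-alone machine's local SAM)."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


if __name__ == "__main__":
    for label, sid in (("domain object", DOMAIN_OBJECT_SID),
                       ("local Administrator", LOCAL_ADMIN_SID)):
        issuer, rid = split_domain_rid(sid)
        print(f"{label}: issuer {issuer}, RID {rid}, {len(string_to_sid(sid))} bytes")
    # The two issuers differ: joining a domain adds a domain-issued objectSid
    # to the computer object and leaves the local machine SID untouched.
    print("same issuer:", same_authority(DOMAIN_OBJECT_SID, LOCAL_ADMIN_SID))
```

Every local account on an un-Sysprepped clone shares the same S-1-5-21 issuer prefix with every other clone, and the RID the domain hands out at join time lives under a different issuer entirely, which is why the join does not cure the duplicate.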

[ActiveDir] Customizing RIS

2005-02-03 Thread activedir
I am reading all of this great documentation on RIS but I do not find anything good specifically about the *.osc files.

If I update the files to ask for what I want, what do I do with it then? How do I get the variables? How do I use them?

Thank you for your replies.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Customizing RIS

2005-02-03 Thread Michael B. Smith
There are some really good examples in Mark Minasi's Mastering Windows
Server 2003. 

It's a little slack in covering how to do custom hardware driver
installation, which the Microsoft KB is pretty good about.



RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joe
Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time getting MS to admit to bugs so I never
submitted it.


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName: CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1862701446-4008382571-2198042679-6107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: joeschematest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


1 Objects returned



This object clearly has user in the set of objectclasses. You can further
prove it like this

C:\temp>adfind -default -f "(&(name=joeschematest)(objectclass=user))" -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com

1 Objects returned



However if you run this simple script:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


You will fail with 

C:\temp\test.vbs(2, 1) Active Directory: An unknown directory object was
requested


Interesting note on the return order: when looking at the return order of
objectClass I have always seen it returned from the DC in hierarchical order
of the classes. I.e. top is always the top, anything derived directly from
top is directly under top, something derived further down the chain is under
the object type it is derived from, etc. The order being displayed below is
interesting; I expect if you did a *cough* network trace *cough* you would
see the order correctly and something else is tossing it around on you.
However, ~Eric is 1000% correct that you don't depend on order, either of what
AD returns for objects (unless the server-side sort control is specified) or of
the values in a single attribute. I wonder if the ADSI people are simply looking
at the last objectClass value? Otherwise, how can they say my object isn't a
user?


  joe





 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Based on the code presented, it looks more like a bug in .NET.  That's
exactly how the iadscontainer::getobject method is supposed to be used.  If
there is any order dependency, it's with .NET, but I would not have expected
it to care about the order.

I'd post this to a vb.net newsgroup and see what comes back.  Unless Joe K.
is around and sees something off the bat :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, February 02, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

We don't guarantee the order that a set of values in a given attribute is
returned to the client. That said, if you depend on order, you'll have
problems now or in the future. It's not a matter of if, only when. :)

 

You want to make any code you have 
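
The robust check, added here as an example (it is not code from joe's message and not ADSI's code), treats objectClass as an unordered set and, when a custom class is involved, walks the schema's subClassOf chain instead of trusting whichever value happens to come last. The schema fragment is constructed from the standard top/person/organizationalPerson/user chain plus the joewarefromuser class in joe's LDIF; `last_value_is` is my reconstruction of the fragile behaviour joe speculates about, not a statement of how ADSI is implemented.

```python
# Constructed schema fragment: lDAPDisplayName -> subClassOf. The chain
# top > person > organizationalPerson > user is the real AD hierarchy;
# computer and joewarefromuser are both subclasses of user.
SCHEMA = {
    "top": None,
    "person": "top",
    "organizationalPerson": "person",
    "user": "organizationalPerson",
    "computer": "user",
    "joewarefromuser": "user",
}


def class_chain(cls, schema=SCHEMA):
    """Walk subClassOf from cls up to top, most specific class first."""
    chain, seen = [], set()
    while cls is not None:
        if cls not in schema:
            raise KeyError(f"class {cls!r} not in schema")
        if cls in seen:
            raise ValueError(f"subClassOf cycle at {cls!r}")
        seen.add(cls)
        chain.append(cls)
        cls = schema[cls]
    return chain


def is_instance_of(object_classes, target, schema=SCHEMA):
    """Order-independent: true if target is listed in objectClass, or is an
    ancestor of any listed class. Works even if only the leaf class is listed."""
    return any(target in class_chain(c, schema) for c in set(object_classes))


def most_specific_class(object_classes, schema=SCHEMA):
    """The value the DC puts last when it returns objectClass in hierarchical order."""
    return max(set(object_classes), key=lambda c: len(class_chain(c, schema)))


def last_value_is(object_classes, target):
    """Reconstruction of the fragile check joe suspects: look only at the last value."""
    return bool(object_classes) and object_classes[-1] == target


def ldif_values(text, attr):
    """All values of a (possibly multi-valued) attribute in an LDIF-style dump."""
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in text.splitlines()
            if line.lower().startswith(prefix)]


# objectClass values as the DC returned them in joe's adfind output above.
DUMP = """\
dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
"""


if __name__ == "__main__":
    oc = ldif_values(DUMP, "objectClass")
    print("objectClass as returned:", oc)
    print("set-based check, is a user:", is_instance_of(oc, "user"))
    print("last-value check, is a user:", last_value_is(oc, "user"))
    print("most specific class:", most_specific_class(oc))
```

The set-based check gives the same answer for any permutation of the values, which is the property Eric's warning about value order demands; the last-value check flips depending on where `user` lands.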

RE: [ActiveDir] Customizing RIS

2005-02-03 Thread activedir
Thanks Michael. I will try and stop by the bookstore on the way home from work 
but for now I am looking for an online resource.

But at least I have a reference to look at.





RE: [ActiveDir] Members of a group in AD

2005-02-03 Thread joe



I saw the other responses to this question and I think they may be a bit premature.

The workstation is a member of the domain, but is the user a domain user or a local user of the workstation? I.e., where does the user exist, on the workstation or in the domain?

If the latter, then yes, the domain user *should* generally be able to see members of AD groups; however, that is completely predicated on permissions in the directory.

If the former, most likely no, the user cannot see objects in the AD through her own security context, as they have no security context on the domain other than unauthenticated. If they are, however, of sufficient power on the workstation to execute something with LocalSystem or NetworkService permissions, they can enumerate AD objects through that channel from the workstation.

 joe



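Added example, not part of joe's reply: once a domain user can read group objects, a direct listing such as `net group "<group>" /domain` shows only the group's own `member` values, so in practice you want the transitive expansion of nested groups. The script below does that over a constructed in-memory directory that stands in for one LDAP read of objectClass and `member` per DN; it stops on membership loops and reports groups whose `member` attribute this caller could not read, which is the permissions caveat joe raises. All DNs and group names are invented.

```python
# Constructed directory fragment: DN -> attributes, standing in for an LDAP
# read of objectClass/member per DN. No real domain is represented.
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=joe,DC=com": {
        "objectClass": "group",
        "member": ["CN=Administrator,CN=Users,DC=joe,DC=com",
                   "CN=Infra Admins,OU=Groups,DC=joe,DC=com"],
    },
    "CN=Infra Admins,OU=Groups,DC=joe,DC=com": {
        "objectClass": "group",
        "member": ["CN=alice,OU=Staff,DC=joe,DC=com",
                   "CN=Helpdesk,OU=Groups,DC=joe,DC=com"],
    },
    "CN=Helpdesk,OU=Groups,DC=joe,DC=com": {
        "objectClass": "group",
        "member": ["CN=bob,OU=Staff,DC=joe,DC=com",
                   "CN=Infra Admins,OU=Groups,DC=joe,DC=com",   # loop back up
                   "CN=Secret Ops,OU=Groups,DC=joe,DC=com"],
    },
    # Group object is visible, but its member attribute is not readable by this caller.
    "CN=Secret Ops,OU=Groups,DC=joe,DC=com": {"objectClass": "group"},
    "CN=Administrator,CN=Users,DC=joe,DC=com": {"objectClass": "user"},
    "CN=alice,OU=Staff,DC=joe,DC=com": {"objectClass": "user"},
    "CN=bob,OU=Staff,DC=joe,DC=com": {"objectClass": "user"},
}


def direct_members(group_dn, directory=DIRECTORY):
    """The member attribute as stored: what a non-expanding listing shows."""
    obj = directory.get(group_dn)
    if obj is None or obj.get("objectClass") != "group":
        raise LookupError(f"{group_dn} is not a readable group")
    return list(obj.get("member", []))


def expand_group(group_dn, directory=DIRECTORY):
    """Transitive membership. Returns (users, groups, unresolved): DNs found to
    be users, groups traversed, and DNs this caller could not resolve or read."""
    users, groups, unresolved = set(), set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in users or dn in groups or dn in unresolved:
            continue                      # already handled; this also breaks loops
        obj = directory.get(dn)
        if obj is None:
            unresolved.add(dn)            # object not visible in this security context
        elif obj.get("objectClass") == "group":
            groups.add(dn)
            if "member" in obj:
                stack.extend(obj["member"])
            else:
                unresolved.add(dn)        # group seen, membership not readable
        else:
            users.add(dn)
    return users, groups, unresolved


if __name__ == "__main__":
    top = "CN=Domain Admins,CN=Users,DC=joe,DC=com"
    print("direct:", direct_members(top))
    users, groups, unresolved = expand_group(top)
    print("effective users:", sorted(users))
    print("groups traversed:", sorted(groups))
    print("could not read:", sorted(unresolved))
```

Two things this deliberately surfaces: a loop between Infra Admins and Helpdesk is handled by the visited sets rather than recursing forever, and a group you can see but whose `member` attribute is hidden from you is reported instead of silently treated as empty. Note also that accounts whose primaryGroupID points at a group (Domain Users for most accounts) are not stored in that group's `member` attribute at all, so a `member`-based expansion never lists them.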

RE: [ActiveDir] proxy ldap and/or server

2005-02-03 Thread joe
Well AD/AM isn't an LDAP proxy but agree that this is probably the best way
to solve this as I don't know of any LDAP Proxies for Windows, especially
any free ones.

I wonder how hard that would be to write? I think the auth piece would be
the hard part. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 02, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

AD/AM would be what you're looking for most likely.
http:/www.microsoft.com/ad should have a link.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Wednesday, February 02, 2005 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] proxy ldap and/or server

Hello
I need to find and to test a product (freeware if it is possible) that in a
Windows environment (not LINUX or other O.S.) works like an LDAP proxy.
Specifically I need from outside (tunnelling by VPN) to interrogate the LDAP
repository in Active Directory WITHOUT opening the ports directly to the Domain
Controllers (389, 3268 etc.).
I am thinking of using an LDAP server or the like that is installed on a
computer that 'works' as a replicator or LDAP proxy agent.

On this computer I could open those ports.

Some suggestions?

Thanks

PS:
I cannot install Exchange on that computer.




RE: [ActiveDir] AD startup scripts problem

2005-02-03 Thread joe
I would concur, but would say use Ethereal. Much easier generally to read the traces.

 joe


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
DesmondSent: Tuesday, February 01, 2005 8:54 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD startup 
scripts problem


Mark-

If you put 
the problem computer, and your computer on a hub (not a switch), and use the 
version of netmon included with SMS, then you can run the trace. To make things 
easier, Id set a filter in Netmon to only capture traffic to/from the problem 
host. 


Thanks.

--Brian 
Desmond
[EMAIL PROTECTED]
Payton on 
the web! www.wpcp.org

v - 
773.534.0034 x135
f - 
773.534.8101






From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Abbiss, 
MarkSent: Tuesday, February 
01, 2005 4:06 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD startup scripts 
problem


How can I do a network 
trace whilst the computer is booting up ? When I have logged on as normal user 
the share and files are fully accessible. I looked at my bootup log 
(userenv.log) and can see that the GPO is called. But I just don't know what 
could prevent my startup script accessing the network 
share.



Are there any other GPO 
settings that may be set in another GPO that could be blocking network accessing 
during the bootup ?



As I say, using the 
batch after logging on causes absolutely no 
problems.



This is really 
frustrating !!

  -Original 
  Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of joeSent: Montag, 31. Januar 2005 
  17:57To: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD startup 
  scripts problem
  Have you done a 
  network trace yet? If you are getting an access denied, you will see it in the 
  trace.
  
   
  joe
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Abbiss, 
  MarkSent: Monday, January 
  31, 2005 4:09 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD startup 
  scripts problem
  
  Just to follow up on 
  this problem, I would like to clarify my current situation 
  :
  
  
  
  I have now determined 
  the script is actually running during startup. The problem however remains 
  that I am not able to run the executable from the network share location. 
  Everything works fine if I re-code the batch command andput the EXE 
  locally on the computer. But using UNC addresses in the batch does not 
  work.
  
  
  
  On the network share 
  and all sub-folders I have ensured that "Domain Computer" accounts have full 
  access.
  
  
  
  If I log on to the 
  computer with a normal domain user account and then run the batch file that is 
  coded with UNC references, the whole process works 
  wonderfully.
  
  
  
  So where can I look to see what has failed when I configure the script to run during startup and the batch file is using UNC paths ? I have looked in the standard places (event viewer) but don't see any error messages.
  
  
  
  Many 
  thanks
  
  
  
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, 28 January 2005 17:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Put it in SYSVOL



RH

___


-Original Message-
  From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Friday, January 28, 2005 11:31 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD startup scripts problem
  
  
  The local computer's system account does process the script, but here it looks like it doesn't have permissions to read the script on the 'servers' share.
  
  
  
  From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
  Sent: Fri 28/01/2005 16:26
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD startup scripts problem
  
  Correct me if I'm wrong, but doesn't the Local System account have full control of the entire boot operation? And isn't it responsible to process the complete range of operations including network authentication and domain based GPO processing? And if not who is? And if so, doesn't that mean it should be processing this script?

  Rocky
  ___

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
  Sent: Friday, January 28, 2005 10:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] AD startup scripts problem

  I *think* that you do actually have network access at the point that computer startup scripts run. However, you'll have a security issue because the local system account

[ActiveDir] About an error in GPO editing

2005-02-03 Thread Armando González Macias



When I want to edit the Domain GP I start to get a lot of these messages:

The following entry in the [string] section is too long and has been truncated.

I just keep hitting the "Ok" button but I don't know exactly if there is something affecting the Domain GP.

Could anyone tell me why I am receiving this kind of message??


Re: [ActiveDir] Customizing RIS

2005-02-03 Thread activedir
I think that I may have found my answer and I wanted to share it with everyone 
on the list.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/acicc_ris_lslw.asp

Thanks.

-- Original Message --
From: activedir [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu,  3 Feb 2005 10:11:46 -0800

I am reading all of this great documentation on RIS but I do not find anything 
good specifically to the *.osc files.

If I update the files to ask for what I want, what do I do with it then?  How 
do I get the variables?  How do I use them?

Thank you for your replies.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-02-03 Thread joe



I am going to throw a little monkey wrench at this one. :o) Mostly because I like harassing Guido.

Depending on what is meant by this being a DR site, it might be valuable for this to have its own forest and domain. The question is, define the disasters it is supposed to help with. If it is simply physical location disasters, same domain/forest is fine. But if it is to also help with the forest going toes up and you need something people can work in as fast as possible with that time being measured in minutes, then separate forest and domain is something to consider.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 31, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

ok - that puts a little different touch to your story.

in this case (esp. as a DR site and on separate HW with physical security in place), you're fine to host a DC in that site.

Yes, you can add it to your 2000 domain and you've already supplied the solution as well: you'll need to prepare the schema of the forest via ADPREP /forestprep and then prepare the domain you'll join the DC to via ADPREP /domainprep. If you have Exchange 2000 first apply the E2k schema fix (read Q314649)

Check here for all the details: http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_overview.asp

But definitely don't start a new domain (for which you'd 
still need to upgrade the schema) - an OU is perfectly fine for your 
situation.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

Physical security is not an issue. Locked computer room, only pt admin and manager has access. This office will eventually become a disaster recovery location housing a bunch of blade servers and replicated disk. The need for a domain controller is like you said -- network connectivity and access. This office supports a few key personnel (money makers !!) so the cost of a few servers and some 2003 licenses and an exchange server is not a big deal; speed and reliability are more important.

But I'm still dealing with the question of:

1: we are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new servers with 2003 as domain controllers so we won't have to upgrade them later?

If so, anything special we need to do? IE: forest prep?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Monday, January 31, 2005 3:50 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.


Hi,

I could not agree more 
with Guido! The security aspect is the most important reason to go for the 
suggested solution. However, there's one thing to keep in mind in this scenario 
namely the trustworthiness of your network. If you're not placing a DC in the 
remote location, network connectivity becomes a must to enable a user to do 
his/her work. Sure, there's a thing as cached credentials on a client, but logon 
on to a domain is important for a lot of services.

Cheers!
John Reijnders (soon to 
change his e-mail address into a MSFT one)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 31 January 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

definitely give them 
an OU and I'd also urgently suggest you don't make the machine in that remote 
office a DC at all 
= first of all 
it's not required for 15 folks - you'll need it for other things such as 
file/print (they should easily be able to authenticate to your main office; 
assuming NW connectivity - which you'd also need to setup 
replication...)
= secondly, it's 
much more secure, as you will likely not have much physical security in an 
office of 15 people and if you're using the one box for everything it's unsecure 
from a delegation perspective

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

we are setting up a remote office of about 15 people that will be linked by a vpn.

we are buying new servers that have 
win2003 on them.





I have a couple of questions, I hope you would indulge me with your opinions.



1: we are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new servers with 2003 as domain controllers so we won't have to upgrade them later?

If so, anything special we need to do? IE: forest prep?



2: We have a raging debate whether to set them up as a domain or an org unit in their own site.

RE: [ActiveDir] proxy ldap and/or server

2005-02-03 Thread Mulnick, Al
Maybe I misunderstood the requirement then.  If you're thinking something
like ISA as a proxy for LDAP, then ADAM isn't the ticket.  If you want
something that can be a projected LDAP store, then ADAM would do it.  

I wouldn't guess that a proxy would be too terribly difficult to write, but
I'd have to wonder what the benefit would be vs. projecting the data to a
store where the data is needed. 

What did you have in mind? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Well AD/AM isn't an LDAP proxy but agree that this is probably the best way
to solve this as I don't know of any LDAP Proxies for Windows, especially
any free ones.

I wonder how hard that would be to write? I think the auth piece would be
the hard part. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 02, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

AD/AM would be what you're looking for most likely.
http:/www.microsoft.com/ad should have a link.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Wednesday, February 02, 2005 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] proxy ldap and/or server

Hello
I need to find and to test a product (free-ware if it is possible) that in a
Windows environment (not LINUX or other O.S.) works like a LDAP proxy.
Specifically I need from outside (tunnelling by VPN) to interrogate the LDAP
repository in Active Directory WITHOUT opening the ports directly to Domain
Controllers (389, 3268 etc.).
I should think to use an LDAP Server or likes that is installed on a
computer that 'works' as a replicator or agent proxy LDAP.

On this computer I could open those ports.

Some suggestions ?

Thanks

PS:
I cannot install Exchange on that computer.




RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-02-03 Thread joe
Ah R&D. Evil Spawn. :op  Oh wait that is marketing and legal...
 
Not sure I understand why you need simultaneous access for kerberos Only
one person on the console at once kind of thing, anyone else touching the
box for other services should be connecting across the network with
kerberized software (say kerberized telnet, ssh, etc) and already have their
creds which should be trusted I think. 
 
The setup mentioned would be fun to troubleshoot, if you can, try to look at
the centrify stuff, last I looked they were doing a lot in the way of unix
application integration into the Windows kerberos environment.
 
  joe
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Sunday, January 30, 2005 4:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?


Why second forest ? We are R&D, have to be special and love to push the
technology to its limits ;)

 

Now seriously... Being R&D, we have some requirements that can not be
provisioned using the corporate forest both from the point of procedures and
flexibility. While we do use user accounts from the corporate forest, we
need to have control over the hosts and have an environment flexible enough to
host projects that require a level of control that the corporate forest can not
provide us. The result is that we have our own forest for hosts and project
related accounts.

 

As for Kerberos, this is rather an issue, as we need to provide simultaneous
access to users from different Kerberos realms, meaning that switching the
host's realm is not an option. As for 3rd party apps - those currently are
not an option (sigh), so I came up with the idea of collapsing/synching relevant
user accounts (those R&D folks) from multiple domains to a single LDAP
partition the hosts will be pointed to.

 

The intention is to use LDAPS for authentication. As I see it, this is much
easier to provision: you do not need to join hosts to Kerberos realms and
the end user can have his boxes be easily configured by following short
instructions. The authentication chain is basically:

[*nix host] => (LDAPS) => [OpenLDAP] => (Kerberos) => [DC in one of user
account domains]

 

In any case, I would be glad to hear what guys on this list think about this
kind of setup.

 

Thanks,

Guy


  _  

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 1/29/2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?


I am trying to understand why you have a second forest for resources at all?
Is it strictly to hold the non-MS kerberos princs?
 
I understand the issue with the multiple realms with the current UNIX kerb
implementations. They don't seem to be in a hurry to correct that
shortcoming either from the talks I have heard about. One of the companies I
admin'ed for previously had that issue for about 5000 UNIX hosts. It got to
the point that they had a system set up where they scripted the process so
they could quickly move UNIX machines to point from one realm to another in
the event it was needed which wasn't terribly often. However, it took admin
interaction. In the backend they had a little perl daemon they wrote on the
machines that would get the keytab files as needed and manage that whole
process. It would use sockets to communicate to a member server (one server
in the whole forest was fine, but two offered failover) which it would call
out to get the keytabs generated. They were thinking at one point about
setting up a custom PAM to handle it so you could specify what domain/realm
to auth the user in which would switch which sys files were used but the
concern was writing the custom code for that as it would have had to work on
Solaris, HPUX, DEC, various Linux blends, IRIX, and probably eventually
mainframes, etc. Anything not smart enough to handle an Enterprise Kerberos
implementation [1].  
 
You might consider looking at the Centrify and Vintela solutions. They will
get you far more than just auth. I know Centrify will handle multi-realm. 
 
  joe
 
 
[1] Let's face it, a single kerberos realm is small or medium centralized
business or university class, it isn't enterprise class.
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Saturday, January 29, 2005 2:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?



Hi Eric,

 

Guess what google has come up with  ?

http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx  :-) 

 

Second paragraph from the bottom is exactly my scenario, so looks like I'm
stuck with another directory.

Will probably end up with OpenLDAP to make our Unix geeks happy, if this can
not be done using the existing environment.

 

Btw, it's quite interesting how OpenLDAP handles the simple bind
authentication: the userPassword value contains the mechanism used to
authenticate the account.

For example:

 

Dn: 

RE: [ActiveDir] Any oppinions about LDAP warning 1216 - error situation 995

2005-02-03 Thread joe



Did the response ever go out? I didn't see it and was 
interested. It is highly possible my mail server ate it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, January 09, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any oppinions about LDAP warning 1216 - error situation 995


I'm going to reply to the original thread on this, just to keep the thread history around, and I'll merge in joe's reply. Sorry I didn't reply to that one sooner, I've been behind on my dl reading.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 09, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any oppinions about LDAP warning 1216 - error situation 995

Well the description 
for error 995 is 

"The I/O operation has 
been aborted because of either a thread exit or an application 
request."

The c06028b tells MS where in the source code the failure is occurring at in case they need to chase source code to figure it out. You actually should specify the OS and SP level for that to really be useful as line numbers can change in the various versions of the OS. I would start with a guess this is W2K SP3/4. If that is the case this error is being thrown from the section of code used for reading/writing to TCP/IP connections. You could pretty much probably figure that from the error message above. At a guess it would seem the connection between the client and DC has broken, whether intentional or not I don't know if, nor think, that can be ascertained from the message. I expect the second part of the internal code is the internal client ID that the connection was broken for.

I would tend to wonder 
how "bad" this is based on the fact that you had to crank up your logging level. 
If they were very serious, I expect they would show up at lower levels. I guess 
it could, if you have a lot of them - like hundreds or thousands, mean you have 
some network connectivity issues. 

I am sure ~Eric will be 
along with some more in depth info.

 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Procenko
Sent: Sunday, January 09, 2005 6:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Any oppinions about LDAP warning 1216 - error situation 995
Hello! 

After turning on AD LDAP events 
logging to level 5 got a bunch of LDAP warnings 1216 like this 

Source: NTDS LDAP
Category: (16)
Event ID: 1216
Date: 09.01.2005
Time: 14:02:21
Computer: MAINDC
Description: ... LDAP ... 995. (c06028b::9085).

(Description in English - The LDAP server has closed the socket for the client because of error situation 995 (internal code c06028b::9085).)
The right part of the internal code - 9085 in this case - may differ, but the left one is always the same - c06028b.
These events are logged about 8-15 times per hour; there are successful connection attempts too.

Found some references about LDAP warning with id 1216 at Microsoft's site, but the error situation was different. There is an assumption that it is related to Exchange 2000 LDAP requests; about a year ago we had a main forest DC crash, but since then we did not get any Exchange issues. This event is logged after a connection attempt from our Exchange server, but on Exchange's side we don't have any errors. Any opinions are welcome.
 Pete.

List info : http://www.activedir.org/mail_list.htm List 
FAQ : http://www.activedir.org/list_faq.htm List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] About an error in GPO editing

2005-02-03 Thread James_Day
Hi Armando

Your GPO was edited or created by an SP2 box.  You either need to keep
editing it from SP2 or apply the following patch.

http://support.microsoft.com/default.aspx?kbid=842933

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


   
From: Armando González Macias [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] About an error in GPO editing
Date: 02/03/2005 02:54 PM EST
Please respond to ActiveDir




When I want to edit the Domain GP I start to get a lot of these messages:

The following entry in the [string] section is too long and has been
truncated.

I just keep hitting the Ok button but I don't know exactly if there is
something affecting the Domain GP.

Could anyone tell me why I am receiving this kind of message??



[ActiveDir] OT: exchange and temp folder

2005-02-03 Thread Kern, Tom
Hi. Anyone know why my c:\winnt\temp folder would be filling up with 
emails (.eml files) on my Exchange 2k server?

I found about 11 gig of them this morning, a lot dated from a month or so ago.
Strange.
Is this something related to EXIFS? I can open the mails in OE so they're not 
corrupted.

thanks


RE: [ActiveDir] Computer Account Cleanup

2005-02-03 Thread joe
Well thanks Bob! 

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, January 26, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer Account Cleanup

Crappy terminology on my part. I should have said 2003 functional level
(he had already specified it was a 2003 domain)

When the domain functional level has been set to Windows Server 2003, a new
lastLogonTimestamp attribute is used to track the last logon time of a user
or computer account...etc

For this exercise, I'd toss dsquery in a heartbeat anyway and use OldCmp,
it's orders of magnitude better.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ross Stingley
Sent: Wednesday, January 26, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer Account Cleanup

FWIW, I'm in native mode in a Win2k domain and I got the same error message.


- Original Message -
From: Free, Bob [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, January 26, 2005 1:13 PM
Subject: RE: [ActiveDir] Computer Account Cleanup


I'm pretty sure the domain needs to be in native mode or will throw that
error.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, January 26, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer Account Cleanup



I tried running this utility dsquery computer domainroot -inactive 4
and received the following error message on our Windows 2003 Domain.

 

dsquery failed:The parameter is incorrect.:Windows could not run this
query because you are connected to a domain that does not support this
query.

type dsquery /? for help.

 

I did not find help to be that helpful in resolving the issue.  Does
anyone have any ideas?

Thanks,

S



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Tuesday, January 11, 2005 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer Account Cleanup

 

Joe's utility works for Windows 2000.  I'm reading about it now.  I
don't think there is a MS utility to do this for Windows 2000 but you
could write a script to query for pwdLastSet.  I may have a copy of one
but you'd probably be better off using Joe's tool.  

- Original Message - 

From: Aramide Adebanjo mailto:[EMAIL PROTECTED]  

To: ActiveDir@mail.activedir.org 

Sent: Tuesday, January 11, 2005 11:23 AM

Subject: RE: [ActiveDir] Computer Account Cleanup



Hi all,



Is there one for windows 2000? This is also an issue i have
tried resolving.



regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Tuesday, January 11, 2005 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer Account Cleanup

In windows 2003 you can use dsquery computer -inactive
or -stalepwd. Here is a link to the syntax.  




http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dsquery.asp

- Original Message - 

From: Liz Vaibar mailto:[EMAIL PROTECTED]


To: Active Directory Discussions
(ActiveDir@mail.activedir.org) mailto:ActiveDir@mail.activedir.org)  

Sent: Tuesday, January 11, 2005 10:41 AM

Subject: [ActiveDir] Computer Account Cleanup



Is there a free MS utility that allows you to
identify and cleanup old computer accounts within AD? Any suggestions
would be appreciated.



Thanks,

Liz


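The -inactive versus -stalepwd distinction the thread works through (lastLogonTimestamp only exists at Windows Server 2003 functional level, pwdLastSet everywhere), as an added Python example that is not from the thread or from any Microsoft tool: it builds the equivalent LDAP filters over FILETIME cutoffs and classifies constructed sample computer records, including the fall-back when lastLogonTimestamp is absent. The record layout, sample names and thresholds are constructed for illustration.

```python
"""Stale computer-account triage modelled offline (added example).

dsquery computer -inactive N relies on lastLogonTimestamp, which exists only
once the domain is at Windows Server 2003 functional level; on a Windows 2000
domain the query fails. -stalepwd N uses pwdLastSet, which exists everywhere.
Both attributes are FILETIME values: 100 ns ticks since 1601-01-01 UTC.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> FILETIME ticks. Integer math only: floats lose
    precision at the 10^17 magnitude these values reach."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Inverse of to_filetime, truncated to microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_filter(now, inactive_weeks=None, stalepwd_days=None):
    """LDAP filter equivalent to dsquery's -inactive / -stalepwd switches.
    AD compares these large-integer attributes numerically, so 'older than'
    is a <= against the cutoff expressed as a FILETIME."""
    clauses = ["(objectCategory=computer)"]
    if inactive_weeks is not None:
        cutoff = to_filetime(now - timedelta(weeks=inactive_weeks))
        clauses.append(f"(lastLogonTimestamp<={cutoff})")
    if stalepwd_days is not None:
        cutoff = to_filetime(now - timedelta(days=stalepwd_days))
        clauses.append(f"(pwdLastSet<={cutoff})")
    return "(&" + "".join(clauses) + ")"


def is_stale(record, now, inactive_weeks=4, stalepwd_days=90, level_2003=True):
    """Decide whether one computer record looks stale.

    level_2003=False models a Windows 2000 domain: no lastLogonTimestamp, so
    only password age (pwdLastSet) can be used. At 2003 level the logon stamp
    is preferred, but it is rewritten only when the stored value is more than
    14 days old (default msDS-LogonTimeSyncInterval), so inactive_weeks < 2
    cannot distinguish anything.
    """
    pwd_cutoff = to_filetime(now - timedelta(days=stalepwd_days))
    pwd_stale = record.get("pwdLastSet", 0) <= pwd_cutoff
    if not level_2003:
        return pwd_stale
    last_logon = record.get("lastLogonTimestamp")
    if last_logon is None:
        # Attribute never populated (no logon since the level was raised):
        # fall back to password age rather than silently treating as active.
        return pwd_stale
    return last_logon <= to_filetime(now - timedelta(weeks=inactive_weeks))


def stale_report(records, now, **kwargs):
    """Sorted names of the records is_stale flags, for review before any cleanup."""
    return sorted(name for name, rec in records.items() if is_stale(rec, now, **kwargs))


# Constructed sample data, dated to the thread (2005-02-03).
NOW = datetime(2005, 2, 3, 12, 0, tzinfo=timezone.utc)


def _days_ago(days):
    return to_filetime(NOW - timedelta(days=days))


SAMPLE = {
    "WS-ACTIVE": {"pwdLastSet": _days_ago(10), "lastLogonTimestamp": _days_ago(3)},
    "WS-STALE": {"pwdLastSet": _days_ago(120), "lastLogonTimestamp": _days_ago(100)},
    "WS-NOLOGONDATA": {"pwdLastSet": _days_ago(200)},  # attribute absent
    # Old password but recent logon: the two criteria disagree on purpose here.
    # Not stale, though worth a look (machine password rotation disabled?).
    "WS-OLDPWD": {"pwdLastSet": _days_ago(95), "lastLogonTimestamp": _days_ago(2)},
}

if __name__ == "__main__":
    print(stale_filter(NOW, inactive_weeks=4))
    print("2003 level:", stale_report(SAMPLE, NOW))
    print("2000 level:", stale_report(SAMPLE, NOW, level_2003=False))
```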


RE: [ActiveDir] About an error in GPO editing

2005-02-03 Thread Dave Lamberty



This happens on non-XP SP2 machines when your admin templates have been updated from an XP SP2 client. The following KB article has a fix:
http://support.microsoft.com/default.aspx?kbid=842933

--Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Armando González Macias
Sent: Thursday, February 03, 2005 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] About an error in GPO editing

When I want to edit the Domain GP I start to get a lot of these messages:

The following entry in the [string] section is too long and has been truncated.

I just keep hitting the "Ok" button but I don't know exactly if there is something affecting the Domain GP.

Could anyone tell me why I am receiving this kind of message??


RE: [ActiveDir] Loopback Adapter in WIndows

2005-02-03 Thread Mike Hogenauer








Thanks

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, February 03, 2005
9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Loopback
Adapter in WIndows





Use the add/remove hardware applet from
the control panel to add a NIC. Specify Microsoft as the vendor and you
should see the loopback adapter listed.


Aric











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Thursday, February 03, 2005
9:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback
Adapter in WIndows





Does anyone
know how to create a loopback interface on a windows box?



Thanks


Mike 



Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149


RE: [ActiveDir] Legal Question

2005-02-03 Thread joe
You aren't twins? Could have fooled me. The first time I saw you I walked up
and said Hi Deji and didn't have a clue and I knew Deji back when he could
barely spell NT (good thing they renamed it!!!). 

Seriously though, thanks for all of the responses. There was no specific
reason I needed it. I was just curious because of all the work put into
stamping those things on the messages and it is so, seemingly to me,
obviously impossible to really do anything about it if the message is indeed
sent to someone who uses it badly. Personally, I do not feel bound one iota
by any disclaimer at the bottom of a message that I didn't get to until I
read the rest of the content. I wasn't asked if I agree to the terms. I
would think for this to be truly binding, you would have to agree to the
disclaimer prior to being able to see the content in any way shape or form
which implies some form of message encryption and an intelligent mechanism
for asserting the agreement. 

To put it another way, if I am walking down the street and I walk through a
wide open door of a building and see all sorts of interesting things and as
I leave someone comes up to me and says, btw, everything you saw in there
you are bound to not disclose I would laugh my fool head off at them.

Anyway, it amazes me how much time and effort and wasted disk space is
dedicated to these things, especially if there is no real proof they will
actually help with anything. The one place I can see them kind of having any
kind of influence is by people within the same company who already have
agreements to not disclose corporate information and this is just a reminder
that you shouldn't be thinking this isn't something exempt from that
agreement. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 24, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You'd be surprised how similar alike we are.  In fact, in public, most would
think we're twins except that he hasn't received his cafeteria MVP award yet
;)

<seriously>Either way, I am interested to hear what you get back from the
legal-beagles.</seriously>

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Monday, January 24, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

Sorry I mistyped and meant you (Al) and not Deji - my bad.  I finished
reading one of his posts before I sent this out and had his name on my mind.
I think those educators are rubbing off on me.

Brian
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 24, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

I missed Deji's post but I'd be interested to hear the legal team's response
to the intended recipient issue if you could post that back.  More of a
curiosity issue, but I'm insanely curious about things ;)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Monday, January 24, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

Well I am no lawyer either but the disclaimer was attached at the request
(directive) of our legal team.  They also came up with the content of the
message.  I have not been following the specifics behind it but I was told
(legal term - hearsay) that it was a direct result of some litigation and
recent legislation here in CA.  Again I have no specifics but will do a
little checking.  It also had something to do with showing due diligence
since we are in public education and a lot of correspondence with parents,
colleagues, and the state/feds happen via e-mail.  Educators have been known
to not be the most technical bunch and are often sending email to the wrong
person (not sure how the intended recipient falls into that like Deji
points out).  However, the thought has been that if the recipient is clearly
not the intended recipient that they do the right thing and delete the
message instead of forwarding it on for some other gain.  There are a lot of
people critical of public education that would love to get information on a
student's IEP and show the tax payer's money at work.

 

Other than that it is just more overhead on our messaging environment as far
as I am concerned causing our help desk to receive more calls about this
both from the sender (confused because they never typed this in) or the
recipient wondering if they should keep the message or not.  I do see more
and more law firms and government agencies that we deal with that attach
these disclaimers which is why we started doing it in the first place -
monkey see, monkey do.

 

Brian



From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 22, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: 

RE: [ActiveDir] proxy ldap and/or server

2005-02-03 Thread joe
Not sure what the OP has in mind, but I was thinking about exposing a
directory without exposing any additional surface area for possible
exploitation without the overhead of syncing data. Eventually I could see
the proxy even refusing certain types or sizes of operations. Say you don't
allow any modify ops or searching with specific attributes or result returns
of x size can be stopped, etc. It could also proxy the access rights even.
You call it anonymously, it calls the real directory with creds and only
returns things that the anonymous person should see but doesn't require you
to open the real directory up for anonymous access in fear you do something
wrong.

Another thing that would be interesting is multidirectory integration. I.E.
You can use one proxy that can route to several different directories
without need of referrals. So that the proxy knows where to look for
something in certain ranges. That would start getting very complicated
though.

Just thunking...

  joe
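The operation and attribute filtering joe sketches above, as an added example (not code from the thread or from any product): the per-request policy such a proxy would apply before forwarding anything to a DC. The published subtree, attribute lists and limits are hypothetical, and the request hashtable stands for what the proxy has already decoded from the client's LDAP message.

```powershell
# Added example, not from the list thread. Policy values are made up.
$ProxyPolicy = @{
    AllowedOperations    = @('bind', 'search', 'unbind')      # no modify/add/delete/modDN/extended
    PublishedSubtree     = 'OU=People,DC=corp,DC=example'     # searches may not leave this
    FilterAttributes     = @('objectClass', 'cn', 'sn', 'givenName', 'mail', 'displayName')
    ReturnableAttributes = @('cn', 'displayName', 'mail', 'telephoneNumber', 'department')
    MaxSizeLimit         = 200                                # cap on entries per search
}

function New-PolicyResult {
    param([bool]$Allowed, [string]$Reason, [hashtable]$Forward)
    [pscustomobject]@{ Allowed = $Allowed; Reason = $Reason; Forward = $Forward }
}

function Get-LdapFilterAttributes {
    # Pulls the attribute names out of an RFC 4515 filter string, including the
    # extensible-match forms (attr:dn:=v) and (attr:<matching-rule-oid>:=v).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Filter)
    $pattern = '\(([A-Za-z][\w.;-]*)(?::[\w.]+)*:?[~<>]?='
    [regex]::Matches($Filter, $pattern) | ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
}

function Test-LdapProxyRequest {
    param([Parameter(Mandatory)][hashtable]$Request)

    $op = ([string]$Request.Operation).ToLowerInvariant()
    if ($ProxyPolicy.AllowedOperations -notcontains $op) {
        return (New-PolicyResult $false "operation '$op' is not proxied")
    }
    if ($op -ne 'search') { return (New-PolicyResult $true 'pass-through' $Request) }

    # The base DN must sit inside the published subtree (case-insensitive DN suffix match)
    $base = [string]$Request.BaseDN
    if (-not $base.ToLowerInvariant().EndsWith($ProxyPolicy.PublishedSubtree.ToLowerInvariant())) {
        return (New-PolicyResult $false "base '$base' is outside the published subtree")
    }

    # Every attribute named in the filter must be one clients may search on;
    # -notcontains is case-insensitive, as LDAP attribute names are.
    $badFilter = @(Get-LdapFilterAttributes -Filter ([string]$Request.Filter) |
                   Where-Object { $ProxyPolicy.FilterAttributes -notcontains $_ })
    if ($badFilter.Count -gt 0) {
        return (New-PolicyResult $false "filter uses unpublished attribute(s): $($badFilter -join ', ')")
    }

    # Result attributes are intersected with the allow-list; '*' or none means "all published"
    $requested = @($Request.Attributes | Where-Object { $_ })
    if ($requested.Count -eq 0 -or $requested -contains '*') { $requested = $ProxyPolicy.ReturnableAttributes }
    $forwardAttrs = @($requested | Where-Object { $ProxyPolicy.ReturnableAttributes -contains $_ })
    if ($forwardAttrs.Count -eq 0) {
        return (New-PolicyResult $false 'none of the requested attributes are published')
    }

    # Clamp the size limit so a single query cannot pull the whole subtree
    $size = [int]$Request.SizeLimit
    if ($size -le 0 -or $size -gt $ProxyPolicy.MaxSizeLimit) { $size = $ProxyPolicy.MaxSizeLimit }

    $forward = $Request.Clone()
    $forward.Attributes = $forwardAttrs
    $forward.SizeLimit  = $size
    New-PolicyResult $true 'forwarded with rewritten attribute list and size limit' $forward
}

# Constructed sample requests, i.e. what the proxy would see after decoding
$samples = @(
    @{ Operation = 'search'; BaseDN = 'OU=People,DC=corp,DC=example'
       Filter = '(&(objectClass=user)(mail=*))'; Attributes = @('cn', 'mail', 'employeeID'); SizeLimit = 5000 }
    @{ Operation = 'search'; BaseDN = 'OU=People,DC=corp,DC=example'
       Filter = '(userAccountControl:1.2.840.113556.1.4.803:=2)'; Attributes = @('cn') }
    @{ Operation = 'search'; BaseDN = 'CN=Configuration,DC=corp,DC=example'; Filter = '(objectClass=*)' }
    @{ Operation = 'modify'; BaseDN = 'CN=someone,OU=People,DC=corp,DC=example' }
)
foreach ($req in $samples) {
    $verdict = Test-LdapProxyRequest -Request $req
    '{0,-6} allowed={1,-5} {2}' -f $req.Operation, $verdict.Allowed, $verdict.Reason
}
```

Only the first sample is forwarded, with employeeID dropped from the attribute list and the size limit clamped to 200; the other three are refused for an unpublished filter attribute, an out-of-subtree base and a non-proxied operation respectively.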



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Maybe I misunderstood the requirement then.  If you're thinking something
like ISA as a proxy for LDAP, then ADAM isn't the ticket.  If you want
something that can be a projected LDAP store, then ADAM would do it.  

I wouldn't guess that a proxy would be too terribly difficult to write, but
I'd have to wonder what the benefit would be vs. projecting the data to a
store where the data is needed. 

What did you have in mind? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Well AD/AM isn't an LDAP proxy but agree that this is probably the best way
to solve this as I don't know of any LDAP Proxies for Windows, especially
any free ones.

I wonder how hard that would be to write? I think the auth piece would be
the hard part. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 02, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

AD/AM would be what you're looking for most likely.
http://www.microsoft.com/ad should have a link.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Wednesday, February 02, 2005 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] proxy ldap and/or server

Hello
I need to find and to test a product (free-ware if it is possible) that in a
Windows environment (not LINUX or other O.S.) works like an LDAP proxy.
Specifically I need from outside (tunnelling by VPN) to interrogate the LDAP
repository in Active Directory WITHOUT opening the ports directly to Domain
Controllers (389, 3268 etc.).
I was thinking of using an LDAP server or the like that is installed on a
computer that 'works' as a replicator or LDAP proxy agent.

On this computer I could open those ports.

Some suggestions ?

Thanks

PS:
I cannot install Exchange on that computer.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] About an error in GPO editing

2005-02-03 Thread Armando González Macias
OK, I will try your suggestion and let you know.
Best Regards
- Original Message - 
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 2:03 PM
Subject: Re: [ActiveDir] About an error in GPO editing

Hi Armando
Your GPO was edited or created by an SP2 box.  You either need to keep
editing it from SP2 or apply the following patch.
http://support.microsoft.com/default.aspx?kbid=842933
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Armando González Macias [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Bcc: James Day/Contractor/NPS
Sent: 02/03/2005 02:54 PM EST
Subject: [ActiveDir] About an error in GPO editing

When I want to edit the Domain GP I start to get a lot of these messages:
The following entry in the [string] section is too long and has been
truncated.
I just keep hitting the OK button but I don't know exactly if there is
something affecting the Domain GP.
Could anyone tell me why I am receiving this kind of message?


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread joe
Good response. I need it more and more lately. 

Someone will tell me how great some tool is and how it is better than
anything out there that they could buy to do the same. Then say I should do
this or that which is orders of magnitude more complex and involved and
generally very specific to their environment. I then respond that I will
take it under advisement and put it on the list of possible features down
the road but that it is unlikely I will do it as it is involved and if I
made something like that I would probably charge for it. After that I
usually get, oh that is ok, thanks anyway, keep up the good work. But more
and more I get back some mean response and how this stuff should all be free
and since I know how to do it, I should make it available for everyone. My
response to that is usually Ctrl^D.

Gil, I haven't put the unclog sink option into ADFIND yet!


  joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 03, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

The IEEE-standard response to questions such as Why don't they do this or
that??? is:

Whadaya want for nothin'? 

I still think a session on the tools and creative ways to use them (how to
use adfind to clean a clogged sink for instance) would be a fine DEC topic.
But in any case, you should come. It's going to be an outstanding conference.
Plus, we're having the late-night break-into-someone's-AD competition.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

You guys scare me.

Rick because he implies in his email that *he* wants to see me in shorts (no
one else wants to see you) and because you Guido, admit it
outright. ;oP

You all luck out. I couldn't think of a good topic to present at DEC so I
don't expect I will be there. It was suggested I present the joeware tools
but I have no clue what I would say... Well the joeware tools are just
these tools you know... You can get them from www.joeware.net... and then
stand woodenly on the podium for 25 minutes as people say Why don't they do
this or that??? and I respond, They're FREE. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

come on Rick - I'd really enjoy watching Joe race down the Whistler mountain
on a snowboard _with shorts on_ ;-))  

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I'd rather it be on a mountain bike with shorts on. If fishing I'd
rather it be on a nice big boat with shorts on. If snowmobiling, I'd rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 


Re: [ActiveDir] About an error in GPO editing

2005-02-03 Thread Ricardo . Konno

Return Receipt: your document "Re: [ActiveDir] About an error in GPO editing" was received by Ricardo Konno/SCI at 03/02/2005 17:45:24.






RE: [ActiveDir] Legal Question

2005-02-03 Thread Stockbrugger, Brian L.
So I did hear a new legal spin on this today from our attorneys. Their take
on disclaimers from a legal perspective is that if you are the intended
recipient such that it was sent to you by the sender whether this was a
mistake or not, there is no legal ground to stand on.  They do feel the
disclaimer shows some due diligence in the case of sending to the wrong
person but no legal foundation.

However, the disclaimer is potentially helpful in the event that e-mail is
hijacked or sniffed by someone who is not the intended recipient.  We were
advised by our attorneys to include disclaimers given the fact that a lot
of correspondence is sent across the Internet with confidential or
potentially damaging information if it got in the wrong hands.  Has this
been tested in court - I have no idea.  So this has us discussing encrypting
all email now.

I did find an interesting albeit useless site on disclaimers.
www.emaildisclaimers.com

Brian

-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 03, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You aren't twins? Could have fooled me. The first time I saw you I walked up
and said Hi Deji and didn't have a clue and I knew Deji back when he could
barely spell NT (good thing they renamed it!!!).

Seriously though, thanks for all of the responses. There was no specific
reason I needed it. I was just curious because of all the work put into
stamping those things on the messages and it is so, seemingly to me,
obviously impossible to really do anything about it if the message is indeed
sent to someone who uses it badly. Personally, I do not feel bound one iota
by any disclaimer at the bottom of a message that I didn't get to until I
read the rest of the content. I wasn't asked if I agree to the terms. I
would think for this to be truly binding, you would have to agree to the
disclaimer prior to being able to see the content in any way shape or form
which implies some form of message encryption and an intelligent mechanism
for asserting the agreement. 

To put it another way, if I am walking down the street and I walk through a
wide open door of a building and see all sorts of interesting things and as
I leave someone comes up to me and says, btw, everything you saw in there
you are bound to not disclose I would laugh my fool head off at them.

Anyway, it amazes me how much time and effort and wasted disk space is
dedicated to these things, especially if there is no real proof they will
actually help with anything. The one place I can see them kind of having any
kind of influence is by people within the same company who already have
agreements to not disclose corporate information and this is just a reminder
that you shouldn't be thinking this isn't something exempt from that
agreement. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 24, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You'd be surprised how alike we are.  In fact, in public, most would
think we're twins except that he hasn't received his cafeteria MVP award yet
;)

seriously Either way, I am interested to hear what you get back from the
legal-beagles.  /seriously

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Monday, January 24, 2005 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

Sorry I mistyped and meant you (Al) and not Deji - my bad.  I finished
reading one of his posts before I sent this out and had his name on my mind.
I think those educators are rubbing off on me.

Brian
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 24, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

I missed Deji's post but I'd be interested to hear the legal team's response
to the intended recipient issue if you could post that back.  More of a
curiosity issue, but I'm insanely curious about things ;)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Monday, January 24, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

Well I am no lawyer either but the disclaimer was attached at the request
(directive) of our legal team.  They also came up with the content of the
message.  I have not been following the specifics behind it but I was told
(legal term - hearsay) that it was a direct result of some litigation and
recent legislation here in CA.  Again I have no specifics but will do a
little checking.  It also had something to do with showing due diligence
since we are in public education and a lot of correspondence with parents,
colleagues, and the state/feds happen via e-mail.  Educators have been known
to not be 

Re: [ActiveDir] About an error in GPO editing

2005-02-03 Thread Justin_Leney
Return Receipt: your document "Re: [ActiveDir] About an error in GPO editing" was received by Justin Leney/US/DCI at 02/03/2005 03:14:04 PM.






This e-mail, and any attachment, is intended only for the person or entity to 
which it is addressed and may contain confidential and/or privileged material. 
Any review, re-transmission, copying, dissemination or other use of this 
information by persons or entities other than the intended recipient is 
prohibited. If you received this in error, please contact the sender and delete 
the material from any computer. The contents of this message may contain 
personal views which are not the views of Discovery Communications, Inc. (DCI).



RE: [ActiveDir] Legal Question

2005-02-03 Thread Mulnick, Al
Interesting.  I think the website makes some leaps in areas.  For example,
saying that a postmaster is not the intended recipient is technically
inaccurate IMHO. It's a standard best practice (documented in the RFCs)
that you should include a postmaster, abuse, etc alias for your domain name.
It's also a de facto standard that when all else fails or in the event of
failure, send a copy to the postmaster.  That applies with messages sent
from your domain (even if faked) to another.  In that case, as an authorized
user (postmaster) I am entitled to see the message and its contents.  Does
that mean I am the intended recipient?  I would argue yes in this case.  

About the only useful information on that site was the part about an email
policy.  I can understand your legal beagles' concept of putting the
disclaimer on the message to prohibit misuse by network sniffing people, but
I would argue to them about the appropriate use of technology.  Something
about how they weren't really trying to protect anything if they sent it
plain text through Joe-the-isp's garage.  Any network technician with a
problem they're trying to fix would have access and would be the intended
recipient in that case.  

Encryption is the answer to that in my opinion.  If you only want the
intended recipient to have access to the contents, then you should take
appropriate and reasonable measures to ensure that the person reading the
contents is the intended recipient.  That technology exists and is
reasonable (although I'm sure there's some dissenting opinions).

Should be fun to watch one of these cases come to court though.  

-ajm

P.S. I'm the evil twin.  Deji's the good one. :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Thursday, February 03, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

So I did hear a new legal spin on this today from our attorneys. Their take
on disclaimers from a legal perspective is that if you are the intended
recipient such that it was sent to you by the sender whether this was a
mistake or not, there is no legal ground to stand on.  They do feel the
disclaimer shows some due diligence in the case of sending to the wrong
person but no legal foundation.

However, the disclaimer is potentially helpful in the event that e-mail is
hijacked or sniffed by someone who is not the intended recipient.  We were
advised by our attorneys to include disclaimers given the fact that a lot
of correspondence is sent across the Internet with confidential or
potentially damaging information if it got in the wrong hands.  Has this
been tested in court - I have no idea.  So this has us discussing encrypting
all email now.

I did find an interesting albeit useless site on disclaimers.
www.emaildisclaimers.com

Brian

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You aren't twins? Could have fooled me. The first time I saw you I walked up
and said Hi Deji and didn't have a clue and I knew Deji back when he could
barely spell NT (good thing they renamed it!!!).

Seriously though, thanks for all of the responses. There was no specific
reason I needed it. I was just curious because of all the work put into
stamping those things on the messages and it is so, seemingly to me,
obviously impossible to really do anything about it if the message is indeed
sent to someone who uses it badly. Personally, I do not feel bound one iota
by any disclaimer at the bottom of a message that I didn't get to until I
read the rest of the content. I wasn't asked if I agree to the terms. I
would think for this to be truly binding, you would have to agree to the
disclaimer prior to being able to see the content in any way shape or form
which implies some form of message encryption and an intelligent mechanism
for asserting the agreement. 

To put it another way, if I am walking down the street and I walk through a
wide open door of a building and see all sorts of interesting things and as
I leave someone comes up to me and says, btw, everything you saw in there
you are bound to not disclose I would laugh my fool head off at them.

Anyway, it amazes me how much time and effort and wasted disk space is
dedicated to these things, especially if there is no real proof they will
actually help with anything. The one place I can see them kind of having any
kind of influence is by people within the same company who already have
agreements to not disclose corporate information and this is just a reminder
that you shouldn't be thinking this isn't something exempt from that
agreement. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 24, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You'd be 

RE: [ActiveDir] Domain Controller replacement strategy?

2005-02-03 Thread Free, Bob
I would love to hear any thoughts, procedures, pitfalls etc regarding
the first bullet below, especially This will influence your strategy as
to when you'll be able to introduce the new DC. 

We are getting ready to do exactly that in a few weeks and it's not
something I have ever done before or am likely to do again any time
soon. Single Forest- Empty Root- Single Child Domain environment. We
have 8 W2K DC's in our child domain to upgrade/replace with 2003 on new
hardware reusing IP + name. The new hardware is currently burned in,
patched up, running as 2003 member servers. 

The 2 root DC's were upgraded to 2003 in place and the hardware
replacement there will occur after we are finished with the child. The
Exchange work is done. Our DNS is all BIND. I have accounted for the
TSLicensing already. 

If any one has any advice to share I'd be very grateful.

/Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, February 03, 2005 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller replacement strategy?

Jorge basically mentioned the main points - some additional comments

*  when replacing a DC, some companies want to re-use IP + name (others
give new IP/name to every new box).  This will influence your strategy
as to when you'll be able to introduce the new DC (i.e. the other one
needs to be demoted and removed from the network).
*  don't forget Terminal Server licensing (this is stored on DCs by
default)
*  same for Windows Licensing (not as critical, but you need to know
which DC is configured to hold the licenses and apply these to the new
box)
*  I often find DCs being used as DFS root-servers - if so, first need
to move the root-target to another machine and then remove it from the
old box, prior to shutting it down
*  if you use a SysMgmt system, you might have agents running on your DC
(includes Virus Agents) - some mgmt systems don't behave well, if you
don't first uninstall the Agent on the old box, prior to deploying the
agent to the new box with the same name
*  before you shutdown the old server to take it off the network, rename
it and change its IP address (or set it to DHCP) - a safety measure
quite worthwhile...

and just to repeat what Jorge said, DNS settings are critical (which may
force you to use the same IP address on the new box), sometimes you'll
also have to take care of WINS.  But most important: create a separate
step-by-step plan for each DC.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Thursday, February 03, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller replacement strategy?

Hi,

In a nutshell:
* Inventory first what roles/services each DC has/hosts and what the
relationship is between each DC and between servers/clients/services and
each DC. One relation might be servers/clients/DCs use a certain DC for
DNS services. You just can't switch that box off until you have a
replacement or you've taken some precautions to prevent loss of
services!
* For each DC create a plan for replacement
* Replace the HW for each DC
Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Microsoft Infrastructure Consultant

NOTES:
* This posting is provided AS IS with no warranties and with no
rights!
* Always test before implementing!

__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, February 03, 2005 15:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller replacement strategy?

It appears that we will be getting money this year to replace our Domain
Controllers.  While we currently have redundant DCs, they are not mirror
images of each other.  One holds the FSMO roles, another might host the
AD-integrated DNS portion of our Unix/Windows DNS configuration, another
might be the TS licensing server, bridgehead, etc.  We are running
Server 2003.
 
Is there a consensus out there for the best way to bring new hardware
onboard?  With all of the current hardware up and running just fine, a
DR strategy doesn't seem to apply.  Any thoughts are certainly
appreciated.
Thanks!
 
Mike Thommes 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
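Jorge's first step (inventory what each DC hosts) and Guido's checklist, as an added example that is not code from the thread or from Microsoft: a pre-retirement inventory of one DC covering FSMO roles, the only-GC-in-site case, DNS, DFS roots, TS licensing and management agents. It assumes Windows PowerShell 5.1 with RSAT (the ActiveDirectory module; Get-Service -ComputerName is not available in PowerShell 7), treats the DnsServer and DFSN modules as optional, and the agent service-name pattern is illustrative only.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the list thread. $DcName is the DC you are about to retire.
param([Parameter(Mandatory)][string]$DcName)

Import-Module ActiveDirectory -ErrorAction Stop

$dc       = Get-ADDomainController -Identity $DcName
$fqdn     = $dc.HostName
$domain   = Get-ADDomain -Identity $dc.Domain
$forest   = Get-ADForest -Identity $dc.Forest
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. FSMO roles: transfer (never seize) these to another DC before demotion.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -ieq $fqdn) { $findings.Add("holds FSMO role $($role.Key): transfer it first") }
}

# 2. Global catalog: losing the only GC in a site slows or breaks logons there.
if ($dc.IsGlobalCatalog) {
    $siteGCs = @(Get-ADDomainController -Filter * |
                 Where-Object { $_.Site -eq $dc.Site -and $_.IsGlobalCatalog })
    if ($siteGCs.Count -le 1) { $findings.Add("is the only global catalog in site $($dc.Site)") }
}

# 3. DNS: if it serves zones, clients and other DCs point at this IP, which is
#    why re-using the IP (or updating every resolver first) matters.
$dnsSvc = Get-Service -Name DNS -ComputerName $fqdn -ErrorAction SilentlyContinue
if ($dnsSvc -and $dnsSvc.Status -eq 'Running') {
    $findings.Add("runs the DNS Server service (IP $($dc.IPv4Address) is probably in resolver lists)")
    if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
        $zones = Get-DnsServerZone -ComputerName $fqdn | Where-Object { -not $_.IsAutoCreated }
        foreach ($z in $zones) { $findings.Add("hosts DNS zone $($z.ZoneName) ($($z.ZoneType))") }
    }
}

# 4. DFS namespace roots hosted here must get another root target before shutdown.
if (Get-Command Get-DfsnRoot -ErrorAction SilentlyContinue) {
    Get-DfsnRoot -ComputerName $fqdn -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("is a root target for DFS namespace $($_.Path)") }
}

# 5. Terminal Server licensing: enterprise license servers are published per site
#    in the licensingSiteSettings object (siteServer attribute) under CN=Sites.
Get-ADObject -LDAPFilter '(objectClass=licensingSiteSettings)' -SearchBase "CN=Sites,$configNC" -Properties siteServer |
    Where-Object { @($_.siteServer) -contains $fqdn } |
    ForEach-Object { $findings.Add("is published as a TS license server in $($_.DistinguishedName)") }

# 6. Management/AV agents: uninstall on the old box before the new one gets the
#    same name. The pattern is an example; put your own product names here.
Get-Service -ComputerName $fqdn -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'agent|antivirus|backup|monitor' } |
    ForEach-Object { $findings.Add("runs agent service '$($_.DisplayName)' ($($_.Status))") }

# One record per DC; run it for each of the eight and attach it to that DC's plan.
[pscustomobject]@{
    DC       = $fqdn
    Site     = $dc.Site
    IPv4     = $dc.IPv4Address
    Findings = $findings
}
```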

RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-02-03 Thread Grillenmeier, Guido



gee joe, that sounds like a really good way to cause a lot of work. Or to harass me ;-)

I wouldn't really want to go down that road for DR purposes - I'd rather have a good way of ensuring delayed replication and a fast recovery option for the existing forest. Adding another forest _for this purpose_ won't necessarily allow users from the production forest to "easily" continue work if that one's gone for some reason (i.e. even if you get so far as to sync users, groups and passwords, you'd still have loads of issues due to missing ACLs and Entitlements for Filesystems and Apps etc.)

Cheers,
Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

I am going to throw a little monkey wrench at this one. :o) Mostly because I like harassing Guido.

Depending on what is meant by this being a DR site, it might be valuable for this to have its own forest and domain. The question is, define the disasters it is supposed to help with. If it is simply physical location disasters, same domain/forest is fine. But if it is to also help with the forest going toes up and you need something people can work in as fast as possible with that time being measured in minutes, then separate forest and domain is something to consider.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 31, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

ok - that puts a little different touch to your 
story.

in this case (esp. as a DR site and on separate HW with physical security in place), you're fine to host a DC in that site.

Yes, you can add it to your 2000 domain and you've already supplied the solution as well: you'll need to prepare the schema of the forest via ADPREP /forestprep and then prepare the domain you'll join the DC to via ADPREP /domainprep. If you have Exchange 2000 first apply the E2k schema fix (read Q314649)

Check here for all the details: http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_overview.asp

But definitely don't start a new domain (for which you'd 
still need to upgrade the schema) - an OU is perfectly fine for your 
situation.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

physical security is not an issue. locked computer room, only pt admin and manager has access. this office will eventually become a disaster recovery location housing a bunch of blade servers and replicated disk. The need for a domain controller is like you said -- network connectivity and access - this office supports a few key personnel (money makers !!) so the cost of a few servers, some 2003 licenses and an exchange server is not a big deal; speed and reliability are more important.

but I'm still dealing with the question of

1: we are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later?

if so, anything special we need to do? IE: forest prep?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Monday, January 31, 2005 3:50 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.


Hi,

I could not agree more 
with Guido! The security aspect is the most important reason to go for the 
suggested solution. However, there's one thing to keep in mind in this scenario, 
namely the trustworthiness of your network. If you're not placing a DC in the 
remote location, network connectivity becomes a must to enable a user to do 
his/her work. Sure, there's such a thing as cached credentials on a client, but logging 
on to a domain is important for a lot of services.

Cheers!
John Reijnders (soon to 
change his e-mail address into a MSFT one)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 31 January 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

Definitely give them 
an OU and I'd also urgently suggest you don't make the machine in that remote 
office a DC at all: 
= first of all, 
it's not required for 15 folks - you'll need it for other things such as 
file/print (they should easily be able to authenticate to your main office, 
assuming NW connectivity - which you'd also need to set up 
replication...) 
= secondly, it's 
much more secure, as you will likely not have much physical security in an 
office of 15 people, and if you're using the one box for everything it's insecure 

[ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart



Does anyone know 
how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Free, Bob



RRAS installation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RouterIdentity object

Does anyone know 
how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Free, Bob



Before I fat-fingered send I meant to say RRAS installation 
will create a rRASAdministrationConnectionPoint attached to that computer 
that shows up in ADUC as "RouterIdentity" and the dialog it throws freaks 
people out when they go to delete the computer account 
:-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

RRAS installation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RouterIdentity object

Does anyone know 
how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Kern, Tom



Where do you see that?
I don't see it under my win2ksp4 RRAS server.
Is that via adsiedit?
Thanks

  -Original Message-
  From: Free, Bob [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 03, 2005 4:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  Before I fat-fingered send I meant to say RRAS 
  installation will create a rRASAdministrationConnectionPoint attached to 
  that computer that shows up in ADUC as "RouterIdentity" and the dialog it 
  throws freaks people out when they go to delete the computer account 
  :-)


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
  Sent: Thursday, February 03, 2005 1:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  RRAS installation.


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
  Sent: Thursday, February 03, 2005 1:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] RouterIdentity object

  Does anyone know 
  how, why and/or what is the process that happens when a 
  "RouterIdentity" object gets created under a normal workstation (2000 or XP) 
  object in Active Directory? 

  Thanks,
  Stuart Fuller
  
  
  
  


RE: [ActiveDir] OT: exchange and temp folder

2005-02-03 Thread Mulnick, Al
I wouldn't think exifs.  I would think anti-virus or conversion files that
would use the temp space.  

What do you have loaded on the machine?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, February 03, 2005 2:05 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: exchange and temp folder

Hi. Anyone know why my c:\winnt\temp folder would be filling up with
emails (.eml files) on my exchange2k server?

I found about 11 gig of them this morning, a lot dated from a month or so ago.
Strange.
Is this something related to EXIFS? I can open the mails in OE so they're
not corrupted.

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart



Thanks Bob,
I was trying to help an agency out who cloned a bunch 
of machines that all ended up with the router identity object and ran into the 
"I can't delete the workstation object" problem.

Do you know if you need both the Remote Access Connection 
Manager service and the Routing and Remote Access service turned up to have this 
show up in AD, or just RRAS?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Before I fat-fingered send I meant to say RRAS installation 
will create a rRASAdministrationConnectionPoint attached to that computer 
that shows up in ADUC as "RouterIdentity" and the dialog it throws freaks 
people out when they go to delete the computer account 
:-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

RRAS installation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RouterIdentity object

Does anyone know 
how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory? 

Thanks,
Stuart Fuller






RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Free, Bob



You can expand 
and see the objects present underneath a computer in ADUC by checking "View 
Users, Groups and Computers as containers" under the View menu.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, February 03, 2005 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Where do you see that?
I don't see it under my win2ksp4 RRAS server.
Is that via adsiedit?
Thanks

  -Original Message-
  From: Free, Bob [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 03, 2005 4:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  Before I fat-fingered send I meant to say RRAS 
  installation will create a rRASAdministrationConnectionPoint attached to 
  that computer that shows up in ADUC as "RouterIdentity" and the dialog it 
  throws freaks people out when they go to delete the computer account 
  :-)


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
  Sent: Thursday, February 03, 2005 1:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  RRAS installation.


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
  Sent: Thursday, February 03, 2005 1:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] RouterIdentity object

  Does anyone know 
  how, why and/or what is the process that happens when a 
  "RouterIdentity" object gets created under a normal workstation (2000 or XP) 
  object in Active Directory? 

  Thanks,
  Stuart Fuller
  
  
  
  


RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Fuller, Stuart



Flip your view in ADUC to "Users, Groups, and Computers as 
containers". Then expand your RRAS server.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, February 03, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Where do you see that?
I don't see it under my win2ksp4 RRAS server.
Is that via adsiedit?
Thanks

  -Original Message-
  From: Free, Bob [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 03, 2005 4:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  Before I fat-fingered send I meant to say RRAS 
  installation will create a rRASAdministrationConnectionPoint attached to 
  that computer that shows up in ADUC as "RouterIdentity" and the dialog it 
  throws freaks people out when they go to delete the computer account 
  :-)


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
  Sent: Thursday, February 03, 2005 1:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] RouterIdentity object

  RRAS installation.


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
  Sent: Thursday, February 03, 2005 1:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] RouterIdentity object

  Does anyone know 
  how, why and/or what is the process that happens when a 
  "RouterIdentity" object gets created under a normal workstation (2000 or XP) 
  object in Active Directory? 

  Thanks,
  Stuart Fuller
  
  
  
  


[ActiveDir] Login/Logoff

2005-02-03 Thread Carstensen, Pete






In trying to track user activity, I am parsing the security logs using EventCombMT. It finds the 538/540 events just fine, but the problem is that it finds far too many. I am seeing groups of consecutive logon events, which I presume are attachments to network resources, but then I immediately see logoff events too. Perhaps an hour goes by and more of these occur. In fact, it occurs throughout the day.

I suspect that perhaps the first in the series is the user logging on.

Then more occur with resource connections (mapped drives, printers, etc.).

Some of those log out.

Further login/logoff events occur as resources are requested during the day.

Final logoff for the day is the actual user doing so.

Q: If the above is a correct assessment of the situation, is there a better event id or filter to see the actual user netlogon timing rather than resource attachment? 



*
Pete Carstensen

[EMAIL PROTECTED]


So many of our dreams at first seem impossible, then they seem improbable, and then,
when we summon the will, they soon become inevitable. -- Christopher Reeve
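As an added example (not from the original post, and not EventCombMT output), here is a Python script that does the filtering asked about: it tells the interactive logon (pre-Vista event 528 carrying Logon Type 2) and its matching 538 apart from the network logons (event 540, Logon Type 3) that mapped drives and printers generate, by pairing logon and logoff records on their Logon ID. The one-record-per-line input layout, the EXAMPLE\jdoe account and the timestamps are constructed for the example.

```python
"""Separate a user's interactive logon session from the network logons
(resource connections) that crowd a Windows 2000/2003 security log.

Constructed input format (not EventCombMT's real layout): one event per
line, tab-separated: time, event id, user, Logon Type, Logon ID.
"""
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "time event_id user logon_type logon_id")

# Pre-Vista security event ids
LOGON = 528            # successful logon; the Logon Type field says which kind
NETWORK_LOGON = 540    # successful network logon (share, printer, RPC, ...)
LOGOFF = 538           # user logoff; its Logon ID matches the earlier 528/540

# Logon Type values that mean a person is at a console (or unlocked one)
INTERACTIVE_TYPES = {2, 7, 10, 11}   # console, unlock, Terminal Services, cached

# Constructed sample: one interactive session (Logon ID 0x1A2B3C) and three
# short-lived network logons of the kind mapped drives and printers produce.
SAMPLE_LOG = """\
2005-02-03 08:02:11\t528\tEXAMPLE\\jdoe\t2\t(0x0,0x1A2B3C)
2005-02-03 08:02:14\t540\tEXAMPLE\\jdoe\t3\t(0x0,0x1A2B4D)
2005-02-03 08:02:14\t538\tEXAMPLE\\jdoe\t3\t(0x0,0x1A2B4D)
2005-02-03 08:02:15\t540\tEXAMPLE\\jdoe\t3\t(0x0,0x1A2B5E)
2005-02-03 08:02:16\t538\tEXAMPLE\\jdoe\t3\t(0x0,0x1A2B5E)
2005-02-03 09:10:02\t540\tEXAMPLE\\jdoe\t3\t(0x0,0x1A3F01)
2005-02-03 09:10:03\t538\tEXAMPLE\\jdoe\t3\t(0x0,0x1A3F01)
2005-02-03 17:31:40\t538\tEXAMPLE\\jdoe\t2\t(0x0,0x1A2B3C)
"""


def parse_events(text):
    """Parse the constructed line format into Event tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, logon_type, logon_id = line.split("\t")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), user, int(logon_type), logon_id))
    return events


def count_by_logon_type(events):
    """Successful logons per Logon Type, which makes the network noise visible."""
    return Counter(e.logon_type for e in events
                   if e.event_id in (LOGON, NETWORK_LOGON))


def interactive_sessions(events):
    """Pair each interactive 528 with the 538 that carries the same Logon ID.

    Returns (user, logon time, logoff time) tuples; logoff time is None when
    no matching 538 was seen (still logged on, or the log rolled over).
    """
    open_sessions = {}   # Logon ID -> (user, logon time)
    sessions = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id == LOGON and e.logon_type in INTERACTIVE_TYPES:
            open_sessions[e.logon_id] = (e.user, e.time)
        elif e.event_id == LOGOFF and e.logon_id in open_sessions:
            user, started = open_sessions.pop(e.logon_id)
            sessions.append((user, started, e.time))
    sessions.extend((u, t, None) for u, t in open_sessions.values())
    return sessions


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("successful logons by Logon Type:", dict(count_by_logon_type(evts)))
    for user, start, end in interactive_sessions(evts):
        print(f"{user}: logged on {start}, logged off {end}")
```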







RE: [ActiveDir] AD startup scripts problem

2005-02-03 Thread Brian Desmond
I once tried to figure out how to use that damn thing. Netmon has the UI factor 
that I need <g>. 
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2/3/2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem


I would concur but say use ethereal. Much easier generally to read the traces. 
 
  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, February 01, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem



Mark-

 

If you put the problem computer, and your computer on a hub (not a switch), and 
use the version of netmon included with SMS, then you can run the trace. To 
make things easier, I'd set a filter in Netmon to only capture traffic to/from 
the problem host. 

 

Thanks.

 

--Brian Desmond

[EMAIL PROTECTED]

Payton on the web! www.wpcp.org

 

v - 773.534.0034 x135

f - 773.534.8101

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, February 01, 2005 4:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

 

How can I do a network trace whilst the computer is booting up? When I have 
logged on as a normal user the share and files are fully accessible. I looked at 
my bootup log (userenv.log) and can see that the GPO is called. But I just 
don't know what could prevent my startup script accessing the network share.

 

Are there any other GPO settings that may be set in another GPO that could be 
blocking network access during the bootup?

 

As I say, using the batch after logging on causes absolutely no problems.

 

This is really frustrating!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 31. Januar 2005 17:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Have you done a network trace yet? If you are getting an access denied, 
you will see it in the trace.

 

  joe

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, 
Mark
Sent: Monday, January 31, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current 
situation:

 

I have now determined the script is actually running during startup. 
The problem however remains that I am not able to run the executable from the 
network share location. Everything works fine if I re-code the batch command 
and put the EXE locally on the computer. But using UNC addresses in the batch 
does not work.

 

On the network share and all sub-folders I have ensured that Domain 
Computer accounts have full access.

 

If I log on to the computer with a normal domain user account and then 
run the batch file that is coded with UNC references, the whole process works 
wonderfully.

 

So where can I look to see what has failed when I configure the script 
to run during startup and the batch file is using UNC paths? I have looked in 
the standard places (event viewer) but don't see any error messages.

 

Many thanks

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Rocky Habeeb
Sent: Freitag, 28. Januar 2005 17:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Put it in SYSVOL

 

RH

___

 

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] 
Behalf Of Robert Rutherford
Sent: Friday, January 28, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

The local computer's system account does process the 
script, but here it looks like it doesn't have permissions to read the script on 
the 'servers' share. 





From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

   

RE: [ActiveDir] Login/Logoff

2005-02-03 Thread Carstensen, Pete
Put what in there?

I suspect you are thinking of adding a flag record or something to an audit
text file.  We have 6 DCs in 4 locations.  To save crossing over, it
would have to parse the netlogon DC and point the flag record append to
a specific directory there.  I can see several problems with that.  Is
there a simpler way?  



*
Pete Carstensen, MCSE
Senior LAN Engineer
CSK Auto, Inc.
645 E. Missouri Ave.
Phoenix,  AZ  85012
(602) 631-7176
[EMAIL PROTECTED]

So many of our dreams at first seem impossible, then they seem
improbable, and then,
 when we summon the will, they soon become inevitable. -- Christopher
Reeve



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Thursday, February 03, 2005 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Login/Logoff

Put it in the Logon and LogOff Scripts...


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/



On Thu, 3 Feb 2005 15:13:35 -0700, Carstensen, Pete
[EMAIL PROTECTED] wrote:
 
 
 In trying to track user activity, I am parsing the security logs using
 EventCombMT.  It finds the 538/540 events just fine but the problem is that
 it finds far too many.  I am seeing groups of consecutive logon events,
 which I presume is attachments to network resources, but then I immediately
 see logoff events too.  Perhaps an hour goes by and more of these occur.  In
 fact, it occurs throughout the day.
 
 I suspect that perhaps the first in the series is the user logging on
 
 Then more occur with resource connection (mapped drives, printers, etc.
 
 Some of those log out.
 
 Further login/logoff events occur as resources are requested during the day.
 
 Final logoff for the day is the actual user doing so.
 
 Q:  If the above is a correct assessment of the situation, is there a better
 event id or filter to see the actual user netlogon timing rather than
 resource attachment?  
 
 
 
 *
 Pete Carstensen
 
 [EMAIL PROTECTED]



RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread Brian Desmond
Gil, I haven't put the unclog sink option into ADFIND yet!
 
I've been meaning to write you and tell you how much I love oldcmp, but, adfind 
is so far up on the suck scale - at least until you add this feature. I can't 
believe you haven't yet! When you put in the unclog sink option in, you're also 
going to need to detect the functional mode of my sink. Not everyone is running 
in p-trap mode on their sink, after all. 
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2/3/2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada



Good response. I need it more and more lately.

Someone will tell me how great some tool is and how it is better than
anything out there that they could buy to do the same. Then say I should do
this or that which is orders of magnitude more complex and involved and
generally very specific to their environment. I then respond that I will
take it under advisement and put it on the list of possible features down
the road but that it is unlikely I will do it as it is involved and if I
made something like that I would probably charge for it. After that I
usually get, oh that is ok, thanks anyway, keep up the good work. But more
and more I get back some mean response and how this stuff should all be free
and since I know how to do it, I should make it available for everyone. My
response to that is usually Ctrl^D.

Gil, I haven't put the unclog sink option into ADFIND yet!


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 03, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

The IEEE-standard response to questions such as Why don't they do this or
that??? is:

Whadaya want for nothin'?

I still think a session on the tools and creative ways to use them (how to
use adfind to clean a clogged sink for instance) would be a fine DEC topic.
But in any case, you should come. It's going to be an outstanding conference.
Plus, we're having the late-night break-into-someone's-AD competition.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

You guys scare me.

Rick because he implies in his email that *he* wants to see me in shorts (no
one else wants to see you) and because you Guido, admit it
outright. ;oP

You all luck out. I couldn't think of a good topic to present at DEC so I
don't expect I will be there. It was suggested I present the joeware tools
but I have no clue what I would say... Well the joeware tools are just
these tools you know... You can get them from www.joeware.net... and then
stand woodenly on the podium for 25 minutes as people say Why don't they do
this or that??? and I respond, They're FREE.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

come on Rick - I'd really enjoy watching Joe race down the Whistler mountain
on a snowboard _with shorts on_ ;-)) 

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies with shorts on.

   joe



-Original Message-
From: [EMAIL 

Re: [ActiveDir] Login/Logoff

2005-02-03 Thread ASB
Have every machine write the data locally to a hidden folder, then
send the data to a central file share.

This logonscript actually has an example of that:
http://www.ultratech-llc.com/KB/Scripts/?File=LogOn.BAT


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Thu, 3 Feb 2005 15:44:39 -0700, Carstensen, Pete [EMAIL PROTECTED] wrote:
 Put what in there?
 
 I suspect you are thinking adding a flag record or something to an audit
 text file.  We have 6 DC's in 4 locations.  To save crossing over, it
 would have to parse the netlogon DC and point the flag record append to
 a specific directory there.  I can see several problems with that.  Is
 there a simpler way?
 
 *
 Pete Carstensen, MCSE
 Senior LAN Engineer
 CSK Auto, Inc.
 645 E. Missouri Ave.
 Phoenix,  AZ  85012
 (602) 631-7176
 [EMAIL PROTECTED]
 
 So many of our dreams at first seem impossible, then they seem
 improbable, and then,
 when we summon the will, they soon become inevitable. -- Christopher
 Reeve
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ASB
 Sent: Thursday, February 03, 2005 3:26 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Login/Logoff
 
 Put it in the Logon and LogOff Scripts...
 
 -ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/
 
 On Thu, 3 Feb 2005 15:13:35 -0700, Carstensen, Pete
 [EMAIL PROTECTED] wrote:
 
 
  In trying to track user activity, I am parsing the security logs using
  EventCombMT.  It finds the 538/540 events just fine but the problem is that
  it finds far too many.  I am seeing groups of consecutive logon events,
  which I presume is attachments to network resources, but then I immediately
  see logoff events too.  Perhaps an hour goes by and more of these occur.  In
  fact, it occurs throughout the day.
 
  I suspect that perhaps the first in the series is the user logging on
 
  Then more occur with resource connection (mapped drives, printers, etc.
 
  Some of those log out.
 
  Further login/logoff events occur as resources are requested during the day.
 
  Final logoff for the day is the actual user doing so.
 
  Q:  If the above is a correct assessment of the situation, is there a
  better event id or filter to see the actual user netlogon timing rather than
  resource attachment?
 
 
 
  *
  Pete Carstensen


RE: [ActiveDir] RouterIdentity object

2005-02-03 Thread Free, Bob



It's the SCP (Service Connection Point) for RRAS so I'm 
pretty sure that it's just RRAS. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Thanks Bob,
I was trying to help an agency out who cloned a bunch 
of machines that all ended up with the router identity object and ran into the 
"I can't delete the workstation object" problem.

Do you know if you need both the Remote Access Connection 
Manager services and Routing and Remote Access service turned up to have this 
show up in AD or just RRAS???


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

Before I fat-fingered send I meant to say RRAS installation 
will create a rRASAdministrationConnectionPoint attached to that computer 
that shows up in ADUC as "RouterIdentity" and the dialog it throws freaks 
people out when they go to delete the computer account 
:-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, February 03, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RouterIdentity object

RRAS installation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, February 03, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RouterIdentity object

Does anyone know 
how, why and/or what is the process that happens when a 
"RouterIdentity" object gets created under a normal workstation (2000 or XP) 
object in Active Directory? 

Thanks,
Stuart Fuller
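To inventory which computer accounts carry this SCP before anyone tries to delete them (the situation Stuart describes after the cloning), here is an added Python example, not from the thread, that reads an LDIF export and lists every computer object with an rRASAdministrationConnectionPoint child beneath it. The LDIF is constructed with placeholder DNs; the only assumption about the real export is that it is LDIF of the kind ldifde writes, reduced to the attributes shown.

```python
"""List computer accounts that have an RRAS service connection point (the
object ADUC shows as "RouterIdentity") beneath them.

Added example; SAMPLE_LDIF is constructed and its DNs are placeholders.
"""
import base64

# Constructed export: two workstations, one of which has the SCP beneath it,
# plus a folded base64 attribute to exercise those LDIF features.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WS01

dn: CN=RouterIdentity,CN=WS01,OU=Workstations,DC=example,DC=local
objectClass: top
objectClass: rRASAdministrationConnectionPoint
cn: RouterIdentity

dn: CN=WS02,OU=Workstations,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WS02
description:: Q2xvbmVk
 IGltYWdl
"""

SCP_CLASS = "rrasadministrationconnectionpoint"   # compared case-insensitively


def _build_entry(pending):
    """Turn (attribute, is_base64, raw value) triples into {attr: [values]}."""
    entry = {}
    for attr, b64, val in pending:
        val = val.strip()
        if b64:
            val = base64.b64decode(val).decode("utf-8")
        entry.setdefault(attr, []).append(val)
    return entry


def parse_ldif(text):
    """Minimal LDIF reader handling folded lines (leading space) and base64
    values ("attr:: ..."); comments start with '#', blank lines end entries."""
    entries, pending = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and pending:          # folded continuation line
            attr, b64, val = pending[-1]
            pending[-1] = (attr, b64, val + raw[1:])
        elif not raw.strip():                        # blank line ends an entry
            if pending:
                entries.append(_build_entry(pending))
                pending = []
        elif not raw.startswith("#"):
            attr, _, val = raw.partition(":")
            b64 = val.startswith(":")
            pending.append((attr.strip().lower(), b64, val[1:] if b64 else val))
    return entries


def parent_dn(dn):
    """Return the DN with its first RDN removed, honouring backslash-escaped
    commas (a real CN may contain "\\,")."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    return ",".join(rdns[1:])


def computers_with_rras_scp(entries):
    """DNs of computer objects that have an RRAS SCP child.

    Such a computer is not a leaf object, which is why a plain delete in
    ADUC prompts about the objects underneath it."""
    computers = {e["dn"][0] for e in entries
                 if "computer" in [c.lower() for c in e.get("objectclass", [])]}
    flagged = set()
    for e in entries:
        if SCP_CLASS in [c.lower() for c in e.get("objectclass", [])]:
            parent = parent_dn(e["dn"][0])
            if parent in computers:
                flagged.add(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for dn in computers_with_rras_scp(parse_ldif(SAMPLE_LDIF)):
        print("has RRAS SCP:", dn)
```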






RE: [ActiveDir] AD startup scripts problem

2005-02-03 Thread joe
Get the latest version of ethereal, it has a windows kind of mode now.
Just select that package on the install. 
 
Either way, spend a couple of hours with it and you will work it out pretty
quickly. It is worth it for the follow stream function all by itself where
you click on a packet and tell it to filter everything but that stream. But
the filtering overall smokes netmon and the decoding of packets is at least
an order of magnitude better from what I have seen. I have also been very
happy in that every single trace someone has sent me regardless of what tool
was used to generate the trace, ethereal has been able to open and translate
for me. 
 
I was just looking at the nomas tool and scanning the trace thinking, man,
this doesn't look very efficient. I did a resync on my test lab domain of
like 30 users and I saw binds strewn all through the trace. So then I go
into the filters, tell it to only show me LDAP binds, bam, I all of a sudden
just have LDAP binds on the screen. How many, you ask? 43. I can't for the
life of me understand why a program that only needs one bind, or at most one
bind per thread if it is multithreaded, would bind 43 times for 30 users. I
won't go into the searches other than to say I think the DN for one of the
stores was retrieved a good 20+ times as well. 
 
I am going to write up everything I see that doesn't seem quite right and
send it to PSS. 
 
   joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, February 03, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem


I once tried to figure out how to use that damn thing. Netmon has the UI
factor that I need <g>. 
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101

  _  

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2/3/2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem


I would concur but say use ethereal. Much easier generally to read the
traces. 
 
  joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, February 01, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem



Mark-

 

If you put the problem computer, and your computer on a hub (not a switch),
and use the version of netmon included with SMS, then you can run the trace.
To make things easier, I'd set a filter in Netmon to only capture traffic
to/from the problem host. 

 

Thanks.

 

--Brian Desmond

[EMAIL PROTECTED]

Payton on the web! www.wpcp.org

 

v - 773.534.0034 x135

f - 773.534.8101

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, February 01, 2005 4:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

 

How can I do a network trace whilst the computer is booting up? When I have
logged on as a normal user the share and files are fully accessible. I looked
at my bootup log (userenv.log) and can see that the GPO is called. But I
just don't know what could prevent my startup script accessing the network
share.

 

Are there any other GPO settings that may be set in another GPO that could
be blocking network access during the bootup?

 

As I say, using the batch after logging on causes absolutely no problems.

 

This is really frustrating!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 31. Januar 2005 17:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Have you done a network trace yet? If you are getting an access denied, you
will see it in the trace.

 

  joe

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 31, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current
situation :

 

I have now determined the script is actually running during startup. The
problem however remains that I am not able to run the executable from the
network share location. Everything works fine if I re-code the batch command
and put the EXE locally on the computer. But using UNC addresses in the
batch does not work.

 

On the network share and all sub-folders I have ensured that Domain
Computer accounts have full access.

 

If I log on to the computer with a normal domain user account and then run
the batch file that is coded with UNC references, the whole process works
wonderfully.

 

So where can I look to see what has failed when I configure the script to
run during startup and the batch file is using UNC paths ? I have looked in
the standard places (event viewer) but don't see any error messages.

 

Many thanks

 

 

-Original 

RE: [ActiveDir] Legal Question

2005-02-03 Thread joe
I would have to concur with evil Deji twin here.  

If you send clear text into the ether (or into the token if on tokenring
snicker), the intended recipient is anyone who sees it. It would be like
shouting at a crowded public beach and the only one allowed to listen is the
person you are looking at and getting mad because someone else heard it. 

The whole networking thing is based on the old school trick, pass it on. You
write your note, you fold it up and put a name on the top, then give it to
the person in front of you and tell them to pass it forward to the
addressee. Anyone can open that and look at the contents and ascertain and
distribute the message along the way. That is your fault due to using that
delivery mechanism without any other compensating controls such as writing
in piglatin or ferretlatin or at the very least sealing it in a real seal
envelope. Writing "you suck if you read this and you aren't the person I
wanted to read this" on the bottom of the note doesn't help a lot.


  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 3:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

Interesting.  I think the website makes some leaps in areas.  For example,
saying that a postmaster is not the intended recipient is technically
inaccurate IMHO. It's a standard best practice (documented in the RFC's)
that you should include a postmaster, abuse, etc alias for your domain name.
It's also a defacto standard that when all else fails or in the event of
failure, send a copy to the postmaster.  That applies with messages sent
from your domain (even if faked) to another.  In that case, as an authorized
user (postmaster) I am entitled to see the message and its contents.  Does
that mean I am the intended recipient?  I would argue yes in this case.  

About the only useful information on that site was the part about an email
policy.  I can understand your legal beagles' concept of putting the
disclaimer on the message to prohibit misuse by network sniffing people, but
I would argue to them about the appropriate use of technology.  Something
about how they weren't really trying to protect anything if they sent it
plain text through Joe-the-isp's garage.  Any network technician with a
problem they're trying to fix would have access and would be the intended
recipient in that case.  

Encryption is the answer to that in my opinion.  If you only want the
intended recipient to have access to the contents, then you should take
appropriate and reasonable measures to ensure that the person reading the
contents is the intended recipient.  That technology exists and is
reasonable (although I'm sure there's some dissenting opinions).

Should be fun to watch one of these cases come to court though.  

-ajm

P.S. I'm the evil twin.  Deji's the good one. :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stockbrugger, Brian
L.
Sent: Thursday, February 03, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

So I did hear a new legal spin on this today from our attorneys. Their take
on disclaimers from a legal perspective is that if you are the intended
recipient such that it was sent to you by the sender whether this was a
mistake or not, there is no legal ground to stand on.  They do feel the
disclaimer shows some due diligence in the case of sending to the wrong
person but no legal foundation.

However, the disclaimer is potentially helpful in the event that e-mail is
hijacked or sniffed by someone who is not the intended recipient.  We were
advised by our attorneys to include disclaimers given the fact that a lot
of correspondence is sent across the Internet with confidential or
potentially damaging information if it got in the wrong hands.  Has this
been tested in court - I have no idea.  So this has us discussing encrypting
all email now.

I did find an interesting albeit useless site on disclaimers.
www.emaildisclaimers.com

Brian

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Legal Question

You aren't twins? Could have fooled me. The first time I saw you I walked up
and said "Hi Deji" and didn't have a clue and I knew Deji back when he could
barely spell NT (good thing they renamed it!!!). 

Seriously though, thanks for all of the responses. There was no specific
reason I needed it. I was just curious because of all the work put into
stamping those things on the messages and it is so, seemingly to me,
obviously impossible to really do anything about it if the message is indeed
sent to someone who uses it badly. Personally, I do not feel bound one iota
by any disclaimer at the bottom of a message that I didn't get to until I
read the rest of the content. I wasn't asked if I agree to the terms. I

RE: [ActiveDir] OT: exchange and temp folder

2005-02-03 Thread Kern, Tom
Mulnick, Al wrote:
 I wouldn't think exifs.  I would think anti-virus or conversion files
 that would use the temp space.

i don't run AV on exchange
 
 What do you have loaded on the machine?


all i have on that box is exchange and backup exec.

i posted earlier about having scsi time out issues and i never resolved them.
its an active/passive exchange2k cluster with an HP MSA 500 storage box ultra3
scsi. the scsi driver spits out timeout errors and occasionally the cluster
fails over. when i ran perfmon, all the bottlenecks were disk related. no mem,
cpu, or network issues. it runs 2 info stores. each store is about 30gig with
500 mailboxes overall. also backupexec writes its catalog files to the shared
array as well.

thanks


 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Thursday, February 03, 2005 2:05 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] OT: exchange and temp folder
 
 Hi. anyone know why my c:\winnt\temp folder would be filling up with
 emails (.eml files) on my exchange2k server?
 
 I found about 11 gig of them this morning, a lot dated from a month or
 so ago. strange.
 is this something related to EXIFS? i can open the mails in OE so
 they're not corrupted.
 
 thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] DC Unattended Restart

2005-02-03 Thread Rick Kingslan



Dell DRAC and RAC as well as IBM RSA will do similar
functions - as well as shut it off cold, and start it up -
remotely.

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 31, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Unattended Restart


Shutdown -r -t 5 -m \\mydc

that will reboot mydc in five seconds using the interactive user's
credentials. The utility is inc w/ 2003, in the 2k res kit. It needs to be
on the client machine, not the server.

If you want to cold boot it, and you have Compaq hardware, you can do this
with the iLo board. Not sure if the Dell DRAC or other vendors have a
similar facility. 



--
Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] on behalf of Kevin Gent
Sent: Mon 1/31/2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart

Is there any way to schedule an unattended restart, warm or cold boot, of a
DC ?




RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread Rick Kingslan
Well, I'm going to be there, you're going to be there... I guess all we need
now is joe, a Snow Board, Whistler, and SHORTS!

;p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

come on Rick - I'd really enjoy watching Joe race down the Whistler mountain
on a snowboard _with shorts on_ ;-))  

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies with shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

  Renouf, Phil [EMAIL PROTECTED]es.com
  Sent by: [EMAIL PROTECTED]tivedir.org
  To: ActiveDir@mail.activedir.org
  cc: (bcc: James Day/Contractor/NPS)
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  01/31/2005 11:34 AM EST
  Please respond to ActiveDir





Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have ever
skied. Even if you aren't a skier it's worth going and checking out, even if
it is just for the views. A sunny day at the top of Whistler is pretty
incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it is
simply the best, extraordinary, largest, most varied terrain, (insert your
own gushing adjective here)... ski area in North America.  Maybe Gil needs
to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell you
more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in march and hope to meet some of you guys that
are also visiting DEC. Besides visiting DEC I'm staying a few days longer
hopefully to see very nice 

RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread Rick Kingslan
 You guys scare me.

Yeah, so what else is new?

 I couldn't think of a good topic to present at DEC 

Oh for cripes sake!  Yeah, how about those joeware tools?  Joe, you could do
hours on what you've written... The better way to use them, how to t/s this,
how to dive into that, what Exchange really is/isn't... And why.

If there is anyone that could talk intelligently on about anything, it would
be you.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

You guys scare me.

Rick because he implies in his email that *he* wants to see me in shorts
("no one else wants to see you") and because you, Guido, admit it
outright. ;oP

You all luck out. I couldn't think of a good topic to present at DEC so I
don't expect I will be there. It was suggested I present the joeware tools
but I have no clue what I would say... "Well the joeware tools are just
these tools you know... You can get them from www.joeware.net..." and then
stand woodenly on the podium for 25 minutes as people say "Why don't they do
this or that???" and I respond, "They're FREE." 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

come on Rick - I'd really enjoy watching Joe race down the Whistler mountain
on a snowboard _with shorts on_ ;-))  

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies with shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

  Renouf, Phil [EMAIL PROTECTED]es.com
  Sent by: [EMAIL PROTECTED]tivedir.org
  To: ActiveDir@mail.activedir.org
  cc: (bcc: James Day/Contractor/NPS)
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  01/31/2005 11:34 AM EST
  Please respond to ActiveDir





Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have ever
skied. Even if you aren't a skier it's worth going and checking out, even if
it is just for the views. A sunny day at the top of Whistler is pretty
incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then 

RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-02-03 Thread joe
 If there is anyone that could talk intelligently on about 
 anything, it would be you.

Rick, you were very very very very drunk when we hung out at the summit last
April and at the security summit last fall. I am now quite sure of that.
What exactly was in that Mexican beer you drank at that taco place in
Redmond? 

:o)

You should have used a network sniffer when you met me to find out what was
really going on. LOL.


  joe
 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 8:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

 You guys scare me.

Yeah, so what else is new?

 I couldn't think of a good topic to present at DEC

Oh for cripes sake!  Yeah, how about those joeware tools?  Joe, you could do
hours on what you've written... The better way to use them, how to t/s this,
how to dive into that, what Exchange really is/isn't... And why.

If there is anyone that could talk intelligently on about anything, it would
be you.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

You guys scare me.

Rick because he implies in his email that *he* wants to see me in shorts
("no one else wants to see you") and because you, Guido, admit it
outright. ;oP

You all luck out. I couldn't think of a good topic to present at DEC so I
don't expect I will be there. It was suggested I present the joeware tools
but I have no clue what I would say... "Well the joeware tools are just
these tools you know... You can get them from www.joeware.net..." and then
stand woodenly on the podium for 25 minutes as people say "Why don't they do
this or that???" and I respond, "They're FREE." 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 03, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

come on Rick - I'd really enjoy watching Joe race down the Whistler mountain
on a snowboard _with shorts on_ ;-))  

/Guido 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, February 03, 2005 2:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

However, there is one small problem - no one else wants to see you
_WITH SHORTS ON_!

:p

-rtk 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies with shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

  Renouf, Phil [EMAIL PROTECTED]es.com
  Sent by: [EMAIL PROTECTED]tivedir.org
  To: ActiveDir@mail.activedir.org
  cc: (bcc: James Day/Contractor/NPS)
  Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
  01/31/2005 11:34 AM EST
  Please respond to ActiveDir





Sorry for turning the list 

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joseph.e.kaplan
Late to the party.  :)

I'm pretty sure there is no .NET in here. This is VB6.

I'm pretty sure Eric's diagnosis was correct though.  Otherwise, I
probably wouldn't know.  I don't really use IADsContainer or its .NET
version.  I search for everything.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Based on the code presented, it looks more like a bug in .NET.  That's
exactly how the iadscontainer::getobject method is supposed to be used. If
there is any order dependency, it's with .NET, but I would not have expected
it to care about the order.

I'd post this to a vb.net newsgroup and see what comes back.  Unless Joe K.
is around and sees something off the bat :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, February 02, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

We don't guarantee the order that a set of values in a given attribute is
returned to the client. That said, if you depend on order, you'll have
problems now or in the future. It's not a matter of if, only when. :)

 

You want to make any code you have which relies on order become order
insensitive. That should resolve this issue if I understand it correctly.

 

~Eric

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Elena Mananova (DSL AK)
Sent: Wednesday, February 02, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP and Win2003 Question

 

Hi

 

In the current system we used to have business layer (accessing user details
in LDAP) and LDAP running on two servers, both of which were Windows 2000.
Recently we have migrated business layer server to Windows 2003 machine. Now
we have problem. We can't access data of some of the users.

 

The business layer code retrieving user details is written in VB and is as
follows:

Dim oDS As IADs
Dim sDN As String
Dim moUsers As IADsContainer

sDN = "LDAP://ldapserver:389/ou=users,o=abc,c=nz"

Set oDS = GetObject("LDAP:")
Set moUsers = oDS.OpenDSObject(sDN, "cn=admin,o=abc,c=nz", "Password", 0)

Set oDS = Nothing

Dim oPList As IADsPropertyList
Dim oUser As User

Set oPList = moUsers.GetObject("inetOrgPerson", "cn=myUserName")

If oPList Is Nothing Then
    RaiseError
Else
    Set oUser = New User
    oUser.Initialise oPList

    Set GetUser = oUser
    Set oUser = Nothing
End If

 

When viewing user details in LDAP (we are using JXplorer tool) there is a
minor difference between the way the users' data is displayed for those
users that we can retrieve details for and those that we can't. Besides the
standard object classes (top, person, organizationalPerson and
inetOrgPerson) we also have custom classes. These are abcOrgPerson,
abcOrgPerson2 and nxAccountInfo.

The users that we can retrieve data for have these classes displayed in the
following order:

nxAccountInfo
abcOrgPerson2
abcOrgPerson
inetOrgPerson
top
person
organizationalPerson

For the non-working users this order is:

inetOrgPerson
nxAccountInfo
abcOrgPerson2
abcOrgPerson
top
person
organizationalPerson

 

I have tried to manually change the class order but it did work. I am not
quite sure why the order is different. The line of code that fails is

Set oPList = moUsers.GetObject("inetOrgPerson", "cn=myUserName")

If I change the inetOrgPerson parameter to abcOrgPerson2 then the
non-working users' details can be retrieved but not the working users'
details. So it seems that the class order matters for Windows 2003 (LDAP
is still sitting on a Win2000 machine however). This same scenario runs
without problems from the Win2000 business layer machine.

 

If anyone can share any advice or ideas it will be highly appreciated. I
have not had much experience with Active Directories and it's a mystery for
me.

 

Thanks 



This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.


RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joseph.e.kaplan
Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to
do.  It seems reasonable that it might work either way to me.  Like I
said to Al, I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone
really thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName:
CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1862701446-4008382571-2198042679-6107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: joeschematest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


1 Objects returned



This object clearly has user in the set of objectclasses. You can further
prove it like this

C:\temp>adfind -default -f "(&(name=joeschematest)(objectclass=user))" -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com

1 Objects returned



However if you run this simple script:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


You will fail with 

C:\temp\test.vbs(2, 1) Active Directory: An unknown directory object was requested


Interesting note on the return order, when looking at the return order of
objectclass I have always seen it returned from the DC in hierarchical order
of the classes. I.E. Top is always the top, anything derived directly from
top is directly under top, something derived further down the chain is under
the object type it is derived from, etc. The order being displayed below is
interesting, I expect if you did a <cough>network trace</cough> you would
see the order correctly and something else is tossing it around on you.
However, ~Eric is 1000% correct in you don't depend on order either of what
AD returns for objects (unless server side sort control specified) nor the
values in a single attribute. I wonder if the ADSI people are simply looking
at the last objectclass value? Otherwise, how can they say my object isn't a

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread Mulnick, Al
wipes eyes
Oops.  You're right, no .net.  I must have it on the brain lately :)

Still, it's pretty much verbatim from the site and should work.  Just that
it doesn't.  I don't see anything in that code that indicates it's checking
a certain order making me think it's likely a bug. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Late to the party.  :)

I'm pretty sure there is no .NET in here. This is VB6.

I'm pretty sure Eric's diagnosis was correct though.  Otherwise, I probably
wouldn't know.  I don't really use IADsContainer or its .NET version.  I
search for everything.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Based on the code presented, it looks more like a bug in .NET.  That's
exactly how the iadscontainer::getobject method is supposed to be used.  If
there is any order dependency, it's with .NET, but I would not have expected
it to care about the order.

I'd post this to a vb.net newsgroup and see what comes back.  Unless Joe K.
is around and sees something off the bat :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, February 02, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

We don't guarantee the order that a set of values in a given attribute is
returned to the client. That said, if you depend on order, you'll have
problems now or in the future. It's not a matter of if, only when. :)

 

You want to make any code you have which relies on order become order
insensitive. That should resolve this issue if I understand it correctly.

 

~Eric

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Elena Mananova (DSL
AK)
Sent: Wednesday, February 02, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP and Win2003 Question

 

Hi

 

In the current system we used to have business layer (accessing user details
in LDAP) and LDAP running on two servers, both of which were Windows 2000.
Recently we have migrated business layer server to Windows 2003 machine. Now
we have a problem. We can't access data of some of the users.

 

The business layer code retrieving user details is written in VB and as
follows:

 

Dim oDS As IADs
Dim sDN As String
Dim moUsers As IADsContainer

sDN = "LDAP://ldapserver:389/ou=users,o=abc,c=nz"

Set oDS = GetObject("LDAP:")
Set moUsers = oDS.OpenDSObject(sDN, "cn=admin,o=abc,c=nz", "Password", 0)

Set oDS = Nothing

Dim oPList As IADsPropertyList
Dim oUser As User

Set oPList = moUsers.GetObject("inetOrgPerson", "cn=myUserName")

If oPList Is Nothing Then
    RaiseError
Else
    Set oUser = New User
    oUser.Initialise oPList

    Set GetUser = oUser
    Set oUser = Nothing
End If

 

When viewing user details in LDAP (we are using JXplorer tool) there is a
minor difference between the way the users' data is displayed for those
users that we can retrieve details for and those that we can't. Besides the
standard object classes (top, person, organizationalPerson and
inetOrgPerson) we also have custom classes. These are abcOrgPerson,
abcOrgPerson2 and nxAccountInfo.

The users that we can retrieve data for have these classes displayed in the
following order:

nxAccountInfo

abcOrgPerson2

abcOrgPerson

inetOrgPerson

top

person

organizationalPerson

For the non-working users this order is:

inetOrgPerson

nxAccountInfo

abcOrgPerson2

abcOrgPerson

top

person

organizationalPerson

 

I have tried to manually change the class order but it did work. I am not
quite sure why the order is different. The line of code that fails is

Set oPList = moUsers.GetObject("inetOrgPerson", "cn=myUserName")

If I change the "inetOrgPerson" parameter to "abcOrgPerson2" then the
non-working users' details can be retrieved but not the working users'
details. So it seems that the class order matters for Windows 2003 (LDAP is
still sitting on the Win2000 machine however). This same scenario runs without
problems from the Win2000 business layer machine.

 

If anyone can share any advice or ideas it will be highly appreciated. I
have not had much experience with Active Directories and it's a mystery for
me.

 

Thanks 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread Mulnick, Al
We're crossing email I think, but I think it's a problem.  I read that to
bind to the container and then pull the object with the matching class/cn
vs. searching for the object. 

As a workaround, you could just make the change to search vs. grabbing an
item that way but I have no way of telling what that would do with the rest
of the code.

al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 10:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to do.
It seems reasonable that it might work either way to me.  Like I said to Al,
I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone really
thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName:
CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor:
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW
;;;S
Y)(A;;RPLCLORC;;;AU)
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1862701446-4008382571-2198042679-6107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: joeschematest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


1 Objects returned



This object clearly has user in the set of objectclasses. You can further
prove it like this

C:\temp>adfind -default -f "(&(name=joeschematest)(objectclass=user))" -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com

1 Objects returned



However if you run this simple script:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


You will fail with 

C:\temp\test.vbs(2, 1) Active Directory: An unknown directory object was
requested


Interesting note on the return order, when looking at the return order of
objectclass I have always seen it returned from the DC in hierarchical order
of the classes. I.E. Top is always the top, anything derived directly from
top is directly 

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread Eric Fleischman
If someone has an active repro, I can debug it. Ideally a repro that
could be sent to me (using any class inheritance, I'm not picky, I just
want the snip of code to run), second best is a repro in a test
environment you don't mind me logging in to.

Joe, can you repro with something like 'top' if you target a user
specifically? In theory it should repro with any class that appears
later in the list, if my understanding of the original issue is correct?

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to
do.  It seems reasonable that it might work either way to me.  Like I
said to Al, I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone
really thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName:
CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor:
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW
;;;S
Y)(A;;RPLCLORC;;;AU)
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1862701446-4008382571-2198042679-6107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: joeschematest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


1 Objects returned



This object clearly has user in the set of objectclasses. You can further
prove it like this

C:\temp>adfind -default -f "(&(name=joeschematest)(objectclass=user))" -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com

1 Objects returned



However if you run this simple script:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


You will fail with 

C:\temp\test.vbs(2, 1) Active Directory: An unknown directory object was
requested


Interesting note on the return order, when looking at the return order of
objectclass I have always seen it returned from the 

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joseph.e.kaplan
Ok, I'll take a stab.  I'm hoping that this scenario is what we are
actually talking about.  I'm not really sure if we are still helping the
original poster either, but here goes...

Given a container:
cn=users,dc=joe,dc=com

a user (standard AD schema)
cn=joe,cn=users,dc=joe,dc=com

This works:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joe")
wscript.echo usr.description

This fails:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("person", "CN=joeschematest")
wscript.echo usr.description

Questions:
Is this the same basic thing Joe mentioned?
Is this the designed behavior or a bug?

I still think this is the designed behavior.  I just want to make sure I
haven't missed the whole point here.  Eric, please debug at your
leisure. :)

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, February 03, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

If someone has an active repro, I can debug it. Ideally a repro that
could be sent to me (using any class inheritance, I'm not picky, I just
want the snip of code to run), second best is a repro in a test
environment you don't mind me logging in to.

Joe, can you repro with something like 'top' if you target a user
specifically? In theory it should repro with any class that appears
later in the list, if my understanding of the original issue is correct?

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to
do.  It seems reasonable that it might work either way to me.  Like I
said to Al, I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone
really thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName:
CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor:
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW
;;;S
Y)(A;;RPLCLORC;;;AU)
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
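The practical advice in this thread, Eric's "make any code you have which relies on order become order insensitive", Joe K's "I just search for stuff" and the observation that IADsContainer::GetObject appears to want the leaf class, can be exercised offline. The Python below is an added example, not code from the list or from any of the posters. It parses AdFind-style output (the joeschematest entry quoted above, embedded as a constructed sample), treats objectClass as an unordered set, resolves the most-derived class from subClassOf relations, and builds the child ADsPath that joe suggests binding by instead of class plus RDN. Assumptions: the standard AD chain user -> organizationalPerson -> person -> top, inetOrgPerson -> organizationalPerson from RFC 2798, and joewarefromuser -> user from joe's schema entry; Elena's two class orderings are included as constructed lists, but the hierarchy of abcOrgPerson, abcOrgPerson2 and nxAccountInfo is not on the page, so for those entries the code only shows that both orderings are the same set and that no single leaf can be picked without that schema.

```python
"""Order-insensitive objectClass handling for AD/LDAP entries.

Added example for this ActiveDir thread, not code from the list or its posters.
Samples are constructed from the AdFind output and JXplorer listings quoted in
the thread; the abcOrgPerson*/nxAccountInfo hierarchy is unknown and not assumed.
"""
from collections import defaultdict

# Constructed sample: AdFind-style output for joe's test object (trimmed).
ADFIND_OUTPUT = """\
dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
sAMAccountName: joeschematest
"""

# subClassOf relations: standard classes plus joe's custom class.
SUBCLASS_OF = {
    "joewarefromuser": "user",                # joe's schema entry in the thread
    "user": "organizationalPerson",           # standard AD schema
    "inetOrgPerson": "organizationalPerson",  # RFC 2798
    "organizationalPerson": "person",
    "person": "top",
}

# Constructed from Elena's JXplorer listings: the same classes in two orders.
WORKING_USER = {"objectclass": ["nxAccountInfo", "abcOrgPerson2", "abcOrgPerson",
                                "inetOrgPerson", "top", "person", "organizationalPerson"]}
NONWORKING_USER = {"objectclass": ["inetOrgPerson", "nxAccountInfo", "abcOrgPerson2",
                                   "abcOrgPerson", "top", "person", "organizationalPerson"]}


def parse_adfind(text):
    """Parse 'attr: value' lines (AdFind/LDIF style) into {attr: [values]};
    attribute names are lower-cased since LDAP compares them case-insensitively."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def object_classes(entry):
    """objectClass values as a lower-cased set: the server's return order plays no part."""
    return {c.lower() for c in entry.get("objectclass", [])}


def has_class(entry, cls):
    """True if the entry is an instance of cls, wherever it sits in the list."""
    return cls.lower() in object_classes(entry)


def ancestors(cls, subclass_of):
    """Classes above cls in the subClassOf chain, nearest first (cls excluded)."""
    sub = {k.lower(): v.lower() for k, v in subclass_of.items()}
    chain, seen = [], set()
    cur = sub.get(cls.lower())
    while cur is not None and cur not in seen:  # seen guards against a cyclic map
        seen.add(cur)
        chain.append(cur)
        cur = sub.get(cur)
    return chain


def leaf_class(entry, subclass_of):
    """The most-derived listed class: the one no other listed class descends
    from. This is what IADsContainer::GetObject appears to want (Joe K's
    observation), found without trusting list position. Returns None when the
    hierarchy is unknown or more than one leaf remains."""
    classes = object_classes(entry)
    parents = set()
    for cls in classes:
        parents.update(ancestors(cls, subclass_of))
    leaves = classes - parents
    return next(iter(leaves)) if len(leaves) == 1 else None


def child_adspath(container_adspath, rdn):
    """ADsPath of a child: RDN prepended to the container DN (joe's workaround
    of binding by path rather than by class + RDN). Accepts an optional server
    part as in LDAP://server:port/dn; '/' inside DN values is not escaped."""
    scheme, _, rest = container_adspath.partition("://")
    server, sep, dn = rest.rpartition("/")
    if sep:
        return f"{scheme}://{server}/{rdn},{dn}"
    return f"{scheme}://{rdn},{rest}"


if __name__ == "__main__":
    joe_entry = parse_adfind(ADFIND_OUTPUT)
    print("is user:", has_class(joe_entry, "user"))           # True
    print("leaf class:", leaf_class(joe_entry, SUBCLASS_OF))  # joewarefromuser
    print("same set:", object_classes(WORKING_USER) == object_classes(NONWORKING_USER))  # True
    print(child_adspath("LDAP://cn=users,dc=joe,dc=com", "CN=joeschematest"))
```

The set-based check is what a business layer like Elena's should use to decide whether an entry is an inetOrgPerson; the leaf resolution only works once the custom classes' subClassOf relations are known, which is exactly the knowledge joe objects to needing in order to call GetObject with the right class name.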

RE: [ActiveDir] OT: exchange and temp folder

2005-02-03 Thread Marcus.Oh
Maybe not running AV on exchange is the problem.  I occasionally see
.eml files pop up in guest access shares - virus related.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, February 03, 2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: exchange and temp folder

Mulnick, Al wrote:
 I wouldn't think exifs.  I would think anti-virus or conversion files
 that would use the temp space.

i don't run AV on exchange
 
 What do you have loaded on the machine?


all i have on that box is exchange and backup exec.

i posted earlier about having scsi time out issues and i never resolved
them.
its an active/passive exchange2k cluster with an HP MSA 500 storage box
ultra3 scsi.
the scsi driver spits out timeout errors and occasionally the cluster
fails over. when i ran perfmon, all the bottlenecks were disk related.
no mem,cpu,or network issues.
it runs 2 info stores. each store is about 30gig with 500 mailboxes
overall. also backupexec writes its catalog files to the shared array as
well.

thanks


 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Thursday, February 03, 2005 2:05 PM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] OT: exchange and temp folder
 
 Hi. anyone know why my c:\winnt\temp folder would be filling up with
 emails(.eml files) on my exchange2k server?
 
 I found about 11 gig of them this morning alot dated from a month or
 so ago. strange.
 is this something related to EXIFS? i can open the mails in OE so
 they're not corrupted.
 
 thanks


RE: [ActiveDir] AD startup scripts problem

2005-02-03 Thread Marcus.Oh
Does gpresult /z show a script execution time that's current? Also, consider
the batch file is running in system context, so with that in mind, do you have
any funny security settings that may be blocking batch or vbs script execution
that may be generating a pop-up dialog of some sort?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Get the latest version of ethereal, it has a windows kind of mode now. Just
select that package on the install. 

Either way, spend a couple of hours with it and you will work it out pretty
quickly. It is worth it for the follow stream function all by itself where you
click on a packet and tell it to filter everything but that stream. But the
filtering overall smokes netmon and the decoding of packets is at least an
order of magnitude better from what I have seen. I have also been very happy
in that every single trace someone has sent me, regardless of what tool was
used to generate the trace, ethereal has been able to open and translate for
me. 

I was just looking at the nomas tool and scanning the trace thinking, man this
doesn't look very efficient. I did a resync on my test lab domain of like 30
users and I saw binds strewn all through the trace. So then I go into the
filters, tell it to only show me LDAP binds, bam, I all of a sudden just have
LDAP binds on the screen. How many you ask? 43. I can't for the life of me
understand why a program that only needs one bind, or at most one bind per
thread if it is multithreaded, has to bind 43 times for 30 users. I won't go
into the searches other than to say I think the DN for one of the stores was
retrieved a good 20+ times as well.

I am going to write up everything I see that doesn't seem quite right and send
it to PSS. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, February 03, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

I once tried to figure out how to use that damn thing. Netmon has the UI
factor that I need <g>. 

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web!
www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2/3/2005 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

I would concur but say use ethereal. Much easier generally to read the
traces. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, February 01, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Mark-

If you put the problem computer, and your computer on a hub (not a switch),
and use the version of netmon included with SMS, then you can run the trace.
To make things easier, I'd set a filter in Netmon to only capture traffic
to/from the problem host. 

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, February 01, 2005 4:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

How can I do a network trace whilst the computer is booting up ? When I have
logged on as normal user the share and files are fully accessible. I looked at
my bootup log (userenv.log) and can see that the GPO is called. But I just
don't know what could prevent my startup script accessing the network share.

Are there any other GPO settings that may be set in another GPO that could be
blocking network accessing during the bootup ?

As I say, using the batch after logging on causes absolutely no problems.

This is really frustrating !!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 31 January 2005 17:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Have you done a network trace yet? If you are getting an access denied, you
will see it in the trace.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 31, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current
situation :

I have now determined the script is actually running during startup. The
problem however remains that I am not able to run the executable from the
network share location. Everything works fine if I re-code the batch command
and put the EXE locally on the computer. But using UNC addresses in the batch
does not work.

On the network share and 

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joe
That looks like it fits the overall issue. Except the user specified should
be the same in both, i.e. cn=joe or cn=joeschematest

My concern is if you derive from user, you should be able to use the
getobject with user to open the object. The trace shows the object being
returned ok as it is a simple base query with the objectclasses only, then
it looks like adsi looks at it and says, HEY, this isn't a user!!! It is a
<insert class> that has user as a subclass.

Not sure why they have you specify the object type anyway since the rdn
value can't be duped within the container. 

Honestly, I don't care if it works or not except for when people ask me how
come it doesn't work. I don't personally use it.  

On the designed behavior versus bug, it could be both. :o)

 joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 11:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Ok, I'll take a stab.  I'm hoping that this scenario is what we are actually
talking about.  I'm not really sure if we are still helping the original
poster either, but here goes...

Given a container:
cn=users,dc=joe,dc=com

a user (standard AD schema)
cn=joe,cn=users,dc=joe,dc=com

This works:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joe")
wscript.echo usr.description

This fails:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("person", "CN=joeschematest")
wscript.echo usr.description

Questions:
Is this the same basic thing Joe mentioned?
Is this the designed behavior or a bug?

I still think this is the designed behavior.  I just want to make sure I
haven't missed the whole point here.  Eric, please debug at your leisure. :)

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, February 03, 2005 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

If someone has an active repro, I can debug it. Ideally a repro that could
be sent to me (using any class inheritance, I'm not picky, I just want the
snip of code to run), second best is a repro in a test environment you don't
mind me logging in to.

Joe, can you repro with something like 'top' if you target a user
specifically? In theory it should repro with any class that appears later in
the list, if my understanding of the original issue is correct?

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to do.
It seems reasonable that it might work either way to me.  Like I said to Al,
I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone really
thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName:
CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor:

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joe
> I would expect you'd get the desired result if you did:
>
> Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
> Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
> wscript.echo usr.description

Absolutely. However, let's say you have 5 different objects in a container
that are all instances of classes subclassed from user, and you want to bind to
one; in order to use this method, you would have to know the leaf class of
it. This doesn't make sense. Your alternative is to return the adspath, then
tack on the rdn, then getobject on that path.

Again, I don't personally care. Real programmers use LDAP API. :o)

HAR HAR!

   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 10:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Hmm,

Is this:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


really supposed to work for anything but the leaf level object class?
I would expect you'd get the desired result if you did:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("joewarefromuser", "CN=joeschematest")
wscript.echo usr.description


I know if you did the equivalent search with the same filter in ADO/.NET
DirectorySearcher, you'd get the same result as your search.  I honestly
don't know what the behavior of IADsContainer::GetObject is supposed to do.
It seems reasonable that it might work either way to me.  Like I said to Al,
I never use that in .NET, I just search for stuff.

We could always run it up the flagpole with the DS API guys if anyone really
thinks it is a problem.  I'm not sure I do.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Oh I have seen this before. Figured it for an ADSI bug. I think at the time
I was having a particularly hard time to get MS to admit to bugs so I never
submitted it. 


Anyway, if the issue is the same, the issue I saw was with classes derived
from some other well known base class.

For instance, say you derive the joewareFromUser class from user. 


dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
cn: joewarefromuser
distinguishedName: CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181231.0Z
whenChanged: 20050203181230.0Z
uSNCreated: 70914
subClassOf: user
governsID: 1.2.840.113556.1.8000.1420.0.0.0.0.0.0.0.0.0.0.10001
rDNAttID: cn
uSNChanged: 70914
showInAdvancedViewOnly: TRUE
adminDisplayName: joewarefromuser
adminDescription: Test
objectClassCategory: 1
lDAPDisplayName: joewarefromuser
name: joewarefromuser
objectGUID: {25ABF0AB-2567-4B0D-9C20-259F8FE6172F}
schemaIDGUID: {4AE060FB-6C2C-43D9-83CE-68409C44FFF7}
systemOnly: FALSE
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


Then you create an object of this class

C:\temp>adfind -default -f name=joeschematest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
distinguishedName: CN=joeschematest,CN=Users,DC=joe,DC=com
instanceType: 4
whenCreated: 20050203181412.0Z
whenChanged: 20050203181412.0Z
uSNCreated: 70955
uSNChanged: 70956
name: joeschematest
objectGUID: {B13B6BFD-00D9-485A-94AB-41FA33768725}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-1862701446-4008382571-2198042679-6107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: joeschematest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com


1 Objects returned



This object clearly has user in the set of objectclasses. You can further
prove it like this

C:\temp>adfind -default -f "&(name=joeschematest)(objectclass=user)" -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeschematest,CN=Users,DC=joe,DC=com

1 Objects returned



However if you run this simple script:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joeschematest")
wscript.echo usr.description


You will fail with 

C:\temp\test.vbs(2, 1) Active 
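The adfind dumps above show the mechanism behind the disagreement: the instance's objectClass attribute carries the whole inheritance chain (top, person, organizationalPerson, user, joewarefromuser), so an LDAP filter (objectclass=user) matches it, while its structural class, which is what the ADSI GetObject class argument appears to be compared against, is joewarefromuser. The script below is an added example, not code from the thread or from AdFind; it parses entries trimmed from joe's dumps (embedded as constructed input) and evaluates the filter and the class chain offline. The chain above user (organizationalPerson, person, top) is assumed from the standard AD schema, only the joewarefromuser-to-user link comes from the thread, and the top-to-most-derived ordering of objectClass values is taken from the dump. The same distinction matters for audit queries: an inventory filtered on objectClass=user also returns instances of derived classes, while objectCategory is single-valued and inherited from the class's defaultObjectCategory (Person here).

```python
import re
from typing import Dict, List

# Constructed input: the classSchema entry and the instance entry from joe's
# adfind dumps, trimmed to the attributes this example needs.
SCHEMA_ENTRY = """\
dn:CN=joewarefromuser,CN=Schema,CN=Configuration,DC=joe,DC=com
objectClass: top
objectClass: classSchema
subClassOf: user
lDAPDisplayName: joewarefromuser
objectClassCategory: 1
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
"""

INSTANCE_ENTRY = """\
dn:CN=joeschematest,CN=Users,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: joewarefromuser
cn: joeschematest
sAMAccountName: joeschematest
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
"""

# Assumed: the standard AD chain above user (keys lower-cased). Only the
# joewarefromuser -> user link comes from the schema entry in the thread.
BUILTIN_SUBCLASS_OF = {
    "user": "organizationalPerson",
    "organizationalperson": "person",
    "person": "top",
}

Entry = Dict[str, List[str]]


def parse_entry(text: str) -> Entry:
    """Parse 'attr: value' lines into a multi-valued map keyed by the lower-cased
    attribute name (LDAP names are case-insensitive); a leading space continues
    the previous value (LDIF folding)."""
    entry: Entry = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            entry[last_key][-1] += raw[1:]
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):\s*(.*)$", raw)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        entry.setdefault(key, []).append(value)
        last_key = key
    return entry


def matches_equality_filter(entry: Entry, attr: str, value: str) -> bool:
    """(attr=value) on a multi-valued attribute is true if ANY stored value
    matches, compared case-insensitively, which is how the DC evaluates it."""
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def structural_class(entry: Entry) -> str:
    """objectClass comes back ordered top -> most-derived (as in the dump),
    so the last value is the structural class."""
    return entry["objectclass"][-1]


def object_category_rdn(entry: Entry) -> str:
    """The CN of the single-valued objectCategory DN, i.e. what a shorthand
    filter such as (objectCategory=person) is resolved against."""
    first_rdn = entry["objectcategory"][0].split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def class_chain(ldap_display_name: str, schema_entries: List[Entry]) -> List[str]:
    """Walk subClassOf from a class up to top, using parsed classSchema entries
    for custom classes and the built-in table for the standard ones."""
    custom = {e["ldapdisplayname"][0].lower(): e["subclassof"][0] for e in schema_entries}
    chain = [ldap_display_name]
    seen = {ldap_display_name.lower()}
    while chain[-1].lower() != "top":
        cur = chain[-1].lower()
        parent = custom.get(cur) or BUILTIN_SUBCLASS_OF.get(cur)
        if parent is None or parent.lower() in seen:
            raise ValueError(f"no path from {ldap_display_name} to top")
        chain.append(parent)
        seen.add(parent.lower())
    return chain


def main() -> None:
    inst = parse_entry(INSTANCE_ENTRY)
    schema = parse_entry(SCHEMA_ENTRY)
    print("objectClass values      :", inst["objectclass"])
    print("(objectClass=user) match:", matches_equality_filter(inst, "objectClass", "user"))
    print("structural class        :", structural_class(inst))
    print("inheritance chain       :", " -> ".join(class_chain("joewarefromuser", [schema])))
    print("objectCategory CN       :", object_category_rdn(inst))


if __name__ == "__main__":
    main()
```

Running it shows the filter matching on the inherited value while the structural class is the derived one, and the reversed inheritance chain equals the objectClass list exactly as the dump ordered it.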

RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joseph.e.kaplan
Crap, that was a typo. :)  I actually did test this on real data but
failed to copy and paste correctly.  Doh!  Hopefully that little flub
didn't confuse Eric.

I can see the point being argued either way.  I'll be interested to see
what the API guys say.  My guess is that it is working as designed.  I
guess we could look at the source and find out...

I'm with you on just doing a search to get what you want, but LDAP API?
Pointers are so, like, last century.  :)

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

That looks like it fits the overall issue. Except the user specified should
be the same in both, i.e. cn=joe or cn=joeschematest

My concern is if you derive from user, you should be able to use the
getobject with user to open the object. The trace shows the object being
returned ok as it is a simple base query with the objectclasses only, then
it looks like adsi looks at it and says, HEY, this isn't a user!!! It is an
insert class that has user as a subclass.

Not sure why they have you specify the object type anyway since the rdn
value can't be duped within the container. 

Honestly, I don't care if it works or not except for when people ask me how
come it doesn't work. I don't personally use it.  

On the designed behavior versus bug, it could be both. :o)

 joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 03, 2005 11:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and Win2003 Question

Ok, I'll take a stab.  I'm hoping that this scenario is what we are actually
talking about.  I'm not really sure if we are still helping the original
poster either, but here goes...

Given a container:
cn=users,dc=joe,dc=com

a user (standard AD schema)
cn=joe,cn=users,dc=joe,dc=com

This works:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("user", "CN=joe")
wscript.echo usr.description

This fails:

Set cont = GetObject("LDAP://cn=users,dc=joe,dc=com")
Set usr = cont.GetObject("person", "CN=joeschematest")
wscript.echo usr.description

Questions:
Is this the same basic thing Joe mentioned?
Is this the designed behavior or a bug?

I still think this is the designed behavior.  I just want to make sure I
haven't missed the whole point here.  Eric, please debug at your
leisure. :)

Joe K.


RE: [ActiveDir] LDAP and Win2003 Question

2005-02-03 Thread joe
The info doesn't stay in ptr format for long. I make the call, check the
error codes and then throw the data into some STL containers such as strings
or maps or vectors or what not.

I agree that it is working as designed but I am not so sure it is working as
intended. 

Sort of like the whole issue around 812499 that I fought with MS on a long
while back in order to get 812499 implemented. Basically the intent was to
allow users to change passwords on every DC. However as designed what
happened was that they simply took out the check to see if a DC was the PDC
when processing a change password request. This allowed anyone to change
passwords on any DC. 

The down side is that if you had your password reset on the PDC and flagged
to change password on next logon the user will go to logon, the password
will be wrong at the local DC, it will pass it to the PDC which will say it
is fine but the user needs to change the password. 

That goes back to the local DC. It sends a message back to the client that
says, welcome aboard, now change your password. So you go to the change
password dialog and the password you just typed to let you logon is denied.
This is because the process to verify the old password doesn't chain to the
PDC like the logon does, it is still the old NT4 code which assumes that
this machine is the PDC and that the password on the local database is
authoritative so it refuses the change because the password hash doesn't
match. Exactly as per design but not likely the intent. 

The fix would have been to chain the password check again or have the
original chain process force the new password info back to the local DC so
it is authoritative. They implemented the latter.

   joe






RE: [ActiveDir] Members of a group in AD

2005-02-03 Thread Sergio Sánchez Trujillo

Thanks Za Vue and Aramide

Perhaps I didn't explain too much; I would like to know a method to see the
users of a group, for example with a script.

Sergio Sánchez

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, February 03, 2005 14:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Members of a group in AD

I believe that is one purpose of any general local area network.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Thursday, February 03, 2005 3:09 AM
To: Lista ActiveDirectory (ActiveDir@mail.activedir.org)
Subject: [ActiveDir] Members of a group in AD

Hello,

I would like to know, if a user in a Workstation that is in a domain, could
see the member of Active Directory's groups, for example in a command line or
across windows interface.

Thanks,

Sergio Sánchez

RE: [ActiveDir] Login/Logoff

2005-02-03 Thread joe
I have also seen some fun examples that send an email message on logon and
logoff to a special account and then a perl script harvests the emails and
throws them into a database.  

One company I worked for did this for automated server builds too. The
script would email the build logs when the server was finished with the
build process. That info was saved as it helped let you know exactly how a
server was built and was an alarm to let you know it was done so you could
go do whatever you needed to it. It was quite a bright idea to do it. Genius
in its simplicity.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Thursday, February 03, 2005 5:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Login/Logoff

Have every machine write the data locally to a hidden folder, then send the
data to a central file share.

This logonscript actually has an example of that:
http://www.ultratech-llc.com/KB/Scripts/?File=LogOn.BAT


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Thu, 3 Feb 2005 15:44:39 -0700, Carstensen, Pete [EMAIL PROTECTED]
wrote:
> Put what in there?
>
> I suspect you are thinking adding a flag record or something to an
> audit text file.  We have 6 DC's in 4 locations.  To save crossing
> over, it would have to parse the netlogon DC and point the flag record
> append to a specific directory there.  I can see several problems with
> that.  Is there a simpler way?
>
> *
> Pete Carstensen, MCSE
> Senior LAN Engineer
> CSK Auto, Inc.
> 645 E. Missouri Ave.
> Phoenix,  AZ  85012
> (602) 631-7176
> [EMAIL PROTECTED]
>
> So many of our dreams at first seem impossible, then they seem
> improbable, and then, when we summon the will, they soon become
> inevitable. -- Christopher Reeve
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Thursday, February 03, 2005 3:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Login/Logoff
>
> Put it in the Logon and LogOff Scripts...
>
> -ASB
> FAST, CHEAP, SECURE: Pick Any TWO
> http://www.ultratech-llc.com/KB/
>
> On Thu, 3 Feb 2005 15:13:35 -0700, Carstensen, Pete
> [EMAIL PROTECTED] wrote:
>
> > In trying to track user activity, I am parsing the security logs
> > using EventCombMT.  It finds the 538/540 events just fine but the
> > problem is that it finds far too many.  I am seeing groups of
> > consecutive logon events, which I presume is attachments to network
> > resources, but then I immediately see logoff events too.  Perhaps an
> > hour goes by and more of these occur.  In fact, it occurs throughout
> > the day.
> >
> > I suspect that perhaps the first in the series is the user logging on
> >
> > Then more occur with resource connection (mapped drives, printers, etc.
> >
> > Some of those log out.
> >
> > Further login/logoff events occur as resources are requested during
> > the day.
> >
> > Final logoff for the day is the actual user doing so.
> >
> > Q:  If the above is a correct assessment of the situation, is there a
> > better event id or filter to see the actual user netlogon timing rather
> > than resource attachment?
> >
> >
> > *
> > Pete Carstensen
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

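On Pete's 538/540 question: the 540 records are Successful Network Logon events (logon type 3) raised by drive mappings, printer connections and similar resource attachments, which is the noise he describes. The console logon itself is a 528 (Successful Logon) whose Logon Type field says interactive, and the 538 (User Logoff) that belongs to it carries the same Logon ID, so the two can be paired without touching the type-3 pairs at all. The script below is an added example, not from the thread and not ASB's logon script; it runs that pairing over a constructed tab-separated sample embedded in the code (a stand-in for an event export, not EventCombMT's own format, and the users, workstations and Logon IDs in it are made up). Logon types 2, 10 and 11 (Interactive, RemoteInteractive, CachedInteractive) are treated as a person logging on.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Windows 2000/2003 security event ids referred to in the thread.
EVT_LOGON = 528          # Successful Logon, carries a Logon Type field
EVT_NETWORK_LOGON = 540  # Successful Network Logon (type 3): resource connections
EVT_LOGOFF = 538         # User Logoff, shares the Logon ID with its 528/540
# Logon types that mean a person at the console or in an RDP session.
INTERACTIVE_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive


@dataclass
class SecEvent:
    time: datetime
    event_id: int
    user: str
    logon_type: int
    logon_id: str
    workstation: str


@dataclass
class Session:
    user: str
    workstation: str
    logon_id: str
    start: datetime
    end: Optional[datetime] = None  # None while no matching 538 has been seen

    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


# Constructed sample (NOT EventCombMT output): tab-separated time, event id,
# user, logon type, logon id, workstation. It mirrors the pattern Pete sees:
# one interactive logon, bursts of network logon/logoff pairs from resource
# connections during the day, and the real logoff at the end of the day.
SAMPLE_LOG = """\
2005-02-03 08:02:11\t528\tpcarstensen\t2\t(0x0,0x3A7F1)\tWS0451
2005-02-03 08:02:15\t540\tpcarstensen\t3\t(0x0,0x3A812)\tWS0451
2005-02-03 08:02:15\t538\tpcarstensen\t3\t(0x0,0x3A812)\tWS0451
2005-02-03 09:10:40\t540\tpcarstensen\t3\t(0x0,0x3B0C2)\tWS0451
2005-02-03 09:10:41\t538\tpcarstensen\t3\t(0x0,0x3B0C2)\tWS0451
2005-02-03 12:30:05\t528\tjsmith\t2\t(0x0,0x3C001)\tWS0102
2005-02-03 17:21:09\t538\tpcarstensen\t2\t(0x0,0x3A7F1)\tWS0451
"""


def parse_events(text: str) -> List[SecEvent]:
    """Parse the tab-separated export into events sorted by time."""
    events: List[SecEvent] = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or row[0].startswith("#"):
            continue
        when, eid, user, ltype, lid, ws = row
        events.append(SecEvent(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                               int(eid), user, int(ltype), lid, ws))
    return sorted(events, key=lambda e: e.time)


def build_sessions(events: List[SecEvent]) -> Tuple[List[Session], int]:
    """Pair interactive 528 logons with their 538 logoff via the Logon ID.
    Returns the sessions (end=None when no logoff was seen) and the count of
    events discarded as resource-connection noise or unmatched logoffs."""
    open_by_id: Dict[str, Session] = {}
    sessions: List[Session] = []
    ignored = 0
    for e in events:
        if e.event_id == EVT_LOGON and e.logon_type in INTERACTIVE_TYPES:
            s = Session(e.user, e.workstation, e.logon_id, e.time)
            open_by_id[e.logon_id] = s
            sessions.append(s)
        elif e.event_id == EVT_LOGOFF and e.logon_id in open_by_id:
            open_by_id.pop(e.logon_id).end = e.time
        else:
            ignored += 1  # 540s, type-3 logoffs, anything without an open session
    return sessions, ignored


def main() -> None:
    sessions, ignored = build_sessions(parse_events(SAMPLE_LOG))
    print(f"{ignored} network/unmatched events ignored")
    for s in sessions:
        end = s.end.strftime("%H:%M:%S") if s.end else "still logged on"
        print(f"{s.user:<12} {s.workstation:<7} {s.start:%Y-%m-%d %H:%M:%S} -> {end}  {s.duration() or ''}")


if __name__ == "__main__":
    main()
```

On the constructed sample the four 540/538 type-3 records are discarded, pcarstensen's day is reported as a single session from the 528 to the matching 538, and jsmith shows as still logged on because no 538 with that Logon ID was exported.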