RE: [ActiveDir] Computer Accounts logging onto servers
Just to clarify the machine part for Dennis: this means that some process is either running as Local System or NT AUTHORITY\NetworkService - this would typically be some service installed on the machine. It is then able to leverage the machine account's credentials from AD to connect to resources in the network, such as to a share on your application server.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, February 27, 2005 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer Accounts logging onto servers

That simply means a machine attached to the server across the network. It could be anything; the best thing would be to go to those machines and try to see what they are doing, or set up a network sniffer and watch the traffic coming in from them. In summary, it could be a virus or a worm, or it could be something else.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Depp
Sent: Sunday, February 27, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer Accounts logging onto servers

I have a sysadmin who is seeing two computer accounts logging on to one of her application servers. The computer account logs on with a logon type 3 and then logs off. This admin is thinking something nefarious is going on, while I do not. Does anyone know what might be causing the computer accounts to log on to an application server?

Thanks
Dennis

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
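The triage Guido and joe describe (machine-account network logons are usually a service running as Local System or NetworkService, so find out which host and which service), as an added example that is not part of this thread. The Security-log records are constructed sample data in a field layout of this example's own choosing (not the exact columns of event 540 on Windows 2003 or 4624 on later versions), and the allowlist of machine accounts expected to reach the server is an assumption the admin would maintain.

```python
"""Triage of network logons (logon type 3) made by computer accounts.

Added example, not code from the thread. Security events are modelled as
small dicts (constructed sample data); on a real server you would fill them
from an export of event 540 (Windows 2000/2003) or 4624 (Vista and later).
The field names are this example's own, not the event's column names.
"""
from collections import defaultdict

# Constructed sample: two computer accounts and one user, all logon type 3,
# plus one interactive logon (type 2) that the filter must ignore.
SAMPLE_EVENTS = [
    {"event_id": 540, "account": "WS0123$", "domain": "CORP", "logon_type": 3, "source": "10.1.4.23"},
    {"event_id": 540, "account": "WS0123$", "domain": "CORP", "logon_type": 3, "source": "10.1.4.23"},
    {"event_id": 540, "account": "BACKUP01$", "domain": "CORP", "logon_type": 3, "source": "10.1.2.5"},
    {"event_id": 540, "account": "jdoe", "domain": "CORP", "logon_type": 3, "source": "10.1.4.40"},
    {"event_id": 528, "account": "admin", "domain": "CORP", "logon_type": 2, "source": "-"},
]

# Hosts whose services are expected to reach this server with their machine
# account (e.g. a backup agent running as Local System). Assumption: the
# admin maintains such a list; this one is constructed.
EXPECTED_MACHINE_ACCOUNTS = {"CORP\\BACKUP01$"}


def is_machine_account(name: str) -> bool:
    """Computer accounts have a sAMAccountName ending in '$'."""
    return name.endswith("$")


def machine_network_logons(events):
    """Return {DOMAIN\\account$: [source, ...]} for type-3 logons by computer accounts."""
    hits = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3 or not is_machine_account(ev["account"]):
            continue
        hits[f'{ev["domain"]}\\{ev["account"]}'].append(ev["source"])
    return dict(hits)


def triage(events, expected=EXPECTED_MACHINE_ACCOUNTS):
    """Split machine-account network logons into 'expected' and 'investigate'.

    'investigate' means exactly what the thread suggests: go to that host,
    find which service (running as Local System / NetworkService) opens the
    connection, and look at the traffic it sends to this server.
    """
    report = {"expected": {}, "investigate": {}}
    for account, sources in machine_network_logons(events).items():
        bucket = "expected" if account in expected else "investigate"
        report[bucket][account] = {"count": len(sources), "sources": sorted(set(sources))}
    return report


if __name__ == "__main__":
    for bucket, accounts in triage(SAMPLE_EVENTS).items():
        for account, info in accounts.items():
            print(f'{bucket:12} {account:18} {info["count"]:3} logon(s) from {", ".join(info["sources"])}')
```

The source address is the pivot: the event tells you which host used its machine account, and the service on that host is what to look at next, so the report keeps the distinct sources per account rather than just a count.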
[ActiveDir] Problem using Certificates to connect to AD machine
Hi,

I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but I don't seem to be able to connect. Can you tell me how I issue, and which certificate I should issue, to be able to connect to the PDC machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath,
Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983

Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA
RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names
Hello Jorge and Paul,

...but it happens on all Win95 clients?

Well, first of all, it may be wise to get rid of Win95, but I'm sure you've been through all of that ("no time and budget to do so right now", "it worked before, so why shouldn't it work now", "need to get this working now and will fix my OS issue later")... Funny how companies sometimes spend thousands of dollars on fixing problems that wouldn't exist if they spent the same money to update their systems ;-) As you know, I'm also currently supporting a Novell/AD migration with thousands of NT4 clients...

Back to your problem: I hope it's fair to assume that you only have a limited number of Win9x machines in the environment and most other clients are WinNT and above, so that anything you're going to do to fix the Win95 issue now is of a temporary nature - correct?

If that assumption is correct, I wouldn't really do any more work on this to solve the issue, as you already have it solved: just re-map the home share for the Win95 clients during the execution of the login script. You shouldn't have an issue simply checking the OS env-variable and, for all clients that are not equal to Windows_NT, unmapping and re-mapping the home share. Assuming you want to map a share that contains the logon name of the user, it may be wise to pass the user's sAMAccountName as a parameter to the logon script (as far as I recall, Win9x clients don't automatically get the username variable in their environment).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Friday, February 25, 2005 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Oh, and to add those finest little details: same users, same documents on Windows 98.. no problem. Open a document with a long file name in the corresponding application, and save as under another long name.. no problem either.

Yeah, time for more beer..

Regards,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, February 25, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hi,

During our Novell/NT4 to W2K3 migration we are experiencing a very, very strange issue that until now we have not been able to solve.

The situation is:
* Home directory data was stored on Novell and users had an H: mapping to it
* Home directory data has been migrated to Windows
* A Netlogon login script has been implemented in the NT4 domain (clients/users are still in the NT4 domain) and each user in NT4 has its login script attribute set to LOGON.BAT
* The Netlogon login script makes an H: mapping for a user to its home directory on the Windows file server
* The Netlogon login script makes other mappings for a user to other locations on the Windows file server

The issue:
* Users can create documents with Word on H: (new document in Word and save in H:) with long file names
* Users can create documents with Word on other drives (new document in Word and save in H:) with long file names
* Users can rename documents in Explorer on other drives with long file names (a document with some LFN gets another LFN)

The problem:
* SOME users (NOT ALL) CANNOT rename documents in Explorer on the H: mapping with long file names (a document with some LFN getting another LFN is not possible!). It only accepts 8.3 names!!!

The VERY STRANGE ISSUES:
* If we change the H: mapping for the home directory to some other mapping (let's say T:) then the problem does not occur -- ?
* If we type "NET USE H: /DELETE" in the command prompt and after that "NET USE H: /HOME" (delete the H: mapping and create it again) the problem does not occur -- ?

WTF is this???!!! I have tried everything, at least I think I have, and it's making me nuts. Have any of you guys experienced this, or do any of you know what this is and/or how to solve this?

The workaround we have until now is that we've sent those users a batch file that recreates the H: mapping, but I would like to solve this by making it work in the login script.

I'm going to get a beer and play some darts. Hope you guys can help.

Thanks in advance. Have a nice weekend!

Regards,
Jorge
Re: [ActiveDir] Problem using Certificates to connect to AD machine
Hi,

I tried to generate a certificate using the W2K CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (e.g. from my machine) as "kaling.persistent.co.in". Is there anything I must take care of while generating the certificate?

Regards,
Mayuresh.

----- Original Message -----
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but I don't seem to be able to connect. Can you tell me how I issue, and which certificate I should issue, to be able to connect to the PDC machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath,
Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983

Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA

[Attachment: cert.cer (application/x509-ca-cert)]
[ActiveDir] A referral was returned from the server when executing a query.
I'm working on an application for listing contacts and address lists in Active Directory, but I get an error every time I execute a query. I'm using the DirectoryServices namespace in .NET (which encapsulates the Active Directory Service Interfaces) to communicate with Active Directory.

1. I bind to the RootDSE object to retrieve the DN of the configuration container and the root domain. According to the log file, I get:
   Configuration container: DC=configuration,DC=myDomain,DC=com
   Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the address lists (using the DirectorySearcher with the filter (&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*)) ... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property (this gives me the path: LDAP://DC=myDomain,DC=com;). This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against Active Directory (the query is taken from the currently selected address list). Whenever I execute a query, I get an exception:

   -2147016661 A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server does not exist), but it doesn't add up since I'm able to connect and retrieve the address lists. I have set the option to follow all referrals (subordinate, external). Does anyone know what might be wrong? I'm pretty convinced it is not a programming error. Probably just my lack of knowledge regarding Active Directory :)

Thanks
RE: [ActiveDir] Win 2003 DC behind firewall
I think you might want to investigate using a VPN to connect your DC to the other DCs.

http://infosecuritymag.techtarget.com/2003/mar/surgeongeneral.shtml
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

A couple of words of caution. By default, AD replication and FRS operations are optimized for LAN-based operation, not WAN. There are no control panel applets for controlling AD replication RPC behavior. The only tools you have are registry settings, KB articles and white papers (as well as the MS diagnostic tools, and third-party tools like AD Troubleshooter).

You also should be aware that AD replication traffic and Kerberos use UDP by default. I have encountered situations where all the ports are open and working, but trusts keep breaking and replication keeps failing. This is usually due to UDP traffic getting fragmented. If you encounter this, you will want to force Kerberos and AD to use TCP packets. I have spoken to the MS AD Firewall PM about this. MSFT seems to think registry modification is good enough in these situations. I am on them to change this in Longhorn. I would also like to see the replication protocol have some built-in diagnostics that throw more descriptive events when they encounter replication problems that are the result of firewall and RPC issues.

You might want to run this by MSFT before you implement it, to see what their support will cover, because when you encounter problems they are going to be the only ones who will be able to really assist you.

Thanks,
Todd Myrick
MS MVP Directory Services

-----Original Message-----
From: Chris Gauch [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 27, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DC behind firewall

We currently run 4 Windows 2003 domain controllers on our network(s), all 4 of which are on different public networks (we own several IP blocks as we are an ISP).

We'd like to place one of the DCs behind our Sonicwall to serve as a DC/global catalog for all of the servers within the NAT'ed environment, as we've run into odd issues mapping drives, etc. with the servers behind the firewall (obviously this is caused by DNS issues). Additionally, we'd like this DC to act as an internal DNS server for the NAT'ed network behind the firewall. The problem we've faced with DNS is that our NAT'ed servers publish their private IP addresses on the public DCs; we'd like to set up a configuration where our NAT'ed servers publish ONLY to the internal/NAT'ed DC, and the public addresses that have been set up for IP forwarding (behind the firewall) are published to the public DCs (running DNS).

I guess I'm just looking for tips/advice on how best to go about running a single Windows 2003 domain across both public and private networks with regard to the situation above. Thanks in advance for any input.

- Chris

--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
[EMAIL PROTECTED]
[ActiveDir] AD User Export and Import
Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option because we are going to merge both forests in 2 weeks. During this 2-week period, we need to sync both GALs. Is there a way I can copy the GAL between the forests and schedule the task?

Thanks in advance!
RE: [ActiveDir] A referral was returned from the server when executing a query.
1. Cool
2. Your search should use objectCategory, not objectClass.
3a. Ok
3b. What exactly is the query? The rest of the stuff building up to it isn't throwing the referral; the query you neglect to show is.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 4:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A referral was returned from the server when executing a query.

I'm working on an application for listing contacts and address lists in Active Directory, but I get an error every time I execute a query. I'm using the DirectoryServices namespace in .NET (which encapsulates the Active Directory Service Interfaces) to communicate with Active Directory.

1. I bind to the RootDSE object to retrieve the DN of the configuration container and the root domain. According to the log file, I get:
   Configuration container: DC=configuration,DC=myDomain,DC=com
   Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the address lists (using the DirectorySearcher with the filter (&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*)) ... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property (this gives me the path: LDAP://DC=myDomain,DC=com;). This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against Active Directory (the query is taken from the currently selected address list). Whenever I execute a query, I get an exception:

   -2147016661 A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server does not exist), but it doesn't add up since I'm able to connect and retrieve the address lists. I have set the option to follow all referrals (subordinate, external). Does anyone know what might be wrong? I'm pretty convinced it is not a programming error. Probably just my lack of knowledge regarding Active Directory :)

Thanks
RE: [ActiveDir] AD User Export and Import
Yes, it requires you writing a script to export mailbox-enabled users from both forests, then create mail-enabled contacts in the other forest. This could get involved if you have naming collisions. It could take 2 weeks just to work the script out so it doesn't cause more issues than it helps. It depends on what you are starting with. You could look for another third-party tool to buy as well, but I'm not sure you would want to do that for 2 weeks.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import

Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option because we are going to merge both forests in 2 weeks. During this 2-week period, we need to sync both GALs. Is there a way I can copy the GAL between the forests and schedule the task?

Thanks in advance!
RE: [ActiveDir] AD User Export and Import
You might look at the AD Toolkit from www.javelinasoftware.com if you want to do it manually. Quest / Aelita have a tool called Collaboration Services that syncs GALs.

http://wm.quest.com/products/collaborationservicesexchange/

Todd Myrick
MVP Directory Services

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import

Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option because we are going to merge both forests in 2 weeks. During this 2-week period, we need to sync both GALs. Is there a way I can copy the GAL between the forests and schedule the task?

Thanks in advance!
RE: [ActiveDir] Problem using Certificates to connect to AD machine
Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people who tend to respond to things are offline. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.

In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well-known KB article that you could have found through Google. Unless you are doing this from a non-Windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and SSL connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

----- Original Message -----
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I tried to generate a certificate using the W2K CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (e.g. from my machine) as "kaling.persistent.co.in". Is there anything I must take care of while generating the certificate?

Regards,
Mayuresh.

----- Original Message -----
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but I don't seem to be able to connect. Can you tell me how I issue, and which certificate I should issue, to be able to connect to the PDC machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath,
Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983

Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA
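The name question Mayuresh raises in this thread (the DC is "kaling" in "meta.test" but is reached from outside as "kaling.persistent.co.in") is exactly what a TLS client checks before it will use an LDAPS connection: the host name the client connects to must appear in the server certificate's subject alternative names (or its common name when there are no SANs). The following is an added example, not code from the thread or from the software involved. The two certificate dicts are constructed, in the shape Python's `ssl.getpeercert()` returns, so the check runs offline; `check_ldaps_endpoint` is the same check against a live server and is not run here.

```python
"""Why an LDAPS connection fails when the certificate names one host and the
client connects with another. Added example; the certificate dicts below are
constructed in the shape that ssl.getpeercert() returns.
"""
import socket
import ssl
from typing import List

# Constructed: a server-authentication cert issued to the DC for its AD DNS
# name only (what an enterprise CA would typically hand the domain controller).
CERT_ISSUED_TO_DC = {
    "subject": ((("commonName", "kaling.meta.test"),),),
    "subjectAltName": (("DNS", "kaling.meta.test"),),
}

# Constructed: the same cert reissued with the external name added as a SAN.
CERT_WITH_EXTERNAL_NAME = {
    "subject": ((("commonName", "kaling.meta.test"),),),
    "subjectAltName": (("DNS", "kaling.meta.test"), ("DNS", "kaling.persistent.co.in")),
}


def dns_names(cert: dict) -> List[str]:
    """DNS names the certificate is valid for: the SANs if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def _match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' covering the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def hostname_matches(cert: dict, host: str) -> bool:
    """True when the name the client connects to is covered by the certificate."""
    return any(_match(pattern, host) for pattern in dns_names(cert))


def explain(cert: dict, host: str) -> str:
    """Human-readable verdict for a (certificate, connect name) pair."""
    names = dns_names(cert)
    if hostname_matches(cert, host):
        return f"OK: '{host}' is covered by {names}"
    return f"MISMATCH: client connects to '{host}' but the certificate is for {names}"


def check_ldaps_endpoint(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Live version of the same check against a DC's LDAPS port (not run here).

    The chain is still validated (CERT_REQUIRED); only the name comparison is
    done by this module so that the message above can be produced.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return explain(tls.getpeercert(), host)


if __name__ == "__main__":
    for cert in (CERT_ISSUED_TO_DC, CERT_WITH_EXTERNAL_NAME):
        for host in ("kaling.meta.test", "kaling.persistent.co.in", "kaling"):
            print(explain(cert, host))
```

Running the offline part shows the first certificate passing for the internal name and failing for the external one, and the reissued certificate passing for both; the short name "kaling" matches neither, since name matching is exact on the full DNS name.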
RE: [ActiveDir] AD User Export and Import
It is my understanding that you can download the free MIIS Identity Integration Feature Pack for this purpose.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en
http://www.microsoft.com/windowsserversystem/miis2003/techinfo/planning/galsynchstep.mspx

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 28, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD User Export and Import

Yes, it requires you writing a script to export mailbox-enabled users from both forests, then create mail-enabled contacts in the other forest. This could get involved if you have naming collisions. It could take 2 weeks just to work the script out so it doesn't cause more issues than it helps. It depends on what you are starting with. You could look for another third-party tool to buy as well, but I'm not sure you would want to do that for 2 weeks.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import

Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option because we are going to merge both forests in 2 weeks. During this 2-week period, we need to sync both GALs. Is there a way I can copy the GAL between the forests and schedule the task?

Thanks in advance!
RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names
Hi Guido,

See inline answers. We are not going to put more time into this as we are not able to find the problem. Last week we had a user where it first did not work and a day later it did work (nothing changed as far as I know). For those where it still does not work we provided a batch file to re-create the H: mapping after the user has logged on.

Greetz,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 28 February 2005 9:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hello Jorge and Paul,

...but it happens on all Win95 clients?

ANSWER: that's the funny part... NO, not on all Win95 clients.

Well, first of all, it may be wise to get rid of Win95, but I'm sure you've been through all of that ("no time and budget to do so right now", "it worked before, so why shouldn't it work now", "need to get this working now and will fix my OS issue later")... Funny how companies sometimes spend thousands of dollars on fixing problems that wouldn't exist if they spent the same money to update their systems ;-) As you know, I'm also currently supporting a Novell/AD migration with thousands of NT4 clients...

ANSWER: I know what you mean, that companies sometimes believe it's cheaper to screw around and keep the old crap running than to implement a new clean system. In the short term they might be right, but in the long term the money that was used to keep the old crap running could be used to implement a new system and afterwards to have a huge party! ;-)) At the same time we're migrating from the client/server concept to the SBC concept. Users on Win95/98 have apps installed locally. In time, local apps (I mean the exe that starts the app) are de-installed and they receive their new version of the app through Citrix. When all apps are almost done

Back to your problem: I hope it's fair to assume that you only have a limited number of Win9x machines in the environment and most other clients are WinNT and above, so that anything you're going to do to fix the Win95 issue now is of a temporary nature - correct?

ANSWER: it's the other way around. Mostly W95/98 and some NT-based systems (WNT/W2K/WXP).

If that assumption is correct, I wouldn't really do any more work on this to solve the issue, as you already have it solved: just re-map the home share for the Win95 clients during the execution of the login script. You shouldn't have an issue simply checking the OS env-variable and, for all clients that are not equal to Windows_NT, unmapping and re-mapping the home share. Assuming you want to map a share that contains the logon name of the user, it may be wise to pass the user's sAMAccountName as a parameter to the logon script (as far as I recall, Win9x clients don't automatically get the username variable in their environment).

ANSWER: That's the fun part... it's the mapping that is created through the login script (NET USE H: /HOME) that sometimes does not allow renaming to an LFN. After the user has logged on and executes "NET USE H: /DELETE" followed by "NET USE H: /HOME" the problem disappears. If I map the home directory in the login script to another DRIVE it works without the error!!!??? Fun, ain't it?

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Friday, February 25, 2005 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Oh, and to add those finest little details: same users, same documents on Windows 98.. no problem. Open a document with a long file name in the corresponding application, and save as under another long name.. no problem either.

Yeah, time for more beer..

Regards,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, February 25, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VERY STRANGE ISSUE - Windows 95 and Long File Names

Hi,

During our Novell/NT4 to W2K3 migration we are experiencing a very, very strange issue that until now we have not been able to solve.

The situation is:
* Home directory data was stored on Novell and users had an H: mapping to it
* Home directory data has been migrated to Windows
* A Netlogon login script has been implemented in the NT4 domain (clients/users are still in the NT4 domain) and each user in NT4 has its login script attribute set to LOGON.BAT
* The Netlogon login script makes an H: mapping for a user to its home directory on the Windows file server
* The Netlogon login script makes other mappings for a user to other locations on the Windows file server

The issue:
* Users can create documents with Word on H: (new document in Word and save in H:) with long file names
* Users can create documents with Word on other drives (new document in Word and save in H:) with long
Re: [ActiveDir] A referral was returned from the server when executing a query.
Any query throws the referral exception. Like

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))

which is from the All Contacts address list, or

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

which is from the Default Global Address List.

Any ideas are welcome =)

Mikael Håkansson

On Mon, 28 Feb 2005 08:50:43 -0500, joe [EMAIL PROTECTED] wrote:

1. Cool
2. Your search should use objectCategory, not objectClass.
3a. Ok
3b. What exactly is the query? The rest of the stuff building up to it isn't throwing the referral; the query you neglect to show is.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 4:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A referral was returned from the server when executing a query.

I'm working on an application for listing contacts and address lists in Active Directory, but I get an error every time I execute a query. I'm using the DirectoryServices namespace in .NET (which encapsulates the Active Directory Service Interfaces) to communicate with Active Directory.

1. I bind to the RootDSE object to retrieve the DN of the configuration container and the root domain. According to the log file, I get:
   Configuration container: DC=configuration,DC=myDomain,DC=com
   Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the address lists (using the DirectorySearcher with the filter (&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*)) ... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property (this gives me the path: LDAP://DC=myDomain,DC=com;). This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against Active Directory (the query is taken from the currently selected address list). Whenever I execute a query, I get an exception:

   -2147016661 A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server does not exist), but it doesn't add up since I'm able to connect and retrieve the address lists. I have set the option to follow all referrals (subordinate, external). Does anyone know what might be wrong? I'm pretty convinced it is not a programming error. Probably just my lack of knowledge regarding Active Directory :)

Thanks
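Before blaming the directory, it is worth confirming that the filter string handed to DirectorySearcher is syntactically a filter at all, and seeing which attributes it tests (joe's point about objectCategory). The parser below is an added example, not code from the thread, the application or .NET; it parses RFC 4515 filters such as the purportedSearch values quoted above into a tree, reports the attributes used, and rejects a filter whose `&` has gone missing (which is how these filters tend to arrive when copied out of a web archive). It handles the equality, presence, `>=`, `<=` and `~=` forms the page's filters use and does not decode `\xx` escapes inside values.

```python
"""Minimal RFC 4515 LDAP search-filter parser (added example, not code from
the thread). Builds a tree, lists attributes, and rejects malformed input.

Node shapes: ("&"|"|", [children]), ("!", child), ("=", attribute, value).
"""

# Filters quoted in the thread, with the '&' that the archive dropped restored.
ADDRESS_LISTS = "(&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))"
ALL_CONTACTS = "(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))"
DEFAULT_GAL = (
    "(&(mailnickname=*)(|"
    "(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))"
    "(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))"
)
# The address-list filter exactly as it appears in the archived post (no '&').
AS_ARCHIVED = "((|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))"


class FilterError(ValueError):
    """Raised for a filter that does not parse."""


def parse_filter(text: str):
    """Parse one complete filter string into a tree; raise FilterError if malformed."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise FilterError(f"trailing data at offset {pos}: {s[pos:]!r}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    op = s[i]
    if op in "&|":                      # AND / OR: one or more nested filters
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' without operands at offset {i}")
        node = (op, children)
    elif op == "!":                     # NOT: exactly one nested filter
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:                               # simple item: attr=value, attr>=value, attr=*
        end = s.find(")", i)
        if end == -1:
            raise FilterError("unterminated item")
        item = s[i:end]
        if "=" not in item:
            raise FilterError(f"item without '=': {item!r}")
        attr, value = item.split("=", 1)
        if attr and attr[-1] in "<>~":  # strip the comparison operator from the name
            attr = attr[:-1]
        node = ("=", attr, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def attributes_used(node) -> set:
    """Every attribute name referenced in the filter (case preserved)."""
    if node[0] == "=":
        return {node[1]}
    if node[0] == "!":
        return attributes_used(node[1])
    return set().union(*(attributes_used(c) for c in node[1]))


def uses_objectcategory(node) -> bool:
    """joe's check: does the filter test objectCategory (not only objectClass)?"""
    return "objectcategory" in {a.lower() for a in attributes_used(node)}


def to_string(node) -> str:
    """Serialize a tree back to filter syntax (round-trips parse_filter output)."""
    if node[0] == "=":
        return f"({node[1]}={node[2]})"
    if node[0] == "!":
        return f"(!{to_string(node[1])})"
    return f"({node[0]}{''.join(to_string(c) for c in node[1])})"


if __name__ == "__main__":
    for name, text in (("ADDRESS_LISTS", ADDRESS_LISTS), ("ALL_CONTACTS", ALL_CONTACTS),
                       ("DEFAULT_GAL", DEFAULT_GAL), ("AS_ARCHIVED", AS_ARCHIVED)):
        if is_valid_filter(text):
            tree = parse_filter(text)
            print(f"{name}: ok, attributes {sorted(attributes_used(tree))}, "
                  f"objectCategory used: {uses_objectcategory(tree)}")
        else:
            print(f"{name}: NOT a valid filter")
```

The address-list container filter from the first post passes the syntax check but tests only objectClass, which is what joe's second point is about; the two purportedSearch filters test objectCategory and parse cleanly, so the referral error Mikael sees is not coming from filter syntax.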
RE: [ActiveDir] Disabling Inactive Users
Any other times that you know of? Outlook wouldn't be a simple bind (I hope not anyway!!).

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 25, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

lastLogon isn't updated during a simple bind.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 23, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

One of the things mentioned in this thread was that lastLogon doesn't get updated in all cases even if the user object is used for authentication. I'm very interested in knowing under what circumstances this can occur and why lastLogon wouldn't update when a user authenticates. From some off-line conversations, one example might be when they use Outlook with the prompt for credentials option. I would suspect that if a user object that lives in AD authenticates from an NT 4 domain this might be possible as well.

I'm also interested in what would be a true indicator of the credentials being used. My expectation is that any time a credential is used, lastLogon should get updated and that lastLogonTimestamp would get updated every 7 days and replicated out.

I would appreciate hearing the details if possible. Anyone?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, February 23, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

James,

I would like to just expand a little on what Gil said about Javelina's product. http://www.javelinasoftware.com/

AD Toolkit is the Hyena of reporting / bulk AD administration tools. It is extremely useful and has the ability to schedule the execution of reports and bulk administration. It can also be customized relatively quickly and distributed to data administrators so they can only do certain AD functions and are limited in what they can modify on AD objects. One report that comes canned with the tool is a report that identifies accounts based on last login date. With some work, I think you could automate a process that would report on this, and then you could use the report to bulk deactivate accounts and move them.

I encourage everyone to evaluate the tool and make their own conclusions, but it is extremely powerful and useful.

Todd Myrick MVP

From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling Inactive Users

AFAIK there's no GPO setting to do this. Most people run a script periodically or use a 3rd party tool like Javelina.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James
Sent: Tuesday, February 22, 2005 1:56 PM
To: ActiveDir@Mail.ActiveDir.org
Subject: [ActiveDir] Disabling Inactive Users

Is there a GPO setting (or some other path) to disable inactive users after a specified period of time? In other words, I'd like to automatically disable Joe User if he has not logged on in more than 90 days.

Thanks,
James R. Rogers
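The "run a script periodically" approach from this thread, applied to James's 90-day question, as an added example that is not code from the list or from Javelina's product. It assumes the caller has already read lastLogon from every DC (it is not replicated) plus the replicated lastLogonTimestamp, that both are Windows FILETIME integers, and that the directory snapshot below is constructed for the example.

```python
"""Added example, not code from the thread: flag AD users that have not
logged on for more than 90 days while honouring the lastLogon /
lastLogonTimestamp behaviour discussed above.

Assumptions made here, not stated in the thread:
  * Values are Windows FILETIME integers (100-ns ticks since 1601-01-01
    UTC); 0 or a missing attribute means "never logged on (on this DC)".
  * lastLogon is per-DC and unreplicated, so the caller collected it from
    each DC; lastLogonTimestamp is replicated but refreshed lazily, so it
    may lag the real last logon.
  * The directory snapshot below is constructed for the example.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVE_AFTER = timedelta(days=90)   # threshold from James's question


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; 0/None -> None (never logged on)."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used to build the sample data)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def newest_logon(user):
    """Best available estimate of the user's last logon.

    lastLogon from every DC that answered and lastLogonTimestamp are all
    candidates (the replicated value may be newer than anything collected
    if a DC was unreachable); the newest wins.  A simple LDAP bind does not
    update lastLogon (joe's point), so treat the result as a lower bound.
    """
    candidates = [filetime_to_datetime(v) for v in user["lastLogon"].values()]
    candidates.append(filetime_to_datetime(user.get("lastLogonTimestamp")))
    candidates = [c for c in candidates if c is not None]
    return max(candidates) if candidates else None


def classify(user, now):
    """Return (status, idle_days) with status 'active', 'inactive' or
    'never'.  Accounts with no logon at all are measured from whenCreated
    so that a brand-new account is not disabled on day one."""
    last = newest_logon(user)
    if last is None:
        idle = now - user["whenCreated"]
        return ("never" if idle > INACTIVE_AFTER else "active", idle.days)
    idle = now - last
    return ("inactive" if idle > INACTIVE_AFTER else "active", idle.days)


def stale_accounts(users, now):
    """Names a periodic disable job should act on (everything not active)."""
    return sorted(n for n, u in users.items() if classify(u, now)[0] != "active")


# --- constructed sample snapshot: two DCs, dc1 and dc2 ---------------------
NOW = datetime(2005, 2, 28, tzinfo=timezone.utc)


def _days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE_USERS = {
    # replicated timestamp lags; dc1 holds the recent logon -> active
    "alice": {"lastLogon": {"dc1": _days_ago(10), "dc2": _days_ago(200)},
              "lastLogonTimestamp": _days_ago(20),
              "whenCreated": NOW - timedelta(days=400)},
    # newest evidence anywhere is 100 days old -> inactive
    "bob":   {"lastLogon": {"dc1": 0, "dc2": _days_ago(120)},
              "lastLogonTimestamp": _days_ago(100),
              "whenCreated": NOW - timedelta(days=400)},
    # never logged on anywhere and created long ago -> never
    "carol": {"lastLogon": {"dc1": 0, "dc2": 0},
              "lastLogonTimestamp": 0,
              "whenCreated": NOW - timedelta(days=200)},
    # dc2 did not answer; only the replicated timestamp shows the logon
    "dave":  {"lastLogon": {"dc1": 0},
              "lastLogonTimestamp": _days_ago(5),
              "whenCreated": NOW - timedelta(days=400)},
    # created yesterday, no logon yet -> leave alone
    "erin":  {"lastLogon": {"dc1": 0, "dc2": 0},
              "lastLogonTimestamp": 0,
              "whenCreated": NOW - timedelta(days=1)},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, classify(user, NOW))
    print("disable candidates:", stale_accounts(SAMPLE_USERS, NOW))
```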
[ActiveDir] Unlock Workstation User Right
I want to grant some users the right to unlock workstations in a W2K3 domain. I have scanned through Group Policy and I can't seem to find the appropriate setting to do this. Is this a right that is automatically granted to one of the Built-In groups? If so, which one? It seems overkill to have to add users to the Administrators group to get this right. Thanks in advance for any help the list can give.

Tim
RE: [ActiveDir] A referral was returned from the server when executing a query.
Can you include the code snippet where this occurs? Have you tried using an alternate tool (LDP or Joe's ADFIND) to validate that you don't get the same results from those tools? Is this a single domain forest that you're testing in?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A referral was returned from the server when executing a query.

Any query throws the referral exception. Like

    (&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))

which is from the All Contacts address list, or

    (&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

which is from the Default Global Address List.

Any ideas are welcome =)

Mikael Håkansson

On Mon, 28 Feb 2005 08:50:43 -0500, joe [EMAIL PROTECTED] wrote:

1. Cool
2. Your search should use objectcategory, not objectclass.
3a. Ok
3b. What exactly is the query? The rest of the stuff building up to it isn't throwing the referral, the query you neglect to show is.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 4:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A referral was returned from the server when executing a query.

I'm working on an application for listing contacts and address lists in Active Directory. But I get an error every time I execute a query. I'm using the DirectoryServices namespace in .NET (which encapsulates the Active Directory Service Interfaces) to communicate with Active Directory.

1. I bind to the RootDSE object to retrieve the DN of the configuration container and the root domain. According to the log file, I get:
   Configuration container: DC=configuration,DC=myDomain,DC=com
   Root Domain: DC=myDomain,DC=com

2. I connect to the configuration container and retrieve all the address lists (using the DirectorySearcher with the filter
   (&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))
   ... so far so good ...

3. I then connect using the value from the rootDomainNamingContext property (this gives me the path: LDAP://DC=myDomain,DC=com;). This works fine.

... Now the problem begins ...

I use the .NET DirectorySearcher class to execute an LDAP query against Active Directory (the query is taken from the currently selected address list). Whenever I execute a query, I get an exception:

    -2147016661 A referral was returned from the server

This is usually an indication that the DN is wrong (i.e. the server does not exist), but it doesn't add up since I'm able to connect and retrieve the address lists. I have set the option to follow all referrals (subordinate/external).

Does anyone know what might be wrong? I'm pretty convinced it is not a programming error. Probably just my lack of knowledge regarding Active Directory :)

Thanks
RE: [ActiveDir] Unlock Workstation User Right
Account Operators local group I think. Must use ADUC; you might have to grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick

From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right
RE: [ActiveDir] AD User Export and Import
Santhosh,

If you would like to download our SimpleSync product from www.CPS-Systems.com you can use it in a 'test' mode for two weeks. It should take less than an hour to implement a 2-way synchronization. If you would like to discuss, please give me a call.

Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, February 28, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD User Export and Import

Good morning,

I have 2 AD 2003 forests with Ex2003. We need to export all the users from one forest and import them into the second forest as contacts. Unfortunately, IIFP is not an option because we are going to merge both forests in 2 weeks. During this 2-week period, we need to sync both GALs. Is there a way I can copy the GAL between the forests and schedule the task?

Thanks in advance!
RE: [ActiveDir] Unlock Workstation User Right
If you mean unlock the console of a machine locked by a user, I think you have to be an administrator on that machine. It doesn't take any domain level permissions except being an authenticatable user, unless the machine someone wants to unlock is a DC, at which point they have to be an admin of the DCs.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right
RE: [ActiveDir] A referral was returned from the server when executing a query.
Hopefully JoeK will swing by shortly to say his piece on the .NET call. For the queries below, unless you want them scoped at a specific domain anyway, consider querying a GC since all of those attribs are in the GC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 28, 2005 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A referral was returned from the server when executing a query.
Re: [ActiveDir] A referral was returned from the server when executing a query.
Well, this is the problem... I don't really know. This module is a part of a bigger application, and the error occurs on one of the customer's networks. I assume there exist several forests since it's a big company (world-wide). Unfortunately, I can't run any test with e.g. LDP since they do not allow any tests on their live environment.

I was hoping that someone might have any idea what could cause a problem like this.

Code snippet:

    ' "LDAP://" & m_sRootDomain: the concatenation operator was lost in the archive copy
    Dim de As New DirectoryEntry("LDAP://" & m_sRootDomain)
    Dim dsDirSearcher As New DirectorySearcher(de)
    Dim src As SearchResultCollection

    dsDirSearcher.Filter = m_AddressBook.Filter
    dsDirSearcher.SizeLimit = Options.MaxHits
    ' PropertiesToLoad is a read-only collection; attribute names are added to it
    dsDirSearcher.PropertiesToLoad.AddRange(m_arrProperties)
    dsDirSearcher.ReferralChasing = ReferralChasingOption.All
    dsDirSearcher.SearchScope = SearchScope.Subtree
    dsDirSearcher.CacheResults = True

    src = dsDirSearcher.FindAll()

boom, this is where it all goes to h***

Regarding Joe's post about GC. Which attributes are stored in the GC? I need to retrieve information like phone numbers, name, address, mail etc. These are the attributes I'm interested in:

givenName, sn, title, mail, company, department, info, whenChanged, physicalDeliveryOfficeName, whenCreated, userPrincipalName, targetaddress, Street, l, postalCode, c, st, telephoneNumber, facsimileTelephoneNumber, otherFacsimileTelephoneNumber, homePhone, otherHomePhone, mobile, otherMobile, otherTelephone, distinguishedname

Mikael

On Mon, 28 Feb 2005 09:52:08 -0500, joe [EMAIL PROTECTED] wrote:
Re: [ActiveDir] Problem using Certificates to connect to AD machine
If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field. Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!
steve

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it.

In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I tried to generate a certificate using the W2K CA, but somehow, I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (e.g. from my machine) as "kaling.persistent.co.in". Anything I must take care of while generating the certificate?

Regards,
Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi,

I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how I issue, and which certificate I should issue, to be able to connect to the PDC machine?

Thanks.

Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath,
Senapati Bapat Road.
Pune - 16.
Phone: 020-25602983
Re: [ActiveDir] A referral was returned from the server when executing a query.
Ok, thanks. I will check this immediately :)

Mikael

On Mon, 28 Feb 2005 10:25:50 -0500, Mulnick, Al [EMAIL PROTECTED] wrote:

I would expect the error to occur in the part of the code that makes the search request:

    src = dsDirSearcher.FindAll()

The referral may be occurring because of a multi-domain environment. You're making a call to the directory looking for objects that exist in one domain, while the string you are using to connect may be the root domain instead. You can debug that by writing out your variables and strings to see what the exact query string is (I like to write out the query string exactly as it's called to make sure I'm not making a syntax error). When you posted here, you cleaned it up, but look again to make sure that the domain you're trying to query against is the domain your app lives in. This one, m_sRootDomain, would be an interesting string/var to know the value of at runtime.

As Joe mentioned, the GC is likely a better bet to use since you won't have to worry about domain location as much. The GAL is made up of attributes that are in the GC since it needs to be global anyway. Microsoft put the GAL attributes into the GC so you can find all users globally in a forest, and that is presented back to you as an Address List. You can find out exactly which attributes get put there from MSDN by looking at the Exchange attributes.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Monday, February 28, 2005 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A referral was returned from the server when executing a query.
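Al's advice to write the exact query string out and check it, together with joe's point 2 about objectCategory, applied offline to the filters quoted in this thread, as an added example that is not part of Mikael's application. It assumes the '&' characters the mail archive stripped from the quoted filters are restored; the garbled copy is kept as a negative case.

```python
"""Added example (not Mikael's code): parse and sanity-check the LDAP filters
quoted in this thread before sending them, following Al's advice to write the
exact query out and joe's point 2 (prefer objectCategory).  Assumption: the
'&' characters the mail archive stripped from the quoted filters are restored.
"""


class FilterError(ValueError):
    """Unbalanced parentheses or a malformed filter item."""


def parse_filter(text):
    """Parse the RFC 4515 subset the address-list filters use: (&...), (|...),
    (!...), (attr=value) and presence (attr=*).  Returns a tuple tree:
    ('&', [..]), ('|', [..]), ('!', child), ('=', attr, value), ('present', attr).
    """
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(item())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", item())
        else:
            end = text.find(")", pos)
            if end < 0:
                raise FilterError("unterminated item at offset %d" % pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr or " " in attr:
                raise FilterError("malformed item %r" % text[pos:end])
            pos = end
            result = ("present", attr) if value == "*" else ("=", attr, value)
        if pos >= len(text) or text[pos] != ")":
            raise FilterError("missing ')' at offset %d" % pos)
        pos += 1
        return result

    tree = item()
    if pos != len(text):
        raise FilterError("trailing text at offset %d" % pos)
    return tree


def attributes(tree):
    """Every attribute the filter touches (a GC:// search needs all of them
    in the global catalog)."""
    if tree[0] in ("&", "|"):
        return set().union(*(attributes(c) for c in tree[1]))
    if tree[0] == "!":
        return attributes(tree[1])
    return {tree[1]}


def objectclass_without_category(tree, covered=False):
    """objectClass values tested with no objectCategory term in an enclosing
    AND (joe's point 2; objectCategory is single-valued and indexed)."""
    kind = tree[0]
    if kind == "&":
        covered = covered or any(
            c[0] == "=" and c[1].lower() == "objectcategory" for c in tree[1])
    if kind in ("&", "|"):
        return [h for c in tree[1] for h in objectclass_without_category(c, covered)]
    if kind == "!":
        return objectclass_without_category(tree[1], covered)
    if kind == "=" and tree[1].lower() == "objectclass" and not covered:
        return [tree[2]]
    return []


def check(text):
    """Verdict string for a filter, the kind of line Al suggests logging."""
    try:
        tree = parse_filter(text)
    except FilterError as exc:
        return "REJECT: %s" % exc
    hits = objectclass_without_category(tree)
    note = "; objectClass without objectCategory: %s" % ", ".join(hits) if hits else ""
    return "OK: attributes %s%s" % (sorted(attributes(tree)), note)


# Filters quoted in the thread ('&' restored) plus one copy exactly as the
# archive shows it, which the parser must reject.
ALL_CONTACTS = "(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=contact))))"
DEFAULT_GAL = ("(&(mailnickname=*)(|"
               "(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
               "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
               "(&(objectCategory=person)(objectClass=contact))(objectCategory=group)"
               "(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))")
ADDRESS_LISTS = "(&(|(objectClass=addressBookContainer)(objectClass=msExchOAB))(purportedSearch=*))"
GARBLED = "( (mailnickname=*) (| ((objectCategory=person)(objectClass=contact)) ))"
```

Running `check()` over the four strings shows the two GAL filters accepted, the address-list filter flagged for testing objectClass alone, and the archived copy rejected as malformed.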
[ActiveDir] Change the Password Error Message
Is it possible to change the error message you get when you set a password to something that isn't compliant with the password policy? A couple of people on my team think it is a registry setting in NT 4.

Thanks,
Todd Myrick
RE: [ActiveDir] Change the Password Error Message
Nope.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message
RE: [ActiveDir] Change the Password Error Message
Actually, I did find a KB that pointed to a hotfix that addresses the issue slightly. http://support.microsoft.com/?kbid=821425

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message
RE: [ActiveDir] Change the Password Error Message
Yep, the good fix would be being able to specify exactly the text of the message. This has been one of the banes against deploying custom password filters for years and years and has forced people into building or buying custom packages that send people to special web sites prior to the system expiring their password, or having special client apps on the workstations to do the work and display the correct message.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message
RE: [ActiveDir] Unlock Workstation User Right
Hi Tim

We have some users who were delegated the right to do this. The delegation wizard will not do it, but you can change the security settings on the OU or domain to allow specific groups/users the right without making them part of any elevated group.

1. On the Object tab, find "Apply onto:", click on the down arrow and select User objects (last entry).
2. In the Permissions window, find Reset Password (2nd from the bottom) and check the Allow box.
3. Click on the Properties tab, find "Apply onto:", click on the down arrow and select User objects (last entry).
4. In the Permissions window, check the Allow box for the following 4 permissions (permissions are more or less alphabetical; look about 1/3 down the list):
   Read lockoutTime
   Write lockoutTime
   Read pwdLastSet
   Write pwdLastSet

Remark: The user who is given this permission will not be able to unlock any user that does not have "Inherit from parent the permission entries that apply to child objects" checked under the Security tab in the user's properties.

This came out of the MS KB article http://support.microsoft.com/?kbid=294952

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Myrick, Todd (NIH/CC/DNA) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/28/2005 09:30 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right

Account Operators Local Group I think. Must use ADUC; you might have to grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick

From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right

I want to grant some users the right to unlock workstations in a W2K3 domain. I have scanned through Group Policy and I can't seem to find the appropriate setting to do this. Is this a right that is automatically granted to one of the Built-In groups? If so, which one? It seems overkill to have to add users to the Administrators group to get this right. Thanks in advance for any help the list can give.

Tim
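A scripted form of the delegation James walks through above, as an added example that is not from the thread or from the KB article. It grants the Reset Password extended right plus read/write on lockoutTime and pwdLastSet to a help-desk group with dsacls, verifies the ACEs, and then lists the user objects that block inheritance (the case James's remark warns about). The OU, domain and group names are placeholders, and the last step assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example, not from the ActiveDir thread. Delegate "unlock account" to a
# help-desk group following the ACEs James lists, using dsacls instead of the
# ACL editor. $ou and $group are placeholders; change them for your domain.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\HelpDesk-Unlock'

# dsacls grant syntax: trustee:permissions;objectType;inheritedObjectType
#   /I:S  apply to sub-objects only      (= "Apply onto: User objects")
#   CA    control access right           (= the "Reset Password" extended right)
#   RPWP  read property + write property (= Read/Write on the named attribute)
$grants = @(
    "${group}:CA;Reset Password;user",
    "${group}:RPWP;lockoutTime;user",
    "${group}:RPWP;pwdLastSet;user"
)

foreach ($grant in $grants) {
    dsacls $ou /I:S /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$grant'" }
}

# Verify the ACEs landed: dsacls prints one line per ACE, so filter on the group.
dsacls $ou | Select-String -SimpleMatch $group

# Users with "Inherit from parent" unchecked will not receive the new ACEs.
# List them so they can be fixed (or granted explicitly) before the help desk
# reports that unlock "does not work" for those accounts.
Import-Module ActiveDirectory
Get-ADUser -SearchBase $ou -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName
```

Run it as an account that may modify the OU's security descriptor. On Windows Server 2003 dsacls ships in the Support Tools; from Windows Server 2008 on it is built in. Write access to lockoutTime is what performs the unlock itself (the attribute is set back to 0); the Reset Password right and pwdLastSet are the companions James's list includes so the same group can reset and force a change at next logon.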
RE: [ActiveDir] Unlock Workstation User Right
Sorry, ignore my last post completely - I read that as unlock user right, not the unlock workstation. I think Joe is correct - I believe only admins on the machine can unlock computers.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/28/2005 09:42 AM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right

If you mean unlock the console of a machine locked by a user, I think you have to be an administrator on that machine. It doesn't take any domain level permissions except being an authenticatable user unless the machine someone wants to unlock is a DC, at which point they have to be an admin of the DCs.

joe
RE: [ActiveDir] Unlock Workstation User Right
Thanks for the input from all. Sorry to not be clear - I meant unlock workstations. Thanks, Joe, for pointing out that I meant local admins group on the workstation. I was hoping that I could be a bit more granular in assigning this right - i.e. just the right to unlock the workstation instead of being a local administrator. Maybe I'll have to think again - maybe force logoff outside of office hours instead of allowing the workstation to lock.

Tim
Re: [ActiveDir] Problem using Certificates to connect to AD machine
This is the error number I am able to see.

session=3741BE8 cannot negotiate SSL security error 8048

Can you speculate what this means?

- Original Message -
From: Steve Patrick
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 9:03 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

If you installed the CA on the PDC then did you install it as an Enterprise CA? If this is a production environment you should really understand the PKI needs for your company currently, and any future plans. In a nutshell you need a Domain Controller cert or Server Auth cert on the DC with the FQDN of the DC in the Subject field. Your clients need to be able to resolve the FQDN and be able to reach the CDP locations you specified when setting up the CA (defaults are LDAP and HTTP paths to the CA itself). Clients also need to have the Root CA cert in the Trusted Roots store so the cert chains up correctly.

good luck!

steve

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Monday, February 28, 2005 5:58 AM
Subject: RE: [ActiveDir] Problem using Certificates to connect to AD machine

Slow down. This isn't the instant email AD support hotline. You sent the message when most of the people are offline that tend to respond to things. If you see it goes a couple of days without a response, then it is probably good to ping the list asking if anyone has seen it. In the meanwhile, have you referred to the MS websites on certs? Read the white papers and related docs? You were unaware of the cert requirement for an LDAP update at all until I responded Saturday with a fairly well known KB article that you could have found through google. Unless you are doing this from a non-windows machine, also consider alternative mechanisms for changing passwords that don't require the cert and ssl connection as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, February 28, 2005 8:34 AM
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

any views?

- Original Message -
From: Mayuresh Kshirsagar
To: Siddharth Sawkar
Cc: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 2:06 PM
Subject: Re: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I tried to generate a certificate using the w2k CA, but somehow I am not able to correctly generate one. The s/w (CP MDS server) is not able to connect to the server using this certificate. The name of the PDC is "kaling" in the domain "meta.test". But this machine is accessible from outside (eg. from my machine) as "kaling.persistent.co.in". Anything I must take care of while generating the certificate?

Regards,
Mayuresh.

- Original Message -
From: Mayuresh Kshirsagar
To: activeDir@mail.activedir.org
Sent: Monday, February 28, 2005 1:51 PM
Subject: [ActiveDir] Problem using Certificates to connect to AD machine

Hi, I have installed a CA on my PDC, and now I want to connect to this PDC from a different machine to change the "unicodePwd" attribute. I created a certificate and exported it and installed it on the connecting machine, but don't seem to be able to connect. Can you tell me how do I issue, and which certificate should I issue to be able to connect to the PDC machine?

Thanks.
Mayuresh Kshirsagar
Persistent Systems Pvt. Ltd.,
402E, Bhageerath, Senapati Bapat Road, Pune - 16.
Phone: 020-25602983
Persistent Systems is the Gold Sponsor of SOFTWARE 2005, April 26th-27th, Santa Clara, CA
RE: [ActiveDir] Change the Password Error Message
You as an MVP have a mechanism to submit this request. :o)

Something bug

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Thanks Joe, I think my main point was to make sure there wasn't a way to specify it without modifying MSgina.dll on all workstations and servers. With the MS Identity Management push in Longhorn, maybe we can sway them to allow for more customized account management operations / jobs.

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Yep, the good fix would be to be able to specify exactly the text of the message. This has been one of the banes against deploying custom password filters for years and years and has forced people into building or buying custom packages that send people to special web sites prior to the system expiring their password, or having special client apps on the workstations to do the work and display the correct message.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Actually, I did find a KB that pointed to a hotfix that addresses the issue slightly. http://support.microsoft.com/?kbid=821425

Todd

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change the Password Error Message

Nope.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change the Password Error Message

Is it possible to change the error message you get when you set a password to something that isn't compliant to the password policy? A couple of people on my team think it is a registry setting in NT 4.

Thanks,
Todd Myrick
Re: [ActiveDir] Problem using Certificates to connect to AD machine
I generated this certificate from the CA and it says it doesn't have enough information to verify this certificate! I generated a new certificate from "Personal-certificate" in the Certificate snap-in. Then copied this certificate onto my machine and installed it here under the "Trusted Root Certification Authorities" store. But am still not able to connect. :-(
Re: [ActiveDir] Problem using Certificates to connect to AD machine
I also see that the certificate that I see from right clicking the CA is as attached. But when I check using a utility from my machine, I see the following information:

Subject name: CN=kaling.meta.test
Issuer name : C=IN, L=Pune, O=PSPL, OU=support, CN=meta-test
Valid from (dd/mm/): 25/03/2004
Valid to (dd/mm/): 25/03/2006

Which is not matching. How can I correct this?
RE: [ActiveDir] DEC questions
Hi Dave,

This will be my fourth DEC and every one has been worth it. I think I have learned more at this conference than any other I have attended. It is very focused, intimate and full of some incredibly interesting people who are out there doing it. The content ranges in complexity but almost all is going to be accessible if you have been working with AD for years. What helps at this show is after the talk you are having conversations with attendees who can clarify topics based on their own experiences as well as provide tips on how it may be applicable to your situation. Like Joe mentioned, the ability to have candid conversations with people from Microsoft is also incredibly valuable. There are a slew of Microsoft people there and they are all focused on Directories and surrounding technologies. The networking outside of the Microsoft people is also a great value. Oh yeah, occasionally watching hung over people try to pay attention to deep DNS discussions is sort of fun as well G. Being a hung over person trying to pay attention to deep DNS discussions, well, that is not quite as fun!

I hope to see you there.

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, February 24, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DEC questions

Hi all, Hope you don't mind these... My company has considered the idea of sending a couple of us to the conference, but are wondering if they should use our vouchers to have us attend some AD troubleshooting workshops [by Microsoft] instead. While I don't know any specific details as to what that entails, we've also never been to one of these DECs! Our managers have asked us to justify in writing what we think we'll get out of this conference, and if it will prove more worthwhile than the MS offering (again - sorry that I don't know exactly *what* that is). Myself? I have 4+ years in a live AD environment, and can honestly say that some of what I've seen written on this list zooms high overhead (!), while other stuff falls right in line, so am hoping that I would be a good candidate to attend. I see many testimonials, etc... on the conf. website, so just hoping to get any brief thoughts from anyone - with many thanks in advance!

-DaveC
Reuters AITS Infrastructure

Visit our Internet site at http://www.reuters.com
Get closer to the financial markets with Reuters Messaging - for more information and to register, visit http://www.reuters.com/messaging
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
RE: [ActiveDir] Lee Jessup is out of the office.
Well - great, Lee. Have a safe Holiday and we'll be happy to hear from you when you return. :oP

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee Jessup
Sent: Monday, February 28, 2005 9:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lee Jessup is out of the office.

I will be out of the office starting 02/28/2005 and will not return until 03/04/2005. I will respond to your message when I return.
Re: [ActiveDir] Problem using Certificates to connect to AD machine
One more thing I noticed here is that it is using the cert which was installed a long while ago. But after that, the CA was installed/uninstalled several times, and new certificates were issued. But still it is using the same cert?
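Steve's checklist (FQDN of the DC in the Subject, a Domain Controller or Server Authentication certificate, the root CA trusted on the client, CDP reachable) and the two symptoms Mayuresh reports in this thread (a subject of CN=kaling.meta.test while the client connects as kaling.persistent.co.in, and the DC still presenting an old certificate after the CA was reinstalled) can all be checked from the client side. The following PowerShell probe is an added example, not code from the thread: it opens port 636, completes a TLS handshake, prints what the DC actually presents, and reports the exact validation failures. The host name is a placeholder taken from the thread; the validation callback returns $true only so the certificate can be inspected, which must never be done in production code.

```powershell
# Added example, not from the ActiveDir thread. Probe a DC's LDAPS port, show the
# certificate the DC really presents and why the client rejects it. The server
# name is a placeholder taken from the thread; use the name your client uses.
param(
    [string]$Server = 'kaling.persistent.co.in',
    [int]$Port = 636
)

# Record the policy errors but return $true so the handshake completes and the
# certificate can be inspected. Never ship a callback like this.
$state = @{ PolicyErrors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]({
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.PolicyErrors = $sslPolicyErrors
    return $true
}.GetNewClosure())

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

    # Name check: the FQDN the client used must appear in the Subject CN or in a
    # SAN entry. CN=kaling.meta.test cannot satisfy a client that connected to
    # kaling.persistent.co.in, which shows up as RemoteCertificateNameMismatch.
    "Connected to : $Server"
    "Subject      : $($cert.Subject)"
    "Issuer       : $($cert.Issuer)"
    "Valid        : $($cert.NotBefore) -> $($cert.NotAfter)"
    "Thumbprint   : $($cert.Thumbprint)"     # compare with the DC's own Personal store
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    "SAN          : $(if ($san) { $san.Format($false) } else { '(none)' })"
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    "EKU          : $(if ($eku) { $eku.Format($false) } else { '(none)' })"   # needs Server Authentication
    "Policy errors: $($state.PolicyErrors)"  # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors

    # Chain check on the client: is the issuing root in Trusted Root CAs, and is
    # the CDP (CRL) location reachable? Both are client-side requirements.
    $chainCheck = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainCheck.ChainPolicy.RevocationMode = 'Online'
    if (-not $chainCheck.Build($cert)) {
        $chainCheck.ChainStatus | ForEach-Object {
            "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())"
        }
    } else {
        "Chain        : OK ($($chainCheck.ChainElements.Count) elements)"
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Two readings of the output settle the thread's questions. If the Subject/SAN lines do not contain the name on the "Connected to" line, no amount of trusting the root will help; the DC needs a certificate whose Subject (or a SAN entry) is the name clients actually resolve. The thumbprint identifies which certificate the DC chose: Schannel on the DC selects from the Local Computer\Personal store (on the DC, `certutil -store My` lists it), so reinstalling the CA or issuing new certificates does not replace an older, still valid certificate that is already in that store until it is removed or superseded there.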
[ActiveDir] GPO List
Hi - Can anyone point me to a comprehensive list of the GPO options on a standard 2003 install? I have an Excel sheet that I downloaded from MS some years ago, but it is for 2000 only. This actually leads to another question: how do admins track their policies and links? I have been using this sheet (all options down the left) with each GPO/linked object across the top. Any better ideas? Thanks.
RE: [ActiveDir] GPO List
Hi,

See http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14=en (Group Policy Settings Reference for .adm files and Security Settings included with Windows XP Professional Service Pack 2).

This includes all Administrative Template policy settings supported on the following operating systems: Microsoft Windows Server(tm) 2003, Windows XP Professional with SP2 or earlier service packs, and Microsoft Windows 2000 with Service Pack 4 or earlier service packs.

To manage GPOs there are some third party tools (Quest, etc.), but MS has also a GPO tool (Group Policy Management Console) that's free and has great capabilities. Check it out at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Cheers
Jorge

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[ActiveDir] Querying for all users
Is there any attribute that is unique to real user accounts only (mail enabled and non-mail enabled)? We tried teaming up objectclass=user and givenname=*, but of course not all users have to have a given name. Then tried teaming up the objectclass with useraccountcontrol=5*, then we found out about the 66048s and 262656s... damn them. So, is there an ldap query that will give me all enabled active directory user accounts? Most likely it's so simple I would never have even thought about it.

TIA
Alex.
RE: [ActiveDir] Querying for all users
Hi,

The following should return all user accounts (DNs only):

ADFIND -dn -b dc=joehome,dc=net -f "(&(objectcategory=person)(samaccountname=*))"

Cheers
Jorge
RE: [ActiveDir] Querying for all users
Hi Alex,

The following filter might be right for you:

(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))

Yours,
Sakari

PS. This gives the same result as Jorge's filter, that he just sent, but mine looks cooler :-)
RE: [ActiveDir] Querying for all users
Lol. Dang! I always forget about the objectcategory attribute. Thanks guys!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, February 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users

Hi Alex,

The following filter might be right for you:

(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))

Yours,
Sakari

PS. This gives the same result as Jorge's filter, which he just sent, but mine looks cooler :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Tuesday, March 01, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users

Is there any attribute that is unique to real user accounts only (mail-enabled and non-mail-enabled)? We tried teaming up objectclass=user and givenname=*, but of course not all users have to have a given name. Then we tried teaming up the objectclass with useraccountcontrol=5*, then we found out about the 66048s and 262656s... damn them. So, is there an LDAP query that will give me all enabled Active Directory user accounts? Most likely it's so simple I would never have even thought about it.

TIA
Alex.
RE: [ActiveDir] Querying for all users
A couple of different ways:

adfind -bit -b dc=domain,dc=com -f "(&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2)))"

adfind -bit -b dc=domain,dc=com -f "(&(objectcategory=person)(samaccountname=*)(!(useraccountcontrol:AND:=2)))"

adfind -bit -b dc=domain,dc=com -f "(&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2)))"

The tricky part is your requirement of being ENABLED. The only way to do that is to make sure the disabled flag is not set in the useraccountcontrol. That will seriously slow down the query.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Monday, February 28, 2005 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users

Is there any attribute that is unique to real user accounts only (mail-enabled and non-mail-enabled)? We tried teaming up objectclass=user and givenname=*, but of course not all users have to have a given name. Then we tried teaming up the objectclass with useraccountcontrol=5*, then we found out about the 66048s and 262656s... damn them. So, is there an LDAP query that will give me all enabled Active Directory user accounts? Most likely it's so simple I would never have even thought about it.

TIA
Alex.
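The three filter styles in this thread (Jorge's objectcategory/samaccountname filter, Sakari's bit-AND on 512, and joe's negated bit-AND on the disabled flag) behave differently on exactly the userAccountControl values Alex stumbled over. The following is an added example, not code from any of the list posts or from adfind: it decomposes 66048 and 262656 into their flag bits, implements the semantics of the 1.2.840.113556.1.4.803 (bit-AND) matching rule, and evaluates each filter against a handful of constructed directory entries in a hypothetical domain, so the difference between "is a normal account" and "is enabled" is visible without touching a real DC.

```python
"""Evaluate the thread's "all users" LDAP filters offline.

Added example, not code from the list posts. The entries below are
constructed (hypothetical domain, not real accounts); the bit values are
the documented userAccountControl / sAMAccountType constants.
"""

# userAccountControl flag bits (subset), ordered by bit value
UAC_NAMES = {
    0x0002: "ACCOUNTDISABLE",            # 2      the bit joe's filters test
    0x0200: "NORMAL_ACCOUNT",            # 512    the bit Sakari's filter tests
    0x1000: "WORKSTATION_TRUST_ACCOUNT", # 4096   computer account
    0x10000: "DONT_EXPIRE_PASSWORD",     # 65536
    0x40000: "SMARTCARD_REQUIRED",       # 262144
}
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# sAMAccountType constants
SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, used in joe's third filter
SAM_MACHINE_ACCOUNT = 805306369      # 0x30000001


def uac_flags(value):
    """Decompose a userAccountControl integer into the flag names it carries."""
    return [name for bit, name in UAC_NAMES.items() if value & bit]


def bit_and(value, mask):
    """Semantics of userAccountControl:1.2.840.113556.1.4.803:=mask
    (adfind -bit spelling: useraccountcontrol:AND:=mask): true when every
    bit of mask is set in value."""
    return value & mask == mask


# Constructed sample objects. objectClass is the full inheritance chain,
# which is why (objectclass=user) alone also matches computers.
_USER_CHAIN = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": _USER_CHAIN,
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectCategory": "person", "objectClass": _USER_CHAIN,
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 66048},   # 512 + 65536
    {"sAMAccountName": "carol", "objectCategory": "person", "objectClass": _USER_CHAIN,
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 262656},  # 512 + 262144
    {"sAMAccountName": "dave", "objectCategory": "person", "objectClass": _USER_CHAIN,
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 514},     # 512 + 2 (disabled)
    {"sAMAccountName": "WS01$", "objectCategory": "computer", "objectClass": _USER_CHAIN + ["computer"],
     "sAMAccountType": SAM_MACHINE_ACCOUNT, "userAccountControl": 4096},
]


def _names(matches):
    return sorted(e["sAMAccountName"] for e in matches)


def objectclass_user_only(entries):
    """(objectclass=user): the computer account is included."""
    return _names(e for e in entries if "user" in e["objectClass"])


def all_person_users(entries):
    """Jorge: (&(objectcategory=person)(samaccountname=*)).
    Every user object, enabled or not; objectcategory=person leaves computers out."""
    return _names(e for e in entries
                  if e["objectCategory"] == "person" and e.get("sAMAccountName"))


def normal_account_users(entries):
    """Sakari: (&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512)).
    Keeps objects with the NORMAL_ACCOUNT bit set. A disabled user (514) still has
    that bit, so this is the same set as Jorge's filter, not the enabled subset."""
    return _names(e for e in entries
                  if e["objectCategory"] == "person"
                  and bit_and(e["userAccountControl"], NORMAL_ACCOUNT))


def enabled_users(entries):
    """joe: (&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2))).
    Enabled means the ACCOUNTDISABLE bit is clear. The negated bit-AND clause
    is what drops dave, and it is also the clause that cannot use an index."""
    return _names(e for e in entries
                  if e["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
                  and not bit_and(e["userAccountControl"], ACCOUNTDISABLE))


if __name__ == "__main__":
    for v in (66048, 262656, 514):
        print(v, "=", " + ".join(uac_flags(v)))
    print("objectclass=user only :", objectclass_user_only(ENTRIES))
    print("Jorge (all persons)   :", all_person_users(ENTRIES))
    print("Sakari (bit 512 set)  :", normal_account_users(ENTRIES))
    print("joe (disabled clear)  :", enabled_users(ENTRIES))
```

Against the sample entries, Jorge's and Sakari's filters both return alice, bob, carol and dave, while joe's returns only alice, bob and carol; bob and carol are the 66048 and 262656 accounts, which are ordinary enabled users with "password never expires" and "smart card required" set on top of NORMAL_ACCOUNT.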
RE: [ActiveDir] Querying for all users
Hi All,

Is there a way I can know which users have logged on to which DC? On an individual client PC, if I type the set command I will know the logon server, but this is a huge burden. If there is a command in AD that can tell me which users have logged on to which DC, this will help me isolate user logon delays and authentication problems.

Thanks

Have a Wonderful Day
Mohamed Yunus Saleem
System Network Specialist - IT Dept.
Royal Commission for Jubail Project.
Jubail Industrial City.
Tel: +966-3-3414213
E-mail: [EMAIL PROTECTED]
Web: www.rcjubail.gov.sa
[ActiveDir] lsass.exe hogs my domain controller cpu
Hello experts,

Lsass.exe hogs my domain controller's CPU (99%). What could be the reason for this, and how do I get rid of this problem? The machine was restarted twice but the problem still persists. By the way, the machines have Advanced Windows 2000 with SP4.

Regards,

DISCLAIMER: This electronic message transmission contains information from Qatar Steel Company (QASCO) which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. Be aware that any disclosure, copying, distribution or use of the contents of this information, including attachments, is prohibited without the written consent of Qatar Steel Company (QASCO).
RE: [ActiveDir] Querying for all users
Yeah, enable auditing on each DC through the DDC-GPO and then suck out the security log of each DC. One of the free tools to do this is EventComb from MS.

Regards,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saleem, Mohamed Yunus
Sent: Tuesday, March 01, 2005 05:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users

Hi All,

Is there a way I can know which users have logged on to which DC? On an individual client PC, if I type the set command I will know the logon server, but this is a huge burden. If there is a command in AD that can tell me which users have logged on to which DC, this will help me isolate user logon delays and authentication problems.

Thanks

Have a Wonderful Day
Mohamed Yunus Saleem
System Network Specialist - IT Dept.
Royal Commission for Jubail Project.
Jubail Industrial City.
Tel: +966-3-3414213
E-mail: [EMAIL PROTECTED]
Web: www.rcjubail.gov.sa
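Once logon auditing is on and the security logs have been pulled off each DC, the question "which user authenticated where" is a grouping job over the collected events. The following is an added example, not code from the list or from EventComb: it assumes the collector has already exported each DC's security log into rows of dc, event_id, time, user, client (the rows below are constructed sample data, not a real export), and it uses the Windows 2000/2003 Kerberos event IDs 672 (authentication ticket granted, i.e. the DC that actually authenticated the user) and 675 (pre-authentication failed) to build the per-DC and per-user views an admin would use when chasing logon delays.

```python
"""Map users to the DCs that authenticated them from exported security logs.

Added example, not code from the list or from EventComb. Assumes each DC's
security log was exported to rows of dc,event_id,time,user,client; the
SAMPLE_EXPORT rows are constructed, not taken from any real domain.
"""
import csv
import io
from collections import defaultdict

# Windows 2000/2003 security event IDs used here
KERBEROS_AS_TICKET_GRANTED = 672  # user authenticated against this DC
KERBEROS_PREAUTH_FAILED = 675     # typically a wrong password
NETWORK_LOGON = 540               # network session to the DC itself (SMB, LDAP)

# Constructed sample export (hypothetical DCs, users and client addresses)
SAMPLE_EXPORT = """\
dc,event_id,time,user,client
DC01,672,2005-03-01 08:01:12,jsmith,192.0.2.10
DC02,672,2005-03-01 08:01:40,mlee,192.0.2.11
DC01,540,2005-03-01 08:02:05,jsmith,192.0.2.10
DC02,675,2005-03-01 08:03:00,rkumar,192.0.2.12
DC02,675,2005-03-01 08:03:07,rkumar,192.0.2.12
DC02,672,2005-03-01 08:03:20,rkumar,192.0.2.12
DC03,672,2005-03-01 08:10:00,jsmith,192.0.2.50
"""


def parse_export(text):
    """Parse the CSV export into dicts with an integer event_id."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["event_id"] = int(r["event_id"])
    return rows


def users_per_dc(rows):
    """DC -> sorted list of users that obtained an AS ticket from it.
    A DC that serves users from the wrong site is a classic cause of slow logons."""
    out = defaultdict(set)
    for r in rows:
        if r["event_id"] == KERBEROS_AS_TICKET_GRANTED:
            out[r["dc"]].add(r["user"])
    return {dc: sorted(users) for dc, users in out.items()}


def dcs_per_user(rows):
    """user -> DCs that authenticated them, in first-seen time order.
    The same user appearing on several DCs shows a client hopping between them."""
    out = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["event_id"] == KERBEROS_AS_TICKET_GRANTED and r["dc"] not in out[r["user"]]:
            out[r["user"]].append(r["dc"])
    return dict(out)


def preauth_failures(rows):
    """user -> number of 675 events. Failures right before a 672 point at a
    password problem on the client side rather than a slow DC."""
    out = defaultdict(int)
    for r in rows:
        if r["event_id"] == KERBEROS_PREAUTH_FAILED:
            out[r["user"]] += 1
    return dict(out)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("users per DC      :", users_per_dc(rows))
    print("DCs per user      :", dcs_per_user(rows))
    print("pre-auth failures :", preauth_failures(rows))
```

The 540 network-logon row is deliberately left out of the per-DC view: it records a session to the DC's own shares or LDAP, not which DC authenticated the user, so counting it would inflate a DC's apparent logon load.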
RE: [ActiveDir] lsass.exe hogs my domain controller cpu
See the following if it applies: http://support.microsoft.com/Default.aspx?kbid=842382

Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Tuesday, March 01, 2005 08:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] lsass.exe hogs my domain controller cpu

Hello experts,

Lsass.exe hogs my domain controller's CPU (99%). What could be the reason for this, and how do I get rid of this problem? The machine was restarted twice but the problem still persists. By the way, the machines have Advanced Windows 2000 with SP4.

Regards,
[ActiveDir] EntDrv52 service failed
Title: EntDrv52 service failed

Hi,

I am getting an error in my system event log once every 4 minutes. It states that "The EntDrv52 service failed to start due to the following error: The system cannot find the file specified." Does anyone know what this service is? This started after upgrading the server from 2000 to 2003. I can't find anything on Google or in Microsoft's KB.

Regards,
Dinesh Tashildar
Cognizant Technology Solutions India Pvt. Ltd.
Tel : 91-20-4062600 Extn : 3119
Vnet : 23119

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Visit us at http://www.cognizant.com