RE: [ActiveDir] Recursive search on Root domain failed.
ERIC !!! You're the BEST !!! THAT WORKS FINE !! I had not found the solution to my problem for one year :( For Outlook 2003, the search succeeded thanks to the value you added with adsiedit, and it works better than the [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP] "DisableVLVBrowsing"=dword:0001 added per workstation !!! But I noticed that for PHP scripts, the error still remains... any thoughts ? Thank you very much, Eric, for the invaluable help you provided me :-) Cheers, Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, June 26, 2005 00:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

So I am writing a longer note about the history of VLV fixes we've thrown at it and why, but haven't finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it's 2 pages so far). In the interim, a couple of thoughts.

From the DSID you're getting, I'd speculate you're still doing VLV. I don't know what you've tweaked on the Outlook side, but that's my suspicion. A network sniff (or some more data) would confirm.

However, looking at this more broadly. If you implement this change as your fix, you'll find you need to do this on every client. That might grow old. :) A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later):

Fire up adsiedit, crack open the config NC.
Expand CN=Directory Service,CN=Windows NT,CN=Services. Edit CN=Directory Services.
Nav down to msds-Other-Settings. Edit.
In the "Value to add" box, type, without the quotes: "DisableVLVSupport=1". Click Add.

Give that a try, let us know how it goes. :)
~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

Thanks for the reply :) Yes, I have already followed the link you specified. I disabled the LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled - the list is empty, without the "Unavailable Critical Extension" error message box. The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook to search LDAP Active Directory first and not the Exchange GAL, and to type the sender in the "To..." field of Outlook: Outlook then verifies the sender against LDAP AD first, and that works. I thought of distributing this regkey with a GPO to all my users... I have already installed SP1 for W2K3 a month ago, and no way :( The same problem is reproduced in another French university. The maxpagesize (the max LDAP page size for the default query policy in my domain) is set to a high value, 2, instead of the default value of 1000. I wonder if this can be the reason... Cheers, Yann

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

Try disabling VLV in Outlook, you can do that here: 820864 "You Experience Performance Problems in Outlook 2003 When You Browse an" http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug; contact PSS for the hotfix (or install SP1 which I believe has the fix).
Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer, Northeast Region
Microsoft Corporation, Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive search on Root domain failed.

Hello, When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI, or PHP scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: "Unavailable Critical Extension". But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr), then the search works. When I used Outlook Express configured in LDAP, the recursive search ... worked. My environment: Forest AD2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003. The curious thing is that when I installed a fresh AD2003 test domain (without upgrade from AD2000), any recursive search (with PHP, Outlook 2003, etc.) works. So I suspect that it is the migration that causes the problem, but I didn't know if such a request worked before the migration :( My network trace between my workstation and any DCs confirmed the error:
LDAP: ProtocolOp = SearchResponse (simple)
LDAP: Result Code = Unavailable Critical Extension
LDAP: Error Message =20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)
LDAP: Controls
LDAP: Sort Response Control
LDAP: Criticality = 0 (0x0)
LDAP: Sort Result Code = Unwilling to Perform
I contacted MS French support and
RE: [ActiveDir] Recursive search on Root domain failed.
Can you take a network sniff of the PHP scripts failing? I suspect they are just blindly doing VLV, not actually checking if the DC they are talking to supports it. The mod you made below will remove the VLV OID from supportedCapabilities such that people that look for it won't find it. If the PHP scripts just use VLV w/o first checking, they'll still fail (though I'd argue while what we did isn't ideal, what they would be doing is just as bad if not worse, because you shouldn't use something like VLV w/o first checking that the DSA supports it).

I don't really know what that Outlook thing you tried does from the Outlook side, I'm an AD guy, not an Outlook guy. I've been told by people that I know that it just disables the attempt to use VLV, but there might be caveats they didn't mention. Maybe you don't have a late enough Outlook binary that understands it. Maybe you didn't do the magic DisableVLVBrowsing dance. I don't know.

As I mentioned before, I'm doing a write-up of this which I'll probably blog. I'll post to this list with a link to that post when I do it, probably soon, but I have a few other things I need to do first I'm afraid.
~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 27, 2005 1:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.
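Eric's point is that a client should look for the VLV control in rootDSE before sending it as a critical control. The following is an added example (not Eric's, Yann's or the list's code) in PowerShell that does that check and falls back to paged results when VLV is not advertised, plus a read of msDS-Other-Settings to confirm DisableVLVSupport=1 landed; it assumes a domain-joined Windows host with System.DirectoryServices, and the server name is a placeholder built on the thread's dc=domain,dc=fr.

```powershell
# Added example: check rootDSE supportedControl before using VLV; fall back to
# paged results otherwise. Placeholders: 'dc1.domain.fr', 'dc=domain,dc=fr'.
$VlvRequestOid  = '2.16.840.1.113730.3.4.9'   # LDAP_CONTROL_VLVREQUEST
$PagedResultOid = '1.2.840.113556.1.4.319'   # paged results control (RFC 2696)

function Test-LdapControl {
    # $true when the DC lists $Oid in its rootDSE supportedControl attribute
    param([string]$Server, [string]$Oid)
    $rootDse = [ADSI]("LDAP://$Server/RootDSE")
    return ([string[]]$rootDse.supportedControl) -contains $Oid
}

function Get-DsOtherSettings {
    # Reads msDS-Other-Settings on the Directory Service object in the config NC,
    # which is where the DisableVLVSupport=1 value from the thread is stored.
    param([string]$Server)
    $rootDse  = [ADSI]("LDAP://$Server/RootDSE")
    $configNc = [string]$rootDse.configurationNamingContext
    $ds = [ADSI]("LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc")
    return [string[]]$ds.'msDS-Other-Settings'
}

function Search-DirectoryUsers {
    [CmdletBinding()]
    param(
        [string]$Server,
        [string]$SearchBase,
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]("LDAP://$Server/$SearchBase")
    $searcher.Filter      = $Filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    if (Test-LdapControl -Server $Server -Oid $VlvRequestOid) {
        # VLV is advertised. It requires a server-side sort; ask for entries 1..100.
        $searcher.Sort = New-Object System.DirectoryServices.SortOption('cn', 'Ascending')
        $searcher.VirtualListView = New-Object System.DirectoryServices.DirectoryVirtualListView(0, 99, 1)
        $mode = 'VLV'
    } elseif (Test-LdapControl -Server $Server -Oid $PagedResultOid) {
        # Not advertised (e.g. after DisableVLVSupport=1): page the subtree search
        # instead of sending a critical control the DC would reject.
        $searcher.PageSize = 1000
        $mode = 'paged'
    } else {
        throw "DC $Server advertises neither VLV nor paged results"
    }
    $results = $searcher.FindAll()
    Write-Verbose "$Server answered in $mode mode with $($results.Count) entries"
    return $results
}

# Usage (placeholders):
# Search-DirectoryUsers -Server 'dc1.domain.fr' -SearchBase 'dc=domain,dc=fr' -Verbose
# Get-DsOtherSettings -Server 'dc1.domain.fr'    # expect DisableVLVSupport=1 once applied
```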
RE: [ActiveDir] Recursive search on Root domain failed.
Eric, for the Outlook side, when I added the value "DisableVLVBrowsing"=dword:0001 per workstation, the browsing did not show any users, as you stated (blank list). Without the reg value, the error "Unavailable Critical Extension" appears with, again, no users showing in the browsing list. So the regkey seems to disable the VLV feature at the client side BUT without showing any users :( I found a way to LDAP search in my AD by working around this problem :) With your regkey set in the configuration partition, that resolves my problem definitively: the browsing in Outlook 2003 works. And at the time of writing, I have tested the LDAP browsing on 10 workstations that have Outlook 2003 in LDAP, and that works, whereas they did not work before, with the same error !! All the Outlooks I've installed have all the necessary binaries and all the latest patches :) I will forward you the network trace of the PHP search. Thanks for the help :) PS: let us know when you will publish a KB on the VLV feature please :) Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, June 27, 2005 10:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.
RE: [ActiveDir] Recursive search on Root domain failed.
Eric, I would blog it and then those that are interested can pull the blog post. What is your blog address?
Chris Haaker
ITS Infrastructure x7841
[ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
Ladies and Gentlemen; In reading Dan Holme's and Orin Thomas' fine MCSE Self-Paced Training Kit training manual, I have come upon a question in the Chapter 3 lesson review on page 3-55:

What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders?
a. %Username%
b. $Username$
c. CN=Username
d. Username

The correct answer is b. Is this true? Thanks in advance.
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
I would have thought the answer would be A. %Username%.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, June 27, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
Hi, no, the answer is B. If you use A (%Username%) it would then be replaced by the sAMAccountName of the user executing the command. See the links and search for $Username$:
http://www.ss64.com/nt/dsadd.html
http://www.ss64.com/nt/dsmod.html
http://www.examcram2.com/articles/article.asp?p=102278&seqNum=2&rl=1
Cheers, #JORGE#

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
From dsmod user /? :
The special token $username$ (case insensitive) may be used to place the SAM account name in the value of -webpg, -profile, -hmdir, and -email parameter. For example, if the target user DN is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name attribute is janed, the -hmdir parameter can have the following substitution: -hmdir \users\$username$\home
Guy
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
Learn something new every day, did not know that.
Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Monday, June 27, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
I am studying on the 70-292 kit for my upgrade exam and all of their references as well are to $username$.
Chris Haaker
ITS Infrastructure x7841
[ActiveDir] Remove View Menu From Explorer
In Windows 2000, is it possible to remove or disable the View menu from Windows Explorer and Internet Explorer 6? If not, then is it possible to remove or disable the Explorer Bar submenu? It would also be OK to be able to just remove all text menus (Edit, View, Go, etc.). We are locking down a kiosk machine and want the clients to be able to see one folder only and not be able to navigate to others. The problem is that if we just remove access from the parent folder, a certain program we are using does not work properly; plus, even though the user account is given Modify permissions to their folder and no permissions to the parent folder, the shortcut used to open their folder does not work. I appreciate any help on this issue,
Daniel DeStefano
[ActiveDir] Open Another User's Registry File
Is it possible to open another user's ntuser.dat file for editing? I would like to be able to edit some per-user settings for specific users, but when I try to open it using regedit or regedt32, I am asked if I want to add the information in the file to the registry, which I do not want to do. This is on a Windows 2000 Server machine. I appreciate any help,
Daniel DeStefano
RE: [ActiveDir] Open Another User's Registry File
Open Regedit, set your focus to HKLM, use Load Hive from the File menu. Be sure to unload the hive when you are done.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File
[ActiveDir] Logon server bad discovery
Hello, I have the following problem. I have a network with only W2K3 SP1 domain controllers in several sites (uhnete). Subnets, sites and site links are configured. There are DNS and GC in each site. My clients are XP SP2. When I tested my logon server through "set l" (logon server), I discovered that my logon server is from another site than the one the client resides in (belongs to). DC, DNS and replication function correctly. I discovered that the clients after logon belong to an incorrect site (nltest /dsgetsite). The site which the client belongs to changes randomly. When I set the parameter DynamicSiteName in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to the correct SITE, everything functions correctly. I would like to get more information on how the logon process discovers the right site and right domain controller. I found some information on MSDN about DsGetDcName, but this information is incomplete. http://support.microsoft.com/default.aspx?scid=kb;en-us;314861 Does anybody have a solution for this? THX Zdenek
RE: [ActiveDir] Open Another User's Registry File
You can also script this using reg.exe.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck
Sent: Monday, June 27, 2005 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Open Another User's Registry File
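An added example (not from the thread or its posters) of scripting the Load Hive / edit / unload sequence with reg.exe from PowerShell, assuming an elevated session, a target user who is not logged on (a hive in use cannot be loaded), and hive path, key, value name and data supplied by you as placeholders.

```powershell
# Added example: change one value in another user's ntuser.dat offline.
function Set-OfflineUserRegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$HivePath,   # ...\<user>\ntuser.dat (placeholder)
        [Parameter(Mandatory = $true)][string]$SubKey,     # relative to the hive root, e.g. Software\Example
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Value,
        [ValidateSet('REG_SZ', 'REG_DWORD', 'REG_EXPAND_SZ')][string]$Type = 'REG_SZ',
        [string]$MountPoint = 'HKLM\OfflineUserHive'       # temporary key the hive is mounted under
    )
    if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive file not found: $HivePath" }

    # Same as Regedit's File > Load Hive with HKLM selected
    & reg.exe load $MountPoint $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed for $HivePath (user still logged on, or access denied)"
    }
    try {
        & reg.exe add "$MountPoint\$SubKey" /v $Name /t $Type /d $Value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed for $SubKey\$Name" }
        # Read the value back from the mounted hive so the caller can verify it
        $readBack = & reg.exe query "$MountPoint\$SubKey" /v $Name
        return $readBack
    }
    finally {
        # Always unload, even on error: a hive left loaded cannot be opened at the
        # user's next logon and Windows gives them a temporary profile instead.
        & reg.exe unload $MountPoint | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload $MountPoint failed; close anything holding the key and run 'reg unload $MountPoint' by hand"
        }
    }
}

# Usage (placeholders):
# Set-OfflineUserRegistryValue -HivePath 'D:\Profiles\jdoe\ntuser.dat' `
#     -SubKey 'Software\Example' -Name 'Setting' -Value '1' -Type REG_DWORD
```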
[ActiveDir] OT: GPO undefined definition
If something is set to undefined in group policy, does it get set to the Windows default all the time? The reason I ask is because I had "Microsoft network server: Digitally sign communications (always)" set to enabled, then changed it to undefined. I was thinking this would leave all those machines set to enabled, and then I could just disable it on the single machine that I wanted to, but it set them all to disabled (the Windows default). Is this the correct behavior?
RE: [ActiveDir] Logon server bad discovery
Are you sure you have mapped the correct subnets to the correct sites? Is the subnet where those clients reside assigned in AD to a site? Check that to be sure. A client gets its site assigned from the subnet-to-site mappings in AD. If some subnet is not in AD and assigned to a site, the client might be authenticated randomly by any available DC. The authenticating DC will also record an event ID concerning the unmapped subnet.

Cheers,
#JORGE#

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon server bad discovery

Hello, I have the following problem. I have a network with only W2K3 SP1 domain controllers in several sites (uhnete). Subnets, sites, and site links are configured. There are DNS and GC in each site. My clients are XP SP2. When I tested my logon server through "set l" (logon server) I discovered that my logon server is from another site than the one the client resides in (belongs to). DC, DNS and replication function correctly. I discovered that after logon the clients belong to an incorrect site (nltest /dsgetsite); the site which the client belongs to changes randomly. When I set the parameter DynamicSiteName in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to the correct SITE, everything functions correctly. I would like to get more information on how the logon process discovers the right site and the right domain controller. I found some information on MSDN about DsGetDcName, but this information is incomplete. http://support.microsoft.com/default.aspx?scid=kb;en-us;314861 Does anybody have a solution for this? THX Zdenek

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
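The subnet-to-site lookup Jorge describes, as an added example that is not part of the thread and not Microsoft's code: the most specific AD subnet containing the client address decides the site, and an address covered by no subnet is exactly the "random site" case. The subnet table, host names and log lines are constructed; the NO_CLIENT_SITE line format is an assumption modelled on netlogon.log.

```python
"""Model of the subnet-to-site lookup a DC performs when a client asks
which site it belongs to (DsGetDcName / nltest /dsgetsite).

Added example for this thread, not code from the list or from Microsoft.
The subnet table is constructed; in a real forest it comes from the
siteObject attribute of the objects under CN=Subnets,CN=Sites,CN=Configuration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample of subnet objects -> site names (hypothetical names).
SAMPLE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "HQ",
    "10.1.5.0/24": "HQ-Lab",          # more specific prefix inside 10.1.0.0/16
    "10.2.0.0/16": "Branch-Prague",
    "192.168.100.0/24": "Branch-Brno",
}


def site_for_client(client_ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Return the site a client IP maps to, or None if no subnet covers it.

    As in AD, the most specific (longest prefix) matching subnet wins.
    None is the situation Jorge describes: with no mapped subnet the DC
    cannot hand the client a site, so the client keeps whichever DC
    answered first and the site reported by nltest varies between logons.
    """
    ip = ipaddress.ip_address(client_ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def unmapped_clients(client_ips: Iterable[str], subnets: Dict[str, str]) -> List[str]:
    """List the client addresses that fall outside every defined subnet."""
    return [ip for ip in client_ips if site_for_client(ip, subnets) is None]


def unmapped_netlogon_events(log_lines: Iterable[str]) -> List[str]:
    """Pull client IPs out of NO_CLIENT_SITE lines.

    Jorge mentions the DC records the unmapped subnet; the line shape used
    here, "<date> <time> [MISC] NO_CLIENT_SITE: <host> <ip>", is a
    constructed approximation of %SystemRoot%\\debug\\netlogon.log entries.
    """
    found: List[str] = []
    for line in log_lines:
        if "NO_CLIENT_SITE:" in line:
            found.append(line.split()[-1])
    return found


if __name__ == "__main__":
    # Constructed client addresses and log lines.
    clients = ["10.1.5.7", "10.1.9.9", "172.16.0.1", "192.168.100.9"]
    for c in clients:
        print(c, "->", site_for_client(c, SAMPLE_SUBNETS))
    print("unmapped:", unmapped_clients(clients, SAMPLE_SUBNETS))
    sample_log = ["06/27 09:58:01 [MISC] NO_CLIENT_SITE: WS017 172.16.0.1"]
    print("from netlogon.log:", unmapped_netlogon_events(sample_log))
```

Feeding the real subnet list and the addresses of the affected clients into unmapped_clients gives the list of subnets still missing from CN=Subnets.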
RE: [ActiveDir] Logon server bad discovery
Thanks a lot, I appreciate it.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon server bad discovery

Hello, I have the following problem. I have a network with only W2K3 SP1 domain controllers in several sites (uhnete). Subnets, sites, and site links are configured. There are DNS and GC in each site. My clients are XP SP2. When I tested my logon server through "set l" (logon server) I discovered that my logon server is from another site than the one the client resides in (belongs to). DC, DNS and replication function correctly. I discovered that after logon the clients belong to an incorrect site (nltest /dsgetsite); the site which the client belongs to changes randomly. When I set the parameter DynamicSiteName in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to the correct SITE, everything functions correctly. I would like to get more information on how the logon process discovers the right site and the right domain controller. I found some information on MSDN about DsGetDcName, but this information is incomplete. http://support.microsoft.com/default.aspx?scid=kb;en-us;314861 Does anybody have a solution for this? THX Zdenek
RE: [ActiveDir] Open Another User's Registry File
Thank you for your help.

Daniel DeStefano
PC Support Specialist
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net
Measuring Ad Effectiveness on Television

From: Robinson, Chuck [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Open Another User's Registry File

Open Regedit, set your focus to HKLM, use Load Hive from the File Menu. Be sure to unload the hive when you are done.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another user's ntuser.dat file for editing? I would like to be able to edit some per-user settings for specific users, but when I try to open it using regedit or regedt32, I am asked if I want to add the information in the file to the registry, which I do not want to do. This is on a Windows 2000 Server machine.

I appreciate any help,
Daniel DeStefano
RE: [ActiveDir] OT: GPO undefined definition
Yep, correct behavior! If you have an OU with servers and a GPO linked to that OU with the setting you mention set to enabled, it will affect all servers in that OU. Default GPO settings do not tattoo, so if you change the setting in the GPO to Not defined, the servers (all of them in the OU) will revert back to their default value, which is configured in the local policy settings or in the registry.

Cheers
#JORGE#

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: GPO undefined definition

If something is set to undefined in group policy, does it get set to the Windows default all the time? The reason I ask is because I had Microsoft network server: Digitally sign communications (always) set to enabled, then changed it to undefined. I was thinking this would leave all those machines set to enabled, and then I could just disable it on the single machine that I wanted to, but it set them all to disabled (the Windows default). Is this the correct behavior?
[ActiveDir] Domain Admins Group Membership
Hi,

I need to add certain users from domain B, a Win 2000 domain, to the Domain Admins group of Domain A, a Windows 2003 domain. There is a two-way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this?

Thanks,
Juan
Re: [ActiveDir] Domain Admins Group Membership
You can not add users from DomainB to the Domain Admins group in DomainA. You can add users to the Administrators group, or you can create another type of group and delegate rights to that new group.

Phil

On 6/27/05, Ibarra, Juan [EMAIL PROTECTED] wrote:
I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group.
RE: [ActiveDir] Domain Admins Group Membership
The way you want to do it can not be accomplished! Why? The Domain Admins group is a global security group, and global (security) groups can only have members from their own domain and not from other domains. By design.

What are you trying to accomplish?

Cheers,
#JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi, I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this? Thanks, Juan
[ActiveDir] GPO for Citrix and WSUS
I've recently rolled out WSUS in a test lab environment, and I've come across a problem I can't find an answer for. On the test Citrix server, when updates have been applied and the server needs to reboot, the annoying "Windows Automatic Update" window flashes to nag the user to reboot. Of course, all of the buttons (including the "X") are grayed out so the user can't reboot a loaded terminal server, but this also means the user can't close the window. I don't want to flood our help desk with a jabillion calls about this "mysterious window," but I can't seem to find anything in Group Policy to prevent this window from appearing. Disabling "Allow non-administrators to receive update notifications" doesn't seem to affect this window. Any insight?

Thank You,
James R. Rogers
First National Bank of Three Rivers

The information transmitted is intended only for the person(s) or entity(ies) to which it is addressed and may contain confidential and/or privileged material. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy, disseminate, distribute, disclose, or deliver this message to anyone. If you have received this e-mail transmission in error, please reply to the sender so that arrangements can be made for proper delivery, after which, please delete the message. Thank You.
RE: [ActiveDir] Open Another User's Registry File
Yup. In Regedit, highlight the HKU tree and click File, Load Hive. Browse to the ntuser.dat file, open it and give it a name, e.g. TempReg. You can then edit that hive in Regedit just as you would the normal HKCU hive. When you're done, highlight the root of the tree TempReg and click File, Unload Hive.

You can also edit the hive using .reg files by changing HKEY_CURRENT_USER to HKEY_USERS\TempReg in the .reg file and importing as normal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another user's ntuser.dat file for editing? I would like to be able to edit some per-user settings for specific users, but when I try to open it using regedit or regedt32, I am asked if I want to add the information in the file to the registry, which I do not want to do. This is on a Windows 2000 Server machine.

I appreciate any help,
Daniel DeStefano
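The .reg-file variant of the reply above plus the reg.exe scripting Chuck mentioned, as an added example that is not from the list: only key header lines are retargeted from HKEY_CURRENT_USER to HKEY_USERS\TempReg, so values whose data merely contains that text are left alone. The .reg content, hive name and file paths are constructed placeholders.

```python
"""Retarget a .reg file written against HKEY_CURRENT_USER so that it
applies to an ntuser.dat hive loaded under HKEY_USERS\\<hive name>.

Added example for this thread, not code from the list. SAMPLE_REG is a
constructed .reg file; TempReg and the paths are placeholders.
"""
import re
from typing import List

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# A key header line: [HKEY_CURRENT_USER\...] or [-HKEY_CURRENT_USER\...]
# (a leading '-' means "delete this key"). Value lines start with '"' or
# '@' and never match, so string data containing the text
# HKEY_CURRENT_USER is not rewritten.
KEY_LINE = re.compile(r"^\[(-?)HKEY_CURRENT_USER(\\[^\]]*)?\]$")


def retarget_reg(reg_text: str, hive_name: str = "TempReg") -> str:
    """Return the .reg text with every HKCU key header moved under HKU\\hive_name."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in REG_HEADERS:
        raise ValueError("not a .reg file: missing version header")
    out: List[str] = []
    for line in lines:
        m = KEY_LINE.match(line.strip())
        if m:
            delete_flag, subkey = m.group(1), m.group(2) or ""
            out.append(f"[{delete_flag}HKEY_USERS\\{hive_name}{subkey}]")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def reg_exe_steps(ntuser_path: str, reg_file: str, hive_name: str = "TempReg") -> List[str]:
    """The reg.exe sequence for scripting the same edit: load, import, unload.

    Unloading matters: a hive left loaded keeps ntuser.dat locked and the
    user cannot log on with that profile.
    """
    return [
        f'reg load HKU\\{hive_name} "{ntuser_path}"',
        f'reg import "{reg_file}"',
        f"reg unload HKU\\{hive_name}",
    ]


# Constructed sample .reg file (not taken from the thread).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Control Panel\\Desktop]
"ScreenSaveTimeOut"="600"
"Note"="HKEY_CURRENT_USER is text here and must stay"

[-HKEY_CURRENT_USER\\Software\\ExampleCorp\\Stale]
"""


if __name__ == "__main__":
    print(retarget_reg(SAMPLE_REG))
    for step in reg_exe_steps("C:\\Documents and Settings\\someuser\\ntuser.dat",
                              "C:\\temp\\retargeted.reg"):
        print(step)
```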
RE: [ActiveDir][OT] File copy with security intact
Great feedback and your points are very well taken. Thanks for the info and the clarification.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Grillenmeier, Guido
Sent: Saturday, June 25, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

With all of the options mentioned (incl. FSMT and RoboCopy) you have to be aware of the limitations of copying ACLs from source to target, which basically depends on how you've ACLed the data on your servers: if you've used server-local groups, the tools won't do the work for you to re-create appropriate server-local groups on the target machine and convert the SIDs in the ACLs where required (i.e. leave SIDs from non-server-local secprins alone and copy them as is, and just replace the server-local stuff with those of the target machine). This is a considerable restriction for consolidating data, but you can also circumvent it by first doing some homework on your own and replacing all server-local groups with AD domain-local groups, incl. the re-ACLing on the source machine(s). I'm not trying to say that you'd always want to use this approach, as it has other challenges (token group-bloat for users logging onto the domain etc.), but it may be a valid option depending on your environment.

I only know of non-free tools to do this during the file-copy / consolidation which either give you the option to create new server-local groups on the target server or to convert them to AD domain-local groups, plus do the appropriate re-ACLing of the data on the target machine. Too bad Microsoft's FSMT doesn't have this feature, which is one of the main things I don't like about it. Otherwise it's a useful tool, as it will also copy and re-create the shares etc. for you (no big deal, but...) and has a very useful integration with the DFS root-consolidation feature of Win2003/SP1 (see Q829885 Distributed File System update to support consolidation roots in Windows Server 2003 if you're unfamiliar with this feature).

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, 24 June 2005 01:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

It's a solid tool that MCS uses for consolidation of multiple systems to one (think a bunch of file servers: NT 4, Win2k, whatever), or for hardware-to-hardware copy after the OS is installed. Nice thing is it brings over the security and is a bit easier for the command-line challenged, or when there are a number of "pick this, don't copy this" type decisions that need to be made.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Hi Rick,

I have not had any need to try it yet and I was just wondering if anyone liked it, had any problems with it and how it compares to RoboCopy. It seems to be a take-off of Fastlane's server consolidator that was written for Microsoft several years back.

test Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 22, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Yep - what assist do you need, or what information related to it? Happy to help.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Has anyone had any experience using the Microsoft File Server Migration Toolkit?
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

I don't want to seem like I am knocking Robocopy; however, from my experience Robocopy also does the same thing. It will stop when a file is locked or in use. It does not copy at the block level like rsync. It is a very useful tool, but beware of its limitations. (Although the version I used was from the 2000 resource kit, so if there have been improvements I may be mistaken.)

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Robocopy is my FRS engine for Dfs. :)

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL
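The re-ACLing rule Guido describes, as an added example that is not code from FSMT, RoboCopy or the list: SIDs of domain, BUILTIN and well-known principals are copied unchanged, server-local SIDs (the source machine's SID prefix plus a RID) are mapped by name to their equivalent on the target, and anything with no equivalent is reported rather than copied as an orphaned SID. All SIDs, names and access masks are constructed placeholders; the name lookups stand in for what LookupAccountSid would return.

```python
"""Translate the server-local part of an ACL when moving data between
file servers: keep non-local SIDs as they are, map local ones by name.

Added example for this thread, not code from FSMT, RoboCopy or the list.
Every SID, name and mask below is a constructed placeholder.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed machine and domain SIDs (not real identifiers).
SOURCE_MACHINE_SID = "S-1-5-21-1001-1002-1003"   # old file server FS1
TARGET_MACHINE_SID = "S-1-5-21-2001-2002-2003"   # new file server FS2
DOMAIN_SID = "S-1-5-21-3001-3002-3003"           # the AD domain


@dataclass(frozen=True)
class Ace:
    sid: str           # trustee
    access_mask: int   # NTFS access mask, e.g. 0x1F01FF = Full Control
    allow: bool = True


def is_server_local(sid: str, machine_sid: str) -> bool:
    """True for principals issued by that machine's local SAM: the machine
    SID followed by a RID (local groups, local users, its built-in accounts)."""
    return sid.startswith(machine_sid + "-")


def translate_acl(
    acl: List[Ace],
    source_machine_sid: str,
    source_names: Dict[str, str],   # source local SID -> account name
    target_sids: Dict[str, str],    # account name -> SID on the target
) -> Tuple[List[Ace], List[str]]:
    """Return (translated ACL, source SIDs that have no target equivalent).

    Domain, BUILTIN and well-known SIDs (S-1-5-32-544, S-1-1-0, ...) are
    valid on both machines and are copied as is. Local SIDs are resolved
    by name; target_sids may point at a re-created local group or at an AD
    domain-local group, the conversion Guido mentions. Unresolved entries
    are left out rather than copied, because a copied SID that no longer
    resolves grants nothing and only clutters the ACL.
    """
    translated: List[Ace] = []
    unresolved: List[str] = []
    for ace in acl:
        if not is_server_local(ace.sid, source_machine_sid):
            translated.append(ace)
            continue
        name = source_names.get(ace.sid)
        new_sid = target_sids.get(name) if name else None
        if new_sid is None:
            unresolved.append(ace.sid)
            continue
        translated.append(replace(ace, sid=new_sid))
    return translated, unresolved


# Constructed sample ACL of a folder on FS1.
SAMPLE_ACL = [
    Ace("S-1-5-32-544", 0x1F01FF),                 # BUILTIN\Administrators
    Ace(DOMAIN_SID + "-1105", 0x1200A9),           # DOMAIN\Finance-Readers (global)
    Ace(SOURCE_MACHINE_SID + "-1010", 0x1301BF),   # FS1\Finance-Modify (local group)
    Ace(SOURCE_MACHINE_SID + "-1011", 0x1200A9),   # FS1\Legacy-Readers (local, no target)
]
SOURCE_NAMES = {
    SOURCE_MACHINE_SID + "-1010": "Finance-Modify",
    SOURCE_MACHINE_SID + "-1011": "Legacy-Readers",
}
TARGET_SIDS = {"Finance-Modify": TARGET_MACHINE_SID + "-1042"}   # re-created on FS2


if __name__ == "__main__":
    new_acl, missing = translate_acl(SAMPLE_ACL, SOURCE_MACHINE_SID, SOURCE_NAMES, TARGET_SIDS)
    for ace in new_acl:
        print(f"{'allow' if ace.allow else 'deny'} {ace.sid} 0x{ace.access_mask:X}")
    print("homework needed for:", missing)
```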
RE: [ActiveDir] Recursive search on Root domain failed.
http://blogs.technet.com/efleis

Not much there, I don't blog often. I'll try and get to it today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 27, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

Eric, I would blog it and then those that are interested can pull the blog post. What is your blog address?

Chris Haaker
ITS Infrastructure
x7841

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, June 25, 2005 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

So I am writing a longer note about the history of VLV fixes we've thrown at it and why, but haven't finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it's 2 pages so far). In the interim, a couple of thoughts.

From the DSID you're getting, I'd speculate you're still doing VLV. I don't know what you've tweaked on the Outlook side, but that's my suspicion. A network sniff (or some more data) would confirm.

However, looking at this more broadly: if you implement this change as your fix, you'll find you need to do this on every client. That might grow old.

A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later): fire up adsiedit, crack open the config NC. Expand CN=Directory Service,CN=Windows NT,CN=Services. Edit CN=Directory Services. Nav down to msds-Other-Settings. Edit. In the Value to add box, type, without the quotes: DisableVLVSupport=1. Click Add.

Give that a try, let us know how it goes.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.
Thanks for the reply :) Yes, I have already followed the link you specified. I disabled the LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled; the list is empty without the Unavailable Critical Extension error message box. The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook for searching LDAP Active Directory first and not the Exchange GAL, and type the sender in the "To..." field of Outlook: Outlook then verifies the sender against LDAP AD first and that works. I thought of distributing this regkey with GPO to all my users...

I have already installed SP1 for W2K3 a month ago, and no way :( The same problem is reproduced in another French university. The maxpagesize (the max LDAP page size for the default query policy) in my domain is set to a high value 2 instead of the default value of 1000. I'm wondering if this can be the reason...

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive search on Root domain failed.

Try disabling VLV in Outlook; you can do that here: 820864 You Experience Performance Problems in Outlook 2003 When You Browse an http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug; contact PSS for the hotfix (or install SP1 which I believe has the fix).

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive search on Root domain failed.

Hello,

When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or php scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: Unavailable Critical Extension. But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search works. When I used Outlook Express configured in LDAP, the recursive search worked.

My environment: forest AD2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003. The curious thing is that when I installed a fresh test domain AD2003 (without upgrade from AD2000), any recursive search (with php, Outlook 2003, etc.) works. So I suspect that it is the migration that causes the problem, but I didn't know if such a request worked before migration :(

My network trace between my workstation and any DCs confirmed the error: LDAP: ProtocolOp =
RE: [ActiveDir] Domain Admins Group Membership
Does anyone have an idea on how else to accomplish this?

Thanks,
Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

The way you want to do it can not be accomplished! Why? The Domain Admins group is a global security group, and global (security) groups can only have members from their own domain and not from other domains. By design. What are you trying to accomplish?

Cheers,
#JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi, I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this? Thanks, Juan
RE: [ActiveDir] Domain Admins Group Membership
That is what I'm asking... what do you want to do? What are your thoughts?

Cheers,
#JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Does anyone have an idea on how else to accomplish this? Thanks, Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

The way you want to do it can not be accomplished! Why? The Domain Admins group is a global security group, and global (security) groups can only have members from their own domain and not from other domains. By design. What are you trying to accomplish? Cheers, #JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi, I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this? Thanks, Juan
RE: [ActiveDir] Domain Admins Group Membership
Jorge,

I am trying to give several users on Domain B admin rights on Domain A so that they can get full access to the servers. I am trying to avoid giving them local admin access to everyone on every server.

Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

That is what I'm asking... what do you want to do? What are your thoughts? Cheers, #JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Does anyone have an idea on how else to accomplish this? Thanks, Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

The way you want to do it can not be accomplished! Why? The Domain Admins group is a global security group, and global (security) groups can only have members from their own domain and not from other domains. By design. What are you trying to accomplish? Cheers, #JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi, I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this? Thanks, Juan
RE: [ActiveDir] Domain Admins Group Membership
We create a domain local group in Domain A and then use either a startup script (net add) or the GPO setting for Restricted Groups to add that group into the local admin group on every machine. In cases where cross-domain admin access is needed, a group is created in Domain B, added to the domain local group in Domain A, and they get the rights needed. Generally we do this on an OU basis as well to provide admin rights in each OU. We tend to use the script here because the Restricted Groups option in 2000 allowed you to define the local admin group rather than just adding to it.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: Ibarra, Juan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/27/2005 10:25 AM MST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Domain Admins Group Membership

Jorge, I am trying to give several users on Domain B admin rights on Domain A so that they can get full access to the servers. I am trying to avoid giving them local admin access to everyone on every server. Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

That is what I'm asking... what do you want to do? What are your thoughts? Cheers, #JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Does anyone have an idea on how else to accomplish this? Thanks, Juan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

The way you want to do it can not be accomplished! Why? The Domain Admins group is a global security group, and global (security) groups can only have members from their own domain and not from other domains. By design. What are you trying to accomplish? Cheers, #JORGE#

From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi, I need to add certain users from domain B, Win 2000 Domain, to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this? Thanks, Juan
RE: [ActiveDir] Domain Admins Group Membership
If Domain B is an AD domain and at least native mode, then create a Domain Local Group in Domain B and add the Domain Admins of Domain A to that group. Then add the Domain Local Group from Domain B to the local Admins group on the servers you wish to be administered (basically all servers) - you can achieve this via a GPO using the Restricted Groups feature. I guess you could even add the Domain Admins of A directly to the servers via restricted groups, but I like to keep that type of control in the resource domain (via a Domain Local Group). /Guido
RE: [ActiveDir] Domain Admins Group Membership
Got it thanks. Juan
[ActiveDir] Account Policies
Hi all, As far as I remember, and in line with best practices, you can only have one account policy take effect in a domain, but I have a client that has changed this option.

Domain OU - 14 Days
Sales OU - 30 Days
Finance OU - 35 Days

Now I would like some clarification around this implementation of password policy? TIA -Yusuf
RE: [ActiveDir] Account Policies
With the setup you show us the following applies:

Domain OU - 14 Days - applies to all user accounts in the domain and to all user accounts local to each server/client, except for the servers/clients in the Sales OU and the Finance OU
Sales OU - 30 Days - applies to all user accounts local to each server/client located in the Sales OU
Finance OU - 35 Days - applies to all user accounts local to each server/client located in the Finance OU

Definition of account policies at domain level applies to all user accounts in the domain. Definition of account policies at OU level applies to all user accounts local to the servers in that particular OU. Cheers #JORGE#
[ActiveDir] DNS Scavenging
All, I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DCs running at 2003 functional level. All of the DCs run DNS, and on one of them I enabled scavenging at the server level and configured all zones to have a no-refresh interval of 1 hour and a refresh interval of 8 hours. I did this a few weeks ago and many of the records still exist in DNS. I know for a fact that I have a few thousand workstations which have been off the network for more than 30 days. I think what I am seeing is the issue where the records that existed prior to me enabling scavenging won't get scavenged. That said, I know I can manually age all of the records using dnscmd, but this will take all of my statically created records with it. Are there any ways around this so that my static records don't get touched? Thanks, -Tim
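The situation Tim describes (records registered before aging was enabled carry no timestamp, exactly like static records, so a zone-wide dnscmd /ageallrecords would sweep up both) can be worked around by using Active Directory as the tie-breaker. The following is an added example, not code from the thread: it timestamps only those untimestamped A records whose name matches a domain computer account, using the per-node form of dnscmd /ageallrecords, and leaves everything else alone. The server name dc1.corp.example, the zone corp.example, the exclusion list and the requirement for the DnsServer and ActiveDirectory PowerShell modules are assumptions.

```powershell
# Added example, not from the thread. Assumes DNS server dc1.corp.example hosts the zone
# corp.example with aging already enabled (no-refresh 1h / refresh 8h as in the post), and
# that the DnsServer and ActiveDirectory modules are installed. Names below are invented.
Import-Module DnsServer
Import-Module ActiveDirectory

$DnsServer = 'dc1.corp.example'
$Zone      = 'corp.example'
$Exclude   = @('dc1', 'dc2', 'fs1', 'gateway')   # assumed: domain hosts whose records must stay static
$DryRun    = $true                               # print the dnscmd calls first; set $false to run them

# A records with no timestamp are either truly static or dynamic registrations that pre-date
# aging being enabled on the zone. DNS itself cannot tell the two apart, which is why a
# zone-wide "dnscmd /ageallrecords" would convert the static ones as well.
$untimestamped = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $null -eq $_.Timestamp -and $_.HostName -ne '@' }

# Tie-breaker: a name that matches a computer account was registered (or should be) by the
# DNS client dynamically, so it is safe to give it a timestamp. Printers, routers and other
# non-domain devices with hand-made records do not match and are left untouched.
$computers = @{}
Get-ADComputer -Filter * | ForEach-Object { $computers[$_.Name.ToLower()] = $true }

$toAge = $untimestamped | Where-Object {
    $name = $_.HostName.ToLower()
    $computers.ContainsKey($name) -and ($Exclude -notcontains $name)
}

foreach ($rr in $toAge) {
    # per-node form: dnscmd <server> /ageallrecords <zone> <node> /f  (only this host's records)
    $cmd = "dnscmd $DnsServer /ageallrecords $Zone $($rr.HostName) /f"
    if ($DryRun) { "WOULD RUN: $cmd" } else { & dnscmd $DnsServer /ageallrecords $Zone $rr.HostName /f }
}
"{0} untimestamped A records, {1} selected for aging" -f @($untimestamped).Count, @($toAge).Count
```

Once a record has a timestamp it becomes eligible after the no-refresh plus refresh intervals (9 hours here) and is removed on the next scavenging pass of the one server where scavenging is enabled, so expect a delay of up to one scavenging period on top. The exclusion list matters for domain-joined servers that were deliberately given a static record and do not dynamically update; without it, those records get a timestamp too and will eventually be scavenged.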
RE : [ActiveDir] Account Policies
Hi Jorge :) Just a note about what you said. When you set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OU levels.. Cheers, Yann
RE: [ActiveDir] Account Policies
You see in his mail below the following: "Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU". When you are logging in using a domain account, the domain account policies are applied; when you log on using a local machine account on a machine in the OU, then the account policy applied to the OU is applied. I hope that makes sense. Have a great day! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center
[ActiveDir] OT: Set Dial-In on W2K3 local accounts
Greetings, I have a standalone W2K3 (non-DC) server that we are populating with user accounts for RADIUS authentication. I would like to script the account setup so that the user name, password and an IP address are set. The IP address would be the one you can set via the Assign a Static IP Address checkbox on the Dial-In tab. I can't find any hints on how to access this set of data that apply to non-AD accounts. Any ideas? Thanks, JD ___ J.D. Williams MCNE, MCSE Systems Integrator Northrop Grumman Information Technology Commercial, State Local Solutions Austin, TX. 512-377-x235 Alphapage 866-521-6091 E-Page [EMAIL PROTECTED]
RE: [ActiveDir] Account Policies
Yann, As Jorge stated: "Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU" Mark
[ActiveDir] Creating share object in an OU
What's the purpose of being able to create shares beneath an OU versus just having a share on a file server? How will the users see the share in the OU? What's the advantages and disadvantages of creating the share in an OU versus just having it exist on a fileserver? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Account Policies
the order is:

1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

cheers #JORGE#
RE : [ActiveDir] Account Policies
Oops.. sorry Mark and Robert, I will carefully read what people write before posting a note :-) Great day all :-) Cheers, Yann
RE: [ActiveDir] Account Policies
If I recall, in addition it is:

0 Legacy Policies (such as ADMs)
1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

Mark
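The distinction Jorge and Robert draw above (the domain-level account policy governs domain accounts; an OU-linked account policy only reaches the local SAM of the computers in that OU) can be checked directly on a machine. The following is an added example, not code from the thread: run on a member server that sits in the Sales OU of the domain in the question, it reads the maximum password age the local SAM enforces and the one the domain enforces, which should come out as 30 and 14 days respectively. The domain name corp.example and the user name are assumptions.

```powershell
# Added example, not from the thread. Run on a member server located in the Sales OU.
# `net accounts` reports the policy of the local SAM; `net accounts /domain` reports the
# policy of the domain the machine is joined to (corp.example is assumed).
function Get-MaxPasswordAgeDays {
    param([switch]$Domain)
    $out = if ($Domain) { net accounts /domain } else { net accounts }
    # output contains a line such as "Maximum password age (days):       42" (or "Unlimited")
    foreach ($line in $out) {
        if ($line -match 'Maximum password age \(days\):\s+(\S+)') { return $Matches[1] }
    }
    throw 'Maximum password age not found in net accounts output'
}

$local  = Get-MaxPasswordAgeDays           # 30 on a server in the Sales OU: the OU-linked GPO
$domain = Get-MaxPasswordAgeDays -Domain   # 14: the policy linked at the domain root
"Local accounts on $env:COMPUTERNAME: $local days; domain accounts: $domain days"

if ($local -ne $domain) {
    # Local accounts on this box (including the built-in Administrator, if enabled) live
    # under the weaker OU policy; that is the security consequence of the client's setup.
    "WARNING: local SAM policy differs from the domain policy"
}

# On a domain controller both calls return the domain value, because a DC's account database
# IS the domain. Since Windows Server 2008, fine-grained password policies (PSOs) are the
# supported way to give different domain users different policies; to see what applies to
# a given domain user (jsmith is an assumed name):
#   Get-ADUserResultantPasswordPolicy -Identity jsmith   # no output = default domain policy
```

The point of the comparison is not the two numbers but which population each one protects: a longer maximum age on the Sales or Finance OU does nothing for domain users, and only weakens whatever local accounts exist on those computers.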
Re: [ActiveDir] OT: GPO undefined definition
Yep - that is the prescribed behavior. Rick From: Douglas M. Long [EMAIL PROTECTED] Date: 2005/06/27 Mon AM 10:14:42 EDT To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: GPO undefined definition If something is set to undefined in group policy, does it get set to the Windows default all the time? The reason I ask is because I had Microsoft network server: Digitally sign communications (always) set to enabled, then changed it to undefined. I was thinking this would leave all those machines set to enabled, and then I could just disable it on the single machine that I wanted to, but it set them all to disabled (the Windows default). Is this the correct behavior?
Re: [ActiveDir] Domain Admins Group Membership
Juan, You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rule for Global Groups is that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A. However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the add of users from Domain B. Rick
RE: [ActiveDir] Creating share object in an OU
the concept is similar to that of printer objects in AD: you don't create printer queues in an OU (or as child objects of servers) - instead you create a reference to an existing printer queue on a server - this reference is stored in a printer object; basically Active Directory can act as a "central repository" of all printers available in a network, which allows you easy searching for printers (e.g. to find those close to you when you're located in a specific subnet, or those that have a specific feature, such as duplex printing or color etc.). Similarly, you don't create shares in an OU - instead you create a shared folder object which contains a reference to an existing share on a server. AD could again be used as a "central repository" of all shares available on all servers in the network. While the first example (printer objects) has been adapted quite well, I hardly find companies that see much value in using the shared volume objects. I'd say this is basically due to the fact that AD as a "search engine" for printers is integrated in the printer-install UI on Win2000/XP clients and there is no similar search engine for shared folder objects (you'd have to use LDAP queries or build your own UI). Also, it's likely due to the nature of the objects they represent: printers are output devices which can and should be used by most people in a company (although you can still restrict printing to expensive devices via permissions on the printer queue and via their object's visibility in AD). Shares however are used to make data available to a select group of people - you don't really want users "sniffing" for available shares in the network. Instead you want to control which user mounts which share to do their work (often controlled via logon scripts). hope this clarifies some of the things you're wondering about /Guido
RE: [ActiveDir] Domain Admins Group Membership
Rick - you should have taken the time to read the other posts ;-) He wants to grant admin access to member servers, which you won't achieve by adding the domain A users to domain B's administrator group...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 23:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership
Re: RE: [ActiveDir] Domain Admins Group Membership
Yeah - I saw that after reading the other posts. However, I wasn't going to post a follow-up just to call attention to myself. Thanks for your help, Guido! You blew THAT plan! ;o)

Rick

From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: 2005/06/27 Mon PM 05:40:11 EDT
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership
RE: RE: [ActiveDir] Domain Admins Group Membership
anytime ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 23:50
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] Domain Admins Group Membership
[ActiveDir] OT: Outlook Web Access Split DNS
When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...). We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem. Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!

--Dave
[ActiveDir] Default Domain Policy Issues
Hi all,

After making changes to the Password Policy (Enforcing password History) for a child domain's Default Domain Policy it reverts back to the previous setting right after the replication cycle has completed with other DCs. I don't see any out of the ordinary NTFRS log events. Any leads would be appreciated.

Thanks,
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
Last I looked, dsmod uses $username$ but it doesn't create anything on the filesystem, it only updates AD attributes. Specifying a homedir in the user object doesn't make it appear except when you use ADUC which actually goes off and does it separately.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, June 27, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Ladies and Gentlemen;

In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced Training Kit training manual, I have come upon a question in the Chapter 3 lesson review on page 3-55:

What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders?
a. %Username%
b. $Username$
c. CN=Username
d. Username

The correct answer is b

Is this true?

Thanks in advance.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456 Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
Re: [ActiveDir] Default Domain Policy Issues
What OS and what Service pack are all DCs at?

steve

- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, June 27, 2005 3:01 PM
Subject: [ActiveDir] Default Domain Policy Issues
Re: [ActiveDir] Default Domain Policy Issues
Oh I'm sorry, Windows 2000, SP4, Native Mode Domains. The other child domain is similar but there the settings have changed.

Thanks,

Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 15:17:51 -0700
RE: [ActiveDir] OT: GPO undefined definition
I just wanted to point out that setting to undefined won't revert anything, it simply allows any lower policy to kick in. If there is no policy, then whatever was last set will stay. If a new machine is put into the OU, whatever its normal default is will stay.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, June 27, 2005 11:20 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: GPO undefined definition

Yep, correct behavior! If you have an OU with servers and a GPO linked to that OU with the setting you mention set to enabled, it will affect all servers in that OU. Default GPO settings do not tattoo so if you change the setting in the GPO to Not defined the servers (all of them in the OU) will revert back to their default value which is configured in the local policy settings or in the registry.

Cheers
#JORGE#

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: GPO undefined definition

If something is set to undefined in group policy, does it get set to the Windows default all the time? The reason I ask is because I had "Microsoft network server: Digitally sign communications (always)" set to enabled, then changed it to undefined. I was thinking this would leave all those machines set to enabled, and then I could just disable it on the single machine that I wanted to, but it set them all to disabled (the Windows default). Is this the correct behavior?
RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts
Changing the associated AG would involve changing the legacyExchangeDNs. This is a touchy thing as you want to make sure you do not get any duplicates, and it can impact mail delivery since Outlook likes to store legacyExchangeDNs with messages.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, June 24, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

You will find a series of articles on Exchange scripting at http://www.microsoft.com/technet/scriptcenter/hubs/exchange.mspx
Mail-enabled, mailbox-enabled contacts are covered.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Friday, June 24, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

Can anyone offer some guidance on whether it is possible to script the change of the associated Exchange Admin Group for mail enabled contacts? I have a large number of mail enabled contacts that I would like to move from one Exchange Admin Group to another without deleting and recreating them.

David Frost
Directory Engineering, Messaging, Directories and PKI
Engineering Services
Industry Canada
email: [EMAIL PROTECTED]
(613) 957-8442
RE: [ActiveDir] Site IP Change
And WINS too. You may find you need to delete the domain 1C record(s) and 1B record(s) [1] and force the DCs to refresh the records through NBTSTAT -RR to get them updated. Obviously anything pointing at the DCs for DNS and/or WINS resolution needs to be updated. If anyone was silly enough to point specifically at a DC for LDAP services and was even sillier and used an IP address, that would need to be updated.

joe

[1] The (s) is in case of multiple domains being involved.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 23, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

yep, no reboot required, just need to make sure that you get your DNS straight - could be chaotic if you change the IP addresses of too many DCs at once. Ensure that replication still works before changing the next (may sometimes be required to configure a different primary DNS so that it registers its addresses with a partner DC) and ensure that you configure clients in a DC's site appropriately to use the new IP address as DNS resolver.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 21:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

I've done this many times and haven't had to reboot my 2003 DCs. Just fyi...

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

Nathan,

I hope you reboot your servers after you change the IP address. As good as the TCP/IP stack has gotten with 2003 server, I still feel it's important to reboot with such changes on a DC.

Jose

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 23, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

Nathan,

Typically, the change of IP address, subnet, default gateway and associated DNS entries will take care of most of what you need. However, there is one more thing that needs to be done. Pull up a command prompt on the DC that you've re-IPed, and type this at the prompt (in its entirety):

Net stop netlogon
net start netlogon

This will stop the netlogon service, then turn around and restart it automatically. As you might know, the NetLogon service is responsible for maintaining the DNS entries (SRV records, et al.) and updating those as necessary. The stop/start of the service forces the update to happen 'right now', and will be updated with the new data you've entered.

Hope this helps you along in your process.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Henderson
Sent: Thursday, June 23, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site IP Change

We are currently updating our network infrastructure and a part of this is having to change IPs on our internal network. Most devices are pretty simple, but the main point I'm concerned about is changing our DCs. They will all still be in the same subnet just using a different IP range. Is there anything I would need to take care of specially in this situation besides updating DNS information during/after the change to ensure replication between DCs will function? I'm trying to think through possible scenarios or issues that could arise. If anyone has any insight it would be much appreciated.

Nate
RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group
This really isn't trivial to do with ad* or ds* tools I don't think. Actually LDIFDE might work out well. If you were creating the DL it would definitely be easy, just dump the group, change the DN and other name attributes and reimport.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 23, 2005 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

Hi,

Task - to copy members of an AD email distribution group to another email distribution group

I have looked at both adfind and dsquery and while I can output all of the properties of the source email distribution group (including members), I can't see how to restrict the output just to members in order to pipe them to another email distribution group. Any thoughts?

TIA,
Mike Thommes
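The LDIFDE route joe suggests, as an added example that is not from the list: it parses an LDIFDE-style export of the source group (the constructed sample below) and writes an LDIF modify record that adds the same members to the target group, ready for an ldifde -i import. All group and user DNs are made up.

```python
"""Copy the members of one group into another via LDIF. Added example,
not code from the list: parse an LDIFDE-style export of the source group
and emit a 'changetype: modify' record for the target group. The sample
export and every DN in it are constructed."""
import base64


def unfold(text):
    """Join LDIF continuation lines (they start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF text into a list of records, each {attr: [values]}.
    Handles 'attr:: base64' values, which LDIFDE emits for non-ASCII or
    otherwise unsafe strings."""
    records, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return records


def ldif_line(attr, value, width=76):
    """Render one attribute as LDIF: base64-encode values that are not
    SAFE-STRINGs (RFC 2849) and fold anything longer than 'width'."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        line = "%s: %s" % (attr, value)
    else:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = "%s:: %s" % (attr, encoded)
    out = []
    while len(line) > width:
        out.append(line[:width])
        line = " " + line[width:]
    out.append(line)
    return "\n".join(out)


def member_add_ldif(source_ldif, target_dn, already_present=()):
    """Return (ldif_text, added_members). Members already in the target
    are skipped, because AD rejects adding a value that is already present
    and ldifde stops at the first error."""
    groups = [r for r in parse_ldif(source_ldif) if "member" in r]
    if len(groups) != 1:
        raise ValueError("expected exactly one group with members in the export")
    skip = {dn.lower() for dn in already_present}
    added = [m for m in groups[0]["member"] if m.lower() not in skip]
    lines = [ldif_line("dn", target_dn), "changetype: modify", "add: member"]
    lines += [ldif_line("member", m) for m in added]
    lines.append("-")
    return "\n".join(lines) + "\n", added


# Constructed sample of what an ldifde export of the source group looks
# like: one base64 member (non-ASCII CN) and one folded long member line.
SAMPLE_EXPORT = """dn: CN=Sales DL,OU=Groups,DC=example,DC=com
changetype: add
objectClass: group
cn: Sales DL
member: CN=Alice Adams,OU=Users,DC=example,DC=com
member: CN=Bob Baker,OU=Users,DC=example,DC=com
member:: Q049Wm/DqyxEQz1leGFtcGxlLERDPWNvbQ==
member: CN=Carol Chen,OU=Long Organizational Unit Name That Needs Folding,O
 U=Users,DC=example,DC=com
mail: sales@example.com
"""

if __name__ == "__main__":
    text, added = member_add_ldif(
        SAMPLE_EXPORT, "CN=Sales DL 2,OU=Groups,DC=example,DC=com",
        already_present=["CN=Bob Baker,OU=Users,DC=example,DC=com"])
    print(text)
```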
RE: [ActiveDir] OT: Outlook Web Access Split DNS
IIS - Default Website (or wherever your Exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty. Yeah, right. ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS
RE: [ActiveDir] Delegation to Child Domain Failing
Are you getting anything returned from the DNS Server for the query, where "anything" is defined as seeing something in a network sniffer, not whatever tool is asking?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, June 26, 2005 11:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

Sure Guido thanks for the response. For an unknown reason, root name servers stop responding properly to requests for records in a child domain. In other words, delegation is set up, but delegation isn't working. For example, root domain is root.com. If I query for child.root.com, I get no returns. When it works properly, I get a list of all the NS records for child.root.com. Rebooting the server or restarting DNS doesn't clear this up. However, if I remove the delegation to child.root.com and create it again, delegation works properly. Have you heard of anything like this before?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, June 25, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

can you explain your issue a little more?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 23, 2005 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation to Child Domain Failing

Anyone else seeing this? This is the second time I've had to delete and create the child domain delegation. For some reason, the root NS seems to quit referring. I'm running Windows 2003. I can't find anything regarding this problem. The last time I had a case opened with MS but they didn't know of anything either. No errors, etc.
RE: [ActiveDir] OT: Outlook Web Access Split DNS
Well, you can, and it will work for a while, but Exchange will reset it to whatever is set in Exchange Enterprise Manager. You can change it by browsing to Organization/Administrative Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right click Exchange, Properties, Access tab, Authentication and set whatever options you like. Whatever you set here will show up in IIS.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS
[ActiveDir] Error while adding user to AD
Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
RE: [ActiveDir] Site IP Change
Thanks Joe, Jorge, Jose, Rick, and Marcus for your thoughts and insight. You've validated my thoughts on the matter. Looks like things should go as close to schedule as I can help.

Nate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

And WINS too. You may find you need to delete the domain 1C record(s) and 1B record(s) [1] and force the DCs to refresh the records through NBTSTAT -RR to get them updated. Obviously anything pointing at the DCs for DNS and/or WINS resolution needs to be updated. If anyone was silly enough to point specifically at a DC for LDAP services and was even sillier and used an IP address, that would need to be updated.

joe

[1] The (s) is in case of multiple domains being involved.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 23, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

Yep, no reboot required, just need to make sure that you get your DNS straight - could be chaotic if you change the IP addresses of too many DCs at once. Ensure that replication still works before changing the next (it may sometimes be required to configure a different primary DNS so that it registers its addresses with a partner DC) and ensure that you configure the clients in a DC's site appropriately to use the new IP address as DNS resolver.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 21:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

I've done this many times and haven't had to reboot my 2003 DCs. Just fyi...

:m:dsm:cci:mvp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

Nathan,

I hope you reboot your servers after you change the IP address. As good as the TCP/IP stack has gotten with 2003 server, I still feel it's important to reboot with such changes on a DC.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 23, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change

Nathan,

Typically, the change of IP address, subnet, default gateway and associated DNS entries will take care of most of what you need. However, there is one more thing that needs to be done. Pull up a command prompt on the DC that you've re-IPed, and type this at the prompt (in its entirety):

net stop netlogon
net start netlogon

This will stop the netlogon service, then turn around and restart it automatically. As you might know, the NetLogon service is responsible for maintaining the DNS entries (SRV records, et al.) and updating those as necessary. The stop/start of the service forces the update to happen 'right now', and will be updated with the new data you've entered.

Hope this helps you along in your process.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Henderson
Sent: Thursday, June 23, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site IP Change

We are currently updating our network infrastructure and a part of this is having to change IPs on our internal network. Most devices are pretty simple, but the main point I'm concerned about is changing our DCs. They will all still be in the same subnet, just using a different IP range.

Is there anything I would need to take care of specially in this situation besides updating DNS information during/after the change to ensure replication between DCs will function? I'm trying to think through possible scenarios or issues that could arise. If anyone has any insight it would be much appreciated.

Nate

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
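The steps Rick and joe give (restart Netlogon, refresh the NetBIOS registrations) plus the check Guido implies (make sure the other DCs actually see the new address before you move on to the next one) can be done from one script. This is an added example written for this archive, not code from anyone in the thread; it is meant to run elevated on the re-IPed DC, needs Resolve-DnsName (Windows Server 2012 / Windows 8 or later), and the domain name and address are placeholders you replace.

```powershell
# Added example (not from the thread): post-change steps for a re-IPed DC and a
# check that every DC's DNS now advertises this host at the new address.
param(
    [string]$DomainName = "corp.example.com",   # placeholder: your AD DNS domain
    [string]$NewIp      = "10.20.30.10"          # placeholder: this DC's new address
)

# Netlogon owns the DC's SRV/A records; restarting it re-registers them now
# (same effect as "net stop netlogon" followed by "net start netlogon").
Restart-Service -Name Netlogon -Force

# Re-register the host A record, then release and re-register the NetBIOS names
# with WINS (the "nbtstat -RR" step joe mentions for the 1B/1C domain records).
ipconfig /registerdns | Out-Null
nbtstat -RR | Out-Null

# $true only when the DC locator SRV record on $Server lists this host AND that
# host name resolves to $ExpectedIp there. Both matter: a correct SRV record in
# front of a stale A record still sends clients to the old address.
function Test-DcRegistration {
    param([string]$Domain, [string]$HostName, [string]$ExpectedIp, [string]$Server)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$HostName.*" }
    if (-not $srv) { return $false }   # this DC is not advertised by $Server at all
    $a = Resolve-DnsName -Name $srv[0].NameTarget -Type A -Server $Server -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }
    return [bool]($a | Where-Object { $_.IPAddress -eq $ExpectedIp })
}

# Ask every DC, not just ourselves: the change is only "done" once it has
# replicated, which is the point at which Guido says to start on the next DC.
$dcs = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' }).NameTarget
foreach ($dc in $dcs) {
    $ok = Test-DcRegistration -Domain $DomainName -HostName $env:COMPUTERNAME `
                              -ExpectedIp $NewIp -Server $dc
    "{0,-40} {1}" -f $dc, $(if ($ok) { 'advertises the new address' }
                            else     { 'STALE - wait for replication before the next DC' })
}
```

The loop queries each DC's own DNS service directly with -Server, so a DC that still answers with the old A record shows up as STALE even though the local DC already has the right data. Anything that pointed at the DC by IP address for DNS, WINS or LDAP (joe's last point) will not be caught by this check and has to be hunted down separately.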
RE: [ActiveDir] Error while adding user to AD
This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
[ActiveDir] Verification on a GPO issue
If you have a GPO that is setting file and registry permissions, and you take those particular settings out of the GPO, they are still in place on the servers that the GPO was applying to, correct?

Jeff
Re: [ActiveDir] DNS Scavenging
First off, you need to be careful with such low no-refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (or maybe it's Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records in that zone would not have received a timestamp. An AD-integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a standard naming convention...

--- Wright, T. MR NSSB [EMAIL PROTECTED] wrote:

All,

I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DCs running at 2003 functional level. All of the DCs run DNS and on one of them I enabled scavenging at the server level and configured all zones to have a no-refresh interval of 1 hour and a refresh interval of 8 hours. I did this a few weeks ago and many of the records still exist in DNS. I know for a fact that I have a few thousand workstations which have been off the network for more than 30 days.

I think what I am seeing is the issue where the records that existed prior to me enabling scavenging won't get scavenged. That said, I know I can manually age all of the records using dnscmd, but this will take all of my statically created records with it. Are there any ways around this so that my static records don't get touched?

Thanks,
-Tim
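The "leg work" the reply describes (dump the zone with dnscmd /zoneexport, separate records without a timestamp from those with one, then use the naming convention to tell true statics from pre-aging dynamic records) is easy to script. The function below is an added example for this archive, not code from either poster; the zone text it runs on is constructed to look like an export, and the naming pattern for hand-created records is an assumption you change to match your own convention.

```powershell
# Added example (not from the thread): sort the records of a "dnscmd /zoneexport"
# file into aged (carry a timestamp, so scavenging can remove them), static by
# name, and "no timestamp but the name looks dynamic" (Tim's problem records).
function Split-ZoneRecordsByAging {
    param(
        [string[]]$Lines,
        # assumption: owner names matching this were created by hand
        [string]$StaticNamePattern = '^(@|dc\d+|printer|srv)'
    )
    $aged = @(); $static = @(); $review = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # skip blank lines, ";" comments, $ORIGIN/$TTL directives and the SOA
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('$')) { continue }
        if ($line -match '\sSOA\s') { continue }
        # the export puts the timestamp in brackets before the TTL; the thread is
        # unsure whether it reads [Age:..] or [Aging:..], so accept either spelling
        if ($line -match '\[(?i:age|aging):\d+\]') { $aged += $line; continue }
        $owner = ($line -split '\s+')[0]
        if ($owner -match $StaticNamePattern) { $static += $line } else { $review += $line }
    }
    [pscustomobject]@{ Aged = $aged; Static = $static; NeedsReview = $review }
}

# Constructed sample in the export layout: owner [timestamp] TTL type data.
# Replace with: $lines = Get-Content C:\Windows\System32\dns\<export-file>
$sampleExport = @'
;  Zone:    corp.example.com   (constructed sample, not a real export)
@                3600 NS   dc1.corp.example.com.
dc1              1200 A    10.20.30.10
ws0421 [Aging:3547652] 1200 A 10.20.31.41
ws0422 [Aging:3547660] 1200 A 10.20.31.42
ws0099           1200 A    10.20.31.99
printer-lobby    3600 A    10.20.30.200
'@ -split "`r?`n"

$r = Split-ZoneRecordsByAging -Lines $sampleExport
"Aged, scavenging will handle them:   {0}" -f $r.Aged.Count         # 2
"No timestamp, static by name:        {0}" -f $r.Static.Count       # 3
"No timestamp, name looks dynamic:    {0}" -f $r.NeedsReview.Count  # 1 (ws0099)
$r.NeedsReview
```

The NeedsReview list is the set you would hand to dnscmd /ageallrecords one node at a time (that command accepts a node name after the zone name), which leaves the records in the Static list untouched; anything in NeedsReview that turns out to be a real static host is a naming-convention violation worth fixing while you are at it.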
RE: [ActiveDir] OT: Outlook Web Access Split DNS
This of course only works in a single domain forest. In a multidomain forest, if you put a \ in the domain box your users don't have to specify a domain and IIS/Exchange does some magic to figure that part out. You should be specifying this in ESM though, not inetmgr. DS2MB will resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

IIS - Default Website (or wherever your Exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty... Yeah, right... ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...).

We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
Re: [ActiveDir] Error while adding user to AD
Active Directory password policy was set as follows:

Policy: Setting
Enforce password history: 0 passwords remembered
Maximum password age: 999 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Disabled
Store passwords using reversible encryption: Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers as to how this happened?

Regards,
Mayuresh

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
Re: [ActiveDir] Verification on a GPO issue
Correct. They will not undo themselves in this case. This is true for most (all?) of the security related settings. You would need to reverse the settings to undo them.

--- Cothern Jeff D. Team EITC [EMAIL PROTECTED] wrote:

If you have a GPO that is setting file and registry permissions, and you take those particular settings out of the GPO, they are still in place on the servers that the GPO was applying to, correct?

Jeff
RE: [ActiveDir] OT: Outlook Web Access Split DNS
You and Jeff are both completely correct - well, almost :). It's well-documented - I was just too excited to think when I saw Joe cop a plea on Exchange :) Since he has E2K3, I believe that this is what he wants: http://support.microsoft.com/kb/820378/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This of course only works in a single domain forest. In a multidomain forest, if you put a \ in the domain box your users don't have to specify a domain and IIS/Exchange does some magic to figure that part out. You should be specifying this in ESM though, not inetmgr. DS2MB will resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

IIS - Default Website (or wherever your Exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty... Yeah, right ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...).

We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
RE: [ActiveDir] Error while adding user to AD
That DSID can pop up when an account is improperly created, i.e. someone is trying to set the account enabled in the actual creation of the account when there is a password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy: Setting
Enforce password history: 0 passwords remembered
Maximum password age: 999 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Disabled
Store passwords using reversible encryption: Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers as to how this happened?

Regards,
Mayuresh

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
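The create-disabled, set-password, then-enable order joe describes looks like this with the ADSI LDAP provider. This is an added example written for this archive, not the meta directory product's code or anything posted in the thread; the OU path, account name and password are placeholders, and the only thing the function assumes about the domain is that a minimum password length (or complexity) policy is in force, as in Mayuresh's case.

```powershell
# Added example (not from the thread): provision an AD user in the order the
# directory accepts when a password policy exists. Asking for an enabled account
# in the same operation that creates it, before a compliant password exists,
# is the pattern the DC refuses with problem 5003 (WILL_NOT_PERFORM).
function New-ProvisionedAdUser {
    param(
        [string]$OuPath,            # placeholder: "LDAP://OU=Staff,DC=corp,DC=example,DC=com"
        [string]$SamAccountName,    # placeholder: "jdoe"
        [string]$Password           # must satisfy the domain's length/complexity policy
    )
    $ADS_UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
    $ADS_UF_NORMAL_ACCOUNT = 0x0200   # userAccountControl bit: ordinary user account

    $ou   = [ADSI]$OuPath
    $user = $ou.Create("user", "CN=$SamAccountName")
    $user.Put("sAMAccountName", $SamAccountName)

    # Step 1: commit the object DISABLED. No password policy is evaluated here.
    # (Putting 0x200 alone at this point, with no password yet, is the failing
    #  create that the thread is about.)
    $user.Put("userAccountControl", $ADS_UF_NORMAL_ACCOUNT -bor $ADS_UF_ACCOUNTDISABLE)
    $user.SetInfo()

    # Step 2: set the password on the committed object. This is the call the DC
    # checks against minimum length / complexity, so a policy violation fails
    # here with a clear error instead of a generic refusal at create time.
    $user.SetPassword($Password)

    # Step 3: only now clear the disabled bit; the account has a valid password.
    $user.GetInfo()
    $uac = [int]$user.Get("userAccountControl")
    $user.Put("userAccountControl", $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE))
    $user.SetInfo()
    return $user
}

# Usage (placeholders; the password string is read interactively so it does
# not end up in a script file or shell history):
# $pw = Read-Host "Initial password"
# $u  = New-ProvisionedAdUser -OuPath "LDAP://OU=Staff,DC=corp,DC=example,DC=com" `
#                             -SamAccountName "jdoe" -Password $pw
```

If the provisioning product cannot be taught this order, the symptom Mayuresh saw (provisioning works only when the minimum length is set to 0) is exactly what to expect: with no length policy the DC accepts an enabled account with no password, which is worse than the error.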
RE: [ActiveDir] OT: Outlook Web Access Split DNS
:o) This is why I said it wasn't my specialty. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, June 27, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

Well, you can, and it will work for a while, but Exchange will reset it to whatever is set in Exchange Enterprise Manager. You can change it by browsing to Organization/Administrative Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right-click Exchange, Properties, Access tab, Authentication and set whatever options you like. Whatever you set here will show up in IIS.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...).

We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
RE: [ActiveDir] OT: Outlook Web Access Split DNS
I am decent with the Exchange/AD interface; Exchange's functionality itself is out of my scope and not anything I want in my scope, though lately I have been fielding questions on event sinks, which is scaring me. Mostly I am interested in how AD works. Not so interested in how technologies that use AD work, such as GPOs and Exchange and other things.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

You and Jeff are both completely correct - well, almost :). It's well-documented - I was just too excited to think when I saw Joe cop a plea on Exchange :) Since he has E2K3, I believe that this is what he wants: http://support.microsoft.com/kb/820378/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This of course only works in a single domain forest. In a multidomain forest, if you put a \ in the domain box your users don't have to specify a domain and IIS/Exchange does some magic to figure that part out. You should be specifying this in ESM though, not inetmgr. DS2MB will resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

IIS - Default Website (or wherever your Exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty... Yeah, right ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...).

We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
[ActiveDir] OT: Command line to create a local account
What would be the syntax in a batch file that I could use to create a local account, assign it a password and disable the account? Also, the account needs to be part of the Guests group and a password must be required for it. I've got an idea but I'm trying to do it in as few commands as possible.

Jeff
RE: [ActiveDir] OT: Command line to create a local account
Try cusrmgr. Look for the -alg and +s options. Jsiinc.com had some details on cusrmgr.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 6/27/2005 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line to create a local account

What would be the syntax in a batch file that I could use to create a local account, assign it a password and disable the account? Also, the account needs to be part of the Guests group and a password must be required for it. I've got an idea but I'm trying to do it in as few commands as possible.

Jeff
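The same job can be done with the built-in net.exe, which is what a batch file on a machine without the resource kit would call; the version below is an added example for this archive, not Jeff's batch file and not the cusrmgr approach Dèjì suggests. The account name and password are placeholders, and it needs to run elevated on the machine where the account should exist.

```powershell
# Added example (not from the thread): create a disabled local account that is a
# member of Guests and requires a password, then read it back to confirm.
function New-DisabledGuestAccount {
    param([string]$Name, [string]$Password)   # placeholders
    # One command: create the account with the given password, require a password
    # from now on (/passwordreq:yes) and leave it disabled (/active:no).
    net user $Name $Password /add /passwordreq:yes /active:no
    if ($LASTEXITCODE -ne 0) { throw "net user /add failed (exit $LASTEXITCODE)" }
    # Put it in Guests. New local accounts land in Users by default, and a guest
    # account should not keep Users' rights on top of Guests', so remove that too.
    net localgroup Guests $Name /add
    net localgroup Users  $Name /delete
}

# "net user <name>" prints "Account active", "Password required" and
# "Local Group Memberships" lines; this checks the three things Jeff asked for.
function Test-DisabledGuestAccount {
    param([string]$Name)
    $info = (net user $Name 2>&1) -join "`n"
    [pscustomobject]@{
        Disabled         = [bool]($info -match 'Account active\s+No')
        PasswordRequired = [bool]($info -match 'Password required\s+Yes')
        InGuests         = [bool]($info -match 'Local Group Memberships\s+.*\*Guests')
        NotInUsers       = -not ($info -match 'Local Group Memberships\s+.*\*Users')
    }
}

# Usage (placeholders): every property should come back True.
# New-DisabledGuestAccount -Name "kiosk-guest" -Password "<initial password>"
# Test-DisabledGuestAccount -Name "kiosk-guest"
```

Whatever tool you pick, the password is on the command line, so it sits in the batch file and, while the command runs, in the process list; keep the batch file readable only by administrators and change the password once the account is enabled for real use.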
Re: [ActiveDir] Error while adding user to AD
Thanks a lot, Joe. I'll try this out. One more query: after I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created, i.e. someone is trying to set the account enabled in the actual creation of the account when there is a password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy: Setting
Enforce password history: 0 passwords remembered
Maximum password age: 999 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Disabled
Store passwords using reversible encryption: Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers as to how this happened?

Regards,
Mayuresh

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
Re: [ActiveDir] Error while adding user to AD
I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

----- Original Message -----
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot, Joe. I'll try this out. One more query: after I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created, i.e. someone is trying to set the account enabled in the actual creation of the account when there is a password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy: Setting
Enforce password history: 0 passwords remembered
Maximum password age: 999 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Disabled
Store passwords using reversible encryption: Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers as to how this happened?

Regards,
Mayuresh

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
RE: [ActiveDir] Error while adding user to AD
After you set the policy, you have to wait for the policy to be replicated to all DCs in the domain and applied before you get convergence on the new policy rules. Depending on the environment this can take varying amounts of time. If you have only a couple of K3 DCs in a single site and great FRS/AD replication you can set it and then wait a minute and then do a

gpupdate /force

to force the update of the policy.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                         Setting
Enforce password history                       0 passwords remembered
Maximum password age                           999 days
Minimum password age                           0 days
Minimum password length                        8 characters
Password must meet complexity requirements     Disabled
Store passwords using reversible encryption    Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?

Regards,
Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
RE: [ActiveDir] Error while adding user to AD
I expect the policy hasn't completely applied yet. Can you control the process used by the metadirectory software for object creation? If so, have it create the object in the way specified below. The alternative is to create it with the useraccountcontrol flagged to allow the account to not have a password. Then after the initial object create set a password and change useraccountcontrol to 512. I highly recommend creating it disabled and then setting the password and then setting the useraccountcontrol to 512 though. It is more obvious if something gets dropped and not handled properly.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                         Setting
Enforce password history                       0 passwords remembered
Maximum password age                           999 days
Minimum password age                           0 days
Minimum password length                        8 characters
Password must meet complexity requirements     Disabled
Store passwords using reversible encryption    Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?

Regards,
Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
RE: [ActiveDir] DNS Scavenging
Thanks for your response. I have one more question: are the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries. I don't think there are too many so it shouldn't be too difficult, I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact.

Thanks,
-Tim

From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging

First off, you need to be careful with such low no refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (Or maybe it's Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records into that zone would have not received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a standard naming convention...

--- Wright, T. MR NSSB [EMAIL PROTECTED] wrote:

All,

I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DC's running 2003 functional level. All of the DC's run DNS and on one of them I enabled scavenging at the server level and configured all zones to have a no-refresh interval of 1 hour and a refresh interval of 8 hours. I did this a few weeks ago and many of the records still exist in DNS. I know for a fact that I have a few thousand workstations which have been off the network for more than 30 days. I think what I am seeing is the issue where the records that existed prior to me enabling scavenging won't get scavenged. That said, I know I can manually age all of the records using the dnscmd, but this will take all of my statically created records with it. Are there any ways around this so that my static records don't get touched?

Thanks,
-Tim
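The sorting David describes above, separating records that carry an [Aging:] timestamp from records that have none, and then working out which timestamped records a scavenging pass would actually delete for a given no-refresh/refresh pair, as an added example; it is not code from the thread. It assumes the dnscmd /zoneexport line layout shown in the constructed sample (owner, optional [Aging:hours], TTL, type, data, with ';' comment lines) and that the Aging value counts hours since 1601-01-01 UTC; the zone, hosts and addresses in the sample are constructed.

```python
"""Sort a dnscmd /zoneexport dump into static and timestamped records and
work out which timestamped records a scavenging pass would remove.

Added example, not code from the list thread.  Assumed export line layout:
    owner [Aging:HOURS] TTL TYPE RDATA     (timestamped, dynamically registered)
    owner TTL TYPE RDATA                   (static: no timestamp, never scavenged)
where HOURS counts hours since 1601-01-01 00:00 UTC.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

WINDOWS_EPOCH = datetime(1601, 1, 1)

# owner, optional [Aging:N], TTL, record type, rdata
_RECORD_RE = re.compile(r'^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+(\S+)\s+(.+)$')

# Constructed sample in the assumed layout; not a real zone.  The Aging values
# are hours since 1601-01-01 (3545640 == 2005-06-27 00:00 UTC).
SAMPLE_EXPORT = """\
;
;  Zone:      corp.example.com
;  Server:    dc1.corp.example.com
;
@ 3600 NS\tdc1.corp.example.com.
dc1 [Aging:3545650] 1200 A\t10.0.0.10
printsrv 3600 A\t10.0.0.20
oldpc [Aging:3544680] 1200 A\t10.0.0.77
"""

# Reference point for the demo: noon on the day the thread was posted.
EXAMPLE_NOW = datetime(2005, 6, 27, 12, 0)


class Record(NamedTuple):
    owner: str
    rtype: str
    rdata: str
    timestamp: Optional[datetime]   # None = static record (no Aging value)


def aging_to_datetime(hours: int) -> datetime:
    """Turn an [Aging:N] value into the UTC time the record was last refreshed."""
    return WINDOWS_EPOCH + timedelta(hours=hours)


def datetime_to_aging(when: datetime) -> int:
    """Inverse of aging_to_datetime (whole hours, which is the stored granularity)."""
    return int((when - WINDOWS_EPOCH).total_seconds() // 3600)


def parse_zone_export(text: str) -> List[Record]:
    """Parse the export; comment lines and SOA continuation lines are skipped."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = _RECORD_RE.match(line)
        if not m:
            continue
        owner, aging, _ttl, rtype, rdata = m.groups()
        stamp = aging_to_datetime(int(aging)) if aging else None
        records.append(Record(owner, rtype, rdata.strip(), stamp))
    return records


def static_records(records: List[Record]) -> List[Record]:
    """Records without a timestamp.  These are the ones that forcing an age on
    every record would convert to dynamic, so review this list before doing that."""
    return [r for r in records if r.timestamp is None]


def scavengeable_owners(records: List[Record], now: datetime,
                        no_refresh_hours: int, refresh_hours: int) -> List[str]:
    """Owners of timestamped records a scavenging pass at `now` would delete.

    A record is eligible once now > timestamp + no-refresh + refresh interval."""
    window = timedelta(hours=no_refresh_hours + refresh_hours)
    return [r.owner for r in records
            if r.timestamp is not None and now > r.timestamp + window]


if __name__ == '__main__':
    recs = parse_zone_export(SAMPLE_EXPORT)
    print('static (never scavenged):', [r.owner for r in static_records(recs)])
    print('scavengeable at 1h/8h:   ', scavengeable_owners(recs, EXAMPLE_NOW, 1, 8))
    print('scavengeable at 1h/7d:   ', scavengeable_owners(recs, EXAMPLE_NOW, 1, 24 * 7))
```

Running it against a real export is a matter of replacing SAMPLE_EXPORT with the file contents and EXAMPLE_NOW with the current UTC time; the static list is the set to check against your intended static entries before any bulk re-aging, and the scavengeable list shows why lowering the intervals does nothing for records that never received a timestamp.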
RE: [ActiveDir] OT: Outlook Web Access Split DNS
though lately I have been fielding questions on event sinks

Sweet. Can we expect a chapter on this in the cat book? :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

I am decent with the Exchange/AD interface, Exchange's functionality itself is out of my scope and not anything I want in my scope though lately I have been fielding questions on event sinks which is scaring me. Mostly I am interested in how AD works. Not so interested in how technologies that use AD work such as GPOs and Exchange and other things.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

You and Jeff are both completely correct - well, almost :). It's well-documented - I was just too excited to think when I saw Joe cop a plea on Exchange :) Since he has E2K3, I believe that this is what he wants: http://support.microsoft.com/kb/820378/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This of course only works in a single domain forest. In a multidomain forest, if you put a \ in the domain box your users don't have to specify a domain and IIS/Exchange does some magic to figure that part out. You should be specifying this in ESM though, not inetmgr. DS2MB will resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

IIS - Default Website (or wherever your exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty .. Yeah, right ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...). We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
Re: [ActiveDir] Error while adding user to AD
Thanks a lot Joe,

This has been of tremendous help for diagnosing the issue! Grateful to you!

Mayuresh.

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:32 AM
Subject: RE: [ActiveDir] Error while adding user to AD

I expect the policy hasn't completely applied yet. Can you control the process used by the metadirectory software for object creation? If so, have it create the object in the way specified below. The alternative is to create it with the useraccountcontrol flagged to allow the account to not have a password. Then after the initial object create set a password and change useraccountcontrol to 512. I highly recommend creating it disabled and then setting the password and then setting the useraccountcontrol to 512 though. It is more obvious if something gets dropped and not handled properly.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

I set the Domain Security policy to be a password length policy. I set the minimum length to be 8. Still I am able to provision using a different server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD

That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                         Setting
Enforce password history                       0 passwords remembered
Maximum password age                           999 days
Minimum password age                           0 days
Minimum password length                        8 characters
Password must meet complexity requirements     Disabled
Store passwords using reversible encryption    Disabled

Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened?

Regards,
Mayuresh

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD

This sort of error happens when the user you are provisioning doesn't meet all the policy requirements in AD. Make sure all the required attributes are set properly, and make sure that the password assigned to the user object meets the current domain complexity requirements.

-gil

From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD

Hi,

I am using a meta directory to provision a new user in AD. But while adding the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it please.

Thanks,
Mayuresh
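The creation order joe recommends in this thread (add the object disabled, set the password, then set userAccountControl to 512), together with the PASSWD_NOTREQD alternative he mentions and Gil's point about the password having to satisfy the domain policy, as an added example; it is not code from the thread or from any metadirectory product. The (operation, dn, attributes) tuples are this example's own convention for whatever LDAP client the connector uses, the policy check is a simplified model of the minimum-length and complexity rules rather than the DC's implementation, and the DN and account name in the usage call are constructed. The userAccountControl bit values are the documented ADS_USER_FLAG values.

```python
"""Plan the LDAP operations for creating an AD user under a minimum-password-
length policy without tripping WILL_NOT_PERFORM: add the object disabled, set
unicodePwd, then enable it (userAccountControl = 512).

Added example, not code from the thread or from any metadirectory product.
The (op, dn, attributes) tuples are this example's own convention; the policy
check is a simplified model of the domain policy discussed in the thread.
"""
from typing import Dict, List, Tuple

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200      # 512: an ordinary enabled user

Operation = Tuple[str, str, Dict[str, object]]


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes unicodePwd as the password wrapped in double quotes, UTF-16LE
    encoded, and only over an encrypted (LDAPS or signed/sealed) session."""
    return ('"%s"' % password).encode('utf-16-le')


def meets_policy(password: str, sam_account_name: str,
                 min_length: int, complexity: bool) -> bool:
    """Client-side pre-check of the two policy items discussed in the thread."""
    if len(password) < min_length:
        return False
    if not complexity:
        return True
    # Simplified complexity rule: the sAMAccountName (3+ chars) must not appear
    # in the password, and at least three of four character classes are present.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def add_would_be_refused(uac: int, password: str, min_length: int) -> bool:
    """Model of the failure in the thread: an add that asks for an enabled,
    password-required account while the password (here: none yet) violates
    the minimum length is refused with WILL_NOT_PERFORM."""
    enabled = not uac & UF_ACCOUNTDISABLE
    password_required = not uac & UF_PASSWD_NOTREQD
    return enabled and password_required and len(password) < min_length


def plan_provisioning(dn: str, sam_account_name: str, password: str,
                      min_length: int = 8, complexity: bool = False,
                      use_passwd_notreqd: bool = False) -> List[Operation]:
    """Return the ordered operations a connector should issue.

    use_passwd_notreqd=False: create disabled (512 | 2 = 514), set the
    password, enable.  True: joe's alternative, create with PASSWD_NOTREQD
    (512 | 32 = 544) so the add succeeds without a password, then set the
    password and clear the bit by writing 512."""
    if not meets_policy(password, sam_account_name, min_length, complexity):
        raise ValueError('password does not meet domain policy; the DC would refuse it')
    initial_uac = (UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD if use_passwd_notreqd
                   else UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)
    # Either initial value is accepted by the model above; 512 alone would not be.
    assert not add_would_be_refused(initial_uac, '', min_length)
    return [
        ('add', dn, {
            'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
            'sAMAccountName': sam_account_name,
            'userAccountControl': initial_uac,
        }),
        # unicodePwd is replaced, never appended, and must be the encoded form.
        ('modify', dn, {'unicodePwd': encode_unicode_pwd(password)}),
        # Only now flip the account to a plain enabled user.
        ('modify', dn, {'userAccountControl': UF_NORMAL_ACCOUNT}),
    ]


if __name__ == '__main__':
    # Constructed DN and account; not from the thread.
    for op, dn, attrs in plan_provisioning('CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com',
                                           'jdoe', 'Correct-Horse-9'):
        print(op, dn, {k: v for k, v in attrs.items() if k != 'unicodePwd'})
```

The reason the disabled-first order is the one to prefer, as joe says, is visible in the plan: if the connector dies between step one and step three, a disabled object with no usable password is left behind, whereas the PASSWD_NOTREQD variant leaves an enabled object that accepts an empty password until someone notices.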