RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread TIROA YANN



ERIC !!! You're the BEST !!! THAT WORKS FINE !!

I have never found the solution of my problem for one year :(

For Outlook 2003, the search succeeded thanks to your value added with
adsiedit, and it works better than the
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP]
"DisableVLVBrowsing"=dword:0001 added per workstation !!!

But I noticed that for php scripts, the error still remains... any thoughts ?

Thank u very much eric for the invaluable help u provided me :-)

Cheers,

Yann


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, June 26, 2005 00:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.


So I am writing a longer note about the history of VLV fixes we’ve thrown at it
and why, but haven’t finished yet, and am trying to decide if it is best done in
a blog post or an email to this list (it’s 2 pages so far).

In the interim, a couple of thoughts….

From the DSID you’re getting, I’d speculate you’re still doing VLV. I don’t know
what you’ve tweaked on the Outlook side, but that’s my suspicion. A network
sniff (or some more data) would confirm.

However, looking at this more broadly….

If you implement this change as your “fix”, you’ll find you need to do this on
every client. That might grow old. :)

A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you’d need a QFE on them for
this, namely a binary from the QFE tree that is Q886683 or later)…..

  Fire up adsiedit, crack open the config NC
  Expand CN=Directory Service,CN=Windows NT,CN=Services.
  Edit CN=Directory Services.
  Nav down to msds-Other-Settings. Edit.
  In the Value to add box, type, without the quotes: “DisableVLVSupport=1”.
  Click Add.

Give that a try, let us know how it goes. :)

~Eric








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.



Thanks for reply :)

Yes, I have already followed the link you specified. I disabled LDAP
address-list-browsing functionality in my Outlook 2003: the browsing is then
disabled - the list is empty without the Unavailable Critical Extension error
message box.

The only way I found to use the LDAP search with Outlook 2003 Exchange MAPI
mode is to configure Outlook for searching LDAP Active Directory first and not
the Exchange GAL, and type the sender in the "to..." field of Outlook: Outlook
then verifies the sender against LDAP AD first and that works. I thought of
distributing this regkey with GPO to all my users...

I have already installed SP1 for W2K3 a month ago, and no way :(

The same problem is reproduced in another French University.

The maxpagesize = the max LDAP page size for the default query policy in my
domain is set to a high value 2 instead of the default value of 1000. I am
wondering if this can be the reason...





Cheers,



Yann







From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat. 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.

Try disabling VLV in outlook, you can do that here:
820864 You Experience Performance Problems in Outlook 2003 When You Browse an
http://support.microsoft.com/?id=820864

If that solves your problem then you might be hitting a known bug…contact PSS
for the hotfix (or install SP1 which I believe has the fix).

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive serach on Root domain failed.



Hello,



When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or
php scripts) through my root domain AD2003 (dc=domain,dc=fr), the search failed
with the corresponding error: "Unavailable Critical Extension". But when I put
the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search worked.

When I used Outlook Express configured in LDAP, the recursive search ... worked.

My environment: Forest AD2003 raised to Windows Server 2003 functional level.
I did an in-place upgrade from AD 2000 native mode to AD 2003.

Curious thing is when I installed a fresh domain AD2003 test (without upgrade
from AD2000) any recursive search (with php, Outlook 2003, etc.) works

So I suspect that it is the migration that causes the problem but, I didn't
know if such request worked before migration :(

My network trace between my workstation and any DCs confirmed the error:

LDAP: ProtocolOp = SearchResponse (simple)
LDAP: Result Code = Unavailable Critical Extension
LDAP: Error Message

RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Eric Fleischman








Can you take a network sniff of the PHP scripts failing?

I suspect they are just blindly doing VLV, not actually checking if the DC they
are talking to supports it. The mod you made below will remove the VLV OID from
supportedCapabilities such that people that look for it won’t find it. If the
PHP scripts just use VLV w/o first checking, they’ll still fail (though I’d
argue while what we did isn’t ideal, what they would be doing is just as bad if
not worse, because you shouldn’t use something like VLV w/o first checking that
the DSA supports it).

I don’t really know what that Outlook thing you tried does from the Outlook
side, I’m an AD guy, not an Outlook guy. I’ve been told by people that I know
that it just disables the attempt to use VLV, but there might be caveats they
didn’t mention. Maybe you don’t have a late enough Outlook binary that
understands it. Maybe you didn’t do the magic DisableVLVBrowsing dance. I don’t
know.

As I mentioned before, I’m doing a write-up of this which I’ll probably blog.
I’ll post to this list with a link to that post when I do it, probably soon,
but I have a few other things I need to do first I’m afraid.



~Eric
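
The check described in the message above (look for the VLV OID in what the DC advertises before sending the control), as an added example that is not part of the original thread. The function names and the rootDSE dictionaries are constructed for illustration, and reading both supportedControl and supportedCapabilities is an assumption made here; result code 12 is RFC 4511's unavailableCriticalExtension, the error reported in this thread.

```python
# Added example: choose search controls from what the server advertises,
# instead of sending VLV blindly. Sample rootDSE data below is constructed.

OID_PAGED_RESULTS = "1.2.840.113556.1.4.319"   # simple paged results
OID_SORT_REQUEST = "1.2.840.113556.1.4.473"    # server-side sort request
OID_VLV_REQUEST = "2.16.840.1.113730.3.4.9"    # virtual list view request

# LDAP result code from RFC 4511 (the "Unavailable Critical Extension" error).
UNAVAILABLE_CRITICAL_EXTENSION = 12

# rootDSE attributes inspected (assumption: check both, compare lowercased).
ADVERTISING_ATTRS = ("supportedcontrol", "supportedcapabilities")


def advertised_oids(root_dse):
    """Return the set of OIDs a rootDSE entry advertises.

    root_dse maps attribute names to lists of str or bytes values, the shape
    most LDAP client libraries return for a base-scope read of the empty DN.
    """
    oids = set()
    for name, values in root_dse.items():
        if name.lower() not in ADVERTISING_ATTRS:
            continue
        for value in values:
            if isinstance(value, bytes):
                value = value.decode("ascii", "replace")
            oids.add(value.strip())
    return oids


def choose_controls(root_dse):
    """Return (strategy, [(oid, critical), ...]) for a large subtree search."""
    oids = advertised_oids(root_dse)
    # VLV is only valid together with a sort control, so require both.
    if OID_VLV_REQUEST in oids and OID_SORT_REQUEST in oids:
        return "vlv", [(OID_SORT_REQUEST, True), (OID_VLV_REQUEST, True)]
    if OID_PAGED_RESULTS in oids:
        return "paged", [(OID_PAGED_RESULTS, True)]
    return "plain", []


def fallback_after(result_code, strategy, root_dse):
    """Pick the next strategy after a failed search, or None to give up."""
    if result_code != UNAVAILABLE_CRITICAL_EXTENSION or strategy == "plain":
        return None
    if strategy == "vlv" and OID_PAGED_RESULTS in advertised_oids(root_dse):
        return "paged"
    return "plain"


# Constructed sample: a DC that advertises paging, sorting and VLV.
DC_DEFAULT = {
    "supportedControl": [
        b"1.2.840.113556.1.4.319",
        b"1.2.840.113556.1.4.473",
        b"2.16.840.1.113730.3.4.9",
    ],
}

# Constructed sample: the same DC once the VLV OID is no longer advertised.
DC_VLV_DISABLED = {
    "supportedControl": [
        b"1.2.840.113556.1.4.319",
        b"1.2.840.113556.1.4.473",
    ],
}

if __name__ == "__main__":
    for label, dse in (("default", DC_DEFAULT), ("VLV disabled", DC_VLV_DISABLED)):
        print(label, choose_controls(dse))
```

A client written this way never sends the VLV control to a DC that does not list it, and it still recovers if a server rejects a critical control it did advertise.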




















RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread TIROA YANN



Eric,

For the Outlook side, when I added the value
"DisableVLVBrowsing"=dword:0001 per workstation, the browsing did not show
any users as u stated (blank list). Without the RegValue, the error "Unavailable
Critical Extension" appears with, again, no users showing in the browsing list.
So the regkey seems to disable the VLV feature at the client side BUT without
showing any users :(
I found a way to LDAP search in my AD by working around this problem :)

With your regkey set in the configuration partition, that definitively resolves
my pb, the browsing in Outlook 2003 works.
And at the time of writing, I tested the LDAP browsing on 10 workstations
that have Outlook 2003 in LDAP, and that works, whereas they did not work before
and with the same error !!

All the Outlook I've installed have all the necessary binaries, have
all the last patches :)

I will forward u the network trace of the php search.

Thanks for help :)

PS: let us know when u will publish a KB on the VLV feature please :)

Yann



RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Haaker, Chris








Eric,



I would blog it and
then those that are interested can pull the blog post. What is your blog
address?







Chris Haaker

ITS Infrastructure

x7841




























From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive serach on Root domain failed.

Hello,

When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or
php scripts) through my root domain AD2003 (dc=domain,dc=fr), the search failed
with the corresponding error: "Unavailable Critical Extension". But when I put
the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search worked.

When I used Outlook Express configured in LDAP, the recursive search ... worked.

My environment: Forest AD2003 raised to Windows Server 2003 functional level.
I did an in-place upgrade from AD 2000 native mode to AD 2003.

Curious thing is when I installed a fresh domain AD2003 test (without upgrade
from AD2000) any recursive search (with php, Outlook 2003, etc.) works

So I suspect that it is the migration that causes the problem but, I didn't
know if such request worked before migration :(

My network trace between my workstation and any DCs confirmed the error:

LDAP: ProtocolOp = SearchResponse (simple)
 LDAP: Result Code = Unavailable Critical Extension
 LDAP: Error Message =20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)
 LDAP: Controls
  LDAP: Sort Response Control
  LDAP: Criticality = 0 (0x0)
 LDAP: Sort Result Code = Unwilling to Perform











I contacted MS French support and 

[ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Rocky Habeeb
Ladies and Gentlemen;

In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced training Kit
training manual, I have come upon a question in the Chapter 3 lesson review
on page 3-55:

What variable can be used with the DSMOD and DSADD commands to create
user-specific home folders and profile folders?
a.  %Username%
b.  $Username$
c.  CN=Username
d.  Username

The correct answer is b

Is this true?

Thanks in advance.

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Burkes, Jeremy [Contractor]
I would have thought the answer would be A. %Username%.



RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Almeida Pinto, Jorge de
Hi,

No the answer is B. If you use A (%Username%) it then would be replaced
by the samaccountname of the user executing the command

See links and search for $Username$
http://www.ss64.com/nt/dsadd.html
http://www.ss64.com/nt/dsmod.html
http://www.examcram2.com/articles/article.asp?p=102278seqNum=2rl=1
 
Cheers,
#JORGE#



RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Teverovsky, Guy






From dsmod user /? :

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is janed, the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home



Guy







RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Burkes, Jeremy [Contractor]








Learn something new everyday, did not know that.



Jeremy



















RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread Haaker, Chris
I am studying on the 70-292 kit for my upgrade exam and all of their
references as well are to $username$.

 
Chris Haaker
ITS Infrastructure
x7841
 
 



[ActiveDir] Remove View Menu From Explorer

2005-06-27 Thread Dan DeStefano








In Windows 2000, is it possible to remove or disable the View
menu from Windows Explorer and Internet Explorer 6? If not, then is it possible
to remove or disable the Explorer Bar submenu? It would also be
OK to be able to just remove all text menus (Edit, View, Go, etc). We are
locking down a kiosk machine and want the clients to be able to see one folder
only and not be able to navigate to others. The problem is that if we just
remove access from the parent folder, a certain program we are using does not
work properly, plus, even though the user account is given modify
permissions to their folder and no permissions to the parent folder, the
shortcut used to open their folder does not work.





I appreciate any help on this issue,



_





Daniel DeStefano












[ActiveDir] Open Another User's Registry File

2005-06-27 Thread Dan DeStefano








Is it possible to open another user's ntuser.dat file
for editing? I would like to be able to edit some per-user settings for
specific users, but when I try to open it using regedit or regedt32, I am asked
if I want to add the information in the file to the registry, which I do not
want to do. This is on a Windows 2000 Server machine.





I appreciate any help,

_





Daniel DeStefano












RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Robinson, Chuck



Open Regedit, set your focus to HKLM, use Load Hive from 
the File Menu. Be sure to unload the hive when you are 
done.





[ActiveDir] Logon server bad discovery

2005-06-27 Thread Lev Zdenek








Hello 

I have the following problem. I have a network with only W2K3 SP1
domain controllers in several sites (uhnete). Subnet, site, and site links are
configured. There are DNS, GC in each site. My clients are XP SP2. When I tested
my logon server through set l=logon server I discovered that my
logon server is from another site than the one the client resides in (belongs
to). DC, DNS and replication function correctly. I discovered that the clients
after logon belong to an incorrect site (nltest /dsgetsite).
The site which the client belongs to changes randomly. When I set the parameter
DynamicSiteName under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
to the correct site, everything functions correctly. I would like to get more
information on how the logon process discovers the right site and the right
domain controller. I found some information on MSDN about DsGetDcName, but this
information is incomplete.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

Does anybody have a solution for this?

THX

Zdenek












RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Darren Mar-Elia



You can also script this using 
reg.exe.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck
Sent: Monday, June 27, 2005 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Open Another User's Registry File

Open Regedit, set your focus to HKLM, use Load Hive from
the File Menu. Be sure to unload the hive when you are
done.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another user's ntuser.dat file for editing? I would like
to be able to edit some per-user settings for specific users, but when I try to
open it using regedt or regedt32, I am asked if I want to add the information
in the file to the registry, which I do not want to do. This is on a Windows
2000 Server machine.


I appreciate any 
help,
_


Daniel DeStefano



[ActiveDir] OT: GPO undefined definition

2005-06-27 Thread Douglas M. Long












If something is set to undefined in group policy, does it
get set to the Windows default all the time?



The reason I ask is because I had Microsoft
network server: Digitally sign communications (always) set to
enabled, then changed it to undefined. I was thinking this would leave all
those machines set to enabled, and then I could just disable it on the single
machine that I wanted to, but it set them all to disabled (the Windows
default). Is this the correct behavior?








RE: [ActiveDir] Logon server bad discovery

2005-06-27 Thread Almeida Pinto, Jorge de
Are you sure you have mapped the correct subnets to the correct sites? Is the 
subnet where those clients reside assigned in AD to a site? Check that to be 
sure.
 
A client gets his site assigned from the subnet-site mappings in AD. If some
subnet is not in AD and assigned to a site, the client might be authenticated
randomly by any available DC. The authenticating DC will also record an event
ID concerning the unmapped subnet.
Cheers,
#JORGE#
 



From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon server bad discovery



Hello 

I have the following problem. I have a network with only W2K3 SP1 domain
controllers in several sites (uhnete). Subnets, sites, and site links are
configured. There are DNS and GC in each site. My clients are XP SP2. When I
tested my logon server through set l=logon server, I discovered that my logon
server is from a different site than the one the client resides in (belongs to).
DC, DNS and replication function correctly. I discovered that the clients after
logon belong to an incorrect site (nltest /dsgetsite). The site which the client
belongs to changes randomly. When I set the parameter DynamicSiteName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to
the correct SITE, everything functions correctly. I would like to get more information
on how the logon process discovers the right site and the right domain controller. I found
some information on MSDN about DsGetDcName, but this information is incomplete.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

Does anybody have a solution for this?

THX

Zdenek

 

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
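
The subnet-to-site lookup described in the reply above, as an added PowerShell example (not code from any poster). The subnets, site names, host names and log lines are constructed, and the log layout is assumed to follow Netlogon's NO_CLIENT_SITE debug entries; the function names are hypothetical.

```powershell
# Added example: which AD site does a client address map to?
# Everything below (subnets, site names, host names, log lines) is constructed.

# Subnet objects and the site each one is assigned to (constructed).
$SubnetToSite = @{
    '10.1.0.0/16'  = 'SiteA'
    '10.1.50.0/24' = 'SiteA-Lab'
    '10.2.0.0/16'  = 'SiteB'
}

function ConvertTo-IPv4Number {
    # Dotted-quad IPv4 string -> number (a double holds 32-bit values exactly).
    param([string]$IPv4)
    [double]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()) {
        $n = $n * 256 + $b
    }
    $n
}

function Get-SiteForAddress {
    # Return the site of the most specific subnet that contains the address,
    # or $null when no subnet object covers it (the unmapped case).
    param([string]$IPv4, [hashtable]$Subnets)
    $addr = ConvertTo-IPv4Number $IPv4
    $bestPrefix = -1
    $bestSite = $null
    foreach ($cidr in $Subnets.Keys) {
        $network, $prefixText = $cidr -split '/'
        $prefix = [int]$prefixText
        # Two addresses share a /prefix subnet when they fall in the same
        # block of 2^(32 - prefix) addresses.
        $blockSize = [math]::Pow(2, 32 - $prefix)
        $sameBlock = [math]::Floor($addr / $blockSize) -eq
                     [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
        if ($sameBlock -and $prefix -gt $bestPrefix) {
            $bestPrefix = $prefix
            $bestSite = $Subnets[$cidr]
        }
    }
    $bestSite
}

# Constructed lines; assumed layout: date time domain: NO_CLIENT_SITE: client address
$logLines = @(
    '06/27 16:04:11 EXAMPLE: NO_CLIENT_SITE: WKS-101 10.3.7.21'
    '06/27 16:04:15 EXAMPLE: NO_CLIENT_SITE: WKS-102 10.3.7.40'
    '06/27 16:05:02 EXAMPLE: NO_CLIENT_SITE: WKS-230 10.1.50.9'
)

function Get-UnmappedClient {
    # Re-check every client the DC logged as having no site against the
    # current subnet table, so fixed and still-unmapped clients are separated.
    param([string[]]$Lines, [hashtable]$Subnets)
    foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})') {
            $client  = $Matches[1]
            $address = $Matches[2]
            $site = Get-SiteForAddress -IPv4 $address -Subnets $Subnets
            if (-not $site) { $site = '(no subnet object)' }
            [pscustomobject]@{ Client = $client; Address = $address; Site = $site }
        }
    }
}

Get-UnmappedClient -Lines $logLines -Subnets $SubnetToSite | Format-Table -AutoSize
```

With the constructed table, the two 10.3.7.x clients stay unmapped while 10.1.50.9 resolves to the more specific /24 rather than the /16. On a client, `nltest /dsgetsite` (used in the original question) shows which site it was actually given.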


RE: [ActiveDir] Logon server bad discovery

2005-06-27 Thread Dan DeStefano








Thanks a lot, I appreciate it.





_



Daniel DeStefano

PC Support Specialist



IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300



www.iagr.net

Measuring Ad Effectiveness on Television



The information contained in this
communication is confidential, may be privileged and is intended for the
exclusive use of the above named addressee(s). If you are not the intended
recipient(s), you are expressly prohibited from copying, distributing,
disseminating, or in any other way using any of the information contained
within this communication. If you have received this communication in error,
please contact the sender by telephone 212.871.5262 or by response via e-mail.

















From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon server bad discovery

Hello

I have the following problem. I have a network with only W2K3 SP1 domain
controllers in several sites (uhnete). Subnets, sites, and site links are
configured. There are DNS and GC in each site. My clients are XP SP2. When I
tested my logon server through set l=logon server, I discovered that my logon
server is from a different site than the one the client resides in (belongs to).
DC, DNS and replication function correctly. I discovered that the clients after
logon belong to an incorrect site (nltest /dsgetsite). The site which the client
belongs to changes randomly. When I set the parameter DynamicSiteName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
to the correct SITE, everything functions correctly. I would like to get more information
on how the logon process discovers the right site and the right domain controller. I found
some information on MSDN about DsGetDcName, but this information is incomplete.
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

Does anybody have a solution for this?

THX

Zdenek












RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Dan DeStefano








Thank you for your help





_



Daniel DeStefano

PC Support Specialist



IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300



www.iagr.net

Measuring Ad Effectiveness on Television




















From: Robinson, Chuck [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Open Another User's Registry File





Open Regedit, set your
focus to HKLM, use Load Hive from the File Menu. Be sure to unload the hive
when you are done.









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another user's ntuser.dat file for editing? I would like
to be able to edit some per-user settings for specific users, but when I try to
open it using regedt or regedt32, I am asked if I want to add the information
in the file to the registry, which I do not want to do. This is on a Windows
2000 Server machine.





I appreciate any help,

_





Daniel DeStefano












RE: [ActiveDir] OT: GPO undefined definition

2005-06-27 Thread Almeida Pinto, Jorge de
Yep, correct behavior!
 
If you have an OU with servers and a GPO linked to that OU with the setting you
mention set to enabled, it will affect all servers in that OU. Default GPO settings
do not tattoo, so if you change the setting in the GPO to Not defined, the
servers (all of them in the OU) will revert back to their default value, which is
configured in the local policy settings or in the registry.
 
Cheers
#JORGE#



From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: GPO undefined definition



 

 

If something is set to undefined in group policy, does it get set to the 
Windows default all the time?

 

The reason I ask is because I had Microsoft network server: Digitally sign 
communications (always) set to enabled, then changed it to undefined. I was 
thinking this would leave all those machines set to enabled, and then I could 
just disable it on the single machine that I wanted to, but it set them all to 
disabled (the Windows default). Is this the correct behavior?





[ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Ibarra, Juan








Hi,



I need to add certain users from domain B, Win 2000 Domain,
to the Domain Admins group of Domain A, Windows 2003 Domain. There is a two
way trust between the two domains; however, I don't seem to find the way
to do this. I am able to add users to shares but not the group.


How could I accomplish this?



Thanks,

Juan 












Re: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Phil Renouf
You can not add users from DomainB to the Domain Admins group in
DomainA. You can add users to the Administrators group, or you can
create another type of group and delegate rights to that new group.

Phil

On 6/27/05, Ibarra, Juan [EMAIL PROTECTED] wrote: 
 I need to add certain users from domain B, Win 2000 Domain, to the Domain
 Admins group of Domain A, Windows 2003 Domain.  There is a two way trust
 between the two domains; however, I don't seem to find the way to do this. 
 I am able to add users to shares but not the group.


RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Almeida Pinto, Jorge de
the way you want to do it can not be accomplished! Why?
 
The domain admins group is a global security group and global (security) groups 
can only have members from its own domain and not from other domains. By design
 
What are you trying to accomplish?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership



Hi,

 

I need to add certain users from domain B, Win 2000 Domain, to the Domain 
Admins group of Domain A, Windows 2003 Domain.  There is a two way trust 
between the two domains; however, I don't seem to find the way to do this.  I 
am able to add users to shares but not the group.


How could I accomplish this?

 

Thanks,

Juan 

 

 





[ActiveDir] GPO for Citrix and WSUS

2005-06-27 Thread Rogers, James



I've 
recently rolled out WSUS in a test lab environment, and I've come across a 
problem I can't find an answer for. On the test Citrix server, when 
updates have been applied and the server needs to reboot, the annoying "Windows 
Automatic Update" window flashes to nag the user to reboot. Of course, all 
of the buttons (including the "X") are grayed out so the user can't reboot a 
loaded terminal server, but this also means the user can't close the 
window.

I 
don't want to flood our help desk with a jabillion calls about this "mysterious 
window," but I can't seem to find anything in Group Policy to prevent this 
window from appearing. Disabling "Allow non-administrators to receive 
update notifications" doesn't seem to affect this window. Any 
insight?


Thank You,
James R. Rogers
First National Bank of Three Rivers

The information transmitted is 
intended only for the person(s) or entity(ies) to which it is addressed and may 
contain confidential and/or privileged material. If you are not the addressee 
indicated in this message (or responsible for delivery of the message to such 
person), you may not copy, disseminate, distribute, disclose, or deliver this 
message to anyone. If you have received this e-mail transmission in error, 
please reply to the sender so that arrangements can be made for proper delivery, 
after which, please delete the message. Thank 
You.




RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Crawford, Scott








Yup. In Regedit, highlight the HKU
tree and click file, load hive. Browse to the ntuser.dat file, open it
and give it a name, i.e. TempReg. You can then edit that hive in regedit
just as you would the normal HKCU hive. When you're done, highlight
the root of the tree (TempReg) and click file, unload hive.



You can also edit the hive using .reg
files by changing HKEY_CURRENT_USER to HKEY_USERS\TempReg in the .reg file and
importing as normal.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another user's ntuser.dat file
for editing? I would like to be able to edit some per-user settings for
specific users, but when I try to open it using regedt or regedt32, I am asked
if I want to add the information in the file to the registry, which I do not
want to do. This is on a Windows 2000 Server machine.





I appreciate any help,

_





Daniel DeStefano
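
The load, edit, unload cycle from the replies in this thread (Load Hive in Regedit, scripting it with reg.exe, and re-targeting a .reg file at HKEY_USERS\TempReg), written out as an added PowerShell example; it is not code from any poster. The profile path, the .reg file name and the function names are hypothetical, and the script is assumed to run from an elevated prompt.

```powershell
# Added example: edit another user's NTUSER.DAT offline with reg.exe.
# Assumptions (not from the thread): the profile path, the .reg file name and
# the helper function names. TempReg is the mount name used in the reply above.
param(
    [string]$HivePath  = 'C:\Documents and Settings\jdoe\NTUSER.DAT',  # hypothetical profile
    [string]$RegFile   = 'C:\Temp\per-user-settings.reg',              # hypothetical HKCU export
    [string]$MountName = 'TempReg'
)

function Invoke-Reg {
    # Run reg.exe and stop on a non-zero exit code instead of carrying on silently.
    param([string[]]$Arguments)
    & reg.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

function Convert-RegFileForMount {
    # Re-target a .reg file written for HKEY_CURRENT_USER at the mounted hive:
    # [HKEY_CURRENT_USER\...] becomes [HKEY_USERS\<mount>\...]. The optional
    # leading '-' (key deletion syntax) is preserved.
    param([string]$Source, [string]$Destination, [string]$Mount)
    $text = Get-Content -LiteralPath $Source -Raw
    $text = $text -replace '(?m)^\[(-?)HKEY_CURRENT_USER(?=[\\\]])', "[`${1}HKEY_USERS\$Mount"
    Set-Content -LiteralPath $Destination -Value $text -Encoding Unicode -NoNewline
}

$mountKey = "HKU\$MountName"

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }
if (-not (Test-Path -LiteralPath $RegFile))  { throw "Settings file not found: $RegFile" }
if (Test-Path -LiteralPath "Registry::HKEY_USERS\$MountName") {
    throw "$mountKey already exists; unload it before loading another hive there"
}

# Keep a copy first: edits to a loaded hive are written into the file itself.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -Force

# reg load fails while the user is logged on, because the hive is then already
# loaded under HKU\<SID> and the file is locked; edit that key instead.
Invoke-Reg @('load', $mountKey, $HivePath)
try {
    $retargeted = Join-Path $env:TEMP "$MountName-import.reg"
    Convert-RegFileForMount -Source $RegFile -Destination $retargeted -Mount $MountName
    Invoke-Reg @('import', $retargeted)
    Remove-Item -LiteralPath $retargeted
}
finally {
    # Always unload, even if the import failed: a hive left loaded keeps
    # NTUSER.DAT locked. Unload fails while Regedit or another process still
    # has a key under the mount point open.
    Invoke-Reg @('unload', $mountKey)
}
```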












RE: [ActiveDir][OT] File copy with security intact

2005-06-27 Thread Medeiros, Jose
Great feedback and your points are very well taken.

Thanks for the info and the clarification.

Jose :-)

-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grillenmeier,
Guido
Sent: Saturday, June 25, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


with all of the options mentioned (incl. FSMT and RoboCopy) you have to
be aware of the limitations of copying ACLs from source to target, which
basically depends on how you've ACLed the data on your servers:
 
If you've used Server-Local groups, the tools won't do the work for you
to re-create appropriate Server-Local groups on the target machine and
convert the SIDs in the ACLs where required (i.e. leave SIDs from
non-server-local secprins alone and copy them as is and just replace the
server-local stuff with those of the target machine).

This is a considerable restriction for consolidating data - but you can
also circumvent it by first doing some homework on your own and replace
all server-local groups with AD domain-local groups incl. the re-ACLing
on the source machine(s). I'm not trying to say that you'd always want
to use this approach, as it has other challenges (token group-bloat for
users logging onto the domain etc.), but it may be a valid option
depending on your environment.

I only know of non-free tools, to do this during the file-copy /
consolidation which either give you the option to create new
server-local groups on the target server or to convert them to AD
Domain-Local groups plus do the appropriate ReAcling of the data on the
target machine.

Too bad Microsoft's FSMT doesn't have this feature, which is one of the
main things I don't like with it. Otherwise it's a useful tool, as it
will also copy and re-create the shares etc. for you (no big deal,
but...) and has a very useful integration with the DFSroot-consolidation
feature of Win2003/SP1 (see Q829885 Distributed File System update to
support consolidation roots in Windows Server 2003 if you're unfamiliar
with this feature).

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Freitag, 24. Juni 2005 01:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

It's a solid tool that MCS uses for consolidation of multiple systems to one
(think a bunch of file servers NT 4, Win2k, whatever), or for hardware to
hardware copy after the OS is installed.  Nice thing is it brings over the
security and is a bit easier for the command-line challenged, or when there
are a number of pick this, don't copy this, type decisions that need to be
made.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Hi Rick,


I have not had any need to try yet and I was just wondering if any one liked
it, had any problems with it and how it compares to RoboCopy. It seems to be
a take off of Fastlane's server consolidator that was written for Microsoft
several years back. test


Jose 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 22, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


Yep - what assist do you need, or what information related to it?

Happy to help

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Has anyone had any experience using the Microsoft File Server Migration
Toolkit?
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

Jose 

-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


I don't want to seem like I am knocking Robocopy, however from my experience
Robocopy also does the same thing. It will stop when a file is locked or in
use. It does not copy at the block level like rsync. It is a very useful
tool but beware of its limitations. (Although the version I used was from
the 2000 resource kit, so if there have been improvements I may be mistaken).

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact


Robocopy is my FRS engine for Dfs.  :)

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL 

RE: [ActiveDir] Recursive serach on Root domain failed.

2005-06-27 Thread Eric Fleischman








http://blogs.technet.com/efleis

Not much there, I don't blog often.

I'll try and get to it today.













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris
Sent: Monday, June 27, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.





Eric,



I would blog it and
then those that are interested can pull the blog post. What is your blog
address?







Chris Haaker

ITS Infrastructure

x7841

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, June 25, 2005 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.





So I am writing a longer note about the
history of VLV fixes we've thrown at it and why, but haven't
finished yet, and am trying to decide if it is best done in a blog post or an
email to this list (it's 2 pages so far).

In the interim, a couple of thoughts...

From the DSID you're getting,
I'd speculate you're still doing VLV. I don't know what
you've tweaked on the Outlook side, but that's my suspicion. A
network sniff (or some more data) would confirm.

However, looking at this more
broadly...

If you implement this change as your
"fix", you'll find you need to do this on every client. That
might grow old. :)

A better fix, assuming 2k3 SP1 DCs (for
RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE
tree that is Q886683 or later)...

 Fire up adsiedit, crack open the config NC
 Expand CN=Directory Service,CN=Windows NT,CN=Services.
 Edit CN=Directory Services.
 Nav down to msds-Other-Settings. Edit.
 In the Value to add box, type, without the quotes: "DisableVLVSupport=1". Click Add.

Give that a try, let us know how it goes. :)



~Eric

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 12:54 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.









Thanks for reply :)











Yes, I have already followed the link you
specified. I disable LDAP address-list-browsing functionality in my Outlook
2003: the browsing is then disabled - the list is empty
without the Unavailable Critical Extension error message box.

The only way I found to use the LDAP
search with Outlook 2003 in Exchange MAPI mode is to configure Outlook for searching
LDAP Active Directory first and not the Exchange GAL, and type the sender in
the "To..." field of Outlook: Outlook then verifies the sender
against LDAP AD first and that works. I thought of distributing this regkey with
GPO to all my users...

I have already installed sp1 for w2k3 a months ago, and no
way :(

The same problem is reproduced in another French University.

The maxpagesize = the max LDAP page size for the default
query policy in my domain is set to a high value 2 instead of the default value
of 1000. I am wondering if this can be the reason...

















Cheers,













Yann





















From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Sat. 25/06/2005 18:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recursive serach on Root domain failed.







Try disabling VLV in outlook, you can do
that here:



820864 You Experience Performance Problems in Outlook 2003 When You Browse an

http://support.microsoft.com/?id=820864



If that solves your problem then you might
be hitting a known bug... contact PSS for the hotfix (or install SP1 which I
believe has the fix).





Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center










From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, June 25, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recursive serach on Root domain failed.









Hello,











When I do an LDAP recursive search (with Outlook 2003 in
Exchange 2003 MAPI or php scripts) through my root Domain
AD2003 (dc=domain,dc=fr), the search failed with the corresponding error:
Unavailable Critical Extension. But when I put the complete DN of an
OU (ou=test,dc=domain,dc=fr) then the search worked.

When I used Outlook Express configured in LDAP,
the recursive search ... worked.

My environment: Forest ad2003
raised to windows server 2003 functional level. I did an in place upgrade
from AD 2000 native mode to AD 2003.

Curious thing is when I installed a fresh domain AD2003 test
(without upgrade from ad2000) any recursive search (with php, outlook 2003, etc.)
works.

So I suspect that it is the migration that causes the problem
but, I didn't know if such request worked before migration :(











My network trace between my workstation and any DCs
confirmed the error:











LDAP: ProtocolOp = 

RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Ibarra, Juan
Does any one have an idea on how else to accomplish this?

Thanks,
Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

the way you want to do it can not be accomplished! Why?
 
The domain admins group is a global security group and global (security)
groups can only have members from its own domain and not from other
domains. By design
 
What are you trying to accomplish?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership



Hi,

 

I need to add certain users from domain B, Win 2000 Domain, to the
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
way trust between the two domains; however, I don't seem to find the way
to do this.  I am able to add users to shares but not the group.


How could I accomplish this?

 

Thanks,

Juan 

 

 





RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Almeida Pinto, Jorge de
that is what I'm asking... what do you want to do? what are your thoughts?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this? 

Thanks, 
Juan 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de 
Sent: Monday, June 27, 2005 8:39 AM 
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] Domain Admins Group Membership 

the way you want to do it can not be accomplished! Why? 
  
The domain admins group is a global security group and global (security) 
groups can only have members from its own domain and not from other 
domains. By design 
  
What are you trying to accomplish? 
  
Cheers, 
#JORGE# 

 

From: Ibarra, Juan [mailto:[EMAIL PROTECTED] 
Sent: Mon 6/27/2005 5:32 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Domain Admins Group Membership 



Hi, 

I need to add certain users from domain B, Win 2000 Domain, to the 
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two 
way trust between the two domains; however, I don't seem to find the way 
to do this.  I am able to add users to shares but not the group. 


How could I accomplish this? 

Thanks, 

Juan 





RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Ibarra, Juan
Jorge, I am trying to give several users on Domain B Admin rights on
Domain A so that they can get full access to the servers.  I am trying
to avoid giving them local admin access to everyone on every server. 

Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

that is what I'm asking... what do you want to do? what are your
thoughts?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this? 

Thanks, 
Juan 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de 
Sent: Monday, June 27, 2005 8:39 AM 
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] Domain Admins Group Membership 

the way you want to do it can not be accomplished! Why? 
  
The domain admins group is a global security group and global (security)

groups can only have members from its own domain and not from other 
domains. By design 
  
What are you trying to accomplish? 
  
Cheers, 
#JORGE# 

 

From: Ibarra, Juan [mailto:[EMAIL PROTECTED] 
Sent: Mon 6/27/2005 5:32 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Domain Admins Group Membership 



Hi, 

I need to add certain users from domain B, Win 2000 Domain, to the 
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two 
way trust between the two domains; however, I don't seem to find the way

to do this.  I am able to add users to shares but not the group. 


How could I accomplish this? 

Thanks, 

Juan 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained or used by, any other party. If you are 
not an intended recipient then please promptly delete this e-mail and 
any attachment and all copies and inform the sender. Thank you. 
List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/ 




RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread James_Day
We create a domain local group in Domain A and then use either a startup
script (net add) or the GPO setting for restricted groups to add that group
into the local admin group on every machine.  In cases where cross domain
admin access is needed a group is created in Domain B, added to the domain
local group in Domain A and they get the rights needed.  Generally we do
this on an OU basis as well to provide admin rights in each OU.

We tend to use the script here because the Restricted Group option in 2000
allowed you to define the local admin group rather than just adding to it.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


Ibarra, Juan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
06/27/2005 10:25 AM MST
Please respond to ActiveDir

To:       ActiveDir@mail.activedir.org
cc:       (bcc: James Day/Contractor/NPS)
Subject:  RE: [ActiveDir] Domain Admins Group Membership




Jorge, I am trying to give several users on Domain B Admin rights on
Domain A so that they can get full access to the servers.  I am trying
to avoid giving them local admin access to everyone on every server.

Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

that is what I'm asking... what do you want to do? what are your
thoughts?

Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this?

Thanks,
Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 8:39 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

the way you want to do it can not be accomplished! Why?

The domain admins group is a global security group and global (security)
groups can only have members from its own domain and not from other
domains. By design

What are you trying to accomplish?

Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership



Hi,

I need to add certain users from domain B, Win 2000 Domain, to the
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
way trust between the two domains; however, I don't seem to find the way
to do this.  I am able to add users to shares but not the group.


How could I accomplish this?

Thanks,

Juan



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
If Domain B is an AD domain and at least native mode, then create a
Domain Local Group in Domain B and add the Domain Admins of Domain A to
that group. Then add the Domain Local Group from Domain B to the local
Admins group on the servers you wish to be administered (basically all
servers) - you can achieve this via a GPO using the Restricted Groups
feature.

I guess you could even add the Domain Admins of A directly to the
servers via restricted groups, but I like to keep that type of control
in the resource domain (via a Domain Local Group).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Monday, 27 June 2005 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Jorge, I am trying to give several users on Domain B Admin rights on
Domain A so that they can get full access to the servers.  I am trying
to avoid giving them local admin access to everyone on every server. 

Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

that is what I'm asking... what do you want to do? what are your
thoughts?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this? 

Thanks, 
Juan 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de 
Sent: Monday, June 27, 2005 8:39 AM 
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] Domain Admins Group Membership 

the way you want to do it can not be accomplished! Why? 
  
The domain admins group is a global security group and global (security)
groups can only have members from its own domain and not from other
domains. By design
  
What are you trying to accomplish? 
  
Cheers, 
#JORGE# 

 

From: Ibarra, Juan [mailto:[EMAIL PROTECTED] 
Sent: Mon 6/27/2005 5:32 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Domain Admins Group Membership 



Hi, 

I need to add certain users from domain B, Win 2000 Domain, to the
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
way trust between the two domains; however, I don't seem to find the way
to do this.  I am able to add users to shares but not the group.


How could I accomplish this? 

Thanks, 

Juan 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained or used by, any other party. If you are 
not an intended recipient then please promptly delete this e-mail and 
any attachment and all copies and inform the sender. Thank you. 
List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/ 
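
The group-scope rule from Jorge de Almeida Pinto's reply and the nesting James Day describes (global group in Domain B, domain local group in Domain A, local Administrators on the servers), modelled as an added example that is not code from any poster in this thread. Account and group names are hypothetical, universal groups are left out, and domains are assumed to be in native mode.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str  # owning domain; for a machine-local group, the domain the server is joined to
    kind: str    # "user", "global", "domain_local" or "machine_local"


class Directory:
    """Small model of group nesting across a trust (assumption: native-mode domains)."""

    def __init__(self, trusts):
        self.trusts = set(trusts)  # (trusting_domain, trusted_domain) pairs
        self.members = {}          # group -> set of direct members

    def check(self, member, group):
        """Return None when the nesting is allowed, otherwise the reason it is refused."""
        if group.kind == "user" or member.kind == "machine_local":
            return "not a valid group/member combination"
        if group.kind == "global":
            if member.domain != group.domain:
                return "global groups only take members from their own domain"
            if member.kind not in ("user", "global"):
                return "global groups only take users and global groups"
            return None
        # Domain local and machine-local groups accept foreign principals,
        # but only from a domain that the group's own domain trusts.
        same = member.domain == group.domain
        if not same and (group.domain, member.domain) not in self.trusts:
            return f"{group.domain} does not trust {member.domain}"
        if member.kind == "domain_local" and not same:
            return "domain local groups are only usable inside their own domain"
        return None

    def add(self, member, group):
        reason = self.check(member, group)
        if reason:
            raise ValueError(f"{member.name} -> {group.name}: {reason}")
        self.members.setdefault(group, set()).add(member)

    def effective_users(self, group, _seen=None):
        """Flatten nested membership into the set of user names that end up in `group`."""
        seen = _seen if _seen is not None else set()
        users = set()
        for m in self.members.get(group, ()):
            if m.kind == "user":
                users.add(m.name)
            elif m not in seen:
                seen.add(m)
                users |= self.effective_users(m, seen)
        return users


# Constructed scenario: two-way trust between Domain A and Domain B, as in the thread.
AD = Directory({("A", "B"), ("B", "A")})
B_USER = Principal("b-operator1", "B", "user")                    # hypothetical account
A_DOMAIN_ADMINS = Principal("Domain Admins", "A", "global")
B_GLOBAL = Principal("GG-A-ServerAdmins", "B", "global")          # hypothetical group
A_DOMAIN_LOCAL = Principal("DL-ServerAdmins", "A", "domain_local")  # hypothetical group
A_SERVER_ADMINS = Principal("SRV01 Administrators", "A", "machine_local")


def delegate_server_admin():
    """Build the nesting chain and return who ends up in the server's Administrators."""
    AD.add(B_USER, B_GLOBAL)
    AD.add(B_GLOBAL, A_DOMAIN_LOCAL)
    AD.add(A_DOMAIN_LOCAL, A_SERVER_ADMINS)
    return AD.effective_users(A_SERVER_ADMINS)


if __name__ == "__main__":
    print("Direct add to Domain Admins:", AD.check(B_USER, A_DOMAIN_ADMINS))
    print("Server admins via nesting:  ", delegate_server_admin())
    print("Domain Admins of A:         ", AD.effective_users(A_DOMAIN_ADMINS))
```

Membership of the Domain B global group is managed in Domain B, so whoever can edit that group decides who is a local administrator on the Domain A servers; include it in privileged-group reviews.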




RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Ibarra, Juan
Got it thanks.
Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, June 27, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

If Domain B is an AD domain and at least native mode, then create a
Domain Local Group in Domain B and add the Domain Admins of Domain A to
that group. Then add the Domain Local Group from Domain B to the local
Admins group on the servers you wish to be administered (basically all
servers) - you can achieve this via a GPO using the Restricted Groups
feature.

I guess you could even add the Domain Admins of A directly to the
servers via restricted groups, but I like to keep that type of control
in the resource domain (via a Domain Local Group).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Monday, 27 June 2005 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Jorge, I am trying to give several users on Domain B Admin rights on
Domain A so that they can get full access to the servers.  I am trying
to avoid giving them local admin access to everyone on every server. 

Juan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 10:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

that is what I'm asking... what do you want to do? what are your
thoughts?
 
Cheers,
#JORGE#



From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership



Does any one have an idea on how else to accomplish this? 

Thanks, 
Juan 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de 
Sent: Monday, June 27, 2005 8:39 AM 
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] Domain Admins Group Membership 

the way you want to do it can not be accomplished! Why? 
  
The domain admins group is a global security group and global (security)
groups can only have members from its own domain and not from other
domains. By design
  
What are you trying to accomplish? 
  
Cheers, 
#JORGE# 

 

From: Ibarra, Juan [mailto:[EMAIL PROTECTED] 
Sent: Mon 6/27/2005 5:32 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] Domain Admins Group Membership 



Hi, 

I need to add certain users from domain B, Win 2000 Domain, to the
Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
way trust between the two domains; however, I don't seem to find the way
to do this.  I am able to add users to shares but not the group.


How could I accomplish this? 

Thanks, 

Juan 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained or used by, any other party. If you are 
not an intended recipient then please promptly delete this e-mail and 
any attachment and all copies and inform the sender. Thank you. 
List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/ 




[ActiveDir] Account Policies

2005-06-27 Thread Yusuf Mayet








Hi all,



As far as I remember and with best practices you can only
have the one account policy takes effect in a domain but I have a client that
has changed this option. 

Domain OU  14 Days

Sales OU  30 Days

Finance OU  35 Days



Now I would like some clarification around this
implementation of password policy?



TIA 

-Yusuf










RE: [ActiveDir] Account Policies

2005-06-27 Thread Almeida Pinto, Jorge de
With the setup you show us the following applies
 
Domain OU - 14 Days - applies to all user accounts in the domain and to all 
user accounts local to each server/client except for the servers/clients in the 
sales OU and the finance OU
 

Sales OU - 30 Days - applies to all user accounts local to each server/client 
located in the sales ou

 

Finance OU - 35 Days - applies to all user accounts local to each 
server/client located in the finance ou

 

Definition of account policies at domain level apply to all user accounts in 
the domain

 

Definition of account policies at OU level apply to all user accounts local to 
the servers in that particular OU

 

Cheers

 

#JORGE#

 



From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,

 

As far as I remember and with best practices you can only have the one account 
policy takes effect in a domain but I have a client that has changed this 
option. 

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days

 

Now I would like some clarification around this implementation of password 
policy?

 

TIA 

-Yusuf

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] DNS Scavenging

2005-06-27 Thread Wright, T. MR NSSB



All,
I am not 100% sure, but it appears that I may be having some issues with
scavenging old records. I have a Win2003 domain with 5 DC's running 2003
functional level. All of the DC's run DNS and on one of them I enabled
scavenging at the server level and configured all zones to have a no-refresh
interval of 1 hour and a refresh interval of 8 hours. I did this a few
weeks ago and many of the records still exist in DNS. I know for a fact
that I have a few thousand workstations which have been off the network for
more than 30 days.

I think what I am seeing is the issue where the records that existed prior to
me enabling scavenging won't get scavenged. That said, I know I can
manually age all of the records using the dnscmd, but this will take all of my
statically created records with it. Are there any ways around this so that
my static records don't get touched?

Thanks,

-Tim




RE : [ActiveDir] Account Policies

2005-06-27 Thread TIROA YANN
Hi Jorge :)
 
Just a notice about what you said.
 
When u set an account policy at the domain level, doesn't it override all other
account policies that were set in child OUs? I thought that only account
policies at the domain level apply to all domain + OUs level..
 
Cheers, 
 
Yann



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies



With the setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all 
user accounts local to each server/client except for the servers/clients in the 
sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each server/client 
located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each 
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in 
the domain



Definition of account policies at OU level apply to all user accounts local to 
the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one account 
policy takes effect in a domain but I have a client that has changed this 
option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password 
policy?



TIA

-Yusuf





This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Account Policies

2005-06-27 Thread Robert Williams \(RRE\)

You see in his mail below the following:

Definition of account policies at OU level apply to all user accounts
local to the servers in that particular OU



When you are logging in using a domain
account, the domain account policies are applied...when you log on using a
local machine account on the machine in  OU, then the account policy
applied to  OU are applied.



I hope that makes sense



Have a great day!





Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 27, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

Hi Jorge :)

Just a notice about what you said.

When u set an account policy at the domain level, doesn't it
override all other account policies that were set in child OUs? I thought that
only account policies at the domain level apply to all domain + OUs level..

Cheers,

Yann

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies







With the
setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all
user accounts local to each server/client except for the servers/clients in the
sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each
server/client located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in
the domain



Definition of account policies at OU level apply to all user accounts local to
the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one account
policy takes effect in a domain but I have a client that has changed this
option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password
policy?



TIA

-Yusuf





This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential information
and/or be subject to legal privilege. It should not be copied, disclosed to,
retained or used by, any other party. If you are not an intended recipient then
please promptly delete this e-mail and any attachment and all copies and inform
the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/










[ActiveDir] OT: Set Dial-In on W2K3 local accounts

2005-06-27 Thread WILLIAMS, J.D.





Greetings,

I have a standalone W2K3 (non-DC) server that we are populating with user accounts for RADIUS authentication. I would like to script the account setup so that the user name, password and an IP address are set. The IP address would be the one you can set via the Assign a Static IP Address checkbox on the Dial-In tab.

I can't find any hints on how to access this set of data that apply to non-AD accounts. Any ideas?

Thanks, 

JD
___
J.D. Williams
MCNE, MCSE
Systems Integrator
Northrop Grumman
Information Technology
 Commercial, State  Local Solutions
Austin, TX.
512-377-x235
Alphapage 866-521-6091
E-Page [EMAIL PROTECTED] 






RE: [ActiveDir] Account Policies

2005-06-27 Thread Mark Parris
Yann,

 

As Jorge stated Definition of account policies at OU level apply to all
user accounts local to the servers in that particular OU

 

Mark

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 27 June 2005 20:45
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies

 

Hi Jorge :)

 

Just a notice about what you said.

 

When u set a account policie at the domain level, doesn't it override all
other account policies that was set in child OUs ? i thought that only
account policies at the domain level apply to all domain + OUs level..

 

Cheers, 

 

Yann

 


From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

With the setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all
user accounts local to each server/client except for the servers/clients in
the sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each
server/client located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in
the domain



Definition of account policies at OU level apply to all user accounts local
to the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one
account policy takes effect in a domain but I have a client that has changed
this option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password
policy?



TIA

-Yusuf





This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Creating share object in an OU

2005-06-27 Thread Rimmerman, Russ



What's the purpose of being able to create shares beneath an OU versus just
having a share on a file server? How will the users see the share in the OU?
What are the advantages and disadvantages of creating the share in an OU versus
just having it exist on a fileserver?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Account Policies

2005-06-27 Thread Almeida Pinto, Jorge de
the order is:
1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels
 
cheers
#JORGE#



From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies


Hi Jorge :)
 
Just a notice about what you said.
 
When u set a account policie at the domain level, doesn't it override all other 
account policies that was set in child OUs ? i thought that only account 
policies at the domain level apply to all domain + OUs level..
 
Cheers, 
 
Yann



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies



With the setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all 
user accounts local to each server/client except for the servers/clients in the 
sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each server/client 
located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each 
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in 
the domain



Definition of account policies at OU level apply to all user accounts local to 
the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one account 
policy takes effect in a domain but I have a client that has changed this 
option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password 
policy?



TIA

-Yusuf





This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
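
The scoping described in the replies above (domain accounts take the domain-level account policy; local accounts on a machine take whatever the processing order local, site, domain, OU leaves in effect for that machine), worked through with the 14/30/35-day values from the question. This is an added example, not code from any poster; the domain name `DC=example,DC=test` and the computer names are constructed, and block-inheritance or enforced links are not modelled.

```python
import re

# GPO links that carry a maximum password age, keyed by the container they are
# linked to. Values are the ones from the question; the DNs are constructed.
DOMAIN_DN = "DC=example,DC=test"
LINKS = {
    "DC=example,DC=test": 14,
    "OU=Sales,DC=example,DC=test": 30,
    "OU=Finance,DC=example,DC=test": 35,
}


def containers_root_first(computer_dn):
    """Parent containers of a computer object, outermost first, nearest OU last."""
    # Split on commas that are not escaped with a backslash, then drop the
    # leading CN=<computer> RDN so only the containers remain.
    rdns = re.split(r"(?<!\\),", computer_dn.strip())[1:]
    suffixes = [",".join(rdns[i:]).lower() for i in range(len(rdns))]
    return list(reversed(suffixes))


def effective_max_age(account_type, computer_dn, links, domain_dn,
                      local_setting=None, site_setting=None):
    """Maximum password age (days) that applies to an account used on a computer.

    account_type "domain": only the policy linked at the domain root counts,
    wherever the computer object lives.
    account_type "local": the machine's own SAM accounts; settings are applied
    in the order local, site, domain, OU and the last one written wins.
    """
    links = {dn.lower(): days for dn, days in links.items()}
    if account_type == "domain":
        return links.get(domain_dn.lower())
    if account_type != "local":
        raise ValueError("account_type must be 'domain' or 'local'")

    value = local_setting                      # 1. local policy
    if site_setting is not None:               # 2. GPOs at site level
        value = site_setting
    for container in containers_root_first(computer_dn):
        if container in links:                 # 3. domain, then 4. OUs downwards
            value = links[container]
    return value


if __name__ == "__main__":
    cases = [
        ("domain", "CN=PC1,OU=Sales,DC=example,DC=test"),
        ("local", "CN=PC1,OU=Sales,DC=example,DC=test"),
        ("local", "CN=SRV2,OU=Finance,DC=example,DC=test"),
        ("local", "CN=PC3,OU=HR,DC=example,DC=test"),
        ("local", "CN=PC4,OU=Laptops,OU=Sales,DC=example,DC=test"),
    ]
    for account_type, dn in cases:
        days = effective_max_age(account_type, dn, LINKS, DOMAIN_DN)
        print(f"{account_type:6} account on {dn}: {days} days")
```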




RE : [ActiveDir] Account Policies

2005-06-27 Thread TIROA YANN
Oupsss.. sorry Mark and Robert 
 
 I will carefully read what people write before posting a notice :-)
 
Great day all :-)
 
Cheers,
 
Yann



From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Mon 27/06/2005 21:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies



You see in his mail below the following:

Definition of account policies at OU level apply to all user accounts local to 
the servers in that particular OU

 

When you are logging in using a domain account, the domain account policies are 
applied...when you log on using a local machine account on the machine in  
OU, then the account policy applied to  OU are applied.

 

I hope that makes sense...

 

Have a great day!

 

Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 27, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies

 

Hi Jorge :)

 

Just a notice about what you said.

 

When u set a account policie at the domain level, doesn't it override all other 
account policies that was set in child OUs ? i thought that only account 
policies at the domain level apply to all domain + OUs level..

 

Cheers, 

 

Yann

 



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

With the setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all 
user accounts local to each server/client except for the servers/clients in the 
sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each server/client 
located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each 
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in 
the domain



Definition of account policies at OU level apply to all user accounts local to 
the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one account 
policy takes effect in a domain but I have a client that has changed this 
option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password 
policy?



TIA

-Yusuf





This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Account Policies

2005-06-27 Thread Mark Parris
If I recall in addition it is:

0 Legacy Policies (such as ADMs)
1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

Mark


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 27 June 2005 21:44
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

the order is:
1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels
 
cheers
#JORGE#



From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies


Hi Jorge :)
 
Just a notice about what you said.
 
When you set an account policy at the domain level, doesn't it override all
other account policies that were set in child OUs? I thought that only
account policies at the domain level apply to all domain + OUs level.
 
Cheers, 
 
Yann



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon. 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies



With the setup you show us the following applies

Domain OU - 14 Days - applies to all user accounts in the domain and to all
user accounts local to each server/client except for the servers/clients in
the sales OU and the finance OU


Sales OU - 30 Days - applies to all user accounts local to each
server/client located in the sales ou



Finance OU - 35 Days - applies to all user accounts local to each
server/client located in the finance ou



Definition of account policies at domain level apply to all user accounts in
the domain



Definition of account policies at OU level apply to all user accounts local
to the servers in that particular OU



Cheers



#JORGE#





From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies



Hi all,



As far as I remember and with best practices you can only have the one
account policy takes effect in a domain but I have a client that has changed
this option.

Domain OU - 14 Days

Sales OU - 30 Days

Finance OU - 35 Days



Now I would like some clarification around this implementation of password
policy?



TIA

-Yusuf
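
The 14/30/35-day setup and the processing order given in this thread, modelled as an added example (not code from any list member). The GPO names, the example.com paths, the 42-day local policy and the function names are assumptions, and the model covers only the maximum-password-age setting.

```python
"""Model of how the thread says max-password-age resolves (constructed example)."""
from dataclasses import dataclass

# Processing order quoted in the thread: later levels overwrite earlier ones.
LEVELS = ("local", "site", "domain", "ou")


@dataclass(frozen=True)
class GpoLink:
    name: str         # hypothetical GPO name
    level: str        # one of LEVELS
    container: str    # DN the GPO is linked to ("" for local/site)
    max_pwd_age: int  # days


# Constructed data: the question's 14/30/35 days plus an assumed local policy.
LINKS = [
    GpoLink("Local Security Policy", "local", "", 42),
    GpoLink("Default Domain Policy", "domain", "DC=example,DC=com", 14),
    GpoLink("Sales Accounts", "ou", "OU=Sales,DC=example,DC=com", 30),
    GpoLink("Finance Accounts", "ou", "OU=Finance,DC=example,DC=com", 35),
]


def _applies(link, computer_dn):
    """A link applies when the computer sits in or below the linked container."""
    if link.level in ("local", "site"):
        return True
    # The leading comma stops OU=PreSales from matching a link on OU=Sales.
    return computer_dn.lower().endswith("," + link.container.lower())


def local_account_max_age(computer_dn, links=LINKS):
    """Effective setting for accounts in the local SAM of one member computer."""
    applicable = [l for l in links if _applies(l, computer_dn)]
    # Local, site, domain, then OUs; among OUs the one nearest the computer last.
    applicable.sort(key=lambda l: (LEVELS.index(l.level), l.container.count(",")))
    effective = None
    for link in applicable:
        effective = link.max_pwd_age  # last writer wins
    return effective


def domain_account_max_age(links=LINKS):
    """Domain accounts take the setting only from GPOs linked at the domain level.

    With several domain-level links, list order stands in for link precedence
    (an assumption of this model).
    """
    domain_links = [l for l in links if l.level == "domain"]
    return domain_links[-1].max_pwd_age if domain_links else None


def report(computer_dn, links=LINKS):
    """Both answers side by side for one computer object."""
    return {
        "domain_accounts": domain_account_max_age(links),
        "local_accounts_on_this_computer": local_account_max_age(computer_dn, links),
    }


if __name__ == "__main__":
    for dn in ("CN=SRV1,OU=Sales,DC=example,DC=com",
               "CN=FIN1,OU=Finance,DC=example,DC=com",
               "CN=WS9,OU=Workstations,DC=example,DC=com"):
        print(dn, report(dn))
```
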







Re: [ActiveDir] OT: GPO undefined definition

2005-06-27 Thread rkingsla
Yep - that is the prescribed behavior.

Rick
 
 From: Douglas M. Long [EMAIL PROTECTED]
 Date: 2005/06/27 Mon AM 10:14:42 EDT
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: GPO undefined definition
 
  
 
  
 
 If something is set to undefined in group policy, does it get set to
 the Windows default all the time?
 
  
 
 The reason I ask is because I had Microsoft network server: Digitally
 sign communications (always) set to enabled, then changed it to
 undefined. I was thinking this would leave all those machines set to
 enabled, and then I could just disable it on the single machine that I
 wanted to, but it set them all to disabled (the Windows default). Is
 this the correct behavior?
 
 
 



Re: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread rkingsla
Juan,

You won't be able to add users from another domain to the Domain Admins group.  
The Domain Admins group is a global group, and rules for Global Groups are 
that they can contain users from the domain in which the global group was 
created.

By that rule, only users of Domain A may be members of the Domain Admins group 
of Domain A.

However, IIRC, the Administrators group is a special group or a Domain Local 
group, and will allow the add of users from Domain B.

Rick

 
 From: Ibarra, Juan [EMAIL PROTECTED]
 Date: 2005/06/27 Mon AM 11:24:58 EDT
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain Admins Group Membership
 
 Hi,
 
  
 
 I need to add certain users from domain B, Win 2000 Domain, to the
 Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
 way trust between the two domains; however, I don't seem to find the way
 to do this.  I am able to add users to shares but not the group.
 
 
 How could I accomplish this?
 
  
 
 Thanks,
 
 Juan 
 
  
 
  
 
 
 



RE: [ActiveDir] Creating share object in an OU

2005-06-27 Thread Grillenmeier, Guido



the concept is similar to that of printer objects in AD: 
you don't create printer queues in an OU (or as child-objects of servers) - 
instead you create a reference to an existing printer queue on a server - this 
reference is stored in a printer object; basically Active 
Directory can act as a "central repository" of 
all printers available in a network, which allows you easy searching for 
printers (e.g. to find those close to you when you're located in a specific 
subnet or those that have a specific feature, such as duplex printing or color 
etc.)

Similarly, you don't create shares in an OU - instead you 
create a shared folder object which contains a reference to an existing share on 
a server. AD could again be used as a "central repository" of all shares 
available on all servers in the network. 

While the first example (printer objects) has been adapted 
quite well, I hardly find companies that see much value in using the shared 
volume objects. 

I'd say this is basically due to the fact that AD as a 
"search engine" for printers is integrated in the printer-install UI on 
Win2000/XP clients and there is no similar search-engine for shared folder 
objects (you'd have to use LDAP queries or build your own UI). Also, 
it's likely due to the nature of the objects they represent: printers are output 
devices which can and should be used by most people in a company (although 
you can still restrict printing to expensive devices via permissions on the 
printer queue and via their object's visibility in AD). Shares however are 
used to make data available to a select group of people - you don't really want 
users "sniffing" for available shares in the network. Instead you want to 
control which user mounts which share to do their work (often controlled via 
logon-scripts).

hope this clarifies some of the things you're wondering 
about

/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, 27 June 2005 22:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Creating share object in an OU

What's the purpose of being able to create shares beneath an OU versus just having a 
share on a file server? How will the users see the share in the OU? 
What are the advantages and disadvantages of creating the share in an OU versus 
just having it exist on a fileserver?

  
  
This e-mail is confidential, may contain proprietary information of the 
Cooper Cameron Corporation and its operating Divisions and may be 
confidential or privileged. This e-mail should be read, copied, 
disseminated and/or used only by the addressee. If you have received 
this message in error please delete it, together with any attachments, 
from your system.


RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
Rick - you should have taken the time to read the other posts ;-)  

He wants to grant admin access to memberservers, which you won't achieve
by adding the domain A users to domain B's administrator group...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 27 June 2005 23:31
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins
group.  The Domain Admins group is a global group, and rules for Global
Groups are that they can contain users from the domain in which the
global group was created.

By that rule, only users of Domain A may be members of the Domain Admins
group of Domain A.

However, IIRC, the Administrators group is a special group or a Domain
Local group, and will allow the add of users from Domain B.

Rick

 
 From: Ibarra, Juan [EMAIL PROTECTED]
 Date: 2005/06/27 Mon AM 11:24:58 EDT
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain Admins Group Membership
 
 Hi,
 
  
 
 I need to add certain users from domain B, Win 2000 Domain, to the
 Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
 way trust between the two domains; however, I don't seem to find the
way
 to do this.  I am able to add users to shares but not the group.
 
 
 How could I accomplish this?
 
  
 
 Thanks,
 
 Juan 
 
  
 
  
 
 
 



Re: RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread rkingsla
Yeah - I saw that after reading the other posts.  However, I wasn't going to 
post a follow-up just to call attention to myself.

Thanks for your help, Guido!  You blew THAT plan! ;o)

Rick

 
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: 2005/06/27 Mon PM 05:40:11 EDT
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain Admins Group Membership
 
 Rick - you should have taken the time to read the other posts ;-)  
 
 He wants to grant admin access to memberservers, which you won't achieve
 by adding the domain A users to domain B's administrator group...
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, 27 June 2005 23:31
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Domain Admins Group Membership
 
 Juan,
 
 You won't be able to add users from another domain to the Domain Admins
 group.  The Domain Admins group is a global group, and rules for Global
 Groups are that they can contain users from the domain in which the
 global group was created.
 
 By that rule, only users of Domain A may be members of the Domain Admins
 group of Domain A.
 
 However, IIRC, the Administrators group is a special group or a Domain
 Local group, and will allow the add of users from Domain B.
 
 Rick
 
  
  From: Ibarra, Juan [EMAIL PROTECTED]
  Date: 2005/06/27 Mon AM 11:24:58 EDT
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Domain Admins Group Membership
  
  Hi,
  
   
  
  I need to add certain users from domain B, Win 2000 Domain, to the
  Domain Admins group of Domain A, Windows 2003 Domain.  There is a two
  way trust between the two domains; however, I don't seem to find the
 way
  to do this.  I am able to add users to shares but not the group.
  
  
  How could I accomplish this?
  
   
  
  Thanks,
  
  Juan 
  
   
  
   
  
  
  
 


RE: RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
anytime ;-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 27 June 2005 23:50
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] Domain Admins Group Membership

Yeah - I saw that after reading the other posts.  However, I wasn't
going to post a follow-up just to call attention to myself.

Thanks for your help, Guido!  You blew THAT plan! ;o)

Rick

 
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: 2005/06/27 Mon PM 05:40:11 EDT
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain Admins Group Membership
 
 Rick - you should have taken the time to read the other posts ;-)  
 
 He wants to grant admin access to memberservers, which you won't
achieve
 by adding the domain A users to domain B's administrator group...
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, 27 June 2005 23:31
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Domain Admins Group Membership
 
 Juan,
 
 You won't be able to add users from another domain to the Domain Admins
 group.  The Domain Admins group is a global group, and rules for Global
 Groups are that they can contain users from the domain in which the
 global group was created.
 
 By that rule, only users of Domain A may be members of the Domain
Admins
 group of Domain A.
 
 However, IIRC, the Administrators group is a special group or a Domain
 Local group, and will allow the add of users from Domain B.
 
 Rick
 
  
  From: Ibarra, Juan [EMAIL PROTECTED]
  Date: 2005/06/27 Mon AM 11:24:58 EDT
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Domain Admins Group Membership
  
  Hi,
  
   
  
  I need to add certain users from domain B, Win 2000 Domain, to the
  Domain Admins group of Domain A, Windows 2003 Domain.  There is a
two
  way trust between the two domains; however, I don't seem to find the
 way
  to do this.  I am able to add users to shares but not the group.
  
  
  How could I accomplish this?
  
   
  
  Thanks,
  
  Juan 
  
   
  
   
  
  
  
 


[ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread Lamberty, Dave
When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't
being passed. I'd like to be able to pass the domain name so users don't
have to remember to enter it when they log on (and reduce help desk call
volume by about 50%...). We're not using ISA Server, and have just a
single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to
be switched to native mode.

We have a split DNS structure, where the OWA page resides in a different
DNS domain than our AD user accounts, and I'm wondering if that might be
part of the problem. Does anyone know how (or if it's possible) to pass
OWA a different domain name?

Thanks!

--Dave


[ActiveDir] Default Domain Policy Issues

2005-06-27 Thread Devan Pala

Hi all,

After making changes to the Password Policy (Enforcing password History) for 
a child domain's Default Domain Policy it reverts back to the previous 
setting right after the replication cycle has completed with other DC's.


I don't see any out of the ordinary NTFRS log events.

Any leads would be appreciated?

Thanks,




RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

2005-06-27 Thread joe
Last I looked, dsmod uses $username$ but it doesn't create anything on the
filesystem, it only updates AD attributes. Specifying a homedir in the user
object doesn't make it appear except when you use ADUC which actually goes
off and does it separately.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, June 27, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)

Ladies and Gentlemen;

In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced training Kit
training manual, I have come upon a question in the Chapter 3 lesson review
on page 3-55:

What variable can be used with the DSMOD and DSADD commands to create
user-specific home folders and profile folders?
a.  %Username%
b.  $Username$
c.  CN=Username
d.  Username

The correct answer is b

Is this true?

Thanks in advance.

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




Re: [ActiveDir] Default Domain Policy Issues

2005-06-27 Thread Steve Patrick
What OS and what Service pack are all DC's at?

steve
- Original Message - 
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, June 27, 2005 3:01 PM
Subject: [ActiveDir] Default Domain Policy Issues


 Hi all,

 After making changes to the Password Policy (Enforcing password History) for
 a child domain's Default Domain Policy it reverts back to the previous
 setting right after the replication cycle has completed with other DC's.

 I don't see any out of the ordinary NTFRS log events.

 Any leads would be appreciated?

 Thanks,




Re: [ActiveDir] Default Domain Policy Issues

2005-06-27 Thread Devan Pala

Oh I'm sorry,

Windows 2000, SP4, Native Mode Domains. The other child domain is similar 
but there the settings have changed.


Thanks,

Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 15:17:51 -0700

What OS and what Service pack are all DC's at?

steve
- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, June 27, 2005 3:01 PM
Subject: [ActiveDir] Default Domain Policy Issues


 Hi all,

 After making changes to the Password Policy (Enforcing password History) for
 a child domain's Default Domain Policy it reverts back to the previous
 setting right after the replication cycle has completed with other DC's.

 I don't see any out of the ordinary NTFRS log events.

 Any leads would be appreciated?

 Thanks,




RE: [ActiveDir] OT: GPO undefined definition

2005-06-27 Thread joe
I just wanted to point out that setting to undefined won't revert anything,
it simply allows any lower policy to kick in. If there is no policy, then
whatever was last set will stay. If a new machine is put into the OU,
whatever its normal default is will stay. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, June 27, 2005 11:20 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: GPO undefined definition

Yep, correct behavior!
 
If you have an OU with servers and a GPO linked to that OU with the setting
you mention to enabled, it will affect all servers in that OU. Default GPO
settings do not tattoo so if you change the setting in the GPO to Not
defined the servers (all of them in the OU) will revert back to their
default value which is configured in the local policy settings or in the
registry.
 
Cheers
#JORGE#



From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Mon 6/27/2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: GPO undefined definition



 

 

If something is set to undefined in group policy, does it get set to the
Windows default all the time?

 

The reason I ask is because I had Microsoft network server: Digitally sign
communications (always) set to enabled, then changed it to undefined. I was
thinking this would leave all those machines set to enabled, and then I
could just disable it on the single machine that I wanted to, but it set
them all to disabled (the Windows default). Is this the correct behavior?





RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

2005-06-27 Thread joe



Changing the associated AG would involve changing the 
legacyExchangeDNs. This is a touchy thing as you want to make sure you do not 
get any duplicates and can impact mail delivery since outlook likes to store 
legacyExchangeDNs with messages.



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, June 24, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

You will find a series of articles on Exchange scripting 
at
http://www.microsoft.com/technet/scriptcenter/hubs/exchange.mspx

Mail-enabled, mailbox-enabled contacts are 
covered.

HTH
/Alain


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Friday, June 24, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts


Can anyone offer some 
guidance on whether it is possible to script the change of the associated 
Exchange Admin Group for mail enabled contacts? I have a large number of 
mail enabled contacts that I would like to move from one Exchange Admin Group to 
another without deleting and recreating them.



David Frost
Directory Engineering,
Messaging, Directories and PKI Engineering Services 
Industry Canada
email:[EMAIL PROTECTED]
(613) 957-8442


RE: [ActiveDir] Site IP Change

2005-06-27 Thread joe
And WINS too

You may find you need to delete the domain 1C record(s) and 1B record(s) [1]
and force the DCs to refresh the records through NBTSTAT -RR to get them
updated.

Obviously anything pointing at the DCs for DNS and/or WINS resolution need
to be updated. If anyone was silly enough to point specifically at a DC for
LDAP services and was even sillier and used an IP address would need to be
updated.

  joe



[1] The (s) is in case of multiple domains being involved. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 23, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

yep, no reboot required, just need to make sure that you get your DNS
straight - could be chaotic if you change the IP addresses of too many DCs
at once.  Ensure that replication still works before changing the next (may
sometimes be required to configure a different primary DNS so that it
registers its addresses with a partner DC) and ensure that you configure in
a DC's site clients appropriately to use the new IP address as DNS resolver.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 21:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

I've done this many times and haven't had to reboot my 2003 DCs.  Just
fyi... 

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

Nathan, 

I hope you reboot your servers after you change the IP address. As good as
the TCP/IP stack has gotten with 2003 server, I still feel it's important to
reboot with such changes on a DC.

Jose 


-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Thursday, June 23, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 


Nathan,

Typically, the change of IP address, subnet, default gateway and associated
DNS entries will take care of most of what you need.

However, there is one more thing that needs to be done.  Pull up a command
prompt on the DC that you've re-IPed, and type this at the prompt (in its
entirety):

Net stop netlogon && net start netlogon

This will stop the netlogon service, then turn around and restart it
automatically.  As you might know, the NetLogon service is responsible for
maintaining the DNS entries (SRV records, et. al.) and updating those as
necessary.  The stop/start of the service forces the update to happen 'right
now', and will be updated with the new data you've entered.

Hope this helps you along in your process.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Henderson
Sent: Thursday, June 23, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site IP Change 

We are currently updating our network infrastructure and a part of this is
having to change IPs on our internal network. Most devices are pretty
simple, but the main point I'm concerned about is changing our DCs. They
will all still be in the same subnet just using a different IP range. Is
there anything I would need to take care of specially in this situation
besides updating DNS information during/after the change to ensure
replication between DCs will function?

I'm trying to think through possible scenarios or issues that could arise.
If anyone has any insight it would be much appreciated.


Nate


RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-06-27 Thread joe
This really isn't trivial to do with ad* or ds* tools I don't think. 

Actually LDIFDE might work out well. If you were creating the DL it would
definitely be easy, just dump the group, change the DN and other name
attributes and reimport.

  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 23, 2005 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in
a group

Hi,
Task - to copy members of an AD email distribution group to another
email distribution group

I have looked at both adfind and dsquery and while I can output all of the
properties of the source email distribution group (including members), I
can't see how to restrict the output just to members in order to pipe them
to another email distribution group.

Any thoughts?

TIA,
Mike Thommes
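
The LDIFDE route suggested in the reply above, taken one step further as an added example (not code from the thread): rather than re-creating the group under a new DN, it reads the `member` values from an export of the source group and writes `changetype: modify` records that add them to an existing target group. The group names, DNs and function names are hypothetical, and the export is assumed to contain a single group.

```python
"""Turn an LDIF export of one group into 'add member' changes for another group."""
import base64

_UMLAUT_DN = "CN=J\u00fcrgen Example,OU=Users,DC=example,DC=com"

# Constructed sample export (not real data). It contains a folded line and a
# base64 value, the two LDIF features that break naive line-by-line copying.
SAMPLE_EXPORT = (
    "dn: CN=DL-Source,OU=Groups,DC=example,DC=com\n"
    "changetype: add\n"
    "objectClass: group\n"
    "cn: DL-Source\n"
    "member: CN=Alice Example,OU=Users,DC=example,DC=com\n"
    "member: CN=Bob Example With A Very Long Common Name,OU=Contractors,OU=Use\n"
    " rs,DC=example,DC=com\n"
    "member:: " + base64.b64encode(_UMLAUT_DN.encode("utf-8")).decode("ascii") + "\n"
)


def unfold(text):
    """Join continuation lines: a line starting with one space continues the previous."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def read_members(ldif_text):
    """Return the distinct member DNs found in the export, in file order."""
    members, seen = [], set()
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "member":
            continue
        if rest.startswith(":"):  # "member:: <base64 of the UTF-8 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if value and value.lower() not in seen:
            seen.add(value.lower())
            members.append(value)
    return members


def _needs_base64(value):
    """Conservative LDIF safe-string test: plain printable ASCII, safe first char."""
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)


def fold(line, width=76):
    """Fold a long line; each continuation line starts with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def _attr_lines(name, value):
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{name}:: {encoded}")
    return fold(f"{name}: {value}")


def build_add_members_ldif(target_dn, members):
    """One modify record per member keeps each add an independent LDAP operation."""
    out = []
    for member in members:
        if member.lower() == target_dn.lower():
            continue  # never nest the target group in itself
        out += _attr_lines("dn", target_dn)
        out += ["changetype: modify", "add: member"]
        out += _attr_lines("member", member)
        out += ["-", ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    target = "CN=DL-Target,OU=Groups,DC=example,DC=com"
    print(build_add_members_ldif(target, read_members(SAMPLE_EXPORT)), end="")
```

The generated file is an ordinary LDIF change file, so it can be reviewed as text before it is imported with `ldifde -i -f <file>`.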


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread deji








IIS - Default Website (or wherever your exchange VD is located) -
right-click on Exchange - Directory Security -  Default Domain.



Type in the name of your domain in there or just browse and select it.



And he says this isn't his specialty. Yeah,
right. ;)



Sincerely,



Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave



RE: [ActiveDir] Delegation to Child Domain Failing

2005-06-27 Thread joe
Are you getting anything returned from the DNS Server for 
the query where anything is defined as seeing something in a network sniffer, 
not whatever tool is asking.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, June 26, 2005 11:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

Sure Guido thanks for the response.

For an unknown reason, root name servers stop responding properly to requests
for records in a child domain. In other words, delegation is set up, but
delegation isn't working. For example, root domain is root.com. If I query
for child.root.com, I get no returns. When it works properly, I get a list
of all the NS records for child.root.com.

Rebooting the server or restarting DNS doesn't clear this up. However, if I
remove the delegation to child.root.com and create it again, delegation works
properly.

Have you heard of anything like this before?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Grillenmeier, Guido
Sent: Saturday, June 25, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

can you explain your issue a little more?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation to Child Domain Failing

Anyone else seeing this?
This is the second time I've had to delete and create the child domain
delegation. For some reason, the root NS seems to quit referring. I'm running
Windows 2003. I can't find anything regarding this problem. The last time I
had a case opened with MS but they didn't know of anything either. No
errors, etc


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread Crawford, Scott
Well, you can, and it will work for a while, but Exchange will reset it
to whatever is set in Exchange Enterprise Manager.  You can change it by
browsing to Organization/Administrative
Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange,
right click Exchange, Properties, Access tab, Authentication and set
whatever options you like.  Whatever you set here will show up in IIS.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave


[ActiveDir] Error while adding user to AD

2005-06-27 Thread Mayuresh Kshirsagar
Hi,

I am using a meta directory to provision a new user in AD. But while adding
the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0

Can you guide me as to how I can detect and eliminate the cause of it,
please?

Thanks,
Mayuresh



RE: [ActiveDir] Site IP Change

2005-06-27 Thread Nathan Henderson
Thanks Joe, Jorge, Jose, Rick, and Marcus for your thoughts and insight.
You've validated my thoughts on the matter. Looks like things should go
as close to schedule as I can help. 

Nate

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

And WINS too

You may find you need to delete the domain 1C record(s) and 1B record(s)
[1] and force the DCs to refresh the records through NBTSTAT -RR to get
them updated.

Obviously anything pointing at the DCs for DNS and/or WINS resolution
needs to be updated. If anyone was silly enough to point specifically at
a DC for LDAP services and was even sillier and used an IP address, that
would need to be updated.

  joe



[1] The (s) is in case of multiple domains being involved. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, June 23, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

yep, no reboot required, just need to make sure that you get your DNS
straight - could be chaotic if you change the IP addresses of too many
DCs at once.  Ensure that replication still works before changing the
next (may sometimes be required to configure a different primary DNS so
that it registers its addresses with a partner DC) and ensure that you
configure in a DC's site clients appropriately to use the new IP address
as DNS resolver.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 21:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

I've done this many times and haven't had to reboot my 2003 DCs.  Just
fyi... 

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, June 23, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 

Nathan, 

I hope you reboot your servers after you change the IP address. As good
as the TCP/IP stack has gotten with 2003 server, I still feel it's
important to reboot with such changes on a DC.

Jose 


-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Thursday, June 23, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Site IP Change 


Nathan,

Typically, the change of IP address, subnet, default gateway and
associated DNS entries will take care of most of what you need.

However, there is one more thing that needs to be done.  Pull up a
command prompt on the DC that you've re-IPed, and type this at the
prompt (in its entirety):

Net stop netlogon && net start netlogon

This will stop the netlogon service, then turn around and restart it
automatically.  As you might know, the NetLogon service is responsible
for maintaining the DNS entries (SRV records, et. al.) and updating
those as necessary.  The stop/start of the service forces the update to
happen 'right now', and will be updated with the new data you've
entered.

Hope this helps you along in your process.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan
Henderson
Sent: Thursday, June 23, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site IP Change 

We are currently updating our network infrastructure and a part of this
is having to change IPs on our internal network. Most devices are pretty
simple, but the main point I'm concerned about is changing our DCs. They
will all still be in the same subnet just using a different IP range. Is
there anything I would need to take care of specially in this situation
besides updating DNS information during/after the change to ensure
replication between DCs will function?

I'm trying to think through possible scenarios or issues that could
arise.
If anyone has any insight it would be much appreciated.


Nate

RE: [ActiveDir] Error while adding user to AD

2005-06-27 Thread Gil Kirkpatrick
This sort of error happens when the user you are provisioning doesn't meet all 
the policy requirements in AD. Make sure all the required attributes are set 
properly, and make sure that the password assigned to the user object meets the 
current domain complexity requirements.
 
-gil



From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD



Hi,

I am using a meta directory to provision a new user in AD. But while adding
the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0

Can you guide me as to how can I detect and eliminate the cause of it
please.

Thanks,
Mayuresh


[ActiveDir] Verification on a GPO issue

2005-06-27 Thread Cothern Jeff D. Team EITC
If you have a GPO that is setting file and registry permissions. And you
take those particular settings out of the GPO they are still in place on
the servers that the GPO was applying to correct?

Jeff



Re: [ActiveDir] DNS Scavenging

2005-06-27 Thread David Adner
First off, you need to be careful with such low no
refresh/refresh intervals since, for example, 2003
computers only refresh their records every 24 hours
(it initially refreshes faster, but it uses
ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in
the DNS console and view the properties of your old
records.  If you don't see a timestamp then they won't
fall under the scavenging rules.  You can also use
dnscmd.exe /zoneexport to dump the entire zone(s) to a
file.  You'll see an [Age:###] (Or maybe it's
Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and
you never had scavenging enabled on it then any
dynamically registered records into that zone would
have not received a timestamp.  An AD integrated zone
with scavenging disabled will cause an initial
timestamp to be recorded for dynamically registered
records but won't cause them to be refreshed until
scavenging is enabled.

As for easier ways to address your issue, I'm unaware
of a solution that doesn't require some leg work.  You
could dump the zone via dnscmd.exe /zoneexport and see
which don't have timestamps and from there figure out
which ones are supposed to be static and which ones
aren't.  This will be simplified if you have a
standard naming convention...

--- Wright, T. MR   NSSB [EMAIL PROTECTED]
wrote:

 All,
 I am not 100% sure, but it appears that I may be having some issues
 with scavenging old records.  I have a Win2003 domain with 5 DC's
 running 2003 functional level.  All of the DC's run DNS and on one of
 them I enabled scavenging at the server level and configured all zones to
 have a no-refresh interval of 1 hour and a refresh interval of 8 hours.
 I did this a few weeks ago and many of the records still exist in DNS.
 I know for a fact that I have a few thousand workstations which have
 been off the network for more than 30 days.
 I think what I am seeing is the issue where the records that existed
 prior to me enabling scavenging won't get scavenged.  That said, I know
 I can manually age all of the records using the dnscmd, but this will
 take all of my statically created records with it.  Are there any ways
 around this so that my static records don't get touched?
  
 Thanks,
  
 -Tim
  
  
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
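The leg work described in the reply above (dump the zone, see which records carry a timestamp, then sort out the rest by hand) can be scripted. The following is an added example, not code from the thread: the zone text is a constructed sample shaped like a `dnscmd /zoneexport` file, and the tag pattern accepts `Age:` or `Aging:` in any case because the post is unsure of the exact label.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a `dnscmd /zoneexport` file; every name,
# address and AGE value below is made up for this example.
SAMPLE_EXPORT = """\
;
;  Database file corp.example.dns for corp.example zone.
;
@                       IN  SOA dc1.corp.example. hostmaster.corp.example. (
                                42           ; serial number
                                900          ; refresh
                                600          ; retry
                                86400        ; expire
                                3600       ) ; default TTL
@                       NS      dc1.corp.example.
dc1                     A       10.0.0.10
ws-0142                 [AGE:3545000]   1200    A       10.0.4.142
ws-0977                 [AGE:3544100]   1200    A       10.0.4.77
ws-2001                 [AGE:3545636]   1200    A       10.0.4.201
printer-3f              A       10.0.9.30
                        A       10.0.9.31
www                     CNAME   dc1.corp.example.
"""

Record = namedtuple("Record", "owner rtype rdata age")

# Tolerant of "Age:" / "AGE:" / "Aging:" (assumption: one of these is the label).
AGE_TAG = re.compile(r"\[(?:age|aging):(\d+)\]", re.IGNORECASE)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def age_to_datetime(age_hours):
    """DNS record timestamps count hours since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(hours=age_hours)


def parse_zone_export(text):
    """Return one Record per resource record; age is None when untagged."""
    records, owner, depth = [], None, 0
    for raw in text.splitlines():
        # Drop comments (naive: a ';' inside quoted TXT data is not handled).
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        inside_parens = depth > 0          # continuation of a multi-line SOA
        depth += line.count("(") - line.count(")")
        if inside_parens:
            continue
        match = AGE_TAG.search(line)
        age = int(match.group(1)) if match else None
        if match:
            line = line[:match.start()] + " " + line[match.end():]
        tokens = line.split()
        if not line[0].isspace():          # a blank owner column repeats the last owner
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                  # skip optional TTL and class
        if owner is None or not tokens:
            continue
        records.append(Record(owner, tokens[0].upper(), " ".join(tokens[1:]), age))
    return records


def triage(records, now, no_refresh_hours, refresh_hours):
    """Split records into untimestamped, scavenging-eligible and fresh."""
    cutoff = now - timedelta(hours=no_refresh_hours + refresh_hours)
    groups = {"no_timestamp": [], "stale": [], "fresh": []}
    for rec in records:
        if rec.age is None:
            groups["no_timestamp"].append(rec)   # outside scavenging: review by hand
        elif age_to_datetime(rec.age) < cutoff:
            groups["stale"].append(rec)
        else:
            groups["fresh"].append(rec)
    return groups


if __name__ == "__main__":
    now = datetime(2005, 6, 27, tzinfo=timezone.utc)
    result = triage(parse_zone_export(SAMPLE_EXPORT), now, 1, 8)
    for name, recs in result.items():
        print(name, [(r.owner, r.rtype) for r in recs])
```

The `no_timestamp` group is the list to check against a naming convention: it mixes intentionally static records with dynamic registrations that never received a timestamp.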


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread Brian Desmond
This of course only works in a single domain forest. In a multidomain
forest, if you put a \ in the domain box your users don't have to specify
a domain and IIS/Exchange does some magic to figure that part out.

You should be specifying this in ESM though, not inetmgr. DS2MB will
resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

IIS - Default Website (or wherever your exchange VD is located)
- right-click on Exchange - Directory Security -  Default Domain.

Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty . Yeah, right . ;)

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.

 joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave


Re: [ActiveDir] Error while adding user to AD

2005-06-27 Thread Mayuresh Kshirsagar
Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer
than 8 characters.

When modifying the policy to a minimum length of 0 characters
provisioning works.

Any pointers of how this happened?

Regards,
Mayuresh


- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD


This sort of error happens when the user you are provisioning doesn't meet
all the policy requirements in AD. Make sure all the required attributes are
set properly, and make sure that the password assigned to the user object
meets the current domain complexity requirements.

-gil



From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD



Hi,

I am using a meta directory to provision a new user in AD. But while adding
the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0

Can you guide me as to how can I detect and eliminate the cause of it
please.

Thanks,
Mayuresh



Re: [ActiveDir] Verification on a GPO issue

2005-06-27 Thread David Adner
Correct.  They will not undo themselves in this
case.  This is true for most (all?) of the security
related settings.  You would need to reverse the
settings to undo them.

--- Cothern Jeff D. Team EITC [EMAIL PROTECTED]
wrote:

 If you have a GPO that is setting file and registry
 permissions.  And
 you take those particular settings out of the GPO
 they are still in
 place on the servers that the GPO was applying to
 correct?
  
 Jeff
  
 



RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread deji
You and Jeff are both completely correct - well, almost :). It's
well-documented - I was just too excited to think when I saw Joe cop a plea
on Exchange :)
 
Since he has E2K3, I believe that this is what he wants:
http://support.microsoft.com/kb/820378/
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS



This of course only works in a single domain forest. In a multidomain forest,
if you put a \ in the domain box your users don't have to specify a domain
and IIS/Exchange does some magic to figure that part out.

You should be specifying this in ESM though, not inetmgr. DS2MB will resync
it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

IIS - Default Website (or wherever your exchange VD is located) -
right-click on Exchange - Directory Security -  Default Domain.

Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty .. Yeah, right  ;)

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave



RE: [ActiveDir] Error while adding user to AD

2005-06-27 Thread joe
That DSID can pop up when an account is improperly created, i.e. someone is
trying to set the account enabled in the actual creation of the account when
there is a password length policy.

If you have a password length policy you need to create the account
disabled, then set a password, then enable it. 

It sounds like the meta directory product doesn't know how to properly
create an account in AD.



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 7:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Active Directory password policy was set as follows:

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          999 days
Minimum password age                          0 days
Minimum password length                       8 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Provisioning new accounts failed even though our passwords are longer
than 8 characters.

When modifying the policy to a minimum length of 0 characters provisioning
works.

Any pointers of how this happened?

Regards,
Mayuresh


- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 4:57 AM
Subject: RE: [ActiveDir] Error while adding user to AD


This sort of error happens when the user you are provisioning doesn't meet
all the policy requirements in AD. Make sure all the required attributes are
set properly, and make sure that the password assigned to the user object
meets the current domain complexity requirements.

-gil



From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
Sent: Mon 6/27/2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error while adding user to AD



Hi,

I am using a meta directory to provision a new user in AD. But while adding
the user, I am getting the following error:

Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0

Can you guide me as to how can I detect and eliminate the cause of it
please.

Thanks,
Mayuresh

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
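The ordering given in the reply above (create the account disabled, set a password, then enable it) is shown below as an added example that is not part of the thread. The `userAccountControl` flag values and the quoted UTF-16LE form of `unicodePwd` are the documented ones; `ToyDirectory` is a constructed stand-in that models only the minimum-password-length check, and the DN and password are made up.

```python
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account is disabled
UF_NORMAL_ACCOUNT = 0x0200   # userAccountControl flag: ordinary user account


class WillNotPerform(Exception):
    """Toy stand-in for the directory's WILL_NOT_PERFORM refusal."""


def encode_unicode_pwd(password):
    """unicodePwd takes the password in double quotes, encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def two_phase_plan(dn, sam, password):
    """Create disabled (514), set the password, then enable (512)."""
    return [
        ("add", dn, {"objectClass": "user", "sAMAccountName": sam,
                     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE}),
        ("replace", dn, {"unicodePwd": encode_unicode_pwd(password)}),
        ("replace", dn, {"userAccountControl": UF_NORMAL_ACCOUNT}),
    ]


def one_shot_plan(dn, sam):
    """The pattern the reply warns about: enabled in the creating add."""
    return [("add", dn, {"objectClass": "user", "sAMAccountName": sam,
                         "userAccountControl": UF_NORMAL_ACCOUNT})]


class ToyDirectory:
    """Constructed model: refuses an enabled account whose password is too short."""

    def __init__(self, min_password_length):
        self.min_len = min_password_length
        self.entries = {}

    def _check(self, entry):
        enabled = not (entry["userAccountControl"] & UF_ACCOUNTDISABLE)
        if enabled and len(entry.get("password", "")) < self.min_len:
            raise WillNotPerform("enabled account does not meet password length policy")

    def add(self, dn, attrs):
        entry = dict(attrs)
        self._check(entry)
        self.entries[dn] = entry

    def replace(self, dn, attrs):
        entry = dict(self.entries[dn])
        for name, value in attrs.items():
            if name == "unicodePwd":
                text = value.decode("utf-16-le")
                if len(text) < 2 or text[0] != '"' or text[-1] != '"':
                    raise WillNotPerform("unicodePwd must be a quoted string")
                if len(text) - 2 < self.min_len:
                    raise WillNotPerform("password shorter than policy minimum")
                entry["password"] = text[1:-1]
            else:
                entry[name] = value
        self._check(entry)
        self.entries[dn] = entry


def run_plan(directory, plan):
    """Apply each (operation, dn, attributes) step in order."""
    for operation, dn, attrs in plan:
        getattr(directory, operation)(dn, attrs)


def is_enabled(directory, dn):
    return not (directory.entries[dn]["userAccountControl"] & UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    dn = "CN=Jane Doe,OU=Staff,DC=corp,DC=example"       # constructed DN
    good = ToyDirectory(min_password_length=8)
    run_plan(good, two_phase_plan(dn, "jdoe", "Constructed-Pass-1"))
    print("two-phase enabled:", is_enabled(good, dn))
    try:
        run_plan(ToyDirectory(8), one_shot_plan(dn, "jdoe"))
    except WillNotPerform as exc:
        print("one-shot refused:", exc)
```

With the minimum length set to 0 the one-shot add is accepted by the model, which matches the observation in the thread that provisioning worked once the policy was relaxed.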


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread joe
:o)

This is why I said it wasn't my specialty. :o)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, June 27, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

Well, you can, and it will work for a while, but Exchange will reset it to
whatever is set in Exchange Enterprise Manager.  You can change it by
browsing to Organization/Administrative
Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right
click Exchange, Properties, Access tab, Authentication and set whatever
options you like.  Whatever you set here will show up in IIS.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.  

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread joe
I am decent with the Exchange/AD interface, Exchange's functionality itself
is out of my scope and not anything I want in my scope though lately I have
been fielding questions on event sinks which is scaring me. 

Mostly I am interested in how AD works. Not so interested in how
technologies that use AD work such as GPOs and Exchange and other things. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

You and Jeff are both completely correct - well, almost :). It's
well-documented - I was just too excited to think when I saw Joe cop a plea
on Exchange :)
 
Since he has E2K3, I believe that this is what he wants:
http://support.microsoft.com/kb/820378/
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS



This of course only works in a single domain forest. In a multidomain
forest, if you put a \ in the domain box your users don't have to specify
a domain and IIS/Exchange does some magic to figure that part out.

 

You should be specifying this in ESM though, not inetmgr. DS2MB will resync
it and clear out anything you do in inetmgr. 

 

Thanks,
Brian Desmond

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

c - 312.731.3132

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

 

IIS - Default Website (or wherever your exchange VD is located) -
right-click on Exchange - Directory Security -  Default Domain.

 

Type in the name of your domain in there or just browse and select it.

 

And he says this isn't his specialty .. Yeah, right  ;)

 

Sincerely,

 

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

 

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.  

 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave

List info   : http://www.activedir.org/List.aspx

List FAQ: http://www.activedir.org/ListFAQ.aspx

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 



[ActiveDir] OT: Command line to create a local account

2005-06-27 Thread Cothern Jeff D. Team EITC
 
What would be the syntax in a batch file that I could create a local
account. Assign it a password and disable the account.  Also the account
needs to be part of the guest group and password be required for it. 

I got an idea but trying to do it in as little commands as possible.

Jeff

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Command line to create a local account

2005-06-27 Thread deji
Try cusrmgr. Look for the -alg and +s options.
 
Jsiinc.com had some details on cusrmgr.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team
EITC
Sent: Mon 6/27/2005 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line to create a local account




What would be the syntax in a batch file that I could create a local
account. Assign it a password and disable the account.  Also the account
needs to be part of the guest group and password be required for it.

I got an idea but trying to do it in as little commands as possible.

Jeff

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Error while adding user to AD

2005-06-27 Thread Mayuresh Kshirsagar
Thanks a lot Joe. I'll try this out.

One more query. After I've changed my password policy, they don't seem to be
reflected immediately. How can I force it?

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD


 That DSID can pop up when an account is improperly created. I.E. Someone is
 trying to set the account enabled in the actual creation of the account when
 there is password length policy.

 If you have a password length policy you need to create the account
 disabled, then set a password, then enable it.

 It sounds like the meta directory product doesn't know how to properly
 create an account in AD.





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
 Sent: Monday, June 27, 2005 7:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Error while adding user to AD

 Active Directory password policy was set as follows:

 Policy                                       Setting
 Enforce password history                     0 passwords remembered
 Maximum password age                         999 days
 Minimum password age                         0 days
 Minimum password length                      8 characters
 Password must meet complexity requirements   Disabled
 Store passwords using reversible encryption  Disabled

 Provisioning new accounts failed even though our passwords are longer than
 8 characters.

 When modifying the policy to a minimum length of 0 characters provisioning
 works.

 Any pointers of how this happened?

 Regards,
 Mayuresh


 - Original Message -
 From: Gil Kirkpatrick [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, June 28, 2005 4:57 AM
 Subject: RE: [ActiveDir] Error while adding user to AD


 This sort of error happens when the user you are provisioning doesn't meet
 all the policy requirements in AD. Make sure all the required attributes are
 set properly, and make sure that the password assigned to the user object
 meets the current domain complexity requirements.

 -gil

 

 From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
 Sent: Mon 6/27/2005 4:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Error while adding user to AD



 Hi,

 I am using a meta directory to provision a new user in AD. But while adding
 the user, I am getting the following error:

 Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
 (WILL_NOT_PERFORM), data 0

 Can you guide me as to how can I detect and eliminate the cause of it
 please.

 Thanks,
 Mayuresh

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Error while adding user to AD

2005-06-27 Thread Mayuresh Kshirsagar
I set the Domain Security policy to be a password length policy. I set the
minimum length to be 8. Still I am able to provision using a different
server. Am I missing something?

- Original Message - 
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD


 Thanks a lot Joe. I'll try this out.

 One more query. After I've changed my password policy, they don't seem to be
 reflected immediately. How can I force it?

 - Original Message - 
 From: joe [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, June 28, 2005 5:38 AM
 Subject: RE: [ActiveDir] Error while adding user to AD


  That DSID can pop up when an account is improperly created. I.E. Someone is
  trying to set the account enabled in the actual creation of the account when
  there is password length policy.
 
  If you have a password length policy you need to create the account
  disabled, then set a password, then enable it.
 
  It sounds like the meta directory product doesn't know how to properly
  create an account in AD.
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
  Sent: Monday, June 27, 2005 7:42 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Error while adding user to AD
 
  Active Directory password policy was set as follows:
 
  Policy                                       Setting
  Enforce password history                     0 passwords remembered
  Maximum password age                         999 days
  Minimum password age                         0 days
  Minimum password length                      8 characters
  Password must meet complexity requirements   Disabled
  Store passwords using reversible encryption  Disabled

  Provisioning new accounts failed even though our passwords are longer than
  8 characters.

  When modifying the policy to a minimum length of 0 characters provisioning
  works.
 
  Any pointers of how this happened?
 
  Regards,
  Mayuresh
 
 
  - Original Message -
  From: Gil Kirkpatrick [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, June 28, 2005 4:57 AM
  Subject: RE: [ActiveDir] Error while adding user to AD
 
 
  This sort of error happens when the user you are provisioning doesn't meet
  all the policy requirements in AD. Make sure all the required attributes are
  set properly, and make sure that the password assigned to the user object
  meets the current domain complexity requirements.
 
  -gil
 
  
 
  From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
  Sent: Mon 6/27/2005 4:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Error while adding user to AD
 
 
 
  Hi,
 
  I am using a meta directory to provision a new user in AD. But while adding
  the user, I am getting the following error:
 
  Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
  (WILL_NOT_PERFORM), data 0
 
  Can you guide me as to how can I detect and eliminate the cause of it
  please.
 
  Thanks,
  Mayuresh
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Error while adding user to AD

2005-06-27 Thread joe
After you set the policy, you have to wait for the policy to be replicated
to all DCs in the domain and applied before you get convergence on the new
policy rules. Depending on the environment this can take varying amounts of
time. If you have only a couple of K3 DCs in a single site and great FRS/AD
replication you can set it and then wait a minute and then do a 

gpupdate /force

To force the update of the policy.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

Thanks a lot Joe. I'll try this out.

One more query. After I've changed my password policy, they don't seem to be
reflected immediately. How can I force it?

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 5:38 AM
Subject: RE: [ActiveDir] Error while adding user to AD


 That DSID can pop up when an account is improperly created. I.E. Someone is
 trying to set the account enabled in the actual creation of the account when
 there is password length policy.

 If you have a password length policy you need to create the account
 disabled, then set a password, then enable it.

 It sounds like the meta directory product doesn't know how to properly
 create an account in AD.





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
 Sent: Monday, June 27, 2005 7:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Error while adding user to AD

 Active Directory password policy was set as follows:

 Policy                                       Setting
 Enforce password history                     0 passwords remembered
 Maximum password age                         999 days
 Minimum password age                         0 days
 Minimum password length                      8 characters
 Password must meet complexity requirements   Disabled
 Store passwords using reversible encryption  Disabled

 Provisioning new accounts failed even though our passwords are longer than
 8 characters.

 When modifying the policy to a minimum length of 0 characters provisioning
 works.

 Any pointers of how this happened?

 Regards,
 Mayuresh


 - Original Message -
 From: Gil Kirkpatrick [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, June 28, 2005 4:57 AM
 Subject: RE: [ActiveDir] Error while adding user to AD


 This sort of error happens when the user you are provisioning doesn't meet
 all the policy requirements in AD. Make sure all the required attributes are
 set properly, and make sure that the password assigned to the user object
 meets the current domain complexity requirements.

 -gil

 

 From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
 Sent: Mon 6/27/2005 4:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Error while adding user to AD



 Hi,

 I am using a meta directory to provision a new user in AD. But while adding
 the user, I am getting the following error:

 Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
 (WILL_NOT_PERFORM), data 0

 Can you guide me as to how can I detect and eliminate the cause of it
 please.

 Thanks,
 Mayuresh

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Error while adding user to AD

2005-06-27 Thread joe
I expect the policy hasn't completely applied yet. 

Can you control the process used by the metadirectory software for object
creation? If so, have it create the object in the way specified below. The
alternative is to create it with the useraccountcontrol flagged to allow the
account to not have a password. Then after the initial object create set a
password and change useraccountcontrol to 512. I highly recommend creating
it disabled and then setting the password and then setting the
useraccountcontrol to 512 though. It is more obvious if something gets
dropped and not handled properly.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, June 27, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error while adding user to AD

I set the Domain Security policy to be a password length policy. I set the
minimum length to be 8. Still I am able to provision using a different
server. Am I missing something?

- Original Message -
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:19 AM
Subject: Re: [ActiveDir] Error while adding user to AD


 Thanks a lot Joe. I'll try this out.

 One more query. After I've changed my password policy, they don't seem to be
 reflected immediately. How can I force it?

 - Original Message - 
 From: joe [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, June 28, 2005 5:38 AM
 Subject: RE: [ActiveDir] Error while adding user to AD


  That DSID can pop up when an account is improperly created. I.E. Someone is
  trying to set the account enabled in the actual creation of the account when
  there is password length policy.
 
  If you have a password length policy you need to create the account
  disabled, then set a password, then enable it.
 
  It sounds like the meta directory product doesn't know how to properly
  create an account in AD.
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
  Sent: Monday, June 27, 2005 7:42 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Error while adding user to AD
 
  Active Directory password policy was set as follows:
 
  Policy                                       Setting
  Enforce password history                     0 passwords remembered
  Maximum password age                         999 days
  Minimum password age                         0 days
  Minimum password length                      8 characters
  Password must meet complexity requirements   Disabled
  Store passwords using reversible encryption  Disabled

  Provisioning new accounts failed even though our passwords are longer than
  8 characters.

  When modifying the policy to a minimum length of 0 characters provisioning
  works.
 
  Any pointers of how this happened?
 
  Regards,
  Mayuresh
 
 
  - Original Message -
  From: Gil Kirkpatrick [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, June 28, 2005 4:57 AM
  Subject: RE: [ActiveDir] Error while adding user to AD
 
 
  This sort of error happens when the user you are provisioning doesn't meet
  all the policy requirements in AD. Make sure all the required attributes are
  set properly, and make sure that the password assigned to the user object
  meets the current domain complexity requirements.
 
  -gil
 
  
 
  From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
  Sent: Mon 6/27/2005 4:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Error while adding user to AD
 
 
 
  Hi,
 
  I am using a meta directory to provision a new user in AD. But while adding
  the user, I am getting the following error:
 
  Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
  (WILL_NOT_PERFORM), data 0
 
  Can you guide me as to how can I detect and eliminate the cause of it
  please.
 
  Thanks,
  Mayuresh
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
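
The two provisioning orders discussed in this thread, plus the enabled-at-create order that was being refused, as an added example that is not part of the original messages. ToyDomain, the route functions and the DN are hypothetical; the model only encodes the behaviour described in the thread and is not AD itself.

```python
# Added example: provisioning orders from the thread against a constructed model.
ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
PASSWD_NOTREQD = 0x0020   # userAccountControl bit: no password required
NORMAL_ACCOUNT = 0x0200   # 512, the value the thread ends on


class WillNotPerform(Exception):
    """Stands in for the refusal quoted in the thread (problem 5003)."""


def encode_unicode_pwd(password):
    """unicodePwd wire format: the password in double quotes, UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


class ToyDomain:
    """Hypothetical in-memory model of the behaviour described above, not AD."""

    def __init__(self, min_pwd_length):
        self.min_pwd_length = min_pwd_length
        self.entries = {}

    def _check(self, uac, has_password):
        enabled = not (uac & ACCOUNTDISABLE)
        exempt = bool(uac & PASSWD_NOTREQD)
        if self.min_pwd_length > 0 and enabled and not exempt and not has_password:
            raise WillNotPerform("enabled account has no password")

    def add(self, dn, uac):
        self._check(uac, has_password=False)
        self.entries[dn] = {"userAccountControl": uac, "unicodePwd": None}

    def set_password(self, dn, password):
        if len(password) < self.min_pwd_length:
            raise WillNotPerform("password shorter than the minimum length")
        self.entries[dn]["unicodePwd"] = encode_unicode_pwd(password)

    def set_uac(self, dn, uac):
        entry = self.entries[dn]
        self._check(uac, entry["unicodePwd"] is not None)
        entry["userAccountControl"] = uac


def enabled_at_create(domain, dn, password, drop_password_step=False):
    """The order that gets refused: the account is enabled in the create itself."""
    domain.add(dn, NORMAL_ACCOUNT)
    if not drop_password_step:
        domain.set_password(dn, password)


def disabled_first(domain, dn, password, drop_password_step=False):
    """Recommended order: create disabled (514), set password, then 512."""
    domain.add(dn, NORMAL_ACCOUNT | ACCOUNTDISABLE)
    if not drop_password_step:
        domain.set_password(dn, password)
    domain.set_uac(dn, NORMAL_ACCOUNT)


def passwd_notreqd_first(domain, dn, password, drop_password_step=False):
    """Alternative order: create with PASSWD_NOTREQD (544), set password, then 512."""
    domain.add(dn, NORMAL_ACCOUNT | PASSWD_NOTREQD)
    if not drop_password_step:
        domain.set_password(dn, password)
    domain.set_uac(dn, NORMAL_ACCOUNT)


def state(entry):
    """Summarise what an auditor would find after the run."""
    if entry is None:
        return "not created"
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return "disabled"
    if entry["unicodePwd"] is None:
        return "ENABLED, NO PASSWORD"
    return "enabled with password"


def run(route, min_pwd_length, drop_password_step=False):
    """Run one route on a fresh domain; return (outcome, resulting account state)."""
    domain = ToyDomain(min_pwd_length)
    dn = "CN=Test User,OU=Staff,DC=example,DC=com"   # constructed DN
    try:
        route(domain, dn, "constructed-Passw0rd", drop_password_step)
        outcome = "ok"
    except WillNotPerform:
        outcome = "refused"
    return outcome, state(domain.entries.get(dn))


if __name__ == "__main__":
    for route in (enabled_at_create, disabled_first, passwd_notreqd_first):
        for dropped in (False, True):
            label = "password step dropped" if dropped else "all steps"
            print(route.__name__, label, run(route, 8, dropped))
    print("minimum length 0:", run(enabled_at_create, 0))
```

When the password step is dropped, the disabled-first order leaves a disabled account behind, while the PASSWD_NOTREQD order leaves an enabled account with no password.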


RE: [ActiveDir] DNS Scavenging

2005-06-27 Thread Wright, T. MR NSSB
 
Thanks for your response.  I have one more question, are the recommended 
settings still one hour for no-refresh and 7 days for refresh?  This is what I 
initially had it set to but since it didn't appear to be working I lowered the 
intervals.  I think I will start by dumping the zone and sorting out the static 
entries, I don't think there are too many so it shouldn't be too difficult, I 
just wanted to be sure that I didn't miss any. The zones that I am concerned 
with are all AD integrated, but scavenging was turned on after the fact.
 
Thanks,
 
-Tim



From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging



First off, you need to be careful with such low no
refresh/refresh intervals since, for example, 2003
computers only refresh their records every 24 hours
(it initially refreshes faster, but it uses
ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in
the DNS console and view the properties of your old
records.  If you don't see a timestamp then they won't
fall under the scavenging rules.  You can also use
dnscmd.exe /zoneexport to dump the entire zone(s) to a
file.  You'll see an [Age:###] (Or maybe it's
Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and
you never had scavenging enabled on it then any
dynamically registered records into that zone would
have not received a timestamp.  An AD integrated zone
with scavenging disabled will cause an initial
timestamp to be recorded for dynamically registered
records but won't cause them to be refreshed until
scavenging is enabled.

As for easier ways to address your issue, I'm unaware
of a solution that doesn't require some leg work.  You
could dump the zone via dnscmd.exe /zoneexport and see
which don't have timestamps and from there figure out
which ones are supposed to be static and which ones
aren't.  This will be simplified if you have a
standard naming convention...

--- Wright, T. MR   NSSB [EMAIL PROTECTED] wrote:

 All,
 I am not 100% sure, but it appears that I may be having some issues
 with scavenging old records.  I have a Win2003 domain with 5 DC's
 running 2003 functional level.  All of the DC's run DNS and on one of
 them I enabled scavenging at the server level and configured all zones to
 have a no-refresh interval of 1 hour and a refresh interval of 8 hours.
 I did this a few weeks ago and many of the records still exist in DNS.
 I know for a fact that I have a few thousand workstations which have
 been off the network for more than 30 days.
 I think what I am seeing is the issue where the records that existed
 prior to me enabling scavenging won't get scavenged.  That said, I know
 I can manually age all of the records using the dnscmd, but this will
 take all of my statically created records with it.  Are there any ways
 around this so that my static records don't get touched?
 
 Thanks,
 
 -Tim
 
 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
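
A sketch of the zone-dump triage discussed in this thread, as an added example that is not part of the original messages. The sample export is constructed, the tag spelling is an assumption (the message above was unsure between "Age:" and "Aging:", so both are accepted), and the timestamp is read as hours since 1601-01-01 UTC.

```python
# Added example: split a dnscmd /zoneexport style dump into records without a
# timestamp (static candidates), stale records, and records still current.
import re
from datetime import datetime, timedelta

EPOCH = datetime(1601, 1, 1)   # record timestamps count hours from here (UTC)
AGE_TOKEN = re.compile(r"^\[(?:AGE|AGING):(\d+)\]$", re.IGNORECASE)

# Constructed sample, not a real export.
SAMPLE_EXPORT = """\
; constructed sample zone
@                        IN  SOA dc1.corp.example. hostmaster.corp.example. (
                             42      ; serial
                             900     ; refresh
                             600     ; retry
                             86400   ; expire
                             3600 )  ; default TTL
@                        3600  NS  dc1.corp.example.
dc1                      3600  A   10.0.0.10
printer-3f                     A   10.0.0.50
ws-0417   [AGE:3543552]  1200  A   10.0.4.17
ws-0993   [AGE:3545000]  1200  A   10.0.9.93
          [AGE:3545000]  1200  A   10.0.9.94
"""


def stamp_to_datetime(hours):
    return EPOCH + timedelta(hours=hours)


def parse_zone_export(text):
    """Return one dict per record: owner, type, data, stamp_hours (or None)."""
    records, owner, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if depth > 0:                             # inside a ( ... ) continuation
            depth += line.count("(") - line.count(")")
            continue
        tokens = line.split()
        if not raw[0].isspace():                  # new owner in column one
            owner = tokens.pop(0)
        depth += line.count("(") - line.count(")")
        stamp = None
        if tokens and AGE_TOKEN.match(tokens[0]):
            stamp = int(AGE_TOKEN.match(tokens.pop(0)).group(1))
        if tokens and tokens[0].isdigit():        # TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # class
            tokens.pop(0)
        if owner is None or not tokens:
            continue
        records.append({"owner": owner, "type": tokens[0].upper(),
                        "data": " ".join(tokens[1:]), "stamp_hours": stamp})
    return records


def classify(records, now, no_refresh_hours, refresh_hours, types=("A",)):
    """A timestamped record is stale once stamp + no-refresh + refresh < now."""
    now_hours = int((now - EPOCH).total_seconds() // 3600)
    result = {"static": [], "stale": [], "current": []}
    for rec in records:
        if rec["type"] not in types:
            continue
        if rec["stamp_hours"] is None:
            result["static"].append(rec["owner"])
        elif rec["stamp_hours"] + no_refresh_hours + refresh_hours < now_hours:
            result["stale"].append(rec["owner"])
        else:
            result["current"].append(rec["owner"])
    return result


if __name__ == "__main__":
    recs = parse_zone_export(SAMPLE_EXPORT)
    now = datetime(2005, 6, 1)                    # constructed "current" time
    print("1 h / 7 d:", classify(recs, now, 1, 7 * 24))
    print("1 h / 8 h:", classify(recs, now, 1, 8))
```

With the 1 hour / 8 hour intervals, the record refreshed 16 hours earlier already counts as stale, which is the risk with low intervals when clients refresh only every 24 hours.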


RE: [ActiveDir] OT: Outlook Web Access Split DNS

2005-06-27 Thread Coleman, Hunter
 though lately I have been fielding questions on event sinks

Sweet. Can we expect a chapter on this in the cat book? :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

I am decent with the Exchange/AD interface, Exchange's functionality itself is 
out of my scope and not anything I want in my scope though lately I have been 
fielding questions on event sinks which is scaring me. 

Mostly I am interested in how AD works. Not so interested in how technologies 
that use AD work such as GPOs and Exchange and other things. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

You and Jeff are both completely correct - well, almost :). It's 
well-documented - I was just too excited to think when I saw Joe cop a plea on 
Exchange :)
 
Since he has E2K3, I believe that this is what he wants:
http://support.microsoft.com/kb/820378/
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS



This of course only works in a single domain forest. In a multidomain forest, 
if you put a \ in the domain box your users don't have to specify a domain 
and IIS/Exchange does some magic to figure that part out.

 

You should be specifying this in ESM though, not inetmgr. DS2MB will resync it 
and clear out anything you do in inetmgr. 

 

Thanks,
Brian Desmond

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

c - 312.731.3132

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

 

IIS - Default Website (or wherever your exchange VD is located) - right-click 
on Exchange - Directory Security -  Default Domain.

 

Type in the name of your domain in there or just browse and select it.

 

And he says this isn't his specialty .. Yeah, right  ;)

 

Sincerely,

 

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access  Split DNS

 

This isn't my specialty but I believe you can set the default auth domain in
the IIS settings where you configure authentication types.  

 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access  Split DNS

When users log in to our Outlook Web Access site, they must enter their
username in the format domainname\username, as the domain name isn't being
passed. I'd like to be able to pass the domain name so users don't have to
remember to enter it when they log on (and reduce help desk call volume by
about 50%...). We're not using ISA Server, and have just a single Exchange
2003 server for our mail. AD is 2003 mixed mode, soon to be switched to
native mode.

We have a split DNS structure, where the OWA page resides in a different DNS
domain than our AD user accounts, and I'm wondering if that might be part of
the problem. Does anyone know how (or if it's possible) to pass OWA a
different domain name?

Thanks!

--Dave

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Error while adding user to AD

2005-06-27 Thread Mayuresh Kshirsagar
Thanks a lot Joe,

This has been of tremendous help for diagnosing the issue!

Grateful to you!
Mayuresh.

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 7:32 AM
Subject: RE: [ActiveDir] Error while adding user to AD


 I expect the policy hasn't completely applied yet.

 Can you control the process used by the metadirectory software for object
 creation? If so, have it create the object in the way specified below. The
 alternative is to create it with the useraccountcontrol flagged to allow the
 account to not have a password. Then after the initial object create set a
 password and change useraccountcontrol to 512. I highly recommend creating
 it disabled and then setting the password and then setting the
 useraccountcontrol to 512 though. It is more obvious if something gets
 dropped and not handled properly.

   joe

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
 Sent: Monday, June 27, 2005 9:56 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Error while adding user to AD

 I set the Domain Security policy to be a password length policy. I set the
 minimum length to be 8. Still I am able to provision using a different
 server. Am I missing something?

 - Original Message -
 From: Mayuresh Kshirsagar [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, June 28, 2005 7:19 AM
 Subject: Re: [ActiveDir] Error while adding user to AD


  Thanks a lot Joe. I'll try this out.

  One more query. After I've changed my password policy, they don't seem to be
  reflected immediately. How can I force it?
 
  - Original Message - 
  From: joe [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, June 28, 2005 5:38 AM
  Subject: RE: [ActiveDir] Error while adding user to AD
 
 
   That DSID can pop up when an account is improperly created. I.E. Someone is
   trying to set the account enabled in the actual creation of the account when
   there is password length policy.
  
   If you have a password length policy you need to create the account
   disabled, then set a password, then enable it.
  
   It sounds like the meta directory product doesn't know how to properly
   create an account in AD.
  
  
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
   Sent: Monday, June 27, 2005 7:42 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] Error while adding user to AD
  
   Active Directory password policy was set as follows:
  
   Policy                                       Setting
   Enforce password history                     0 passwords remembered
   Maximum password age                         999 days
   Minimum password age                         0 days
   Minimum password length                      8 characters
   Password must meet complexity requirements   Disabled
   Store passwords using reversible encryption  Disabled

   Provisioning new accounts failed even though our passwords are longer than
   8 characters.

   When modifying the policy to a minimum length of 0 characters provisioning
   works.
  
   Any pointers of how this happened?
  
   Regards,
   Mayuresh
  
  
   - Original Message -
   From: Gil Kirkpatrick [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Tuesday, June 28, 2005 4:57 AM
   Subject: RE: [ActiveDir] Error while adding user to AD
  
  
   This sort of error happens when the user you are provisioning doesn't meet
   all the policy requirements in AD. Make sure all the required attributes are
   set properly, and make sure that the password assigned to the user object
   meets the current domain complexity requirements.
  
   -gil
  
   
  
   From: [EMAIL PROTECTED] on behalf of Mayuresh Kshirsagar
   Sent: Mon 6/27/2005 4:09 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Error while adding user to AD
  
  
  
   Hi,
  
   I am using a meta directory to provision a new user in AD. But while adding
   the user, I am getting the following error:
  
   Server_Info='052D: SvcErr: DSID-031A0B56, problem 5003
   (WILL_NOT_PERFORM), data 0
  
   Can you guide me as to how can I detect and eliminate the cause of it
   please.
  
   Thanks,
   Mayuresh
  
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: