RE: [ActiveDir] Advertising RPC services - best practices - resend

2005-07-04 Thread Ruston, Neil



Does anyone have any experiences of apps that advertise their RPC services, which they'd care to share?

neil

  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
   Sent: 28 June 2005 09:24
   To: 'ActiveDir@mail.activedir.org'
   Subject: RE: [ActiveDir] Advertising RPC services - best practices

   Apologies for being vague :)

   I would like to restrict the app so it has read/write/delete to its own RPC container [in AD] and no more.

   Moreover, I'm interested to hear any experiences others have of similar RPC advertised apps.

   neil
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 24 June 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Advertising RPC services - best practices


Neil,
What are you trying to restrict? Access to the App, access via RPC, or access via AD? I can help, but the scope is pretty big at this point.
Rick




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 24, 2005 9:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Advertising RPC services - best practices

Does anyone have any suggestions, comments or experiences with applications that advertise themselves via the RPC services container in AD?

Specifically, the subject of security is of interest to me, i.e. how can the application be restricted so that it has a minimum set of privileges without 'breaking' the app?

I have read various MS papers on the subject and am happy with the general principles involved. I'm more interested in "real world" examples :)

TIA, neil 

==============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==============================================================================



RE: [ActiveDir] Tuning the server service and event ID 2022 - resend

2005-07-04 Thread Ruston, Neil



I'm interested to hear from others who've encountered similar issues and also what the default values for the keys below are for w2k3 [I've heard conflicting reports].

Any offers?

thanks,
neil

  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
   Sent: 22 June 2005 14:40
   To: 'ActiveDir@mail.activedir.org'
   Subject: [ActiveDir] Tuning the server service and event ID 2022
   Whilst working with Windows NT and Windows 2000, I've encountered issues with the server service which manifest themselves as "event id 2022":
   http://support.microsoft.com/?kbid=245080

   Specifically, I have observed this on w2k DCs (SP3) and made registry changes to the lanmanserver key as a result. See below for detail.

   Maximum Work Items        65535
   Maximum Raw Work Items    512
   Maximum Free Connections  100
   Minimum Free Connections  32

   The above changes appear to have alleviated the issues and I am now researching if these changes are needed on w2k3 DCs. I have read/been informed that the w2k3 server service is self tuning and therefore will not require the above changes to be made. I have also been led to believe that the default and max values for the above keys are significantly increased when comparing w2k and w2k3.

   Does anyone else have any experiences / suggestions / best practices they can share on this subject?

   TIA, neil
  



RE: [ActiveDir] OT - Script to check if reg entry present

2005-07-04 Thread Grillenmeier, Guido
you can either add the DNs of the machines directly into your
server.txt input file, or - if you prefer just to enter the hostnames
- then you'll have to query for their DN prior to adding them to the
group in the code below.

The latter will naturally require additional coding to either retrieve
the DN for each single computer name as you retrieve it from your file
(expensive with respect to AD performance), or you first query for a
list of all computers in a certain base DN (e.g. the OU that contains
your machines) and save that result in an array = then you can grab the
DNs from the array (less expensive).


/Guido
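The second approach Guido describes (one query for every computer under an OU, then each name looked up from the cached result, here a Dictionary rather than a plain array), as an added example that is not code from this thread. The file path, the OU and the group DN are assumptions (the group DN is the one in Jeff's script); servers.txt is expected to hold one computer name, its cn, per line. It also reads the group's current members once, so a second run skips computers already in the group instead of failing on them.

```vbscript
' Added example, not code from the thread: Guido's second approach. One ADO query
' for all computers under a base OU is cached as name -> DN, then each name from
' servers.txt is looked up locally and appended to the group.
' Assumed: the file path, the OU, and the group DN (taken from Jeff's script).
Option Explicit

Const ForReading          = 1
Const ADS_PROPERTY_APPEND = 3

Dim strInputFile, strSearchBase, strGroupDN
strInputFile  = "c:\scripts\servers.txt"                       ' one computer name (its cn) per line
strSearchBase = "OU=Servers,DC=NA,DC=fabrikam,DC=com"          ' assumed OU holding the computer accounts
strGroupDN    = "CN=mygroup,CN=Users,DC=NA,DC=fabrikam,DC=com"

' One paged subtree query; the loop below never goes back to AD per name.
Function BuildComputerMap(strBaseDN)
    Dim objConn, objCmd, objRS, objMap
    Set objMap = CreateObject("Scripting.Dictionary")
    objMap.CompareMode = vbTextCompare                          ' computer names are case-insensitive

    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    objCmd.ActiveConnection = objConn
    objCmd.Properties("Page Size") = 1000                       ' paging: more than 1000 computers still come back complete
    objCmd.CommandText = "<LDAP://" & strBaseDN & ">;" & _
        "(&(objectCategory=computer)(objectClass=computer));" & _
        "cn,distinguishedName;subtree"

    Set objRS = objCmd.Execute
    Do Until objRS.EOF
        If Not objMap.Exists(objRS.Fields("cn").Value) Then
            objMap.Add objRS.Fields("cn").Value, objRS.Fields("distinguishedName").Value
        End If
        objRS.MoveNext
    Loop
    objRS.Close
    objConn.Close
    Set BuildComputerMap = objMap
End Function

' Current members as a set, so re-running skips computers already in the group
' instead of failing on the duplicate value. Groups past the 1500-value range
' limit would need ranged retrieval, which this does not do.
Function CurrentMembers(objGroup)
    Dim objSet, arrMembers, varDN
    Set objSet = CreateObject("Scripting.Dictionary")
    objSet.CompareMode = vbTextCompare
    On Error Resume Next
    arrMembers = objGroup.GetEx("member")                       ' raises 0x8000500D on an empty group
    If Err.Number <> 0 Then
        Err.Clear
        arrMembers = Array()
    End If
    On Error GoTo 0
    For Each varDN In arrMembers
        objSet.Add varDN, True
    Next
    Set CurrentMembers = objSet
End Function

Dim objFSO, objTextFile, objGroup, objComputers, objMembers
Dim strComputer, strDN, intAdded, intSkipped

Set objComputers = BuildComputerMap(strSearchBase)
Set objGroup     = GetObject("LDAP://" & strGroupDN)
Set objMembers   = CurrentMembers(objGroup)
intAdded = 0
intSkipped = 0

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strInputFile, ForReading)
Do Until objTextFile.AtEndOfStream
    strComputer = Trim(objTextFile.ReadLine)
    If Len(strComputer) > 0 Then
        If Not objComputers.Exists(strComputer) Then
            WScript.Echo "Not found under " & strSearchBase & ": " & strComputer
        Else
            strDN = objComputers(strComputer)
            If objMembers.Exists(strDN) Then
                intSkipped = intSkipped + 1
            Else
                objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strDN)
                objGroup.SetInfo                                ' one write per computer: a bad DN fails alone
                objMembers.Add strDN, True
                intAdded = intAdded + 1
            End If
        End If
    End If
Loop
objTextFile.Close

WScript.Echo "Added " & intAdded & ", already members " & intSkipped
```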


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Freitag, 1. Juli 2005 21:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Script to check if reg entry present

Ok instead of manually putting the names of the computers into the
script.  Can I use this 

On Error Resume Next

Const ForReading = 1
Const ADS_PROPERTY_APPEND = 3 

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\scripts\servers.txt", ForReading)

Do Until objTextFile.AtEndOfStream 
    strComputer = objTextFile.ReadLine

    ' ================================================================
    ' Insert your code here
    ' ================================================================
 
    Set objGroup = GetObject _
        ("LDAP://cn=mygroup,cn=Users,dc=NA,dc=fabrikam,dc=com") 
 
    ' The appended value has to be the computer's distinguished name, so each
    ' line of servers.txt must hold a DN (or the name must be resolved to one first)
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strComputer)
    ' (And this is where I get lost)
    objGroup.SetInfo

    ' ================================================================
    ' End
    ' ================================================================

Loop

objTextFile.Close 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, July 01, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Script to check if reg entry present

same as adding users - you always update the group, not the object you
put into the group.  So just replace the user DNs with the computer's
DNs in this sample:

http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb03.mspx

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Freitag, 1. Juli 2005 21:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Script to check if reg entry present

Thanks, that definitely got me on the right point and now I have a script
that will check for the entry and, if not there, puts it there.  

I have looked around that page for another issue am trying to figure
out.

Mainly in AD a script that will add a computer account to a group.

Jeff
Trying to keep eyes from crossing
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, June 30, 2005 3:58 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Script to check if reg entry present

see:
http://www.microsoft.com/technet/scriptcenter/scripts/os/registry/osrgvb18.mspx
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D.
Team EITC
Sent: Thu 6/30/2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT - Script to check if reg entry present




Anyone good with scripting that could help with a script to query the
servers on a subnet to determine if a registry entry is present. 

Specifically looking for 


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
AutoBackupLogFiles=dword:0001 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
AutoBackupLogFiles=dword:0001 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
AutoBackupLogFiles=dword:0001 

Thanks for any help 

Jeff 

List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ 
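An added example, not code from the thread, for the registry check Jeff asks about: it walks the servers listed in c:\scripts\servers.txt (the input file from his later reply; the path is an assumption) and reads the three AutoBackupLogFiles values above through WMI's remote registry provider, flagging any that are missing or not 1. The same table also reports, without judging them, the lanmanserver parameters from the 'Tuning the server service and event ID 2022' thread above, so the values actually present on w2k3 DCs can be read rather than guessed.

```vbscript
' Added example, not code from the thread: reads the AutoBackupLogFiles values Jeff
' lists (and, as report-only rows, the lanmanserver parameters from the event 2022
' thread) from every server named in c:\scripts\servers.txt (assumed path) through
' WMI's StdRegProv. Read-only; needs admin rights on each target.
Option Explicit

Const ForReading         = 1
Const HKEY_LOCAL_MACHINE = &H80000002

' Each row: key under HKLM, value name, expected DWORD (Empty = just report the value).
Dim arrChecks
arrChecks = Array( _
    Array("SYSTEM\CurrentControlSet\Services\Eventlog\Application",    "AutoBackupLogFiles", 1), _
    Array("SYSTEM\CurrentControlSet\Services\Eventlog\Security",       "AutoBackupLogFiles", 1), _
    Array("SYSTEM\CurrentControlSet\Services\Eventlog\System",         "AutoBackupLogFiles", 1), _
    Array("SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "MaxWorkItems",       Empty), _
    Array("SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "MaxRawWorkItems",    Empty), _
    Array("SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "MaxFreeConnections", Empty), _
    Array("SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "MinFreeConnections", Empty))

' Returns the DWORD, or Null when the key or value does not exist on that server.
Function ReadDword(objReg, strKeyPath, strValueName)
    Dim lngValue, lngResult
    lngResult = objReg.GetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, lngValue)
    If lngResult = 0 Then
        ReadDword = lngValue
    Else
        ReadDword = Null                                   ' 2 = not found; other codes = access or other error
    End If
End Function

' Evaluates every row against one server and returns the number of findings.
Function AuditServer(strServer)
    Dim objReg, arrCheck, varValue, intFindings, strStatus
    intFindings = 0
    On Error Resume Next
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                           strServer & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        WScript.Echo strServer & vbTab & "UNREACHABLE" & vbTab & "0x" & Hex(Err.Number)
        Err.Clear
        AuditServer = 1
        Exit Function
    End If
    On Error GoTo 0

    For Each arrCheck In arrChecks
        varValue = ReadDword(objReg, arrCheck(0), arrCheck(1))
        If IsNull(varValue) Then
            ' Absent AutoBackupLogFiles means the log is not archived automatically when full;
            ' an absent lanmanserver value means the service is running on its built-in default.
            strStatus = "NOT SET"
            If Not IsEmpty(arrCheck(2)) Then intFindings = intFindings + 1
        ElseIf IsEmpty(arrCheck(2)) Then
            strStatus = "= " & varValue
        ElseIf varValue = arrCheck(2) Then
            strStatus = "OK (" & varValue & ")"
        Else
            strStatus = "MISMATCH (" & varValue & ", expected " & arrCheck(2) & ")"
            intFindings = intFindings + 1
        End If
        WScript.Echo strServer & vbTab & arrCheck(1) & vbTab & arrCheck(0) & vbTab & strStatus
    Next
    AuditServer = intFindings
End Function

Dim objFSO, objFile, strServer, intTotal
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\scripts\servers.txt", ForReading)   ' assumed: one server per line
intTotal = 0
Do Until objFile.AtEndOfStream
    strServer = Trim(objFile.ReadLine)
    If Len(strServer) > 0 Then intTotal = intTotal + AuditServer(strServer)
Loop
objFile.Close
WScript.Echo "Findings: " & intTotal
```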



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.

[ActiveDir] LegacyExchangeDN

2005-07-04 Thread Steve Rochford
I'm trying to use Exmerge to backup the Exchange store (this is an extra
to a proper store level backup so that we can retrieve odd messages
for people who manage to delete them; I do know that it's not the best
way to do the backup!).

It all works well except for users with a comma in the LegacyExchangeDN
- the mailboxes.txt file created by ExMerge has lines like:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=1794
/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT,
VANESSA

The first of these backs up OK; the second doesn't. I'm guessing that
it's because of the comma. I could probably find some way of creating
the file so that there were quotes round the whole line but I'd rather
lose the comma. 

Is there anything which depends on the value of LegacyExchangeDN which
might fall over if I change the values for some accounts (running
Exchange 2003 on Windows 2003 but these accounts started life on
Exchange 5.5/NT4)

Steve


RE: [ActiveDir] Turn off an audit

2005-07-04 Thread Eric Fleischman








Can you dump the SDDL string of the domain head security descriptor for us and share it out?

(feel free to send it to me offline if you are more comfy that way)

You can do this with ldp or maybe dsacls (I forget if dsacls can show you the raw string or not, but I know LDP can).

~Eric



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 02, 2005 2:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Turn off an audit

I cannot remember the name of the commandline app to do this. I want to turn off auditing of the msExchALObjectVersion attribute altogether. This is set to audit success/fail at the domain level. If I go in ADUC/ADSIEdit and look at the domain head, that property is nowhere to be found in the list. If I go to some OU, it's inheriting the option to audit this property from the domain. How to turn off?

--brian

RE: [ActiveDir] Corrupted NTDS.dit

2005-07-04 Thread joe
If we aren't having fun, we are doing the wrong thing. This stuff isn't
worth it if it isn't fun. 

My boss always tells me, have fun. If I am not having fun, he wants to know
so we can work on correcting it. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 02, 2005 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

Steve,

I'm glad that you do find the humor here.  It does exist - and many times,
it's just more obvious than others.

Heck, if there wasn't the gigging each other and the occasional off color
comments, this would be just like work!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, July 01, 2005 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Corrupted NTDS.dit

I don't post real often but besides slashdot postings being a bit humorous. 
This list ranks right up there in making me laugh.  Some of these posts are
even funnier when I've had a few beers..Don't figure.  Happy 4th weekend...

Steve

- Original Message -
From: Rocky Habeeb [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, July 01, 2005 4:00 PM
Subject: RE: [ActiveDir] Corrupted NTDS.dit


 joe (dog),

 Please send me a complete list of MS docs that are ... confusing,
 wrong and dangerous.  OK ... forget the confusing,  just the wrong 
 and
 dangerous.

 YMYMYM

 Rocky

 ___




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of joe
 Sent: Friday, July 01, 2005 3:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Corrupted NTDS.dit


 Now this is a fun note chain. ;o)

 To further clarify what Dean has so eloquently said. MS sometimes makes
 mistakes in documentation. As a general rule I look at MS documentation more
 as propaganda until otherwise proven correct, it tends to be safer that way.
 Most of it is great, a lot of it is confusing, some of it is wrong, some of
 it is outright dangerous. This is why there are many folks who submit
 changes to MS to get implemented into the documentation. I myself probably
 submit 5-10 KB changes a month, probably double that to MSDN per month.

 The comment "You do not want the DC's that exist to use the old cname
 record." is incorrect. The existence of it in DNS will not force the DC to
 use it. However, cleaning up after a demotion, failed or otherwise, is
 generally a good idea to do. I was simply trying to illustrate, as Dean
 indicated, that it won't actually cause a failure.

 I also want to point out the part Dean indicated about the value of this
 list. This is an incredible list, there can be a lot of side chatter but 
 you
 can learn things here that you won't find anywhere else. We have a ton of
 well known authors, Microsoft employees from
 PSS(ROSS/CPR/Other)/MCS/Dev(AD/JET)/Enterprise Computing, some of the top
 consultants in the industry, programmers, admins (from the smallest to the
 largest deployments), and we even have Rick Kingslan and sometimes let him
 post. The list isn't really just about posting a KB and sending someone on
 their way, you will often get a lot of opinion on the KB and/or the poster
 as well substantial background information on how things work and how they
 REALLY work.

 No one should really take anything personally or as an attack, it is just 
 a
 bunch of geeks trying to help each other out with varying levels of social
 and writing skills. As I once told a Microsoft Manager, I don't care if 
 your
 consultant kicks me every day when he sees me, as long as he knows what he
 is talking about I want him around. Oh there is one time there is personal
 attacks, it is every time Guido tries to confront me on Domain Local 
 Groups
 versus Universal groups. That is entirely personal. He even brought it up 
 in
 a DEC Conference to really dig me. Of course it doesn't bother too badly
 because I know I'm right. ;o)

 Ok, now where is my g/f. She snuck out to get her hair done when we were
 supposed to be getting ready to go up north for the weekend and I have 
 been
 waiting for 3 hours for her to get back!

 Reh!





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Friday, July 01, 2005 2:27 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Corrupted NTDS.dit

 Hehehe ... I'm feeling neither confused nor misled, though your last
 comment did evoke one response; mild annoyance, but it was fleeting ;o)

 I've no doubt that the article's instructions will work as (like many KB
 articles) they serve as an all encompassing solution.  Referencing the KB
 article's URL is also likely to be of use to Kevin who originally asked 
 the
 question but this (and many other technical forums like it) offer a great
 deal of additional value since much of the commentary falls 

RE: [ActiveDir] Corrupted NTDS.dit

2005-07-04 Thread joe
LOL.

Any time I find bad docs I almost immediately submit to MS. Much easier to
help them correct than to maintain a list of articles to not pay attention
too. Plus they can constantly update articles so something I thought was
good or bad could be reversed at any point. Best to just look at the article
on the spot and verify it makes sense to you. Basically have an
understanding of why you are doing something and what it is intended to do
prior to just doing it. I guess that pretty much applies to anything one
does. 

I recently made a request to start having a "doesn't apply to" field or
"reviewed for" field added to KB articles so that an article that, say,
applies to 2K will explicitly say it applies to K3 or not or whether it was
even reviewed for K3. So if you see that start happening, you know who to
thank, I have lots of joeware thongs in stock, buy them for your loved ones.
Some old friends I worked for I heard had one or more sent to their TAM. Let
me say that there is no way even the largest size would fit since the TAM
was a larger guy To even visualize it is scary, I guess everyone got a
laugh out of it though. :o)




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, July 01, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

joe (dog),

Please send me a complete list of MS docs that are ... confusing,
wrong and dangerous.  OK ... forget the confusing,  just the wrong and
dangerous.

YMYMYM

Rocky

___




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Friday, July 01, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit


Now this is a fun note chain. ;o)

To further clarify what Dean has so eloquently said. MS sometimes makes
mistakes in documentation. As a general rule I look at MS documentation more
as propaganda until otherwise proven correct, it tends to be safer that way.
Most of it is great, a lot of it is confusing, some of it is wrong, some of
it is outright dangerous. This is why there are many folks who submit
changes to MS to get implemented into the documentation. I myself probably
submit 5-10 KB changes a month, probably double that to MSDN per month.

The comment "You do not want the DC's that exist to use the old cname
record." is incorrect. The existence of it in DNS will not force the DC to
use it. However, cleaning up after a demotion, failed or otherwise, is
generally a good idea to do. I was simply trying to illustrate, as Dean
indicated, that it won't actually cause a failure.

I also want to point out the part Dean indicated about the value of this
list. This is an incredible list, there can be a lot of side chatter but you
can learn things here that you won't find anywhere else. We have a ton of
well known authors, Microsoft employees from
PSS(ROSS/CPR/Other)/MCS/Dev(AD/JET)/Enterprise Computing, some of the top
consultants in the industry, programmers, admins (from the smallest to the
largest deployments), and we even have Rick Kingslan and sometimes let him
post. The list isn't really just about posting a KB and sending someone on
their way, you will often get a lot of opinion on the KB and/or the poster
as well substantial background information on how things work and how they
REALLY work.

No one should really take anything personally or as an attack, it is just a
bunch of geeks trying to help each other out with varying levels of social
and writing skills. As I once told a Microsoft Manager, I don't care if your
consultant kicks me every day when he sees me, as long as he knows what he
is talking about I want him around. Oh there is one time there is personal
attacks, it is every time Guido tries to confront me on Domain Local Groups
versus Universal groups. That is entirely personal. He even brought it up in
a DEC Conference to really dig me. Of course it doesn't bother too badly
because I know I'm right. ;o)

Ok, now where is my g/f. She snuck out to get her hair done when we were
supposed to be getting ready to go up north for the weekend and I have been
waiting for 3 hours for her to get back!

Reh!





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 2:27 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

Hehehe ... I'm feeling neither confused nor misled, though your last
comment did evoke one response; mild annoyance, but it was fleeting ;o)

I've no doubt that the article's instructions will work as (like many KB
articles) they serve as an all encompassing solution.  Referencing the KB
article's URL is also likely to be of use to Kevin who originally asked the
question but this (and many other technical forums like it) offer a great
deal of additional value since much of the commentary falls outside the
scope of the vendors 

RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-07-04 Thread joe
H. Last I looked, admod didn't have an -addmbr option... I guess someone
could have snuck it in when I wasn't looking though...

;o)

Just messing with you. I assume you mean dsmod everywhere you say admod
below?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, July 02, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members
in a group

One wrinkle to this task...admod group <group DN> -addmbr generates an
error if a user in the source group already exists in the target group.
The -c option doesn't help.  It's too bad that admod does not have a
switch to ignore duplicates.  Any thoughts on getting around this?  TIA!

Mike Thommes 

-Original Message-
From: Thommes, Michael M. 
Sent: Thursday, June 23, 2005 8:18 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members
in a group

Charlie,
This worked great!  Thanks!  (And thanks to the others for the other
suggestions!)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, June 23, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members
in a group

I couldn't get this to work with adfind/admod, but I was able to make it
work with dsget/dsmod. Here's the syntax:

dsget group <DN of source group> -members | dsmod group <DN of destination group> -addmbr

This took all the members of the source DL and added them to the destination
DL...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
 Michael M.
 Sent: Thursday, June 23, 2005 2:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy 
 members in a group
 
 Yep!
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
 Kaiser
 Sent: Thursday, June 23, 2005 4:47 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy 
 members in a group
 
 Does the new DL already exist?
 
 **
 Charlie Kaiser
 MCSE, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
  Michael M.
  Sent: Thursday, June 23, 2005 1:48 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy 
  members in a group
  
  Hi,
  Task - to copy members of an AD email distribution group to 
  another email distribution group
  
  I have looked at both adfind and dsquery and while I can
 output all of
  the properties of the source email distribution group (including 
  members), I can't see how to restrict the output just to members in 
  order to pipe them to another email distribution group.
  
  Any thoughts?
  
  TIA,
  Mike Thommes


RE: [ActiveDir] Ds commands

2005-07-04 Thread joe
To just use them, none. To use specific functions like the stalepwd function
you will need to be in K3 domain functional mode so that lastLogonTimeStamp
is active.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, July 01, 2005 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ds commands

What domain functional level do I have to be in to use the DS commands?
Thanks
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)



RE: [ActiveDir] LegacyExchangeDN

2005-07-04 Thread joe
legacyExchangeDN is what is stored with mail messages and calendar entries
etc. If you change an LEDN of UserX there is a possibility that the people
will not be able to simply respond to an email UserX sent, they would have
to readdress it. Additionally meeting notices sent out by UserX would no
longer be owned by UserX from my understanding.

You could try doing it and moving the ledn into the proxyAddresses as an
x500 address. This should alleviate the mail delivery issues, not sure if it
would help with the calendar stuff.
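The mitigation joe describes, as an added example that is not code from the thread: the current legacyExchangeDN is kept as an X500 proxy address, and only then is the attribute rewritten with the comma removed from its last CN component. The user DN is an assumption, and the script only prints what it would do until blnCommit is set to True.

```vbscript
' Added example, not code from the thread: joe's mitigation applied to Steve's case.
' The mailbox's current legacyExchangeDN is kept as an X500 proxy address, then the
' value itself is rewritten with the comma removed from its last CN component.
' Dry run unless blnCommit is True; the user DN is assumed.
Option Explicit

Const ADS_PROPERTY_APPEND = 3

Dim strUserDN, blnCommit
strUserDN = "CN=Vanessa Kent,OU=Staff,DC=example,DC=com"      ' assumed
blnCommit = False

' "/O=.../OU=MAIN/CN=RECIPIENTS/CN=KENT, VANESSA" -> "/O=.../OU=MAIN/CN=RECIPIENTS/CN=KENT VANESSA"
' Only the last CN is touched; the O/OU/RECIPIENTS path stays as it is.
Function StripCommaFromLastCN(strLEDN)
    Dim intPos, strLast
    intPos = InStrRev(strLEDN, "/CN=")
    If intPos = 0 Then
        StripCommaFromLastCN = strLEDN
        Exit Function
    End If
    strLast = Replace(Mid(strLEDN, intPos), ", ", " ")
    strLast = Replace(strLast, ",", " ")
    StripCommaFromLastCN = Left(strLEDN, intPos - 1) & strLast
End Function

' True when proxyAddresses already holds strAddress (compared case-insensitively).
Function HasProxyAddress(objUser, strAddress)
    Dim arrAddrs, varAddr
    HasProxyAddress = False
    On Error Resume Next
    arrAddrs = objUser.GetEx("proxyAddresses")
    If Err.Number <> 0 Then                                     ' attribute not set at all
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    For Each varAddr In arrAddrs
        If StrComp(varAddr, strAddress, vbTextCompare) = 0 Then HasProxyAddress = True
    Next
End Function

Dim objUser, strOld, strNew, strX500
Set objUser = GetObject("LDAP://" & strUserDN)
strOld  = objUser.Get("legacyExchangeDN")
strNew  = StripCommaFromLastCN(strOld)
strX500 = "X500:" & strOld                                      ' the old value stays resolvable as an alias

WScript.Echo "Current : " & strOld
WScript.Echo "Proposed: " & strNew

If strNew = strOld Then
    WScript.Echo "No comma in the last CN; nothing to change."
ElseIf Not blnCommit Then
    WScript.Echo "Dry run. Would add " & strX500 & " and set the new legacyExchangeDN."
Else
    ' Both changes go out in one SetInfo, so the old DN is an alias of this mailbox
    ' from the moment the new value exists. Uniqueness of the new value across the
    ' organisation is not checked here.
    If Not HasProxyAddress(objUser, strX500) Then
        objUser.PutEx ADS_PROPERTY_APPEND, "proxyAddresses", Array(strX500)
    End If
    objUser.Put "legacyExchangeDN", strNew
    objUser.SetInfo
    WScript.Echo "Updated."
End If
```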



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Monday, July 04, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegacyExchangeDN

I'm trying to use Exmerge to backup the Exchange store (this is an extra to
a proper store level backup so that we can retrieve odd messages for
people who manage to delete them; I do know that it's not the best way to do
the backup!).

It all works well except for users with a comma in the LegacyExchangeDN
- the mailboxes.txt file created by ExMerge has lines like:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=1794
/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT,
VANESSA

The first of these backs up OK; the second doesn't. I'm guessing that it's
because of the comma. I could probably find some way of creating the file so
that there were quotes round the whole line but I'd rather lose the comma. 

Is there anything which depends on the value of LegacyExchangeDN which might
fall over if I change the values for some accounts (running Exchange 2003 on
Windows 2003 but these accounts started life on Exchange 5.5/NT4)

Steve


RE: [ActiveDir] Turn off an audit

2005-07-04 Thread joe



Or do it with adfind...

adfind -b dc=domain,dc=com -s base -sddc ntsecuritydescriptor

Since Eric is interested in the SACL I expect you could append

|grep -i "\[sacl"

to the command to have it dump just the piece he is interested in.
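An added example, not code from the thread, that does the SACL inspection Eric and joe are after in script form: it resolves the attribute's schemaIDGUID and lists the audit ACEs on the domain head that cover it, which is where Brian's inherited audit setting must be defined. The attribute name is Brian's; everything else is read from the directory the script runs in, and nothing is changed.

```vbscript
' Added example, not code from the thread: lists the audit (SACL) entries on the
' domain head that apply to a named attribute, so the inherited audit of
' msExchALObjectVersion Brian describes can be found before anyone edits it.
' Read-only. Reading a SACL needs the "Manage auditing and security log"
' (SeSecurityPrivilege) right on the DC answering the query.
Option Explicit

Const ADS_OPTION_SECURITY_MASK        = 3
Const ADS_SECURITY_INFO_OWNER         = 1
Const ADS_SECURITY_INFO_GROUP         = 2
Const ADS_SECURITY_INFO_DACL          = 4
Const ADS_SECURITY_INFO_SACL          = 8      ' not returned unless asked for
Const ADS_ACETYPE_SYSTEM_AUDIT        = 2      ' audit ACE covering the whole object
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7      ' audit ACE scoped to one property/class GUID
Const SUCCESSFUL_ACCESS_ACE_FLAG      = &H40
Const FAILED_ACCESS_ACE_FLAG          = &H80

Dim strAttribute
strAttribute = "msExchALObjectVersion"          ' lDAPDisplayName from Brian's post

' schemaIDGUID comes back as 16 raw bytes; the first three fields are little-endian,
' so they are reversed to form the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} string
' that ADSI uses in an ACE's ObjectType.
Function OctetToGuidString(arrBytes)
    Dim i, strHex(15)
    For i = 0 To 15
        strHex(i) = Right("0" & Hex(AscB(MidB(arrBytes, i + 1, 1))), 2)
    Next
    OctetToGuidString = "{" & strHex(3) & strHex(2) & strHex(1) & strHex(0) & "-" & _
        strHex(5) & strHex(4) & "-" & strHex(7) & strHex(6) & "-" & _
        strHex(8) & strHex(9) & "-" & _
        strHex(10) & strHex(11) & strHex(12) & strHex(13) & strHex(14) & strHex(15) & "}"
End Function

' Resolves an attribute's lDAPDisplayName to its schemaIDGUID ("" if not in the schema).
Function SchemaIdGuid(strLdapDisplayName)
    Dim objRootDSE, objConn, objRS
    Set objRootDSE = GetObject("LDAP://RootDSE")
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objRS = objConn.Execute("<LDAP://" & objRootDSE.Get("schemaNamingContext") & ">;" & _
        "(&(objectClass=attributeSchema)(lDAPDisplayName=" & strLdapDisplayName & "));" & _
        "schemaIDGUID;onelevel")
    If objRS.EOF Then
        SchemaIdGuid = ""
    Else
        SchemaIdGuid = OctetToGuidString(objRS.Fields("schemaIDGUID").Value)
    End If
    objConn.Close
End Function

' Reads the object's security descriptor with the SACL included and prints every
' audit ACE that names the attribute's GUID or has no object type (audits all properties).
Function ListAuditAces(strObjectDN, strAttrGuid)
    Dim objTarget, objSD, objSacl, objAce, intCount, strKind
    intCount = 0
    Set objTarget = GetObject("LDAP://" & strObjectDN)
    objTarget.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER Or _
        ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL Or ADS_SECURITY_INFO_SACL
    objTarget.GetInfoEx Array("nTSecurityDescriptor"), 0
    Set objSD = objTarget.Get("nTSecurityDescriptor")
    Set objSacl = objSD.SystemAcl
    If objSacl Is Nothing Then
        ListAuditAces = 0
        Exit Function
    End If
    For Each objAce In objSacl
        If objAce.AceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
           objAce.AceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT Then
            If Len(objAce.ObjectType) = 0 Or _
               StrComp(objAce.ObjectType, strAttrGuid, vbTextCompare) = 0 Then
                strKind = ""
                If (objAce.AceFlags And SUCCESSFUL_ACCESS_ACE_FLAG) <> 0 Then strKind = "success "
                If (objAce.AceFlags And FAILED_ACCESS_ACE_FLAG) <> 0 Then strKind = strKind & "failure"
                WScript.Echo objAce.Trustee & vbTab & strKind & vbTab & _
                    "mask=0x" & Hex(objAce.AccessMask) & vbTab & _
                    "objectType=" & objAce.ObjectType & vbTab & _
                    "inheritedObjectType=" & objAce.InheritedObjectType
                intCount = intCount + 1
            End If
        End If
    Next
    ListAuditAces = intCount
End Function

Dim strDomainDN, strGuid
strDomainDN = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
strGuid = SchemaIdGuid(strAttribute)
If Len(strGuid) = 0 Then
    WScript.Echo strAttribute & " is not in this forest's schema."
Else
    WScript.Echo "Audit ACEs on " & strDomainDN & " covering " & strAttribute & " " & strGuid
    WScript.Echo ListAuditAces(strDomainDN, strGuid) & " matching entries"
End If
```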




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 04, 2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Turn off an audit

Can you dump the SDDL string of the domain head security descriptor for us and share it out?
(feel free to send it to me offline if you are more comfy that way)

You can do this with ldp or maybe dsacls (I forget if dsacls can show you the raw string or not, but I know LDP can).

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 02, 2005 2:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Turn off an audit

I cannot remember the name of the commandline app to do this. I want to turn off auditing of the msExchALObjectVersion attribute altogether. This is set to audit success/fail at the domain level. If I go in ADUC/ADSIEdit and look at the domain head, that property is nowhere to be found in the list. If I go to some OU, it's inheriting the option to audit this property from the domain. How to turn off?

--brian



RE: [ActiveDir] OT: scheduler account?

2005-07-04 Thread joe
What? No French human readable? LOL.

Ok, I will run it through my English to French translator


It says 20050518144457 when converted to French looks like 20050518144457.
;o)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 01, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

 
Hi joe,

It may not be in *french* human readable format :-)), and Neil just proposed
himself to translate 20050518144457.0Z in french format... I'm just
waiting for his answer ... :o)

However, thank u for the explanations and the links u forwarded.

Nice day all :)

Cheers,

Yann


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 1 July 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

That is human readable. :o)

It just isn't friendly or in a format most people unaware of the Generalized
Time Format would be able to understand at a quick glance.

However, Neil showed how to parse it out. The one thing to keep in mind is
that is UT/UTC/GMT time also known as Zulu time which is where the Z comes
from on the end.

Take a look at the Generalized Time section of 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/adsi_attribute_syntax.asp
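A parser for the Generalized Time format joe points to, as an added example that is not code from the thread: it turns the whenCreated value from the adfind output above into a VBScript Date, treating the trailing Z as UTC (and a ±hhmm differential as a local offset), and then shifts it by the UTC offset WMI reports for the machine running the script.

```vbscript
' Added example, not code from the thread: parses the Generalized Time value from
' the adfind output into a VBScript Date. The instant is UTC (the trailing Z), and
' the second function shifts it to the local time of the machine running the script.
Option Explicit

' "yyyyMMddHHmmss[.f]Z" or "yyyyMMddHHmmss[.f]+hhmm" / "-hhmm" -> Date in UTC.
' Anything that does not match raises an error instead of returning a wrong date.
Function GeneralizedTimeToUtc(strGT)
    Dim strCore, strZone, dtStamp, intOffset
    strCore = Left(strGT, 14)
    If Len(strGT) < 15 Or Not IsNumeric(strCore) Then
        Err.Raise vbObjectError + 1, "GeneralizedTimeToUtc", "Not a Generalized Time value: " & strGT
    End If
    dtStamp = DateSerial(CInt(Mid(strCore, 1, 4)), CInt(Mid(strCore, 5, 2)), CInt(Mid(strCore, 7, 2))) + _
              TimeSerial(CInt(Mid(strCore, 9, 2)), CInt(Mid(strCore, 11, 2)), CInt(Mid(strCore, 13, 2)))
    strZone = Right(strGT, 5)                                 ' "+0100" style differential, if present
    If Right(strGT, 1) = "Z" Then
        intOffset = 0                                         ' Zulu: the stamp already is UTC
    ElseIf Left(strZone, 1) = "+" Or Left(strZone, 1) = "-" Then
        intOffset = CInt(Mid(strZone, 2, 2)) * 60 + CInt(Mid(strZone, 4, 2))
        If Left(strZone, 1) = "-" Then intOffset = -intOffset
    Else
        Err.Raise vbObjectError + 2, "GeneralizedTimeToUtc", "No time zone designator: " & strGT
    End If
    GeneralizedTimeToUtc = DateAdd("n", -intOffset, dtStamp)  ' remove the local offset to get UTC
End Function

' Applies this machine's current offset from UTC, in minutes, as WMI reports it.
Function UtcToLocal(dtUtc)
    Dim objOS
    For Each objOS In GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem")
        UtcToLocal = DateAdd("n", objOS.CurrentTimeZone, dtUtc)
    Next
End Function

Dim dtUtc
dtUtc = GeneralizedTimeToUtc("20050518144457.0Z")             ' whenCreated from the adfind output above
WScript.Echo "UTC  : " & dtUtc
WScript.Echo "Local: " & UtcToLocal(dtUtc)
```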







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 01, 2005 2:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Hi,

How do u translate the 20050518144457.0Z format into human readable format
:) ?

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 1 July 2005 01:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

And from adfind

adfind -gc -b -f name=scheduler -owner whencreated

Output would look something like

[Thu 06/30/2005 19:29:09.67]
F:\temp>adfind -gc -b -f name=someuser -owner whencreated

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
whenCreated: 20050518144457.0Z
_OBJECT_OWNER: JOE\Domain Admins


1 Objects returned





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, June 29, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Jorge,
Thanks for the slap alongside the head idea to use ADSIEdit to track
down this account!  Values of related attributes show this account was
created a long time ago when we were an NT4 domain.  It has been dispensed
with accordingly.  Thanks again!

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, June 29, 2005 1:09 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

nope... not a default account in AD.
 
* see the creation date to see if you remember what happened on that date
* see the owner to see who caused the creation
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 6/29/2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: scheduler account?



I have found a user account in my AD named Scheduler with a Display name
of Scheduler Service Account and a Description of Gives the Scheduler
network access.  I don't know where it comes from.  I don't see it in child
domain ADs.  Does anyone know the origin of this account?  Maybe some
software installation did it?  TIA! 

Mike Thommes 
List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ 



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
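To make joe's explanation concrete, here is an added example (not adfind's code and not anything posted in the thread) that parses the adfind output quoted above and converts the whenCreated Generalized Time value, fraction and trailing "Z" included, into a timezone-aware datetime rendered both in UTC and in a local zone. The sample output is constructed from the lines joe quoted; the fixed UTC+2 display zone and the function names are assumptions.

```python
"""Parse adfind-style output and render an AD Generalized Time value.

Added example for the thread above; it is not adfind's code or anything
posted to the list. The sample output below is constructed from the lines
quoted in the thread, and the local time zone is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# AD stores whenCreated/whenChanged as Generalized Time:
# YYYYMMDDHHMMSS[.fraction](Z | +hhmm | -hhmm).  "Z" means UTC ("Zulu").
_GENERALIZED_TIME = re.compile(
    r"^(?P<stamp>\d{14})(?:[.,](?P<frac>\d+))?(?P<tz>Z|[+-]\d{4})$"
)

# Assumed local zone for display: fixed UTC+2 (Central European Summer Time).
LOCAL_TZ = timezone(timedelta(hours=2), name="CEST")


def parse_generalized_time(value: str) -> datetime:
    """Return a timezone-aware datetime for an LDAP Generalized Time string."""
    m = _GENERALIZED_TIME.match(value.strip())
    if m is None:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    when = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    if m.group("frac"):
        # fractional seconds; AD normally writes a single "0"
        when += timedelta(seconds=float("0." + m.group("frac")))
    tz = m.group("tz")
    if tz == "Z":
        return when.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return when.replace(tzinfo=timezone(sign * offset))


def parse_adfind(text: str) -> list[dict]:
    """Collect 'attribute: value' lines following each 'dn:' line into dicts."""
    records: list[dict] = []
    current: dict = {}
    for line in text.splitlines():
        if line.startswith("dn:"):
            if current:
                records.append(current)
            current = {"dn": line[3:].strip()}
        elif current and ":" in line:
            attr, _, value = line.partition(":")
            current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def describe(record: dict, local_tz: timezone = LOCAL_TZ) -> dict:
    """Summarise one record: who owns it and when it was created (UTC and local)."""
    created = parse_generalized_time(record["whenCreated"])
    return {
        "dn": record["dn"],
        "owner": record.get("_OBJECT_OWNER", "<not requested>"),
        "created_utc": created.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "created_local": created.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S %Z"),
    }


# Constructed sample, taken from the adfind output quoted in the thread.
SAMPLE_OUTPUT = r"""F:\temp>adfind -gc -b -f name=someuser -owner whencreated

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
whenCreated: 20050518144457.0Z
_OBJECT_OWNER: JOE\Domain Admins


1 Objects returned
"""

if __name__ == "__main__":
    for rec in parse_adfind(SAMPLE_OUTPUT):
        for key, value in describe(rec).items():
            print(f"{key:>14}: {value}")
```

The owner and the creation date are the two attributes Jorge suggested checking for an account nobody remembers creating; once whenCreated is a real datetime it can be lined up against change records or installation logs for that day rather than read by eye.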

RE: [ActiveDir] Corrupted NTDS.dit

2005-07-04 Thread joe
No, I didn't; your email client forgot to display it. ;) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, July 01, 2005 9:49 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit

Joe... you forgot to type your message! ;-)
 
Jorge



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 7/1/2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Corrupted NTDS.dit 

As long as you still have a Domain Controller with a good copy of the
Active Directory Database, I would just demote it and then run dcpromo to
promote it again. Make sure you check that the CNAME and SRV records in DNS
are removed after the demotion. If the server is promoted again the GUID
will be different and will cause File Replication problems among other
things. I would also recommend running ntdsutil to perform a MetaData
cleanup of the server object you are demoting before you promote it again. 
Microsoft has a procedure for doing this on the website if you are not
familiar with it. 

  


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300 



This e-mail, including any attachments, may be confidential, privileged or
otherwise legally protected. It is intended only for the addressee. If you
received this e-mail in error or from someone who was not authorized to send
it to you, do not disseminate, copy or otherwise use this e-mail or its
attachments.  Please notify the sender immediately by reply e-mail and
delete the e-mail from your system. 


-Original Message- 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Corrupted NTDS.dit 

Hi, 
I have a corrupt NTDS.dit file with no backup, although the Windows
2003 DC starts up fine and partially replicates to my other 4 DCs.  Can
someone tell me the best steps to restore this file?  This particular DC is
also the FSMO holder.  I was considering transferring the role temporarily,
demoting and then promoting this DC and having DCPROMO rewrite the NTDS.dit.

Is this suicide?  Thanks in advance 

Kevin Atnip 


RE: [ActiveDir] OT: Windows 2003 Shadow Copy

2005-07-04 Thread Rick Kingslan
Jenn,

New to me, I have to admit.  I haven't seen that behavior - nor have I
specifically tested for it, either.  I might be able to look into it a bit
further, if I can find a suitable external.

Now, when you say EMC, are you saying like a SAN or a NAS head?  Or,
something not mentioned?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Sunday, July 03, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Windows 2003 Shadow Copy

 

Is anyone aware of a problem where, if shadow copy is configured on an
external device (such as an EMC disk) and it does not come up before the
shadow copy service, it clears the shadow copies? If so, how can I fix
this? Thanks in advance!

Thanks
Jenn 




RE: [ActiveDir] LegacyExchangeDN

2005-07-04 Thread Rick Kingslan
Steve,

As someone who knows quite a bit about AD and LDAP, but am just now getting
my arms around the Exchange juggernaut (there is so much more to know
than I even imagined; I am awed by Exchange Gurus much like I'm
sure that they are awed by us) I'd wonder if this could be written as such:

Second line, with the comma:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT\, VANESSA

Which is specified in RFC 2253 - Lightweight Directory Access Protocol (v3):
UTF-8 String Representation of Distinguished Names

(http://www.faqs.org/rfcs/rfc2253.html)

And which presents an example of such:

CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB

Dunno - I'm not messing with the Exchange systems today, else I'd try it
out.  Let me know if you make progress.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Monday, July 04, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LegacyExchangeDN

I'm trying to use Exmerge to back up the Exchange store (this is an extra
to a proper store level backup so that we can retrieve odd messages
for people who manage to delete them; I do know that it's not the best
way to do the backup!).

It all works well except for users with a comma in the LegacyExchangeDN
- the mailboxes.txt file created by ExMerge has lines like:

/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=1794
/O=THE COLLEGE OF NORTH WEST LONDON/OU=MAIN/CN=RECIPIENTS/CN=KENT, VANESSA

The first of these backs up OK; the second doesn't. I'm guessing that
it's because of the comma. I could probably find some way of creating
the file so that there were quotes round the whole line, but I'd rather
lose the comma. 

Is there anything which depends on the value of LegacyExchangeDN which
might fall over if I change the values for some accounts (running
Exchange 2003 on Windows 2003, but these accounts started life on
Exchange 5.5/NT4)?

Steve
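Rick's question is whether the backslash escape from RFC 2253 is the right way to keep a comma inside a name. As an added example (not code from the list, ExMerge or Exchange), here is the escaping and splitting that RFC 2253 defines for LDAP distinguished names, run over the RFC's own "Sue\, Grabbit and Runn" example and over the two spellings of the KENT, VANESSA entry. It shows what an unescaped comma does to a splitter that follows the RFC and what the escape changes. Whether ExMerge honours the same escape inside a legacyExchangeDN, which uses a slash-separated X.400-style form rather than an LDAP DN, is not something this example can settle. The function names are my own.

```python
"""RFC 2253 escaping and splitting of LDAP distinguished names.

Added example for the comma question above; it is not code from the list,
ExMerge or Exchange, and it covers LDAP DNs, where RFC 2253 applies.
"""
import string

# Characters RFC 2253 requires to be escaped anywhere in an attribute value.
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would read as a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def _escape_len(s: str, i: int) -> int:
    """Length of the escape starting at s[i] == '\\': 3 for a \\XX hex pair, else 2."""
    pair = s[i + 1:i + 3]
    if len(pair) == 2 and all(c in string.hexdigits for c in pair):
        return 3
    return 2


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings at unescaped commas; escapes are kept verbatim."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            n = _escape_len(dn, i)
            buf.append(dn[i:i + n])
            i += n
        elif ch == ",":
            parts.append("".join(buf).lstrip())
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf).lstrip())
    return parts


def unescape_rdn_value(value: str) -> str:
    """Undo escape_rdn_value, including \\XX hex pairs (bytes of UTF-8)."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            n = _escape_len(value, i)
            if n == 3:
                raw.append(int(value[i + 1:i + 3], 16))
            else:
                raw.extend(value[i + 1].encode("utf-8"))
            i += n
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def rdn_pairs(dn: str) -> list[tuple[str, str]]:
    """Return (attribute, decoded value) for each RDN of a DN."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, raw = rdn.partition("=")
        pairs.append((attr.strip(), unescape_rdn_value(raw)))
    return pairs


if __name__ == "__main__":
    # RFC 2253's own example, then the two spellings from the thread.
    print(rdn_pairs("CN=L. Eagle,O=Sue\\, Grabbit and Runn,C=GB"))
    print(split_dn("CN=KENT, VANESSA,OU=MAIN"))    # unescaped comma: splits in two
    print(split_dn("CN=KENT\\, VANESSA,OU=MAIN"))  # escaped comma: one RDN
```

The round trip through escape_rdn_value and unescape_rdn_value is what a tool that writes and later reads a list of names needs to agree on; a file format that only ever splits on commas, as Steve suspects of mailboxes.txt, has no way to recover the second spelling from the first.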


RE: [ActiveDir] LegacyExchangeDN

2005-07-04 Thread Rick Kingslan
However, seeing joe's reply - go with his suggestion.  He's got a better
instinct for this stuff than I do.  But, strangely, he's not an Exchange whiz
kid either... funny, that.

Rick
