[ActiveDir] Remove invalid PTR records
Does anyone have a script that will walk a DNS Reverse lookup zone and delete invalid records? In my mind, if you read a PTR record and ping the fully qualified host name and it does not answer it could be considered invalid. Laptops, shutdown clients should be o.k. when they boot up. We have an application that uses PTR records to work and we are getting a lot of invalid ones and in some cases duplicate, that causes a bit of a DNS round robin. I've addressed all the best practices for making sure that records are scavenged, etc with Microsoft but it does not help me with the current bad records that would take a while to age.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Remove user rights
Jeff, I spent the time working out all the rights and placing them in the template, this way making all machines uniform.

Mark

-Original Message-
From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
Date: Thu, 4 Aug 2005 18:12:35
To:
Subject: RE: [ActiveDir] Remove user rights

The problem with this method is if I define what accounts/groups can have the access right thru a GPO attached to an OU then it could cause applications that need certain user rights to not function. For instance SMS needs several user rights to function properly but since the sms client is not installed on the baseline until joining the domain then I cannot set this on the baseline. There are other service accounts depending on specialized applications that may need rights that a GPO could pull away. I used the ntrights that Bob suggested in a batch file and it did the trick of pulling the access rights for ASPNET.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, August 04, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove user rights

You could build a security configuration template using the Security templates snap in, then either apply it to your standard image or import it in to a GPO, on the OU where the computers reside.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 04 August 2005 22:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove user rights

Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right.

I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.

Jeff
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Thanks a Lot.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, August 05, 2005 4:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

http://www.microsoft.com/downloads/details.aspx?FamilyID=be596899-7bb8-4208-b7fc-09e02a13696c&DisplayLang=en

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Where can I find this tool for download? I tried to search download.microsoft.com, but couldn't find it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 04, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

If you take the error number passed back it will normally point you to the exact problem. In this case the Server_Info message passed back was 0523. You can use the err.exe tool that can be downloaded from download.microsoft.com or convert the hex number to decimal, your choice to see what error was returned. In this case it is the following:

    V:\tools>err 0523
    # for decimal 523 / hex 0x20b :
      SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL  msaudite.h
    # The security log is now %1 percent full.
    # for hex 0x523 / decimal 1315 :
      ERROR_INVALID_ACCOUNT_NAME  winerror.h
    # The name provided is not a properly formed account name.
    # 2 matches found for "0523"

    V:\tools>net helpmsg 1315
    The name provided is not a properly formed account name.

The first hit is not the one we want as we know this is returned in hex and the second one tells you that you have tried to input an invalid account name as was mentioned below.

So change the sam account name to one that does not contain illegal characters and you should be good to go at least to get past that error.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe "nTSecurityDescriptor" and "objectSid". Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All,

I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

    ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
    dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    userAccountControl: 544
    DisplayName: ZZZGGG, ANGUS
    cn: ZZZGGG, ANGUS
    givenName: ANGUS
    sn: ZZZGGG
    sAMAccountName: ZZZGGG, ANGUS-Test
    ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?

Thanks and Regards,
Mayuresh.
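Added example (not part of the original thread and not code from any poster): a pre-flight check that reads the leading number of a Server_Info string as hex, as Steve describes, and, when it is ERROR_INVALID_ACCOUNT_NAME, checks the sAMAccountName in the entry. The illegal-character set and the 20-character limit are assumptions taken from Microsoft's documentation of the attribute, not from the thread; the function names are hypothetical and the LDIF reader handles plain "attr: value" lines only.

```python
import re

# Win32 code that err.exe reported in the thread; extend the table as needed.
WIN32_NAMES = {0x523: "ERROR_INVALID_ACCOUNT_NAME"}

# Assumption (the thread only says "illegal characters"): the character set
# and user-object length limit Microsoft documents for sAMAccountName.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
SAM_MAX_USER_LEN = 20

SERVER_INFO_RE = re.compile(
    r"^\s*(?P<code>[0-9A-Fa-f]{1,8}):\s*(?P<kind>\w+):\s*"
    r"(?P<dsid>DSID-[0-9A-Fa-f]+),\s*problem\s+(?P<problem>\d+)\s*"
    r"\((?P<text>[^)]*)\),\s*data\s+(?P<data>-?\w+)"
)
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_server_info(message):
    """Split a Server_Info string; the leading number is hex, not decimal."""
    m = SERVER_INFO_RE.match(message)
    if m is None:
        raise ValueError("not a recognised Server_Info string: %r" % message)
    code = int(m.group("code"), 16)
    return {
        "win32_code": code,
        "win32_name": WIN32_NAMES.get(code, "UNKNOWN"),
        "kind": m.group("kind"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "problem_text": m.group("text"),
        "data": m.group("data"),
    }


def parse_ldif_entry(text):
    """Read plain 'attr: value' lines into {attr_lowercase: [values]}.
    Base64 ('::') values and folded lines are not handled."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.strip().partition(":")
        if sep and ATTR_RE.match(attr.strip()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_sam_account_name(name):
    """Report documented-illegal characters and over-length names."""
    bad = sorted({c for c in name if c in SAM_ILLEGAL})
    return {"illegal_chars": bad, "too_long": len(name) > SAM_MAX_USER_LEN}


def diagnose(ldif_text, server_info):
    """Return the decoded error and any sAMAccountName values that explain it."""
    err = parse_server_info(server_info)
    findings = []
    if err["win32_name"] == "ERROR_INVALID_ACCOUNT_NAME":
        for name in parse_ldif_entry(ldif_text).get("samaccountname", []):
            result = check_sam_account_name(name)
            if result["illegal_chars"] or result["too_long"]:
                findings.append((name, result))
    return err, findings


# Entry and error string copied from the original post in the thread.
SAMPLE_LDIF = """\
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
"""
SAMPLE_SERVER_INFO = (
    "0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0."
)

if __name__ == "__main__":
    err, findings = diagnose(SAMPLE_LDIF, SAMPLE_SERVER_INFO)
    print("0x%X (%d) %s" % (err["win32_code"], err["win32_code"], err["win32_name"]))
    for name, result in findings:
        print("sAMAccountName %r: %s" % (name, result))
```

Running the same check in the provisioning pipeline before the LDAP add lets a malformed account name be rejected at the source rather than surfacing as a generic "Invalid argument" from the directory.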
RE: [ActiveDir] OT WEB Hosting
Infovue hosts ActiveDir.org. Dave Rolling runs it and has always been a great help to me. http://www.infovue.net/

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, 5 August 2005 11:09 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT WEB Hosting

ServerIntellect has been nothing but the best for me…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, August 04, 2005 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT WEB Hosting

Completely OT

I would be grateful if anyone could recommend WEB hosting services.

Regards
Peter Jessop
Re: [ActiveDir] Biggest AD Gripes
Check out Dsrevoke.exe: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en

From the docs and stuff..

Dsrevoke is a command-line tool that can be used on domain controllers that are running Windows Server 2003 or Windows 2000 Server to report the existence of all permissions for a specific user or group on a set of OUs in a domain and optionally remove from the DACLs of a set of OUs all permissions specified for a particular user or group. Dsrevoke complements the functionality provided by the Delegation of Control Wizard, which is used to delegate administrative authority, by providing the ability to revoke delegated administrative authority.

If you follow these delegation guidelines, you can use Dsrevoke to easily and reliably undelegate authority. Simply run Dsrevoke in the domain, providing as input the name of the specific security group used to represent the delegated role, and use the /report switch to verify the existence of all explicit permissions for that security group that have been set on all OU objects in the domain. Once you have reviewed the reported permissions, you can use the /remove switch to revoke all permissions granted to that security group, thereby revoking the delegated authority.

spat

- Original Message -
From: "Lamberty, Dave" <[EMAIL PROTECTED]>
To:
Sent: Thursday, August 04, 2005 5:41 PM
Subject: RE: [ActiveDir] Biggest AD Gripes

I would love to see some better tools related to delegation, or rather, 'un-delegation.' It's relatively easy to delegate AD permissions, but somewhat more difficult to remove them (or even view what's been delegated already). Some sort of Delegation Viewer or Un-Delegate tool would be very welcome. Integration with Exchange would be great too. I'm new to Exchange, and it's been challenging for me to figure out what permissions some of the other admin staff really need to manage users' Exchange mailboxes.

--Dave

-Original Message-
From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 8/2/2005 11:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Biggest AD Gripes

So what are everyone's biggest AD Gripes? I am not talking about gripes about things that use AD like GPOs[1] or Exchange or NFS or anything else like that. I mean actual AD really missed the boat because of this that or the other thing. Like

o I dislike that when you defunct an attribute it doesn't purge the information in the directory for that attribute.
o The fact that AD Security policy is managed through a technology dependent on AD and replicates both within AD and the other technology.
o I dislike that there is no true schema delete.
o I dislike the fact that I can't specify which branches of the tree replicate where.
o I dislike the fact that GUIDs are represented in multiple ways in the directory.
o I dislike the implementation of property sets especially since they could be so incredible awesomely cool. Specifically I dislike that an attribute can only be in a single property set.
o I dislike creator/owner on SDs.
o I dislike the lack of configurable business rules.
o I dislike the fact that I can't run multiple domains on a single domain controller.

Etc etc. I have more but let's see what others say. Everyone pipe up. Let's pretend that MS will actually see this, let's further say let's pretend MS AD Developers will see this. What would you tell them if you were sitting in the room with them?

joe

[1] I do not consider GPOs to be part of AD. They are a technology that leverages AD.
Re: [ActiveDir] Pop-up Blocker Settings with GPO's
On Thu, 04 Aug 2005 12:42:22 -0500, "Devan Pala" <[EMAIL PROTECTED]> said:
> Do you know what/where it is?

Computer / Administrative Templates / Windows Components / Internet Explorer / Pop-up allow list. There's another for "turn off pop-up management". It's the allow list that wasn't populating for us. Let me know if you can get it to work.

RM
RE: [ActiveDir] OT WEB Hosting
I’ve used Intermedia.net and interland.net for web hosting; and have recently gone the route of a dedicated SERVER at godaddy.com b/c the rate was unbelievable. Very happy with all 3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, August 04, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT WEB Hosting

ServerIntellect has been nothing but the best for me…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, August 04, 2005 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT WEB Hosting

Completely OT

I would be grateful if anyone could recommend WEB hosting services.

Regards
Peter Jessop
RE: [ActiveDir] Biggest AD Gripes
Please note that this is EXTREMELY inefficient though and queries like this will often timeout unless you disable the timeout or extend it considerably. AD doesn't do a great job with query filters that have the wildcard anywhere but at the end of the search string. This can be corrected with tuple indexing in K3 but should only be done if you really do it a lot as it is an expensive index.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 04, 2005 11:43 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

although not available it is possible to use it! for that you need to use a custom search and enter your own LDAP query string

for example to search user accounts that contain MINI in their samaccountname use the following:

(&(objectCategory=person)(objectClass=user)(samAccountName=*MINI*))

In a domain this would return the administrator user account

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 8/4/2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hi Jorge,

Hey, thanks for pointing that out! It seems a little "backdoorish" but it'll work. Any idea why the operator "contains" is not available?

Mike Thommes

Ps. joe, don't ever go GUI! LOL!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 04, 2005 9:02 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I'm not sure if I understand what you say, but if you define a query in the Saved Queries node and run it, you are able to export the result to a textfile by right-clicking the query and selecting 'Export List'

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Peter Johnson
Sent: Thu 8/4/2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :)

You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 04 August 2005 12:53
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too.

Deleting and undeleting features are definitely well over due.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes.

A nicer tool for deleting orphan/linger objects would be nice.

Thanks,
Todd
RE: [ActiveDir] Biggest AD Gripes
LOL. If I do GUI, I will try hard to make it as flexible and functional as my command line tools. I have some MCS friends who bug me about making a GUI version of adfind every time I see them. Until I started working a lot with Exchange I had no use for a GUI for AD. Once I started playing with Exchange I found myself pulling out LDP and using that occasionally due to all of those extremely nasty DNs in the config container related to Exchange. It was extremely obvious when I was spinning up on the Exchange stuff that the MS Exchange people really didn't know what the command line was. If they were aware of it and used it, I think the structures would all look considerably different. In general when I look at a customers AD for the first time I can get a decent impression on whether they are GUI admins or CLI admins based on the layout and "feel" of the directory. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, August 04, 2005 11:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Hi Jorge, Hey, thanks for pointing that out! It seems a little "backdoorish" but it'll work. Any idea why the operator "contains" is not available? Mike Thommes Ps. joe, don't ever go GUI! LOL! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 04, 2005 9:02 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes I'm not sure if I understand what you say, but if you define a query in the Saved Queries node and run it, you are able to export the result to a textfile by right-clicking the query and selecting 'Export List' Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Peter Johnson Sent: Thu 8/4/2005 3:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes If we are going to include gripes with the tools how about this one? 
I might be opening myself up to abuse due to not knowing how to do something but here we go :) :) You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 04 August 2005 12:53
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too. Deleting and undeleting features are definitely well over due.
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes. A nicer tool for deleting orphan/linger objects would be nice.
Thanks, Todd
RE: [ActiveDir] Biggest AD Gripes
Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse, any port can be used... If all machines are part of a domain or forest, you could set up policies to block the running of the ADAM binaries I guess. I like AD/AM more from the standpoint that I think it can hint as to where AD will go. What is the largest Enterprise deployment of NDS that anyone has seen? I haven't seen anything larger than say 5000 or so users, it seems that the management got too difficult even at that level, but then I never looked really close at it, so possibly the admins and designers involved weren't that great. I certainly have never heard of any 100k globally distributed NDS implementations.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 11:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

Re ADAM: I am unsure about this technology. I can handle multiple instances of an AD database which all provide a common service, but ADAM *could* lead to anarchy, where anyone can fire up an instance of their own home grown directory. That thought scares me and right now I do not know how a large org would manage such a scenario. I'd prefer to keep control, but have a more elegant and modular way to patch the various components which exist throughout the infra.

Re your last para:
1. NDS was simpler to design IMHO and thus never attracted large design rates
2. AD has greater penetration, as you say and so demand is thus greater.
3. Directories themselves have a much larger scope today than they ever did. Compare NT and what we did with it vs AD and what we do with that.
A good architect who can "juggle" all the necessary directory "balls" can demand a better rate than someone who merely installs a few NT domains and WINS servers [no disrespect intended - I was once in the latter category myself]
4. I haven't supported Netware/NDS for 10 years, so cannot reap those benefits that the admins may realise one day :) [I doubt that day will ever come, however.]
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 15:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

No worries, probably the fault of my reading versus your writing. I have been known to have trouble reading English which is why I tend to write more than read. :o) Yes absolutely on the modular piece. I completely agree on this direction as well and exactly what I argued for with them. Personally, I look at AD/AM with great hope as to what it can eventually become, it could be the way to get to that without having to drag everyone there. People just jump to some AD/AM like system at some point when they want to and leave legacy behind but still have AD for some time available to anyone not ready. Agreed on well worth it. The last comment I find interesting. Is the earnings based on the relatively low penetration of NDS or simply NDS folks are just paid less? I would expect, if NDS marketshare gets to even lower points, that NDS admins would start to fetch bonus pay.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 4:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

What you state in the first para is what I was trying to say, but obviously not eloquently enough :) I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.
Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may "scare" MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy. Local SAM - large changes needed yes, but I think they are *well* worth it :) I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is a people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, peopl
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
FYI If nTSecurityDescriptor isn't specified, the system will insert the defaultSD from the schema for the objectclass. objectSid can't be specified, the system will set it to what it wants to set it to. The issue is definitely with the sAMAccountName attribute. I admit the first two can be a bit confusing. Even though the schema says something is mandatory, AD may not actually require you to specify it. This makes the schema less than a perfect source of info for AD for determining what you need for new objects as well as what you can and can't do. Other examples are length of sAMAccountName and the fact that even though the schema says description is multivalued, it actually is single values on certain SAM objects. There are other examples. It means your programs have to have special hard coded routines for certain pieces or you have to maintain in your head certain special rules for special things.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe "nTSecurityDescriptor" and "objectSid". Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All, I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error.
The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?
Thanks and Regards, Mayuresh.
RE: [ActiveDir] OT WEB Hosting
ServerIntellect has been nothing but the best for me…
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Thursday, August 04, 2005 5:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT WEB Hosting

Completely OT I would be grateful if anyone could recommend WEB hosting services.
Regards Peter Jessop
[ActiveDir] DCs and Certificate Expirations
Guys, I have been tasked with creating a report showing the certificate expirations for every DC in each of the forests we support. I'm doing some digging through the literature, but thought if anyone had something that already worked, I'd check here first. If not, any advice on the best resources to check would be very helpful! Thanks in advance, Scott
RE: [ActiveDir] Remove user rights
The problem with this method is if I define what accounts/groups can have the access right thru a GPO attached to an OU then it could cause applications that need certain user rights to not function. For instance SMS needs several user rights to function properly but since the sms client is not installed on the baseline until joining the domain then I cannot set this on the baseline. There are other service accounts depending on specialized applications that may need rights that a GPO could pull away. I used the ntrights that Bob suggested in a batch file and it did the trick of pulling the access rights for ASPNET.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, August 04, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove user rights

You could build a security configuration template using the Security templates snap in, then either apply it to your standard image or import it in to a GPO, on the OU where the computers reside.
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 04 August 2005 22:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove user rights

Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.
Jeff
RE: [ActiveDir] Remove user rights
Thanks that did the job.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, August 04, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove user rights

NTRIGHTS will probably do it for you. http://support.microsoft.com/?kbid=315276

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, August 04, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove user rights

Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.
Jeff
RE: [ActiveDir] Remove user rights
You could build a security configuration template using the Security templates snap in, then either apply it to your standard image or import it in to a GPO, on the OU where the computers reside.
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 04 August 2005 22:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove user rights

Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.
Jeff
RE: [ActiveDir] Remove user rights
NTRIGHTS will probably do it for you. http://support.microsoft.com/?kbid=315276

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, August 04, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove user rights

Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.
Jeff
[ActiveDir] Remove user rights
Is there a way thru script to remove an account's user rights from a local policy on a machine without affecting other accounts or groups that have that same right? For instance. Ensure that ASPNET account does not have login as a service, login as batch job user rights. But I don't want to affect any other accounts that may have that right. I know I could go in and manually edit the local policy but looking to do this in a batch file or something so I can ensure that all drives are built the same.
Jeff
RE: [ActiveDir] OT:Windows Installer Errors
"The Windows Installer service could not be accessed" is the error message I am getting in the application log. I have tried http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q315346 with no luck.
Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, August 04, 2005 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:Windows Installer Errors

I have two Windows 2000 Pro SP4 computers that when trying to install CA Etrust through GPO fail with warnings that the Windows Installer cannot access the server and that the Windows Installer cannot find registry stuff and so forth. Has any one else ever experienced this?
Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
[ActiveDir] OT:Windows Installer Errors
I have two Windows 2000 Pro SP4 computers that when trying to install CA Etrust through GPO fail with warnings that the Windows Installer cannot access the server and that the Windows Installer cannot find registry stuff and so forth. Has any one else ever experienced this?
Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Thanks a lot. I'll try this out and get back to you with the results.
Best Regards, Mayuresh.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 04, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

If you take the error number passed back it will normally point you to the exact problem. In this case the Server_Info message passed back was 0523. You can use the err.exe tool that can be downloaded from download.microsoft.com or convert the hex number to decimal, your choice to see what error was returned. In this case it is the following:

V:\tools>err 0523
# for decimal 523 / hex 0x20b :
  SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL    msaudite.h
# The security log is now %1 percent full.
# for hex 0x523 / decimal 1315 :
  ERROR_INVALID_ACCOUNT_NAME    winerror.h
# The name provided is not a properly formed account name.
# 2 matches found for "0523"

V:\tools>net helpmsg 1315
The name provided is not a properly formed account name.

The first hit is not the one we want as we know this is returned in hex and the second one tells you that you have tried to input an invalid account name as was mentioned below. So change the sam account name to one that does not contain illegal characters and you should be good to go at least to get past that error.
Thanks, -Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe "nTSecurityDescriptor" and "objectSid".
Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All, I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?
Thanks and Regards, Mayuresh.
Re: [ActiveDir] Pop-up Blocker Settings with GPO's
Do you know what/where it is? Thanks,

Original Message Follows
From: "RM" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Pop-up Blocker Settings with GPO's
Date: Thu, 04 Aug 2005 09:52:26 -0700

On Thu, 04 Aug 2005 10:30:22 -0500, "Devan Pala" <[EMAIL PROTECTED]> said:
> Hi all,
>
> Is it possible to modify the pop-up blocker sites exception list to
> allow pop-ups from sites through a GPO?

It's supposed to be. The GPO settings exist. Our workstations aren't paying attention to them, though.
RM
RE: [ActiveDir] Branch Office Question
so, your network is not fully routed? is auto site link bridging enabled or disabled. If it is enabled, disable it! To do so:
* start sites and services
* go to Inter site transports
* right click IP and uncheck "bridge all site links"
wait until this has replicated to the other DCs
Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Thu 8/4/2005 6:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Branch Office Question

Hi - Ok. Finally, one of my questions is ON topic ;-) I have three branch office sites that connect to a single hub. VPN connectivity, Site links, and connection objects only allows each branch to see the hub. Replication is working smoothly and consistently. Yet, I am still seeing repeated errors in the Event Viewers of the branches complaining that they cannot see one another. The options offered in the errors all seem to point to trying to get the branches to see one another (e.g., "publish sufficient site connectivity information..."). I want to tell it not to look for the other branches at all. Specifically, I see:

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 7/29/2005
Time: 11:45:08 AM
User: N/A
Computer: BRANCHDC1

Event Type: Error
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1311
Date: 7/29/2005
Time: 11:45:08 AM
User: N/A
Computer: BRANCHDC1

Thanks. -- nme
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
If you take the error number passed back it will normally point you to the exact problem. In this case the Server_Info message passed back was 0523. You can use the err.exe tool that can be downloaded from download.microsoft.com or convert the hex number to decimal, your choice to see what error was returned. In this case it is the following:

V:\tools>err 0523
# for decimal 523 / hex 0x20b :
  SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL    msaudite.h
# The security log is now %1 percent full.
# for hex 0x523 / decimal 1315 :
  ERROR_INVALID_ACCOUNT_NAME    winerror.h
# The name provided is not a properly formed account name.
# 2 matches found for "0523"

V:\tools>net helpmsg 1315
The name provided is not a properly formed account name.

The first hit is not the one we want as we know this is returned in hex and the second one tells you that you have tried to input an invalid account name as was mentioned below. So change the sam account name to one that does not contain illegal characters and you should be good to go at least to get past that error.
Thanks, -Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe "nTSecurityDescriptor" and "objectSid". Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All, I am using a meta directory to push mailbox users into active directory.
I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?
Thanks and Regards, Mayuresh.
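The two checks discussed in this thread, as an added example that is not from any poster or from Microsoft: it reads the leading field of Server_Info as a hex Win32 error code and pre-checks sAMAccountName before the add is attempted. The function names are hypothetical; the character set and the 20-character user limit are the restrictions Microsoft documents for sAMAccountName, and the sample entry and result are the ones posted above.

```python
import re

# Characters Microsoft documents as not allowed in sAMAccountName.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
# SAM enforces 20 characters for user objects even though the schema range is
# larger (the "length of sAMAccountName" case mentioned in the thread).
SAM_USER_MAX = 20

# Only the code this thread decodes (winerror.h); extend as needed.
WIN32_NAMES = {1315: "ERROR_INVALID_ACCOUNT_NAME"}

SERVER_INFO_RE = re.compile(
    r"(?<![0-9A-Za-z])(?P<code>[0-9A-Fa-f]{1,8}):\s*(?P<kind>\w+):\s*"
    r"(?P<dsid>DSID-[0-9A-Fa-f]+),\s*problem\s+(?P<problem>\d+)\s*"
    r"\((?P<text>[^)]*)\),\s*data\s+(?P<data>-?\d+)"
)


def decode_server_info(message):
    """Split a Server_Info diagnostic and read its first field as hex.

    Reading "0523" as decimal 523 gives the unrelated audit message that
    err.exe lists first; the field is hex, so 0x523 = 1315 is the real code.
    """
    m = SERVER_INFO_RE.search(message)
    if m is None:
        raise ValueError("not a Server_Info diagnostic: %r" % message)
    win32 = int(m.group("code"), 16)
    return {
        "hex": "0x%x" % win32,
        "win32": win32,
        "name": WIN32_NAMES.get(win32, "unknown"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "text": m.group("text"),
        "data": int(m.group("data")),
    }


def parse_entry(text):
    """Parse 'attribute: value' lines into {lowercased attribute: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_sam_account_name(name, max_len=SAM_USER_MAX):
    """Return a list of reasons the directory would reject this name."""
    if not name:
        return ["empty"]
    problems = []
    bad = sorted(set(name) & SAM_ILLEGAL)
    if bad:
        problems.append("illegal character(s): " + " ".join(bad))
    if len(name) > max_len:
        problems.append("%d characters, limit is %d" % (len(name), max_len))
    return problems


def triage(server_info, entry_text):
    """Decode the error and, for an invalid account name, say why."""
    info = decode_server_info(server_info)
    findings = []
    if info["name"] == "ERROR_INVALID_ACCOUNT_NAME":
        for sam in parse_entry(entry_text).get("samaccountname", [""]):
            findings += check_sam_account_name(sam)
    return info, findings


# Entry and result as posted in this thread.
POSTED_ENTRY = """
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: user
userAccountControl: 544
cn: ZZZGGG, ANGUS
sAMAccountName: ZZZGGG, ANGUS-Test
"""
POSTED_RESULT = ("Server_Info='0523: SysErr: DSID-031A0FB2, "
                 "problem 22 (Invalid argument), data 0.'")

if __name__ == "__main__":
    info, findings = triage(POSTED_RESULT, POSTED_ENTRY)
    print(info["hex"], info["win32"], info["name"])
    print(findings)
```

Running the same check on every entry before the meta directory submits it turns a server-side "Invalid argument" into a specific, per-attribute message on the sending side.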
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe "nTSecurityDescriptor" and "objectSid". Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All, I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?
Thanks and Regards, Mayuresh.
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Your samAccountName has a comma in it. I don't think that's allowed.

-Andrew

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 04, 2005 12:41 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All, I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test

ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?

Thanks and Regards,
Mayuresh.
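The reply above points at the comma in sAMAccountName. The following is an added example, not part of the thread and not code from any poster: a pre-flight check that a provisioning job could run over LDIF before pushing entries to AD. The function names are hypothetical, the rejected character set and the 20-character limit for user objects follow Microsoft's SAM-Account-Name attribute documentation, and the sample LDIF is constructed from the entry quoted in the thread plus one clean entry.

```python
import base64

# Characters AD rejects in sAMAccountName, per Microsoft's SAM-Account-Name
# attribute documentation:  " / \ [ ] : ; | = , + * ? < >
INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_USER_SAM_LEN = 20  # limit for user objects (pre-Windows 2000 logon name)

# Constructed sample: the entry quoted in the thread plus one clean entry.
SAMPLE_LDIF = """\
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test

dn: cn=YYYHHH,OU=test,DC=gepurbsres01,DC=net
objectClass: user
sAMAccountName: yyyhhh
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of {attr_lower: [values]} dicts.

    Handles RFC 2849 line folding (continuation lines start with one space),
    comment lines, and base64 values introduced by '::'.
    """
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    records, current = [], {}
    for line in lines + [""]:          # the trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):      # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def check_sam_account_name(name):
    """Return a list of problems with a user sAMAccountName (empty if none)."""
    problems = []
    if not name:
        problems.append("empty")
    bad = sorted(set(name) & INVALID_SAM_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    if len(name) > MAX_USER_SAM_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_USER_SAM_LEN}")
    return problems


def preflight(ldif_text):
    """Return {dn: [problems]} for user entries that fail the check."""
    findings = {}
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "user" not in classes:
            continue
        dn = rec.get("dn", ["<no dn>"])[0]
        names = rec.get("samaccountname", [])
        # Policy of this check (an assumption, not an AD rule): the
        # provisioning job must set exactly one sAMAccountName itself.
        if len(names) != 1:
            findings[dn] = [f"expected one sAMAccountName, found {len(names)}"]
            continue
        problems = check_sam_account_name(names[0])
        if problems:
            findings[dn] = problems
    return findings


if __name__ == "__main__":
    for dn, problems in preflight(SAMPLE_LDIF).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

Running the check in the meta directory's export step, before the ADD is attempted, turns the opaque "problem 22 (Invalid argument)" into a named attribute and character.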
Re: [ActiveDir] Pop-up Blocker Settings with GPO's
On Thu, 04 Aug 2005 10:30:22 -0500, "Devan Pala" <[EMAIL PROTECTED]> said:
> Hi all,
>
> Is it possible to modify the pop-up blocker sites exception list to allow
> pop-ups from sites through a GPO?

It's supposed to be. The GPO settings exist. Our workstations aren't paying attention to them, though.

RM
[ActiveDir] Branch Office Question
Hi - Ok. Finally, one of my questions is ON topic ;-) I have three branch office sites that connect to a single hub. VPN connectivity, Site links, and connection objects only allow each branch to see the hub. Replication is working smoothly and consistently. Yet, I am still seeing repeated errors in the Event Viewers of the branches complaining that they cannot see one another. The options offered in the errors all seem to point to trying to get the branches to see one another (e.g., "publish sufficient site connectivity information..."). I want to tell it not to look for the other branches at all. Specifically, I see:

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 7/29/2005
Time: 11:45:08 AM
User: N/A
Computer: BRANCHDC1

Event Type: Error
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1311
Date: 7/29/2005
Time: 11:45:08 AM
User: N/A
Computer: BRANCHDC1

Thanks.
-- nme
[ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
Hi All, I am using a meta directory to push mailbox users into active directory. I am stuck with the following: The adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test

ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?

Thanks and Regards,
Mayuresh.
RE: [ActiveDir] Biggest AD Gripes
Although not available, it is possible to use it! For that you need to use a custom search and enter your own LDAP query string. For example, to search user accounts that contain MINI in their samaccountname use the following:

(&(objectCategory=person)(objectClass=user)(samAccountName=*MINI*))

In a domain this would return the administrator user account.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M. Sent: Thu 8/4/2005 5:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

Hi Jorge, Hey, thanks for pointing that out! It seems a little "backdoorish" but it'll work. Any idea why the operator "contains" is not available?

Mike Thommes

Ps. joe, don't ever go GUI! LOL!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 04, 2005 9:02 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I'm not sure if I understand what you say, but if you define a query in the Saved Queries node and run it, you are able to export the result to a textfile by right-clicking the query and selecting 'Export List'

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Peter Johnson Sent: Thu 8/4/2005 3:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :) You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: 04 August 2005 12:53 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too. Deleting and undeleting features are definitely well overdue.

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 04 August 2005 11:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes. A nicer tool for deleting orphan/linger objects would be nice.

Thanks, Todd
[ActiveDir] Pop-up Blocker Settings with GPO's
Hi all, Is it possible to modify the pop-up blocker sites exception list to allow pop-ups from sites through a GPO? Thanks, Devan.
RE: [ActiveDir] Biggest AD Gripes
Re ADAM: I am unsure about this technology. I can handle multiple instances of an AD database which all provide a common service, but ADAM *could* lead to anarchy, where anyone can fire up an instance of their own home grown directory. That thought scares me and right now I do not know how a large org would manage such a scenario. I'd prefer to keep control, but have a more elegant and modular way to patch the various components which exist throughout the infra. Re your last para: 1. NDS was simpler to design IMHO and thus never attracted large design rates 2. AD has greater penetration, as you say and so demand is thus greater. 3. Directories themselves have a much larger scope today than they ever did. Compare NT and what we did with it vs AD and what we do with that. A good architect who can "juggle" all the necessary directory "balls" can demand a better rate than someone who merely installs a few NT domains and WINS servers [no disrespect intended - I was once in the latter category myself] 4. I haven't supported Netware/NDS for 10 years, so cannot reap those benefits that the admins may realise one day :) [I doubt that day will ever come, however.] neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 04 August 2005 15:01 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes No worries, probably the fault of my reading versus your writing. I have been known to have trouble reading English which is why I tend to write more than read. :o) Yes absolutely on the modular piece. I completely agree on this direction as well and exactly what I argued for with them. Personally, I look at AD/AM with great hope as to what it can eventually become, it could be the way to get to that without having to drag everyone there. People just jump to some AD/AM like system at some point when they want to and leave legacy behind but still have AD for some time available to anyone not ready. Agreed on well worth it. 
The last comment I find interesting. Is the earnings based on the relatively low penetration of NDS or simply NDS folks are just paid less? I would expect, if NDS marketshare gets to even lower points, that NDS admins would start to fetch bonus pay.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Thursday, August 04, 2005 4:41 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

What you state in the first para is what I was trying to say, but obviously not eloquently enough :) I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may "scare" MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.

Local SAM - large changes needed yes, but I think they are *well* worth it :) I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 04 August 2005 02:05 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is a people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, people could be asking for features that AD already has implemented, but not necessarily because they have used AD. Yeah I also like the idea of upgrading AD outside of the OS.
I really tried to push for that in April 2004 at Redmond. There was a mixed response of that will never happen and never say never, that is an interesting idea followed up by would I be willing to pay for AD as a separate product. My response to that was if the price of the OS product went down in a similar way. Of course it also opens up MS to more competition there. Someone else just may come out with an AD like product to run on Windows if it was sold separately and someone knew they had to buy it from someone. Now who could that be? I like the last one too... A machine becomes part of a domain, its local SAM no longer functions. That would be some pretty massive changes though I expect. So what reasons did you come up with to remind yourself why you left NDS? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Wednesday, August 03, 2005 4:31 AM To: 'Acti
RE: [ActiveDir] Biggest AD Gripes
Hi Jorge, Hey, thanks for pointing that out! It seems a little "backdoorish" but it'll work. Any idea why the operator "contains" is not available?

Mike Thommes

Ps. joe, don't ever go GUI! LOL!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 04, 2005 9:02 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I'm not sure if I understand what you say, but if you define a query in the Saved Queries node and run it, you are able to export the result to a textfile by right-clicking the query and selecting 'Export List'

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Peter Johnson Sent: Thu 8/4/2005 3:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :) You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: 04 August 2005 12:53 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too. Deleting and undeleting features are definitely well overdue.

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 04 August 2005 11:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes. A nicer tool for deleting orphan/linger objects would be nice.

Thanks, Todd
[ActiveDir] OT WEB Hosting
For business.
Re: [ActiveDir] OT WEB Hosting
For personal or business hosting?

Phil

On 8/4/05, Peter Jessop <[EMAIL PROTECTED]> wrote:
> Completely OT
>
> I would be grateful if anyone could recommend WEB hosting services.
>
> Regards
>
> Peter Jessop
RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)
Ouch Bad Rick. I haven't spent as much time as I would like with R2. I appreciate you pointing out the schema update, and I'll have to go look at the .ldf to get an idea of what it does. To be honest - I completely missed that.

As to testing and functionality, I highly recommend that anyone looking to implement new functionality into an existing production environment test it. Interaction and co-operation among applications and server components is a funny thing. One should not blindly believe that just because it's a module on top of Win2k3 that it will not have any negative side effects is asking for trouble.

As to DFS-R, I'd have to say that it - too, is the number one on my list of best additions that should have been there a long time ago. I see it as having the potential of solving many problems. However, I've had horrible experiences with DFS, and have high expectations for DFS-R.

Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, August 04, 2005 3:37 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Rick, I agree that R2 adds new functionalities. As we all know R2 is an updated release of the Windows Server OS and it is not mandatory. My opinion is that R2 has some new cool features and my favorite is DFS-R!!!

Update Releases (http://www.microsoft.com/windowsserver2003/evaluation/overview/roadmap.mspx) Update releases integrate the previous major release with the latest service pack, selected feature packs, and new functionality. Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack.
Any additional functionality provided by an update would be optional and thus not affect application compatibility or require customers to re-certify or re-test applications. As you can see above, Microsoft states "Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack" The integration on member servers is easy and straightforward and requires no testing as nothing will be enabled. The integration on DCs and the use of several component (print connections, DFS-R, etc) demand an extension of the AD schema to version 31 so the new objects and attributes are available for "print connections", DFS-R and Unix Identity Management. Some components also demand the installation and use of the new "Microsoft .NET Framework v2".. With this in mind, and for those who want to implement R2, my opinion is to still test and plan it. Especially for the new framework and the schema update. By the way: the R2 schema update does not change the PAS. What are your thoughts on this? Cheers, #JORGE# From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Wed 8/3/2005 11:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes) Guido (and all, really)- You bring up a good point. There seems to be some misconception and misinformation (BTW, no one here is doing the misinformation - just to be clear) around R2. When R2 is installed (or whatever this is going to be called when released - it may be just Windows Server 2003 Release 2 - or it might be something else) it is really a series of modules that ADD FUNCTIONALITY. That's key - it adds functionality. Remember that Rights Management Services when run on Win2k3 really changes nothing in the way that the OS operates and communicates. Functionality of the base doesn't change. 
However, RMS adds functionality and has a very minor impact on AD - which is not a schema change, but a Service Point addition to allow detection and determination of what server(s) is/are running RMS. This is really what you'll see out of R2. ADFS (Active Directory Federation Services) for example, is not going to make a huge change to the underlying OS functions - nor is it going to make a big change to AD. It's going to provide a way to EXTEND AD into a Federated Service for Partner access/auth to a common AuthN mechanism (and much more - but it's not important at the moment). The important thing is that for this release - R2 is a collection of really valuable and cool enhancement that many, many customers have been asking for. However, the point is that they are plug-in modules. It's much like putting new rims, tires, a body kit, a stereo, lowering kit, and a fart can on your Honda. It's still a Honda, but you've added customized pieces to it. Think of R2 as these things for your Honda. (However, you might want R2 much more than you want a 'fart can' or a lowering kit...) As Guido mentions -
RE: [ActiveDir] Replicating AD
can he predict the future now? ;-)

From: [EMAIL PROTECTED] on behalf of Hutchins, Mike Sent: Thu 8/4/2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replicating AD

lol

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, August 04, 2005 7:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replicating AD

Pst Steve, check the date on your machine. You seem to be about 2 months ahead of the rest of us

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Tuesday, October 04, 2005 9:14 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Replicating AD

Ha! Nice response... On another note - GPMC has built in APIs for this and there is a script included with it that will export your OU,groups and users as well as GPO's of course, to an XML file and then you can use that to reimport. I can't recall the name of it right now.. something about an *environment*.vbs

my .02
steve

- Original Message - From: "joe" <[EMAIL PROTECTED]> To: Sent: Wednesday, August 03, 2005 5:44 PM Subject: RE: [ActiveDir] Replicating AD

> I just typed
>
> ldifde
>
> at the command line and it didn't sync my environment, what's wrong
> with it Guido?
>
> :o)
>
> joe
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Tuesday, August 02, 2005 2:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Replicating AD
>
> the ldifde command can do the job for you
>
> /Guido
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
> Sent: Dienstag, 2. August 2005 18:48
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Replicating AD
>
> I'm trying to setup a test AD that's identical to the production AD with the
> same OU structure and user accounts. I'd like to avoid having to manually
> creating them by hopefully finding a tool that would import all those
> object. Does any one know of such a tool?
>
> Antonio
RE: [ActiveDir] Replicating AD
lol

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, August 04, 2005 7:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replicating AD

Pst Steve, check the date on your machine. You seem to be about 2 months ahead of the rest of us

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Tuesday, October 04, 2005 9:14 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Replicating AD

Ha! Nice response... On another note - GPMC has built in APIs for this and there is a script included with it that will export your OU,groups and users as well as GPO's of course, to an XML file and then you can use that to reimport. I can't recall the name of it right now.. something about an *environment*.vbs

my .02
steve

- Original Message - From: "joe" <[EMAIL PROTECTED]> To: Sent: Wednesday, August 03, 2005 5:44 PM Subject: RE: [ActiveDir] Replicating AD

> I just typed
>
> ldifde
>
> at the command line and it didn't sync my environment, what's wrong
> with it Guido?
>
> :o)
>
> joe
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Tuesday, August 02, 2005 2:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Replicating AD
>
> the ldifde command can do the job for you
>
> /Guido
>
> _
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
> Sent: Dienstag, 2. August 2005 18:48
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Replicating AD
>
> I'm trying to setup a test AD that's identical to the production AD with the
> same OU structure and user accounts. I'd like to avoid having to manually
> creating them by hopefully finding a tool that would import all those
> object. Does any one know of such a tool?
>
> Antonio
RE: [ActiveDir] Biggest AD Gripes
I'm not sure if I understand what you say, but if you define a query in the Saved Queries node and run it, you are able to export the result to a textfile by right-clicking the query and selecting 'Export List'

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Peter Johnson Sent: Thu 8/4/2005 3:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :) You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: 04 August 2005 12:53 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps. However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too. Deleting and undeleting features are definitely well overdue.

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 04 August 2005 11:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes. A nicer tool for deleting orphan/linger objects would be nice.

Thanks, Todd
RE: [ActiveDir] Biggest AD Gripes
No worries, probably the fault of my reading versus your writing. I have been known to have trouble reading English which is why I tend to write more than read. :o)

Yes absolutely on the modular piece. I completely agree on this direction as well and exactly what I argued for with them. Personally, I look at AD/AM with great hope as to what it can eventually become, it could be the way to get to that without having to drag everyone there. People just jump to some AD/AM like system at some point when they want to and leave legacy behind but still have AD for some time available to anyone not ready.

Agreed on well worth it.

The last comment I find interesting. Is the earnings based on the relatively low penetration of NDS or simply NDS folks are just paid less? I would expect, if NDS marketshare gets to even lower points, that NDS admins would start to fetch bonus pay.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, August 04, 2005 4:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

What you state in the first para is what I was trying to say, but obviously not eloquently enough :)

I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may "scare" MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.
Local SAM - large changes needed yes, but I think they are *well* worth it :)

I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, people could be asking for features that AD already has implemented, but not necessarily because they have used AD.

Yeah I also like the idea of upgrading AD outside of the OS. I really tried to push for that in April 2004 at Redmond. There was a mixed response of that will never happen and never say never, that is an interesting idea followed up by would I be willing to pay for AD as a separate product. My response to that was if the price of the OS product went down in a similar way. Of course it also opens up MS to more competition there. Someone else just may come out with an AD like product to run on Windows if it was sold separately and someone knew they had to buy it from someone. Now who could that be?

I like the last one too... A machine becomes part of a domain, its local SAM no longer functions. That would be some pretty massive changes though I expect.

So what reasons did you come up with to remind yourself why you left NDS?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 4:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

I always find it quite ironic that those who have never used NDS/Netware always seem to want NDS/Netware features, once they've worked with AD for a period of time :) I have to remind myself why I booted NDS out in preference to NT/AD years ago...

Novell have been offering the vast majority of what is being proposed here for many years and even started to support the equivalent of GPO to Windows devices around 10 years ago too!

I would add a new gripe (which Novell do support and have done since Netware 4) and that is the ability to upgrade the AD (or any other component for that matter) across an enterprise. Naturally, this means that these components need to be more modular, but it would be great if I could upgrade AD from version n to n+1 by simply deploying a file/files across all my DCs and then re-starting AD out of hours (not a server re-start, just a component re-start).

Another gripe (if I may) would be my hate for local accounts. Why do we have / need an AD database and another database on each member server? Again, NDS/eDIR has a better architecture, in that all SPs exist within the directory and none exist on the servers themselves. TCO diminished immediately :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 02 August 2005 23:02
To: ActiveDir@mail.activ
RE: [ActiveDir] Biggest AD Gripes
I sent this request to Microsoft a couple of months ago. I believe they said it was a good idea. We'll see if it ever happens. Having a query without a save is nonsensical.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Thursday, August 04, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :)

You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 04 August 2005 12:53
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps.

However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too.

Deleting and undeleting features are definitely well over due.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes.

A nicer tool for deleting orphan/linger objects would be nice.
Thanks, Todd
RE: [ActiveDir] Replicating AD
Hehe. Very good. I like that.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 03, 2005 10:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replicating AD

I think you forgot /unsafe.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 03, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replicating AD

I just typed

ldifde

at the command line and it didn't sync my environment, what's wrong with it Guido?

:o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, August 02, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replicating AD

the ldifde command can do the job for you

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Dienstag, 2. August 2005 18:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replicating AD

I'm trying to set up a test AD that's identical to the production AD with the same OU structure and user accounts. I'd like to avoid having to manually create them by hopefully finding a tool that would import all those objects. Does anyone know of such a tool?

Antonio
RE: [ActiveDir] Replicating AD
Pst Steve, check the date on your machine. You seem to be about 2 months ahead of the rest of us

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Tuesday, October 04, 2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Replicating AD

Ha! Nice response...

On another note - GPMC has built in APIs for this and there is a script included with it that will export your OU, groups and users as well as GPO's of course, to an XML file and then you can use that to reimport. I can't recall the name of it right now.. something about an *environment*.vbs

my .02

steve

- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, August 03, 2005 5:44 PM
Subject: RE: [ActiveDir] Replicating AD

> I just typed
>
> ldifde
>
> at the command line and it didn't sync my environment, what's wrong with it
> Guido?
>
> :o)
>
> joe
>
> _
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Tuesday, August 02, 2005 2:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Replicating AD
>
> the ldifde command can do the job for you
>
> /Guido
>
> _
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
> Sent: Dienstag, 2. August 2005 18:48
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Replicating AD
>
> I'm trying to set up a test AD that's identical to the production AD with the
> same OU structure and user accounts. I'd like to avoid having to manually
> create them by hopefully finding a tool that would import all those
> objects. Does anyone know of such a tool?
>
> Antonio
RE: [ActiveDir] Biggest AD Gripes
If we are going to include gripes with the tools how about this one? I might be opening myself up to abuse due to not knowing how to do something but here we go :) :)

You can create saved queries in ADUC but there doesn't seem to be a way to export the result of the query from the pop up windows. This would be quite useful even if not as flexible as Joe's amazing utilities.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 04 August 2005 12:53
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps.

However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too.

Deleting and undeleting features are definitely well over due.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes.

A nicer tool for deleting orphan/linger objects would be nice.
Thanks, Todd
RE: [ActiveDir] Group Policy delays
Check the event logs on the ones which are *not* having a problem. It may be that for some reason they are not applying group policies - this will then make them start up quickly (ie "normal" behaviour is slow because of the security profile settings but some machines are skipping them).

Steve

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
> Sent: 03 August 2005 11:12
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Group Policy delays
>
> Hi Neil,
>
> Thanks, some long forgotten security profile settings seem to
> have woken up. Computer policy refresh on each start up so
> why only a subset of users are suffering is still a bit of a
> mystery. Some rethinking of our policies is in order methinks.
>
> Thank you for your help.
>
> Gary
>
> ---
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: 03 August 2005 09:43
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] Group Policy delays
>
> - Are your subnets and sites defined correctly? If not,
> clients may authenticate and process GPOs from DCs across
> slow WAN links.
> - Does your GPO contain lots of registry and/or file
> DACL/SACL settings? This could account for the slow processing.
>
> neil
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
> Sent: 03 August 2005 09:32
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Group Policy delays
>
> Hello,
>
> We have 300 identical Dell GX270's running XP in a 2003
> Active Directory and we are seeing a few (<1%) suffering from
> extremely long logons. The applying computer settings is
> displayed after the user signs in and stays there for some
> 20-30 Mins, during which time the HDD activity light is near
> constantly on. Given a long enough wait the PC then opens
> the desktop and behaves itself.
>
> Having started, the computer can then be re-started and the
> PC starts in a timely fashion with no delay.
>
> The logs show clean, and the long delays can be experienced
> whether or not a change to the Group policy has been
> published. We suspected that it follows a user not shutting
> down cleanly and that some sort of chkdsk may be running
> (scanning a 120GB drive could be expected to take half an
> hour), however we have users who swear blind that they are
> shutting their computers down nicely and still having the
> slow starts.
>
> The Policies that we run are minimal and if it were a screwed
> up policy it would affect all computers as the OU structure
> does not separate the computers.
>
> If anyone has some thoughts for seeking out the root cause I
> would be very grateful.
>
> Cheers
> Gary
RE: [ActiveDir] Biggest AD Gripes
In all fairness, all reg keys can be managed via ADM templates, which can be custom crafted. I for one, have done this from JDP times onward, esp when configuring 3rd party apps.

However, it would be far more elegant if more (Windows) settings were exposed via the out of the box ADM files and hopefully, one day, vendors will supply ADM files for their products too.

Deleting and undeleting features are definitely well over due.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 04 August 2005 11:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes.

A nicer tool for deleting orphan/linger objects would be nice.

Thanks, Todd
RE: [ActiveDir] Biggest AD Gripes
I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes.

A nicer tool for deleting orphan/linger objects would be nice.

Thanks, Todd
[ActiveDir] OT WEB Hosting
Completely OT

I would be grateful if anyone could recommend WEB hosting services.

Regards
Peter Jessop
RE: [ActiveDir] Domain DFS Roots hosted on DC
Very true! However, this will change in R2.. Better delegation etc.

#JORGE#

From: [EMAIL PROTECTED] on behalf of Dan Holme
Sent: Wed 8/3/2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

There's one much bigger issue that may or may not impact you, but is usually 'missed' by folks. That is the delegation of MAINTENANCE OF THE DFS ROOT.

DFS Roots are really, technically and practically, a scope for delegation of administration, as well as a root of a namespace. One should have separate DFS roots whenever separate teams/people will be supporting those roots (i.e. adding/removing/maintaining links).

To maintain a DFS root, you must be delegated permissions to the appropriate object in AD (under the SYSTEM node in ADUC) *and* you **MUST BE AN ADMINISTRATOR OF THE MACHINE ON WHICH THE DFS ROOT TARGET IS HOSTED**

This is a SUPER BIGGIE GOTCHA in your situation, perhaps... because as soon as you host a DFS root target on a DC, you must have Administrators credentials on the DC, which means you 1) have to log on with domain administrator equivalence just to maintain your root (nasty!) and 2) you can only delegate maintenance of the root to folks who are trusted as domain administrators.

Therefore, I always recommend that DFS root targets be hosted on member servers!!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Wednesday, August 03, 2005 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

Correct Neil, I don't want to host data on the DC's, just use them to refer to the actual data hosted on fileservers.

Thanks, Todd

From: Ruston, Neil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 7:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Domain DFS Roots hosted on DC

I agree with your sentiments in principle, but would state that the number of links rather than users is of importance.
Domain and stand alone DFS each have their own limitations so you should ascertain whether domain DFS will meet your requirements, whatever they may be.

I assume DCs would not host links and therefore as you say, would simply refer clients to the correct server. As such, the overhead will be minimal as you say.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: 03 August 2005 12:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain DFS Roots hosted on DC

Hey all,

Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's or having dedicated boxes to host the Domain DFS roots?

Since the root is mainly just doing referrals, my thought is that as long as you have sufficient memory on the DC's it should work. My concern is that since my strategy is to locate all the domain resources through DFS, it might be a lot of overhead to put on the DC's. The other part of my brain thinks since it is basically just referral traffic, it can't be any more overhead than running DDNS.

Thanks, Todd
RE: [ActiveDir] Biggest AD Gripes
What you state in the first para is what I was trying to say, but obviously not eloquently enough :)

I am aware that many of the ppl here have never used NDS so have no clue what it can offer. Hence the irony, that we/they ask for features that Novell offered 12 years ago in Netware 4.

Re the second para - I guess I'm asking that AD be considered a modular, independent app that runs on Windows. As you say, that may "scare" MS somewhat, but it would make AD a lot more palatable and attractive to those who have yet to deploy.

Local SAM - large changes needed yes, but I think they are *well* worth it :)

I have yet to find any good reasons for giving up NDS (except that AD architects earn more than NDS equivalents :))

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 04 August 2005 02:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I am not sure it is people wanting NDS/Netware features as much as it is people wanting certain features that would make their lives easier and it just so happens Novell had come to some of the same conclusions previously on what to add or were bugged for them. A lot of the things being asked for would probably be asked for on other directories as well unless they were already there. And then on the others, people could be asking for features that AD already has implemented, but not necessarily because they have used AD.

Yeah I also like the idea of upgrading AD outside of the OS. I really tried to push for that in April 2004 at Redmond. There was a mixed response of that will never happen and never say never, that is an interesting idea followed up by would I be willing to pay for AD as a separate product. My response to that was if the price of the OS product went down in a similar way. Of course it also opens up MS to more competition there.
Someone else just may come out with an AD like product to run on Windows if it was sold separately and someone knew they had to buy it from someone. Now who could that be?

I like the last one too... A machine becomes part of a domain, its local SAM no longer functions. That would be some pretty massive changes though I expect.

So what reasons did you come up with to remind yourself why you left NDS?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, August 03, 2005 4:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

I always find it quite ironic that those who have never used NDS/Netware always seem to want NDS/Netware features, once they've worked with AD for a period of time :) I have to remind myself why I booted NDS out in preference to NT/AD years ago...

Novell have been offering the vast majority of what is being proposed here for many years and even started to support the equivalent of GPO to Windows devices around 10 years ago too!

I would add a new gripe (which Novell do support and have done since Netware 4) and that is the ability to upgrade the AD (or any other component for that matter) across an enterprise. Naturally, this means that these components need to be more modular, but it would be great if I could upgrade AD from version n to n+1 by simply deploying a file/files across all my DCs and then re-starting AD out of hours (not a server re-start, just a component re-start).

Another gripe (if I may) would be my hate for local accounts. Why do we have / need an AD database and another database on each member server? Again, NDS/eDIR has a better architecture, in that all SPs exist within the directory and none exist on the servers themselves.
TCO diminished immediately :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 02 August 2005 23:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Biggest AD Gripes

I think what a lot of the stuff people are asking for is to take some of the stuff that NDS and eDir already use. Rights and login scripts at ou's and dividing AD as an admin sees fit.

At least that's what it seems like to me but I haven't worked with Novell in about 4yrs.

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)
Rick,

I agree that R2 adds new functionalities. As we all know R2 is an updated release of the Windows Server OS and it is not mandatory. My opinion is that R2 has some new cool features and my favorite is DFS-R!!!

Update Releases (http://www.microsoft.com/windowsserver2003/evaluation/overview/roadmap.mspx)

Update releases integrate the previous major release with the latest service pack, selected feature packs, and new functionality. Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack. Any additional functionality provided by an update would be optional and thus not affect application compatibility or require customers to re-certify or re-test applications.

As you can see above, Microsoft states "Because an update release is based on the previous major release, customers can incorporate it into their environment without any additional testing beyond what would be required for a typical service pack"

The integration on member servers is easy and straightforward and requires no testing as nothing will be enabled. The integration on DCs and the use of several components (print connections, DFS-R, etc) demand an extension of the AD schema to version 31 so the new objects and attributes are available for "print connections", DFS-R and Unix Identity Management. Some components also demand the installation and use of the new "Microsoft .NET Framework v2"..

With this in mind, and for those who want to implement R2, my opinion is to still test and plan it. Especially for the new framework and the schema update.

By the way: the R2 schema update does not change the PAS.

What are your thoughts on this?
Cheers,
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 8/3/2005 11:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

Guido (and all, really)-

You bring up a good point. There seems to be some misconception and misinformation (BTW, no one here is doing the misinformation - just to be clear) around R2.

When R2 is installed (or whatever this is going to be called when released - it may be just Windows Server 2003 Release 2 - or it might be something else) it is really a series of modules that ADD FUNCTIONALITY. That's key - it adds functionality.

Remember that Rights Management Services when run on Win2k3 really changes nothing in the way that the OS operates and communicates. Functionality of the base doesn't change. However, RMS adds functionality and has a very minor impact on AD - which is not a schema change, but a Service Point addition to allow detection and determination of what server(s) is/are running RMS.

This is really what you'll see out of R2. ADFS (Active Directory Federation Services) for example, is not going to make a huge change to the underlying OS functions - nor is it going to make a big change to AD. It's going to provide a way to EXTEND AD into a Federated Service for Partner access/auth to a common AuthN mechanism (and much more - but it's not important at the moment).

The important thing is that for this release - R2 is a collection of really valuable and cool enhancements that many, many customers have been asking for. However, the point is that they are plug-in modules. It's much like putting new rims, tires, a body kit, a stereo, lowering kit, and a fart can on your Honda. It's still a Honda, but you've added customized pieces to it. Think of R2 as these things for your Honda. (However, you might want R2 much more than you want a 'fart can' or a lowering kit...)

As Guido mentions - and rightfully so, the big plumbing pieces aren't coming in until LH Server.
However, THOSE are really going to be worth waiting for.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, August 03, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

actually that's not the case Carlos - even after all DCs are upgraded to R2, SYSVOL is still using the legacy FRS replication mechanism. This won't change before Longhorn.

so it should stay on the list of gripes ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Dienstag, 2. August 2005 23:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

* Using the new DFS-Replication mechanism in R2 for the SYSVOL

This is available AFAIK if all your servers are running R2 :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02 August 2005 09:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD