RE: [ActiveDir] Kinda OT: Advice welcomed
What Deji said.

Document the risks of what is being done, document what you think would be a better and more secure solution, and document what you will need to do on the remainder of your network to compensate for this insecurity (if that's even possible). Then hand it to this person in two forms - email and on paper - that are dated and acknowledged by the recipient. Save all documentation for a later date, as you're probably going to need it.

When you're good at your job and take pride in that fact, it's very easy to take things like this personally...to jump up and down yelling AAAGHH THE STUPID! IT BURNS LIKE FIRE!!! because you know you're right. But it's not personal and you can't treat it as such. Cover yourself and your network by making all concerned parties aware of the risks of the situation; there's not much else you can do...nothing that's professionally acceptable, anyway.

And remember: this is only IT, nobody dies. (Unless you're in a medical/military/whatever line of work in which someone actually -might-, in which case use that as a barometer of how loudly you need to make your objections known.)

- Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 20, 2005 12:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kinda OT: Advice welcomed

You make your disagreement known to the CIO in a corporately-acceptable way - and move on. Chalk it down as one of the things numerous IT personnel encounter on a very regular basis everyday.

Don't take it personal, is what I tell myself.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Fri 8/19/2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

What do you do?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Kinda OT: Advice welcomed
Additionally, document the business costs/issues that arise later down the track (if any). This will allow you to be prepared in case:
a) you need to push back against a similar suggestion down the track
b) this decision ever comes up for discussion again

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
: Sent: Saturday, 20 August 2005 9:13 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kinda OT: Advice welcomed
:
: What Deji said.
:
: Document the risks of what is being done, document what you think would be a better and more secure solution, and document what you will need to do on the remainder of your network to compensate for this insecurity (if that's even possible). Then hand it to this person in two forms - email and on paper - that are dated and acknowledged by the recipient. Save all documentation for a later date, as you're probably going to need it.
:
: When you're good at your job and take pride in that fact, it's very easy to take things like this personally...to jump up and down yelling AAAGHH THE STUPID! IT BURNS LIKE FIRE!!! because you know you're right. But it's not personal and you can't treat it as such. Cover yourself and your network by making all concerned parties aware of the risks of the situation; there's not much else you can do...nothing that's professionally acceptable, anyway.
:
: And remember: this is only IT, nobody dies. (Unless you're in a medical/military/whatever line of work in which someone actually -might-, in which case use that as a barometer of how loudly you need to make your objections known.)
:
: - Laura
:
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
: Sent: Saturday, August 20, 2005 12:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kinda OT: Advice welcomed
:
: You make your disagreement known to the CIO in a corporately-acceptable way - and move on. Chalk it down as one of the things numerous IT personnel encounter on a very regular basis everyday.
:
: Don't take it personal, is what I tell myself.
:
: Sincerely,
: Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
: Microsoft MVP - Directory Services
: www.readymaids.com - we know IT
: www.akomolafe.com
: Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
:
: From: [EMAIL PROTECTED] on behalf of Douglas M. Long
: Sent: Fri 8/19/2005 8:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kinda OT: Advice welcomed
:
: Here's a question for everyone:
:
: Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.
Re: [ActiveDir] ok, last one really
Quick question - what does your script do if the server is offline or can't be accessed for some reason? Does it just go to the next server in the list? How long does it try to connect for?
Thanks

On 8/15/05, Tom Kern [EMAIL PROTECTED] wrote:
So, if I set a DNS addy and then change it or use DHCP to set it, Windows will still keep a phantom reference to it in the registry? Is there a normal procedure to whack it?

On 8/15/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Probably because those addresses are still in the registry and have not been whacked.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/15/2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ok, last one really

This script gives me the client DNS IPs that are there as well as ones that haven't been there in a long time, ones I set and removed a while ago. Why is that?
thanks

On 8/15/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
What, you mean you don't trust my codes? Sheesh! :-p

'Still using the same folder structure and input file as before,
'you will run this AFTER running the previous script
'Code Begins
Const FILEPATH = "C:\MyScripts\"

'Get the input file (one server name per line) and open the report file for append
Set FSO = CreateObject("Scripting.FileSystemObject")
Set fsoFile = FSO.GetFile(FILEPATH & "Server-List.txt")
strFilePath = fsoFile.Path
Set fsoInput = FSO.OpenTextFile(strFilePath, 1)
Set FSOWrite = FSO.OpenTextFile(FILEPATH & "Output.txt", 8, True)

Do While Not fsoInput.AtEndOfStream
    ComputerName = fsoInput.ReadLine
    FSOWrite.WriteLine ComputerName
    Call ChangeDNS_addy(ComputerName)
Loop

FSOWrite.Close
Set FSOWrite = Nothing
Set fsoInput = Nothing
Set fsoFile = Nothing
Set FSO = Nothing

Sub ChangeDNS_addy(ComputerName)
    'On Error Resume Next: if the WMI connection to this server fails, the
    'remaining statements are skipped and the main loop moves on to the next name
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:\\" & ComputerName & "\root\cimv2")
    Set colNetCards = objWMIService.ExecQuery _
        ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
    For Each objNetCard In colNetCards
        'Write each configured DNS server of each IP-enabled adapter, indented under the server name
        If Not IsNull(objNetCard.DNSServerSearchOrder) Then
            For i = 0 To UBound(objNetCard.DNSServerSearchOrder)
                FSOWrite.WriteLine vbTab & objNetCard.DNSServerSearchOrder(i)
            Next
        End If
    Next
    Set colNetCards = Nothing
    Set objWMIService = Nothing
End Sub
'Code Ends

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/15/2005 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ok, last one really

Now how can I write a script or modify that to tell me it worked? Do I need to write a new script to query the client DNS IPs and feed it the same file and spit that out to a text file so I can see it took?
thanks

On 8/14/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Let's say the new DNS servers are 192.168.11.250 and 192.168.11.251.
Let's say you have a folder called Myscripts in C:\.
You create a file called Server-List.txt that contains all your servers' names, listed one per line, and put it in C:\myscripts.
Then you copy the following code, put it in a file and call the file, say, change-dns.vbs.
Off you go.

'Code starts here
Const FILEPATH = "C:\MyScripts\"

'Get the input file (one server name per line)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set fsoFile = FSO.GetFile(FILEPATH & "Server-List.txt")
strFilePath = fsoFile.Path
Set fsoInput = FSO.OpenTextFile(strFilePath, 1)

Do While Not fsoInput.AtEndOfStream
    ComputerName = fsoInput.ReadLine
    Call ChangeDNS_addy(ComputerName)
Loop

Set fsoInput = Nothing
Set fsoFile = Nothing
Set FSO = Nothing

Sub ChangeDNS_addy(ComputerName)
    'On Error Resume Next: an unreachable server is skipped silently and the loop continues
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:\\" & ComputerName & "\root\cimv2")
    Set colNetCards = objWMIService.ExecQuery _
        ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
    For Each objNetCard In colNetCards
        'Replace the DNS server search order on every IP-enabled adapter
        arrDNSServers = Array("192.168.11.250", "192.168.11.251")
        objNetCard.SetDNSServerSearchOrder(arrDNSServers)
    Next
    Set colNetCards = Nothing
    Set objWMIService = Nothing
End Sub
'code ends

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
RE: [ActiveDir] Database Corruption
I'd also look at running hardware diagnostics, particularly on the disk subsystem and controller. No point in restoring or repromoting if there is an unresolved hardware problem.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 8/19/2005 8:18 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Database Corruption

Well the first thing I always recommend is to try an offline defrag as it is possible that the corruption is in an index, i.e. metadata, that can be rebuilt. If the offline defrag fails then restoring from backup or repromoting will be your next step.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, August 19, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Database Corruption

My preferred approach would be to demote the box to member server and re-promote to a domain controller to ensure a good fresh copy of the DIT. YMMV as the specific requirements at your location may prevent this. We have only run into this once early in our AD days and this was the approach we used with good success.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, August 19, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Database Corruption

Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I'm concerned that this may happen again and wasn't able to find anything specific to the error below. Besides calling PSS, any thing else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS.

TIA
-alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description:
NTDS (528) NTDSA: The database page read from the file C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
[ActiveDir] hide an attribute
For those of us still running Windows 2000 AD, how would you hide an attribute from authenticated users? Say you wanted to hide streetAddress or something similar. How would you go about doing this?

Thanks
RE: [ActiveDir] Exchange public folders(OT)
Hi Tom

Not sure about your PF question. It could be a permissions thing. In other words, in addition to the parent folder, the user would need the appropriate permissions on the child folders in order to be able to restore them.

Deleted items are retained in the Exchange private information store, but outside the user's mailbox folder structure. Aside from the dumpster view in the Outlook client, you can use the MFCMAPI tool to view and move/restore deleted items associated with a specific mailbox. More info on MFCMAPI in this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;291794

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, 20 August 2005 8:38 a.m.
To: activedirectory
Subject: [ActiveDir] Exchange public folders(OT)

I had someone delete a PF in Exchange from Outlook which had child folders. We have deleted item retention on the PF store but when he restored the folder, only some of the child folders came back. Is this normal?
Also, where does Exchange actually keep deleted items and is there a way to view it?
I'm running Exchange 2k.
thanks
RE: [ActiveDir] User SIDs...
Yeah this is actually fairly trivial, you just avoid AllocateAndInitializeSid and use GetSidLengthRequired, InitializeSid, and GetSidSubAuthority and you can pretty quickly make up a function to handle up to the max. I recall the first time I saw the function and was confused why AllocateAndInitializeSid was set up that way because it would have been quite easy, probably actually easier, to have specified a subauthority count and array of subauthorities to submit to the API.

In order to properly blow our foot off, we would need to completely manually build the SID structure and exceed 15 subauthorities. Interestingly enough, or I guess the point where our foot would disappear in a mangled mess, would be when the SID structure would get chopped to 15 (or less depending on what was written to the subauth count field) whenever it got passed to anything that used the actual proper mechanisms.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

:o) Right, Joe! They don't come from us, as far as I can tell. If you look at the function AllocateAndInitializeSid(), it is hard coded to 8 sub-authorities. However, the customer in question from the 68 bytes max defined his own function with base level calls and worked around the 8 sub-auths by defining a variable that would accept however many he wanted to input.

Bottom line: WE might give you the instructions on how to blow your foot off, but generally you are expected to supply your own ammo and finger to pull the trigger. :o)

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 19, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell the highest number of RIDs a SID can hold. There is only 1 byte reserved in the first 8 bytes of the SID structure to store the number of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you). Where do these giant SIDs come from? Most AD SIDs I've seen are 24 or 28 bytes (4 or 5 RIDs respectively).

Joe K.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o)

So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is.

And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID???

TIA,
Brad
RE: [ActiveDir] User SIDs...
:o) I wasn't going after you JoeK. I am more against how MS set the terms in MSDN, you are simply using MS's terms for the fields so by the MS book, your post is exactly correct. I also agree that at the bit level, there is no difference between a RID and a subauthority, they are simply a 32 bit portion of an identifier. In the interest of less confusion for those less than comfortable with swimming through winnt.h and reading what the dev guys actually wrote and possibly intended, what I posted was hopefully more in line with how most admins understand it now for easier digest.

Actually I spent a little time yesterday just surfing through a lot of the SID based docs and there is a lot there that is stated in confusing ways, I may spend some time writing the MSDN feedback alias on the issues I saw. It even mentions RIDs greater than 32 bits which isn't really possible from how I understand it and also Dean pinged me on my post mentioning that RIDs are actually limited to 2^30 instead of 2^32 (i.e. 30 bits instead of 32) which I am not surprised by though the field for its representation in a SID is still 32 bits. It is the RID generation side of the house that limits it to 30 bits. A SID with a RID of 32 bits would be entirely valid because it is defined to be so. It is sort of like building a car to do 100 and then other components that the car is dependent upon are only efficient enough to get it to 80. The car can still do 100 fine, just not with the way it is being supplied.

As an aside, I received an offlist response from a trustworthy individual discussing a little bit about the ADAM SIDs and that they are actually an attempt at not having a RID master and use a variation of the GUID generation algorithm to generate the SIDs. That makes sense from what I saw when I first noticed that the ADAM SIDs were odd. I still think my idea of each host of an instance should be a subauthority of the entire instance so it could positively guarantee unique SIDs is better than just producing something that is a best effort unique but hey, it's not my call. I also still like the idea of dumping SIDs and GUIDs entirely for a more OID based space as well. As this person put it, if there was a natural occurrence that caused a failure off the statistical improbability of duplicates that person would be looking for a new job anyway... ;o)

As for your last question, it would be when you are using actual real subauthorities and allowing them to also issue SIDs. For instance say the president of your company can issue SIDs and her SID is S-1-5-21-1. Anything she issues would be S-1-5-21-1-xxx where xxx would be the unique RID within her realm. Now let's say that her VP represented by S-1-5-21-1-10 is VP of Finance and wants to issue her own SIDs so any SID produced by her would be S-1-5-21-1-10-yyy. Then someone under her, say S-1-5-21-1-10-200 wants to issue SIDs of the type S-1-5-21-1-10-200-zzz, etc etc etc. Until you hit 14 subauths (don't forget the 21 is a subauth after the identifier of 5) and then all you can have would be the unique RIDs. Now if you wanted and didn't mind going against the standard, you could create your own Version 2 of the SID and then redefine the rest of the structure so that you use all 8 bits of the subauth field size (versus setting defined max of 15 and using 4 bits) so you now get up to 255 subauths. Or since you are off the standard anyway, you could even say you want the 4 extra bits of subauth count field AND the 4 reserved bits giving you up to 4095 subauths which would be one heck of a large SID buffer. If you were going to do this, I would just say set up your own OID attribute and go from there. In either case, you could say that the VP of Finance was found to be untrustworthy and immediately cancel access to anyone under the S-1-5-21-1-10 level. That would obviously require security to be done a little differently than it is now since it really isn't hierarchical though the original plan seems to have been a hierarchical based plan.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 19, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

LOL! The great irony of this message is that Dean emailed me offline to ask me something about it too and I lamented that I had probably under-engineered my response, but I had assumed that you would come along to clean up my mess. :) I also claim lack of time due to book writing responsibilities and such.

However, aside from my smearing of the distinction between a sub authority and a RID, I believe I was correct from a binary standpoint. The winnt.h structure definition actually doesn't make a distinction between a sub authority and a RID, so I always thought the terms could be used interchangeably. Given that the sub authorities and the RID are both DWORDs that are treated as integers when converted to the SDDL
RE: [ActiveDir] Kinda OT: Advice welcomed
How big is your company? Do you have a security group that doesn't report through the CIO? This is almost certainly unacceptable corporate exposure that your CIO really doesn't have the right to expose the company to on his own in my opinion. This is the kind of thing that I would certainly really push up the ladder hard and would be willing to be terminated for. However, it completely depends on your feelings on the matter. Is it something you would quit over? If not, then it probably isn't something you would want to be fired for and making a stink of it other than simply reporting it to your direct manager is probably not what you want to do.

In your shoes, I would consider locking down the traffic from that address or range of addresses with IPsec or something else under my complete control and report it to my management and security to make a call on what the next steps were. If your company is so small that the CIO is directly tasking you, I expect you don't have a separate security group and you may have very very little recourse other than to talk directly to the CIO and explain the risk he is putting the company in (he told you what to do directly, IMO, that gives you the right to question and explain why you think it isn't right). If he still says full speed ahead, say damn the torpedoes and go with it OR throw up the white flag and move on to bigger and better things. Again, if you don't have a separate security chain, it is a good chance that you have no leverage to fight so you could never "win" so the battle is not very appealing.

Another way of looking at this is if something bad happens, whose ass is up on the firing line? If it is mine, I certainly would make it very clear how bad I thought this was so my rebuttal at the time of the decision to fire or not is "I told you this was stupid". Then again, I am very much about doing the right thing and have enough job security that I am not overly upset about losing a crappy position.

As the others said, that AD and that company isn't yours. But, IMO, it is your job to make sure you speak up when things are not done properly. If not, you are admitting that you were simply hired to push buttons. Our job as admins is to help our management make good decisions and recover from stupid ones as well as implement all of them, smart or stupid.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 19, 2005 11:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

What do you do?
[ActiveDir] Getting the Pre Windows 2000 name for a domain
Hi,

I have a requirement to determine the machines that are currently online for a particular domain. I use the Net View command and give it a domain name such as:

Net View /Domain:DomName

Since I know the fully qualified domain name AAA.BBB.CCC, then I use:

Net View /Domain:AAA

and it normally works. However I have one client that uses a different Pre Windows 2000 name (don't ask me why). I tried the following bit of code to try and programmatically work out the Pre Windows 2000 name:

Dim Sdou As IADs
Dim PropertyValue As Variant
Set Sdou = GetObject("LDAP://DC=AAA,DC=BBB,DC=CCC")
For Each PropertyValue In Sdou.GetEx("Name")
    If PropertyValue <> "" Then
        MsgBox PropertyValue
    End If
Next

but it just returned AAA. So, is there a property in Active Directory that returns the Pre Windows 2000 name? Alternatively, is there any way to determine the machines that are online via AD, rather than via the Net View command?

Alan Cuthbertson