[ActiveDir] Urgent:Access Denied to Password Resets

2005-08-22 Thread Aramide Adebanjo

Hi All,

We have a delegation model we just adopted and part of the
responsibilities handed over to our helpdesk support staff is password
reset of users' accounts. However this delegated right goes off every 48
hrs and I had to redo the delegation again. We have a 2003 domain and I
have searched the technet site to no avail for problems similar to
this. In addition, helpdesk is not prompted to force password change at
next logon...
Any ideas guys..??
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Urgent:Access Denied to Password Resets

2005-08-22 Thread Tony Murray
Could be the AdminSDHolder:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199

..and some words on this from Ulf:

http://msmvps.com/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Tony 

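The mechanism Tony points at can be checked directly. The following is an added example, not code from the thread: it lists the accounts in the delegated OU that SDProp has marked as protected (adminCount=1), tests whether the helpdesk group still holds the "Reset Password" control access right on each of them, and shows what the AdminSDHolder template currently grants that group. The OU name, the group name and the module are assumptions; the GUID is the well-known Reset Password extended right.

```powershell
# Added example (not from the thread). Assumed names: OU=Staff,DC=corp,DC=example and the
# group CORP\HelpDesk. Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=corp,DC=example'   # hypothetical OU the helpdesk is delegated over
$helpdesk = 'CORP\HelpDesk'                 # hypothetical delegated group
$resetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

# 1. Protected accounts: SDProp (on the PDC emulator, every 60 minutes) stamps adminCount=1 and
#    rewrites their security descriptor from AdminSDHolder, which is what undoes a delegation.
$protected = Get-ADUser -SearchBase $ou -Filter 'adminCount -eq 1' -Properties adminCount, memberOf |
    Select-Object SamAccountName, DistinguishedName, @{n = 'Groups'; e = { $_.memberOf -join '; ' }}
$protected | Format-Table -AutoSize

# 2. Does the helpdesk group hold an Allow ACE for "Reset Password" on a given object?
function Test-ResetPasswordAce {
    param([string]$DistinguishedName, [string]$Identity, [guid]$RightGuid)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $RightGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    })
}

foreach ($u in $protected) {
    $has = Test-ResetPasswordAce -DistinguishedName $u.DistinguishedName -Identity $helpdesk -RightGuid $resetPwd
    '{0,-20} helpdesk Reset Password ACE present: {1}' -f $u.SamAccountName, $has
}

# 3. The template SDProp copies from. This should normally show nothing for the helpdesk:
#    adding them here would hand them password resets over every Domain Admin, not just the OU.
$adminSdHolder = 'CN=AdminSDHolder,CN=System,' + (Get-ADDomain).DistinguishedName
(Get-Acl -Path ('AD:\' + $adminSdHolder)).Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk }
```

If step 1 returns accounts, the delegation is not "going off"; those particular users are in a protected group (or were, and still carry adminCount=1 after removal). The least-privilege fix is to take them out of the privileged group or out of the helpdesk's scope, not to widen the AdminSDHolder ACL.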


RE: [ActiveDir] export to csv

2005-08-22 Thread Harjadi, Yandi
You can do it from active directory snap in, right click on the OU
folder, and export list.  If you need additional columns to be exported,
just select from View menu, add/remove columns. Mine is W2K3 AD ...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 20, 2005 2:42 AM
To: activedirectory
Subject: [ActiveDir] export to csv

What's the best utility to export only user objects and attribs like
st, streetAddress, c, email addy, etc.?
Just the human stuff a manager would be interested in?
Could adfind do this?
thanks
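The snap-in export Yandi describes works for one OU at a time. As an added example (not from either poster), the same "human" attribute set can be pulled for a whole subtree and written to CSV; it asks only for directory attributes a manager would want, so the file carries no SIDs, flags or logon data. The OU, output path and attribute list are assumptions. AdFind, which Tom asked about, can do the same job and emit CSV with its -csv switch.

```powershell
# Added example (not from the thread). Assumed: OU=Staff,DC=corp,DC=example and an output path.
Import-Module ActiveDirectory

$ou  = 'OU=Staff,DC=corp,DC=example'    # hypothetical search base
$out = 'C:\Temp\staff-directory.csv'    # hypothetical output file

# Only the people-facing attributes; nothing operational (no objectSid, userAccountControl, lastLogon...).
$attrs = 'givenName', 'sn', 'displayName', 'title', 'department', 'mail',
         'telephoneNumber', 'streetAddress', 'l', 'st', 'postalCode', 'c', 'manager'

Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter 'enabled -eq $true' -Properties $attrs |
    Select-Object -Property (@('SamAccountName') + $attrs) |
    Export-Csv -Path $out -NoTypeInformation -Encoding UTF8

# Same query with AdFind (joe's tool), which writes CSV directly:
#   adfind -b "OU=Staff,DC=corp,DC=example" -f "(&(objectCategory=person)(objectClass=user))" sAMAccountName givenName sn mail streetAddress st c -csv > staff.csv
```

The query needs nothing beyond the read access every domain user already has, so run it as an ordinary account, and treat the output as the personal data it is (the manager attribute in particular is a DN that exposes reporting lines).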



RE: [ActiveDir] User SIDs...

2005-08-22 Thread Smith, Brad
I am going to duplicate the user's account (can't really be bothering them
much more :-) and then remove half the groups they are in and troubleshoot
from there.   There are about 4 groups they have to be in to get this test
working (ie log on locally perms etc) so starting with one group isn't the
easiest route forward.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 August 2005 18:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Well to rule out number of groups or the nesting, start with a single group
and see if it works that way and then slowly back up to what you have that
is failing. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Sorry Ppl.  Contributors to this list are so helpful that I forget that they
aren't quite smart enough to read my mind, they have been able to do
everything else ;-)

The problem is thus: I have a user in a group, which through 4 levels of
nesting is a member of the local administrators group on a server (no
restricted groups or anything, just plain simple addition of the group the
user is in to the local Administrators group).  Call this ServerA.  The
local administrators group is configured in the setting "Impersonate a
client after authentication".  I have set up a web page in IIS (on ServerB)
that attaches to ServerA to perform some folder manipulation (profile and
home directory changes and the like).  It does this using Kerberos to pass
the authentication through.  The page fails, because their Kerberos
authentication fails.  I have added the same user explicitly to the
"Impersonate a client after authentication" setting on ServerA, and presto,
it works.  Just to reiterate, the user is in less than 50 groups, including
nesting results. ServerA and ServerB are both Win2k3.  The domain is all
Win2K DCs, SP3.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

As Dean keeps saying, how about describing the actual problem as you
see/experience it.  Could be something totally different. I'll bet somebody
here would be helpful if they knew what to help with. :)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...


Looks like the PAC is intact, and all SIDs are well within the limit.  This
is done from the user account that is exhibiting the problem.  I am at a
loss on this one now

Tokensz Results:

Name: Kerberos Comment: Microsoft Kerberos V1.0 Current
PackageInfo-MaxToken: 12000

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2081e
Signature Algorithm = -138
Encrypt Algorithm = 23
   Start:8/19/2005 16:19:12
  Expiry:8/20/2005 2:16:44
Current Time: 8/19/2005 16:19:15
MaxToken (complete context)  1790 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

... it still doesn't look quite right, I'm thinking the issuing auth. is 48
bits by itself but I've no recollection as to where I'm getting that from.
If the precise length constraints remain important (following everything
else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

The URL you supplied does not relate to a problem with the length of any one
specific SID, it is describing a problem relating to the overall size of all
of the SIDs that represent the identity of a particular user, i.e. user SID,
group SID, SID history.  This identity information is known as the user's
token (or PAC) and has a supported maximum (which has been steadily
increasing with each iteration of the OS).  Beyond (or in some cases,
approaching) that maximum, many products utilizing the Windows authorization
model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements but since
I don't have the doc. to hand at the moment (though I'm certain you'll find
something through google) I'll offer what I remember of their construct -

Example SID -

S-1-5-21-2123478354-492892223-854245498-1113
   [1]   [2][2]   [2][3]

Breakdown -

[1] = I'm a SID, revision, issuing (or identifier) authority,
sub-authorities and some 

[ActiveDir] Share files

2005-08-22 Thread rubix cube
Hi list,
How can I share a file from a DOS prompt?
It says that Net share is not supported in Windows XP and Windows 2003 family.

What I'm trying to do is write a small file to make home directories
for hundreds of users using mkdir, then set permissions with xcacls,
then share them, so it is all one automated script.

Thanks for any help




[ActiveDir] IIS 6.0 Situation

2005-08-22 Thread Za Vue
My environment:
Windows 2003 AD

IIS 6.0 migration from server 1 to server 2 goes w/out a hitch. Both servers
are Windows 2003 Web Version. Both are member servers. Old server is running
Cold Fusion 4.51 and the new server is running Cold Fusion 7.0. My databases
are very small. 

My problem is: 
For Anonymous Access, I cannot get the pages to load with any other
accounts other than an administrative account. Yes, the IIS account has the
Access from the network right. I am getting a 401.3 ACL access denied. The
anonymous account has read access to the data, checked a few times. Works
fine on the old server and both servers are running in IIS 5.0 Isolation
mode.

THX

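A 401.3 is IIS reporting that the impersonated anonymous identity was refused by the NTFS ACL, so the ACEs to look at are the ones that identity is evaluated against, not just the IUSR_ account's own entry. The following is an added diagnostic, not Za Vue's setup or anything from the thread: it lists, for a requested file and its directory, the Allow and Deny entries for the anonymous account and the groups it belongs to, and says which of them decides the outcome. The web root and account name are assumptions. On Windows 2003 IUSR_<server> is a member of Guests, so a Deny on Guests (a common hardening step) blocks anonymous access even though IUSR_ itself "has read".

```powershell
# Added example (not from the thread). Assumed (hypothetical): file D:\Sites\App\default.cfm and
# anonymous account SERVER2\IUSR_SERVER2. Run on the web server itself.
function Get-AnonymousAceReport {
    param(
        [string]$File,
        [string[]]$Identities = @('SERVER2\IUSR_SERVER2', 'BUILTIN\Guests', 'BUILTIN\Users', 'Everyone')
    )
    # What "read" means for serving a static file: data plus attributes.
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
                [System.Security.AccessControl.FileSystemRights]::ReadAttributes

    $item    = Get-Item -LiteralPath $File
    $targets = @($item, $item.Directory)
    foreach ($t in $targets) {
        $acl  = Get-Acl -LiteralPath $t.FullName
        $hits = @($acl.Access | Where-Object { $Identities -contains $_.IdentityReference.Value })
        $deny = @($hits | Where-Object { $_.AccessControlType -eq 'Deny' })
        $read = @($hits | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readMask) -eq $readMask)
        })
        [pscustomobject]@{
            Path      = $t.FullName
            Owner     = $acl.Owner
            AllowRead = ($read | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            Deny      = ($deny | ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }) -join ', '
            # Deny ACEs are evaluated before Allow ACEs, so one Deny on any identity in the
            # anonymous token is enough to produce 401.3 regardless of what IUSR_ is granted.
            Verdict   = if ($deny.Count) { 'explicit Deny on an anonymous identity -> 401.3' }
                        elseif (-not $read.Count) { 'no Allow Read for any anonymous identity -> 401.3' }
                        else { 'NTFS on this path is fine; check the other files the page opens' }
        }
    }
}

Get-AnonymousAceReport -File 'D:\Sites\App\default.cfm' | Format-List
```

Run it on the new server and the old one and diff the two reports; a migration that copied content with xcopy /O or a restore carries the old server's local IUSR_ SID, which resolves to nothing on the new box and shows up here as an unresolved SID instead of the expected account.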


Re: [ActiveDir] Share files

2005-08-22 Thread ASB
NET SHARE works just fine on my XP and 2003 boxes.

You can also use RMTSHARE from the ResKit.

http://www.ultratech-llc.com/KB/?File=Perms.TXT
http://www.ultratech-llc.com/KB/?File=HomeDirs.TXT


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


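The three-step procedure rubix cube describes (mkdir, set permissions, share) is worth showing end to end, because the permission step is where home-directory scripts usually go wrong: inheriting the parent's ACL leaks other users' access in, and granting the owner Full Control lets them re-ACL the folder for anyone. This is an added example, not code from either poster. It assumes a domain CORP, a root D:\Home, a constructed two-user list, and a server with the SMB cmdlets (Windows Server 2012 or later); on Windows 2003 the share step would be NET SHARE or RMTSHARE as ASB says, and the NTFS part is unchanged.

```powershell
# Added example (not from the thread). Assumed: domain CORP, home root D:\Home, SMB cmdlets.
$domain   = 'CORP'                 # hypothetical
$homeRoot = 'D:\Home'              # hypothetical
$users    = @('jdoe', 'asmith')    # constructed sample input; normally from Get-ADUser or a CSV

function New-HomeDirectory {
    param([string]$Domain, [string]$User, [string]$Root)
    $path = Join-Path $Root $User
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # NTFS: break inheritance (drop the parent's ACEs), then grant exactly three principals.
    # Modify, not Full Control, for the user: they can read/write/delete their files but cannot
    # change permissions or take ownership, so they cannot expose the folder to anyone else.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$User", 'Modify', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $path -AclObject $acl

    # Share: hidden ($) and restricted at the share level too, so NTFS is not the only gate.
    # Sharing with Everyone/Full and "relying on NTFS" is the classic home-dir mistake.
    $share = $User + '$'
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $share -Path $path -FullAccess "$Domain\$User", 'BUILTIN\Administrators' | Out-Null
    }
    [pscustomobject]@{ User = $User; Path = $path; Share = "\\$env:COMPUTERNAME\$share" }
}

$users | ForEach-Object { New-HomeDirectory -Domain $domain -User $_ -Root $homeRoot }
```

The account names must resolve (Set-Acl fails on an unknown principal), so feed the script from the directory rather than from a typed list, and run it from an account that is a local administrator on the file server.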


RE: [ActiveDir] User SIDs...

2005-08-22 Thread Al Mulnick
It sounds like you may want to consider changing your group/access strategy as 
well.  If it takes this long to troubleshoot, I think it's worthwhile to see if 
it can be done better/more simply for future use. 

My $0.04 anyway.


RE: [ActiveDir] OT:Exchange 2003 SP1 bloat: Results

2005-08-22 Thread Douglas M. Long
Thought I would let you know how my experience with this went:

Server 2003 SP1
Exchange 2003 SP1
2 x 2.8GHz HT Xeons
4GB RAM
Direct attached 5 x 73.4GB hard drives, RAID5 (IBM 6M controller)

Both ran with the following syntax: eseutil.exe /d f:\blahblah\DB

DatabaseA was 94GB before defrag
  12GB after defrag
  Time elapsed: 76 minutes

DatabaseB was 20GB before defrag
  14GB after defrag
  Time elapsed: 99 minutes

If there are any stats that I left out that you may find interesting, let me know.

Thanks everyone for your comments and explanations with this. I learned a lot.


RE: [ActiveDir] Kinda OT: Advice welcomed

2005-08-22 Thread al_maurer
All this is good advice, but tends to accept as fact that there is a security risk
involved. You wrote,

  you know nothing about (and for that reason do not trust)

There are really two issues here:

- your CIO is playing AD administrator, and for dealing with that there has been lots
  of good advice
- you don't have all the security facts, so fear the worst consequences

I'd suggest first finding out all you can about this application and its site
because it sounds like you're going to have to deal with it for a long time. If you
approach this as a control issue--well, the CIO is in charge as others have said. If
you approach it wrong, the CIO may think you have a problem with change because this
may be a new application in your environment or something in the business has dictated
handling this in a new way.

I think the real outcome you want is for the CIO to appreciate that he should keep
you informed about changes and that you can help make them happen in a seamless and
secure way. That way you can make his life easier and he won't have to deal with this
sort of thing.

Good luck!

AL
Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com -- Better Administration through Active Directory

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 20, 2005 8:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kinda OT: Advice welcomed
How big is your company? Do you have a security group that doesn't report through
the CIO? This is almost certainly unacceptable corporate exposure that your CIO really
doesn't have the right to expose the company to on his own in my opinion. This is the
kind of thing that I would certainly really push up the ladder hard and would be
willing to be terminated for. However, it completely depends on your feelings on the
matter. Is it something you would quit over? If not, then it probably isn't something
you would want to be fired for and making a stink of it other than simply reporting it
to your direct manager is probably not what you want to do.

In your shoes, I would consider locking down the traffic from that address or range of
addresses with IPsec or something else under my complete control and report it to my
management and security to make a call on what the next steps were. If your company is
so small that the CIO is directly tasking you, I expect you don't have a separate
security group and you may have very very little recourse other than to talk directly
to the CIO and explain the risk he is putting the company in (he told you what to do
directly, IMO, that gives you the right to question and explain why you think it isn't
right). If he still says full speed ahead, say damn the torpedoes and go with it OR
throw up the white flag and move on to bigger and better things. Again, if you don't
have a separate security chain, it is a good chance that you have no leverage to fight
so you could never "win" so the battle is not very appealing.

Another way of looking at this is if something bad happens, whose ass is up on the
firing line? If it is mine, I certainly would make it very clear how bad I thought this
was so my rebuttal at the time of the decision to fire or not is "I told you this was
stupid". Then again, I am very much about doing the right thing and have enough job
security that I am not overly upset about losing a crappy position.

As the others said, that AD and that company isn't yours. But, IMO, it is your job to
make sure you speak up when things are not done properly. If not, you are admitting
that you were simply hired to push buttons. Our jobs as admins are to help our
management make good decisions and recover from stupid ones as well as implement all of
them, smart or stupid.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 19, 2005 11:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know
nothing about (and for that reason do not trust). He then decides on his own that he
will just tell the network guy to open port 389 to one of your production DCs without
consulting, or even mentioning it to you or anyone else that may have something to say
about the security risks. Then he asks you to create a test user account for a junior
admin to test with, and gives the remote site the username and password.

What do you do?
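Whatever the organisational outcome, two technical facts decide how bad the exposure Douglas describes actually is: what the test account can do once it binds, and whether it is only ever used from the hosting site's address. The following is an added example, not code from joe, Al or Douglas, that answers both from the DC: it summarises the account's memberships and risk markers, and pulls logon events for it from the Security log whose source address is not on the allowed list. The account name and the remote address are assumptions; the event IDs are those of Windows Server 2008 and later (on the 2000/2003 DCs in the thread the equivalents were 528/540/529).

```powershell
# Added example (not from the thread). Assumed (hypothetical): test account svc-hostedapp and
# hosting-site address 203.0.113.10. Run on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory
$testAccount = 'svc-hostedapp'
$allowedFrom = @('203.0.113.10')

# (1) What the account is, beyond "a test user": group membership, admin markers, SPNs.
function Get-AccountExposure {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf, adminCount, PasswordNeverExpires,
                                                          PasswordLastSet, LastLogonDate, servicePrincipalName
    [pscustomobject]@{
        Account                  = $u.SamAccountName
        Groups                   = @($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        ProtectedByAdminSDHolder = ($u.adminCount -eq 1)          # should be $false for a test account
        PasswordNeverExpires     = $u.PasswordNeverExpires        # a shared password that never rotates
        PasswordLastSet          = $u.PasswordLastSet
        LastLogonDate            = $u.LastLogonDate
        HasSPN                   = [bool]$u.servicePrincipalName  # an SPN makes it a Kerberoast target
    }
}

# (2) Every success (4624) or failure (4625) for the account from a source not on the allow list.
function Get-LogonsFromUnexpectedSources {
    param([string]$SamAccountName, [string[]]$Allowed, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days); Data = $SamAccountName }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -eq $SamAccountName -and $Allowed -notcontains $data.IpAddress) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                LogonType = $data.LogonType          # 3 = network, which is what an LDAP bind produces
                Source    = $data.IpAddress
                Result    = if ($_.Id -eq 4624) { 'success' } else { "failure $($data.Status)" }
            }
        }
    }
}

Get-AccountExposure -SamAccountName $testAccount | Format-List
Get-LogonsFromUnexpectedSources -SamAccountName $testAccount -Allowed $allowedFrom | Format-Table -AutoSize
```

Any row from the second function is the username and password having left the hosting site, which is the concrete thing to put in front of management; the first function tells you whether that matters a little (Domain Users only) or a lot.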


RE: [ActiveDir] Kinda OT: Advice welcomed

2005-08-22 Thread Douglas M. Long
"That way you can make his life easier and he won't have to deal with this sort of
thing."

Ah, that is the perfect sort of thing for me to say.

Thanks everyone for your comments. I think I was taking it a little personally and
need to get used to business logic. It means a lot to hear advice from people as
knowledgeable and experienced as this list.


RE: [ActiveDir] User SIDs...

2005-08-22 Thread Smith, Brad
That is a good idea, and in my case, would mean re-training (or in some
cases, training for the first time) a team of people, and going through various
hoops and jumps.  I am taking that approach as well as attempting to
troubleshoot this problem.

One thing I would like to clarify for those still following, does the
MaxToken setting of 12000 vs the MaxToken (complete context) 1790 value mean
that group membership is not causing a problem here?


RE: [ActiveDir] Kinda OT: Advice welcomed

2005-08-22 Thread joe



The unknown absolutely is a security risk. It isn't 
safe to assume anything else. Basically it isn't a good case to presume innocent 
until proven guilty because you could find out the guilty verdict too late. Here 
you must, if thinking with a solid security hat on, presume guilty until you 
know enough to grant trust and know where the edge of that trust lies and make 
doubly sure that the tech is bordered in the same spot. This isn't just to 
protect against someone purposely doing something bad to you, but also someone 
accidentally doing something bad to you.

The main security concerns I would have here would be 
information disclosure and denial of service; accidental or purposeful. 
Depending on what Douglas meant by the junior admin comment it could be much 
worse, what rights does this "test" account get and what is it doing in 
production? I expect something like this is more acceptable in smaller companies 
where the overall risk may not be as high, but the larger the company with the 
more sensitive data (such as email addresses of all users[1] as well as 
corporate structure, etc) the more risky this becomes especially if there 
is no formal review of everything end to end to put into place compensating 
controls and to understand the overall process, especially data flow and system 
requirements. I would have to say that in several large orgs I have 
consulted for, the CIO would be stopped dead in his tracks on this until 
the proper complete security and architecture reviews were done. With today's 
information disclosure rules this gets more and more touchy.

I would be far more likely to agree to granting access to 
ADAM or some other LDAP directory that can be properly locked down and any abuse 
of the directory could be easily cordoned off such as abusive queries or 
updates. Any updates that needed to make it back into the main directory would 
be handled by controls I, as the DA, owned and controlled. 

 joe



[1] How much, for instance, are the valid emails of all 
users as well as their titles and reporting structures and departments and 
addresses of a company say like Microsoft or Walmart or GM or Boeing or any of 
the Fortune 100? If a company has 100 or even 1000 people, unless it is a very 
particular company and that info is particularly sought after, the value of that 
info is entirely different from the value of the info in the previous cases. 
Personally I wouldn't mind browsing the organizational structure of a 
company say like IBM[2] and being able to pinpoint specific people to 
email if I chose to. With a full AD dump, it is highly likely that not only 
would you find the official email addresses of all execs but also the secret 
email addresses of the mailboxes many keep for personal and family emails that 
they monitor themselves versus having an assistant manage. I can say from direct 
Fortune 5 experience, the execs treasure those secret email addresses far 
greater than their normal work address. I have been called out of bed more than 
once for issues with those accounts and I never got called out of bed for single 
user issues other than that. 

[2] Because I am an MS MVP I have fairly extensive access 
to Microsoft addresses and information, but then, I have been checked out and 
forced to sign multiple NDAs and accepted into a certain realm of trust. A realm 
of trust with very specific borders, and in fact a year or two ago when it was 
discovered that those borders were not technically enforced as Microsoft 
initially thought, I was quite rapidly booted back out of them due to security 
saying no way. Point being, it wasn't just granted; there was a lot of work put 
into place to understand what needed to be done and what should be 
available.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 22, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kinda OT: Advice welcomed

All this is good advice, but tends to accept as fact that there is a security risk 
involved. You wrote,

you know nothing about (and for that reason do not trust)

There are really two issues here:

- your CIO is playing AD administrator, and for dealing with that there has been lots 
of good advice
- you don't have all the security facts, so fear the worst consequences

I'd suggest first finding out all you can about this application and its site 
because it sounds like you're going to have to deal with it for a long 
time. If you approach this as a control issue--well, the CIO is in charge 
as others have said. If you approach it wrong, the CIO may think you have 
a problem with change because this may be a new application in your environment 
or something in the business has dictated handling this in a new way.

I think the real outcome you want is for the CIO to appreciate that he should keep 
you informed about changes and that you can help make them 

[ActiveDir] Bulk users

2005-08-22 Thread rubix cube
What is the best easiest with most options user creation tool?
I know csvde, ldifde, dsadduser, adduser, 
Anything else?
which one is the most recommended tool?

thank you
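Of the tools named in the question, ldifde and csvde are the ones that scale to bulk creation, and the part that usually goes wrong is the input file rather than the tool. The following is an added example (not code from the list or from Microsoft) that turns a CSV of new users into the LDIF that `ldifde -i` consumes, applying the RFC 2849 rules hand-written files tend to miss: non-ASCII values (accented names) are base64-encoded behind `::`, and lines over 76 characters are folded with a leading space. The domain, OU names and users are constructed sample values; it assumes Python 3.

```python
"""Turn a CSV of new users into LDIF that ldifde can import.

Added example, not the list's own code. Accounts are emitted disabled
(userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE) because
unicodePwd can only be written over an SSL/TLS-protected LDAP session, so
the password is set in a separate step before the account is enabled.
"""
import base64
import csv
import io

BASE_DN = "DC=example,DC=com"   # constructed
UPN_SUFFIX = "example.com"      # constructed
DISABLED_USER = 514             # 512 (NORMAL_ACCOUNT) + 2 (ACCOUNTDISABLE)

# Constructed sample input: one ASCII name, one that needs base64 encoding.
SAMPLE_CSV = """\
sAMAccountName,givenName,sn,ou
jdoe,John,Doe,Sales
mmueller,Michèle,Müller,Engineering
"""


def is_safe(value):
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and the first
    character may not be a space, a colon or '<'."""
    if not value:
        return True
    if any(ord(c) > 127 or c in "\0\r\n" for c in value):
        return False
    return value[0] not in " :<"


def fold(line, width=76):
    """Fold one logical LDIF line; continuation lines start with a space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def attr_line(name, value):
    """'name: value' when safe, otherwise 'name:: <base64 of UTF-8>'."""
    if is_safe(value):
        return fold("%s: %s" % (name, value))
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold("%s:: %s" % (name, encoded))


def user_record(row):
    """One LDIF 'add' record for a user row from the CSV."""
    cn = "%s %s" % (row["givenName"], row["sn"])
    dn = "CN=%s,OU=%s,%s" % (cn, row["ou"], BASE_DN)
    lines = [
        attr_line("dn", dn),
        "changetype: add",
        "objectClass: user",
        attr_line("cn", cn),
        attr_line("sAMAccountName", row["sAMAccountName"]),
        attr_line("givenName", row["givenName"]),
        attr_line("sn", row["sn"]),
        attr_line("displayName", cn),
        attr_line("userPrincipalName",
                  "%s@%s" % (row["sAMAccountName"], UPN_SUFFIX)),
        "userAccountControl: %d" % DISABLED_USER,
    ]
    return "\n".join(lines)


def csv_to_ldif(csv_text):
    """Return LDIF for every CSV row; records are separated by a blank line."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n\n".join(user_record(row) for row in rows) + "\n"


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV))
```

Import the result with `ldifde -i -f newusers.ldf -s <dc> -k` (`-k` continues past "already exists" errors, which makes re-runs safe). Names containing DN special characters such as commas are not escaped here; RFC 4514 escaping would be needed before those reach `user_record`.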


RE: [ActiveDir] Bulk users

2005-08-22 Thread Medeiros, Jose
Active Directory Users and Computers... 

Jose :-)



Re: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Mylo
It'd be interesting to hear what solutions are in place in larger 
enterprise environments (for small remote sites). IMO, the hybrid 
DC/File and Print in one box, for remote sites, sounds nasty because:


1. There's no local SAM, so a 'local' administrator needs to be a 
built-in administrator in AD. I guess that's fine if your domain 
admin = FP admin, but if not...
2. If your file and print server contains loads of local groups etc., 
that becomes part of the AD database. I know that this is less of an 
issue under Win2K3 versus Win2k/NT4, but if you're in a largish 
organisation dealing with 100+ sites, each with a hybrid FAP/DC with 
lots of groups and users that meet this criteria... I guess you wouldn't 
want to add the bloat to your AD if you can avoid it.


Any other reasons?

On the other side, what sort of performance hit do you get 
virtualising... GSX, I get around 50-60% of real life, subject to the 
number of Guests running and server role, and can't afford ESX so can't 
comment :-)


Regards,
Mylo

Seely Jonathan J wrote:


Thanks, Brad.  That is very good to hear.  I also appreciate the tips.
 
JJ



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad

*Sent:* Tuesday, August 09, 2005 3:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

We run multiple DC's on GSX and ESX.  Everything seems to have gone fine 
so far, and MS will give their best endeavours on support. Most of the 
time they don't even ask us if the DC is virtual ;-)
 
Also, ensure that the time sync capability is disabled in the VMWare 
Tools, and that the DC boots up completely before the file and print, 
so that the file and print can authorise itself against it.  Otherwise 
the FP may take up to half an hour (or thereabouts) to realise it can 
now contact a DC for file/print access authorisation.



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of 
*Grillenmeier, Guido

*Sent:* Monday, August 08, 2005 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that 
to be a problem in itself ;-) 
But then again it's only for 10 users and likely ok.  As such, I even 
doubt that SID reissue is much of a problem as this environment is 
likely rather static rgd. new objects in AD ;-)



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *joe

*Sent:* Sonntag, 7. August 2005 00:43
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really 
doesn't have a worry about USN rollbacks but he does have a possible 
concern with SID reissue.
 



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of 
*Grillenmeier, Guido

*Sent:* Saturday, August 06, 2005 5:47 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

Since it's a single domain server I just take ghost snapshots of the 
domain and then backup the files
 
not really a useful approach to backup a DC. Might be ok for FS and 
other roles, but DCs are not really cool with snapshotting and being 
rolled back in time due to the distributed nature of the data they 
store. You could easily cause USN rollback during recovery of a DC 
stored in this fashion (at least SP1 protects the rest of your DCs now 
by turning off in- and out-bound replication and disabling the 
netlogon-service if it finds a DC that has a USN rollback status).
 
But for AD Backup/Restore you'd be much better off to work with normal 
SystemState backup/restore. Which is another reason why it's nice to 
have it on a separate box (virtual or hardware).
 
/Guido



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Matt Brown

*Sent:* Samstag, 6. August 2005 02:47
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and 
since it's just a single server office, and single DC domain... I just 
run everything on the domain controller.  Domain, DNS, File, Print, 
and Accounting Software on the same server... no VM ware... although I 
considered it.  Since it's a single domain server I just take ghost 
snapshots of the domain and then backup the files.
 
Seems to work pretty good, as it's been running solid for about a year 
now.
 


Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/

RE: [ActiveDir] Database Corruption

2005-08-22 Thread Brett Shirley
Both Steve, Hunter's, and your original advice is sound ... I think it is
very likely if you call PSS, they'll tell you to do Steve's, yours, and
Hunter's advice in about that order.

My favorite disk sub-system diagnostics is jetstress, but dedicated disk
sub-system stressers are better, as they try odd patterns of bits that
they know buses, electrical systems, and disks get fouled up on.  Also do
not ignore RAM checkers, that is almost as likely, perhaps even more
likely here.

Do you have ECC or parity memory?  Any events in system or app event log
related to parity memory issues?

BTW, how big is your ntds.dit file?  Is it over 1.5-2.5 GBs?  That
increases the hypothesis of memory issues.

So you have multiple of these events?  If you do, do they always happen
for the same page numbers (pgno) and offsets?  If different, does their
frequency increase?

If you haven't restored it already, I'd be curious if you felt like
sharing, what the page looked like from:
   esentutl /m ntds.dit /p81184 /v
 ... then we could see how bad the header was corrupted.  Also this will
tell you if the page is an Index page, and thus likely to be fixed by an
offline defrag.  If you see primary or long value page, offline defrag
probably won't fix it.

Also get the previous page too (change 81184 to 81183 in the above
command).  But again, only if you feel like sharing.

Cheers,
BrettSh

This posting is provided AS IS with no warranties, and confers no
rights.



On Sat, 20 Aug 2005, Coleman, Hunter wrote:

 I'd also look at running hardware diagnostics, particularly on the
 disk subsystem and controller. No point in restoring or repromoting if
 there is an unresolved hardware problem.
 
   -Original Message- 
   From: [EMAIL PROTECTED] on behalf of Steve Linehan 
   Sent: Fri 8/19/2005 8:18 PM 
   To: ActiveDir@mail.activedir.org 
   Cc: 
   Subject: RE: [ActiveDir] Database Corruption
 
   Well the first thing I always recommend is to try an offline
 defrag as it is possible that the corruption is in an index, i.e.
 metadata, that can be rebuilt.  If the offline defrag fails then
 restoring from backup or repromoting will be your next step.
 
   Thanks,
   -Steve
   _  
 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, 
 Diane
   Sent: Friday, August 19, 2005 6:43 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Database Corruption

   My preferred approach would be to demote the box to member
 server and re-promote to a domain controller to ensure a good fresh
 copy of the DIT.  YMMV as the specific requirements at your location
 may prevent this.  We have only run into this once early in our AD
 days and this was the approach we used with good success.
 
   Diane
   _  
 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex 
 Fontana
   Sent: Friday, August 19, 2005 3:29 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Database Corruption
 
   Started getting the error below a few weeks ago on one of our
 DCs.  My first reaction is to run a non-auth restore from a day before
 this started happening and let replication take care of everything
 else.  Any reason NOT to do this?  I'm concerned that this may
 happen again and wasn't able to find anything specific to the error
 below.  Besides calling PSS anything else I should look into before
 restoring?  This box holds all FSMO roles, Win2k3, server for NIS.
 
   TIA
   -alex

 
   Event Type:   Error
   Event Source:NTDS ISAM
   Event Category: Database Page Cache 
   Event ID:   475
   Date:8/19/2005
   Time:2:00:24 PM
   User:N/A
   Computer: DC
   Description:
 
   NTDS (528) NTDSA: The database page read from the file
 C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for
 8192 (0x2000) bytes failed verification due to a page number
 mismatch.  The expected page number was 81184 (0x00013d20) and the
 actual page number was 2349964126 (0x8c119b5e).  The read operation
 will fail with error -1018 (0xfc06).  If this condition persists
 then please restore the database from a previous backup. This problem
 is likely due to faulty hardware. Please contact your hardware vendor
 for further assistance diagnosing the problem.
 

 
 

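Brett's questions in this thread (does every event hit the same pgno and offset, and is the rate climbing?) are easy to answer mechanically once the Event ID 475 text is parsed. The following is an added example, not code from the thread or from Microsoft: it extracts the offset, length, expected and actual page numbers and the ESE error code from the event description, checks that the offset agrees with the expected page number (ESE keeps its file header in physical page 0, so logical page N starts at `(N + 1) * page_size`; the event Alex posted satisfies this, `(81184 + 1) * 8192 == 665067520`), and groups events by page to report counts and whether the gaps between them are shrinking. The first sample description is the one posted above with its line breaks joined; the repeats and the second page are constructed.

```python
"""Triage NTDS ISAM Event ID 475 (-1018) page verification failures.

Added example, not from the ActiveDir thread. Sample events are constructed.
"""
import re
from datetime import datetime

EVENT_RE = re.compile(
    r"at\s+offset\s+(?P<offset>\d+)\s+\(0x[0-9a-fA-F]+\)\s+for\s+"
    r"(?P<length>\d+)\s+\(0x[0-9a-fA-F]+\)\s+bytes\s+failed\s+verification"
    r".*?expected\s+page\s+number\s+was\s+(?P<expected>\d+)"
    r".*?actual\s+page\s+number\s+was\s+(?P<actual>\d+)"
    r".*?error\s+(?P<error>-?\d+)",
    re.DOTALL,
)


def parse_event(description):
    """Extract offset, length, expected/actual pgno and ESE error code.

    'offset_consistent' is True when the file offset matches the expected
    page number, i.e. the read landed where it should and the page header
    itself is what came back damaged.
    """
    m = EVENT_RE.search(description)
    if not m:
        raise ValueError("not an ESE page verification event")
    rec = {k: int(v) for k, v in m.groupdict().items()}
    # ESE: logical page N lives at file offset (N + 1) * page size.
    rec["offset_consistent"] = rec["offset"] == (rec["expected"] + 1) * rec["length"]
    return rec


def summarize(events):
    """Group (timestamp, description) pairs by expected pgno.

    For each page: how often it failed, whether every event agreed with the
    file offset, and whether the gap between successive events keeps
    shrinking (a rising failure rate points at degrading hardware).
    """
    by_page = {}
    for stamp, description in events:
        rec = parse_event(description)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        by_page.setdefault(rec["expected"], []).append((when, rec))
    report = {}
    for pgno, hits in by_page.items():
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[pgno] = {
            "count": len(hits),
            "offset_consistent": all(h[1]["offset_consistent"] for h in hits),
            "accelerating": len(gaps) >= 2
            and all(later < earlier for earlier, later in zip(gaps, gaps[1:])),
        }
    return report


# The description Alex posted, line breaks joined.
_POSTED = (
    "NTDS (528) NTDSA: The database page read from the file "
    "C:\\WINNT\\NTDS\\ntds.dit at offset 665067520 (0x27a42000) for "
    "8192 (0x2000) bytes failed verification due to a page number mismatch.  "
    "The expected page number was 81184 (0x00013d20) and the actual page "
    "number was 2349964126 (0x8c119b5e).  The read operation will fail with "
    "error -1018 (0xfc06)."
)
# Constructed second page: offset (123456 + 1) * 8192 == 1011359744.
_OTHER = (
    "NTDS (528) NTDSA: The database page read from the file "
    "C:\\WINNT\\NTDS\\ntds.dit at offset 1011359744 (0x3c482000) for "
    "8192 (0x2000) bytes failed verification due to a page number mismatch.  "
    "The expected page number was 123456 (0x0001e240) and the actual page "
    "number was 1234567890 (0x499602d2).  The read operation will fail with "
    "error -1018 (0xfc06)."
)
# Constructed timestamps: the second and third repeats of the posted event
# arrive 24 h and then 6 h apart, so the failure rate is climbing.
SAMPLE_EVENTS = [
    ("2005-08-19 14:00:24", _POSTED),
    ("2005-08-20 14:00:30", _POSTED),
    ("2005-08-20 20:00:00", _POSTED),
    ("2005-08-21 02:00:00", _OTHER),
]

if __name__ == "__main__":
    for pgno, info in sorted(summarize(SAMPLE_EVENTS).items()):
        print(pgno, info)
```

A page whose events are all offset-consistent and repeat at a fixed pgno is the case Brett describes: dump it with `esentutl /m ntds.dit /p<pgno> /v` (and the previous page) to see whether it is an index page that an offline defrag can rebuild. Growing counts across many different pages, or shrinking gaps, argue for the disk and RAM diagnostics before any restore.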


Re: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-22 Thread Al Lilianstrom

Al Lilianstrom wrote:

Steve Linehan wrote:


Unfortunately additional logging for the KDC in Windows 2000 is thin.
This was added in Windows Server 2003 but we are not there.  I really
believe that we are not getting to the Windows 2000 KDC anyway, i.e. the
client is handed back the referral and then failing to resolve the name.
In the referral I assume it is just passing back the generic FQDN for
the Windows 2000 domain and the client is querying for that A record and
getting back a list of all DCs in that domain.  Can you use nslookup to
get a list of DCs and then ensure that they are all reachable from the
clients perspective?  This is assuming that you are getting the same
error as before.



Same error but some new information. It turns out that one of the other 
domain admins rebooted one of the root DCs (in WIN) around 7:00am. The 
scheduled updates from the MIT side worked for a period of time. Once 
they started failing we rebooted that same dc and updates started 
working again.


I didn't mention that we have an empty root (WIN) with the users and 
computers in a child domain (FERMI).


The MIT realm trust is to WIN. I also just found out that a Fermi DC was 
patched and booted before a Win DC was up (another UNIX/AD application 
that had to be up ASAP) so we're thinking the trust isn't stable. We're 
rebooting the other root dc and then we're going to reboot the child DCs 
that the Unix app talks to and see what happens.


The reboot of the parent DCs followed by a reboot of all the child DCs 
resolved the problem.


In retrospect it makes sense but some kind of error or warning somewhere 
in a Windows event log would have been nice.


Thanks again for all the advice.

al


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Steve Linehan wrote:


A network trace from the server getting the error would be helpful.  I
imagine you are not getting past the MIT KDC who should be passing 
back a referral to the Windows KDC.  With a trace from the client we 
can see what is being requested and what errors are returned.




I'm trying to arrange that but the system initiating the query to AD is
in a different division and is not always easy to work with. A check of
our MIT KDC logs looked ok. We see the initial request to the MIT KDC,
another for pre-auth, and then the forwarding to AD.

Is there a way to see something similar to a MIT KDC log in AD? I've
looked for a way to see who is getting tickets and when but have never found
it.

al




Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:



Thanks for all the advice.

Checked our srv records and they returned all the DCs. It was 
resolvable from our MIT/Unix systems.


The strange part is that between 5:30 and 7:15 this morning access 
using MIT credentials started working. I'm searching for a reason as 
to why it happened but no one admits to changing anything.




And strangely enough - 2 hours later they started failing again. This 
is very weird. The Windows event logs are of no help.


Any other ideas?

al




Steve Linehan wrote:




I should clarify that I would not expect the MIT KDCs to be using the
SRV records however we have seen problems where load from Windows 
clients, because we had limited servers actually registering SRV 
records, could cause anomalies.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check
to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below.  It is normally a DNS name 
resolution issue that causes that error.  Can you verify that the 
Windows KDCs can be resolved from the UNIX boxes? Would it be 
possible to get a network trace of the failure?


Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
Lilianstrom

Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k 
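Steve's suggestion in this thread is to use nslookup to enumerate the DCs behind the realm name in the referral and then confirm each one is reachable from the client's side. The following is an added example, not code from the thread: it parses the SRV output that Windows nslookup prints (the `priority = ... / svr hostname = ...` block layout is assumed here) for `_kerberos._tcp.<domain>`, orders the targets the way a client would try them, and TCP-probes each one on its advertised port so the unreachable KDCs are listed explicitly. The nslookup transcript is a constructed sample for a fictional domain; the probe is injectable so the parsing and reporting can be exercised without a network.

```python
"""List the KDCs a realm advertises in DNS SRV records and probe each one.

Added example, not from the ActiveDir thread. SAMPLE_NSLOOKUP is constructed.
"""
import re
import socket

# Constructed transcript of: nslookup -type=SRV _kerberos._tcp.win.example
SAMPLE_NSLOOKUP = """\
Server:  dns1.fermi.example
Address:  10.0.0.53

_kerberos._tcp.win.example      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.win.example
_kerberos._tcp.win.example      SRV service location:
          priority       = 10
          weight         = 50
          port           = 88
          svr hostname   = dc2.win.example
dc1.win.example internet address = 10.0.1.10
dc2.win.example internet address = 10.0.1.11
"""

FIELD_RE = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")


def parse_srv(text):
    """One dict per 'SRV service location' block, sorted the way a client
    tries them: lowest priority first, highest weight next."""
    records, current = [], None
    for line in text.splitlines():
        if "SRV service location" in line:
            current = {"name": line.split()[0]}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "svr hostname":
                current["target"] = value
            else:
                current[key] = int(value)
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; a name that does not
    resolve from this client fails here too, which is the case in the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(records, probe=tcp_probe):
    """Map each advertised KDC target to whether the probe reached it."""
    return {r["target"]: probe(r["target"], r["port"]) for r in records}


def unreachable(records, probe=tcp_probe):
    """Targets DNS advertises that this client cannot reach: exactly the
    condition under which a referral to the Windows realm fails."""
    return sorted(host for host, ok in check_kdcs(records, probe).items() if not ok)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_NSLOOKUP)
    for r in recs:
        print(r)
    print("unreachable:", unreachable(recs))
```

Run it from the UNIX host that receives the referral, feeding it the real nslookup output; any name in the `unreachable` list is a DC the Windows side advertises but the client cannot get to, which is the mismatch that produces the error discussed here without anything appearing in the Windows event logs.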

RE: [ActiveDir] OT:Exchange 2003 SP1 bloat: Results

2005-08-22 Thread Tony Murray



Thanks for posting this Douglas. Any thoughts on why 
the smaller DB (DatabaseB) took longer to defrag than the larger 
one?

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, 23 August 2005 1:50 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat: Results



Thought I would let you know how my experience with this went:

Server 2003 SP1
Exchange 2003 SP1
2 x 2.8GHz HT Xeons
4GB RAM
Direct attached 5 x 73.4GB hard drives, RAID5 (IBM 6M controller)

Both ran with the following syntax:
eseutil.exe /d f:\blahblah\DB

DatabaseA was 94GB before defrag, 12GB after defrag. Time elapsed: 76 minutes.

DatabaseB was 20GB before defrag, 14GB after defrag. Time elapsed: 99 minutes.

If there are any stats that I left out that you may find interesting, let me know.

Thanks everyone for your comments and explanations with this. I learned a lot. 










RE: [ActiveDir] OT:Exchange 2003 SP1 bloat: Results

2005-08-22 Thread joe



Just guessing, but it had more real data; note that it is 2GB bigger than the first when done.





RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard







Re: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Mylo
Thanks Aric, great link! I'd seen the older BOG (2004) but this latest 
one I've missed.
The VS Server is an interesting angle: running the DC on the physical 
machine and the FP element within VS2005 is an option provided the user 
requirements aren't too onerous. The 50-60% I referred to was probably 
on the generous side... and my experience of this has been limited to fairly 
low yield boxes (web servers, app servers), mostly for PoC or cloning 
production environments for testing/troubleshooting and development. 
Incidentally, you mentioned the DL385... does VS2005SP1 include support 
for dual core?


Thanks again,
Mylo



Bernard, Aric wrote:


For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger 
enterprise environments (for small remote sites). IMO, the hybrid 
DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM & so a 'local' administrator needs to be 
built-in administrator in AD.. I guess that's fine if your domain 
admin=FP Admin but if not

2. If your file and print server contains loads of local groups etc... 
that becomes part of the AD database. I know that this is less of an 
issue under Win2K3 versus Win2k/NT4, but if you're in a largish 
organisation dealing with 100+ sites, each with a hybrid FAP/DC & with 
lots of groups and users that meet this criteria... I guess you wouldn't 
want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get 
virtualising... GSX, I get around 50-60% of real life, subject to the 
number of Guests running and server role, and can't afford ESX so can't 
comment :-)


Regards,
Mylo

Seely Jonathan J wrote:

Thanks, Brad.  That is very good to hear.  I also appreciate the tips.

JJ

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
*Sent:* Tuesday, August 09, 2005 3:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

We run multiple DC's on GSX and ESX.  Everything seems to have gone fine 
so far, and MS will give their best endeavours on support. Most of the 
time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMware 
Tools, and that the DC boots up completely before the file and print, 
so that the file and print can authorise itself against it.  Otherwise 
the FP may take up to half an hour (or thereabouts) to realise it can 
now contact a DC for file/print access authorisation.

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Grillenmeier, Guido
*Sent:* Monday, August 08, 2005 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have 

RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
My understanding is that Windows Server 2003 provides full support for
dual core processors and abstracts them, so to speak, from VS2005
insomuch as the application sees two physical processors - so yes; this
is currently not true of ESX until the next point release.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest 
one I've missed.
The VS Server is an interesting angle, running the DC on the physical 
machine and the FP element within VS2005 is an option provided the user 
requirements aren't too onerous. The 50-60% I referred to was probably 
on the generous side... and my experience of this has been limited to fairly 
low yield boxes (web servers, app servers) mostly for PoC or cloning 
production environments for testing/troubleshooting and development. 
Incidentally, you mentioned the DL385... does VS2005SP1 include support 
for dual core?

Thanks again,
Mylo



Bernard, Aric wrote:

For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard





Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain

2005-08-22 Thread SysPro Support
Hi Peter,

It could be NetBiosName that I am looking for. I tried it on my domain, but
it had no value. However that could be because my domain was not built pre
Windows 2000. I will try it on the offending domain and see what it returns.

Alan C

- Original Message - 
From: Peter Jessop [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, August 21, 2005 7:45 PM
Subject: Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain


If I understand you correctly you are looking for the Pre Windows 2000
name of computers (not the domain).
The property name is sAMAccountName.

i.e. in order to find the pre Windows 2000 names of objects in the DDD
OU within domain BBB.CCC the script would be:

' Bind to the OU and print each child object's name next to its
' sAMAccountName (the pre Windows 2000 name)
Set objContainer = GetObject("LDAP://ou=DDD,dc=BBB,dc=CCC")
For Each objComputer In objContainer
    WScript.Echo objComputer.Name & vbTab & objComputer.sAMAccountName
Next

The pre Windows 2000 name of the domain has a property called nETBIOSName.
Regards

Peter Jessop


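The detail that trips people up in the exchange above is where nETBIOSName lives: it is not an attribute of the domainDNS head object (which is why reading it "on my domain" returns nothing) but of the domain's crossRef object under CN=Partitions,CN=Configuration of the forest root. The following is an added example, not code from the thread; it resolves any object DN to its pre-Windows 2000 domain name from the crossRef records, preferring the deepest matching naming context so child domains resolve correctly. The crossRef records, domain names and DNs are constructed samples standing in for the results of the LDAP search named in the constants.

```python
"""Resolve the pre-Windows 2000 (NetBIOS) domain name for any AD object DN.

Added example (not from the thread). nETBIOSName is stored on the domain's
crossRef object under CN=Partitions,CN=Configuration,<forest root DN>, not
on the domainDNS object itself. The records below are constructed sample
crossRef entries standing in for a real search with PARTITIONS_FILTER.
"""

# Search to run against a live forest. The base is the Partitions container
# of the forest root's Configuration partition, never the domain head.
PARTITIONS_FILTER = "(&(objectClass=crossRef)(nETBIOSName=*))"
PARTITIONS_BASE_TEMPLATE = "CN=Partitions,CN=Configuration,{forest_root_dn}"

# Constructed sample records, in the shape that search returns.
SAMPLE_CROSSREFS = [
    {"nCName": "DC=BBB,DC=CCC", "dnsRoot": "bbb.ccc", "nETBIOSName": "BBB"},
    {"nCName": "DC=child,DC=BBB,DC=CCC", "dnsRoot": "child.bbb.ccc",
     "nETBIOSName": "CHILD"},
    # Configuration/Schema crossRefs carry no nETBIOSName and must be skipped.
    {"nCName": "CN=Configuration,DC=BBB,DC=CCC", "dnsRoot": "bbb.ccc"},
]


def split_rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas, and
    lower-case each RDN so comparisons are case-insensitive."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def netbios_name_for_dn(object_dn, crossrefs):
    """Return the NetBIOS name of the domain containing object_dn, or None.

    The crossRef whose nCName is the longest RDN suffix of the DN wins, so a
    child domain (child.bbb.ccc) takes precedence over its parent (bbb.ccc).
    """
    rdns = split_rdns(object_dn)
    best_name, best_len = None, 0
    for ref in crossrefs:
        name = ref.get("nETBIOSName")
        if not name:
            continue
        nc = split_rdns(ref["nCName"])
        if len(nc) <= len(rdns) and rdns[-len(nc):] == nc and len(nc) > best_len:
            best_name, best_len = name, len(nc)
    return best_name


def pre_windows_2000_logon_name(object_dn, sam_account_name, crossrefs):
    """Build the DOMAIN\\sAMAccountName form from a DN and its sAMAccountName."""
    domain = netbios_name_for_dn(object_dn, crossrefs)
    if domain is None:
        raise ValueError(f"no crossRef with nETBIOSName covers {object_dn}")
    return f"{domain}\\{sam_account_name}"


if __name__ == "__main__":
    # Constructed computer objects in the OU from the thread's example.
    for dn, sam in [("CN=WS01,OU=DDD,DC=BBB,DC=CCC", "WS01$"),
                    ("CN=SRV01,OU=DDD,DC=child,DC=BBB,DC=CCC", "SRV01$")]:
        print(dn, "->", pre_windows_2000_logon_name(dn, sam, SAMPLE_CROSSREFS))
```

In a live forest, replace SAMPLE_CROSSREFS with the result of searching PARTITIONS_BASE_TEMPLATE with PARTITIONS_FILTER for the attributes nCName and nETBIOSName; everything else stays the same.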


[ActiveDir] Differentiating between NT4 Workstation and Server in AD?

2005-08-22 Thread freddy_hartono
Hi guys,

Just thinking of a better way to search for NT4 workstations within AD.

The filter below will return both WS and server:
(&(objectclass=computer)(objectcategory=computer)(operatingsystem=Windows NT))

The hard way would be to integrate this with something like srvinfo to grep the 
Product Info, but those remote systems will eat up time :-(

Anything else I can use to query them? WMI components may not be installed on 
the NT4 workstations so WMIC/Systeminfo and stuff may not be usable..

So far 3rd party non-relevant utilities such as Quest Domain Migration Wizard 
are able to separate out WS and SRV when I'm importing the files, but the 
above criteria will be used in scripts unfortunately...

Ideas pls..


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 



Re: [ActiveDir] export to csv

2005-08-22 Thread Tom Kern
On 8/19/05, joe [EMAIL PROTECTED] wrote:
 After you export to a file, then you can use adcsv.pl (also in the zip) to
 convert the file to a delimited single liner per object file. Version 2.0.0,
 if I ever get to work on it, will have native delimited output capability.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
 Sent: Friday, August 19, 2005 3:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] export to csv
 
 Yes.
 
 adfind -default -f displayname=Username cn streetaddress st co -noctl
 -nodn -nolabel > outputfile.txt (or csv)
 
 You may have to play with the order in the output file to get what you want.
 
 **
 Charlie Kaiser
 W2K3 MCSA/MCSE/Security, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Friday, August 19, 2005 11:42 AM
  To: activedirectory
  Subject: [ActiveDir] export to csv
 
  Whats the best utility to export only user object and attribs  like
  st,streetAddress,c,email addy,etc.
  Just the human stuff a manager would be interested in?
  could adfind do this?
  thanks
 
 



Re: [ActiveDir] export to csv

2005-08-22 Thread Tom Kern
I ran adfind with similar parameters to what Charlie suggested.
Now, I think I got stoopid because I'm having issues with adcsv.pl.
When I use the output of adfind as the inputfile for adcsv.pl, I just
get a DN; and that's it.
Using the switch for csv doesn't seem to do anything. If my
outputfile is called test.txt, adcsv.pl just makes a
test.txt.txt file with only the 1 entry: DN;
This happens no matter what arguments I use or don't use.

What am I doing wrong?
Am I this dense?

Thanks


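The conversion joe describes (adfind's one-attribute-per-line output into one line per object) is shown here as an added example; it is not joe's adcsv.pl and not code from the thread. It assumes adfind's usual text layout: a banner, then per object a `dn:` line followed by one `>attribute: value` line per value, objects separated by blank lines, and a trailing `N Objects returned` summary. Because it keys on the `dn:` line and the attribute labels, it has nothing to work with when the input was produced with `-nodn -nolabel` as in Charlie's command line, and then emits only the header row, which matches the symptom Tom reports. Both sample inputs are constructed.

```python
"""Convert AdFind's default text output into one-line-per-object CSV.

Added example, not joe's adcsv.pl. Assumed AdFind layout: a banner, then for
each object a 'dn:<DN>' line followed by one '>attr: value' line per value,
objects separated by blank lines, then an 'N Objects returned' summary.
"""
import csv
import io

# Constructed sample of 'adfind -default -f ... displayName streetAddress st co'
# output with DNs and labels present.
SAMPLE_ADFIND_OUTPUT = """\
AdFind V01.xx.xx (constructed banner)

Using server: dc1.example.com:389
Directory: Windows Server 2003
Base DN: DC=example,DC=com

dn:CN=Jane Smith,OU=Users,DC=example,DC=com
>displayName: Jane Smith
>streetAddress: 1 Main St
>st: CA
>co: United States

dn:CN=Bob Jones,OU=Users,DC=example,DC=com
>displayName: Bob Jones
>streetAddress: 2 High St
>streetAddress: Suite 4
>st: NY
>co: United States

2 Objects returned
"""

# Constructed sample of the same query run with -nodn -nolabel: no 'dn:'
# line and no labels, so a label-driven converter cannot key on anything.
SAMPLE_NOLABEL_OUTPUT = """\
Jane Smith
1 Main St
CA
United States

Bob Jones
2 High St
Suite 4
NY
United States
"""


def parse_adfind(text):
    """Return a list of {'dn': str, attr: [values...]} dicts, one per object."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lower().startswith("dn:"):
            current = {"dn": line[3:].strip()}
            records.append(current)
        elif line.startswith(">") and current is not None and ":" in line:
            name, _, value = line[1:].partition(":")
            # Repeated labels are multi-valued attributes; keep every value.
            current.setdefault(name.strip(), []).append(value.strip())
        elif not line:
            current = None  # a blank line closes the current object
        # banner, 'Using server:' and summary lines fall through and are ignored
    return records


def to_csv(records, attributes, multi_sep="|"):
    """One row per object: dn first, then the requested attributes in order.
    Multi-valued attributes are joined with multi_sep inside one cell; the
    csv module quotes the DN because it contains commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["dn"] + list(attributes))
    for rec in records:
        writer.writerow([rec["dn"]] +
                        [multi_sep.join(rec.get(a, [])) for a in attributes])
    return buf.getvalue()


ATTRS = ["displayName", "streetAddress", "st", "co"]

if __name__ == "__main__":
    print(to_csv(parse_adfind(SAMPLE_ADFIND_OUTPUT), ATTRS))
    # Output produced with -nodn -nolabel yields no records: header only.
    print(to_csv(parse_adfind(SAMPLE_NOLABEL_OUTPUT), ATTRS))
```

Feed it a file captured without `-nodn` and `-nolabel`; the attribute list passed to `to_csv` fixes the column order, which is the "play with the order" step Charlie mentions.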


RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Brian Desmond
I wouldn't ride the DC on the physical hardware and the FP on the VS
install. I'd ride them both on there. Lsass will steal all the memory you'd
like to allocate to VS. Instead, let lsass and company in its own instance,
allocate it 2/3 the memory available and then the other third to your f & p
instance.

ESX IMHO is not the tool for this type of gig. A) it's expensive and b) it's
suited to running dozens if not hundreds of VMs on high power hardware.
GSX/VS is more for a smaller operation on a much smaller dose of hardware
(e.g. a 380/385 or 2850). 

--brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 


Re: [ActiveDir] hide an attribute

2005-08-22 Thread Tom Kern
ok, say I want to hide streetAddress from all users except DA's, EA's, and AO's.

All auth users like DU's should NOT be able to see it in Entire
Directory or using find or even dsa.msc or any admin tools.

How would I do this?

The Delegation Wizard is no help.
Right clicking the entire domainDns object doesn't help because those
properties don't show up as an attrib of that object.
I don't want to muck with the property set because I just want the one
attrib hidden.
Do I have to modify the defaultSecurityDescriptor for the user class
and then see where inheritance is for users/groups I don't want and
kill it there as well?

What about Exchange? Is it the Exchange Domain Servers global group I
should worry about or the Exchange Enterprise Servers local group or
Auth users?

Which is it? Will hiding one attrib bring my email down or make it
flaky at best?

How would you go about just hiding the streetAddress? Just as a
purely academic exercise...
Thanks

On 8/21/05, joe [EMAIL PROTECTED] wrote:
 That's the thing Rick, it isn't some simple easy thing to say how to do. The
 simplest shortest answer is, it depends. It depends on how it is granted,
 who has access to the objects and what types of access, etc. Part of that
 depends is how things should be done overall and for the future, in the end
 there are lots of ways to hide it and lots of ways you may have to defeat
 trying to show it. Understanding the ways it could be granted and how it can
 be hidden are necessary to properly do it.
 
 In the end, no matter how it is done, there is a fair chance that PSS is not
 going to be thrilled about it because it isn't standard and if it isn't
 standard and documented the first recourse is to say it isn't supported.
 
 If you think there is an easy way to do this, I wouldn't mind seeing what
 your response would be. I guess the simplest that would effectively work
 would be to block the LDAP port on all DCs and GCs. However I don't think
 that accomplishes the true desired goal. :)
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Sunday, August 21, 2005 3:59 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] hide an attribute
 
 Tom Kern said:
 
  Say i use one of the custom attribute fields that Exchange creates and put
 a value in there and hide it from Domain users.
 what would break?
 how would i go about hiding that?
 just as an example
 
 [RTK]
 
 Hey, joe  Just a suggestion. If someone asks you what time it is - don't
 tell him how to build a frelling Rolex!  :oD
 
 I think all Tom wanted to know (though the background and technical detail
 is good) was How do I hide the FRELLING ATTRIBUTE?  And, IF I DO, will it
 BREAK ANYTHING?
 
 So, Sparky, what have you got to say now?
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Sunday, August 21, 2005 12:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] hide an attribute
 
 Good good, that is what I like to hear.  :o)  You will want to buy copies
 for all your friends too. :o)
 
 The chapter may have been clear but it was off on its examples as it
 didn't take into account inherited and explicit ACEs. That radically changes
 whether a delegation (or a denied delegation) will work or not. It still
 isn't perfect, but IMO, much better. It is a balance of time vs what needs
 to be done.
 
 The example you give is one of the harder things to clean up and no, I
 personally don't think it should be this hard, but then that is just my
 opinion. One thing to remember about Exchange, is that some of its access
 rights for reading attributes can be through Auth Users rights, especially
 on GCs in a multi-domain environment, I have been bitten by this in the past
 myself. Consider that permissions are granted to the Exchange Enterprise
 Servers group which is a domain local group so reading on a GC in another
 domain would be impacted unless there is some other access mechanism. An
 alternative would be to convert those DLGs to UGs as previously mentioned by
 Guido, again, MS PSS may have an issue with it so keep that in mind.
 
 
 
 The easiest way to handle this is to use the new confidentiality bit
 capability in SP1. The Exchange attributes shouldn't be Cat 1 attributes
 (systemFlags & 16 on their schema definition) so you should be able to lock
 them up that way. However, you will want to regrant access back to Exchange.
 Unfortunately, I am not aware of any tools MS has given to allow a good
 granular way to grant access BACK to this attribute after it is locked down.
 You will need to grant a CA to the attribute for the Exchange Servers global
 group in each domain (or grant to the DLGs but convert to UGs) so you
 maintain read across GCs in each domain. This will have to be done with
 script because you can't do it via dsacls or the GUI. Also once set, the GUI
 will have no clue how to display 
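joe's message above gives the three facts that decide whether the confidentiality-bit approach works for a given attribute: the bit is searchFlags value 128 (0x80) on the attributeSchema object; category 1 (base schema) attributes, recognisable by systemFlags & 16, cannot take it; and once set, a reader needs the CONTROL_ACCESS right on that attribute (scoped by its schemaIDGUID) in addition to read property, which is the access that has to be granted back to the Exchange server groups. The following is an added example, not code from the thread, that turns those rules into a checker and a plan; it only plans the changes and does not write to the directory. The attributeSchema records, group names and GUIDs are constructed samples; in particular streetAddress is shown as a base-schema attribute (systemFlags 0x10), which is why Tom's specific request cannot be met this way.

```python
"""Plan the SP1 'confidential attribute' lock-down joe describes.

Added example, not code from the thread. Rules it encodes:
  * searchFlags bit 0x80 (128) on an attributeSchema object marks it confidential;
  * attributes with systemFlags bit 0x10 (16) set are category 1 (base schema)
    and cannot be marked confidential;
  * reading a confidential attribute needs both READ_PROPERTY and the
    CONTROL_ACCESS right for that attribute (object type = its schemaIDGUID).
The schema records, GUIDs and group names below are constructed samples.
"""

SEARCH_FLAGS_CONFIDENTIAL = 0x80   # fCONFIDENTIAL in searchFlags
SYSTEM_FLAGS_CATEGORY1 = 0x10      # base-schema marker in systemFlags

# Constructed attributeSchema records (values are samples, not read from a DC).
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "streetAddress", "systemFlags": 0x10, "searchFlags": 0x0,
     "schemaIDGUID": "constructed-guid-0001"},
    {"lDAPDisplayName": "extensionAttribute1", "systemFlags": 0x0, "searchFlags": 0x0,
     "schemaIDGUID": "constructed-guid-0002"},
    {"lDAPDisplayName": "employeeSecret", "systemFlags": 0x0, "searchFlags": 0x80,
     "schemaIDGUID": "constructed-guid-0003"},
]


def is_category1(system_flags):
    return bool(system_flags & SYSTEM_FLAGS_CATEGORY1)


def is_confidential(search_flags):
    return bool(search_flags & SEARCH_FLAGS_CONFIDENTIAL)


def can_read(attr, granted_rights):
    """Model the DC's check: READ_PROPERTY reads a normal attribute; a
    confidential one additionally requires CONTROL_ACCESS on that attribute."""
    if "READ_PROPERTY" not in granted_rights:
        return False
    if is_confidential(attr["searchFlags"]):
        return "CONTROL_ACCESS" in granted_rights
    return True


def plan_confidential(attr, readers):
    """Decide what to do for one attributeSchema record.

    readers: groups that must keep reading the attribute afterwards (for
    Exchange, the server groups joe names, per domain). Returns the decision,
    the searchFlags value to write, and the ACEs to grant back.
    """
    name = attr["lDAPDisplayName"]
    if is_category1(attr["systemFlags"]):
        return {"attribute": name, "action": "refuse",
                "reason": "category 1 (base schema) attribute: confidentiality bit not allowed"}
    if is_confidential(attr["searchFlags"]):
        action, new_flags = "already-confidential", attr["searchFlags"]
    else:
        action, new_flags = "set-searchFlags", attr["searchFlags"] | SEARCH_FLAGS_CONFIDENTIAL
    # One allow ACE per reader: CONTROL_ACCESS scoped to this attribute's
    # schemaIDGUID, applied where the objects live (e.g. inherited to user objects).
    aces = [{"trustee": g, "right": "CONTROL_ACCESS", "object_type": attr["schemaIDGUID"],
             "inherited_object_type": "constructed-guid-user-class"} for g in readers]
    return {"attribute": name, "action": action, "new_searchFlags": new_flags, "grant": aces}


def plan_all(schema, readers):
    return [plan_confidential(a, readers) for a in schema]


if __name__ == "__main__":
    for plan in plan_all(SAMPLE_SCHEMA, ["Exchange Servers", "Exchange Domain Servers"]):
        print(plan)
```

The returned plan is the input for the scripted step joe mentions (the ACEs cannot be set through dsacls or the GUI); `can_read` is useful when testing afterwards, because a group that still holds read property but was not granted CONTROL_ACCESS will silently see the attribute as absent rather than get an error.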

RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Bernard, Aric
Hi Brian,

Out of curiosity, how will LSASS steal memory from that which you have
physically allocated to a specific virtual machine?  Since VS2005 does
not allow over committing of physical memory, this should not be
possible.

Maybe I am missing your point?

Regards,

Aric Bernard


RE: [ActiveDir] Virtual Domain Controllers

2005-08-22 Thread Brian Desmond
Steal was a bad word. What I was trying to say was lsass likes as much
memory as you can give it. My personal inclination is to take all the
available memory and divide it as you like amongst the two VMs, rather than
fire up one VM and then leave the leftovers for lsa & os. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 


RE: [ActiveDir] Database Corruption

2005-08-22 Thread Alex Fontana
ECC memory, no errors in the event logs relating to memory.  The ntds.dit is
about 800MB.  There are multiple events, the page number is always the same
(81184).

Haven't fixed it yet - it's limping along until this weekend when I'll dump
the pages to see what the header shows - then either defrag or restore...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 22, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Database Corruption

Both Steve, Hunter's, and your original advice is sound ... I think it is
very likely if you call PSS, they'll tell you to do Steve's, yours, and
Hunter's advice in about that order.

My favorite disk sub-system diagnostics is jetstress, but dedicated disk
sub-system stressers are better, as they try odd patterns of bits that
they know buses, electrical systems, and disks get fouled up on.  Also do
not ignore RAM checkers, that is almost as likely, perhaps even more
likely here.

Do you have ECC or parity memory?  Any events in system or app event log
related to parity memory issues?

BTW, how big is your ntds.dit file?  Is it over 1.5-2.5 GBs?  That
increases the hypothesis of memory issues.

So you have multiple of these events?  If you do, do they always happen
for the same page numbers (pgno) and offsets?  If different, does their
frequency increase?

If you haven't restored it already, I'd be curious if you felt like
sharing, what the page looked like from:
   esentutl /m ntds.dit /p81184 /v
 ... then we could see how bad the header was corrupted.  Also this will
tell you if the page is an Index page, and thus likely to be fixed by an
offline defrag.  If you see primary or long value page, offline defrag
probably won't fix it.

Also get the previous page too (change 81184 to 81183 in the above
command).  But again, only if you feel like sharing.

Cheers,
BrettSh

This posting is provided AS IS with no warranties, and confers no
rights.



On Sat, 20 Aug 2005, Coleman, Hunter wrote:

 I'd also look at running hardware diagnostics, particularly on the
 disk subsystem and controller. No point in restoring or repromoting if
 there is an unresolved hardware problem.
 
   -Original Message- 
   From: [EMAIL PROTECTED] on behalf of Steve Linehan 
   Sent: Fri 8/19/2005 8:18 PM 
   To: ActiveDir@mail.activedir.org 
   Cc: 
   Subject: RE: [ActiveDir] Database Corruption
 
   Well the first thing I always recommend is to try an offline
 defrag as it is possible that the corruption is in an index, i.e.
 metadata, that can be rebuilt.  If the offline defrag fails then
 restoring from backup or repromoting will be your next step.
 
   Thanks,
   -Steve
   _  
 
   From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
   Sent: Friday, August 19, 2005 6:43 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Database Corruption

   My preferred approach would be to demote the box to member
 server and re-promote to a domain controller to ensure a good fresh
 copy of the DIT.  YMMV as the specific requirements at your location
 may prevent this.  We have only run into this once early in our AD
 days and this was the approach we used with good success.
 
   Diane
   _  
 
   From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
   Sent: Friday, August 19, 2005 3:29 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Database Corruption
 
   Started getting the error below a few weeks ago on one of our
 DCs.  My first reaction is to run a non-auth restore from a day before
 this started happening and let replication take care of everything
 else.  Any reason NOT to do this?  I’m concerned that this may
 happen again and wasn’t able to find anything specific to the error
 below.  Besides calling PSS any thing else I should look into before
 restoring?  This box holds all FSMO roles, Win2k3, server for NIS.
 
   TIA
   -alex

 
   Event Type:   Error
   Event Source:NTDS ISAM
   Event Category: Database Page Cache 
   Event ID:   475
   Date:8/19/2005
   Time:2:00:24 PM
   User:N/A
   Computer: DC
   Description:
 
   NTDS (528) NTDSA: The database page read from the file
 C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for
 8192 (0x2000) bytes failed verification due to a page number
 mismatch.  The expected page number was 81184 (0x00013d20) and the
 actual page number was 2349964126 (0x8c119b5e).  The read operation
 will fail with error -1018 (0xfc06).  If this condition persists
 then please restore the database from a previous backup. This problem
 is likely due to faulty hardware. Please contact your hardware vendor
 for further assistance diagnosing the 
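The event Alex posted carries enough numbers to sanity-check it before anyone touches the DIT. The following script is an added example (it is not from the thread and not a Microsoft tool) that parses the -1018 text and answers the questions Brett raises: was the read issued at the right file offset for the expected page, could the "actual" page number possibly exist in an 800 MB file, and how many bits differ between the two header values. The offset rule it applies, logical page N at file offset (N + 1) * page size because ESE keeps two header pages at the front of the file, is an assumption about the ESE file layout; it agrees with the numbers in the event. The file size is a constructed value taken from Alex's "about 800MB".

```python
import re
from typing import Dict

# The NTDS ISAM event 475 text from the thread, reproduced here as the
# constructed test input for this example.
SAMPLE_EVENT = (
    "NTDS (528) NTDSA: The database page read from the file "
    "C:\\WINNT\\NTDS\\ntds.dit at offset 665067520 (0x27a42000) for "
    "8192 (0x2000) bytes failed verification due to a page number "
    "mismatch.  The expected page number was 81184 (0x00013d20) and the "
    "actual page number was 2349964126 (0x8c119b5e).  The read operation "
    "will fail with error -1018 (0xfc06)."
)

_EVENT_RE = re.compile(
    r"at offset (?P<offset>\d+) \(0x[0-9a-fA-F]+\) for (?P<size>\d+) \(0x[0-9a-fA-F]+\) bytes"
    r".*?expected page number was (?P<expected>\d+)"
    r".*?actual page number was (?P<actual>\d+)",
    re.DOTALL,
)

# Assumption about the ESE file layout: the database header and its shadow
# copy occupy the first two pages, so logical page N starts at (N + 1) * size.
HEADER_PAGES_BEFORE_PAGE_1 = 2


def analyze_1018_event(event_text: str, file_size_bytes: int) -> Dict[str, object]:
    """Extract the numbers from a -1018 event and check them for consistency."""
    m = _EVENT_RE.search(event_text)
    if not m:
        raise ValueError("not a -1018 page number mismatch event")
    offset = int(m["offset"])
    size = int(m["size"])
    expected = int(m["expected"])
    actual = int(m["actual"])
    # Highest logical page number a file of this size can contain.
    max_page = file_size_bytes // size - HEADER_PAGES_BEFORE_PAGE_1
    return {
        "expected_page": expected,
        "actual_page": actual,
        "page_size": size,
        # Did ESE read from where page `expected` should live?  If yes, the
        # engine asked for the right place and got the wrong bytes back, which
        # points below the engine (I/O path, memory) rather than at it.
        "offset_consistent": offset == (expected + 1) * size,
        # A genuine page number has to fit inside the file.
        "actual_page_plausible": 0 < actual <= max_page,
        # Bits that differ between the two header values.  One differing bit
        # looks like a flipped bit in RAM or on the bus; many differing bits
        # mean an entirely different page (or garbage) came back.
        "differing_bits": bin(expected ^ actual).count("1"),
        # The page dumps Brett asks for above: the bad page and its predecessor.
        "dump_commands": [
            f"esentutl /m ntds.dit /p{expected} /v",
            f"esentutl /m ntds.dit /p{expected - 1} /v",
        ],
    }


if __name__ == "__main__":
    # Alex says the DIT is "about 800MB"; that figure is used as the file size.
    for key, value in analyze_1018_event(SAMPLE_EVENT, 800 * 1024 * 1024).items():
        print(f"{key}: {value}")
```

Run against the posted event the read offset is exactly where page 81184 belongs, the "actual" page number is far outside an 800 MB file, and 14 bits differ, so the header is not a single flipped bit but a wholesale wrong page, which is what makes the hardware checks Brett and Hunter recommend worth doing before a restore.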

[ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Tony Murray



Hi all

I'm missing something here and I'm hoping you can give me a pointer.

Scenario:
2 single domain forests connected by a forest trust.

I want to add global groups from ForestB to a universal group in ForestA. I go
into ADUC in ForestA and click on the Members tab and select Add. When I go to
the Locations tab to select the domain from ForestB I only see ForestA as an
available option. Surely I should be able to add resources from ForestB to
this universal group? If I try to do the same thing with a domain local group
in ForestA, I see the domain in ForestB as an available option, so it looks
like the trust is ok.

Any thoughts?

Tony


RE: [ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Dean Wells



A user's Universal group membership must be able to be fully enumerated against a
forest-local GC, thus you cannot add users to a Universal beyond their own
forest.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest trust: universal groups



RE: [ActiveDir] Differentiating between NT4 Workstation and Server in AD?

2005-08-22 Thread joe
You can't get any further info from AD, you need to ask the machine.
Probably best bet is reg query of

Key:   HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
Value: ProductType

  Winnt      Workstation
  Servernt   Server
  Lanmannt   Server Domain Controller



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, August 22, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Differentiating between NT4 Workstation and Server in
AD?

Hi guys,

Just thinking of a better way to search for NT4 workstations within AD.

Filter below will return both ws and server
(&(objectclass=computer)(objectcategory=computer)(operatingsystem=Windows NT))

The hard way would be to integrate this with something like srvinfo to grep
the Product Info, but those remote systems will eat up time :-(

Anything else I can use to query them? WMI components may not be installed
on the NT4 workstations so WMIC/Systeminfo and stuff may not be usable..

So far 3rd party non relevant utilities such as Quest Domain Migration
Wizard are able to separate out WS and SRV when I'm importing the files,
but the above criteria will be used in scripts unfortunately...

Ideas pls..


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

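To turn joe's answer into something that runs over the whole list of NT4 computers, the registry value has to be read from each machine and mapped to a role, and hosts that are off or refuse the remote registry call have to stay visible instead of disappearing from the report. The script below is an added example, not from the thread: it parses the tabular output of `reg query`, classifies each host using the ProductType values joe lists (compared case-insensitively), and records failures per host. The `reg query \\host\HKLM\...` invocation is the standard remote form of reg.exe and requires the Remote Registry service on the target; the sample output strings are constructed.

```python
import subprocess
from typing import Callable, Dict, Iterable, Optional

# ProductType data and what it means, as listed in joe's reply above.
PRODUCT_TYPES = {
    "winnt": "Workstation",
    "servernt": "Server",
    "lanmannt": "Server Domain Controller",
}

PRODUCT_OPTIONS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions"


def parse_product_type(reg_output: str) -> Optional[str]:
    """Pull the ProductType data out of `reg query` output.

    Expects the tabular layout reg.exe prints, e.g. (constructed sample):
        HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions
            ProductType    REG_SZ    WinNT
    Returns None when no ProductType line is present.
    """
    for line in reg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "producttype":
            return parts[-1]
    return None


def classify_hosts(hosts: Iterable[str], query: Callable[[str], str]) -> Dict[str, str]:
    """Map each host to its role; failures are reported, not dropped."""
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            output = query(host)
        except (OSError, subprocess.CalledProcessError) as exc:
            results[host] = f"unreachable: {exc}"
            continue
        value = parse_product_type(output)
        if value is None:
            results[host] = "unknown: ProductType not in output"
        else:
            results[host] = PRODUCT_TYPES.get(value.lower(), f"unknown: {value}")
    return results


def reg_query_remote(host: str) -> str:
    """Query the remote registry of `host` with reg.exe (needs the Remote
    Registry service on the target and read access to the key)."""
    return subprocess.check_output(
        ["reg", "query", rf"\\{host}\{PRODUCT_OPTIONS_KEY}", "/v", "ProductType"],
        text=True,
        stderr=subprocess.STDOUT,
    )


if __name__ == "__main__":
    # Hypothetical host names; on a real network these would come from the
    # LDAP query in Freddy's post.
    for host, role in classify_hosts(["ws1", "srv1", "dc1"], reg_query_remote).items():
        print(f"{host}: {role}")
```

Because `classify_hosts` takes the query function as a parameter, the classification logic can be exercised offline with canned output, and swapped for `reg_query_remote` when run on the network.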


RE: [ActiveDir] export to csv

2005-08-22 Thread joe
When you want to convert to a CSV with adcsv you don't want to use -nodn and
-nolabel with adfind or else it can't figure out what is in the file, it is
just a bunch of text. I didn't notice that he had specified those options in
his post when I responded. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, August 22, 2005 8:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] export to csv

I ran adfind with similar parameters to what Charlie suggested.
Now, I think I got stoopid because I'm having issues with adcsv.pl.
When I use the output of adfind as the inputfile for adcsv.pl, I just get a
DN; and that's it.
Using the switch for csv doesn't seem to do anything. If my outputfile is
called test.txt, adcsv.pl just makes a test.txt.txt file with only the
1 entry - DN; This happens no matter what arguments I use or don't use.

What am I doing wrong?
Am I this dense?

Thanks

On 8/22/05, Tom Kern [EMAIL PROTECTED] wrote:
 On 8/19/05, joe [EMAIL PROTECTED] wrote:
  After you export to a file, then you can use adcsv.pl (also in the 
  zip) to convert the file to a delimited single liner per object 
  file. Version 2.0.0, if I ever get to work on it, will have native
delimited output capability.
 
joe
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
  Kaiser
  Sent: Friday, August 19, 2005 3:51 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] export to csv
 
  Yes.
 
  adfind -default -f displayname=Username cn streetaddress st co 
  -noctl -nodn -nolabel > outputfile.txt (or csv)
 
  You may have to play with the order in the output file to get what you
want.
 
  **
  Charlie Kaiser
  W2K3 MCSA/MCSE/Security, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
   Sent: Friday, August 19, 2005 11:42 AM
   To: activedirectory
   Subject: [ActiveDir] export to csv
  
   Whats the best utility to export only user object and attribs  
   like st,streetAddress,c,email addy,etc.
   Just the human stuff a manager would be interested in?
   could adfind do this?
   thanks
  
 
 


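joe's point is that adcsv.pl needs the `dn:` line and the attribute labels to know what it is looking at; with `-nodn -nolabel` the file is just bare values, which is why Tom only gets a DN column back. The converter below is an added example written for this thread (it is not adcsv.pl and not part of the AdFind zip): it parses AdFind's default labelled output into one row per object and writes the chosen columns as CSV. The input format it assumes is AdFind's default layout as I understand it, a `dn:` line per object followed by one `>attribute: value` line per value, with a blank line between objects; the sample names and addresses are constructed.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of AdFind's default labelled output. The banner lines
# and the "N Objects returned" trailer are there so the parser has to skip
# them; every name and address is made up.
SAMPLE_ADFIND_OUTPUT = """\
Using server: dc1.example.com:389
Directory: Windows Server 2003

dn:CN=Jane Doe,OU=Users,DC=example,DC=com
>displayName: Jane Doe
>streetAddress: 1 Main St
>st: CA
>co: United States
>otherTelephone: 555-0100
>otherTelephone: 555-0101

dn:CN=John Roe,OU=Users,DC=example,DC=com
>displayName: John Roe
>st: NY
>co: United States

2 Objects returned
"""


def parse_adfind(text: str) -> List[Dict[str, str]]:
    """Turn labelled AdFind output into one dict per object.

    Multi-valued attributes are joined with ';' so each object fits on one
    CSV row. Raises ValueError when no "dn:" line is present, which is what
    -nodn/-nolabel output looks like: without the labels there is no way to
    tell which value belongs to which attribute.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            if current:
                records.append(current)
            current = {"dn": line[len("dn:"):].strip()}
        elif line.startswith(">") and current:
            attr, sep, value = line[1:].partition(":")
            if not sep:
                continue  # not an attribute line we understand
            attr, value = attr.strip(), value.strip()
            current[attr] = current[attr] + ";" + value if attr in current else value
        elif not line and current:
            records.append(current)
            current = {}
        # banner lines and "N Objects returned" fall through and are ignored
    if current:
        records.append(current)
    if not records:
        raise ValueError("no 'dn:' lines found; was adfind run with -nodn or -nolabel?")
    return records


def to_csv(records: List[Dict[str, str]], columns: List[str]) -> str:
    """Write the chosen columns, in the order given, one object per line.
    Objects missing an attribute get an empty cell rather than a shifted row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({c: rec.get(c, "") for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_adfind(SAMPLE_ADFIND_OUTPUT),
                 ["dn", "displayName", "streetAddress", "st", "co"]))
```

The `csv` module takes care of quoting, which matters here because every DN contains commas; writing the rows by hand with `",".join(...)` would produce exactly the shifted-column output that makes these exports useless to the manager who asked for them.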


RE: [ActiveDir] Differentiating between NT4 Workstation and Server in AD?

2005-08-22 Thread freddy_hartono
Genius joe, just what I needed!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 23, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Differentiating between NT4 Workstation and Server in 
AD?



RE: [ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Tony Murray



Thanks Dean

That makes absolute sense... only it conflicts with what it says here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx

"Create a universal group in the resource forest, and then add all global
groups from the other forest (or forests) that need similar access as members
of the universal group.
For example, both the employees in the Sales Department and Accounting
Department global groups located in ForestA use similar print resources located
in ForestB. Create a universal group called Print Users in Other Forests in
ForestB, and add both the Sales Department and Accounting Department global
groups from ForestA as members.
Universal groups are used primarily to group together two or more global groups
(possibly from other forests) into one group for the resource domain."

Tony



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 23 August 2005 1:46 p.m.
To: Send - AD mailing list
Subject: RE: [ActiveDir] Cross forest trust: universal groups

This e-mail message has been scanned for Viruses and Content and cleared by 
NetIQ MailMarshal at Gen-i Limited 





RE: [ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Steve Linehan

The documentation is wrong and I thought it had been cleaned up in all places
but apparently not. A good summary of group scope for cross forest trusts is:

Scenario: Forest A & B have a cross forest trust.

Security Group usage:
Only the following security principals from Forest A can be used in Forest B:
1. User Accounts
2. Global Groups
3. Universal Groups

The above can be added to only the following in Forest B:
1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust: universal groups





RE: [ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Tony Murray



That's great. Thanks Steve. :-)

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, 23 August 2005 5:21 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust: universal groups

