RE: [ActiveDir] Change Auditor tools

2005-11-11 Thread neil.ruston
Does active admin extend to a 10,000+ user base tho? I have never seen
it deployed into a large org before now.

In larger orgs, simple setup is less important than is scalability.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: 10 November 2005 18:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Auditor tools

I have both InTrust by Quest and Active Administrator by ScriptLogic on
my network now. I can tell you from real world side by side comparisons
that Active Administrator is MUCH easier to set up and get running out
of the box. It is also much easier to configure with regards to emailing
alerts and other settings. I will be removing InTrust within the next
week or so. InTrust does do what it is supposed to, it's just more
cumbersome IMHO.
HTH,
Tim 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, November 10, 2005 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Auditor tools

InTrust for Active Directory by Quest Software

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rascher,
Raymond
Sent: Tuesday, November 08, 2005 8:52 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Auditor tools

Hello, I am looking for a software product which can monitor, log and
alert when changes are made to Active Directory. If the product could
also archive security logs that would be a nice addition as well. If you
can suggest some products along with your experiences that would be
great.

Thanks,
Ray
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.



RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Harding, Devon
This problem still exists on the CertServer.  All DC's are Windows 2003.  What 
else could be done to resolve this?  Would I have to uninstall CertSvc and 
reinstall again?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, November 10, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

You'll also have to refresh the policy on the affected DCs (i.e. gpupdate.exe 
/force).  Are all of the DCs W2K3?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Hmm...I've enabled those settings and rebooted the CertSvc and am still getting 
these errors:

Event Type:   Warning
Event Source:    CertSvc
Event Category: None
Event ID:   53
Date:    11/10/2005
Time:    3:10:06 PM
User:    N/A
Computer: SWSAD1
Description:
Certificate Services denied request 1252 because The requested certificate 
template is not supported by this CA. 0x80094800 (-2146875392).  The request 
was for SWSCA\SWSADCA5$.  Additional information: Denied by Policy Module  
0x80094800, The request was for a certificate template that is not supported by 
the Certificate Services policy: DomainController.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, November 10, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

If I remember correctly you will want to enable both the renew and update 
features (below) to help resolve your issue.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

And this

Public Key Policies/Autoenrollment Settings
Policy: Setting
Enroll certificates automatically: Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
Update certificates that use certificate templates: Disabled

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, November 10, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

The "DomainController(v0.0): V1 Certificate Template" is not supported under 
Windows Server 2003.  You may be specifying that your DCs autoenroll for this 
certificate via GPO.  Check out your DDC GPO.  The new policy they should be 
autoenrolling for is "Domain Controller Authentication".


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

It was a Windows 2000 upgraded to Windows 2003


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, November 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Is your CA on Windows Server 2003 in a Windows 2000 domain?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 10, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CertSvc Error
I keep getting these errors on my root domain controller and any new DC's added 
are not being issued certificates.

Event Type:   Warning
Event Source:    CertSvc
Event Category: None
Event ID:   77
Date:    11/10/2005
Time:    3:00:36 AM
User:    N/A
Computer: SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The 
DomainController(v0.0): V1 Certificate Template could not be loaded.  Element 
not found. 0x80070490 (WIN32: 1168).

Event Type:   Warning
Event Source:    CertSvc
Event Category: None
Event ID:   53
Date:    11/10/2005
Time:    3:00:36 AM
User:    N/A
Computer: SWSAD1
Description:
Certificate Services denied request 1242 because The requested certificate 
template is not supported by this CA. 0x80094800 (-2146875392).  The request 
was for SWSGS\BSGAD1$.  Additional information: Denied by Policy Module  
0x80094800, The request was for a certificate template that is not supported by 
the Certificate Services policy: DomainController.

I looked at the following MS article but saw no resolution. 
http://support.microsoft.com/default.aspx?scid=kb;en-us;283218 

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


Re: [ActiveDir] CertSvc Error

2005-11-11 Thread ChuckGaff



It can't hurt to try the uninstall/reinstall approach since that might not 
be a component that is "upgradable" ...
 
Chuck
 


Re: [ActiveDir] Track User & Disk Space

2005-11-11 Thread ASB
http://www.ultratech-llc.com/KB/?File=DiskSpace.TXT

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 11/10/05, Za Vue <[EMAIL PROTECTED]> wrote:
>
> Someone dumped 2 GB of data on a file server since two days ago. This is
> unlikely and not normal in my environment. What is the best way to find
> out other than comparing folders by folders?
>
> -Z.V.


RE: [ActiveDir] some users do not have allow "inheritable permissions" set

2005-11-11 Thread Ben D. Kusa

Thanks for the info.
It looks like the users were once part of a protected group. I reset the
inheritance flag and it holds on the users after that process that runs every
hour.

Hi Ben,

Putting aside AdminSDHolder for a moment... maybe
you were looking for the /P:N option instead?  Of course this
may increase the number of ACEs on the object more than what you'd like, but I
saw the /I:T thing and thought that's more applicable to the parent
object, rather than the leaf object.  Hopefully I understood correctly...

-DaveC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, November 10, 2005 1:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] some users do not have allow "inheritable permissions" set

Just out of curiosity when you go back an hour later is the
box unchecked?  This really sounds like the work of AdminSDHolder and the
users in question are likely members of protected groups.  If you have not
looked at the following Knowledge Base article you may want to see if
this is what you are running into: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433.

 

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: Wednesday, November 09, 2005 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] some users do not have allow "inheritable permissions" set

Some users do not have allow
"inheritable permissions" set. The only way I have found to reset
that setting is to open each user and check that option off.

I have tried running dsacls
OU=ou,DC=dc,DC=dc /I:T and it seems to go through ok but does not reset that
option. Should that work? Or does anyone know any other way to set that option
on multiple users?

 

Thanks

Ben 
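
The AdminSDHolder behaviour discussed in this thread can be checked in bulk. The following PowerShell is an added example, not code from any poster: it reports users whose inheritance is blocked, separates accounts that are still in a protected group from those that only carry a leftover adminCount, and re-enables inheritance on the latter. Assumptions: the ActiveDirectory module (RSAT) is installed, the search base is the placeholder DN from the dsacls line above, and groups with adminCount=1 are used as the list of protected groups.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and an account that can read object ACLs under the search base.
Import-Module ActiveDirectory

$SearchBase = 'OU=ou,DC=dc,DC=dc'   # placeholder DN, as in the dsacls line above

# 1. Groups stamped by SDProp carry adminCount=1. Expand each one recursively
#    into a set of member DNs. A group that was once nested in a protected
#    group can keep a stale adminCount, so review this group list first.
$protectedMembers = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive | ForEach-Object {
        [void]$protectedMembers.Add($_.DistinguishedName)
    }
}

# 2. Build a report for every user under the search base: adminCount, whether
#    the ACL blocks inheritance, and whether the user is still a (nested)
#    member of a protected group.
$report = Get-ADUser -SearchBase $SearchBase -Filter * `
        -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            StillProtected     = $protectedMembers.Contains($_.DistinguishedName)
            # RID 500 (Administrator) and 502 (krbtgt) are protected regardless
            # of group membership, so they are never treated as leftovers.
            BuiltInProtected   = $_.SID.Value -match '-50[02]$'
            DistinguishedName  = $_.DistinguishedName
        }
    }

$report | Where-Object InheritanceBlocked |
    Sort-Object StillProtected, SamAccountName |
    Format-Table SamAccountName, AdminCount, StillProtected -AutoSize

# 3. Resetting the flag only sticks for accounts that are no longer protected.
#    For the others, SDProp re-applies the AdminSDHolder ACL on its next run,
#    which is the "box unchecked an hour later" symptom described above.
$leftovers = $report | Where-Object {
    $_.InheritanceBlocked -and -not $_.StillProtected -and -not $_.BuiltInProtected
}

foreach ($u in $leftovers) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # First argument $false = allow inheritance again; the second argument is
    # ignored when protection is being removed.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf          # remove -WhatIf to apply
    Set-ADUser -Identity $u.DistinguishedName -Clear adminCount -WhatIf
}
```

Accounts listed with StillProtected = True are left alone on purpose: their ACL is meant to come from AdminSDHolder, so the finding to act on there is the group membership, not the inheritance flag.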

 








Re: [ActiveDir] CertSvc Error

2005-11-11 Thread steve patrick

This is definitely an "upgradeable" component.

Can you gather the following data:

certutil -dstemplate > dstemplate.txt
certutil -ds > ds.txt

And make them available ( or email them to me )

thanks

steve

- Original Message - 
From: "Harding, Devon" <[EMAIL PROTECTED]>

To: 
Sent: Friday, November 11, 2005 6:49 AM
Subject: RE: [ActiveDir] CertSvc Error


This problem still exists on the CertServer.  All DC's are Windows 2003. 
What else could be done to resolve this?  Would I have to uninstall CertSvc 
and reinstall again?



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric

Sent: Thursday, November 10, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

You'll also have to refresh the policy on the affected DCs (i.e. 
gpupdate.exe /force). Are all of the DCs W2K3?



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Sent: Thursday, November 10, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Hmm...I've enabled those settings and rebooted the CertSvc and am still 
getting these errors:


Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: 11/10/2005
Time: 3:10:06 PM
User: N/A
Computer: SWSAD1
Description:
Certificate Services denied request 1252 because The requested certificate 
template is not supported by this CA. 0x80094800 (-2146875392). The request 
was for SWSCA\SWSADCA5$. Additional information: Denied by Policy Module 
0x80094800, The request was for a certificate template that is not supported 
by the Certificate Services policy: DomainController.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric

Sent: Thursday, November 10, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

If I remember correctly you will want to enable both the renew and update 
features (below) to help resolve your issue.



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Sent: Thursday, November 10, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

And this

Public Key Policies/Autoenrollment Settings
Policy: Setting
Enroll certificates automatically: Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
Update certificates that use certificate templates: Disabled




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric

Sent: Thursday, November 10, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

The "DomainController(v0.0): V1 Certificate Template" is not supported under 
Windows Server 2003. You may be specifying that your DCs autoenroll for this 
certificate via GPO. Check out your DDC GPO. The new policy they should be 
autoenrolling for is "Domain Controller Authentication".



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Sent: Thursday, November 10, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

It was a Windows 2000 upgraded to Windows 2003


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith

Sent: Thursday, November 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Is your CA on Windows Server 2003 in a Windows 2000 domain?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

Sent: Thursday, November 10, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CertSvc Error
I keep getting these errors on my root domain controller and any new DC's 
added are not being issued certificates.


Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date: 11/10/2005
Time: 3:00:36 AM
User: N/A
Computer: SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The 
DomainController(v0.0): V1 Certificate Template could not be loaded. Element 
not found. 0x80070490 (WIN32: 1168).


Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: 11/10/2005
Time: 3:00:36 AM
User: N/A
Computer: SWSAD1
Description:
Certificate Services denied request 1242 because The requested certificate 
template is not supported by this CA. 0x80094800 (-2146875392). The request 
was for SWSGS\BSGAD1$. Additional information: Denied by Policy Module 
0x80094800, The request was for a certificate template that is not supported 
by the Certificate Services policy: DomainController.


I looked at the following MS article but saw no resolution. 
http://support

RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernard, Aric

Definitely upgradeable and uninstall/reinstall
is not advisable if you have any amount of certs deployed from the CA.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

It can't hurt to try the
uninstall/reinstall approach since that might not be a component that is
"upgradable" ...

Chuck

Re: [ActiveDir] CertSvc Error

2005-11-11 Thread ChuckGaff



True if running in production -- thanks on the feedback of not needing to 
do a reinstall ...
 
Chuck
 


RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernard, Aric

Was this an upgrade from W2K?

What error messages are you receiving on
the DC?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if running in production -- thanks
on the feedback of not needing to do a reinstall ...

Chuck

[ActiveDir] Automatically created replication links

2005-11-11 Thread Rimmerman, Russ

We had one of our remote sites that had an automatically generated (by
KCC) replication link have its automatically generated link disappear.
Can this happen without anyone physically deleting it?  Also, what would
cause it to not automatically regenerate itself?  It's set up just like
all our other sites that automatically generated correctly. 

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Automatically created replication links

2005-11-11 Thread Almeida Pinto, Jorge de
The KCC manages auto created links which means it creates and deletes COs 
according to the then current replication topology. If it is the KCCs opinion 
it should delete the CO it will. This may happen if the repl. top. changes 
which can be new links, new DCs, etc.
 
One way to "force" generation of COs is to kick the KCC on the DC (Check 
replication topology option) and refresh. or just wait at least 15 min
 
Cheers,
jorge



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Fri 11/11/2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatically created replication links




We had one of our remote sites that had an automatically generated (by
KCC) replication link have its automatically generated link disappear.
Can this happen without anyone physically deleting it?  Also, what would
cause it to not automatically regenerate itself?  It's set up just like
all our other sites that automatically generated correctly.






This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Automatically created replication links

2005-11-11 Thread Rimmerman, Russ

What if we think it should have left that replication link
there so we don't have to wait hours for our AD data to replicate
overseas?  Do we have to just manually create the replication link after it
decided to delete it without notifying us ? :(  How can we make sure it
automatically re-creates it?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, November 11, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically created replication links


The KCC manages auto created
links which means it creates and deletes COs according to the then current
replication topology. If it is the KCCs opinion it should delete the CO it will.
This may happen if the repl. top. changes which can be new links, new DCs,
etc.
 
One way to "force" generation of COs is to
kick the KCC on the DC (Check replication topology option) and refresh. or just
wait at least 15 min
 
Cheers,
jorge


From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Fri 11/11/2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatically created replication links

We had one of our remote sites that had an automatically generated (by
KCC) replication link have its automatically generated link disappear.
Can this happen without anyone physically deleting it?  Also, what would
cause it to not automatically regenerate itself?  It's set up just like
all our other sites that automatically generated correctly.



RE: [ActiveDir] Automatically created replication links

2005-11-11 Thread David Adner

By default, the KCC will try not to create redundant 
CO's.  So if you're describing a desire to have your DC maintain 2 CO's to 
two different hub locations, for example, then the KCC won't do 
that.
 
You can adjust this behavior via a couple options.  
One, if the default "failover" intervals from when the KCC detects its initial 
failure to hub1 before it creates a new CO to hub2 is too long, you can shorten 
them.
 
If you want the redundant CO's all the time (and you're 
2003) you can enable the redundant topology option.  Do a search on 
_IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED for the syntax.  You also need to 
enable IS_TOPL_DETECT_STALE_DISABLED.
 
These options are typically used in large branch 
environments.  If that's not what yours is then I would reevaluate just how 
necessary all this is.  If you absolutely need it, then fine.  
Otherwise it's just more for you to administer, maintain and consider while 
troubleshooting issues.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Friday, November 11, 2005 11:25 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Automatically created replication links
  
  What if we think it should have left that replication 
  link there so we don't have to wait hours for our AD data to replicate 
  overseas?  Do we have to just manually create the replication link after 
  it decided to delete it without notifying us ? :(  How can we make sure 
  it automatically re-creates it?
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Friday, November 11, 2005 11:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Automatically created replication links
  
  
  The KCC manages auto 
  created links which means it creates and deletes COs according to the then 
  current replication topology. If it is the KCCs opinion it should delete the 
  CO it will. This may happen if the repl. top. changes which can be new links, 
  new DCs, etc.
   
  One way to "force" generation of COs is 
  to kick the KCC on the DC (Check replication topology option) and refresh. or 
  just wait at least 15 min
   
  Cheers,
  jorge
  
  
  From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
  Sent: Fri 11/11/2005 6:00 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Automatically created replication links

  We had one of our remote sites that had an automatically generated (by
  KCC) replication link have its automatically generated link disappear.
  Can this happen without anyone physically deleting it?  Also, what would
  cause it to not automatically regenerate itself?  It's set up just like
  all our other sites that automatically generated correctly.
  




RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Harding, Devon

Well all the CA’s were backed up
before the uninstall.  And no this did not resolve the issue.  When the service
is restarted, it states that none of the policies could be loaded; one Event ID
77 warning for each template, like so:

 

Event Type:   Warning
Event Source:    CertSvc
Event Category: None
Event ID:   77
Date:    11/11/2005
Time:    10:46:04 AM
User:    N/A
Computer: SWSAD1
Description:
The "Windows default" Policy
Module logged the following warning: The EFSRecovery(v2.0): V1 Certificate
Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Was this an upgrade from
W2K?

What error messages are
you receiving on the DC?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if
running in production -- thanks on the feedback of not needing to do a
reinstall ...

Chuck


__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.  Thank You.





RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Harding, Devon

This WAS an upgrade from W2K

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Was this an upgrade from
W2K?

What error messages are
you receiving on the DC?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if
running in production -- thanks on the feedback of not needing to do a
reinstall ...

Chuck







RE: [ActiveDir] CertSvc Error

2005-11-11 Thread Bernier, Brandon (.)

Besides uninstalling the CA and going through all the issues around that, why don't you
blow away the templates? If you run certtmpl.msc after it will ask "This is the
first time you have opened Certificate Templates, would you like to publish them
in Active Directory?"  Say yes and then you get fresh templates. Then just
pick your template and republish it. This doesn't have a horrible effect
unless everything is re-autoenrolling at the time you do this.

btw what kind of templates do you have published?

-brandon
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error





Well all the CA’s were 
backed up before the uninstall.  And no this did not resolve the 
issue.  When the service is restarted, it states that none of the policies 
could be loaded; one Event ID 77 warning for each template, like 
so:
 
Event Type:   Warning
Event Source:    CertSvc
Event Category: None
Event ID:   77
Date:    11/11/2005
Time:    10:46:04 AM
User:    N/A
Computer: SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The
EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not
found. 0x80070490 (WIN32: 1168).
 
 
For more information, 
see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Was this an upgrade from W2K?

What error messages are you receiving on the DC?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if running in production -- thanks on the feedback of not needing to do a reinstall
...

Chuck

 






RE: [ActiveDir] Automating NoMas

2005-11-11 Thread deji
sent.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Thu 11/10/2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas



I would love to see this script.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 09, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Me? I don't. I just change the password to a randomly-generated complex one,
make domain users its primary group, remove it from all groups except domain
users, hide it from GAL and move it to a "Terminated" OU.

That's where it stays until my monthly cleanup script runs, detects its
modified date, sees if it's longer than "x number of days" (depending on
corporate retention policy), exmerges the mailbox and DELETEs the account.

I still have most of the scripts that do all that handy if you are
interested.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 11/9/2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas



Ok with that said, what would be the correct way or tools to disable a mail
enabled account in Active Directory?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little.

The issues are due to Exchange Dev having an incomplete understanding of how
people do things in the enterprise and assuming that the only time a
disabled account could have a mailbox is because it is a resource mailbox so
instead of having an attribute for it they assume and then after assuming
run into all sorts of issues with their assumption.

From our side, it means that we have to adjust how we deprovision accounts
to properly populate the directory so Exchange doesn't get its panties in a
bunch. And yes, enough of these will get your Exchange server's panties in a
bunch. Lots of folks (primarily from MS) like to say these are meaningless
and can't hurt anything but I have seen multiple cases where they caused
store hangs and queues. I actually got an MS person to admit they were a
huge issue about 2-3 years ago but couldn't get the person to give me an
email stating that. I understood completely.

The interesting thing is that you would at least expect ADUC with the
Exchange extensions to properly disable these accounts but nope, we have to
handle it manually. But that is ok, we really shouldn't be using ADUC to
manage users in larger orgs anyway. No business rules, no decent logging,
too many people with too many permissions: you want to use provisioning
tools, either self written or purchased.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly
setting values on mailbox enabled users. Basically bad data is going in the
directory and then you are manually swinging back and correcting it.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548(MSExchangeIS) from happening?  I
normally use NoMas to fix em, but I want to prevent them from happening.

Would it be possible to create a script that runs like every morning and
perform exactly what NoMas does for every child domain I have?


Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



RE: [ActiveDir] CertSvc Error **RESOLVED**

2005-11-11 Thread Harding, Devon








When I logged on to the CertServ as a
Domain Admin in my child domain and ran certtmpl.msc,
it said I needed to be a Domain Admin and Enterprise Admin to publish new
templates.  I was an Enterprise Admin, but not a part of the Domain Admins
group in the root domain.  I then Logged on as a Domain Admin/Enterprise Admin
in the root domain and ran the command which then prompted me to Upgrade the
templates.  No more errors.

 

Now the question is this, can I now
restore my CA backup or will this cause a problem?

 

Thanks all!!!

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, November 11, 2005
2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc
Error



 



besides uninstalling the CA and going through all the issues around that, why
don't you blow away the templates? If you run certtmpl.msc after it will ask
"This is the first time you have opened Certificate Templates, would you like
to publish them in Active Directory?"  say yes and then you get fresh
templates. Then just pick your template and republish it. This doesn't have a
horrible effect unless everything is re-autoenrolling at the time you do this.





 





btw what kind of
templates do you have published?





 





-brandon





 





 















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding,
 Devon
Sent: Friday, November 11, 2005
2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc
Error



Well all the CA’s
were backed up before the uninstall.  And no this did not resolve the
issue.  When the service is restarted, it states that none of the policies
could be loaded; one Event ID 77 warning for each template, like so:

 

Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       77
Date:           11/11/2005
Time:           10:46:04 AM
User:           N/A
Computer:       SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The
EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not
found. 0x80070490 (WIN32: 1168).

 

 

For more information, see
Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005
11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc
Error



 

Was this
an upgrade from W2K?

 

What
error messages are you receiving on the DC?













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005
8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc
Error



 



True if
running in production -- thanks on the feedback of not needing to do a
reinstall ...





 





Chuck





 


















RE: [ActiveDir] CertSvc Error **RESOLVED**

2005-11-11 Thread Bernier, Brandon (.)




you should be able to. 
I believe it only restores the CA database and since the templates are published 
in AD, they should be left alone. But, I've never done this so please triple 
guess me.
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error **RESOLVED**


When I logged on to the 
CertServ as a Domain Admin in my child domain and ran certtmpl.msc, it said I needed to be a 
Domain Admin and Enterprise Admin to publish new templates.  I was an 
Enterprise Admin, but not a part of the Domain Admins group in the root 
domain.  I then Logged on as a Domain Admin/Enterprise Admin in the root 
domain and ran the command which then prompted me to Upgrade the 
templates.  No more errors.
 
Now the question is 
this, can I now restore my CA backup or will this cause a 
problem?
 
Thanks 
all!!!
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, November 11, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

besides uninstalling the CA and going through all the issues around that, why
don't you blow away the templates? If you run certtmpl.msc after it will ask
"This is the first time you have opened Certificate Templates, would you like
to publish them in Active Directory?"  say yes and then you get fresh
templates. Then just pick your template and republish it. This doesn't have a
horrible effect unless everything is re-autoenrolling at the time you do this.

 

btw what kind of 
templates do you have published?

 

-brandon

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Well all the CA’s were backed up before the uninstall.  And no this did not
resolve the issue.  When the service is restarted, it states that none of the
policies could be loaded; one Event ID 77 warning for each template, like so:

Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       77
Date:           11/11/2005
Time:           10:46:04 AM
User:           N/A
Computer:       SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The
EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not
found. 0x80070490 (WIN32: 1168).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CertSvc Error

Was this an upgrade from W2K?

What error messages are you receiving on the DC?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] CertSvc Error

True if running in production -- thanks on the feedback of not needing to do a
reinstall ...

 

Chuck

 






[ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark





This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.





RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Brian Desmond








Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but, you’ll
still need to parse this information into something useable. 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL
permissions



 

One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark










RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread joe



Yep adfind will dump the ntsecuritydescriptor and decode it 
if you specify the attribute and add the -sddc option. Note it will be in SDDL 
format which is probably one of the easier formats for scripting but worse for 
reading.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions


Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions
 
One of our Exchange account admins 
wants to know if there is a tool that would dump a list of the name of each 
distribution list in the GAL along with who has the ability to add or remove 
members on each one. Would I approach this with a script or is there a tool I 
should point him towards?
 
Thanks,
Mark


RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








Thanks Joe & Brian,

 

Time to take the feet down off the desk
again…K

 

MC

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Yep adfind will dump the
ntsecuritydescriptor and decode it if you specify the attribute and add the
-sddc option. Note it will be in SDDL format which is probably one of the
easier formats for scripting but worse for reading.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005
3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable. 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL
permissions



 

One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark












RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








GASP

Joeware.net is suddenly blocked by
SurfCONTROL. Not kidding unfortunately  Must be that opening pic.
:-/

 

Oh well, thank God for my super top secret
“testing” DSL connection so I can get to the usage documentation
again. Now where the heck is that surf admin…

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Thanks Joe & Brian,

 

Time to take the feet down off the desk
again…K

 

MC

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Yep adfind will dump the
ntsecuritydescriptor and decode it if you specify the attribute and add the
-sddc option. Note it will be in SDDL format which is probably one of the
easier formats for scripting but worse for reading.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005
3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable. 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL
permissions



 

One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark












RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread joe



Interesting. Is that controlled locally or is that some 
blacklist service type item?
 
I am digging around also. I think with some small 
mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used 
for this to generate a CSV with DLs and their perms. It could probably further 
be filtered to only show ACEs with the ability to modify membership. It is going 
to be considerably slower than adfind though because it is using ADO and 
ADSI.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions


GASP
Joeware.net is suddenly 
blocked by SurfCONTROL. Not kidding unfortunately  Must be that 
opening pic. :-/
 
Oh well, thank God for 
my super top secret “testing” DSL connection so I can get to the usage 
documentation again. Now where the heck is that surf 
admin…
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions
 
Thanks Joe & 
Brian,
 
Time to take the feet 
down off the desk again…K
 
MC
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions
 
Yep adfind will dump 
the ntsecuritydescriptor and decode it if you specify the attribute and add the 
-sddc option. Note it will be in SDDL format which is probably one of the easier 
formats for scripting but worse for reading.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions
 
One of our Exchange account admins 
wants to know if there is a tool that would dump a list of the name of each 
distribution list in the GAL along with who has the ability to add or remove 
members on each one. Would I approach this with a script or is there a tool I 
should point him towards?
 
Thanks,
Mark
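
The parsing step discussed in this thread (SDDL output from adfind's -sddc option, then filtering to only the ACEs that can modify membership), as an added example that is not part of the original messages and is not joe's AD3E script. It takes raw SDDL strings as input; the DNs, SIDs and descriptors in SAMPLE are constructed, and deny ACEs and ACEs scoped to a property set are not evaluated, so the output lists grants rather than effective access.

```python
import csv
import io
import re

# schemaIDGUID of the "member" attribute; the Self-Membership validated
# write uses the same GUID.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# SDDL two-letter right tokens for directory objects -> access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# A few well-known SDDL trustee aliases, used only for readable output.
ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
    "BA": "Builtin Administrators", "AO": "Account Operators",
    "AU": "Authenticated Users", "PS": "Principal Self", "WD": "Everyone",
}


def _pairs(text):
    """Split a string of two-letter SDDL tokens ("CIIO" -> ["CI", "IO"])."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_mask(rights):
    """Return the access mask for an SDDL rights field (tokens or 0x hex)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in _pairs(rights):
        mask |= RIGHTS[token]  # KeyError on a token this table does not know
    return mask


def membership_writers(sddl):
    """List (trustee, reason) for allow ACEs that permit changing 'member'."""
    dacl = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not dacl:
        return []
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):   # allow ACEs only; deny is skipped
            continue
        if "IO" in _pairs(flags):         # inherit-only: not for this object
            continue
        mask = parse_mask(rights)
        guid = guid.lower()
        scoped = guid in ("", MEMBER_GUID)
        if mask & RIGHTS["GA"]:
            reason = "generic all"
        elif mask & RIGHTS["GW"]:
            reason = "generic write"
        elif mask & RIGHTS["WP"] and scoped:
            reason = "write member" if guid else "write all properties"
        elif mask & RIGHTS["SW"] and scoped:
            reason = "add/remove self"
        else:
            continue
        found.append((ALIASES.get(trustee, trustee), reason))
    return found


# Constructed sample: DN -> SDDL string, as a dump of mail-enabled groups
# might provide after the DN and descriptor have been split apart.
_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "CN=Sales-All,OU=DLs,DC=example,DC=com": (
        "O:DAG:DAD:AI"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
        "(OA;;WP;" + MEMBER_GUID + ";;" + _DOM + "-1105)"
        "(A;;RPLCLORC;;;AU)"
        "(OA;CIIO;WP;" + MEMBER_GUID + ";;" + _DOM + "-1200)"
        "(OA;;WP;11111111-2222-3333-4444-555555555555;;AO)"
    ),
    "CN=Lunch-Club,OU=DLs,DC=example,DC=com": (
        "O:DAG:DAD:"
        "(OA;;SW;" + MEMBER_GUID + ";;AU)"
        "(A;;0x20;;;" + _DOM + "-1300)"
        "(OD;;WP;" + MEMBER_GUID + ";;" + _DOM + "-1400)"
    ),
}


def to_csv(dump):
    """Render {dn: sddl} as CSV rows of dl, trustee, reason."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["dl", "trustee", "reason"])
    for dn, sddl in dump.items():
        for trustee, reason in membership_writers(sddl):
            writer.writerow([dn, trustee, reason])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE), end="")
```

Flags are tokenized in pairs rather than substring-matched because a flag string such as CIOI contains the letters "IO" without being inherit-only.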


RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Brian Desmond









I think they have a subscription type thing. The WebSense at work tells
you what the site is blocked under usually. Does SurfControl do that?

 

If I had to make a guess, I’d say somebody reported your postcard:

 


 
  
Adult/Sexually Explicit

- Adult products including sex toys, CD-ROMs, and videos
- Child Pornography/Pedophilia*
- Adult services including videoconferencing, escort services, and strip clubs
- Erotic stories and textual descriptions of sexual acts
- Explicit cartoons and animation
- Online groups, including newsgroups and forums, that are sexually explicit
  in nature
- Sexually-oriented or erotic full or partial nudity
- Depictions or images of sexual acts, including animals or inanimate objects
  used in a sexual manner
- Sexually exploitive or sexually violent text or graphics
- Bondage, fetishes, genital piercing
- Naturist sites that feature nudity
- Erotic or fetish photography, which depicts nudity

NOTE: We do not include sites regarding sexual health, breast cancer, or
sexually transmitted diseases (except in graphic examples).

* SurfControl sends all child-oriented erotic sites to global advocacy groups,
including the Australian Broadcasting Authority (AU), Bundesministerium für
Inneres (AT), Internet Watch Foundation (UK), Interpol, Meldpunt (NL) and the
National Center for Missing and Exploited Children (US).
  
 


 

 

 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Interesting. Is that controlled locally or
is that some blacklist service type item?

 

I am digging around also. I think
with some small mods, the script I wrote for dumping ACLs for AD objects
for AD3E could be used for this to generate a CSV with DLs and their perms. It
could probably further be filtered to only show ACEs with the ability to modify
membership. It is going to be considerably slower than adfind though because it
is using ADO
and ADSI.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions

GASP

Joeware.net is suddenly blocked by
SurfCONTROL. Not kidding unfortunately  Must be that opening pic.
:-/

 

Oh well, thank God for my super top secret
“testing” DSL connection so I can get to the usage documentation
again. Now where the heck is that surf admin…

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Thanks Joe & Brian,

 

Time to take the feet down off the desk
again…K

 

MC

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005
4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions



 

Yep adfind will dump the
ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc
option. Note it will be in SDDL format which is probably one of the easier
formats for scripting but worse for reading.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
 Desmond
Sent: Friday, November 11, 2005
3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping
DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable. 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005
3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL
permissions



 

One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a named
addressee you are hereby notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so is prohibited and may be unlawful. Please reply to the
message immediately by informing the 

RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Creamer, Mark








It’s a filtering program that we use
attached to ISA server. Basically it looks at each request and lets it through
or redirects to our AUP internal web page.

 

I was on joeware.net earlier this week,
and it didn’t block me. So I just went to www.surfcontrol.com (“Test a Site”
link) to make sure it wasn’t mis-categorized, because they will change it
if found to be wrong. They have it as “Computing and Internet”.
Hmmm. So we’re blocking that category now? I don’t think so…..I’ve
asked our admin to take a look. Either way, we can override here locally.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



 

Interesting. Is that controlled locally or
is that some blacklist service type item?

 

I am digging around also. I think
with some small mods, the script I wrote for dumping ACLs for AD objects
for AD3E could be used for this to generate a CSV with DLs and their perms. It
could probably further be filtered to only show ACEs with the ability to modify
membership. It is going to be considerably slower than adfind though because it
is using ADO
and ADSI.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

GASP

Joeware.net is suddenly blocked by
SurfCONTROL. Not kidding unfortunately  Must be that opening pic.
:-/

 

Oh well, thank God for my super top secret
“testing” DSL connection so I can get to the usage documentation
again. Now where the heck is that surf admin…

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



 

Thanks Joe & Brian,

 

Time to take the feet down off the desk again…:-|

 

MC

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



 

Yep adfind will dump the
ntsecuritydescriptor and decode it if you specify the attribute and add the
-sddc option. Note it will be in SDDL format which is probably one of the
easier formats for scripting but worse for reading.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would
do the trick. I’d just query for groups with mail=* since you can have
mail enabled security groups. The ACLs, I think adfind decodes ACLs, but,
you’ll still need to parse this information into something useable.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions



 

One of our Exchange account admins wants to know if there is
a tool that would dump a list of the name of each distribution list in the GAL
along with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a named
addressee you are hereby notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so is prohibited and may be unlawful. Please reply to the
message immediately by informing the sender that the message was misdirected.
After replying, please delete and otherwise erase it and any attachments from
your computer system. Your assistance in correcting this error is appreciated.



RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread deji
I usually just look at the "managedby" attrib of any object where
objectclass='group'. If the attrib is populated, I then fetch that value and
dump it along with the displayname of the DL.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 11/11/2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions


Interesting. Is that controlled locally or is that some blacklist service
type item?
 
I am digging around also. I think with some small mods, the script I wrote
for dumping ACLs for AD objects for AD3E could be used for this to generate a
CSV with DLs and their perms. It could probably further be filtered to only
show ACEs with the ability to modify membership. It is going to be
considerably slower than adfind though because it is using ADO and ADSI.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



GASP

Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately
 Must be that opening pic. :-/

 

Oh well, thank God for my super top secret "testing" DSL connection so I can
get to the usage documentation again. Now where the heck is that surf
admin...

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

 

Thanks Joe & Brian,

 

Time to take the feet down off the desk again...:-|

 

MC

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

 

Yep adfind will dump the ntsecuritydescriptor and decode it if you specify
the attribute and add the -sddc option. Note it will be in SDDL format which
is probably one of the easier formats for scripting but worse for reading.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do
the trick. I'd just query for groups with mail=* since you can have mail
enabled security groups. The ACLs, I think adfind decodes ACLs, but, you'll
still need to parse this information into something useable.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

 

One of our Exchange account admins wants to know if there is a tool that
would dump a list of the name of each distribution list in the GAL along with
who has the ability to add or remove members on each one. Would I approach
this with a script or is there a tool I should point him towards?

 

Thanks,

Mark


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a
named addressee you are hereby notified that you are not authorized to read,
print, retain, copy or disseminate this communication without the consent of
the sender and that doing so is prohibited and may be unlawful. Please reply
to the message immediately by informing the sender that the message was
misdirected. After replying, please delete and otherwise erase it and any
attachments from your computer system. Your assistance in correcting this
error is appreciated.



Re: [ActiveDir] scripting file move issue(OT)

2005-11-11 Thread Tom Kern
Ok, I'm a scripting retard.
I can't seem to figure out how to write this-
 
the script should check the source dir which has many subdirs and look for files with an .eml extension (recursively in all the sub dirs) and then copy them to the target dir but making sure the file count is less than a 1000 and then waiting/checking to make sure the target dir is empty and then continuing the process again - copy from source, under 1000, etc... ad infinitum.

I think this is beyond my vbscript knowledge.
can anyone point me to a good source for a guide on how to implement this?

Thanks a lot.
sorry to be such a pest. 
On 11/9/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:

Rich has outlined what you'll need to do. I'd probably include an initial check of the destination folder to make sure it's empty before starting any of the copies/moves.

 

http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/default.mspx has links to snippets that will show you how to list all files in a folder (and thus get a count), as well as how to move or copy files.

 
Hunter


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)


thanks
 
i think i might need a little more assistance here.
i'm a little out of my depth 
On 11/9/05, Rich Milburn <[EMAIL PROTECTED]> wrote:

Tom,
Suggest you use FSO.MoveFile or Folder.MoveHere in vbscript to do the moving rather than xcopy.  You could enumerate files, have a for each loop with a counter, and move files until the counter is divisible by 1000 (or = 1000 and reset), sleep for 15-20 seconds, and continue.  After your sleep you could check that the destination folder is empty and if not then sleep again.

I'm assuming some familiarity with the vbscript I'm talking about, if you need more specifics just ask.
 
Rich
 
 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--

"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)

 

the source dirs take awhile to refill as they are being filled by xcopy. it copies about 4gig a batch.

The destination dir empties in about 10-15secs.

also the destination dir can only handle 1000 files at a time before being emptied.

 

thanks

 

On 11/9/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
Yes, this is scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, and how quickly is your destination directory going to get cleaned up by the different process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] scripting file move issue(OT)


I'm having a problem trying to figure out how to script or batch file something.

 

I want to move N number of files from a series of subdirectories to another dir and then wait to make sure a different process that is running will remove the files i just moved from the other dir, before moving more N number of files from a series of subdirectories to that dir and continuing the process in this manner until the series of subdirectories are empty.

can i script something like this?

would perl be better at this than vbscript?

can i do this with Robocopy? I read the docs and don't really think so but maybe someone else more familiar with it would know


 

thanks
 




---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's Intern

RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Brian Desmond
People can have the right to change DL membership through the ACL without
that managed by attribute so far as I know. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

I usually just look at the "managedby" attrib of any object where
objectclass='group'. If the attrib is populated, I then fetch that value and
dump it along with the displayname of the DL.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 11/11/2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions


Interesting. Is that controlled locally or is that some blacklist service
type item?
 
I am digging around also. I think with some small mods, the script I wrote
for dumping ACLs for AD objects for AD3E could be used for this to generate
a CSV with DLs and their perms. It could probably further be filtered to only
show ACEs with the ability to modify membership. It is going to be
considerably slower than adfind though because it is using ADO and ADSI.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



GASP

Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately
 Must be that opening pic. :-/

 

Oh well, thank God for my super top secret "testing" DSL connection so I can
get to the usage documentation again. Now where the heck is that surf
admin...

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

 

Thanks Joe & Brian,

 

Time to take the feet down off the desk again...:-|

 

MC

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

 

Yep adfind will dump the ntsecuritydescriptor and decode it if you specify
the attribute and add the -sddc option. Note it will be in SDDL format which
is probably one of the easier formats for scripting but worse for reading.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do
the trick. I'd just query for groups with mail=* since you can have mail
enabled security groups. The ACLs, I think adfind decodes ACLs, but, you'll
still need to parse this information into something useable.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

 

One of our Exchange account admins wants to know if there is a tool that
would dump a list of the name of each distribution list in the GAL along
with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

 

Thanks,

Mark


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a
named addressee you are hereby notified that you are not authorized to read,
print, retain, copy or disseminate this communication without the consent of
the sender and that doing so is prohibited and may be unlawful. Please reply
to the message immediately by informing the sender that the message was
misdirected. After replying, please delete and otherwise erase it and any
attachments from your computer system. Your assistance in correcting this
error is appreciated.



RE: [ActiveDir] scripting file move issue(OT)

2005-11-11 Thread Brian Desmond








Well, you’ll need a recursive function to do the tree walking. It
will need to take the path it should start in, and then it will call itself for
each directory in the supplied path.

Here’s some pseudo code, sorry I’m dead tired this week, so unless
someone translates this, you’ll have to paste in the missing bits - the
vbscript should be easy, just look up FileSystemObject.

 

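Option Explicit

Const SOURCE_DIR = "C:\"           ' start folder from the pseudo code
Const TARGET_DIR = "D:\Target\"    ' placeholder, set to the real target folder
Const MAX_FILES = 1000             ' most files the target may hold at once

Dim fso, copyCount
Set fso = CreateObject("Scripting.FileSystemObject")
DoStuff

Sub DoStuff
    While True ' run forever
        ' Wait until the other process has emptied the target folder
        While GetTargetCount() > 0
            WScript.Sleep 2500 ' sleep for 2500 ms, aka 2.5 s
        Wend

        copyCount = 0
        WalkTree fso.GetFolder(SOURCE_DIR)
    Wend
End Sub

Function GetTargetCount()
    GetTargetCount = fso.GetFolder(TARGET_DIR).Files.Count
End Function

Sub WalkTree(startIn) ' recursive function
    Dim file, folder
    For Each file In startIn.Files
        ' Check inside the loop so one large folder cannot overfill the batch
        If copyCount >= MAX_FILES Then Exit Sub
        CopyStuff file
        copyCount = copyCount + 1
    Next

    For Each folder In startIn.SubFolders
        If copyCount >= MAX_FILES Then Exit Sub
        WalkTree folder
    Next
End Sub

Sub CopyStuff(file)
    ' FSO CopyFile; the trailing "\" makes the destination a folder.
    ' CopyFile leaves the source in place, so the next pass finds the same files again.
    fso.CopyFile file.Path, TARGET_DIR
End Sub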

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, November 11, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)



 



Ok, I'm a scripting retard.
I can't seem to figure out how to write this-

the script should check the source dir which has many subdirs and look
for files with an .eml extension (recursively in all the sub dirs) and
then copy them to the target dir but making sure the file count is less than a
1000 and then waiting/checking to make sure the target dir is empty and then
continuing the process again - copy from source, under 1000, etc... ad infinitum.

I think this is beyond my vbscript knowledge.
can anyone point me to a good source for a guide on how to implement
this?

Thanks a lot.
sorry to be such a pest.

 





On 11/9/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:

Rich has outlined what you'll need to do.
I'd probably include an initial check of the destination folder to make sure
it's empty before starting any of the copies/moves.

http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/default.mspx has
links to snippets that will show you how to list all files in a folder (and
thus get a count), as well as how to move or copy files.

Hunter

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)








 





thanks

i think i might need a little more assistance here.
i'm a little out of my depth

On 11/9/05, Rich Milburn <[EMAIL PROTECTED]> wrote:




Tom,

Suggest you use FSO.MoveFile or Folder.MoveHere in vbscript
to do the moving rather than xcopy.  You could enumerate files, have a for
each loop with a counter, and move files until the counter is divisible by 1000
(or = 1000 and reset), sleep for 15-20 seconds, and continue.  After your
sleep you could check that the destination folder is empty and if not then
sleep again.

I'm assuming some familiarity with the vbscript I'm talking
about, if you need more specifics just ask.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--

"I am always doing that which I can not do, in order that I may learn how to
do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] scripting file move issue(OT)





 



the source dirs take awhile to refill as they are being filled by xcopy. it copies
about 4gig a batch.

The destination dir empties in about 10-15secs.

also the destination dir can only handle 1000 files at a time before being emptied.

thanks

On 11/9/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:

Yes, this is scriptable. Perl vs VBS? Either will work, so
I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, and
how quickly is your destination directory going to get cleaned up by the
different process?

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 09, 2005 11:30 AM
To: activedirectory
Subject: [ActiveDir] sc

RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread deji
Good point, Brian.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Fri 11/11/2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



People can have the right to change DL membership through the ACL without
that managed by attribute so far as I know.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

I usually just look at the "managedby" attrib of any object where
objectclass='group'. If the attrib is populated, I then fetch that value and
dump it along with the displayname of the DL.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 11/11/2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions


Interesting. Is that controlled locally or is that some blacklist service
type item?

I am digging around also. I think with some small mods, the script I wrote
for dumping ACLs for AD objects for AD3E could be used for this to generate
a CSV with DLs and their perms. It could probably further be filtered to only
show ACEs with the ability to modify membership. It is going to be
considerably slower than adfind though because it is using ADO and ADSI.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



GASP

Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately
 Must be that opening pic. :-/



Oh well, thank God for my super top secret "testing" DSL connection so I can
get to the usage documentation again. Now where the heck is that surf
admin...





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



Thanks Joe & Brian,



Time to take the feet down off the desk again...:-|



MC





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions



Yep adfind will dump the ntsecuritydescriptor and decode it if you specify
the attribute and add the -sddc option. Note it will be in SDDL format which
is probably one of the easier formats for scripting but worse for reading.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do
the trick. I'd just query for groups with mail=* since you can have mail
enabled security groups. The ACLs, I think adfind decodes ACLs, but, you'll
still need to parse this information into something useable.



Thanks,
Brian Desmond

[EMAIL PROTECTED] 



c - 312.731.3132







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions



One of our Exchange account admins wants to know if there is a tool that
would dump a list of the name of each distribution list in the GAL along
with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?



Thanks,

Mark


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a
named addressee you are hereby notified that you are not authorized to read,
print, retain, copy or disseminate this communication without the consent of
the sender and that doing so is prohibited and may be unlawful. Please reply
to the message immediately by informing the sender that the message was
misdirected. After replying, please delete and otherwise erase it and any
attachments from your computer system. Your assistance in correcting this
error is appreciated.
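
The point the thread arrives at, that rights on a DL's ACL can allow membership changes even when managedBy is empty, can be checked once a group's security descriptor is available as an SDDL string. The Python below is an added example, not code from the thread or from adfind: the function names, the sample descriptor and its SIDs are constructed for illustration, and no particular adfind output layout is assumed. It lists candidate trustees from allow ACEs only; deny ACEs and nested group membership are not evaluated.

```python
import re

# Access-mask bits behind the SDDL right codes used on directory objects.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
# schemaIDGUID of the "member" attribute (the Self-Membership validated write
# uses the same GUID) and the Membership property set that contains "member".
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"
MEMBERSHIP_SET = "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"


def parse_rights(text):
    """Turn a rights field such as 'RPWP' or '0x20' into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown SDDL right code: %r" % code)
        mask |= RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part as dicts; the SACL is ignored."""
    match = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj, _inherit_obj, trustee = fields
        aces.append({
            "type": ace_type,
            "flags": set(re.findall("..", flags)),
            "mask": parse_rights(rights),
            "object": obj.lower(),
            "trustee": trustee,
        })
    return aces


def membership_grant(ace):
    """Classify an ACE as 'direct', 'self-only', 'indirect' or None."""
    if ace["type"] not in ("A", "OA") or "IO" in ace["flags"]:
        return None  # deny/audit ACEs and inherit-only ACEs grant nothing here
    mask = ace["mask"]
    if mask & (RIGHTS["GA"] | RIGHTS["GW"]):
        return "direct"
    # An empty object GUID means "all properties".
    if mask & RIGHTS["WP"] and ace["object"] in ("", MEMBER_ATTR, MEMBERSHIP_SET):
        return "direct"
    if mask & RIGHTS["SW"] and ace["object"] in ("", MEMBER_ATTR):
        return "self-only"  # validated write: add or remove yourself only
    if mask & (RIGHTS["WD"] | RIGHTS["WO"]):
        return "indirect"   # can rewrite the ACL or take ownership first
    return None


def membership_editors(sddl):
    """Map each trustee to the set of ways it can change the member list."""
    result = {}
    for ace in parse_dacl(sddl):
        grant = membership_grant(ace)
        if grant:
            result.setdefault(ace["trustee"], set()).add(grant)
    return result


# Constructed sample: domain SID and RIDs are made up for this example.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCCDCLCSWRCWDWOSDDTLOCR;;;DA)"      # full control
    f"(OA;;WP;{MEMBER_ATTR};;{DOM}-1105)"       # write "member" only
    f"(OA;;SW;{MEMBER_ATTR};;PS)"               # self-membership
    "(A;;RPLCLORC;;;AU)"                        # read only
    f"(OA;CIIO;WP;{MEMBER_ATTR};;{DOM}-1200)"   # inherit-only, not effective here
    f"(A;;RCWD;;;{DOM}-1300)"                   # may rewrite the DACL
    f"(OD;;WP;{MEMBER_ATTR};;{DOM}-1400)"       # deny ACE
    "S:AI(AU;SA;WP;;;WD)"                       # SACL, ignored
)

if __name__ == "__main__":
    for trustee, grants in sorted(membership_editors(SAMPLE_SDDL).items()):
        print(trustee, ",".join(sorted(grants)))
```

Running the same function over every mail-enabled group's descriptor and writing trustee, group name and grant type per row gives the CSV the original question asks for.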


This e-mail transmission contai

Re: [ActiveDir] CertSvc Error **RESOLVED**

2005-11-11 Thread steve patrick



Depends -

If the backup was made on a DC which was the CA - and it is a System State backup ( recommended method for CA's ) then Yes
If the backup was made on a DC which was the CA - and it is the CA database and key(s) then no.
If the backup was made on a member server CA - no.

BTW here was the problem..

Via the certutil -ds output we see:

  DomainController    Domain Controller

as opposed to what it should look like with the OID specified like:

  DomainControllerAuthentication    1.3.6.1.4.1.311.21.8.13579500.10062976.11224470.12361654.16117480.7.1.28    Domain Controller Authentication

The DomainController template should have an attribute for msPKI-Cert-Template-OID - which it does not have.

I was curious - you can end up like this if you upgraded the CA to 2003 before you upgraded the schema to include the 2003 schema.. was this the case?

steve
 

  - Original Message -
  From: Harding, Devon
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 11, 2005 12:19 PM
  Subject: RE: [ActiveDir] CertSvc Error **RESOLVED**

  When I logged on to the CertServ as a Domain Admin in my child domain and ran
  certtmpl.msc, it said I needed to be a Domain Admin and Enterprise Admin to
  publish new templates.  I was an Enterprise Admin, but not a part of the
  Domain Admins group in the root domain.  I then Logged on as a Domain
  Admin/Enterprise Admin in the root domain and ran the command which then
  prompted me to Upgrade the templates.  No more errors.

  Now the question is this, can I now restore my CA backup or will this cause a
  problem?

  Thanks all!!!
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Bernier, Brandon 
  (.)Sent: Friday, November 
  11, 2005 2:41 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CertSvc 
  Error
   
  
  besides uninstalling 
  the CA and going through all the issues around that, why don't you blow away 
  the templetes? If you run certtmpl.msc after it will ask "This is the first 
  time you have opened Certificate Templetes, would you like to publish them in 
  Active Directory?"  say yes and then you get fresh templates. Then just 
  pick your template and republish it. This doesn't have a horrible effect 
  unless everything is re-autoenrolling at the time you do 
  this. 
  
   
  
  btw what kind of 
  templates do you have 
  published?
  
   
  
  -brandon
  
   
  
   
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Harding, DevonSent: Friday, November 11, 2005 2:17 
  PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CertSvc 
  Error
  Well all 
  the CA’s were backed up before the uninstall.  And no this did not 
  resolve the issue.  When the service is restarted, it states that none of 
  the policies could be loaded; one Event ID 77 warning for each template, like 
  so:
   
  Event 
  Type:   Warning
  Event 
  Source:    CertSvc
  Event 
  Category: None
  Event 
  ID:   
  77
  Date:    
  11/11/2005
  Time:    
  10:46:04 AM
  User:    
  N/A
  Computer: 
  SWSAD1
  Description:
  The 
  "Windows default" Policy Module logged the following warning: The 
  EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element 
  not found. 0x80070490 (WIN32: 1168).
   
   
  For more 
  information, see Help and Support Center at 
  http://go.microsoft.com/fwlink/events.asp.
   
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Bernard, 
  AricSent: Friday, November 
  11, 2005 11:49 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CertSvc 
  Error
   
  Was this 
  an upgrade from W2K?
   
  What 
  error messages are you receiving on the DC?
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of 
  [EMAIL PROTECTED]Sent: Friday, November 11, 2005 8:43 
  AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] CertSvc 
  Error
   
  
  True if 
  running in production -- thanks on the feedback of not needing to do a 
  reinstall ...
  
   
  
  Chuck
  
   
  
  
  
  __This 
  message and any attachments are solely for the intended 
  recipientand 
  may contain confidential or privileged information. If you are 
  notthe 
  intended recipient, any disclosure, copying, use or distribution 
  ofthe 
  information included in the message and any attachments 
  isprohibited. 
  If you have received this communication in error, 
  pleasenotify 
  us by reply e-mail and immediately and permanently delete 
  thismessage 
  and any attachments. Thank You. 
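The check steve describes (a template object with no msPKI-Cert-Template-OID), applied to every template at once. This is an added example, not part of the original thread: it parses an LDIF export of the Certificate Templates container, and the DC=example,DC=com naming context, the sample records and the function names are constructed for illustration.

```python
import base64

OID_ATTR = "mspki-cert-template-oid"
# Constructed naming context. A real export could come from, for example:
#   ldifde -f templates.ldf -d "<templates container DN>"
#          -r "(objectClass=pKICertificateTemplate)"
BASE = ("CN=Certificate Templates,CN=Public Key Services,CN=Services,"
        "CN=Configuration,DC=example,DC=com")

# Constructed sample LDIF; template names and the OID are those quoted in
# the thread, everything else is made up.
SAMPLE_LDIF = "\n".join([
    "dn: CN=DomainController," + BASE,
    "objectClass: top",
    "objectClass: pKICertificateTemplate",
    "cn: DomainController",
    "displayName: Domain Controller",
    "",
    "dn: CN=DomainControllerAuthentication," + BASE,
    "objectClass: top",
    "objectClass: pKICertificateTemplate",
    "cn: DomainControllerAuthentication",
    "displayName: Domain Controller Authentication",
    "msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.13579500.10062976.11224470",
    " .12361654.16117480.7.1.28",           # LDIF folded continuation line
    "",
    "dn: CN=EFSRecovery," + BASE,
    "objectClass: pKICertificateTemplate",
    "cn: EFSRecovery",
    "displayName:: " + base64.b64encode(b"EFS Recovery Agent").decode(),
    "",
])


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lower case): [values]} records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def audit_templates(ldif_text):
    """Return (cn, displayName, oid or None) for every certificate template."""
    rows = []
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "pkicertificatetemplate" not in classes:
            continue
        oid = next((v for v in rec.get(OID_ATTR, []) if v), None)
        rows.append((rec.get("cn", ["?"])[0],
                     rec.get("displayname", [""])[0], oid))
    return rows


def missing_oid(ldif_text):
    """Names of templates that have no msPKI-Cert-Template-OID value."""
    return [cn for cn, _name, oid in audit_templates(ldif_text) if oid is None]


if __name__ == "__main__":
    for cn, name, oid in audit_templates(SAMPLE_LDIF):
        print(f"{cn:32} {oid or 'MISSING msPKI-Cert-Template-OID':75} {name}")
```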
  


Re: [ActiveDir] CertSvc Error **RESOLVED**

2005-11-11 Thread steve patrick



clarification added to my Yes and No answers...

  - Original Message -
  From: steve patrick
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 11, 2005 3:29 PM
  Subject: Re: [ActiveDir] CertSvc Error **RESOLVED**

  Depends -

  If the backup was made on a DC which was the CA - and it is a System State
  backup ( recommended method for CA's ) then Yes ( you will have a problem )
  If the backup was made on a DC which was the CA - and it is the CA
  database and key(s) then no. ( you will not have a problem )
  If the backup was made on a member server CA - no. ( you will not have a
  problem )

  BTW here was the problem..

  Via the certutil -ds output we see:

    DomainController    Domain Controller

  as opposed to what it should look like with the OID specified like:

    DomainControllerAuthentication    1.3.6.1.4.1.311.21.8.13579500.10062976.11224470.12361654.16117480.7.1.28    Domain Controller Authentication

  The DomainController template should have an attribute for
  msPKI-Cert-Template-OID - which it does not have.

  I was curious - you can end up like this if you upgraded the CA to 2003
  before you upgraded the schema to include the 2003 schema.. was this the
  case?

  steve
  

[ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread David Aragon
We have just had a major change in Upper Management and I have been given a
rather rare opportunity.  As the EA, I have been asked if I need to hire more
people to better manage the AD environment.  My immediate answer was YES!
Then I got the bad news, my answer needs to have supporting documentation of
"industry standards".  I have never seen any documents relating to this
subject.  So the question is, has anyone else?  Can anyone point me to any
documents relating to "industry standards" for workload and management (e.g.
systems/tech, EA's/forest, etc.) of Active Directory (EA's, DA's, OU Admins,
Techs, etc)?  Anything published in the last couple of years would be
useful.

Thank you in advance.

David Aragon   



RE: [ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread Brian Desmond
Desk, Workstation, Access Codes, Telephone, Badge ... what else could they
possibly need?

I've yet to get a job where I'm given an industry standard 35 manhours of
work and 5 manhours of lunch per week. Let me know if you're hiring one of
those. I may be interested. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Friday, November 11, 2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD Manpower Needs

We have just had a major change in Upper Management and I have been given a
rather rare opportunity.  As the EA, I have been asked if I need to hire more
people to better manage the AD environment.  My immediate answer was YES!
Then I got the bad news, my answer needs to have supporting documentation of
"industry standards".  I have never seen any documents relating to this
subject.  So the question is, has anyone else?  Can anyone point me to any
documents relating to "industry standards" for workload and management (e.g.
systems/tech, EA's/forest, etc.) of Active Directory (EA's, DA's, OU Admins,
Techs, etc)?  Anything published in the last couple of years would be
useful.

Thank you in advance.

David Aragon   



Re: [ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I'll find the threads and send them to you but on another listserve 
there was just this discussion of how many IT people per network not 
necessarily AD though.


The answer was .

It depends.

It depended on your industry, regulation, needs, software.

Would management stop looking for industry standards when there isn't 
anything like this please?


Bottom line... the more loosey goosey your desktops were, the more 
manpower you needed for a network was the consensus.


David Aragon wrote:

We have just had a major change in Upper Management and I have been given a
rather rare opportunity.  As the EA, I have been asked if I need to hire more
people to better manage the AD environment.  My immediate answer was YES!
Then I got the bad news, my answer needs to have supporting documentation of
"industry standards".  I have never seen any documents relating to this
subject.  So the question is, has anyone else?  Can anyone point me to any
documents relating to "industry standards" for workload and management (e.g.
systems/tech, EA's/forest, etc.) of Active Directory (EA's, DA's, OU Admins,
Techs, etc)?  Anything published in the last couple of years would be
useful.

Thank you in advance.

David Aragon   



  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

SecurityFocus:
http://www.securityfocus.com/archive/132/415186/30/30/threaded


Look for the threads regarding "IT Department Size"

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
I'll find the threads and send them to you but on another listserve 
there was just this discussion of how many IT people per network not 
necessarily AD though.


The answer was .

It depends.

It depended on your industry, regulation, needs, software.

Would management stop looking for industry standards when there isn't 
anything like this please?


Bottom line... the more loosey goosey your desktops were, the more 
manpower you needed for a network was the consensus.


David Aragon wrote:
We have just had a major change in Upper Management and I have been given a
rather rare opportunity.  As the EA, I have been asked if I need to hire more
people to better manage the AD environment.  My immediate answer was YES!
Then I got the bad news, my answer needs to have supporting documentation of
"industry standards".  I have never seen any documents relating to this
subject.  So the question is, has anyone else?  Can anyone point me to any
documents relating to "industry standards" for workload and management (e.g.
systems/tech, EA's/forest, etc.) of Active Directory (EA's, DA's, OU Admins,
Techs, etc)?  Anything published in the last couple of years would be
useful.

Thank you in advance.

David Aragon  


  




--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] dumping DL permissions

2005-11-11 Thread Derek Harris



We've been using SurfControl, but I'm in the process of switching to
Websense, because SurfControl does flaky things like this a little too
frequently. It inappropriately blocks or allows access to sites, even though
they are correctly categorized.  Restart the SurfControl Webfilter service,
and the problem will probably resolve.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

It’s a filtering program that we use attached to ISA server. Basically it
looks at each request and lets it through or redirects to our AUP internal
web page.

I was on joeware.net earlier this week, and it didn’t block me. So I just
went to www.surfcontrol.com (“Test a Site” link) to make sure it wasn’t
mis-categorized, because they will change it if found to be wrong. They have
it as “Computing and Internet”. Hmmm. So we’re blocking that category now? I
don’t think so…..I’ve asked our admin to take a look. Either way, we can
override here locally.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Interesting. Is that controlled locally or is that some blacklist service
type item?

I am digging around also. I think with some small mods, the script I wrote
for dumping ACLs for AD objects for AD3E could be used for this to generate
a CSV with DLs and their perms. It could probably further be filtered to
only show ACEs with the ability to modify membership. It is going to be
considerably slower than adfind though because it is using ADO and ADSI.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

GASP
Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately.
Must be that opening pic. :-/

Oh well, thank God for my super top secret “testing” DSL connection so I can
get to the usage documentation again. Now where the heck is that surf
admin…


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Thanks Joe & Brian,

Time to take the feet down off the desk again… :-|

MC


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Yep adfind will dump the ntsecuritydescriptor and decode it if you specify
the attribute and add the -sddc option. Note it will be in SDDL format which
is probably one of the easier formats for scripting but worse for reading.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do
the trick. I’d just query for groups with mail=* since you can have mail
enabled security groups. The ACLs, I think adfind decodes ACLs, but, you’ll
still need to parse this information into something useable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

One of our Exchange account admins wants to know if there is a tool that
would dump a list of the name of each distribution list in the GAL along
with who has the ability to add or remove members on each one. Would I
approach this with a script or is there a tool I should point him towards?

Thanks,
Mark
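The parsing step Brian and joe mention (turning a group's security descriptor in SDDL form into "who can change membership"), as an added example that is not part of the original thread. It works on raw SDDL strings rather than adfind's exact output layout; the sample descriptor, its SIDs and the function names are constructed, and nested groups, ACE ordering and the owner's implicit rights are not resolved.

```python
import re

# Well-known AD GUIDs: schemaIDGUID of the 'member' attribute and the
# 'Membership' property set that contains it.
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"
MEMBERSHIP_PROPSET = "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"

# SDDL right codes used on directory objects -> access-mask bits.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
SW, WP = RIGHT_BITS["SW"], RIGHT_BITS["WP"]
GENERIC_WRITE = RIGHT_BITS["GA"] | RIGHT_BITS["GW"]


def pairs(text):
    """Split a run of two-letter SDDL codes ('CIIO' -> ['CI', 'IO'])."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def rights_mask(text):
    """Rights are either two-letter codes or a hex mask such as 0x20."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(RIGHT_BITS.get(code, 0) for code in set(pairs(text)))


def membership_aces(sddl):
    """Return (trustee, access, effect) for DACL ACEs that cover 'member'."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)) if dacl else []:
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, _inherit, trustee = fields[:6]
        if ace_type not in ("A", "OA", "D", "OD") or "IO" in pairs(flags):
            continue  # other ACE types, or inherit-only (applies to children)
        mask, obj = rights_mask(rights), obj.lower()
        if mask & GENERIC_WRITE and not obj:
            access = "write"
        elif mask & WP and obj in ("", MEMBER_ATTR, MEMBERSHIP_PROPSET):
            access = "write"
        elif mask & SW and obj in ("", MEMBER_ATTR):
            access = "self-only"  # validated write: add or remove yourself
        else:
            continue
        effect = "allow" if ace_type in ("A", "OA") else "deny"
        found.append((trustee, access, effect))
    return found


# Constructed sample: one distribution list's nTSecurityDescriptor as SDDL.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
SAMPLE = {
    "DL-Sales": "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"            # full control
    f"(OA;;WP;{MEMBER_ATTR};;{DOMAIN}-1105)"          # delegated list owner
    f"(OA;;SW;{MEMBER_ATTR};;AU)"                     # self join/leave
    "(A;;RPLCLORC;;;AU)"                              # read only
    f"(OA;CIIO;WP;{MEMBER_ATTR};;AO)"                 # inherit-only
    f"(OD;;WP;{MEMBER_ATTR};;{DOMAIN}-1106)"          # explicit deny
    "S:AI(AU;SA;WP;;;WD)",                            # SACL, ignored
}

if __name__ == "__main__":
    for group, sddl in SAMPLE.items():
        for trustee, access, effect in membership_aces(sddl):
            print(f"{group},{trustee},{access},{effect}")
```

Trustees come back as SDDL aliases (DA, AU) or raw SIDs; resolving them to names is a separate lookup against the directory.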

RE: [ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread David Adner
I'd focus less on industry standards, despite that being what mgmt asked
for, and instead try to quantify what you actually need and how it would
benefit the org (ie: save money in the end, speed things up, improve
dependability, etc).  For example, you might say Projects A, B, C and D are
on hold or severely behind schedule because of a lack of engineering
resources and that if we had X more bodies we could ...

Or, hit them where it works.  Find a pet technology that they think they
can't live without and document how it can't happen without more staff.

If you've been hit by any major issues in the past that a lack of manpower
could be a factor, document that, too.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
> Sent: Friday, November 11, 2005 7:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: AD Manpower Needs
> 
> We have just had a major change in Upper Management and I 
> have been given a rather rare opportunity.  As the EA, I have 
> been asked if I need to hire more people to better manage the AD 
> environment.  My immediate answer was YES!
> Then I got the bad news, my answer needs to have supporting 
> documentation of "industry standards".  I have never seen any 
> documents relating to this subject.  So the question is, has 
> anyone else?  Can anyone point me to any documents relating 
> to "industry standards" for workload and management (e.g.
> systems/tech, EA's/forest, etc.) of Active Directory (EA's, 
> DA's, OU Admins, Techs, etc)?  Anything published in the last 
> couple of years would be useful.
> 
> Thank you in advance.
> 
> David Aragon   
> 



RE: [ActiveDir] OT: AD Manpower Needs

2005-11-11 Thread deji
For staffing requirement, you'd want to model your needs against "Best
Practices" of AD operations and delegation, especially if you are being asked
for "industry standards".
 
If you do that, you'd want to read:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx#EFAA
and
http://www.microsoft.com/resources/documentation/msa/edc/all/solution/en-us/rak/rag/edcrag08.mspx

to get an understanding of the concepts of roles separation, things like
autonomy and isolation, data admin vs service admins, forest owner vs domain
owner, etc.
 
When you do that, then you can make an argument to management that "Best
Practices" dictate that you need to separate some functions that are
currently combined and you need to bring in more people to do that.
 
Of course, all this depends on the size of your enterprise.
 
Good luck.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of David Aragon
Sent: Fri 11/11/2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD Manpower Needs



We have just had a major change in Upper Management and I have been given a
rather rare opportunity.  As the EA, I have been asked if I need to hire more
people to better manage the AD environment.  My immediate answer was YES!
Then I got the bad news, my answer needs to have supporting documentation of
"industry standards".  I have never seen any documents relating to this
subject.  So the question is, has anyone else?  Can anyone point me to any
documents relating to "industry standards" for workload and management (e.g.
systems/tech, EA's/forest, etc.) of Active Directory (EA's, DA's, OU Admins,
Techs, etc)?  Anything published in the last couple of years would be
useful.

Thank you in advance.

David Aragon  
