RE: [ActiveDir] dsHeuristics and list object access mode
right - thanks for the clarification Dean

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, December 15, 2005 03:18
To: Send - AD mailing list
Subject: RE: [ActiveDir] dsHeuristics and list object access mode

To clarify, note the syntax of dsHeuristics (Unicode string) ... it requires that you enter a sequence of characters (bytes not bits ... nor the decimal representation of those bits), e.g. - 01000.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, December 14, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dsHeuristics and list object access mode

The DSheuristics setting activates or de-activates the List Object permission, not the List Contents permission - however, you have to use both in conjunction to reach most goals in respect to hiding data in AD. I've created this table for other stuff I'm working on to clarify the confusion a bit. (btw, the first two bits of this setting are also important, but not for permissioning - they control name resolution during AD searches.)

/Guido

Granted Permissions on Organizational Unit: List Contents and List Object
Granted Permissions on Child Objects: N/A
Result: The List Object permission on the OU makes the OU visible. As List Contents is also granted to the OU, this will take precedence over any missing List Object permissions for child objects and AD will automatically list all objects in the container. A delegated administrator can browse to the OU and all child objects with ADUC. An LDAP query for all objects will return the OU and ALL child objects.

Granted Permissions on Organizational Unit: List Object (List Contents not granted or denied)
Granted Permissions on Child Objects: List Object
Result: The List Object permission on the OU makes the OU visible. If List Contents is not granted or if it is denied AND if List Object is granted to the container object (OU), AD will evaluate the List Object permission for the child objects and only list those where the List Object (or Read) permission has been granted. A delegated administrator can browse to the OU with ADUC and selected child objects. An LDAP query for all objects will return the OU and only those child objects where List Object permissions have been granted.

Granted Permissions on Organizational Unit: List Contents (List Object not granted or denied)
Granted Permissions on Child Objects: N/A
Result: The OU will NOT be visible. As List Contents is granted to the OU, this will take precedence over any missing List Object permissions for child objects and AD will automatically list all objects in the container. A delegated administrator cannot browse to the OU or child objects in ADUC. An LDAP query for all objects will NOT return the OU object, but ALL of its child objects.

Granted Permissions on Organizational Unit: Neither List Contents nor List Object is granted
Granted Permissions on Child Objects: N/A
Result: The OU will NOT be visible. As neither List Contents nor List Object is granted to the container object (OU), AD will NOT evaluate any permission of the child objects. A delegated administrator cannot browse to the OU or child objects in ADUC. An LDAP query for all objects will NOT return the OU or any of its child objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Wednesday, December 14, 2005 16:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dsHeuristics and list object access mode

dsHeuristics can be used to control whether the 'list contents' ACE has an effect. So if the attribute is set to 001 then this means that if you haven't got list contents permission on a container then you can't see what's under it. Whereas if dsHeuristics is the equivalent of 000 then list contents doesn't matter so much and you can see what's under a container without explicit list contents rights just as an authenticated user.

At least this is what I've finally arrived at by reading different contradictory sources. I'm still a bit sceptical about all of this, indeed I reckon that somewhere along the various cut and paste jobs someone has got totally the wrong idea. So this has all started me off doing some experimenting. No matter what state the dsHeuristics attribute is set to - not set, 000 or 001 (not set being the equivalent of all zeros) - removal of the list contents right stops someone looking at what lives under the object. Likewise granting it lets whoever has the permission go through the contents. So I'm looking for some clarification from practical experience as I no longer believe the spin that says you need
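As an added illustration (not code from the thread or from Microsoft), the following Python models the two points the thread settles on: dsHeuristics is a character string whose third character turns List Object mode on, and in that mode OU and child visibility follow the four rows of Guido's table. The Grants class, the object names and the handling of the default mode (where the thread only says List Contents on the container governs the children) are assumptions.

```python
"""Model of dsHeuristics List Object mode and of the OU/child visibility
rules in Guido's table. Constructed example, not code from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def list_object_mode_enabled(ds_heuristics: Optional[str]) -> bool:
    """True when the third character of dsHeuristics is '1'.

    dsHeuristics is a Unicode string: every position is one character, so
    the value is written as e.g. "001", never as an integer or a bit mask
    (Dean's point). An attribute that is not set behaves like all zeros
    (Paul's point).
    """
    if ds_heuristics is None or ds_heuristics == "":
        return False
    if not isinstance(ds_heuristics, str):
        # Catches the "decimal representation of those bits" mistake.
        raise TypeError("dsHeuristics is a character string, not a number")
    return len(ds_heuristics) >= 3 and ds_heuristics[2] == "1"


@dataclass(frozen=True)
class Grants:
    """Effective rights a delegated admin holds on one object (assumed
    shape). list_object also stands for Read, which the table treats as
    equivalent for child objects."""
    list_contents: bool = False
    list_object: bool = False


def visible_objects(ds_heuristics: Optional[str], ou: Grants,
                    children: Dict[str, Grants]) -> Tuple[Optional[bool], List[str]]:
    """Return (OU visible?, names of children returned) for an LDAP query
    for all objects under the OU.

    OU visibility is None in the default mode: the thread does not say what
    governs it there, only List Object mode follows the four-row table.
    """
    if not list_object_mode_enabled(ds_heuristics):
        # Default mode: List Object is not evaluated. Paul's experiment:
        # List Contents on the container alone decides whether children show.
        return None, sorted(children) if ou.list_contents else []
    if ou.list_contents:
        # Rows 1 and 3: List Contents on the OU lists every child regardless
        # of the children's own ACEs; List Object on the OU decides the OU.
        return ou.list_object, sorted(children)
    if ou.list_object:
        # Row 2: OU visible; AD now evaluates each child's own List Object.
        return True, sorted(n for n, g in children.items() if g.list_object)
    # Row 4: nothing on the container, so nothing below it is evaluated.
    return False, []


if __name__ == "__main__":
    # Constructed sample: two users under an OU, only one with List Object.
    kids = {"CN=alice": Grants(), "CN=bob": Grants(list_object=True)}
    for mode in (None, "000", "001"):
        for ou in (Grants(True, True), Grants(list_object=True),
                   Grants(list_contents=True), Grants()):
            print(mode, ou, visible_objects(mode, ou, kids))
```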
RE: [ActiveDir] FSMO Role Transfer GUI
What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty-Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.

Thanks,
JD

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Viewing delegates?
You can use this:

    acldiag OU=your_ou,DC=domain,DC=com /chkdeleg /skip

This will check whether the Delegation of Control Wizard has been run for an object. Acldiag can be run by anybody, but the results of the output will depend on the user's right to view ACLs of the object you are querying.

Cheers,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Wednesday, December 14, 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Viewing delegates?

Windows 2003 AD

How do you go about viewing the users you have set as delegates for an OU? I set up a test earlier with a delegate on a test OU, it worked but I don't see where you can see who is a delegate.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Fully Own a User
Hi,

What I do when I exmerge is that I set the Administrative account full mailbox access. The account must be enabled and the "hide from Exchange address book" option unchecked. Note that it takes some time to replicate the changes. Log in as the administrative account to exmerge.

Hope this helps

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User

Hi -

I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control?

Thanks.

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005
RE: [ActiveDir] Fully Own a User
You've hit the masterAccountSID problem that crops up when a mailbox-enabled account gets disabled.

http://support.microsoft.com/default.aspx?scid=kb;en-us;278966

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User

Hi -

I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control?

Thanks.
RE: [ActiveDir] Fully Own a User
Hi there,

looks like you've hit the problem of disabling accounts. Basically, because you've disabled the account(s) you want to exmerge, no-one can access them. I think you'll be fine if you enable them and try again. One other thing to make sure of though: confirm they're not hidden from the GAL as exmerge can't find the mailbox if it is.

Tim.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Thu 15/12/2005 00:44
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] Fully Own a User

Hi -

I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control?

Thanks.
RE: [ActiveDir] Reducing number of Global Catalogs
No, we are sticking with the same names and so far we have had no issues. I make sure all records referring to the DC are removed before renaming the new machine and running dcpromo.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, December 14, 2005 5:39 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

Are you going to use new netbios names for the DCs?

-----Original Message-----
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 16:07:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Appreciate the input, it verified what I had thought. But when I started seeing if single domain, etc. well I had to ask. And yes refreshing = dcpromo out and dcpromo on new HW.

Thanks
Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 14, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

The IM is a domain FSMO role. So the only concern is WITHIN the domain. No matter what forest structure you have, for each domain the following applies:

* If all DCs in a domain are GCs, there is no other choice where to put the IM. So no issue here.
* If at least other DCs in a domain (besides the IM) are not GCs, then the IM should not be on a GC.

Your method will work as long as the last DC that is not a GC being refreshed (do you mean re-installed?) is also the IM.

cheers
Jorge

From: [EMAIL PROTECTED] on behalf of Simpsen, Paul A. (HSC)
Sent: Wed 12/14/2005 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Let me ask if there is any issue with IM if all your DCs are GCs in your domain, which is a child, but not all the DCs in the forest are GCs? We have been refreshing our DCs and making all GCs but the IM is running on the last one to refresh which is not a GC.
We plan on transferring this role to a GC while we refresh the DC it currently resides on. It will be a GC when finished. Should I/we rethink this? We are at function level 2003.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Really, how so? I 'solve' it by insisting that all DCs be GCs.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 December 2005 16:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

The issue with IM on GCs is solved in Windows 2003 for multi-domain forests...

Chuck
RE: [ActiveDir] Win32Shutdown Method Win2003
Shutdown.Exe -l -t 0

But I'm sure that many other people have many other good tools to suggest.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, December 15, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

All of the below are correct. I'm running the script by itself just to work out this part. On 2003 (SP1) servers, we get the Generic Failure; on 2000 systems, it does nothing. What would be a good external tool in the meantime?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

Ok. I think we are facing a bug in the TS context with WMI. Let me investigate. I will file a bug about this. I'm gonna get back to you but this may take a little while.

I understand that:
- You are an admin of the box.
- The WMI privileges are granted in the script.
- You are TSing into a 2003 server.
- You cannot logoff or even shutdown the system with the Win32Shutdown method even with the Force (4) flag.
- In which context are you running that script? Not a logon script I presume, right? :) Can you give me more data about your scenario?
- Are you 2003 RTM or SP1?

Please answer these questions. In the meantime, you will have to shell an external tool ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

Force (4) also gives the same result. Generic Error. And does not log off the user.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method Win2003

YUP, you should add 4. Here is some code:

    ' Win32Shutdown flag values; combine them by addition
    Const LOGOFF = 0
    Const SHUTDOWN = 1
    Const REBOOT = 2
    Const FORCE = 4
    Const POWEROFF = 8

    ' The (shutdown) token in the moniker requests the shutdown privilege for this connection
    For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
        objPC.Win32Shutdown LOGOFF + FORCE
    Next

On 12/15/05, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Devon-

Are you getting an actual error or just that it doesn't work? I ran your script on my test W2003 box and it worked just fine. I ran it as administrator at the server's console. How are you running this script? At the console or in a TS session? The latter may be problematic. Also, you might want to try:

    objSystem.Win32Shutdown 4

which I think is forced logoff. That would get around issues where some process is preventing the normal logoff.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

Same error

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

On 2003? Or 2000? Hmmm ...
can you try with this :)

    objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

I still get the same error running on a server: Generic Error

It seems to be giving an error right at this point:

    objSystem.Win32Shutdown 0

Here is the whole script:

    ' strComputerName, cWMINameSpace, strUserID and strPassword are not defined in the posted script
    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    ' Request the shutdown privilege on the locator before connecting
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)
    ' The shutdown call below goes through a separate moniker connection, not objWMIServices
    Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
    For Each objSystem In objSystemSet
        objSystem.Win32Shutdown 0
    Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method Win2003

Have you tried your script as a plain admin on the server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent:
RE: [ActiveDir] FSMO Role Transfer GUI
Neil,

Essentially, you are correct. There's not a lot of difference. It does allow you to select the DC to transfer the role to, where the ADUC just tells you where it's going to end up. That's the only thing I can think of that might have appeal and is different between the two interfaces. In my environment, ADUC takes time to open, so there's some value to me in having the single source tool. Want to measure that value? Probably need a nanometer. Time saved by the few times a year we'd need to do the role change vs. the time spent working up the app probably leads to an ROI in a galaxy far far away. At any rate, it was a learning opportunity for me. If anyone derives utility from it, so much the better!

Thanks,
JD

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 2:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty-Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.
Thanks,
JD
RE: [ActiveDir] FSMO Role Transfer GUI
You can't transfer the schema or domain naming FSMOs from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty-Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.

Thanks,
JD
RE: [ActiveDir] FSMO Role Transfer GUI
Thanks. I didn't want to appear negative - I simply wanted to understand the motives for writing such a tool.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 15 December 2005 17:04
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

Neil,

Essentially, you are correct. There's not a lot of difference. It does allow you to select the DC to transfer the role to, where the ADUC just tells you where it's going to end up. That's the only thing I can think of that might have appeal and is different between the two interfaces. In my environment, ADUC takes time to open, so there's some value to me in having the single source tool. Want to measure that value? Probably need a nanometer. Time saved by the few times a year we'd need to do the role change vs. the time spent working up the app probably leads to an ROI in a galaxy far far away. At any rate, it was a learning opportunity for me. If anyone derives utility from it, so much the better!

Thanks,
JD

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 2:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty-Useful continuum.
But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.

Thanks,
JD
RE: [ActiveDir] FSMO Role Transfer GUI
... but this (new) tool cannot transfer the forest roles either. Hence my question.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 15 December 2005 17:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

You can't transfer the schema or domain naming FSMOs from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks, neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.

Thanks, JD
Re: [ActiveDir] Reducing number of Global Catalogs
Have fun, I have had some great experiences reusing DC names.

-Original Message-
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Thu, 15 Dec 2005 09:48:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

No we are sticking with the same names and so far we have had no issues. I make sure all records referring to the DC are removed before renaming the new machine and running dcpromo.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, December 14, 2005 5:39 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

Are you going to use new netbios names for the DCs?

-Original Message-
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 16:07:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Appreciate the input, it verified what I had thought. But when I started seeing if single domain, etc. well I had to ask. And yes refreshing = dcpromo out and dcpromo on new HW.

Thanks Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 14, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

The IM is a domain FSMO role. SO the only concern is WITHIN the domain. No matter what forest structure you have, for each domain the following applies:
* If all DCs in a domain are GC, there is no other choice where to put the IM. So no issue here.
* If at least one other DC in a domain (besides the IM) is not a GC, then the IM should not be on a GC.
Your method will work as long as the last DC that is not a GC being refreshed (do you mean re-installed?) is also the IM.

cheers Jorge

From: [EMAIL PROTECTED] on behalf of Simpsen, Paul A. (HSC)
Sent: Wed 12/14/2005 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Let me ask if there is any issue with IM if all your DCs are GCs in your domain, which is a child, but not all the DCs in the forest are GCs? We have been refreshing our DCs and making all GCs but the IM is running on the last one to refresh which is not a GC. We plan on transferring this role to a GC while we refresh the DC it currently resides on. It will be a GC when finished. Should I/we rethink this? We are at function level 2003.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Really, how so? I 'solve' it by insisting that all DCs be GCs.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 December 2005 16:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

The issue with IM on GCs is solved in Windows 2003 for multi-domain forests...

Chuck

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
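The two threads above (the FSMO transfer GUI that only lists the forest role holders, and Jorge's rule for where the Infrastructure Master may sit relative to Global Catalogs) can be checked with a few lines of PowerShell. This is an added example, not code from the list, from JD's tool or from Microsoft; it assumes a current RSAT ActiveDirectory module, and the function name Get-FsmoReport and its output fields are my own.

```powershell
# Added example: report all five FSMO role holders and check Infrastructure
# Master placement against the rule given in the thread. Assumes the RSAT
# ActiveDirectory module and a domain account that can read the forest and
# domain objects. Get-FsmoReport is a made-up name, not a module cmdlet.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)

    # Forest-wide roles hang off the forest object, domain roles off the domain object.
    # ADUC can only move the latter three; ntdsutil (or Move-ADDirectoryServerOperationMasterRole)
    # is needed for the first two.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    $imHost = $dom.InfrastructureMaster
    $im     = $dcs | Where-Object { $_.HostName -eq $imHost }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Jorge's rule, evaluated per domain:
    #   every DC is a GC          -> IM placement cannot matter
    #   some DC is not a GC       -> the IM must not sit on a GC
    # Chuck's note: in a single-domain forest the IM/GC question does not arise.
    $verdict = if ($forest.Domains.Count -eq 1) {
        'OK: single-domain forest, IM/GC placement is irrelevant'
    } elseif ($nonGc.Count -eq 0) {
        'OK: all DCs are GCs, there is nowhere else to put the IM'
    } elseif ($im -and $im.IsGlobalCatalog) {
        "WARNING: IM $imHost is a GC while $($nonGc.Count) DC(s) are not; move the IM to a non-GC DC"
    } else {
        'OK: IM is on a non-GC DC'
    }

    [pscustomobject]@{
        Domain    = $Domain
        Roles     = $roles
        DcsNotGc  = $nonGc.HostName
        ImVerdict = $verdict
    }
}

# Usage: Get-FsmoReport | Format-List
# Moving a forest role that ADUC cannot, e.g. the Schema Master:
#   Move-ADDirectoryServerOperationMasterRole -Identity <target DC> -OperationMasterRole SchemaMaster
```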
RE: [ActiveDir] Fully Own a User
More info here too: http://www.activedir.org/article.aspx?aid=60

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, 16 December 2005 3:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Fully Own a User

You've hit the masterAccountSID problem that crops up when a mailbox-enabled account gets disabled. http://support.microsoft.com/default.aspx?scid=kb;en-us;278966

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User

Hi, I have about 10 users that left the company. Their AD accounts are disabled. I would like to use Exmerge to archive their email to PST and then delete them. However, Exmerge kicks back an error: Error opening message store (MSEMS). These accounts have the same permissions as the users for whom Exmerge worked fine. I tried enabling one of the accounts, logged in as that user, and then tried to configure Outlook to use the account. This last step (Outlook) got rejected saying the user did not have permission to access the mailbox. So, how can I completely own this account and give my admin account full control? Thanks.

--
No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
Re: [ActiveDir] [Way OT] DNS MX load balancing questions...
That right there is enough of a reason to not run secondary weighted MX records. There would be no point if you actually had increased traffic to that MX. In theory, if you increased the anti-spam measures to be equal, what would be the point of having lower MX records other than to put valid mail to an MX on the site with the biggest amount of users (and therefore most likely, although not certainly, going to get the most email volume)? With today's spammers and other phraudsters prowling looking for weaknesses, it takes away the need for a lower weighted MX in most cases. Using a backup mail delivery system service might be a reason to use lower weighted, but I can't think of any scenarios where I host my own where I'd put out anything other than equally available, powerful and connected systems. It no longer makes a lot of sense to me in today's environments since I can't predict where the load would be sent at a given point in time. My $0.04 anyway.

Al

On 12/15/05, Steve Rochford [EMAIL PROTECTED] wrote:

Beware of the fact that many spammers now target low priority MX records on the assumption that they will be backup devices and perhaps doing less spam checking. Over the past 7 days, an average of 61% of all mail delivered to our secondary MX has been Spam compared to 39% of that to the 1y MX (and I suspect that the actual percentage of spam is higher - it's just not being picked up!) On the basis that nothing should be delivering to the 2y MX while the 1y is available, I've made sure that it's running ever fiercer spam catching rules in a bid to keep out the dross!

Steve

From: [EMAIL PROTECTED] on behalf of AdamT
Sent: Mon 12/12/2005 18:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Way OT] DNS MX load balancing questions...

On 12/11/05, Freddy HARTONO [EMAIL PROTECTED] wrote:

That means it makes no sense to invest in having 1 backup MX of lower priorities?

It makes perfect sense to have a backup MX of a lower priority. Most of your users may be located in New York, so you'd want most of your mail routed in that way, and would only want the mail server at your remote site in London to accept mail if NYC was down for some reason. Your London server might be sitting on a very slow connection to the outside world, or maybe it's a fairly old machine and not up to handling high loads, meaning you'd probably only want it to be used in an emergency.

--
AdamT
Maidenhead is *not* in Kent
[ActiveDir] Interforest Password Migration
I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users, however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied". I have the password export service on the source machine running as the administrator on the target machine. The trusts seem to verify OK, anyone have any idea?

Thanks Lloyd
RE: [ActiveDir] Interforest Password Migration
Is there a firewall between the target DC and the PDC with the PES on it?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Thursday, December 15, 2005 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interforest Password Migration

I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users, however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied". I have the password export service on the source machine running as the administrator on the target machine. The trusts seem to verify OK, anyone have any idea?

Thanks Lloyd
RE: [ActiveDir] Interforest Password Migration
No, there was a local firewall on both but I disabled them as part of the troubleshooting process.

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Thu 12/15/2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Interforest Password Migration

Is there a firewall between the target DC and the PDC with the PES on it?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Thursday, December 15, 2005 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interforest Password Migration

I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users, however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied". I have the password export service on the source machine running as the administrator on the target machine. The trusts seem to verify OK, anyone have any idea?

Thanks Lloyd