RE: [ActiveDir] dsHeuristics and list object access mode

2005-12-15 Thread Grillenmeier, Guido



right - thanks for the clarification 
Dean


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, 15 December 2005 03:18
To: Send - AD mailing list
Subject: RE: [ActiveDir] dsHeuristics and list object access mode

To clarify, note the syntax of dsHeuristics (Unicode string) ... it requires
that you enter a sequence of characters (bytes not bits ... nor the decimal
representation of those bits), e.g. - 01000.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, December 14, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dsHeuristics and list object access mode

The dsHeuristics setting activates or de-activates the List Object
permission, not the List Contents permission - however, you have to use both
in conjunction to reach most goals in respect to hiding data in AD. I've
created this table for other stuff I'm working on to clarify the confusion
a bit.

(btw, the first two bits of this setting are also important, but not for
permissioning - they control name resolution during AD searches.)

/Guido




  
  

Granted Permissions on Organizational Unit: List Contents and List Object
Granted Permissions on Child Objects: N/A
Result:
- The List Object permission on the OU makes the OU visible. As List Contents
  is also granted to the OU, this will take precedence over any missing List
  Object permissions for child objects and AD will automatically list all
  objects in the container.
- A delegated administrator can browse to the OU and all child objects with
  ADUC.
- An LDAP query for all objects will return the OU and ALL child objects.

Granted Permissions on Organizational Unit: List Object (List Contents not
granted or denied)
Granted Permissions on Child Objects: List Object
Result:
- The List Object permission on the OU makes the OU visible. If List Contents
  is not granted or if it is denied AND if List Object is granted to the
  container object (OU), AD will evaluate the List Object permission for the
  child objects and only list those where the List Object (or Read)
  permission has been granted.
- A delegated administrator can browse to the OU with ADUC and selected
  child objects.
- An LDAP query for all objects will return the OU and only those child
  objects where List Object permissions have been granted.

Granted Permissions on Organizational Unit: List Contents (List Object not
granted or denied)
Granted Permissions on Child Objects: N/A
Result:
- The OU will NOT be visible. As List Contents is granted to the OU, this
  will take precedence over any missing List Object permissions for child
  objects and AD will automatically list all objects in the container.
- A delegated administrator cannot browse to the OU or child objects in ADUC.
- An LDAP query for all objects will NOT return the OU object, but ALL of its
  child objects.

Granted Permissions on Organizational Unit: Neither List Contents nor List
Object is granted
Granted Permissions on Child Objects: N/A
Result:
- The OU will NOT be visible. As neither List Contents nor List Object is
  granted to the container object (OU), AD will NOT evaluate any permission
  of the child objects.
- A delegated administrator cannot browse to the OU or child objects in ADUC.
- An LDAP query for all objects will NOT return the OU or any of its child
  objects.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Wednesday, 14 December 2005 16:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dsHeuristics and list object access mode


dsHeuristics can be used to control whether the 'list contents' ACE has an
effect. So if the attribute is set to 001 then this means that if you haven't
got list contents permission on a container then you can't see what's under
it. Whereas if dsHeuristics is the equivalent of 000 then list contents
doesn't matter so much and you can see what's under a container without
explicit list contents rights just as an authenticated user.

At least this is what I've finally arrived at by reading different
contradictory sources. I'm still a bit sceptical about all of this; indeed I
reckon that somewhere along the various cut and paste jobs someone has got
totally the wrong idea. So this has all started me off doing some
experimenting.

No matter what state the dsHeuristics attribute is set to (not set, 000 or
001, with not set being the equivalent of all zeros), removal of the list
contents right stops someone looking at what lives under the object. Likewise
granting it lets whoever has the permission go through the contents.

So I'm looking for some clarification from practical experience as I no
longer believe the spin that says you need
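As an added example (not code from the thread), the following Python models the four rows of Guido's table together with the dsHeuristics gate discussed above: the third character of the string set to '1' (the "001" from the original post) turns List Object mode on, and an unset attribute behaves like all zeros. The permission labels LC, LO and READ and the sample child objects are constructed for the illustration.

```python
# Added example: a paper model of AD's List Contents / List Object visibility
# rules as laid out in Guido's table, gated by the dsHeuristics List Object
# mode character. Constructed labels: "LC" = List Contents, "LO" = List Object,
# "READ" = Read. Sample objects below are constructed too.

def list_object_mode(ds_heuristics):
    """True when List Object mode is on.

    dsHeuristics is a Unicode string of characters, not bits; the third
    character set to '1' (e.g. "001") enables List Object mode. An unset
    attribute (None or "") behaves like all zeros.
    """
    value = ds_heuristics or ""
    return len(value) >= 3 and value[2] == "1"


def evaluate(ds_heuristics, ou_perms, children, parent_perms=frozenset()):
    """Return (ou_visible, sorted names of child objects that get listed).

    ou_perms, parent_perms and each child's perms are the sets of permission
    labels the delegated user holds on that object. Rules from the table:
      * List Contents on the OU lists every child, whatever the children's ACEs.
      * Otherwise, only in List Object mode and only if List Object is granted
        on the OU, children are listed individually where List Object (or Read)
        is granted on the child.
      * With neither, child ACEs are not evaluated at all.
    The OU itself is visible if its parent grants List Contents or, in List
    Object mode, if List Object is granted on the OU.
    """
    mode_on = list_object_mode(ds_heuristics)
    ou_visible = "LC" in parent_perms or (mode_on and "LO" in ou_perms)

    if "LC" in ou_perms:
        listed = sorted(children)
    elif mode_on and "LO" in ou_perms:
        listed = sorted(name for name, perms in children.items()
                        if perms & {"LO", "READ"})
    else:
        listed = []
    return ou_visible, listed


# Constructed sample: the delegated user holds nothing on one child object and
# List Object on the other.
CHILDREN = {"userA": frozenset(), "userB": frozenset({"LO"})}

TABLE_ROWS = [
    ("List Contents and List Object", frozenset({"LC", "LO"})),
    ("List Object only",              frozenset({"LO"})),
    ("List Contents only",            frozenset({"LC"})),
    ("neither",                       frozenset()),
]


def table(ds_heuristics="001"):
    """Evaluate every row of the table for one dsHeuristics value."""
    return {label: evaluate(ds_heuristics, perms, CHILDREN)
            for label, perms in TABLE_ROWS}


if __name__ == "__main__":
    for setting in ("001", "000", None):
        print(f"dsHeuristics={setting!r}")
        for label, (ou_visible, listed) in table(setting).items():
            print(f"  {label:30} OU visible={str(ou_visible):5} listed={listed}")
```

With "000" or an unset attribute the List Object rows collapse to "nothing listed", which is the behaviour the original post reports from its experiments.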

RE: [ActiveDir] FSMO Role Transfer GUI

2005-12-15 Thread neil.ruston



What are the advantages/benefits of this UI vs UC? 


I can transfer all domain roles from that UI 
today?

Thanks,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me
at [EMAIL PROTECTED] and I'll send you a copy.

Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an
exercise in working with external exe and discovering the McAfee sees some of
the .net code as buffer overflows and keeps text from showing up in
combo-boxes. That was fun. I'd rate the app towards the novelty side of the
Novelty  Useful continuum. But hey, it's a better use of email and time than
Elf Bowling! Works in both my test and production environment.

Oh, also only transfers the domain roles. Does not transfer the schema owner
or domain role owner, but does list the DCs holding those roles.
Thanks, 

JD
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.





RE: [ActiveDir] Viewing delegates?

2005-12-15 Thread TIROA YANN
You can use this:

acldiag OU=your_ou,DC=domain,DC=com /chkdeleg _skip

This will check whether the Delegation of Control Wizard has been run for an 
object.
Acldiag can be run by anybody, but the results of the output will depend on
the user's right to view ACLs of the object you are querying.

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Wednesday, 14 December 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Viewing delegates?

Windows 2003 AD

How do you go about viewing the users you have set as delegates for an OU?
 
I set up a test earlier with a delegate on a test OU; it worked, but I don't
see where you can see who is a delegate.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Fully Own a User

2005-12-15 Thread Bruyere, Michel








Hi,

What I do when I exmerge is that I give the Administrative account full
mailbox access. The account must be enabled and "hide from Exchange address
book" unchecked.

Note that it takes some time to replicate the changes. Log in as the
administrative account to exmerge.

Hope this helps













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User





Hi –

I have about 10 users that left the company. Their AD accounts are disabled.
I would like to use Exmerge to archive their email to PST and then delete
them. However, Exmerge kicks back an error: Error opening message store
(MSEMS). These accounts have the same permissions as the users for whom
Exmerge worked fine. I tried enabling one of the accounts, logged in as that
user, and then tried to configure Outlook to use the account. This last step
(Outlook) got rejected saying the user did not have permission to access the
mailbox.

So, how can I completely own this account and give my admin account full
control?

Thanks.










--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.13.13/199 - Release Date: 12/13/2005
 

RE: [ActiveDir] Fully Own a User

2005-12-15 Thread Coleman, Hunter



You've hit the masterAccountSID problem that crops up when a mailbox-enabled
account gets disabled.
http://support.microsoft.com/default.aspx?scid=kb;en-us;278966


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User




RE: [ActiveDir] Fully Own a User

2005-12-15 Thread Tim Sutton
Hi there,

Looks like you've hit the problem of disabling accounts. Basically, because
you've disabled the account(s) you want to exmerge, no-one can access them. I
think you'll be fine if you enable them and try again.

One other thing to make sure of though: confirm they're not hidden from the
GAL, as exmerge can't find the mailbox if it is.

Tim.


-Original Message-
From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Thu 15/12/2005 00:44
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] Fully Own a User

RE: [ActiveDir] Reducing number of Global Catalogs

2005-12-15 Thread Simpsen, Paul A. (HSC)
No we are sticking with the same names and so far we have had no issues.
I make sure all records referring to the DC are removed before renaming
the new machine and running dcpromo. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, December 14, 2005 5:39 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

Are you going to use new NetBIOS names for the DCs?

-Original Message-
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 16:07:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Appreciate the input, it verified what I had thought. But when I started
seeing if single domain, etc. well I had to ask. And yes refreshing =
dcpromo out and dcpromo on new HW.

Thanks

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 14, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

The IM is a domain FSMO role. So the only concern is WITHIN the domain.

No matter what forest structure you have, for each domain the following
applies:

* If all DCs in a domain are GCs, there is no other choice where to put the
  IM. So no issue here.

* If at least one other DC in the domain (besides the IM) is not a GC, then
  the IM should not be on a GC.

Your method will work as long as the last DC that is not a GC being
refreshed (do you mean re-installed?) is also the IM.

cheers

Jorge

From: [EMAIL PROTECTED] on behalf of Simpsen, Paul A. (HSC)
Sent: Wed 12/14/2005 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Let me ask if there is any issue with IM if all your DCs are GCs in your
domain, which is a child, but not all the DCs in the forest are GCs? We have
been refreshing our DCs and making all GCs, but the IM is running on the last
one to refresh, which is not a GC. We plan on transferring this role to a GC
while we refresh the DC it currently resides on. It will be a GC when
finished. Should I/we rethink this? We are at functional level 2003.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Really, how so?

I 'solve' it by insisting that all DCs be GCs.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 December 2005 16:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

The issue with IM on GCs is solved in Windows 2003 for multi-domain
forests...

Chuck
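As an added example (not code from the thread), the following Python encodes the Infrastructure Master placement rule Jorge states for a single domain and walks a DC refresh plan of the kind Paul describes through it one step at a time; the DC names and the refresh order are constructed.

```python
# Added example: check the Infrastructure Master (IM) placement rule from the
# thread and replay a "dcpromo out, dcpromo back in as a GC" refresh plan
# against it. DC names and the order of refresh are constructed.

def im_placement_issue(dcs, im_holder):
    """Return None if the IM placement is fine, else a description of the problem.

    dcs: dict of DC name -> True if that DC is a Global Catalog.
    Rule: if every DC in the domain is a GC there is no other choice, so no
    issue; if at least one other DC is not a GC, the IM must not sit on a GC.
    """
    if im_holder not in dcs:
        raise ValueError(f"IM holder {im_holder!r} is not a DC of this domain")
    if not dcs[im_holder]:
        return None                      # IM on a non-GC is always fine
    non_gcs = sorted(name for name, is_gc in dcs.items() if not is_gc)
    if not non_gcs:
        return None                      # all DCs are GCs: nowhere else to put it
    return f"IM on GC {im_holder} while non-GC DCs exist: {', '.join(non_gcs)}"


def simulate_refresh(dcs, im_holder, order):
    """Refresh the DCs in `order`, each coming back as a GC.

    Before a DC holding the IM is demoted, the role is transferred to an
    existing GC (the plan described in the thread). Returns the placement
    issues seen after each demotion and promotion; an empty list means the
    plan never violates the rule.
    """
    state = dict(dcs)
    issues = []
    for dc in order:
        if dc == im_holder:
            gcs = [name for name, is_gc in state.items() if is_gc and name != dc]
            if not gcs:
                raise RuntimeError("no GC available to receive the IM role")
            im_holder = gcs[0]           # transfer the role before demoting
        del state[dc]                    # dcpromo out
        problem = im_placement_issue(state, im_holder)
        if problem:
            issues.append(f"after demoting {dc}: {problem}")
        state[dc] = True                 # dcpromo back in, this time as a GC
        problem = im_placement_issue(state, im_holder)
        if problem:
            issues.append(f"after promoting {dc}: {problem}")
    return issues


if __name__ == "__main__":
    # IM on the last non-GC to be refreshed: the plan stays clean throughout.
    print(simulate_refresh({"DC1": False, "DC2": False, "DC3": False},
                           "DC3", ["DC1", "DC2", "DC3"]))
    # IM refreshed first while a non-GC remains: the rule is broken mid-way.
    print(simulate_refresh({"DC1": False, "DC2": True, "DC3": False},
                           "DC1", ["DC1", "DC3"]))
```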


RE: [ActiveDir] Win32Shutdown Method Win2003

2005-12-15 Thread Alain Lissoir



Shutdown.Exe -l -t 0

But I'm sure that many other people have many other good tools to suggest.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, December 15, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003


All of the below are correct. I'm running the script by itself just to work
out this part. On 2003 (SP1) servers we get the Generic Failure; on 2000
systems it does nothing.

What would be a good external tool in the meantime?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003


Ok. I think we are facing a bug in the TS context with WMI. Let me
investigate. I will file a bug about this. I'm going to get back to you, but
this may take a little while.

I understand that:

- You are an admin of the box.
- The WMI privileges are granted in the script.
- You are TSing into a 2003 server.
- You cannot log off or even shut down the system with the Win32Shutdown
  method, even with the Force (4) flag.
- In which context are you running that script? Not a logon script I presume,
  right? :) Can you give me more data about your scenario?
- Are you on 2003 RTM or SP1?

Please answer these questions.

In the meantime, you will have to shell an external tool ...




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003

Force (4) also gives the same result. Generic Error. And does not log off the
user.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win32Shutdown Method  Win2003

YUP, you should add 4. Here is some code:

    ' Win32Shutdown flag values; combine them by adding
    Const LOGOFF = 0
    Const SHUTDOWN = 1
    Const REBOOT = 2
    Const FORCE = 4
    Const POWEROFF = 8

    ' Bind with the (shutdown) privilege enabled and force a logoff
    For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
        objPC.Win32Shutdown LOGOFF + FORCE
    Next


On 12/15/05, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Devon-

Are you getting an actual error or just that it doesn't work? I ran your
script on my test W2003 box and it worked just fine. I ran it as
administrator at the server's console. How are you running this script? At
the console or in a TS session? The latter may be problematic. Also, you
might want to try:

    objSystem.Win32Shutdown 4

which I think is forced logoff. That would get around issues where some
process is preventing the normal logoff.

Darren





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003

Same error







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003

On 2003? Or 2000?

Hmmm ... can you try with this :)

    objWMILocator.Security_.Privileges.AddAsString "SeRemoteShutdownPrivilege", True






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003

I still get the same error running on a server:

Generic Error

It seems to be giving an error right at this point: objSystem.Win32Shutdown 0

Here is the whole script:

    ' These four values were not in the posted script; assumed here so the
    ' script runs as-is against the local machine
    strComputerName = "."
    cWMINameSpace = "root\cimv2"
    strUserID = ""          ' empty = credentials of the calling user
    strPassword = ""

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    ' Enable SeShutdownPrivilege on the locator before connecting (Alain's suggestion)
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)

    ' The loop below does not use objWMIServices; it binds a second time through a
    ' moniker, whose (Shutdown) token requests the shutdown privilege for that connection
    Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")

    For Each objSystem In objSystemSet
        objSystem.Win32Shutdown 0    ' 0 = log off the interactive user
    Next








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win32Shutdown Method  Win2003

Have you tried your script as a plain admin on server? I wonder if it is not
a question of privileges ...

Try to add to your script the following before connecting to the Root\CIMv2
namespace. Then retry ...

    Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
    objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
    Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent:
RE: [ActiveDir] FSMO Role Transfer GUI

2005-12-15 Thread WILLIAMS, J.D.








Neil,

Essentially, you are correct. There's not a lot of difference. It does allow
you to select the DC to transfer the role to, where the ADUC just tells you
where it's going to end up. That's the only thing I can think of that might
have appeal and is different between the two interfaces.

In my environment, ADUC takes time to open, so there's some value to me in
having the single source tool. Want to measure that value? Probably need a
nanometer. Time saved by the few times a year we'd need to do the role change
vs. the time spent working up the app probably leads to an ROI in a galaxy
far far away.

At any rate, it was a learning opportunity for me. If anyone derives utility
from it, so much the better!

Thanks,
JD











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 2:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI






RE: [ActiveDir] FSMO Role Transfer GUI

2005-12-15 Thread Brian Desmond








You can't transfer the schema or domain naming FSMOs from ADUC. Personally I
just use ntdsutil and know the syntax off the top of my head, but if you
don't do this often it might be useful to have a central point of control.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI






RE: [ActiveDir] FSMO Role Transfer GUI

2005-12-15 Thread neil.ruston



Thanks. I didn't want to appear negative - I simply wanted 
to understand the motives for writing such a tool. 

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 15 December 2005 17:04
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] FSMO Role Transfer GUI


Neil,

Essentially, you are 
correct. There's not a lot of difference. It does allow you to 
select the DC to transfer the role to where the ADUC just tells you where it's 
going to end up. That's the only thing I can think of that might have 
appeal and is different between the two interfaces. 


In my environment, ADUC 
takes time to open, so there's some value to me in having the single source 
tool. Want to measure that value? Probably need a nanometer. 
Time saved by the few times a year we'd need to do the role change vs. the time 
spent working up the app probably leads to an ROI in a galaxy far far away. 


At any rate, it was a 
learning opportunity for me. If anyone derives utility from it, so much 
the better!

Thanks, JD 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 15, 2005 
2:45 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO Role Transfer 
GUI

What are the 
advantages/benefits of this UI vs UC? 

I can transfer all 
domain roles from that UI today?

Thanks,
neil




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of WILLIAMS, 
J.D.Sent: 14 December 2005 
17:27To: 'ActiveDir@mail.activedir.org'Subject: [ActiveDir] FSMO Role Transfer 
GUI
Anyone interested in 
testing a FSMO Role 
Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll 
send you a copy. 
Essentially a front end for the 
NETDOM and NTDSUTIL exe and was generally an exercise in working with external 
exe and discovering the McAfee sees some of the .net code as buffer overflows 
and keeps text from showing up in combo-boxes. That was fun. I'd rate the 
app towards the novelty side of the Novelty  Useful 
continuum. But hey, it's a better use of email and time than Elf 
Bowling! Works in both my test and production 
environment.
Oh, 
also only transfers the domain roles. Does not transfer the 
schema owner or domain role owner, but does 
list the DCs holding those roles.
Thanks, 

JD

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of
companies.
RE: [ActiveDir] FSMO Role Transfer GUI

2005-12-15 Thread neil.ruston



... but this (new) tool cannot transfer 
the forest roles either.

Hence my question.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 15 December 2005 17:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI


You can't transfer the schema or domain naming FSMOs from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the 
advantages/benefits of this UI vs UC? 

I can transfer all 
domain roles from that UI today?

Thanks,
neil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI
Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy.

Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering that McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty/Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment.

Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.
Thanks, 

JD




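Brian's point above (ADUC moves only the three domain roles; the schema master and domain naming master need ntdsutil, or the Schema and Domains and Trusts snap-ins) as an added example that is not part of the thread or of JD's tool. It assumes a hypothetical target DC named DC02.corp.example.com, that the caller is in Schema Admins (for the schema master) and Enterprise Admins (for the domain naming master), and that netdom from the Windows Support Tools is on the path; the ActiveDirectory module lines at the end need Windows Server 2008 R2 or later, which did not exist when this thread was written.

```powershell
# Added example: transfer the two forest-wide FSMO roles that ADUC cannot move.
# $TargetDC is a hypothetical placeholder for the DC that should take the roles.
$TargetDC = 'DC02.corp.example.com'

# 1. Record the current holders of all five roles before changing anything, so the
#    change record shows where they came from.
netdom query fsmo

# 2. Transfer the two forest roles with ntdsutil. Every quoted argument is one line
#    typed at the ntdsutil prompts (roles -> connections -> connect -> quit back to
#    roles -> transfer ... -> quit -> quit), so the sequence is repeatable and can be
#    pasted into a change ticket verbatim. "transfer" negotiates with the current
#    holder and needs it online; "seize" is only for a holder that is gone for good,
#    and a seized-from DC must never be brought back onto the network.
#    On Windows Server 2008 and later the second command is spelled
#    'transfer naming master'.
ntdsutil 'roles' 'connections' "connect to server $TargetDC" 'quit' `
         'transfer schema master' 'transfer domain naming master' 'quit' 'quit'

# 3. Verify. Role ownership replicates like any other attribute, so other DCs may
#    report the old holder for a replication interval.
netdom query fsmo

# On Windows Server 2008 R2 or later the ActiveDirectory module does the same transfer
# without ntdsutil and lets you verify from the same session (-Force would seize).
Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

The two forest roles are the ones worth guarding: whoever holds the schema master can change the schema for the whole forest, and the domain naming master controls adding and removing domains, which is why the built-in tools gate them behind Schema Admins and Enterprise Admins rather than Domain Admins.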


Re: [ActiveDir] Reducing number of Global Catalogs

2005-12-15 Thread Mark Parris
Have fun, I have had some great experiences reusing DC names.
-Original Message-
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Thu, 15 Dec 2005 09:48:53 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

No we are sticking with the same names and so far we have had no issues.
I make sure all records referring to the DC are removed before renaming
the new machine and running dcpromo. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, December 14, 2005 5:39 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

Are you going to use new NetBIOS names for the DCs?
-Original Message-
From: Simpsen, Paul A. (HSC) [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 16:07:52 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Appreciate the input, it verified what I had thought. But when I started
seeing if single domain, etc. well I had to ask. And yes refreshing =
dcpromo out and dcpromo on new HW. 
 
Thanks

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 14, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

The IM is a domain FSMO role. So the only concern is WITHIN the domain.

No matter what forest structure you have, for each domain the following applies:

* If all DCs in a domain are GCs, there is no other choice where to put the IM. So no issue here.

* If at least one other DC in the domain (besides the IM) is not a GC, then the IM should not be on a GC.

Your method will work as long as the last DC that is not a GC being refreshed (do you mean re-installed?) is also the IM.

Cheers

Jorge
 
 
 
 
 
From: [EMAIL PROTECTED] on behalf of Simpsen, Paul A. (HSC)
Sent: Wed 12/14/2005 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs

Let me ask if there is any issue with IM if all your DCs are GCs in your domain, which is a child, but not all the DCs in the forest are GCs? We have been refreshing our DCs and making all GCs but the IM is running on the last one to refresh which is not a GC. We plan on transferring this role to a GC while we are refreshing the DC it currently resides on. It will be a GC when finished. Should I/we rethink this? We are at function level 2003.

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs
 
 
 
Really, how so?

I 'solve' it by insisting that all DCs be GCs.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 December 2005 16:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reducing number of Global Catalogs

The issue with IM on GCs is solved in Windows 2003 for multi-domain forests...

Chuck
 
 
 
 
 
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

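Jorge's placement rule for the Infrastructure Master, turned into a check, as an added example that is not part of the thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, so not available when the thread was written) and a hypothetical child domain name; the rule itself is the one Jorge states: if every DC in the domain is a GC, IM placement does not matter, otherwise the IM must not be on a GC.

```powershell
# Added example: test Jorge's IM placement rule for one domain.
# The domain name is a hypothetical placeholder.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = 'child.corp.example.com')

    $d = Get-ADDomain -Identity $Domain
    # Ask a DC of that domain for its DC list; -Server avoids answering from
    # whatever domain the shell happens to be joined to.
    $dcs   = @(Get-ADDomainController -Filter * -Server $d.PDCEmulator)
    $im    = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    $nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        IMIsGC               = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = ($nonGC.Count -eq 0)
        # The only bad state: some DC in the domain is not a GC, yet the IM sits
        # on a GC. A GC already holds a fresh copy of every cross-domain object,
        # so an IM on a GC never notices stale references and never updates the
        # non-GC DCs that depend on it.
        Misplaced            = ([bool]$im.IsGlobalCatalog -and $nonGC.Count -gt 0)
        # Where the IM could legitimately live (empty when every DC is a GC).
        CandidateHolders     = ($nonGC | ForEach-Object { $_.HostName }) -join ', '
    }
}

Test-InfrastructureMasterPlacement | Format-List
```

Run it before and after each step of a DC refresh like Paul's: the moment the last non-GC DC is rebuilt as a GC, AllDCsAreGC flips to true and the IM can sit anywhere; until then, moving the IM onto a GC shows up as Misplaced.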
RE: [ActiveDir] Fully Own a User

2005-12-15 Thread Tony Murray








More info here too:

http://www.activedir.org/article.aspx?aid=60

Tony











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, 16 December 2005 3:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Fully Own a User





You've hit the masterAccountSID
problem that crops up when a mailbox-enabled account gets disabled. http://support.microsoft.com/default.aspx?scid=kb;en-us;278966









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Noah Eiger
Sent: Wednesday, December 14, 2005 5:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fully Own a User

Hi 



I have about 10 users that left the company. Their AD
accounts are disabled. I would like to use Exmerge to archive their email to
PST and then delete them. However, Exmerge kicks back an error: Error opening
message store (MSEMS). These accounts have the same permissions as the users
for whom Exmerge worked fine. I tried enabling one of the accounts, logged in
as that user, and then tried to configure Outlook to use the account. This last
step (Outlook) got rejected saying the user did not have permission to access
the mailbox.



So, how can I completely own this account and give my admin
account full control?



Thanks.







This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.


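Hunter's diagnosis (a disabled, mailbox-enabled account with no msExchMasterAccountSid) as an added example that is not part of the thread: a query that lists every account in that state before Exmerge or an administrator tries to open the mailbox. It assumes the ActiveDirectory module and a hypothetical leavers OU; the LDAP filter is standard (userAccountControl bit 2 is ACCOUNTDISABLE, a populated homeMDB means mailbox-enabled).

```powershell
# Added example: find disabled mailbox-enabled users without msExchMasterAccountSid.
# The search base is a hypothetical placeholder.
Import-Module ActiveDirectory

function Find-DisabledMailboxWithoutMasterSid {
    param([string]$SearchBase = 'OU=Leavers,DC=corp,DC=example,DC=com')

    # userAccountControl:1.2.840.113556.1.4.803:=2  -> account is disabled
    # homeMDB=*                                     -> account has a mailbox
    # !(msExchMasterAccountSid=*)                   -> no associated external account
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              '(homeMDB=*)(!(msExchMasterAccountSid=*)))'

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
               -Properties homeMDB, msExchMasterAccountSid |
        Select-Object SamAccountName, DistinguishedName, homeMDB
}

Find-DisabledMailboxWithoutMasterSid | Format-Table -AutoSize
```

For each hit, the usual remedy is to give the mailbox an Associated External Account (SELF for an ordinary disabled leaver), which populates msExchMasterAccountSid, and then grant your own admin account Full Mailbox Access for the Exmerge run. That keeps the leaver's credential retired; the workaround Noah tried, re-enabling the account and logging on as that user, briefly resurrects an identity that was supposed to be gone.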



Re: [ActiveDir] [Way OT] DNS MX load balancing questions...

2005-12-15 Thread Al Mulnick
That right there is enough of a reason to not run secondary weighted
MX records.  There would be no point if you actually had increased
traffic to that MX.  In theory, if you increased the anti-spam
measures to be equal, what would be the point of having lower MX
records other than to put valid mail to an MX on the site with the
biggest amount of users (and therefore most likely although not
certainly going to get the most email volume?)

With today's spammers and other phraudsters prowling looking for
weaknesses, it takes away the need for a lower weighted mx in most
cases.  Using a backup mail delivery system service might be a reason
to use lower weighted, but I can't think of any scenarios where I host
my own where I'd put out anything other than equally available,
powerful and connected systems.  It no longer makes a lot of sense to
me in today's environments since I can't predict where the load would
be sent at a given point in time.

My $0.04 anyway.

Al

On 12/15/05, Steve Rochford [EMAIL PROTECTED] wrote:
 Beware of the fact that many spammers now target low priority MX records on 
 the assumption that they will be backup devices and perhaps doing less spam 
 checking.

 Over the past 7 days, an average of 61% of all mail delivered to our 
 secondary MX has been Spam compared to 39% of that to the 1y MX (and I 
 suspect that the actual percentage of spam is higher - it's just not being 
 picked up!)

 On the basis that nothing should be delivering to the 2y MX while the 1y is 
 available, I've made sure that it's running ever fiercer spam catching rules 
 in a bid to keep out the dross!

 Steve

 

 From: [EMAIL PROTECTED] on behalf of AdamT
 Sent: Mon 12/12/2005 18:13
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] [Way OT] DNS MX load balancing questions...



 On 12/11/05, Freddy HARTONO [EMAIL PROTECTED] wrote:
 
  That means it makes no sense to invest in having 1 backup MX of lower
  priorities?
 
 It makes perfect sense to have a backup MX of a lower priority.  Most
 of your users may be located in New York, so you'd want most of your
 mail routed in that way, and would only want the mail server at your
 remote site in London to accept mail if NYC was down for some reason.
 Your London server might be sitting on a very slow connection to the
 outside world, or maybe it's a fairly old machine and not up to
 handling high loads, meaning you'd probably only want it to be used in
 an emergency.

 --
 AdamT
 Maidenhead is *not* in Kent
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


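Steve's measurement (spam share on the secondary MX versus the primary) as an added example that is not part of the thread: a function that computes the same per-MX ratio from a delivery log. The log lines are constructed, with an assumed format of timestamp, receiving MX, client IP and filter verdict; the hostnames are placeholders, and the Resolve-DnsName call at the end needs Windows 8 / Server 2012 or later.

```powershell
# Added example: spam share per receiving MX, from a constructed delivery log.
# Real logs (message tracking, an appliance export) only need the -split below adjusted.
$log = @'
2005-12-15 09:00:01 mx1.example.com 203.0.113.10 ham
2005-12-15 09:00:02 mx2.example.com 198.51.100.7 spam
2005-12-15 09:00:05 mx1.example.com 203.0.113.11 spam
2005-12-15 09:00:09 mx2.example.com 198.51.100.8 spam
2005-12-15 09:00:12 mx1.example.com 203.0.113.12 ham
2005-12-15 09:00:15 mx2.example.com 198.51.100.9 ham
2005-12-15 09:00:20 mx1.example.com 203.0.113.13 ham
2005-12-15 09:00:22 mx2.example.com 198.51.100.7 spam
'@

function Get-SpamShareByMX {
    param([string[]]$Lines)

    $Lines | Where-Object { $_.Trim() } | ForEach-Object {
        # field 2 = receiving MX host, field 4 = filter verdict (assumed layout)
        $f = $_ -split '\s+'
        [pscustomobject]@{ Host = $f[2]; Verdict = $f[4] }
    } | Group-Object Host | ForEach-Object {
        $spam = @($_.Group | Where-Object { $_.Verdict -eq 'spam' }).Count
        [pscustomobject]@{
            MX       = $_.Name
            Messages = $_.Count
            Spam     = $spam
            SpamPct  = [math]::Round(100 * $spam / $_.Count, 1)
        }
    }
}

$stats = Get-SpamShareByMX ($log -split "`r?`n")
$stats | Format-Table -AutoSize

# Tie the numbers back to the published preferences: the host with the higher
# Preference value is the one that should only see traffic when the primary is down.
Resolve-DnsName -Name example.com -Type MX | Select-Object NameExchange, Preference
```

With the constructed lines the secondary (mx2) comes out at 75% spam against 25% on the primary. A gap like that while the primary was reachable the whole time is Steve's observation in numbers, and the decision it drives is the one Al and Steve describe: either filter the backup exactly as hard as the primary or do not publish it.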



[ActiveDir] Interforest Password Migration

2005-12-15 Thread Lloyd Williams



I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied".

I have the password export service on the source machine running as the administrator on the target machine.

The trusts seem to verify OK, anyone have any idea?

Thanks
Lloyd


RE: [ActiveDir] Interforest Password Migration

2005-12-15 Thread Brian Desmond








Is there a firewall between the target DC and the PDC with the PES on it?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Thursday, December 15, 2005 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interforest Password Migration





I am using ADMT v3.0 to migrate users from one 2000/2003
forest to another 2003 forest. I have no trouble migrating users however I
cannot migrate passwords. I have the password migration service installed on
the PDC of the source domain. I have generated a key in the target domain, then
used it in the source domain during the installation of the Password Migration
Service. When I use ADMT to migrate the password I get unable to
establish a session with the password export server. Access is denied

I have the password export service on the source machine
running as the administrator on the target machine.

The trusts seem to verify OK, anyone have any idea?



Thanks

Lloyd








RE: [ActiveDir] Interforest Password Migration

2005-12-15 Thread Lloyd Williams







No, there was a local firewall on both but I disabled them as part of the troubleshooting process.


From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Thu 12/15/2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Interforest Password Migration


Is there a firewall between the target DC and the PDC with the PES on it?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: Thursday, December 15, 2005 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interforest Password Migration

I am using ADMT v3.0 to migrate users from one 2000/2003 forest to another 2003 forest. I have no trouble migrating users however I cannot migrate passwords. I have the password migration service installed on the PDC of the source domain. I have generated a key in the target domain, then used it in the source domain during the installation of the Password Migration Service. When I use ADMT to migrate the password I get "unable to establish a session with the password export server. Access is denied".

I have the password export service on the source machine running as the administrator on the target machine.

The trusts seem to verify OK, anyone have any idea?

Thanks
Lloyd
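The checks behind the questions in this thread (is the PES service up and running as the target-domain admin, do the trusts verify, is a firewall in the way), collected as an added example that is not part of the thread or of ADMT. Host and domain names are hypothetical placeholders; matching the service on a display name beginning "Password Export" is an assumption, and Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later. The AllowPasswordExport check is not mentioned in the thread; it is a documented ADMT prerequisite, and the installer leaves it at 0.

```powershell
# Added example: pre-flight checks before retrying an ADMT v3 password migration
# that fails with "unable to establish a session with the password export server".
$SourcePDC    = 'PDC01.source.example.com'   # where the PES was installed (assumed)
$SourceDomain = 'source.example.com'
$TargetDomain = 'target.example.com'

# 1. The PES service exists, is running, and really logs on as the target-domain
#    admin it was configured with (StartName is the logon account).
Get-WmiObject Win32_Service -ComputerName $SourcePDC `
    -Filter "DisplayName LIKE 'Password Export%'" |
    Select-Object Name, State, StartName

# 2. Password export is explicitly enabled on the PES host. ADMT documents setting
#    this to 1 before migrating passwords and setting it back afterwards.
reg query "\\$SourcePDC\HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v AllowPasswordExport

# 3. Trust and secure channel, checked from the machine that runs ADMT and in
#    both directions, since ADMT authenticates across the trust both ways.
nltest /sc_verify:$SourceDomain
netdom trust $TargetDomain /domain:$SourceDomain /verify
netdom trust $SourceDomain /domain:$TargetDomain /verify

# 4. RPC reachability. ADMT talks to the PES over RPC: the endpoint mapper on
#    TCP 135 first, then a dynamic high port, which is what a host firewall that
#    was "disabled" in the GUI but still filtering would block.
Test-NetConnection -ComputerName $SourcePDC -Port 135
```

Two caveats worth keeping in mind while this is running: the PES hands out password hashes to anyone who can talk to it as the configured account, and that account is a target-domain administrator logging on interactively as a service on the source PDC. Install the PES only for the migration window, set AllowPasswordExport back to 0 and remove the service when the migration is done.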