RE: [ActiveDir] Script to change owner?

2006-02-01 Thread Ulf B. Simon-Weidner








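You might have to VBS that yourself.

Here are some suggestions which should show you the path:

' strDN: ADsPath of the object (LDAP://<distinguished name>)
' strUser / strPwd: credentials used for the bind
' 1 = ADS_SECURE_AUTHENTICATION
Set objDS = GetObject("LDAP:")
Set objAD = objDS.OpenDSObject(strDN, strUser, strPwd, 1)

' Read the security descriptor and replace its owner
Set objSD = objAD.Get("ntSecurityDescriptor")
objSD.Owner = strNewOwner

' Write the modified descriptor back to the directory
objAD.Put "ntSecurityDescriptor", Array(objSD)
objAD.SetInfo

There might be some settings or commands missing (for example you
can set how/what should be updated by using objAD.SetOption), but it should
work as a starting point for you.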



Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 01, 2006 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to change owner?



 

Is there anyway in script (preferred) or through the GUI to change the owner of an
object?  I realize I can seize ownership in ADUC, but I’d like to be
able to assign ownership to a 3rd party.  If need be, I can
login as that 3rd party to seize ownership, but I’d like to be
able to do it on a whole tree of objects, hence the desire to do it in script.

 

Thanks

Scotte
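
The approach sketched in the reply above, as an added PowerShell example that is not part of the original thread: it reads and writes only the owner field of the security descriptor and can walk a whole subtree. The function name, the OU and the account in the usage comment are constructed placeholders; whether the directory accepts the new owner depends on the rights of the account running it, and a refused write is reported per object.

```powershell
# Added example (not from the thread). Run from a domain-joined host.
function Set-AdObjectOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DN of the object or container to start at.
        [Parameter(Mandatory = $true)] [string] $BaseDN,
        # Account or group that should become the owner.
        [Parameter(Mandatory = $true)] [string] $NewOwner,
        # Also process every object underneath $BaseDN.
        [switch] $Recurse
    )

    # Resolve the name once; this throws if the principal does not exist.
    $account  = New-Object System.Security.Principal.NTAccount($NewOwner)
    $ownerSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $scope = if ($Recurse) { 'Subtree' } else { 'Base' }
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=*)'
    $searcher.PageSize = 500          # page results so large trees are fully returned
    $searcher.SearchScope = $scope
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $dn = [string]$result.Properties['distinguishedname'][0]
            $entry = $result.GetDirectoryEntry()
            $status = 'Skipped'
            $oldOwner = $null
            try {
                # Limit the security descriptor read/write to the owner field.
                # This is the "what should be updated" option the post mentions.
                $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner
                $sd = $entry.psbase.ObjectSecurity
                $oldOwner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])

                if ($oldOwner -eq $ownerSid) {
                    $status = 'AlreadyOwner'
                }
                elseif ($PSCmdlet.ShouldProcess($dn, "Set owner to $NewOwner")) {
                    $sd.SetOwner($ownerSid)
                    $entry.psbase.CommitChanges()
                    $status = 'Changed'
                }
            }
            catch {
                # Typically access denied: the caller may not assign this owner.
                $status = "Failed: $($_.Exception.Message)"
            }
            finally {
                $entry.psbase.Dispose()
            }
            # One record per object, so the run can be reviewed or exported.
            [pscustomobject]@{
                DistinguishedName = $dn
                OldOwner          = "$oldOwner"
                NewOwner          = $ownerSid.Value
                Status            = $status
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Dry run over a constructed OU and group; remove -WhatIf to write the change.
# Set-AdObjectOwner -BaseDN 'OU=Example,DC=example,DC=com' -NewOwner 'EXAMPLE\OU-Admins' -Recurse -WhatIf
```

Piping the output to Export-Csv before the real run keeps a record of the previous owner SIDs in case the change has to be reverted.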








Re: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Dr. Jesper Johansson
Steve Riley

Up there with the Gibson titled "rogue developers" you know.

"Protecting your Windows Network"

http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Specifically
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx#ECAA

http://www.protectyourwindowsnetwork.com/listening_room.htm

Al Mulnick wrote:


Dr J?  Irving?
 
Riley = you mean Steve of the Northwest Riley Clan? Or somebody else?  
 
I can say there are others that disagree with the idea of not having 
account lockout settings (assuming that's what was exactly said and 
not knowing the context) as well, because that option exists in the 
products.  Somebody somewhere thinks it's of value. I happen to be one 
that finds value in being able to lockout an account after a certain 
number of bad attempts.  I'm also a person that believes that the 
account should become usable again after a predefined amount of time 
without human intervention.  Why?  Because people make mistakes.  That 
shouldn't cost valuable helpdesk time.  Besides, the idea is to 
prevent automated attacks, not access to the system for normal user 
usage patterns.
 
I have to say Susan, it's an interesting perspective that you bring.  
I believe that something that acts as a guideline vs. a checklist has 
value however.  I don't see this as something that would be a 
checklist.  I'm not a beancounter (although I've played one on the 
internet a few times) but I loathe doing things because somebody else 
thought it was a good idea.  I need more information than that.  A 
guide is sometimes helpful in doing that because if nothing else it 
helps to focus my thoughts.  I use some of the books that are out 
there that way as well. Some of the books are better suited to help me 
get that glass off the top shelf though.
 
Interesting.



 
On 2/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


The problem with some of this is that books become stale...and what is
"best practices" today is not tomorrow with regulation and law changes.

Then my pet peeve is that I don't believe that you can have one best
practice. And as a beancounter whose industry and profession wrote the
book on "follow the checklist as that's the way to do things" do I need
to remind folks of the Enron case going on?

This little SBSer thinks that best practices should be a discussion
item...not a checklist to follow. And it's my opinion that too many
times we check the box and don't think. But then again I can say that
because small firms have less politics than big ones.

Example of a recommendation that I disagree with ... Dr. J and Riley say
all the time that they don't recommend account lockout settings as it's
a $75 help desk call. In SBSland.. it's never been an issue and puts a
smidge more protection given that we tend to have less layers.

Some of these decision tree kind of stuff is also discussed in the MS
pdf "Threats and Countermeasures". But even then you have to decide what
the risk is for your firm.

In my own firm, short term employees, I blew them off ages ago, long
term employees I kept the accounts around, employees that had an HR
problem... that mailbox is still sitting on my server (yeah I should pst
park it but it's easier just to disable it and leave it there).

To me these policies need to be compared with what HR issues there are
with this terminated employee, in fact we had discussion in a SANS
course that you may even want to image his/her workstation and leave it
intact for forensic purposes.


[EMAIL PROTECTED] wrote:

> Well they sure don't teach this in college courses! A list of
> questions to help define the scope of account management would be very
> useful. You could then answer the questions with the pros and cons of
> the various solutions. For example, address the Account Lockout
> policies and then answer with the options to lock out and never
> unlock, lock out and unlock after a specific time period, or not lock
> out at all. All three are options but it would be great to have a book
> that puts them all in one place with the pros/cons listed so people
> can make an informed decision and pick the option that is best for
> their situation. Tis better to give options and let someone make their
> own decisions than to make the decision for them and get blamed for it
> later down the road.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
> *Sent:* Wednesday, February 01, 2006 11:00 AM
> *To:* ActiveDir@mail.activedir.org

RE: [ActiveDir] Script to change owner?

2006-02-01 Thread Crawford, Scott








Sorry, I meant an Active Directory object.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, February 01, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to change owner?



 

subinacl.exe from microsoft.com/downloads

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 01, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to change owner?

Is there anyway in script (preferred) or through the GUI to
change the owner of an object?  I realize I can seize ownership in ADUC,
but I’d like to be able to assign ownership to a 3rd
party.  If need be, I can login as that 3rd party to seize
ownership, but I’d like to be able to do it on a whole tree of objects,
hence the desire to do it in script.

 

Thanks

Scotte








RE: [ActiveDir] Script to change owner?

2006-02-01 Thread Michael B. Smith



subinacl.exe from microsoft.com/downloads


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 01, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to change owner?


Is there anyway in script (preferred) or through the GUI to change the owner
of an object?  I realize I can seize ownership in ADUC, but I’d like to be able
to assign ownership to a 3rd party.  If need be, I can login as that 3rd party
to seize ownership, but I’d like to be able to do it on a whole tree of objects,
hence the desire to do it in script.
 
Thanks
Scotte


RE: [ActiveDir] Getting name from IP address without reverese look up Zone.

2006-02-01 Thread beads

www.dnsstuff.com

Probably more information than you'd
ever want but a good site nonetheless.



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:     (312) 762-9275


The contents contain privileged and/or confidential information intended
for the named recipient of this email. ETSI (Employee Technology Solutions,
Inc.) does not warrant that the contents of any electronically transmitted
information will remain confidential. If the reader of this email is not
the intended recipient you are hereby notified that any use, reproduction,
disclosure or distribution of the information contained in the email in
error, please reply to us immediately and delete the document. 

Viruses, Malware, Phishing and other known and unknown electronic threats:
It is the recipient/client's duties to perform virus scans and otherwise
test the information provided before loading onto any computer system.
No warranty is made that this material is free from computer virus or any
other defect.

Any loss/damage incurred by using this material is not the sender's responsibility.
Liability will be limited to resupplying the material.






"Craig A. Mills"
<[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
02/01/2006 05:47 PM
Please respond to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting name from IP address without reverese look up Zone.

NBTSTAT -A "ip address"
also nslookup
also sam spade

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Wednesday, February 01, 2006 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting name from IP address without reverese look up Zone.

I want to get host name or DNS name
using IP address from a remote machine. I do not have reverse lookup configured
on my DNS.
 
Is there any other way to get this…
like from registry or somewhere else??
 
Thanks,
Manjeet



Message scanned by TrendMicro





Re: [ActiveDir] Getting name from IP address without reverese look up Zone.

2006-02-01 Thread Tomasz Onyszko

Craig A. Mills wrote:

NBTSTAT -A "ip address"
also nslookup


NSLOOKUP without reverse zones will not be very helpful here

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Script to change owner?

2006-02-01 Thread Crawford, Scott








Thanks for the suggestion, but I looked at
dsacls originally.  The WO permission allows someone the ability to take
ownership, but doesn’t change the owner.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, February 01, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to change owner?



 

You can only take ownership of an object,
not push it onto another security principal. Look at dsacls and the
"wo" flag, running in the security context of the 3rd party.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 01, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to change owner?

Is there anyway in script (preferred) or through the GUI to
change the owner of an object?  I realize I can seize ownership in ADUC,
but I’d like to be able to assign ownership to a 3rd
party.  If need be, I can login as that 3rd party to seize
ownership, but I’d like to be able to do it on a whole tree of objects,
hence the desire to do it in script.

 

Thanks

Scotte








RE: [ActiveDir] Getting name from IP address without reverese look up Zone.

2006-02-01 Thread Craig A. Mills



NBTSTAT -A "ip address"
also nslookup
also sam spade
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Wednesday, February 01, 2006 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting name from IP address without reverese look up Zone.


I want to get host name or DNS name using IP address from a remote machine.
I do not have reverse lookup configured on my DNS.

Is there any other way to get this… like from registry or somewhere else??
 
Thanks,
Manjeet


Re: [ActiveDir] Getting name from IP address without reverese look up Zone.

2006-02-01 Thread Tomasz Onyszko

Manjeet Singh wrote:
I want to get host name or DNS name using IP address from a remote 
machine. I do not have reverse lookup configured on my DNS.


 


Is there any other way to get this… like from registry or somewhere else??



Are You looking for a way to read the machine name if You know its IP 
address without performing DNS lookup?


If yes You can use few approaches (at least few):
- first, invoke hostname.exe on this machine remotely, You can use 
psexec for this: psexec \\ hostname.exe


- second You can query it with WMI
http://www.freevbcode.com/ShowCode.asp?ID=4571
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_reference.asp

If You aren't willing to write a script you can use wmic.exe


and probably few others methods

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


[ActiveDir] Getting name from IP address without reverese look up Zone.

2006-02-01 Thread Manjeet Singh








I want to get host name or DNS name using IP address
from a remote machine. I do not have reverse lookup configured on my DNS.

 

Is there any other way to get this… like from registry
or somewhere else??

 

Thanks,

Manjeet








RE: [ActiveDir] Script to change owner?

2006-02-01 Thread Coleman, Hunter



You can only take ownership of an object, not push it onto 
another security principal. Look at dsacls and the "wo" flag, running in the 
security context of the 3rd party.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 01, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to change owner?


Is there anyway in script (preferred) or through the GUI to change the owner
of an object?  I realize I can seize ownership in ADUC, but I’d like to be able
to assign ownership to a 3rd party.  If need be, I can login as that 3rd party
to seize ownership, but I’d like to be able to do it on a whole tree of objects,
hence the desire to do it in script.
 
Thanks
Scotte


[ActiveDir] Script to change owner?

2006-02-01 Thread Crawford, Scott








Is there anyway in script (preferred) or through the GUI to
change the owner of an object?  I realize I can seize ownership in ADUC,
but I’d like to be able to assign ownership to a 3rd party. 
If need be, I can login as that 3rd party to seize ownership, but I’d
like to be able to do it on a whole tree of objects, hence the desire to do it
in script.

 

Thanks

Scotte








RE: [ActiveDir] NTFRS Problems

2006-02-01 Thread David Cliffe
I can tell you that I used this KB as my guide to restore the SYSVOL
state on one of our domains about 4 months ago and it worked just fine.

 http://support.microsoft.com/kb/315457/en-us

If the journals on your DCs are inconsistent with each other, this may
be the best way to correct it.  Best advice is to ensure that there are
no underlying replication issues first, otherwise you might just be
wasting your time!

-DaveC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 01, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS Problems

Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain
controllers and PDC while promoting a new replica DC in the domain and
it got stuck on sysvol after 145 out of 250 policies. To test further, I
created a .txt file in the sysvol on PDC and it also didn't replicate to
other DCs either. To make things even worse, the number of policies on
PDC are not the same as in other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform burflag authoritative (D4) restore on one Domain
controller with good policy contents in Sysvol and non-authoritative
(D2) restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the
lab environment but lost both the policies, scripts folders and now the
servers don't even have Sysvols. I am not comfortable doing this
operation in the production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA



To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except 
where the sender specifically states them to be the views of Reuters Ltd.



RE: [ActiveDir] Permissions are resetting

2006-02-01 Thread Ulf B. Simon-Weidner








See

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

 

Ulf



 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aguilar, Louis
Sent: Wednesday, February 01, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions are resetting



 



Everyone,

I've come across a problem with permissions in Active Directory.  When
I modify a permission on a user account or when I delegate control to a
user group the permission reset to the original setting.  I've done some
research, but have come up with nothing.  Any input is appreciated.

Please note that I'm running 2003 in Native Mode.

Thanks,

Louis



 

NOTICE OF CONFIDENTIALITY



This message, including attachments, is from Family Health
Partners.  This message contains information that may be confidential and
protected by HIPAA Privacy Regulations.  If you are not the intended
recipient, promptly delete this message and notify the sender of the delivery
error by return e-mail or call the FHP Compliance Department at
816-234-3946.  You may not forward, print, copy, distribute or use the
information in this message if you are not the intended recipient.
















RE: [ActiveDir] NTFRS Problems

2006-02-01 Thread Almeida Pinto, Jorge de
for the BURFLAGS stuff see:
MS-KBQ290762_Using the BurFlags registry key to reinitialize File Replication Service replica sets
 
Jorge



From: [EMAIL PROTECTED] on behalf of Adeel Ansari
Sent: Wed 2006-02-01 23:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS Problems



Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain controllers
and PDC while promoting a new replica DC in the domain and it got stuck on
sysvol after 145 out of 250 policies. To test further, I created a .txt file
in the sysvol on PDC and it also didn't replicate to other DCs either. To
make things even worse, the number of policies on PDC are not the same as in
other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform burflag authoritative (D4) restore on one Domain
controller with good policy contents in Sysvol and non-authoritative (D2)
restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the lab
environment but lost both the policies, scripts folders and now the servers
don't even have Sysvols. I am not comfortable doing this operation in the
production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA





This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Permissions are resetting

2006-02-01 Thread Almeida Pinto, Jorge de
I guess it is the ADMINSDHOLDER object that is bugging you...

Every hour, the Microsoft Windows domain controller that has the primary domain 
controller (PDC) emulator operations master role verifies the ACLs on members 
of these administrative groups and compares them to the ACL on the 
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is 
different, the ACLs on the members of the administrative group are reset to 
match the ACL on the AdminSDHolder object.

For more info on the ADMINSDHOLDER object see the following related KB articles 
(not all may apply to your situation!)

Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)

AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)

Delegated permissions are not available and inheritance is automatically disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)

AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
--> MS-KBQ306398 (http://support.microsoft.com/?id=306398)

Jorge



From: [EMAIL PROTECTED] on behalf of Aguilar, Louis
Sent: Wed 2006-02-01 23:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions are resetting


Everyone,
I've come across a problem with permissions in Active Directory.  When I modify 
a permission on a user account or when I delegate control to a user group the 
permission reset to the original setting.  I've done some research, but have 
come up with nothing.  Any input is appreciated.
 
Please note that I'm running 2003 in Native Mode.
 
Thanks,
Louis
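
A read-only check for the hourly AdminSDHolder reset described in the reply above, as an added PowerShell example that is not part of the original thread: it lists users and groups the process has stamped and shows whether each one has inheritance disabled and a DACL equal to AdminSDHolder's. It relies on the adminCount attribute and the CN=AdminSDHolder,CN=System container, neither of which is named in the thread, and the function name is a placeholder.

```powershell
# Added example (not from the thread). Reads only; nothing is modified.
function Get-AdminSdHolderStampedObject {
    [CmdletBinding()]
    param(
        # Domain DN; when omitted it is read from RootDSE of the current domain.
        [string] $DomainDN
    )

    if (-not $DomainDN) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $DomainDN = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
        $rootDse.psbase.Dispose()
    }

    # Helper: return the DACL of one object as SDDL plus its protection flag.
    function Get-DaclInfo([string] $AdsPath) {
        $e = New-Object System.DirectoryServices.DirectoryEntry($AdsPath)
        try {
            # Ask the directory for the DACL only; owner and SACL are not needed.
            $e.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
            $sd = $e.psbase.ObjectSecurity
            $access = [System.Security.AccessControl.AccessControlSections]::Access
            [pscustomobject]@{
                Protected = $sd.AreAccessRulesProtected   # true = inheritance disabled
                Sddl      = $sd.GetSecurityDescriptorSddlForm($access)
            }
        }
        finally {
            $e.psbase.Dispose()
        }
    }

    # The template ACL that the PDC emulator copies onto protected objects.
    $holder = Get-DaclInfo "LDAP://CN=AdminSDHolder,CN=System,$DomainDN"

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # adminCount=1 marks objects the AdminSDHolder process has stamped. The flag
    # is not cleared when an account leaves an administrative group.
    $searcher.Filter = '(&(|(objectCategory=person)(objectCategory=group))(adminCount=1))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $dacl = Get-DaclInfo $result.Path
            [pscustomobject]@{
                DistinguishedName        = [string]$result.Properties['distinguishedname'][0]
                InheritanceDisabled      = $dacl.Protected
                # String comparison of the SDDL form; a heuristic, not a full ACL diff.
                DaclMatchesAdminSDHolder = ($dacl.Sddl -eq $holder.Sddl)
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Get-AdminSdHolderStampedObject | Sort-Object DistinguishedName | Format-Table -AutoSize
```

An account that appears here with inheritance disabled and a matching DACL is one where delegated or hand-edited permissions will keep reverting, which is the symptom reported in the question.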

 


Re: [ActiveDir] Permissions are resetting

2006-02-01 Thread Kamlesh Parmar
Most common "cause"
http://support.microsoft.com/?id=817433

On 2/2/06, Aguilar, Louis <[EMAIL PROTECTED]> wrote:

Everyone,
I've come across a problem with permissions in Active Directory.  When
I modify a permission on a user account or when I delegate control to a
user group the permission reset to the original setting.  I've done some
research, but have come up with nothing.  Any input is appreciated.

Please note that I'm running 2003 in Native Mode.

Thanks,
Louis
 




-- ~"Be the change you want to see in the World"~


[ActiveDir] NTFRS Problems

2006-02-01 Thread Adeel Ansari
Hello AD Experts,

Recently, I noticed inconsistencies in Sysvol among my domain controllers
and PDC while promoting a new replica DC in the domain and it got stuck on
sysvol after 145 out of 250 policies. To test further, I created a .txt file
in the sysvol on PDC and it also didn't replicate to other DCs either. To
make things even worse, the number of policies on PDC are not the same as in
other DCs.

After hours of troubleshooting and a phone call to M$, I was told by
Microsoft to perform burflag authoritative (D4) restore on one Domain
controller with good policy contents in Sysvol and non-authoritative (D2)
restore on all the others.

Having the luxury of an AD replica lab, I performed the operation in the lab
environment but lost both the policies, scripts folders and now the servers
don't even have Sysvols. I am not comfortable doing this operation in the
production environment.

Can anyone please share their experience with burflag restores? Any best
practices? Is there another way that I can resolve this issue without
performing a burflag restore?

Any ideas / suggestions are welcomed.


Regards,
Adeel

___
Adeel Ansari - Active Directory Admin.
SLB Enterprise Services
Houston, TX USA



[ActiveDir] Permissions are resetting

2006-02-01 Thread Aguilar, Louis



Everyone,
I've come across a problem with permissions in Active Directory.  When
I modify a permission on a user account or when I delegate control to a
user group the permission reset to the original setting.  I've done some
research, but have come up with nothing.  Any input is appreciated.

Please note that I'm running 2003 in Native Mode.

Thanks,
Louis
 





Re: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-01 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The problem with some of this is that books become stale...and what is 
"best practices" today is not tomorrow with regulation and law changes.


Then my pet peeve is that I don't believe that you can have one best 
practice. And as a beancounter whose industry and profession wrote the 
book on "follow the checklist as that's the way to do things" do I need 
to remind folks of the Enron case going on?


This little SBSer thinks that best practices should be a discussion 
item...not a checklist to follow. And it's my opinion that too many 
times we check the box and don't think. But then again I can say that 
because small firms have less politics than big ones.


Example of a recommendation that I disagree with ... Dr. J and Riley say 
all the time that they don't recommend account lockout settings as it's 
a $75 help desk call. In SBSland.. it's never been an issue and puts a 
smidge more protection given that we tend to have less layers.


Some of these decision tree kind of stuff is also discussed in the MS 
pdf "Threats and Countermeasures". But even then you have to decide what 
the risk is for your firm.


In my own firm, short term employees, I blew them off ages ago, long 
term employees I kept the accounts around, employees that had an HR 
problem... that mailbox is still sitting on my server (yeah I should pst 
park it but it's easier just to disable it and leave it there).


To me these policies need to be compared with what HR issues there are 
with this terminated employee, in fact we had discussion in a SANS 
course that you may even want to image his/her workstation and leave it 
intact for forensic purposes.



[EMAIL PROTECTED] wrote:

Well they sure don't teach this in college courses! A list of 
questions to help define the scope of account management would be very 
useful. You could then answer the questions with the pros and cons of 
the various solutions. For example, address the Account Lockout 
policies and then answer with the options to lock out and never 
unlock, lock out and unlock after a specific time period, or not lock 
out at all. All three are options but it would be great to have a book 
that puts them all in one place with the pros/cons listed so people 
can make an informed decision and pick the option that is best for 
their situation. Tis better to give options and let someone make their 
own decisions than to make the decision for them and get blamed for it 
later down the road.


*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Al Mulnick

*Sent:* Wednesday, February 01, 2006 11:00 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] User Account Lifecyle -- Best Practices

There are several schools of thought on this concept. There are 
websites regarding identity management but I'm not sure it's what 
you're looking for. The idea of identity management is something that 
is inherent in any networked or even standalone system that has a 
computer. Your ATM, Television contract, Phone Service, and other 
identities are all included in the same concept. I have not seen 
anything specifically around this area of the concept, but I think 
that's more or less because it's so inherent in the ownership of the 
system that most people haven't really stopped to consider the pieces 
that make up the whole.
Do you think an article is warranted in this case? Or should it be 
book length? What would you want to see different from what the myriad 
of vendors put out there (vendors such as Microsoft, IBM, Cisco, 
Abridean, etc.)?
I'm curious what the thinking is here and how much of a need there 
really is for this type of discussion. I know that Tony has been after 
folks to blog some items and I know that Jorge did blog some of this. 
But if you think more is needed beyond what Jorge did, I'd be 
interested to know. I'd also bet that Jorge might be writing as we 
speak :)


On 2/1/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


Is there possibly a book or website that might contain more
in-depth documentation on this subject?


*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* [EMAIL PROTECTED]
*Sent:* Wednesday, February 01, 2006 3:37 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] User Account Lifecyle -- Best Practices

Comments inline.

First, thanks for the very thoughtful responses. Al, I appreciate
the "business requirements" concept. Unfortunately, around here,
no one even thinks about this at all. I need to lead them in this
direction. So, given that a business process needs to be developed…

Questions:

- Can you

RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-01 Thread bonnie . pohlschneider



Well they sure don't teach this in college 
courses! A list of questions to help define the scope of account 
management would be very useful. You 
could then answer the questions with the pros and cons of the various solutions. 
For example, address the Account Lockout policies and then answer with the 
options to lock out and never unlock, lock out and unlock after a specific 
time period, or not lock out at all. All three are options but it would be great 
to have a book that puts them all in one place with the pros/cons listed so 
people can make an informed decision and pick the option that is best for their 
situation. Tis better to give options and let someone make their own decisions 
than to make the decision for them and get blamed for it later down the 
road.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, February 01, 2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices

There are several schools of thought on this concept.  There are 
websites regarding identity management but I'm not sure it's what you're looking 
for. The idea of identity management is something that is inherent in any 
networked or even standalone system that has a computer.  Your ATM, 
Television contract, Phone Service, and other identities are all included in the 
same concept.  I have not seen anything specifically around this area of 
the concept, but I think that's more or less because it's so inherent in the 
ownership of the system that most people haven't really stopped to consider the 
pieces that make up the whole. 
 
Do you think an article is warranted in this case? Or should it be book 
length? What would you want to see different from what the myriad of vendors put 
out there (vendors such as Microsoft, IBM, Cisco, Abridean, etc.)? 
 
I'm curious what the thinking is here and how much of a need there really 
is for this type of discussion.  I know that Tony has been after folks to 
blog some items and I know that Jorge did blog some of this.  But if you 
think more is needed beyond what Jorge did, I'd be interested to know. I'd also 
bet that Jorge might be writing as we speak :)  
On 2/1/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

  Is there 
  possibly a book or website that might contain more in-depth documentation on 
  this subject?
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, February 01, 2006 3:37 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] User Account Lifecyle -- Best Practices
  
  
  Comments 
  inline.  
  
  
  First, thanks for the 
  very thoughtful responses. Al, I appreciate the "business requirements" 
  concept. Unfortunately, around here, no one even thinks about this at all. I 
  need to lead them in this direction. So, given that a business process needs 
  to be developed… 
   
  Questions:
  - Can you help me tease out the pros and cons of: disable (Jorge and Al), expire (Al), or rename (Neil)?
  [Neil Ruston] I prefer the rename rather than move etc since (as you state below) if the user needs to be 'reanimated' it may prove difficult to configure him/her back to their original state. I have seen many a user 'leave' only to re-join the firm within weeks or months, or to not actually leave at all. Naturally, you need to take your lead from HR, but they can sometimes 'jump the gun' :) I therefore prefer to rename and disable.
  - What is the point of removing a disabled/expired/renamed account from Security Groups? If you need to re-enable the user, how will you know what groups to put it in? And, isn't the account going to be deleted (and therefore removed from the groups) anyway?
  [Neil Ruston] See above comment.
  - Do any of you push the archived data off to other media (like DVD or tape)?
  [Neil Ruston] User data should be backed up regularly anyway, so I have not encountered a need to perform additional archives.
  
   
  Thanks 
  again.
   
  -- 
  nme
   
  
  
  
  
  
  From: Al Mulnick [mailto: [EMAIL PROTECTED]]
  Sent: Tuesday, January 31, 2006 6:23 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices
   
  
  Noah, I think by this point you can see that answers vary. The variables are the business requirements.

  An organization I did similar for looked at this as account lifecycle management. 'Cradle to grave process.'

  Similar to the other posts, I helped define a process and then semi-automate it. The process definition is the important part. Being able to reconstruct the user object is the second most important after that. Being able to automate it was the third priority because it was felt that fewer mistakes would be made, it would require less effort to be expended, and it would be a consistent proces

Re: [ActiveDir] x64 domain controller sizing?

2006-02-01 Thread Al Mulnick
More is always better :)
One clarification if it helps: 
The 4:1 processor recommendation assumes that you have like processors.  Since it's a swag to begin with (although based on testing) it's usually OK.  The recommendation was supposed to read: "4 (MHZ) : 1 (MHZ)" and is there to reflect the cpu usage expected when introducing an Exchange server.  Since that recommendation, I'm sure there have been those that agree and those that disagree with that as an initial recommendation. DDG's also make a BIG difference in this sizing as does memory configuration on the Exchange servers and the GCs being used at the time.
 
 
"• All Exchange servers and users should have fast access to a global catalog server."
Hmm... I've seen some pretty fast WAN links lately.  Not sure I can tell the difference between a LAN, a CAN, a MAN, and a WAN connection these days. Latency, cost and available bandwidth are the only differentiators in many of the networks I've seen.  

 
At the end of the day, just be sure that a GC is always available to your Exchange server. Sizing is more of an art based on science.

But don't take my word for it. Ask around and do your own trials. YMMV.
On 2/1/06, Ion Gott <[EMAIL PROTECTED]> wrote:


This may be helpful to everyone as well:
 

Global Catalog Servers
Global catalog servers are required for logon because they contain information about universal group membership. This membership grants or denies user access to resources. If a global catalog server cannot be contacted, a user's universal membership cannot be determined and log on access is denied.

  Note
Although Windows Server 2003 provides features that do not require a local global catalog server, you still need a local global catalog server for Exchange and Outlook to use. The global catalog server is critical for Exchange services (including log on, group membership, store services) and access to the global address list (GAL). Deploying global catalog servers locally to both servers and users makes address lookups more efficient. Contacting a global catalog server across a slow connection increases network traffic and impairs the user experience.

Consider the following when placing global catalog servers: 



• All Exchange servers and users should have fast access to a global catalog server.
• At least one global catalog server must be installed in each domain that contains Exchange servers.
• There should generally be a 4:1 ratio of Exchange processors to global catalog server processors, assuming the processors are similar models and speeds. However, depending on your situation, higher global catalog server usage, a large Active Directory, or large distribution lists can necessitate more global catalog servers.

 




Ion V. Gott
 


From: [EMAIL PROTECTED] on behalf of Mauricio F. Funes
Sent: Wed 2/1/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] x64 domain controller sizing? 



Many factors have to be taken into consideration.
1- Are you planning to have a dedicated AD site for Exchange, in other words are these GCs going to be dedicated for Exchange?
2- Are you planning to allocate sufficient memory to hold the DIT in memory?
3- Distribution group expansion, does your company rely on using large distribution lists? (DG expansion affects GC performance)
4- Are you looking at implementing Dual Core servers?
 
These are the things that might affect the number of GCs you implement.
 
 
 


Mauricio Funes
 


From: Al Mulnick
Sent: Wed 2/1/2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] x64 domain controller sizing?

Really? I didn't get that from the documentation the same you mention. I always took it that you wanted to put it on the same network to avoid network issues where possible, related to WAN connectivity or latency. Basically, Exchange is so dependent on a GC that you want to provide the best possible situation for it to be able to communicate with as few opportunities as possible for something to go wrong. Fewer moving parts as it were.

 
Best bet is to follow the other post from Joe which mentions coming up with your own benchmarks.  That takes a lot of the ambiguity out of the equation. 
 
Be sure to put plenty of memory in the new machines.  ;) 
On 2/1/06, Ion Gott <[EMAIL PROTECTED]> wrote:
 


I believe the number of GC's would really still be dependent on your site topology, number of objects published to the GC, number of child domains in the forest etc.. and location of Exchange servers in relation to users. Also if clients are using applications that are directly dependent on the GC, like online Outlook GAL lookups. 

 
The Active Directory Sizer tool Microsoft released early during the Windows 2000 release really is pretty much useless as it references pretty old hardware such as 700Mhz Pentium II Xeon processors and there really isn't much else available on the MS site as far as specifics. They usually just say things like have

RE: [ActiveDir] UNIX intergation into W2K3 Domain

2006-02-01 Thread Simon Bembridge








Sorry for not keeping up, but have been
away for a couple of days.

 

Just to say I have downloaded the eval
copy of Vintela Authentication Service and will be trying out over the next
couple of days. Al thanks again

 



Best Regards,

 

Simon 



 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 31 January 2006 06:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UNIX intergation into W2K3 Domain



 

To tie back in, if you have a single *nix
platform that you keep pretty standard for patches and such then your chances
are better at keeping up with making it work. The more platforms or versions of
a platform (or some combination) the stronger you need to be looking at a
packaged product. You could seriously have a full time job trying to keep up
with that stuff and working out the kinks every time there is an update if you
have quite a few platforms/revs you have to cover.



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 



 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, January 31, 2006 1:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UNIX intergation into W2K3 Domain

I have to agree. It seems that once you
have finally dorked around for what seems forever and have it working,
something (whether it be a samba vulnerability or some other *nix change;
especially in Solaris) breaks it and you have to dork around again. Vintela
honestly took me less than 10 minutes to get it working on the first Solaris
machine (including reading the instructions) and probably a minute for every
machine thereafter. I have used SFU and NIS
and it was pretty easy too, but does have a limited life, and is pretty
insecure (no less than all those pure LDAP implementations of authentication to
AD though). Now if you are talking something like RHEL 4 it doesn’t take
much to get it working at all, so maybe another solution would be to evaluate
why you use Solaris over another *nix platform. 

 

At least get a price quote and compare it
to 40 hours x 2 x your hourly rate, before going down the path of trying it
yourself. Could take less than 80 hours or more, but I would say a good
baseline for Solaris. The times 2 comes from the fact that for every hour you
are working on it, you take an hour away from something else that needs done.

 

On a side note, I did learn a lot when
messing around with trying it myself.

 

I apologize for my scattered way of
thinking and composing a message. 

 

 

   


 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 30, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UNIX intergation into W2K3 Domain



 

I would just say Centrify and Vintela
unless you want to spend a good amount of time dorking around with it. 

 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 



 



 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 30, 2006 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UNIX intergation into W2K3 Domain



Not sure what you mean by redundant fsmo but...

As for integration:

opensource: samba was supposed to come out with a v4 of their product that looked promising.

Centrify and Vintela would be more of what I'd look for however. Much smoother integration.

PAM modules could be used if you really wanted to, although it wouldn't be my first choice.

NFS? That doesn't solve your issue of single credentials.





 





Al

 





On 1/30/06, Simon Bembridge <[EMAIL PROTECTED]> wrote:

I am in the process of establishing a Single forest/domain, with 2xDC both GC
FSMO split between both, at another site there will be another 2XDC (Redundant FSMO)
All DC will host DNS, DHCP service and WINS for (Exchange 2003 NetBIOS legacy) is this still an issue??
Windows based FS

There is also a requirement for a couple of Solaris 8.x and Linux (Redhat ES 3.x).

I require a single Windows sign on for the UNIX boxes. Can anybody give me advice also as to MS NFS and additionally a PAM solution

 

Best Regards,

 

Simon 

UK

 





 








RE: [ActiveDir] x64 domain controller sizing?

2006-02-01 Thread Ion Gott




This may be helpful to 
everyone as well:
 

Global Catalog Servers
Global catalog servers are required for logon because they contain 
information about universal group membership. This membership grants or denies 
user access to resources. If a global catalog server cannot be contacted, a 
user's universal membership cannot be determined and log on access is 
denied.
  Note
Although Windows Server 2003 provides features that do not require a 
local global catalog server, you still need a local global catalog server for 
Exchange and Outlook to use. The global catalog server is critical for Exchange 
services (including log on, group membership, store services) and access to the 
global address list (GAL). Deploying global catalog servers locally to both 
servers and users makes address lookups more efficient. Contacting a global 
catalog server across a slow connection increases network traffic and impairs 
the user experience.
Consider the following when placing global catalog servers: 


  
  
• All Exchange servers and users should have fast access to a global catalog server.
• At least one global catalog server must be installed in each domain that contains Exchange servers.
• There should generally be a 4:1 ratio of Exchange processors to global catalog server processors, assuming the processors are similar models and speeds. However, depending on your situation, higher global catalog server usage, a large Active Directory, or large distribution lists can necessitate more global catalog servers.
 




Ion V. 
Gott
 


From: [EMAIL PROTECTED] on behalf of Mauricio F. Funes
Sent: Wed 2/1/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] x64 domain controller sizing?


Many factors have to be taken into consideration.
1- Are you planning to have a dedicated AD site for Exchange, in other words are these GCs going to be dedicated for Exchange?
2- Are you planning to allocate sufficient memory to hold the DIT in memory?
3- Distribution group expansion, does your company rely on using large distribution lists? (DG expansion affects GC performance)
4- Are you looking at implementing Dual Core servers?
 
These are the things that might affect the 
number of GCs you implement.
 
 
 


Mauricio Funes
 


From: Al Mulnick
Sent: Wed 2/1/2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] x64 domain controller sizing?

Really? I didn't get that from the documentation the same you mention. I always took it that you wanted to put it on the same network to avoid network issues where possible, related to WAN connectivity or latency. Basically, Exchange is so dependent on a GC that you want to provide the best possible situation for it to be able to communicate with as few opportunities as possible for something to go wrong. Fewer moving parts as it were.
 
Best bet is to follow the other post from Joe which mentions coming up with 
your own benchmarks.  That takes a lot of the ambiguity out of the 
equation. 
 
Be sure to put plenty of memory in the new machines.  
;) 
On 2/1/06, Ion Gott 
<[EMAIL PROTECTED]> wrote: 

  
  I believe the number of 
  GC's would really still be dependent on your site topology, number of objects 
  published to the GC, number of child domains in the forest etc.. and 
  location of Exchange servers in relation to users. Also if clients are using 
  applications that are directly dependent on the GC, like online Outlook GAL 
  lookups. 
   
  The Active Directory Sizer tool Microsoft 
  released early during the Windows 2000 release really is pretty much useless 
  as it references pretty old hardware such as 700Mhz Pentium II Xeon processors 
  and there really isn't much else available on the MS site as far as specifics. 
  They usually just say things like have a GC located close to clients that use 
  GC dependent processes such as the GAL and having redundant GC's in sites that 
  contain Exchange servers. 
   
   
  
  
  
  
  Ion V. 
  Gott
   
   
  
  
  From: [EMAIL PROTECTED] on behalf of Jeremy Olson
  Sent: Tue 1/31/2006 4:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] x64 domain controller sizing?

  Are there any recommendations for the number of x64 GC to exchange 2003 servers? We are about to start deploying 2003 domain controllers. I would rather use fewer x64 servers. The dit file is about 4.6 gigs.
  Thanks
  Jeremy


RE: [ActiveDir] Group Policy Trusted Sites

2006-02-01 Thread Doug Ferguson








User Configuration -> Administrative
Templates -> Internet Explorer -> Internet Control Panel -> Trusted
Sites Zone Template

 

Is this what you are referring to?  Your
question was a little vague.

 

 

Doug Ferguson

Windows Systems Administrator

Hynix Semiconductor Manufacturing America,
Inc.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Conrad, Daniel C Mr. Nortel Government Solutions
Sent: Wednesday, February 01, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy Trusted Sites



 

Does
anyone have any good tips or links explaining the way Group Policy manages
trusted sites?  I can see the config in GPMC settings but not in
GPOE.  The clients are receiving the settings but I can’t edit them.

Any
suggestions are appreciated.

Dan Conrad

Nortel Government Solutions 

Active Directory/Exchange Engineering








[ActiveDir] Group Policy Trusted Sites

2006-02-01 Thread Conrad, Daniel C Mr. Nortel Government Solutions






Does anyone have any good tips or links explaining the way Group Policy manages trusted sites?  I can see the config in GPMC settings but not in GPOE.  The clients are receiving the settings but I can’t edit them.

Any suggestions are appreciated.

Dan Conrad

Nortel Government Solutions 

Active Directory/Exchange Engineering




RE: [ActiveDir] x64 domain controller sizing?

2006-02-01 Thread Mauricio F. Funes



Many factors have to be taken into consideration.
1- Are you planning to have a dedicated AD site for Exchange, in other words are these GCs going to be dedicated for Exchange?
2- Are you planning to allocate sufficient memory to hold the DIT in memory?
3- Distribution group expansion, does your company rely on using large distribution lists? (DG expansion affects GC performance)
4- Are you looking at implementing Dual Core servers?
 
These are the things that might affect the number of GCs you implement.
 
 
 


Mauricio Funes
 


From: Al Mulnick
Sent: Wed 2/1/2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] x64 domain controller sizing?

Really? I didn't get that from the documentation the same you mention. I always took it that you wanted to put it on the same network to avoid network issues where possible, related to WAN connectivity or latency. Basically, Exchange is so dependent on a GC that you want to provide the best possible situation for it to be able to communicate with as few opportunities as possible for something to go wrong. Fewer moving parts as it were.
 
Best bet is to follow the other post from Joe which mentions coming up with your own benchmarks.  That takes a lot of the ambiguity out of the equation. 
 
Be sure to put plenty of memory in the new machines.  ;) 
On 2/1/06, Ion Gott <[EMAIL PROTECTED]> wrote: 


I believe the number of GC's would really still be dependent on your site topology, number of objects published to the GC, number of child domains in the forest etc.. and location of Exchange servers in relation to users. Also if clients are using applications that are directly dependent on the GC, like online Outlook GAL lookups. 
 
The Active Directory Sizer tool Microsoft released early during the Windows 2000 release really is pretty much useless as it references pretty old hardware such as 700Mhz Pentium II Xeon processors and there really isn't much else available on the MS site as far as specifics. They usually just say things like have a GC located close to clients that use GC dependent processes such as the GAL and having redundant GC's in sites that contain Exchange servers. 
 
 




Ion V. Gott
 
 


From: [EMAIL PROTECTED] on behalf of Jeremy Olson
Sent: Tue 1/31/2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] x64 domain controller sizing?

Are there any recommendations for the number of x64 GC to exchange 2003 servers? We are about to start deploying 2003 domain controllers. I would rather use fewer x64 servers. The dit file is about 4.6 gigs.
Thanks
Jeremy


Re: [ActiveDir] x64 domain controller sizing?

2006-02-01 Thread Al Mulnick
Really? I didn't get that from the documentation the same you mention. I always took it that you wanted to put it on the same network to avoid network issues where possible, related to WAN connectivity or latency. Basically, Exchange is so dependent on a GC that you want to provide the best possible situation for it to be able to communicate with as few opportunities as possible for something to go wrong. Fewer moving parts as it were.

 
Best bet is to follow the other post from Joe which mentions coming up with your own benchmarks.  That takes a lot of the ambiguity out of the equation. 
 
Be sure to put plenty of memory in the new machines.  ;) 
On 2/1/06, Ion Gott <[EMAIL PROTECTED]> wrote:


I believe the number of GC's would really still be dependent on your site topology, number of objects published to the GC, number of child domains in the forest etc.. and location of Exchange servers in relation to users. Also if clients are using applications that are directly dependent on the GC, like online Outlook GAL lookups. 

 
The Active Directory Sizer tool Microsoft released early during the Windows 2000 release really is pretty much useless as it references pretty old hardware such as 700Mhz Pentium II Xeon processors and there really isn't much else available on the MS site as far as specifics. They usually just say things like have a GC located close to clients that use GC dependent processes such as the GAL and having redundant GC's in sites that contain Exchange servers.

 
 




Ion V. Gott
 
 



From: [EMAIL PROTECTED] on behalf of Jeremy Olson
Sent: Tue 1/31/2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] x64 domain controller sizing?

Are there any recommendations for the number of x64 GC to exchange 2003 servers? We are about to start deploying 2003 domain controllers. I would rather use fewer x64 servers. The dit file is about 4.6 gigs.
Thanks
Jeremy


RE: [ActiveDir] OT: Change Tracking Database

2006-02-01 Thread Noah Eiger
Thanks all (esp. Susan). It will take me a little bit to look through this.
One thought I had was to repurpose a web-based db from a customer management
system. Each physical (server, switch, etc.) or logical (AD, DNS, DFS, etc)
asset would equal a "customer" and the logs for the phone conversations,
letters mailed, etc would be the actions taken on the asset.

-- nme

> -Original Message-
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 31, 2006 12:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Change Tracking Database
> 
> Download details: Windows SharePoint Services Applications Template:
> Change Management:
> http://www.microsoft.com/downloads/details.aspx?familyid=8481322A-88EA-44CF-9DB2-63B43A03FEB2&displaylang=en
> 
> Or that one.
> 
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> 
> > Sharepoint.
> >
> > Download details: Windows SharePoint Services Applications Template:
> > HelpDesk Dashboard:
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=82e86a1d-c818-496b-8ad4-818aaf1c2fed&DisplayLang=en
> >
> >
> >
> > Download details: Windows SharePoint Services Applications Template:
> > Project Team Management:
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=8c580176-09b4-4001-9c2b-2ad5b7ec2a12&DisplayLang=en
> >
> >
> >
> > Public folders are so old fashioned ;-)
> >
> > Aimless Ramblings from a Blithering Lunatic . . . : WOW! It's
> > Christmas in August on the Microsoft Download Site . . .:
> > http://msmvps.com/blogs/cgross/archive/2005/08/03/61320.aspx
> >
> >
> >
> > Dryden, Karen wrote:
> >
> >> We just send the notes for changes to a public folder that forwards
> >> to all of our admins. We keep the notes in the PF forever. We have a
> >> separate folder for problems.
> >>
> >> ---
> >> *From:* [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger
> >> *Sent:* Tuesday, January 31, 2006 12:54 AM
> >> *To:* ActiveDir@mail.activedir.org
> >> *Subject:* RE: [ActiveDir] OT: Change Tracking Database
> >>
> >> Thanks, Gil. I can appreciate that NetPro is not free ;-)
> >>
> >> I was looking more for something that simply allows admins to write
> >> notes about what they changed. This would then create a running log
> >> of what happened.
> >>
> >> -- nme
> >>
> >> ---
> >>
> >> *From:* Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> >> *Sent:* Monday, January 30, 2006 8:18 PM
> >> *To:* ActiveDir@mail.activedir.org
> >> *Subject:* RE: [ActiveDir] OT: Change Tracking Database
> >>
> >> You’ve pretty much described ChangeAuditor from NetPro. It's not
> >> freeware though. See
> >> http://www.netpro.com/products/changeauditor/index.cfm.
> >>
> >> -gil
> >>
> >> ---
> >>
> >> *From:* [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger
> >> *Sent:* Monday, January 30, 2006 8:05 PM
> >> *To:* ActiveDir@mail.activedir.org
> >> *Subject:* [ActiveDir] OT: Change Tracking Database
> >>
> >> Hi –
> >>
> >> I am looking for a database (preferably with a web interface) to
> >> track all changes made in the network/directory infrastructure.
> >> Change something in DNS? Log it. Make some registry changes on a
> >> server? Log it. Change a recipient policy in Exchange? Log it. You
> >> get the picture. Right now we are using a somewhat-clunky, homegrown,
> >> MySQL database. Anything off the shelf or free/shareware?
> >>
> >> TIA
> >>
> >> -- nme
> >>
> >>
> >>
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> 
> 
> 


RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Hutchins, Mike



You said a bad word...
 
"toasted" is a forbidden word on the list. 
:-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, February 01, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.


You boot some sort of CD and it then restores over the LAN from the media 
server/tape to your box, laying down the OS and data and such as it goes. You’re 
of course fucked if your media server is toasted because you’ve got a circular 
reference now.
 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 
312.731.3132
 
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, February 01, 2006 9:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] help creating backup strategy for AD and exchange.
 

I thought IDR was pretty much the same thing as ASR?

 

Thanks 

On 2/1/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

Or buy the Veritas bare-metal option, I think it's called Intelligent Disaster 
Recovery. It doesn't always work though.

 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 
312.731.3132
 
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.
 

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

  Yes, you should be backing up your DCs and Exchange from Backup Exec. You'll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

  No…

  Not sure what it grabs, honestly.

 


Thanks, 
Brian 
Desmond

[EMAIL PROTECTED]

 

c - 
312.731.3132

 

 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharthSent: Wednesday, February 01, 2006 8:26 
AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] help creating backup 
strategy for AD and exchange.

 

We currently have four file servers, two domain 
controllers, and one exhange 2003 server(all on Windows 2003). Three 
questions:1)I  have Veritas Backup Exec 10 which is backing up only 
the file servers.  Is it a good idea to have Backup Exec backup my domain 
controllers and Exchange server as well  or should those be done another 
way? 2)If I used Backup Exec to backup exchange and the DCs, do I stil 
need to do ASR for the emergency floppy disks. If so what do I do with the 2GB 
ASR files that ASR creates and that I assume I need in an emergency. 
3)Does ASR backup everything that needs to be backed up on a domain 
controller?thanks




 


RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Brian Desmond








You boot some sort of CD and it then restores over the LAN from the media
server/tape to your box, laying down the OS and data and such as it goes. You’re
of course fucked if your media server is toasted because you’ve got a circular
reference now.

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, February 01, 2006 9:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] help creating backup strategy for AD and exchange.

I thought IDR was pretty much the same thing as ASR?

Thanks

On 2/1/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

Or buy the Veritas bare-metal option, I think its called Intelligent Disaster Recovery. It doesn't always work though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

 Yes, you should be backing up your DCs and Exchange from Backup Exec. You'll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

 No…

 Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks
























 










RE: [ActiveDir] exchange tool

2006-02-01 Thread Hutchins, Mike



Asked and answered yesterday

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: Tuesday, January 31, 2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] exchange tool

Where can I get ADMAP and ExMap?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Monday, January 30, 2006 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] exchange tool

There is also an Exchange version called ExMap...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Monday, January 30, 2006 6:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange tool

I tried ADMAP, very simple and basic information, I will try the BPA

thanks

On 1/30/06, Mark Parris <[EMAIL PROTECTED]> wrote:

The EXBPA will detail a lot of this information for you.

Mark

-Original Message-
From: "Victor W." <[EMAIL PROTECTED]>
Date: Mon, 30 Jan 2006 12:32:14
To:
Subject: RE: [ActiveDir] exchange tool

There is a tool called ADMAP which draws the Exchange Organization but it doesn't go as far as drawing ALL settings on all mailbox stores.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of shereen naser
Sent: Monday, 30 January 2006 12:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] exchange tool

Is there a tool to draw the exchange organization and list all settings on all mailbox stores?

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 


Re: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Tom Kern
I thought IDR was pretty much the same thing as ASR?

Thanks

On 2/1/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

Or buy the Veritas bare-metal option, I think its called Intelligent Disaster Recovery. It doesn't always work though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

Yes, you should be backing up your DCs and Exchange from Backup Exec. You'll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

No…

Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks






RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread neil.ruston



Boot off a w2k3 CD and run a repair(?)

Is this something that happens frequently? I'd suspect hardware issues if so.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: 01 February 2006 14:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

  Yes, you should be backing up your DCs and Exchange from Backup Exec. You’ll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

  No…

  Not sure what it grabs, honestly.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
  Sent: Wednesday, February 01, 2006 8:26 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] help creating backup strategy for AD and exchange.

  We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

  1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

  2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

  3) Does ASR backup everything that needs to be backed up on a domain controller?

  thanks
  
  
  





Re: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Al Mulnick
Just to add: 
It doesn't hurt to have an ERD handy.  Never a bad idea.  ASR?  Not sure you'd find that useful. If you're using Veritas to back this up, they have a lot of recommended best practices.  Have you seen them yet? 

Be sure that you're using Exchange aware backups vs. the file level backups. 
 
If you haven't done so already, be absolutely sure to practice your restores.  This ensures you are familiar with the concept when really needed and it ensures that your backup media is valid (i.e. you are capturing valid information for the task at hand and the media is valid.)

 
Otherwise, "what he said" :)
-ajm 
On 2/1/06, Brian Desmond <[EMAIL PROTECTED]> wrote:


Rebuild it and do a system state restore…

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

Yes, you should be backing up your DCs and Exchange from Backup Exec. You'll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

No…

Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks






RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Brian Desmond








Or buy the Veritas bare-metal option, I think its called Intelligent
Disaster Recovery. It doesn’t always work though.

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

 Yes, you should be backing up your DCs and Exchange from Backup Exec. You’ll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

 No…

 Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks


























RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Brian Desmond








Rebuild it and do a system state restore…

 



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] help creating backup strategy for AD and exchange.

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

 Yes, you should be backing up your DCs and Exchange from Backup Exec. You’ll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

 No…

 Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks


























RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread sdgesa gaeharth

2) Then how do I do an emergency boot if the boot files are corrupted?

Brian Desmond <[EMAIL PROTECTED]> wrote:

Yes, you should be backing up your DCs and Exchange from Backup Exec. You’ll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

No…

Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks

[ActiveDir] Configure Automatic Updates

2006-02-01 Thread Harding, Devon










I have my WSUS server working with a GPO to have critical updates automatically downloaded and installed (option 4 under Configure Automatic Updates) for my servers. I also have ‘No auto-restart for scheduled Automatic Updates installations’ enabled. The problem is that the no auto-restart seems to only work if a user is logged into the server, otherwise, it’ll reboot the server after the installation is complete. Is there a way I can have it download, install but NOT reboot the server no matter what?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

 















RE: [ActiveDir] OT: AD Search via web

2006-02-01 Thread Freddy HARTONO



Ah splendid :)

Thanks Jerry!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Wednesday, February 01, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: AD Search via web

Try Namescape ( www.namescape.com )

https://www.iowaonline.state.ia.us/rdirectory/rDirectory.aspx is a good example of product in action. FREE version provides basic web lookup, as you describe. Co$t version provides for editing, with group policies.

Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, February 01, 2006 6:18 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: AD Search via web

Hi guys,

Just trying to generate some basic searches of AD for the extranet users to access via webpage - say for example for phone or email directories.

Found this software below, but is there any better ones out there which doesn't cost much of a bomb :)

http://www.extsoft.com/products/extview/index.asp

Simply for view only directory not for adding or removing objects such of what Quest Activeroles kind..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785


RE: [ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread Brian Desmond









 Yes, you should be backing up your DCs and Exchange from Backup Exec. You’ll need to license the remote agent for each machine you want to backup and then push it out from the Tools>Serial Numbers/Installation menu in BE. For the DCs, System State backup is ample. For Exchange, you need to grab the MS Information Store and System State.

 No…

 Not sure what it grabs, honestly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sdgesa gaeharth
Sent: Wednesday, February 01, 2006 8:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] help creating backup strategy for AD and exchange.

We currently have four file servers, two domain controllers, and one exchange 2003 server (all on Windows 2003). Three questions:

1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?

2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.

3) Does ASR backup everything that needs to be backed up on a domain controller?

thanks



















RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-01 Thread bonnie . pohlschneider



Is there possibly a book or website that might contain more in-depth documentation on this subject?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 3:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Account Lifecyle -- Best Practices

Comments inline.

First, thanks for the very thoughtful responses. Al, I appreciate the “business requirements” concept. Unfortunately, around here, no one even thinks about this at all. I need to lead them in this direction. So, given that a business process needs to be developed…

Questions:

- Can you help me tease out the pros and cons of: disable (Jorge and Al), expire (Al), or rename (Neil)?
[Neil Ruston] I prefer the rename rather than move etc since (as you state below) if the user needs to be 'reanimated' it may prove difficult to configure him/her back to their original state. I have seen many a user 'leave' only to re-join the firm within weeks or months, or to not actually leave at all. Naturally, you need to take your lead from HR, but they can sometimes 'jump the gun' :)  I therefore prefer to rename and disable.

- What is the point of removing a disabled/expired/renamed account from Security Groups? If you need to re-enable the user, how will you know what groups to put it in? And, isn’t the account going to be deleted (and therefore removed from the groups) anyway?
[Neil Ruston] See above comment.

- Do any of you push the archived data off to other media (like DVD or tape)?
[Neil Ruston] User data should be backed up regularly anyway, so I have not encountered a need to perform additional archives.

Thanks again.

--
nme
 





From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 31, 2006 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices

Noah, I think by this point you can see that answers vary. The variables are the business requirements.

An organization I did similar for looked at this as account lifecycle management. 'Cradle to grave process.'

Similar to the other posts, I helped define a process and then semi-automate it. The process definition is the important part. Being able to reconstruct the user object is the second most important after that. Being able to automate it was the third priority because it was felt that fewer mistakes would be made, it would require less effort to be expended, and it would be a consistent process.

In that environment, the process all started with an authoritative notification of expiry. From there, the accounts were removed from groups, moved to a new OU, marked with the deletion date, disabled, etc. Everything that was done was logged in such a way that it was easy to put this back with a minimal of effort and with audit capability in mind. No task was done without logging because of the compliance requirements surrounding the company's business.

This is a repetitive task and should be automated as much as possible. How exactly you decide to do this is more a question for your business leaders. Automating it is something you can either do or not do, but once it's a defined process I see no reason to manually do anything in this situation.

Additionally, I've always broken the whole lifecycle into several parts:

1) provisioning (cradle)

2) De-provisioning (grave)

3) modifications (all that stuff in between)

Automating provisioning of a new account is something that should be automated. Automating removal of accounts should also be automated in my opinion. Whenever possible, modifications should be semi-automated so you can capture what tasks were performed with a minimal of effort on the part of the administration team. In a perfect world, it should be so routine and easy that either the user can do it or my least trained and experienced staff member can do it without error. That just about screams automation to me.

Start by defining the process requirements. Does your company require that the account be immediately unable to be effective? Expiring the account alone has some drawbacks in terms of time. Disabling has some other trade-offs. But removing the user's ability to be used immediately upon notification is a security best practice. Archival depends on your company needs, but it's typically something that you want to have happen after a decent amount of time. Why? Because users tend to leave and come back. Similar to backups, you want to reduce the amount of time to perform a restoration of any kind. This is no different. Tune the process to accommodate the way your organization works and you'll save yourself a lot of time.

My 0.04 (USD) worth anyway,

Al

On 1/31/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Just my 2 penneth, but I have found that a rename of the user rather than a user move can work bette
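
The de-provisioning sequence described in the quoted post above (disable, remove from groups, mark with a deletion date, move to a holding OU, and log every step so it can be put back) could be scripted as follows. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module, and the function names, OU path, log folder and 90-day retention period are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reversible de-provisioning with an audit record.
# Function names, OU path, log folder and retention period are hypothetical.

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $HoldingOu     = 'OU=Leavers,DC=example,DC=com',  # assumed holding OU
        [string] $LogDir        = 'C:\AccountLifecycle\Logs',      # assumed log folder
        [int]    $RetentionDays = 90                               # assumed grace period
    )
    $ErrorActionPreference = 'Stop'
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description

    # Capture everything needed to put the account back BEFORE changing anything.
    $record = [ordered]@{
        ObjectGuid   = $user.ObjectGUID.ToString()   # stable across renames and moves
        SamAccount   = $user.SamAccountName
        # Parent container = DN minus its first RDN (split on the first unescaped comma).
        OriginalOu   = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
        Description  = $user.Description
        WasEnabled   = $user.Enabled
        Groups       = @($user.MemberOf)             # the primary group is not in memberOf and is left alone
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        ProcessedUtc = (Get-Date).ToUniversalTime().ToString('o')
        DeleteAfter  = (Get-Date).AddDays($RetentionDays).ToString('yyyy-MM-dd')
    }

    # Write the record first, so a failure half-way through is still recoverable.
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $logFile = Join-Path $LogDir ('{0}_{1}.json' -f $record.SamAccount, $record.ObjectGuid)
    $record | ConvertTo-Json -Depth 3 | Set-Content -Path $logFile -Encoding UTF8

    # 1. Cut off access, 2. strip group memberships, 3. mark, 4. move.
    Disable-ADAccount -Identity $record.ObjectGuid
    foreach ($groupDn in $record.Groups) {
        Remove-ADGroupMember -Identity $groupDn -Members $record.ObjectGuid -Confirm:$false
    }
    Set-ADUser -Identity $record.ObjectGuid `
        -Description "De-provisioned $($record.ProcessedUtc); delete after $($record.DeleteAfter)"
    Move-ADObject -Identity $record.ObjectGuid -TargetPath $HoldingOu

    return $logFile
}

function Restore-LeaverAccount {
    param([Parameter(Mandatory)] [string] $LogFile)
    $ErrorActionPreference = 'Stop'
    $record = Get-Content -Path $LogFile -Raw | ConvertFrom-Json

    # Address the account by GUID: its DN changed when it was moved.
    Move-ADObject -Identity $record.ObjectGuid -TargetPath $record.OriginalOu
    foreach ($groupDn in @($record.Groups | Where-Object { $_ })) {
        Add-ADGroupMember -Identity $groupDn -Members $record.ObjectGuid
    }
    if ($record.Description) {
        Set-ADUser -Identity $record.ObjectGuid -Description $record.Description
    } else {
        Set-ADUser -Identity $record.ObjectGuid -Clear Description
    }
    if ($record.WasEnabled) { Enable-ADAccount -Identity $record.ObjectGuid }
}

# Usage (constructed account name):
#   $log = Disable-LeaverAccount -SamAccountName 'jdoe'
#   Restore-LeaverAccount -LogFile $log
```

Because the JSON record is keyed on objectGUID, it also answers the question raised earlier in the thread of how to know which groups to put a re-enabled user back in.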

RE: [ActiveDir] Using IPSec on Domain Controllers?

2006-02-01 Thread Steele, Aaron [BSD] - ADM



We are using it in our AD, between 5 dc's across 2 sites. So far, no problems if we confine ourselves to DC to DC traffic. That is relatively easy, just configure the proper IPSec Policies and push them out via GPO to the Domain Controllers OU.

We have not had any real success with built-in windows IPSec / kerberized IPSec between a client workstation and the domain controller. Seems to mostly be a chicken & egg thing.

Hope that helps.
/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, February 01, 2006 07:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using IPSec on Domain Controllers?

Is anyone using IPSec for DC to DC communication in a moderately large environment? I'm curious to see what kind of support issues people are running into... Thanks!

-Brandon


[ActiveDir] Using IPSec on Domain Controllers?

2006-02-01 Thread Bernier, Brandon \(.\)







Is anyone using IPSec for DC to DC communication in a moderately large environment? I'm curious to see what kind of support issues people are running into... Thanks!


-Brandon





[ActiveDir] help creating backup strategy for AD and exchange.

2006-02-01 Thread sdgesa gaeharth
We currently have four file servers, two domain controllers, and one Exchange 2003 server (all on Windows 2003). Three questions:
1) I have Veritas Backup Exec 10 which is backing up only the file servers. Is it a good idea to have Backup Exec backup my domain controllers and Exchange server as well or should those be done another way?
2) If I used Backup Exec to backup exchange and the DCs, do I still need to do ASR for the emergency floppy disks. If so what do I do with the 2GB ASR files that ASR creates and that I assume I need in an emergency.
3) Does ASR backup everything that needs to be backed up on a domain controller?
thanks

RE: [ActiveDir] ADAM ADSIEDIT ? - SOLVED

2006-02-01 Thread Jerry Welch
BINGO - refresh solved the problem.  Many thanks !
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 6:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

1. Add a flush entry to the LDIF file used to extend the schema, example
below:
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

or 

2. Use the schema snap-in. Right click root of node and choose 'reload
schema'

This may not solve your issue, however :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 11:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Neil -
Not as daft as my not having a clue as to how to do this :) Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

I'm sure this is a daft suggestion :) but have you flushed the schema cache?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 10:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam
Perhaps I need (and would be glad to) buy the book :) Thanks for any
suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and a
couple of the attributes that aren't showing up? I tried to duplicate with a
single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have extended
the schema to include all of the Extension Attributes for Exchange.  When
using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these new
attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any
attachment(s) to it. If verification of this email is sought then please
request a hard copy. Unless otherwise stated this email: (1) is not, and
should not be treated or relied upon as, investment research; (2) contains
views or opinions that are solely those of the author and do not necessarily
represent those of NIplc; (3) is intended for informational purposes only
and is not a recommendation, solicitation or offer to buy or sell securities
or related financial instruments.  NIplc does not provide investment
services 
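
The flush entry from option 1 quoted in this thread, turned into a check (an added example, not code from any poster on the list): a Python lint that flags class changes naming an attribute added earlier in the same LDIF file with no schemaUpdateNow entry in between. The sample records, the exampleExt1 attribute, its OID and the DC=X partition placeholder are constructed.

```python
"""Lint an LDIF schema-extension file for a missing schemaUpdateNow flush."""

# Constructed sample records: the attribute name, OID and the DC=X
# partition placeholder are illustrative, not taken from the thread.
ATTR_ADD = """\
dn: CN=example-Ext1,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleExt1
attributeID: 1.2.3.4.5.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
"""

# Same flush entry as in the thread (an empty DN addresses the rootDSE).
FLUSH = """\
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""

CLASS_MOD = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: exampleExt1
-
"""

SAMPLE_UNFLUSHED = ATTR_ADD + "\n" + CLASS_MOD
SAMPLE_FLUSHED = ATTR_ADD + "\n" + FLUSH + "\n" + CLASS_MOD

# Class attributes that refer to other schema attributes by name.
CLASS_LINKS = ("maycontain", "mustcontain",
               "systemmaycontain", "systemmustcontain")
# "ntdsSchemaAdd" is the ldifde-specific variant of "add".
ADD_TYPES = ("add", "ntdsschemaadd")


def parse_records(text):
    """Split LDIF text into records: lists of (lowercased name, value).

    Handles comments, blank-line record separators and folded lines.
    Base64 ("attr:: value") values are kept undecoded.
    """
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            # Folded line: append to the previous value.
            name, value = current[-1]
            current[-1] = (name, value + raw[1:])
            continue
        if raw == "-":
            current.append(("-", ""))
            continue
        name, _, value = raw.partition(":")
        current.append((name.strip().lower(), value.strip()))
    if current:
        records.append(current)
    return records


def find_missing_flush(text):
    """Return (dn, attribute) pairs where a class record names an attribute
    that was added earlier in the file with no flush in between."""
    pending = set()   # lDAPDisplayNames added since the last flush
    findings = []
    for record in parse_records(text):
        fields = {}
        for name, value in record:
            fields.setdefault(name, []).append(value)
        dn = fields.get("dn", [""])[0]
        changetype = fields.get("changetype", ["add"])[0].lower()
        if "schemaupdatenow" in fields:
            pending.clear()          # schema cache reloaded from here on
            continue
        classes = [v.lower() for v in fields.get("objectclass", [])]
        if changetype in ADD_TYPES and "attributeschema" in classes:
            pending.update(v.lower() for v in fields.get("ldapdisplayname", []))
            continue
        for key in CLASS_LINKS:
            for value in fields.get(key, []):
                if value.lower() in pending:
                    findings.append((dn, value))
    return findings


if __name__ == "__main__":
    for label, text in (("unflushed", SAMPLE_UNFLUSHED),
                        ("flushed", SAMPLE_FLUSHED)):
        print(label, find_missing_flush(text))
```
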

RE: [ActiveDir] OT: AD Search via web

2006-02-01 Thread Jerry Welch



Try Namescape  ( www.namescape.com )  

https://www.iowaonline.state.ia.us/rdirectory/rDirectory.aspx 
is a good example of product in action.  FREE version provides basic web 
lookup, as you describe.  Co$t version provides for editing, with group 
policies.
Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, February 01, 2006 6:18 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: AD Search via web

Hi guys, 
Just trying to generate some basic searches of AD for 
the extranet users to access via webpage - say for example for phone or email 
directories.
Found this software below, but is there any better 
ones out there which doesn't cost much of a bomb :) 
http://www.extsoft.com/products/extview/index.asp 
Simply for view only directory not for adding or 
removing objects such of what Quest Activeroles kind.. 
Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785 


Re: [ActiveDir] IIS 6 Urgent Help

2006-02-01 Thread Za Vue

Thanks Ken.

-Z.V.

Ken Schaefer wrote:


You have entered the command incorrectly. From the screenshot you have
entered ISSuba (there is a missing I). 


The actual command you need to run is:
rundll32 %windir%\system32\iissuba.dll,RegisterIISSUBA

Cheers
Ken




RE: [ActiveDir] ADAM ADSIEDIT ?

2006-02-01 Thread Jerry Welch
Thanks, will try option 2.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 6:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

1. Add a flush entry to the LDIF file used to extend the schema, example
below:
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

or 

2. Use the schema snap-in. Right click root of node and choose 'reload
schema'

This may not solve your issue, however :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 11:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Neil -
Not as daft as my not having a clue as to how to do this :) Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

I'm sure this is a daft suggestion :) but have you flushed the schema cache?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 10:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam
Perhaps I need (and would be glad to) buy the book :) Thanks for any
suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and a
couple of the attributes that aren't showing up? I tried to duplicate with a
single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have extended
the schema to include all of the Extension Attributes for Exchange.  When
using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these new
attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch


RE: [ActiveDir] ADAM ADSIEDIT ?

2006-02-01 Thread neil.ruston
1. Add a flush entry to the LDIF file used to extend the schema, example
below:
DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

or 

2. Use the schema snap-in. Right click root of node and choose 'reload
schema'

This may not solve your issue, however :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 11:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Neil -
Not as daft as my not having a clue as to how to do this :) Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

I'm sure this is a daft suggestion :) but have you flushed the schema
cache?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 10:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam
Perhaps I need (and would be glad to) buy the book :) Thanks for any
suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and
a couple of the attributes that aren't showing up? I tried to duplicate
with a single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have
extended the schema to include all of the Extension Attributes for
Exchange.  When using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these
new attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch


[ActiveDir] OT: AD Search via web

2006-02-01 Thread Freddy HARTONO





Hi guys,


Just trying to generate some basic searches of AD for the extranet users to access via webpage - say for example for phone or email directories.

Found this software below, but is there any better ones out there which doesn't cost much of a bomb :)


http://www.extsoft.com/products/extview/index.asp


Simply for view only directory not for adding or removing objects such of what Quest Activeroles kind..


Thank you and have a splendid day!


Kind Regards,


Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785





RE: [ActiveDir] ADAM ADSIEDIT ?

2006-02-01 Thread Jerry Welch
Neil -
Not as daft as my not having a clue as to how to do this :)
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

I'm sure this is a daft suggestion :) but have you flushed the schema cache?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 10:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam
Perhaps I need (and would be glad to) buy the book :) Thanks for any
suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and a
couple of the attributes that aren't showing up? I tried to duplicate with a
single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have extended
the schema to include all of the Extension Attributes for Exchange.  When
using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these new
attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch



RE: [ActiveDir] ADAM ADSIEDIT ?

2006-02-01 Thread neil.ruston
I'm sure this is a daft suggestion :) but have you flushed the schema
cache? 

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: 01 February 2006 10:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam
Perhaps I need (and would be glad to) buy the book :) Thanks for any
suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and a
couple of the attributes that aren't showing up? I tried to duplicate with a
single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have extended
the schema to include all of the Extension Attributes for Exchange.  When
using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these new
attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch



[ActiveDir] Changing the scope of a built-in group

2006-02-01 Thread neil.ruston






Having discussed potential issues [in this forum] with DLG and GG combinations (and even GG and UG combinations) I am now considering the use of only UGs across the forest.

Whilst discussing a DNS admin service admin role, we debated whether we should use the existing built-in DLG groups [DNSAdmins] in each domain, or create new UGs which mimic these existing DLGs or should we change the scope of the existing DLGs so that they are UGs.

The plan is to create a forest-wide DNS service admin role and then grant that rights to manage DNS across the forest. The original idea was to simply place that new role group into all the DNSAdmins DLG groups. Having decided to use UG only, I am now looking for alternatives / suggestions.

Does anyone have any comments on this last option [change scope of DNSAdmins from DLG to UG]?


Does anyone have any experience of performing the above change?


Thanks in advance,

neil








RE: [ActiveDir] ADAM ADSIEDIT ?

2006-02-01 Thread Jerry Welch
Joe,
I have posted the attribute definition, INetOrgPerson and User attribute
lists, and ADAM ADSIEdit (missing attribute) at:
http://cps11.dnsalias.net/adam 
Perhaps I need (and would be glad to) buy the book :)
Thanks for any suggestions.
Jerry 


Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM ADSIEDIT ?

Hey Jerry, could you post the definitions of user and inetorgperson and a
couple of the attributes that aren't showing up? I tried to duplicate with a
single joewaretest attribute and it worked fine. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Tuesday, January 31, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM ADSIEDIT ?

I have an ADAM instance installed on a Windows 2003 server.  Have extended
the schema to include all of the Extension Attributes for Exchange.   When
using ADAM ADSIEDIT to view INetOrgPerson objects I can see all of these new
attributes, but when viewing a User object they do not appear.  The
attributes have been added to the User Class, but still no luck.
Suggestions ?
Thanks,
Jerry

Jerry Welch



[ActiveDir] Problem in assigning permissions to the user in parent domain over the shared folder in child domain

2006-02-01 Thread lakshmi venkat
Hi,

We are presently working on the parent/child setup
of Active Directory.

The setup which we're trying is as follows:

1- We have a parent domain and a workstation as a part
of parent domain. 

2- We have one more domain which is a child domain of
the previously mentioned domain. A workstation is
added to the child domain and there is a shared folder
in the work station belonging to the child domain.

We login to the workstation in the parent domain as a
user in the parent domain and try to map the fileshare
present in the workstation in the child domain. This
operation fails saying access denied.

We are unable to give permissions to the user in
parent domain to the file share in child domain as it
does not allow to add the user, in both permissions
and security of the properties of the shared folder.

We are able to select the parent domain in the
locations field of the "Select users or groups"
dialog. But when we enter the username in the object
name field, we get an error that the object name
cannot be found.

Any help will be appreciated.



Thanks
Lakshmi



RE: [ActiveDir] User Account Lifecyle -- Best Practices

2006-02-01 Thread neil.ruston



Comments inline.

First, thanks for the very thoughtful responses. Al, I appreciate the “business requirements” concept. Unfortunately, around here, no one even thinks about this at all. I need to lead them in this direction. So, given that a business process needs to be developed…

Questions:
- Can you help me tease out the pros and cons of: disable (Jorge and Al), expire (Al), or rename (Neil)?
[Neil Ruston] I prefer the rename rather than move etc since (as you state below) if the user needs to be 'reanimated' it may prove difficult to configure him/her back to their original state. I have seen many a user 'leave' only to re-join the firm within weeks or months, or to not actually leave at all. Naturally, you need to take your lead from HR, but they can sometimes 'jump the gun' :)  I therefore prefer to rename and disable.
- What is the point of removing a disabled/expired/renamed account from Security Groups? If you need to re-enable the user, how will you know what groups to put it in? And, isn’t the account going to be deleted (and therefore removed from the groups) anyway?
[Neil Ruston] See above comment.
- Do any of you push the archived data off to other media (like DVD or tape)?
[Neil Ruston] User data should be backed up regularly anyway, so I have not encountered a need to perform additional archives.

Thanks again.

--
nme
 





From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 31, 2006 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Account Lifecyle -- Best Practices
 

Noah, I think by this point you can see that answers vary.  The variables are the business requirements.

An organization I did similar for looked at this as account lifecycle management.  'Cradle to grave process.'

Similar to the other posts, I helped define a process and then semi-automate it.  The process definition is the important part.  Being able to reconstruct the user object is the second most important after that. Being able to automate it was the third priority because it was felt that fewer mistakes would be made, it would require less effort to be expended, and it would be a consistent process.

In that environment, the process all started with an authoritative notification of expiry.  From there, the accounts were removed from groups, moved to a new OU, marked with the deletion date, disabled, etc.  Everything that was done was logged in such a way that it was easy to put this back with a minimum of effort and with audit capability in mind.  No task was done without logging because of the compliance requirements surrounding the company's business.

This is a repetitive task and should be automated as much as possible. How exactly you decide to do this is more a question for your business leaders.  Automating it is something you can either do or not do, but once it's a defined process I see no reason to manually do anything in this situation.

Additionally, I've always broken the whole lifecycle into several parts:

1) provisioning (cradle)

2) De-provisioning (grave)

3) modifications (all that stuff in between)

Automating provisioning of a new account is something that should be automated.  Automating removal of accounts should also be automated in my opinion.  Whenever possible, modifications should be semi-automated so you can capture what tasks were performed with a minimum of effort on the part of the administration team.  In a perfect world, it should be so routine and easy that either the user can do it or my least trained and experienced staff member can do it without error. That just about screams automation to me.

Start by defining the process requirements.  Does your company require that the account be immediately unable to be effective? Expiring the account alone has some drawbacks in terms of time.  Disabling has some other trade-offs.  But removing the user's ability to be used immediately upon notification is a security best practice. Archival depends on your company needs, but it's typically something that you want to have happen after a decent amount of time.  Why? Because users tend to leave and come back.  Similar to backups, you want to reduce the amount of time to perform a restoration of any kind.  This is no different.  Tune the process to accommodate the way your organization works and you'll save yourself a lot of time.

My 0.04 (USD) worth anyway,

Al
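
The deprovisioning sequence described in the message above (log first, then disable, remove from groups, stamp a deletion date, move to a holding OU), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module; the function name, parameters, log format, and 90-day retention default are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
function Disable-DepartedUser {          # hypothetical name, not a built-in cmdlet
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the leaver
        [Parameter(Mandatory)][string]$HoldingOU,  # assumed, e.g. 'OU=Leavers,DC=example,DC=com'
        [Parameter(Mandatory)][string]$LogPath,    # append-only JSON-lines audit file
        [int]$RetentionDays = 90                   # assumed retention period
    )
    $user = Get-ADUser -Identity $Identity -Properties MemberOf, Description, Enabled
    $deleteAfter = (Get-Date).AddDays($RetentionDays).ToString('yyyy-MM-dd')

    # Capture everything needed to rebuild the account BEFORE changing it.
    # MemberOf does not list the primary group, which is left untouched here.
    $record = [ordered]@{
        Timestamp      = (Get-Date).ToString('o')
        Operator       = "$env:USERDOMAIN\$env:USERNAME"
        SamAccountName = $user.SamAccountName
        ObjectGuid     = $user.ObjectGUID.ToString()
        OriginalDN     = $user.DistinguishedName
        # Parent container: everything after the first unescaped comma of the DN
        OriginalOU     = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
        WasEnabled     = $user.Enabled
        Description    = $user.Description
        Groups         = @($user.MemberOf)
        DeleteAfter    = $deleteAfter
    }
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Deprovision')) {
        return $record                   # -WhatIf: show what would be logged
    }
    # No change is made unless the audit record was written successfully.
    $record | ConvertTo-Json -Compress | Add-Content -Path $LogPath -ErrorAction Stop

    # Disable first so the account is unusable immediately.
    Disable-ADAccount -Identity $user
    foreach ($group in $user.MemberOf) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd); delete after $deleteAfter"
    Move-ADObject -Identity $user -TargetPath $HoldingOU   # last: the DN changes here
    return $record
}
```

Running it with -WhatIf returns the captured record without touching the account; the logged Groups and OriginalOU fields are what a restore script would read back.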

On 1/31/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Just my 2 penneth, but I have found that a rename of the user rather than a user move can work better.

If the user is moved and then needs to be moved back to the original location, you may encounter issues without a record of their original OU.

Consider adding a suffix to the user name - e.g. bloggsj_left_31012006 (I've used ddmm but of course mmdd is acceptable too :)

neil
 



From: [EMAIL PROTECTED