RE: [ActiveDir] User Accounts

2006-04-19 Thread Ulf B. Simon-Weidner
* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not
needed by the database layer, and not needed by the application, but needed
to keep the data together for the application. So if you look at AD from the
outside it won't be referenced, if you look at ESE it's just a DB and
doesn't care about the data stored within, but you still need it in between
to store the AD in the ESE.
Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD
looks for a parent object by looking up its known DNT (stored with the
child), ESE would fail in that moment; AD would not be able to go to another
server and look up the same DNT in its database. The AD is distributed, the
ESE is local, and DNTs are part of the local table.

If I understand correctly:
DNTs are reusable in ESE, however AD's implementation does not allow DNTs to
be released / reused on a single server, and the database will only reuse
them if you recreate the DB by repromoting (because the data is replicated
from other servers into a virgin ESE, and DNTs are assigned from the
beginning at this point).

Right?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the 
|result and content of which turned up some interesting (to me 
|at least) implementation details.  The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|   - they _are_ a component of the layer that bridges the 
|two (dblayer)
|   - to Brett, I believe he sees them within the sum of 
|what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
| 
|
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of 
|Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
| 
| 
| Dean, I didn't understand this comment ...
|   But, dude, seriously, you weren't aware that AD's ESE 
|used a 32 bit 
| DNT?
|   Methinks perhaps you're muddling in the realms of personal 
| interpretation   ... though I'm quite certain you'll argue that too 
| ... ESE purist :0p
| 
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per 
|our IM, the dblayer knows what they are (after all, DNT = 
|distinguished name tag ...
|blatantly not an ESE term ... and dblayer = database layer ... 
|not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables 
|+ columns + indices over columns.  The dblayer forms the 
|bridge between two technologies, one molding the behavior of 
|the other (dblayer molds ESE).
|ESE maintains no referential integrity, the dblayer does this 
|... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains 
| the AD schema on an ESE
| database) and the ESE database layer.  
|
|Don't know that I'd agree with that since on neither occasion 
|was the dblayer specifically referenced .. but it's moot for 
|the moment since I'm still mulling over whether my new-found 
|knowledge pertaining to link-pairs influences my opinion on 
|where DNTs lie; directory or database.
|
|
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: 
|http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Dave Wade

Folks,

Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] Tombstone attributes

2006-04-19 Thread Grillenmeier, Guido
it all comes down to: 
- what are you trying to protect yourself from? 
- what are your procedures or tools for restoring the objects?
- what are the risks involved and potential costs for recovery?

protecting from accidental deletion of a single object is different from
trying to protect yourself from accidental mass deletions (such as a
whole OU containing many hundred or thousand objects). Planning recovery
in a single-domain forest is different from planning recovery in
multi-domain forests. Planning to use online recovery tools (tombstone
reanimation) is different from planning to recover objects using the
native recovery options (systemstate restore + NTDSUTIL authoritative
restore).

A combination of both approaches (online recovery + native tools) could
be the right answer = no matter what tools you use, you'll always want
to perform system state backups of at least 2 DCs in every domain
anyways to be on the safe side and be prepared for a true forest
recovery. 

But you couldn't care less to reboot a DC just to recover a single or
very few objects (depends on size of your environment and if you have
deliberately planned a recovery DC that's not used by users or apps).
Online recovery tools do a perfect job of recovering these objects - and
if it's only a few, then you're fine with setting the PW at recovery
time. Logistics is the main pain here: you'll have to tell the recovered
user the new PW so that he can logon again - and as Ulf mentioned,
you'll have to rejoin computer accounts to the domain if you plan to
recover them online as well, but for a few objects, this could be
acceptable (yet painful).

When planning recovery of accidental mass deletions, you could argue to
do this via the native way, restoring a DC from a sys-state backup and
performing an auth. restore. And since the PW is obviously stored in the
sys-state backup you'll get (almost) everything back (of course, you'll
have the same trouble with passwords that just expired or that a user
had just changed after doing your backup...). But in general, users'
passwords will be recovered just fine and computers actually leverage
the last two passwords during authentication so in general there's no
issue with expired computer passwords either. Your main challenge with
using the native tools now lies in correct recovery of the links between
the various objects you've just restored - this is particularly painful
for multi-domain environments.  On the other side, if you plan to use
the online recovery tools for mass recovery, you'd certainly wish to
have the password in the tombstone since otherwise this would be a
logistical nightmare - yet the tools handle link recovery in
multi-domain environments just fine, which is a big painpoint when
recovering natively.

So it's up to you to weigh the risk of storing passwords in tombstones
to allow easier recovery - or to choose native recovery when recovering
from mass deletion. I don't consider storing the PW in a tombstone a
particularly high risk - especially if you weigh it against the cost
you have to recover things correctly the native way. Realize that you
don't need to store all the PW related attributes, only Unicode-Pwd is
required to successfully restore the PW (and using most online recovery
tools you could still choose to have the user reset his PW at next
logon).

Some of this is discussed in more detail in the following guide:
http://www.netpro.com/media/pdf/NetPro_ADDR_Guide.pdf


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Mittwoch, 19. April 2006 00:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Tombstone attributes

Ulf B. Simon-Weidner wrote:
 Unfortunately the password is the same attribute for users and
 computers. I thought recently to put the password in the tombstone to
 ease computer account reanimation - after the account is deleted the
 computer is not able to change its password, and if it was deleted
 accidentally it's easy to reanimate the account and the computer will
 still be happy.
 
 I know that it'll be easy to put the computers in the domain again,
 however I've had a customer with hundreds of sites which lost a couple
 hundred computer accounts across those sites, and bandwidth didn't
 allow to remotely script the addition of the computer accounts to the
 domain via netdom. We were able to perform an authoritative restore,
 and were lucky that we lost almost no computer accounts due to changed
 passwords, however this was an unlikely event with the computers having
 recently joined the newly created domain. In running domains we'd have
 to calculate an average of 1/15th of computers per day of the age of
 the backup to join manually.
 
 I agree on user objects - and if I'd decide to keep the password for
 computer accounts in the tombstone I would prefer to put a procedure in
 place to change a user's password before deleting it.
 

Jup, I can agree with it - but still I 

RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Grillenmeier, Guido

yep, and it works quite well

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Mittwoch, 19. April 2006 10:29
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,

Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade


RE: [ActiveDir] User Accounts

2006-04-19 Thread Grillenmeier, Guido
yep, thanks Dean - quite useful, as was the whole thread.
It's always interesting to see how much discussion a simple question
can cause :-) 

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Mittwoch, 19. April 2006 01:18
To: Send - AD mailing list
Subject: RE: [ActiveDir] User Accounts



[ActiveDir] Schema upgrades with Windows 2003 R2

2006-04-19 Thread Peter Johnson

Hi all

I was wondering if anyone had any pointers for the following schema upgrade scenario:

I have a single domain, single site forest with 2 DCs. Both DCs are currently running Windows 2003 RTM code without Service Pack 1 but fully patched otherwise. I've got two new IBM servers that I wish to promote to DCs to replace the current DCs. These machines are running Windows 2003 R2 x64 Standard Edition.

If I want to DCPROMO these machines I will need to perform the schema update for 2003 R2, correct? If so, can I simply insert the R2 32-bit CD into my current Schema master and do the schema updates? I'm assuming that there's no difference between the 64-bit and 32-bit schema extensions?

Anyone got any gotchas, heads-up warnings etc. for me?

Any help is appreciated as this is quite a big step and I want as much info at hand as possible before I start.

Thanks

Peter Johnson

P.S.

If anyone has been having issues with Gigabyte network cards connecting to domain controllers and Group Policy not applying, consult TechNet article 326152 for a possible resolution related to Media Link State detection.


[ActiveDir] Permission to modify description

2006-04-19 Thread Oliver Marshall
I have a logon script which changes the description of the current user
when they log on, or rather it should do. Whenever I pop that script into
a logon script it fails with a general access denied error.

The line it fails on is the last of these two:

objUser.Description = strMessage   ' updates the local ADSI property cache only
objUser.SetInfo                    ' commits the cache to the DC; this is where the access denied error is raised

objUser is pointing to the correct user, and it can set the local cached
description setting; it only fails when it tries to set that info on the
server.

I have tried giving Authenticated Users the Write General
Information permission, but that doesn't help.

Any ideas what permission I need to assign so that people are able to
edit the description property? Is there an associated permission for
using the SetInfo method?


If it helps, this is Win2k servers with XP desktops.

Olly


RE: [ActiveDir] stupid ldap queries

2006-04-19 Thread joe
1. As mentioned, Partial Attribute Set (PAS) attributes are not necessarily
indexed. These are not related in AD. However if you put something in the
PAS because you want to do searches against that attribute, you will often
see the object indexed as well.

2. Most every query that only specifies objectclass[1] in a default Active
Directory is inefficient because objectclass is not indexed and it means AD
will need to look at every object within the scope of the query to determine
whether or not an object matches. This means if you generate a subtree
search based at the domain NC down and you have 10,000 objects and you only
have 14 objects of the needed class (for arguments sake,
organizationalUnit), AD would have to look at 10,000 objects instead of 14
objects to figure out what to return.

3. I have had several discussions with folks on this on and offlist and
pretty much am very strongly for indexing objectclass. I haven't personally
seen a case where it turned out to be a bad thing. The more likely you are
to run LDAP apps either run from or ported from UNIX counterparts the more
likely this is going to help because objectclass usually appears to be
indexed in other directories. This also used to help with Exchange 2000
because there were several bad queries that used no indexed attributes and
indexing objectclass made it so those queries did use an indexed attribute,
to my knowledge, those have mostly all been fixed however I can't say I have
done a comprehensive study of all Exchange queries. Generating a list of all
queries going against AD is more of a pain than it needs to be right now
IMO. But anyway, I think that a general going in statement is that it is
good to index objectclass, the investment is generally quite minimal (I had
heard fear stories of possible DIT growth of 50% but have never seen
anything over about 10%). The worst problem is if you happen to have a
program that makes various assumptions based on an attribute being indexed
and starts acting a little odd in some cases afterward. There was a product
from a major vendor that used to do something unusual with how it displayed
information once you indexed objectclass and selected the objectclass column
for sorting (obviously sorting on a multivalue attribute is undefined and
therefore disallowed) but that was straightened out some time ago. If someone
from that company or someone who used to be with that company wants to out
themselves I will let them do so. I will say that once they saw the issue,
they responded quickly and well to it.


4. To determine if a specific attribute is indexed or not, you simply look
at bit 0 (value 1) on the searchFlags attribute. If you want to quickly find
indexed attributes in your directory, you can use ADFIND V01.31.00 to do so
with

adfind -sc indexed

Or

adfind -sc indexedl



5. For completeness, if you want to quickly find PAS attributes in your
directory, you can do so with 

adfind -sc pas

Or

adfind -sc pasl

Note that there is more than one way that an attribute could be specified to
be part of the PAS. There is the standard isMemberOfPartialAttributeSet=TRUE
but there is also a systemFlags bit that corresponds to it for things that
Microsoft wants in the PAS and doesn't want you changing. These switches
properly find both items. Run the commands and add the -po switch to see
exactly what it is querying for.

No you cannot combine those switches and get all indexed attributes that are
in the PAS. I stopped just short of inventing a new query language to ride
on top of LDAP, it kind of bothered me when I saw myself moving in that
direction. :)  What would I call it? jQL?? joeLDAP??? RooBurger[2] 


6. Oh, one question sort of asked was WHY did MS do this? Well as I
understand it(tm), early pre-beta Windows 2000 AD revs did not handle
indexing of multivalue and non-unique value attributes well. The fact that
objectclass was both non-unique and multivalued is a double whammy if
neither of those is good. MSFT fixed both issues but no one ever went back
and corrected the schema def before release and I know some very bright
folks in MSFT were like, oops, we should have done that. You will often hear
this wives' tale (or maybe urban legend) running around that you can't index
non-unique or multivalue attributes and it is completely bogus. You _may_
not get as much bang for your buck doing it but will get some benefit at
some level if you use that attribute to search with and don't have another
index in the query. I have even heard MCS folks spout this urban legend and
I usually ask them to join me in the corner for a quick chat for a moment
when they say it (MCS are people too). There is a rumour that the default
index state of objectclass may change in LongHorn Server, I recommend folks
check for themselves.

I think I have blogged on this once or twice and certainly the ADORG
archives will have more than one post on this topic from myself and others.
But again, if someone asks me if they 
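The points above (bit 0 of searchFlags marks an indexed attribute; PAS membership comes either from isMemberOfPartialAttributeSet or from a systemFlags bit; a filter that names only non-indexed attributes such as objectclass forces a scan of everything in scope) are compact enough to show in a few lines of code. What follows is an added example written for this archive page; it is not joe's adfind, nor any code from the list. The attributeSchema rows are constructed sample data, the function names are my own, and the searchFlags bit names other than bit 0 and the systemFlags PAS bit (0x2) are taken from the published AD schema reference rather than from this message. Bit 3 (0x8, preserve on delete) is included because it is the setting behind the "password in the tombstone" option discussed in the tombstone thread above.

```python
"""Decode attributeSchema searchFlags / PAS membership and check whether an
LDAP filter references an indexed attribute. Added example for this page;
the schema rows below are constructed, not read from a real forest."""
import copy
import re

# searchFlags bits. Bit 0 (value 1) is the one joe's message names; the other
# three names follow the AD schema reference for searchFlags (assumption here).
SF_INDEXED            = 0x1  # bit 0: attribute is indexed ("adfind -sc indexed")
SF_CONTAINER_INDEXED  = 0x2  # bit 1: index per container
SF_ANR                = 0x4  # bit 2: member of ambiguous name resolution
SF_PRESERVE_ON_DELETE = 0x8  # bit 3: value is kept on the tombstone

# systemFlags bit that forces PAS membership regardless of
# isMemberOfPartialAttributeSet (the "Microsoft wants it in the PAS" case).
SYSFLAG_REQ_PARTIAL_SET = 0x2

# Constructed sample attributeSchema objects. Values are chosen to show each
# case; objectClass deliberately has searchFlags 0, as in a default forest.
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "objectClass",    "searchFlags": 0x0, "isMemberOfPartialAttributeSet": True,  "systemFlags": 0x0},
    {"lDAPDisplayName": "objectCategory", "searchFlags": 0x1, "isMemberOfPartialAttributeSet": True,  "systemFlags": 0x0},
    {"lDAPDisplayName": "sAMAccountName", "searchFlags": 0x1, "isMemberOfPartialAttributeSet": True,  "systemFlags": 0x0},
    {"lDAPDisplayName": "name",           "searchFlags": 0x9, "isMemberOfPartialAttributeSet": False, "systemFlags": 0x2},
    {"lDAPDisplayName": "description",    "searchFlags": 0x0, "isMemberOfPartialAttributeSet": False, "systemFlags": 0x0},
    {"lDAPDisplayName": "unicodePwd",     "searchFlags": 0x8, "isMemberOfPartialAttributeSet": False, "systemFlags": 0x0},
]


def is_indexed(attr):
    """What 'adfind -sc indexed' tests: bit 0 of searchFlags."""
    return bool(attr["searchFlags"] & SF_INDEXED)


def in_pas(attr):
    """What 'adfind -sc pas' tests: the explicit flag OR the systemFlags bit."""
    return bool(attr["isMemberOfPartialAttributeSet"]) or bool(attr["systemFlags"] & SYSFLAG_REQ_PARTIAL_SET)


def preserved_on_delete(attr):
    """Attributes whose values survive on the tombstone (bit 3)."""
    return bool(attr["searchFlags"] & SF_PRESERVE_ON_DELETE)


def names_where(schema, predicate):
    return sorted(a["lDAPDisplayName"] for a in schema if predicate(a))


def indexed_attributes(schema):
    return names_where(schema, is_indexed)


def pas_attributes(schema):
    return names_where(schema, in_pas)


def tombstone_attributes(schema):
    return names_where(schema, preserved_on_delete)


# One attribute name per filter item: "(" then the name, then anything up to
# the "=" (covers =, ~=, >=, <= and the :dn:= extensible form).
_ATTR_RE = re.compile(r"\(([A-Za-z][\w.;-]*)[^()=]*=")


def filter_attributes(ldap_filter):
    """Attribute names referenced by an RFC 4515 filter, in order of appearance."""
    return _ATTR_RE.findall(ldap_filter)


def query_uses_index(ldap_filter, schema):
    """True if at least one attribute in the filter is indexed.

    First-order check only: the DC's query optimizer decides which index it
    really uses and a NOT term gains nothing from one; adfind's -STATS
    switches show what the DC actually did."""
    indexed = {n.lower() for n in indexed_attributes(schema)}
    return any(a.lower() in indexed for a in filter_attributes(ldap_filter))


def with_attribute_indexed(schema, name):
    """Copy of the schema with bit 0 set on one attribute, i.e. what
    'index objectclass' amounts to at the schema level."""
    out = copy.deepcopy(schema)
    for attr in out:
        if attr["lDAPDisplayName"].lower() == name.lower():
            attr["searchFlags"] |= SF_INDEXED
    return out


if __name__ == "__main__":
    print("indexed:  ", indexed_attributes(SAMPLE_SCHEMA))
    print("PAS:      ", pas_attributes(SAMPLE_SCHEMA))
    print("tombstone:", tombstone_attributes(SAMPLE_SCHEMA))
    for f in ("(objectClass=user)", "(&(objectCategory=person)(objectClass=user))"):
        print(f, "-> indexed attribute in filter:", query_uses_index(f, SAMPLE_SCHEMA))
    after = with_attribute_indexed(SAMPLE_SCHEMA, "objectClass")
    print("(objectClass=user) after indexing objectClass ->", query_uses_index("(objectClass=user)", after))
```

Run as-is it reports that objectClass sits in the PAS without being indexed (the distinction Brian makes later in the thread), that (objectClass=user) has no indexed attribute while the objectCategory/objectClass form does, and that flipping bit 0 on objectClass is all it takes to change the first answer.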

RE: [ActiveDir] stupid ldap queries

2006-04-19 Thread joe

Exactly, you can tell your AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle, but this is a nice quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are; in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It'd be the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef

  
  
  
   Subject: RE: [ActiveDir] stupid ldap queries
   Date: Tue, 18 Apr 2006 17:03:35 -0400
   From: [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   
   I did the same after I saw some of the activedir folks post about doing it :)
   
   :m:dsm:cci:mvp| marcusoh.blogspot.com
   
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
   Sent: Tuesday, April 18, 2006 4:47 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] stupid ldap queries
   
   I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.
   
   Wook
   
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
   Sent: Tuesday, April 18, 2006 11:50 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] stupid ldap queries
   
   No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.
   
   Thanks,
   Brian Desmond
   [EMAIL PROTECTED]
   
   c - 312.731.3132
   
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
   Sent: Tuesday, April 18, 2006 2:15 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] stupid ldap queries
   
   bummer! I meant adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list
   
   On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
   
   sorry that was meant to be adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list
   
   On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
   
   Thanks for the reply. In that case why does adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list return objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks
   
   M@
   
   On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:
   Not sure I understand the question fully, but, no objectClass is not indexed. objectCategory is. So if you want to get all users you do:
   
   (&(objectCategory=person)(objectClass=user))
   
   Thanks,
   Brian Desmond
   [EMAIL PROTECTED]
   c - 312.731.3132
   
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
   Sent: Tuesday, April 18, 2006 1:00 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] stupid ldap queries
   
   All
   
   Could someone please explain how Non-indexed queries (e.g. "objectClass=user") fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute

Re: [ActiveDir] Exchange rights slow to become available

2006-04-19 Thread Al Mulnick
Is that going to also address his problem? 

Al
On 4/18/06, Michael B. Smith [EMAIL PROTECTED] wrote:

See Microsoft KB 327378 (Exchange 2000 and Exchange 2003 mailbox size limits are not enforced in a reasonable period of time; fix requires Exchange 2000 SP3)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Egbert
Sent: Monday, April 17, 2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rights slow to become available

Is anyone else experiencing this problem? I have a security group granting Exchange Server rights to group members (e.g. add/remove users). It takes about 30 minutes, however, after adding the user to the group before the rights become available to the user. How do I get the rights to become available to group members right away?

Thanks,

Tim


RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Ion Gott

The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations.

If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible.

Ion

From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account.

I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade.

Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools?

You can't do an in-place upgrade from 5.5 to 2003, which is what it sounds like you're doing when you get the consistency error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange cannot be assigned the task upgrade because the directory database is in an inconsistent state the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the Data collection step in ADC tools on the new ws2k3 box, I receive the error "Server myserver:389 is not an Exchange 5.5 server or an SRS service". I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error "Could not connect to server myserver:38900 with LDAP error 6. Check server name, port number and account permissions". I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the Ex5.5 server.

If you need any more info please let me know.
Any help that anyone can provide

RE: [ActiveDir] User Accounts

2006-04-19 Thread Eric Fleischman
 DNTs are reusable in ESE, however AD's implementation does not allow DNTs
 to be released / reused on a single server, and the database will only
 reuse them if you recreate the DB by repromoting (cause the data is
 replicated from other servers into a virgin ESE, and DNTs are assigned
 from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing
DNTs...this is more starting over. :)
For the sake of clarity I would point out that such a re-promotion would
need to be over the wire and not IFM. IFM just picks up where the last
left off, as you are using the old database again, and so the same AD
level rules apply.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not
needed by the database layer, and not needed by the application, but needed
to keep the data together for the application. So if you look at AD from the
outside it won't be referenced, if you look at ESE it's just a DB and
doesn't care about the data stored within, but you still need it in between
to store the AD in the ESE.
Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD
looks for a parent object by looking up its known DNT (stored with the
child), ESE would fail in that moment, AD would not be able to go to another
server and look up the same DNT in its database. The AD is distributed, the
ESE is local, and DNTs are part of the local table.

If I understand correctly:
DNTs are reusable in ESE, however AD's implementation does not allow DNTs to
be released / reused on a single server, and the database will only reuse
them if you recreate the DB by repromoting (cause the data is replicated
from other servers into a virgin ESE, and DNTs are assigned from the
beginning at this point).

Right?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the 
|result and content of which turned up some interesting (to me 
|at least) implementation details.  The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|   - they _are_ a component of the layer that bridges the 
|two (dblayer)
|   - to Brett, I believe he sees them within the sum of 
|what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
| 
|
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of 
|Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
| 
| 
| Dean, I didn't understand this comment ...
|   But, dude, seriously, you weren't aware that AD's ESE 
|used a 32 bit 
| DNT?
|   Methinks perhaps you're muddling in the realms of personal 
| interpretation   ... though I'm quite certain you'll argue that too 
| ... ESE purist :0p
| 
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per 
|our IM, the dblayer knows what they are (after all, DNT = 
|distinguished name tag ...
|blatantly not an ESE term ... and dblayer = database layer ... 
|not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables 
|+ columns + indices over columns.  The dblayer forms the 
|bridge between two technologies, one molding the behavior of 
|the other (dblayer molds ESE).
|ESE maintains no referential integrity, the dblayer does this 
|... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains 
| the AD schema on an ESE
| database) and the ESE database layer.  
|
|Don't know that I'd agree with that since on neither occasion 
|was the dblayer specifically referenced .. but it's moot for 
|the moment since I'm still mulling over whether my new-found 
|knowledge 

[ActiveDir] automatic account disable

2006-04-19 Thread Myke
hi guys,

is it possible to make an automatic lockout on user accounts by
inactivity, or do I need a third party tool?

thanks

Myke
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Al Mulnick
In place of Exchange 5.5 to Exchange 2003? Check the readme, release notes and migration path scenarios again. Last I checked, that was not a supported upgrade path (2000 to 2003 is supported although not always preferred).




Al
On 4/18/06, Dan DeStefano [EMAIL PROTECTED] wrote:



We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems




Why are you doing this interim upgrade when your end goal is a 2k3 native environment? 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account.


I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade.


Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.



Dan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools?


You can't do an in-place upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error.





Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.


My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange… cannot be assigned the task "upgrade" because… the directory database is in an inconsistent state… the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.


Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the "Data collection" step in ADC tools on the new ws2k3 box, I receive the error "Server myserver:389 is not an Exchange 
5.5 server or an SRS service". I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error "Could not connect to server myserver:38900 with LDAP error 6. Check server name, port number and account permissions". I am logged on with the Enterprise/Domain Administrator account and the ADC service is set to use the same service account as the ADC on the 
Ex5.5 server.

If you need any more info please let me know.
Any help that anyone can provide will be greatly appreciated.


Dan DeStefano
Info-lution Corporation
www.info-lution.com

MCSE - 2073750


RE: [ActiveDir] User Accounts

2006-04-19 Thread Dean Wells
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ulf 
 B. Simon-Weidner
 Sent: Wednesday, April 19, 2006 2:40 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] User Accounts
 
 * DNTs (to me) are _not_ a component of the directory
 
 IIRC they are like a (primary/foreign) key in a database. 
 Technically not needed by the database layer, and not needed 
 by the application, but needed to keep the data together for 
 the application. So if you look at AD from the outside it 
 won't be referenced, if you look at ESE it's just a DB and 
 doesn't care about the data stored within, but you still need 
 it in between to store the AD in the ESE.
 Right?

Heh, depends since the dblayer _is_ the component that implements them, not
ESE.

 * DNTs are not reusable
 
 Unique per server and don't provide any reference across 
 servers. If AD looks for a parent object by looking up its 
 known DNT (stored with the child), ESE would fail in that 
 moment, AD would not be able to go to another server and look up 
 the same DNT in its database. The AD is distributed, the ESE 
 is local, and DNTs are part of the local table.

The DN of an AD object is the result of its DNT (or P[parent]DNT) ancestry,
right the way back to a number of structural entries (I believe they're
typically referred to as structural phantoms but don't quote me on that)
that define the labels comprising the NC head.

 If I understand correctly:
 DNTs are reusable in ESE, however AD's implementation does not 
 allow DNTs to be released / reused on a single server

Since DNTs are not a natural component of ESE, the answer is implementation
specific.

 , and 
 the database will only reuse
 them if you recreate the DB by repromoting (cause the data is 
 replicated from other servers into a virgin ESE, and DNTs are 
 assigned from the beginning at this point).

The re-promotion aspect is of course true, assuming non-IFM.

 Right?
 
 Gruesse - Sincerely, 
 
 Ulf B. Simon-Weidner 
 
   MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
   Weblog: http://msmvps.org/UlfBSimonWeidner
   Website: http://www.windowsserverfaq.org
   Profile:
 http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
 
  
 
 |-Original Message-
 |From: [EMAIL PROTECTED]
 |[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 |Sent: Wednesday, April 19, 2006 1:18 AM
 |To: Send - AD mailing list
 |Subject: RE: [ActiveDir] User Accounts
 |
 |Inline is my take on an IM conv. Brett and I just had, the 
 result and 
 |content of which turned up some interesting (to me at least) 
 |implementation details.  The short story is -
 |
 |* DNTs (to me) are _not_ a component of the directory
 | - they _are_ a component of the layer that bridges the 
 two (dblayer)
 | - to Brett, I believe he sees them within the sum of 
 what is the 
 |directory
 |* DNTs (to both Brett and I) are not part of ESE
 |* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
 |* DNTs are not reusable
 |
 |I hope the summary and conversational text inline proves useful.
 |
 |--
 |Dean Wells
 |MSEtechnology
 |* Email: [EMAIL PROTECTED]
 |http://msetechnology.com
 |
 | 
 |
 | -Original Message-
 | From: [EMAIL PROTECTED]
 | [mailto:[EMAIL PROTECTED] On Behalf Of
 |Brett Shirley
 | Sent: Tuesday, April 18, 2006 5:11 PM
 | To: ActiveDir@mail.activedir.org
 | Cc: Send - AD mailing list
 | Subject: RE: [ActiveDir] User Accounts
 | 
 | 
 | Dean, I didn't understand this comment ...
 |   But, dude, seriously, you weren't aware that AD's ESE
 |used a 32 bit
 | DNT?
 |   Methinks perhaps you're muddling in the realms of personal 
 | interpretation   ... though I'm quite certain you'll 
 argue that too 
 | ... ESE purist :0p
 | 
 | Are you claiming that ESE knows what a DNT is?
 |
 |Not at all ... but IMO, neither does the directory ... and 
 per our IM, 
 |the dblayer knows what they are (after all, DNT = distinguished name 
 |tag ...
 |blatantly not an ESE term ... and dblayer = database layer ... 
 |not a directory term ... hmmm)
 |
 | A DNT is an entirely AD concept, ESE has no idea what a DNT is.
 |
 |Nod.
 |
 | ESE also has no concept of linked-values, or the link_table.
 |
 |Now this was news to me, so here's the summary: ESE has tables
 |+ columns + indices over columns.  The dblayer forms the
 |bridge between two technologies, one molding the behavior of 
 the other 
 |(dblayer molds ESE).
 |ESE maintains no referential integrity, the dblayer does this ... 
 |including link-pairs -- this part was especially surprising to me.
 |
 | This is the 2nd time you've confused the AD dblayer (what 
 maintains 
 | the AD schema on an ESE
 | database) and the ESE database layer.  
 |
 |Don't know that I'd agree with that since on neither 
 occasion was the 
 |dblayer specifically referenced .. but it's moot for the 
 

Re: [ActiveDir] automatic account disable

2006-04-19 Thread Al Mulnick
It's possible. What's your criteria? 

DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO. Scripts, etc can also be used successfully. 


Al
On 4/19/06, Myke [EMAIL PROTECTED] wrote:
hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke


RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Kennedy, Jim



Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius 
Auth from our Cisco 1100 AP's.

User needs wireless, I just add them to the user group that 
allows them to install/request the Cert and I don't have to do anything 
else.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Wednesday, April 19, 2006 4:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Setting Wireless Config via GPO
  
  Folks,
  
  Is any one setting 
  wireless configurations using the features in AD 2003? We currently use the 
  3-COM tool and their proprietary security. As they have stopped supporting 
  this we need to move on. Thanks for any input on this.
  
  Dave 
  Wade


RE: [ActiveDir] automatic account disable

2006-04-19 Thread Almeida Pinto, Jorge de
one of the tools that could help you with that is OLDCMP from Joeware.net. But 
first you need to define for your own what the definition is of period of 
inactivity and how long.
 
Search the archives as previous threads are available that also mention the 
deprovisioning of accounts.
 
cheers,
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Myke
Sent: Wed 2006-04-19 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable



hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke





RE: [ActiveDir] automatic account disable

2006-04-19 Thread deji
Third-party.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Myke
Sent: Wed 4/19/2006 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable



hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke


RE: [ActiveDir] Permission to modify description

2006-04-19 Thread Coleman, Hunter
What happens when you run the script interactively, as opposed to within
the login script?

You can (should?) tighten the security on this...granting Self allow on
Write Description should be sufficient. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, April 19, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permission to modify description

I have a logon script which changes the description of the current user
when they logon, or rather it should do. Whenever I pop that script in
to a logon script it fails with a general access denied error.

The line it fails on it the last of these two;

objUser.Description = strMessage
objUser.SetInfo

objUser is pointing to the correct user, and it can set the local cached
description setting, it only fails when it tries to set that info on the
server.

I have tried giving Authenticated Users the Write General
Information permission, but that doesn't help.

Any ideas what permission I need to assign so that people are able to
edit the description properties ? Is there an associated permission for
using the setinfo method ?


If it helps, this is win2k servers with xp desktops.

Olly

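The "Self allow on Write Description" suggestion above, worked out as an added example that is not code from the thread: a script run at logon executes as the user, so the only ACE it needs is one that lets NT AUTHORITY\SELF write its own description; granting Authenticated Users write on every user's description would let anyone rewrite anyone else's. The OU name is a placeholder, the schema GUIDs are looked up rather than hard-coded, and it assumes you run it as someone allowed to change that OU's ACL.

```powershell
# Added example (not from the thread). Grant SELF write access to the
# description attribute of user objects under an OU, and nothing else.
Add-Type -AssemblyName System.DirectoryServices

function Grant-SelfWriteDescription {
    param(
        # Hypothetical OU; replace with the container holding your users.
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )

    # Resolve the schemaIDGUIDs at run time instead of trusting a pasted GUID.
    $schemaNc  = ([adsi]'LDAP://RootDSE').schemaNamingContext.Value
    $descAttr  = [adsi]"LDAP://CN=Description,$schemaNc"
    $userClass = [adsi]"LDAP://CN=User,$schemaNc"
    $descGuid  = New-Object guid (,[byte[]]$descAttr.schemaIDGUID.Value)
    $userGuid  = New-Object guid (,[byte[]]$userClass.schemaIDGUID.Value)

    # S-1-5-10 is NT AUTHORITY\SELF: evaluated as "the object being accessed".
    $self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

    # Allow WriteProperty on description only, inherited to descendant
    # objects of class user (not groups, computers or the OU itself).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $descGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)

    $ou = [adsi]"LDAP://$OuDistinguishedName"
    $ou.ObjectSecurity.AddAccessRule($ace)
    $ou.CommitChanges()
}

# Usage with the placeholder OU:
# Grant-SelfWriteDescription -OuDistinguishedName 'OU=Staff,DC=corp,DC=example,DC=com'
```

The same ACE from the Support Tools era is `dsacls "OU=Staff,DC=corp,DC=example,DC=com" /I:S /G "NT AUTHORITY\SELF:WP;description;user"`; either way, test afterwards by running the two-line script interactively as a plain user, as Hunter suggests, before putting it back in the logon script.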

RE: [ActiveDir] automatic account disable

2006-04-19 Thread Coleman, Hunter
What criteria are you using to determine that a user is inactive? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable

hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke


RE: [ActiveDir] automatic account disable

2006-04-19 Thread neil.ruston



Would you not disable the account instead of locking 
it?

A locked account may be unlocked in time (depends upon 
policy), whereas a disabled account needs admin 
intervention.

my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable

It's possible. What's your criteria? 

DSQUERY, DSMOD are two tools that are touted as being able to do this 
pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO. 
Scripts, etc can also be used successfully. 

Al
On 4/19/06, Myke 
[EMAIL PROTECTED] wrote: 
hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke





RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Krenceski, William



You really got that to work well? 
I've had great success setting it up as well, however, 
I have a problem when users roam from one access point to the next. They get 
dropped for a few seconds for reauthentication which is not acceptable to 
most users. Are you using EAP? I would love to get more specifics if you do not 
have the problem I did. 

Using Cisco 1220 x (27) with cisco 350 client cards x 
(80)
Thanks. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius Auth from our 
Cisco 1100 AP's.

User needs wireless, I just add them to the user group that allows them 
to install/request the Cert and I dont have to do anything 
else.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Wednesday, April 19, 2006 4:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Setting Wireless Config via GPO
  
  Folks,
  
  Is any one setting 
  wireless configurations using the features in AD 2003? We currently use the 
  3-COM tool and their proprietary security. As they have stopped supporting 
  this we need to move on. Thanks for any input on this.
  
  Dave 
  Wade


Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-04-19 Thread Al Mulnick
Because this is AD-Integrated, I would more likely suspect that there's a problem with one of the records or a configuration issue vs. wholesale corruption. The recommendation to remove the entire zone would flush that problem out but as you mentioned it would likely throw the baby out with the bathwater. Since elephants are best eaten in small pieces, it would be best to isolate and troubleshoot. For example, on the domain controller, can you use nslookup to find the domain controller itself? What about SRV records? Is that the same with all domain controlled versions or just this one? What other events are logged at startup? When you open the DNS MMC, do you see anything odd? 


Removing the zone is not absolutely a bad idea if the zone is unusable anyway. The servers would re-register themselves in about the next 12-24 hours anyway (usually much much much quicker but you hate to give that kind of advice willy-nilly.)


I'm out of cliches for now, but let me know what you get with those questions. It might also be a good idea to start considering calling Microsoft if you need faster resolution. 

Al
On 4/18/06, Danny [EMAIL PROTECTED] wrote:
On 4/17/06, Al Mulnick [EMAIL PROTECTED] wrote:
> When you talk about deleting and such are you thinking about the newsgroups posts like this one:
> http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-05/msg00245.html ???

Yes, along those lines. But, the zone file in question in this scenario is the forward lookup zone for AD. Since DNS plays a critical role in AD, I am sure that you can understand that I am hesitant to just delete the AD DNS zone without understanding exactly how a new zone will automatically create all the essential resource records.

> Some questions:
> Is DNS AD-Integrated?

Yes, the default.

> Software revisions in use?

I am not sure what you mean, but there is a mix of Windows 2000 SP4 and Windows Server 2003 SP1.

> When the client fails, what's the error logged and what are they looking for? (I assume nslookup vs. live clients - is that correct?)

Example:
hosts file only contains one server on the LAN
DNS cache has been flushed
DNS client points exclusively to IP of DNS server
NIC has been restarted
nslookup default server displayed; try a hostname lookup and I receive:
DNS request timed out.
timeout was 2 seconds

When I ping a hostname not previously looked up (or in the cache), it takes a few seconds and then it finally resolves the name and pings host successfully.

Regardless, do you know what can be done to resolve the original issue? What I have just described is more than likely a result of the root problem.

Thanks,

...D

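Al's "isolate and troubleshoot" questions (can the DC find itself, what about the SRV records) as an added example, not code from the thread: it queries the DC's own DNS service for the A record and the SRV records Netlogon registers in the AD zone and reports which ones are missing or do not point at this DC. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and a domain-joined machine; the domain and host names are placeholders.

```powershell
# Added example (not from the thread). Check one DC's DNS registrations so
# that a single broken record can be fixed instead of deleting the whole
# AD-integrated zone.
function Test-DcDnsRegistration {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # placeholder: corp.example.com
        [Parameter(Mandatory)][string]$DcHostName,   # placeholder: dc1.corp.example.com
        [string]$DnsServer = $DcHostName             # ask the DC's own DNS service
    )

    # Records every DC registers via Netlogon; if the zone refuses to create
    # them (the event 4010 in the subject line), they will be missing here.
    $checks = @(
        @{ Name = $DcHostName;                         Type = 'A'   },
        @{ Name = "_ldap._tcp.$DomainName";            Type = 'SRV' },
        @{ Name = "_kerberos._tcp.$DomainName";        Type = 'SRV' },
        @{ Name = "_ldap._tcp.dc._msdcs.$DomainName";  Type = 'SRV' },
        @{ Name = "_ldap._tcp.pdc._msdcs.$DomainName"; Type = 'SRV' },
        @{ Name = "_gc._tcp.$DomainName";              Type = 'SRV' }
    )

    foreach ($c in $checks) {
        try {
            $rr = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $DnsServer `
                                  -DnsOnly -ErrorAction Stop
            # An SRV set may exist but list only other DCs; check this one is in it.
            $thisDc = if ($c.Type -eq 'SRV') {
                @($rr | Where-Object { $_.NameTarget -ieq $DcHostName }).Count -gt 0
            } else {
                @($rr | Where-Object { $_.Type -eq 'A' }).Count -gt 0
            }
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Found = $true;  ThisDc = $thisDc }
        } catch {
            [pscustomobject]@{ Record = $c.Name; Type = $c.Type; Found = $false; ThisDc = $false }
        }
    }
}

# Usage (placeholder names):
# Test-DcDnsRegistration -DomainName corp.example.com -DcHostName dc1.corp.example.com |
#     Format-Table -AutoSize
```

A row with Found=$false or ThisDc=$false identifies the specific record that is not being created; re-registering from that DC (`nltest /dsregdns`, or restarting Netlogon) and watching whether the 4010 event recurs for that one name is the small piece of the elephant, rather than deleting the zone.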


RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


Myke,

You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing.

We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or a quick .NET exe for if you wanted.

Jef



Date: Wed, 19 Apr 2006 11:38:58 -0300
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable

hi guys,

is it possible to make an automatic lockout of user accounts by inactivity, or do I need a third party tool?

thanks

Myke
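The check Jef describes (lastLogonTimeStamp older than 180 days, then disable), as an added example that is not code from the thread: the directory records are constructed inline, and the threshold builds in the slack from lastLogonTimestamp only being rewritten and replicated every 14 days by default (msDS-LogonTimeSyncInterval).

```python
"""Flag AD accounts inactive for more than N days from lastLogonTimestamp.

Added example (not code from the thread). Directory records are constructed
inline; a real run would read them over LDAP/ADSI and clear or set
userAccountControl through the same channel.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC. lastLogonTimestamp
# is stored as a large integer in that format.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002          # userAccountControl bit for "disabled"

# lastLogonTimestamp is only rewritten (and therefore replicated) when the
# stored value is older than msDS-LogonTimeSyncInterval, 14 days by default,
# minus a random 0-5 days. A value read from any DC can therefore trail the
# real last logon by up to 14 days; the cutoff below allows for that.
LOGON_SYNC_SLACK = timedelta(days=14)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never'."""
    if ft <= 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (integer arithmetic, no float loss)."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_accounts(records, now, max_inactive_days=180):
    """Return the sAMAccountNames that should be disabled.

    records: iterable of dicts with sAMAccountName, userAccountControl,
             lastLogonTimestamp (FILETIME int, 0 if never) and whenCreated.
    An account that never logged on is measured from whenCreated instead,
    so a forgotten account created a year ago is still caught.
    Accounts already disabled are skipped.
    """
    cutoff = now - timedelta(days=max_inactive_days) - LOGON_SYNC_SLACK
    result = []
    for rec in records:
        if rec["userAccountControl"] & ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(rec["lastLogonTimestamp"])
        reference = last if last is not None else rec["whenCreated"]
        if reference < cutoff:
            result.append(rec["sAMAccountName"])
    return result


# Constructed sample data (hypothetical accounts, 0x200 = NORMAL_ACCOUNT).
NOW = datetime(2006, 4, 19, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "active.user", "userAccountControl": 0x200,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3)),
     "whenCreated": NOW - timedelta(days=900)},
    {"sAMAccountName": "left.company", "userAccountControl": 0x200,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=240)),
     "whenCreated": NOW - timedelta(days=900)},
    {"sAMAccountName": "borderline", "userAccountControl": 0x200,
     # 185 days: past 180, but inside the replication slack, so left alone
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=185)),
     "whenCreated": NOW - timedelta(days=900)},
    {"sAMAccountName": "never.logged.on", "userAccountControl": 0x200,
     "lastLogonTimestamp": 0,
     "whenCreated": NOW - timedelta(days=400)},
    {"sAMAccountName": "already.off", "userAccountControl": 0x202,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=500)),
     "whenCreated": NOW - timedelta(days=900)},
]

if __name__ == "__main__":
    print(stale_accounts(SAMPLE, NOW))   # ['left.company', 'never.logged.on']
```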


RE: [ActiveDir] stupid ldap queries

2006-04-19 Thread Lee, Wook

Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? :)

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

Exactly, you can tell your AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle but this is a nice quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It'd be the same relative gain as running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef

Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I did the same after I saw some of the activedir folks post about doing it :)

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

sorry that was meant to be adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Thanks for the reply. In that case why does

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

return objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b.

Thanks

M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:
> Not sure I understand the question fully, but, no objectClass is not
> indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
> > Sent: Tuesday, April 18, 2006 1:00 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] stupid ldap queries
> >
> > All
> >
> > Could someone please explain how
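A way to spot the queries this thread calls stupid before they reach a DC, added here as an example and not code from the thread: parse an LDAP filter, collect every attribute it references, and report those whose searchFlags lack the index bit (0x1). The schema fragment is constructed; on a real directory the values come from searchFlags on each attributeSchema object, and adfind -stats remains the authoritative check.

```python
"""Report attributes in an LDAP filter that have no database index.

Added example, not code from the thread. SCHEMA is a constructed map of
lDAPDisplayName -> searchFlags; a real run would read those values from the
attributeSchema objects (the -schema mode adfind uses in the thread).
"""
FATTINDEX = 0x1   # searchFlags bit: attribute has a database index


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples.

    ('&', [children]) / ('|', [children]) / ('!', [child])
    (op, attr, value) for op in '=', '>=', '<=', '~='; value '*' is presence
    That subset covers every query quoted in the thread.
    """
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def item():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while True:
                skip_ws()
                if text[pos] == ")":
                    break
                kids.append(item())
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = text.index(")", pos)
        body = text[pos:end]
        pos = end + 1
        for sep in (">=", "<=", "~=", "="):
            if sep in body:
                attr, value = body.split(sep, 1)
                return (sep, attr.strip(), value.strip())
        raise ValueError(f"no comparison operator in ({body})")

    tree = item()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def attributes_in(tree):
    """Set of attribute names referenced anywhere in a parsed filter."""
    if tree[0] in "&|!":
        names = set()
        for kid in tree[1]:
            names |= attributes_in(kid)
        return names
    return {tree[1]}


def unindexed_attributes(filter_text, schema):
    """Sorted attribute names in the filter whose searchFlags lack FATTINDEX.

    Lookup is case-insensitive (LDAP attribute names are). Unknown
    attributes are reported too: they certainly have no index.
    """
    flags = {k.lower(): v for k, v in schema.items()}
    return sorted(
        a for a in attributes_in(parse_filter(filter_text))
        if not flags.get(a.lower(), 0) & FATTINDEX
    )


# Constructed schema fragment. objectClass carries no index by default,
# which is the whole point of the thread.
SCHEMA = {
    "objectCategory": 0x1,
    "sAMAccountName": 0x1,
    "cn": 0x1,
    "objectClass": 0x0,
    "description": 0x0,
}

if __name__ == "__main__":
    # Nothing indexed in the filter: the DC has to walk the whole subtree.
    print(unindexed_attributes("(objectClass=user)", SCHEMA))
    # Brian's form: objectCategory is indexed and narrows the candidate set,
    # objectClass is then only evaluated against those candidates.
    print(unindexed_attributes("(&(objectCategory=person)(objectClass=user))", SCHEMA))
    # After indexing objectClass as Wook and Marcus did:
    indexed = dict(SCHEMA, objectClass=SCHEMA["objectClass"] | FATTINDEX)
    print(unindexed_attributes("(objectClass=user)", indexed))
```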

RE: [ActiveDir] Permission to modify description

2006-04-19 Thread Oliver Marshall
If I run it interactively as a normal user, it fails with the same error
on the same line.

If I run it as an admin, it works.

Can I allow Write Description to SELF on an entire OU? I have hundreds
of users to mod, and I don't fancy doing each one by hand :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: 19 April 2006 16:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Permission to modify description

What happens when you run the script interactively, as opposed to within
the login script?

You can (should?) tighten the security on this...granting Self allow on
Write Description should be sufficient. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, April 19, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permission to modify description

I have a logon script which changes the description of the current user
when they logon, or rather it should do. Whenever I pop that script in
to a logon script it fails with a general access denied error.

The line it fails on is the last of these two:

objUser.Description = strMessage
objUser.SetInfo

objUser is pointing to the correct user, and it can set the local cached
description setting, it only fails when it tries to set that info on the
server.

I have tried giving Authenticated Users the Write General
Information permission, but that doesn't help.

Any ideas what permission I need to assign so that people are able to
edit the description properties ? Is there an associated permission for
using the setinfo method ?


If it helps, this is win2k servers with xp desktops.

Olly


RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Jef Kazimer


We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being in a domain, so they get prompted to relogon periodically but too bad for them :)

So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on.

Jef


Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Wed, 19 Apr 2006 11:32:32 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

You really got that to work well?
I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did.

Using Cisco 1220 x (27) with cisco 350 client cards x (80)
Thanks. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's.

User needs wireless, I just add them to the user group that allows them to install/request the Cert and I don't have to do anything else.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,

Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade


[ActiveDir] XP Workstation Accounts

2006-04-19 Thread AdamT
Dear collective intelligence,

Is there any difference in functionality if you join a workstation to
a domain by specifying the old NT4 domain, as opposed to specifying
the fully qualified domain?

Eg - adding a machine to CORPDOM, rather than corporatedomain.com ?


Cheers,

--
AdamT
A: Because it breaks the logical sequence of discussion
Q: Why is top posting a bad thing?


[ActiveDir] RDP Script

2006-04-19 Thread Adeel Ansari



AD Gurus, 

I am trying to create a script that adds TS accounts for W2K AD domain. 
I have tried eolwtscom and wts_admin.dll with no luck. 

I am looking for something like this below but this one
only works in 2003 server.

http://www.microsoft.com/technet/scriptcenter/scripts/ts/users/tsusvb01.mspx

Const GUEST_ACCESS = 0

strComputer = "."
' Connect to WMI on the local computer
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' One instance per Terminal Services connection (e.g. RDP-Tcp)
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_TSPermissionsSetting")

' Grant the account guest-level access on each connection
For Each objItem in colItems
    errResult = objItem.AddAccount("fabrikam\bob", GUEST_ACCESS)
Next

Can someone please help? Adeel


RE: [ActiveDir] User Accounts

2006-04-19 Thread Ulf B. Simon-Weidner
Ok - thinking it over, it's understandable that IFM does not touch DNTs but
rather uses the backup as the default dit to start from. Obviously you are not
creating a default dit and opening up a second dit to do a local sync. How are
you handling server specific settings? Delete/change those right at the
beginning of an IFM, then go ahead with the default replication to figure out
the changes? Guess USNs and watermark vectors can be kept and are the same
at the beginning of IFM.

However, thanks Eric and Dean for verification and additional thoughts.

Ulf

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Eric 
|Fleischman
|Sent: Wednesday, April 19, 2006 4:39 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
| DNTs are reusable in ESE, however ADs implementation does not allow
|DNTs
| to be released / reused on a single server, and the database 
|will only 
| reuse them if you recreate the DB by repromoting (cause 
|the data is 
| replicated from other servers into a virgin ESE, and DNTs 
|are assigned 
| from the beginning at this point).
|
|Basically, yes. Though I would point out, this is hardly 
|reusing DNTs...this is more starting over. :) For the sake of 
|clarity I would point out that such a re-promotion would need 
|to be over the wire and not IFM. IFM just picks up where the 
|last left off, as you are using the old database again, and so 
|the same AD level rules apply.
|
|~Eric
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Tuesday, April 18, 2006 11:40 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] User Accounts
|
|* DNTs (to me) are _not_ a component of the directory
|
|IIRC they are like a (primary/foreign) key in a database. 
|Technically not needed by the database layer, and not needed 
|by the application, but needed to keep the data together for 
|the application. So if you look at AD from the outside it 
|won't be referenced, if you look at ESE it's just a DB and 
|doesn't care about the data stored within, but you still need 
|it in between to store the AD in the ESE.
|Right?
|
|* DNTs are not reusable
|
|Unique per Server and don't provide any reference across 
|servers. If AD looks for a parent object by looking up it's 
|known DNT (stored with the child), ESE would fail in that 
|moment, AD would not able to go to another server and look up 
|the same DNT in it's database. The AD is distributed, the ESE 
|is local, and DNTs are part of the local table.
|
|If I understand correctly:
|DNTs are reusable in ESE, however ADs implementation does not 
|allow DNTs to be released / reused on a single server, and the 
|database will only reuse
|them if you recreate the DB by repromoting (cause the data is 
|replicated from other servers into a virgin ESE, and DNTs are 
|assigned from the beginning at this point).
|
|Right?
|
|Gruesse - Sincerely, 
|
|Ulf B. Simon-Weidner 
|
|  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
|  Weblog: http://msmvps.org/UlfBSimonWeidner
|  Website: http://www.windowsserverfaq.org
|  Profile:
|http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B48
9-F2F1214
|C811
|D   
|
| 
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
||Sent: Wednesday, April 19, 2006 1:18 AM
||To: Send - AD mailing list
||Subject: RE: [ActiveDir] User Accounts
||
||Inline is my take on an IM conv. Brett and I just had, the result and 
||content of which turned up some interesting (to me at least) 
||implementation details.  The short story is -
||
||* DNTs (to me) are _not_ a component of the directory
||  - they _are_ a component of the layer that bridges the 
|two (dblayer)
||  - to Brett, I believe he sees them within the sum of 
|what is the 
||directory
||* DNTs (to both Brett and I) are not part of ESE
||* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
||* DNTs are not reusable
||
||I hope the summary and conversational text inline proves useful.
||
||--
||Dean Wells
||MSEtechnology
||* Email: [EMAIL PROTECTED]
||http://msetechnology.com
||
|| 
||
|| -Original Message-
|| From: [EMAIL PROTECTED]
|| [mailto:[EMAIL PROTECTED] On Behalf Of
||Brett Shirley
|| Sent: Tuesday, April 18, 2006 5:11 PM
|| To: ActiveDir@mail.activedir.org
|| Cc: Send - AD mailing list
|| Subject: RE: [ActiveDir] User Accounts
|| 
|| 
|| Dean, I didn't understand this comment ...
||   But, dude, seriously, you weren't aware that AD's ESE
||used a 32 bit
|| DNT?
||   Methinks perhaps you're muddling in the realms of personal 
|| interpretation   ... though I'm quite certain you'll argue 
|that too 
|| ... ESE purist :0p
|| 
|| Are you claiming that ESE knows what a DNT is?
||
||Not at all ... but IMO, neither does the directory ... and 
|per our IM, 
||the dblayer knows what they are (after all, DNT = distinguished name 
||tag ...

RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread Dean Wells



Try editing the extraColumns attribute on the default-Display object, adding the property of your choosing as follows-

LDAP name,display name,default visibility,pixel width,0 - IIRC, this is reserved and must be 0 for now.

... highlighting the Saved Query in question and selecting View--Add/Remove columns--Add the desired attribute.

Does this achieve your goal?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 19, 2006 12:47 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] ExtraColumns attribute

Hi all,

I am interested in adding values to the 'extraColumns' attribute found on objects in the DisplaySpecifiers container. In particular, I'd like the option to display the value of OperatingSystem (etc...).

The article about this attr in MSDN library describes it pretty well, but I'm wondering which DisplaySpecifier object to use in the case where you write a "Saved Query" (for others to import into their ADUC).

At present I see that only the "default-Display" and "lostAndFound-Display" objects have that attr populated. Should I just modify the default, or should I be more specific and modify another object which only applies to "Saved Queries" - if so, anybody know which one? Maybe since my filter specifies only computer objects, the "computer-Display" object applies?

Sorry if this sounds silly!

Thanks...
DaveC
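The extraColumns value layout Dean quotes, as an added example that is not code from the thread: a builder and parser that enforce the five comma-separated fields and the reserved trailing 0, plus a merge that replaces an existing entry for the same attribute instead of adding a duplicate column. Reading and writing the display specifier itself over LDAP is assumed to happen elsewhere; the sample values are constructed.

```python
"""Build, parse and merge extraColumns values for an AD display specifier.

Added example, not code from the thread. Value layout follows Dean's reply:
"LDAP name,display name,default visibility,pixel width,0", with the last
field reserved and always 0. Reading the default-Display object and writing
the values back is outside this snippet; sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExtraColumn:
    ldap_name: str      # lDAPDisplayName of the attribute to show
    display_name: str   # column header shown in ADUC
    visible: bool       # True: shown by default; False: only via Add/Remove Columns
    width: int          # column width in pixels

    def to_value(self) -> str:
        """Serialise as one extraColumns value (field 5 is the reserved 0)."""
        if not self.ldap_name or "," in self.ldap_name:
            raise ValueError("ldap_name must be a single attribute name")
        if "," in self.display_name:
            # Assumption made for this example: the separator cannot be escaped.
            raise ValueError("display_name may not contain a comma")
        if self.width <= 0:
            raise ValueError("width must be a positive pixel count")
        return f"{self.ldap_name},{self.display_name},{int(self.visible)},{self.width},0"


def parse_value(value: str) -> ExtraColumn:
    """Parse one stored value; rejects a bad field count or a non-zero reserved field."""
    fields = value.split(",")
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}: {value!r}")
    ldap_name, display_name, visibility, width, reserved = (f.strip() for f in fields)
    if visibility not in ("0", "1"):
        raise ValueError(f"default visibility must be 0 or 1: {value!r}")
    if reserved != "0":
        raise ValueError(f"reserved field must be 0: {value!r}")
    return ExtraColumn(ldap_name, display_name, visibility == "1", int(width))


def add_column(existing: list[str], column: ExtraColumn) -> list[str]:
    """Return a new value list with `column` added, replacing a same-name entry.

    extraColumns is multi-valued, one value per column. Attribute names are
    compared case-insensitively so "OperatingSystem" and "operatingSystem"
    never end up as two columns for the same attribute.
    """
    result = [v for v in existing
              if parse_value(v).ldap_name.lower() != column.ldap_name.lower()]
    result.append(column.to_value())
    return result


# Constructed starting point: two values already present on the object.
EXISTING = [
    "sAMAccountName,Logon Name,0,100,0",
    "description,Description,0,150,0",
]

if __name__ == "__main__":
    os_col = ExtraColumn("operatingSystem", "Operating System", True, 120)
    for v in add_column(EXISTING, os_col):
        print(v)
```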


RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Krenceski, William



With all access points set as root with WEP and MAC. The ol way..( I know, I know). We have a very stingy app that will drop you like a hot potato with even the slightest drop in network. We are also using the Cisco Aironet client utilities on all machines. Seems if I don't use the Aironet client the computers do not like to install computer based policies because the network doesn't start until the user starts to log on (win2k). I personally would like to put an A bomb on all wireless networks with the small exception of internet access. Wireless is a pain to manage. Give me a good ol piece of copper wire.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Same thing here, AP to AP there is a short drop as it reauthenticates. We get questioned on it by new users sometimes but they get over it. That downside vs the upside makes it a no brainer for us. What system/setup would not have a short drop going from AP to AP?

Yes using EAP.

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krenceski, William
Sent: Wednesday, April 19, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

You really got that to work well?

I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did.
  
  Using Cisco 1220 x (27) with cisco 350 client cards x 
  (80)
  Thanks. 
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's.

User needs wireless, I just add them to the user group that allows them to install/request the Cert and I don't have to do anything else.
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,

Is anyone setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade


RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano

The ADC is set to use port 38900 and the LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server level it is set to use 389 (when I change this, mail stops flowing). Regardless, when I try connecting in ADC tools to the Ex5.5 box it fails on either port.

I am trying to build a new Ex2k3 server in the domain, but it will not join the organization because the ADC tools have not been run, or at least that is the error message I am getting.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations.

If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible.

Ion

From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account.

I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade.

Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools?

You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange cannot be assigned the task upgrade because the directory database is in an inconsistent state the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano

I am not trying to upgrade from Ex5.5 to Ex2k3, but rather from Ex5.5 to Ex2k, then, from Ex2k to Ex2k3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems

In place of Exchange 5.5 to Exchange 2003? Check the readme, release notes and migration path scenarios again. Last I checked, that was not a supported upgrade path (2000 to 2003 is supported although not always preferred).

Al

On 4/18/06, Dan DeStefano [EMAIL PROTECTED] wrote:

We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account.

I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade.

Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools?

You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the installation, I receive the error "Exchange cannot be assigned the task upgrade because the directory database is in an inconsistent state the private and or public stores are in an inconsistent state". However, when using Eseutil to check database consistency of all 3 databases, it reports that they are consistent. Even so, I tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then ran every test/repair using isinteg, all of which completed successfully and only some of which reported errors. However, nothing has worked and I am still getting the same errors when trying to upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5 box. While waiting for my maintenance window to upgrade the current ADC to the 2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try to run the Data collection step in ADC tools on the new ws2k3 box, I receive the error "Server myserver:389 is not an Exchange 5.5 server or an SRS service". I realized that since it was installed on a DC that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools. However, I am now receiving the error "Could not connect to server myserver:38900 with LDAP error 6. Check server name, port number and account permissions". I am logged on with the

[ActiveDir] Domain Local Group vs Global Security Group for Delegated Permissions in AD

2006-04-19 Thread Myrick, Todd (NIH/CC/DNA) [E]
Quick Question,

I was teaching a class the other day when the question came up about
what group scope should you use for delegated permissions of an OU.  I
was teaching an earlier class where I explained how to use Domain Local
Groups on Files Shares and Printers to centralize management of these
resources via AD.  The question from the students was could / should
they use the same principles for AD Delegation?  I said no based on past
experience with 3rd party delegation tools didn't like Domain Local
Groups used for delegation.

This got me to thinking why and wondering what you all do and why?

I know this question is open ended, and depends on your domain structure
etc, but I just am trying to identify a real reason to say no, only use
global groups for delegation within a domain.

Thanks,

Todd Myrick
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Al Mulnick
I missed the part about the ADC then. :)

Try the event log - what do you see at startup of the machine? If you connect to tcp 389 of that machine, what answers? (try LDP and just connect - you should see what you're looking for there.) Until you can connect to the Exchange directory via LDAP, you're not going anywhere. Basically, be sure to check that the LDAP component is operational and work from there. 


Al
On 4/19/06, Dan DeStefano [EMAIL PROTECTED] wrote:



The ADC is set to use port 38900 and the LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server level it is set to use 389 (when I change this, mail stops flowing). Regardless, when I try connecting in ADC tools to the 
Ex5.5 box it fails on either port.

I am trying to build a new Ex2k3 server in the domain, but it will not join the organization because the ADC tools have not been run, or at least that is the error message I am getting.



Dan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems






The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations.






If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible.









Ion 











From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems




We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native environment? 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132







RE: [ActiveDir] Domain Local Group vs Global Security Group for Delegated Permissions in AD

2006-04-19 Thread Lee, Wook
In general, I would make the decision based on who needed to be allowed
access and who needed to control that access.

Assuming that you want to have a point of control to be in the domain
where the OU and groups are, then here's what I'd do.

Admins can only be from the same domain as the OU: use a domain global
group.

Admins can be from any domain in the forest but not from trusted
domains: use a universal group.

Admins can be from any trusted domain: use a domain local group.

If you want to retain control over exactly who gets rights over the OU,
then you use an appropriately scoped group whose membership is
controlled by you and add user accounts individually.

If you want to delegate the membership issue, then you can populate your
group with groups from other jurisdictions. Whoever owns those groups
will now have a say in who has rights. You of course still retain some
control since you can still add or remove other groups or users.

If you don't want to have that local control, then you could just add
groups from other domains directly, but the ACLs start getting messy
very quickly. Better to at least aggregate all of those into a single
group to keep the ACLs clean.

Wook


RE: [ActiveDir] Domain Local Group vs Global Security Group for Delegated Permissions in AD

2006-04-19 Thread Myrick, Todd (NIH/CC/DNA) [E]
I think the rationale for using domain local groups is that memberships
can be from outside the domain and this group only exists for purposes
within the domain of origin.  The way I see it DLGs can act as a
poor-person's role-based security model and, as you point out, be used to
reduce the ACLs directly on the OU delegation; basically you can create
delegations based on roles and then add the GG from other domains or
the domain of origin to facilitate the delegation without having to
create delegations repeatedly.  Like I said earlier though, I have run
into third-party delegation software that doesn't like or doesn't
function as expected using DLGs. So it got me to wondering: are there
limitations using a DLG for delegation that aren't obvious?

Thanks for the feedback Wook,

Todd

 



Re: [ActiveDir] RDP Script

2006-04-19 Thread Teo De Las Heras
Would this help?
http://marcusoh.blogspot.com/2006/04/misc-enabling-terminal-services.html#links

Teo
On 4/19/06, Adeel Ansari [EMAIL PROTECTED] wrote:


AD Gurus, 

I am trying to create a script that adds TS accounts for W2K AD domain. I have tried eolwtscom and wts_admin.dll with no luck. 

I am looking for something like this below, but this one only works on 2003 server.

http://www.microsoft.com/technet/scriptcenter/scripts/ts/users/tsusvb01.mspx

' Permission level to grant (0 = guest access)
Const GUEST_ACCESS = 0

' Connect to WMI on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Win32_TSPermissionsSetting only exists on Windows Server 2003
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_TSPermissionsSetting")

' Add the account to every Terminal Services connection found
For Each objItem in colItems
    errResult = objItem.AddAccount("fabrikam\bob", GUEST_ACCESS)
Next

Can someone please help?

Adeel


[ActiveDir] Anomaly in application of Permissions by adminSDHolder

2006-04-19 Thread Richard Bowersox
I have noticed what appears to be an anomaly in the way that adminSDHolder
is applying object permissions and was wondering if anybody else has seen
something similar or has a workaround.

We want our internal helpdesk staff to be able to unlock any user's account,
even privileged accounts that are protected by adminSDHolder 'inheritance'.
The HELPDESK group has been given Read/Write permissions on the lockoutTime
attribute for User Objects protected by adminSDHolder.  However, when
members of HELPDESK go to unlock a locked account of this type, the choice
is grayed out.  (The same permissions given to the same group for accounts
not protected by adminSDHolder allow the HELPDESK to unlock those accounts
without any problem.)

When I look at the permissions applied to the specific user object it shows
that the HELPDESK group has Read/Write on the lockoutTime attribute as
expected. The only way that members of the HELPDESK group can gain access to
the account lockout box is to set the security on a specific account for the
lockoutTime READ/WRITE permission to apply to 'This Object' rather than the
'User Objects' choice.

Unfortunately, when setting the security on the adminSDHolder container, I
cannot use the 'This object and all child objects' choice because when that
is selected, the lockoutTime attribute is not an available option.



Rick Bowersox
Rockwell Collins

If you cannot convince them, confuse them.
--
Harry S Truman


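Both Wook's scope-by-membership rule in the delegation thread above and the AdminSDHolder unlock problem Richard describes come down to building object-specific ACEs, so here is one added PowerShell example covering both; it is not code from any of the posts. It assumes the RSAT ActiveDirectory module, and the domain corp.example, the OUs Sales and Delegation and the global group Sales-Helpdesk are constructed names.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module; domain corp.example, OU=Sales, OU=Delegation and the global group
# Sales-Helpdesk are constructed names.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Object-specific ACEs are keyed by GUID: look them up in the schema and the
# Extended-Rights container rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$o.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Build one Allow ACE and add it to the object's DACL. $Inheritance is the
# ACL editor's "Applies to" choice: Descendents plus the user class GUID is
# "User objects" (inherit-only), None is "This object only".
function Add-DelegationAce {
    param(
        [string]$TargetDn,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $ctorArgs = @($Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
                  $ObjectType, $Inheritance, $InheritedObjectType)
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

# Which lockoutTime ACEs on an object actually govern that object?
# An InheritOnly ACE applies to children only, never to the object itself.
function Get-LockoutTimeAce([string]$TargetDn) {
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $lockoutTime } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
            @{ n = 'AppliesHere'; e = {
                ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0 } }
}

$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPw     = Get-ExtendedRightGuid 'Reset Password'

# Todd's question, Wook's answer: the point of control is a domain local
# group in the OU's own domain (its members may come from any trusted
# domain); role membership is fed in through global groups their owners control.
$dlg = New-ADGroup -Name 'Del-Sales-AccountOps' -GroupScope DomainLocal `
    -GroupCategory Security -Path 'OU=Delegation,DC=corp,DC=example' -PassThru
Add-ADGroupMember -Identity $dlg -Members (Get-ADGroup 'Sales-Helpdesk')
$sid = (Get-ADGroup -Identity $dlg.DistinguishedName).SID

# On an ordinary OU the ACE is scoped to descendant user objects; the OU
# itself never needs the right, so inherit-only is exactly right here.
$ou = 'OU=Sales,DC=corp,DC=example'
Add-DelegationAce -TargetDn $ou -Sid $sid -Rights ExtendedRight -ObjectType $resetPw `
    -Inheritance Descendents -InheritedObjectType $userClass
Add-DelegationAce -TargetDn $ou -Sid $sid -Rights 'ReadProperty, WriteProperty' `
    -ObjectType $lockoutTime -Inheritance Descendents -InheritedObjectType $userClass

# Richard's anomaly: SDProp copies AdminSDHolder's DACL onto protected
# accounts, inheritance flags included, and blocks inheritance on them. An
# inherit-only "User objects" ACE therefore shows up on the user but applies
# only to its (non-existent) children, so the unlock box stays greyed out.
# "This object" (no inheritance) is copied as a direct ACE and works.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
Add-DelegationAce -TargetDn $adminSdHolder -Sid $sid -Rights 'ReadProperty, WriteProperty' `
    -ObjectType $lockoutTime -Inheritance None

# Audit: AppliesHere is $false for any ineffective "User objects" variant.
# SDProp pushes the change to protected accounts on its next run (hourly by default).
Get-LockoutTimeAce $adminSdHolder | Format-Table -AutoSize
```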


Re: [ActiveDir] automatic account disable

2006-04-19 Thread Al Mulnick
LOL. You're right, it is often advisable to disable first. I got caught up in the moment ;)

Myke, there was a long conversation about such things a few months ago. You might want to search the archives to see what was said and see if you agree about what it says and suggests. 

An additional point to consider: start with policy as Neil suggests. If you have a policy that says to disable accounts and then delete later, or delete based on disuse, enforcement is pretty much an easy thing to do. Without the policy first, it can be a difficult train to ride. 




-ajm
On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Would you not disable the account instead of locking it?

A locked account may be unlocked in time (depends upon policy), whereas a disabled account needs admin intervention.

my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable


It's possible. What's your criteria? 

DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net) for this task IMHO. Scripts, etc can also be used successfully.

Al


On 4/19/06, Myke [EMAIL PROTECTED] wrote:

hi guys,

Is it possible to make an automatic lockout on user accounts by inactivity, or do I need a third party tool?

thanks
Myke




RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread David Cliffe



Hm...that's exactly what I was planning to do, and did do about 2 hours ago, but am a little surprised to find it hasn't worked (waited for repl). Here you can see my edits [ "joeware automatic update service" hasn't kicked in on my machine yet : - ) ]

I'm not sure how many pixels these things need to be displayed, so I just picked a number...hopefully that's not holding this up? As an additional test I modified the value in blue, just to see if it would display differently, but that didn't take effect either. I must be missing something.

[note - if reading in plain text, it's the first 4 values of extraColumns below which contain my edits]

Thanks again...DC


$ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com" extracolumns

AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005

Using server: dc.rootdomain.com:389
Directory: Windows Server 2003

dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
extraColumns: company,Compenny,0,150,0
extraColumns: operatingSystemVersion,O/S Version,0,100,0
extraColumns: operatingSystemServicePack,Service Pack,0,100,0
extraColumns: operatingSystem,Operating System,0,100,0
extraColumns: postalCode,Zip Code,0,100,0
extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
extraColumns: userPrincipalName,User Logon Name,0,200,0
extraColumns: title,Job Title,0,100,0
extraColumns: targetAddress,Target Address,0,100,0
extraColumns: st,State,0,100,0
extraColumns: physicalDeliveryOfficeName,Office,0,100,0
extraColumns: whenChanged,Modified,0,130,0
extraColumns: sn,Last Name,0,100,0
extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
extraColumns: givenName,First Name,0,100,0
extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
extraColumns: mailNickname,Exchange Alias,0,175,0
extraColumns: mail,E-Mail Address,0,100,0
extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
extraColumns: displayName,Display Name,0,100,0
extraColumns: department,Department,0,150,0
extraColumns: c,Country,0,-1,0
extraColumns: l,City,0,150,0
extraColumns: telephoneNumber,Business Phone,0,100,0

1 Objects returned



  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 1:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ExtraColumns attribute

Try editing the extraColumns attribute on the default-Display object, adding the property of your choosing as follows-

LDAP name,display name,default visibility,pixel width,0 - IIRC, this is reserved and must be 0 for now.

... highlighting the Saved Query in question and selecting View--Add/Remove columns--Add the desired attribute.

Does this achieve your goal?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 19, 2006 12:47 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] ExtraColumns attribute

Hi all,

I am interested in adding values to the 'extraColumns' attribute found on objects in the DisplaySpecifiers container. In particular, I'd like the option to display the value of OperatingSystem (etc...).

The article about this attr in MSDN library describes it pretty well, but I'm wondering which DisplaySpecifier object to use in the case where you write a "Saved Query" (for others to import into their ADUC).

At present I see that only the "default-Display" and "lostAndFound-Display" objects have that attr populated. Should I just modify the default, or should I be more specific and modify another object which only applies to "Saved Queries" - if so, anybody know which one? Maybe since my filter specifies only to computer objects, the "computer-Display" object applies?

Sorry if this sounds silly!

Thanks...
DaveC

To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
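An added PowerShell example, not from the thread, that reads and extends extraColumns in the five-field format Dean describes above (the third field is the default-visibility flag, which is why David's four additions, all carrying 0 there, only surface under Add/Remove Columns); it assumes the RSAT ActiveDirectory module and the 409 (US English) display specifiers, and names nothing beyond that.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and the US-English (409) display specifiers.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$specDn  = "CN=default-Display,CN=409,CN=DisplaySpecifiers,$($rootDse.configurationNamingContext)"

# One extraColumns value is five comma-separated fields:
#   lDAPDisplayName,column header,default visibility (1 = shown),width in pixels,0 (reserved)
function ConvertFrom-ExtraColumn([string]$Value) {
    $f = $Value -split ','
    if ($f.Count -ne 5) { throw "Malformed extraColumns value: '$Value'" }
    [pscustomobject]@{
        Attribute = $f[0]
        Header    = $f[1]
        Visible   = ($f[2] -eq '1')
        Width     = [int]$f[3]
        Reserved  = [int]$f[4]
        Raw       = $Value
    }
}

function Get-ExtraColumn {
    (Get-ADObject -Identity $specDn -Properties extraColumns).extraColumns |
        ForEach-Object { ConvertFrom-ExtraColumn $_ }
}

function Add-ExtraColumn {
    param([string]$Attribute, [string]$Header, [int]$Width = 100, [switch]$Visible)
    if ($Attribute -match ',' -or $Header -match ',') { throw 'A comma would corrupt the value' }
    # Only offer columns for attributes the schema actually defines.
    $schemaAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))"
    if (-not $schemaAttr) { throw "No attribute named '$Attribute' in the schema" }
    # Keep one value per attribute.
    if (Get-ExtraColumn | Where-Object { $_.Attribute -eq $Attribute }) {
        Write-Warning "$Attribute already has a column"; return
    }
    if ($Width -le 0) { $Width = 100 }   # a 0-width column is invisible until dragged open
    $value = '{0},{1},{2},{3},0' -f $Attribute, $Header, [int]$Visible.IsPresent, $Width
    # -Add appends to the multi-valued attribute; -Replace would wipe the others.
    Set-ADObject -Identity $specDn -Add @{ extraColumns = $value }
    $value
}

# -Visible = shown by default; without it the column is only listed under
# View > Add/Remove Columns (that is the 0 in the third field of David's entries).
Add-ExtraColumn -Attribute operatingSystem -Header 'Operating System' -Width 120 -Visible
Get-ExtraColumn | Sort-Object Attribute | Format-Table Attribute, Header, Visible, Width -AutoSize
```

ADUC reads the display specifiers when it starts, so restart it (and allow for configuration-partition replication) before looking for the new column.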




RE: [ActiveDir] Anomaly in application of Permissions by adminSDHolder

2006-04-19 Thread deji
If you look through the archives, you will find links to external blogs
documenting this behavior and how to overcome it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 





RE: [ActiveDir] automatic account disable

2006-04-19 Thread deji
Still, there is nothing automatic natively in the OS to let him do this.
Policy or no policy, he is looking at external intervention - third-party or
a roll-your-own. Rolling his own may be burdensome because now he has to
account for the number of ways an account can be active without necessarily
logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



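As an added example (not code from the thread), this is the disable-by-inactivity job deji says you end up writing yourself, with the lastLogon/lastLogonTimestamp caveat handled rather than ignored; it assumes the RSAT ActiveDirectory module, an agreed 90-day policy, and a constructed OU name.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and an agreed policy of "disable after 90 days idle"; the OU name
# is constructed.
Import-Module ActiveDirectory

$InactiveDays = 90
$SearchBase   = 'OU=Staff,DC=corp,DC=example'

# lastLogonTimestamp replicates, but a DC only rewrites it when the stored
# value is older than msDS-LogonTimeSyncInterval (14 days by default), so it
# can trail the real last logon by up to two weeks. lastLogon is exact but
# never replicates: each DC has its own copy. Take the newest of them all.
function Get-TrueLastLogon {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $newest = [datetime]::FromFileTime([int64]$User.lastLogonTimestamp)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $raw = (Get-ADUser -Identity $User.ObjectGUID -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop).lastLogon
        } catch { continue }        # DC unreachable: keep what we already have
        if ($raw) {
            $t = [datetime]::FromFileTime([int64]$raw)
            if ($t -gt $newest) { $newest = $t }
        }
    }
    $newest
}

# Candidate selection. Search-ADAccount -AccountInactive does a similar
# first pass, but it trusts lastLogonTimestamp alone.
function Get-InactiveUser {
    param([int]$Days, [string]$Base)
    $cutoff = (Get-Date).AddDays(-$Days)
    $users = Get-ADUser -SearchBase $Base -Filter { Enabled -eq $true } `
        -Properties lastLogonTimestamp, whenCreated, servicePrincipalName
    foreach ($u in $users) {
        # An account that only acts as a Kerberos service target (it carries
        # an SPN) has tickets issued for it without ever logging on itself.
        # That is deji's point: disuse cannot be read off a logon stamp for
        # these, so they go to manual review instead of the disable list.
        if ($u.servicePrincipalName) { continue }
        # Never-logged-on accounts have no stamp at all; age them from creation.
        $last = if ($u.lastLogonTimestamp) { Get-TrueLastLogon $u } else { $u.whenCreated }
        if ($last -lt $cutoff) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; LastLogon = $last; DN = $u.DistinguishedName }
        }
    }
}

# Disable rather than delete (Neil's point): the SID, group memberships and
# audit trail survive, and only an admin can re-enable. -WhatIf keeps this
# a dry run until the list has been reviewed.
$stale = Get-InactiveUser -Days $InactiveDays -Base $SearchBase
foreach ($acct in $stale) {
    Set-ADUser -Identity $acct.DN -WhatIf `
        -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon in $InactiveDays days"
    Disable-ADAccount -Identity $acct.DN -WhatIf
}
$stale | Format-Table -AutoSize
```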


RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread Dean Wells



OK, so the 1st trailing 0 says "don't show by default" ... which I assume is what you
want on the default displaySpecifier. You may also find it useful to know
that when these columns do appear, they have a habit of initially being 0 pixels
wide so you have to go dragging column widths around to find them (they default
to the far right column I believe so start there). In addition, since
you've used the trailing 0 mentioned above, all you've done is added these
attributes to the list of those available in the Add/Remove columns
dialog.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 5:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Hm...that's exactly what I was planning to do, and did do about 2 hours ago,
  but am a little surprised to find it hasn't worked (waited for repl). Here
  you can see my edits [ "joeware automatic update service" hasn't kicked in
  on my machine yet : - ) ]
  
  I'm not sure how many pixels these things need to be displayed, so I just
  picked a number...hopefully that's not holding this up? As an additional
  test I modified the value in blue, just to see if it would display
  differently, but that didn't take effect either. I must be missing something.
  
  [note - if reading in plain text, it's the 
  first 4 values of extraColumns below which contain my 
  edits]
  
  Thanks again...DC
  
  
  $ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com" extracolumns
  
  AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005
  
  Using server: dc.rootdomain.com:389
  Directory: Windows Server 2003
  
  dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
  extraColumns: company,Compenny,0,150,0
  extraColumns: operatingSystemVersion,O/S Version,0,100,0
  extraColumns: operatingSystemServicePack,Service Pack,0,100,0
  extraColumns: operatingSystem,Operating System,0,100,0
  extraColumns: postalCode,Zip Code,0,100,0
  extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
  extraColumns: userPrincipalName,User Logon Name,0,200,0
  extraColumns: title,Job Title,0,100,0
  extraColumns: targetAddress,Target Address,0,100,0
  extraColumns: st,State,0,100,0
  extraColumns: physicalDeliveryOfficeName,Office,0,100,0
  extraColumns: whenChanged,Modified,0,130,0
  extraColumns: sn,Last Name,0,100,0
  extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
  extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
  extraColumns: givenName,First Name,0,100,0
  extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
  extraColumns: mailNickname,Exchange Alias,0,175,0
  extraColumns: mail,E-Mail Address,0,100,0
  extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
  extraColumns: displayName,Display Name,0,100,0
  extraColumns: department,Department,0,150,0
  extraColumns: c,Country,0,-1,0
  extraColumns: l,City,0,150,0
  extraColumns: telephoneNumber,Business Phone,0,100,0
  
  1 Objects returned
  
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 19, 2006 1:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ExtraColumns attribute

Try editing the extraColumns attribute on the default-Display object,
adding the property of your choosing as follows-

LDAP name,display name,default visibility,pixel width,0 - IIRC,
this is reserved and must be 0 for now.

... highlighting the Saved Query in question and selecting
View--Add/Remove columns--Add the desired attribute.

Does this achieve your goal?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
  Sent: Wednesday, April 19, 2006 12:47 PM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] ExtraColumns attribute
  
  Hi all,
  
  I am interested in adding values to the 'extraColumns' attribute found on
  objects in the DisplaySpecifiers container. In particular, I'd like
  the option to display the value of OperatingSystem (etc...).
  
  The article about this attr in the MSDN library describes it pretty well,
  but I'm wondering which DisplaySpecifier object to use in the case where
  you write a "Saved Query" (for others to import into their ADUC).
  
  At present I see that only the "default-Display" and "lostAndFound-Display"
  objects have that attr populated. Should I just modify the default, or
  should I be more specific and modify another object which only applies to
  

RE: [ActiveDir] Anomaly in application of Permissions by adminSDHolder

2006-04-19 Thread Ulf B. Simon-Weidner
Hi Richard,

You can change the settings by delegating write access to lockoutTime on the
adminSDHolder-Object in the system container. After doing that your helpdesk
will be able to unlock any administrative account anywhere in the domain.

For more information query my blog for adminSdHolder or use google, which
will bring it up as well.

Greetings - Sincerely,

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811
D   

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Richard Bowersox
|Sent: Wednesday, April 19, 2006 10:09 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Anomaly in application of Permissions by 
|adminSDHolder
|
|I have noticed what appears to be an anomaly in the way that 
|adminSDHolder is applying object permissions and was wondering 
|if anybody else has seen something similar or has a workaround.
|
|We want our internal helpdesk staff to be able to unlock any 
|user's account, even privileged accounts that are protected by 
|adminSDHolder 'inheritance'.
|The HELPDESK group has been given Read/Write permissions on the 
|lockoutTime attribute for User Objects protected by 
|adminSDHolder.  However, when members of HELPDESK go to unlock 
|a locked account of this type, the choice is grayed out.  (The 
|same permissions given to the same group for accounts not 
|protected by adminSDHolder allow the HELPDESK to unlock those 
|accounts without any problem.)
|
|When I look at the permissions applied to the specific user 
|object it shows that the HELPDESK group has Read/Write on the 
|lockoutTime attribute as expected. The only way that members 
|of the HELPDESK group can gain access to the account lockout 
|box is to set the security on a specific account for the 
|lockoutTime READ/WRITE permission to apply to 'This Object' 
|rather than the User Objects' choice.
|
|Unfortunately, when setting the security on the adminSDHolder 
|container, I cannot use the This object and all child 
|objects choice because when that is selected, the lockoutTime 
|attribute is not an available option. 
|
|
|
|Rick Bowersox
|Rockwell Collins
|
|If you cannot convince them, confuse them.
|--
|Harry S Truman
|
|


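Richard's symptom and Ulf's fix above come down to how the ACE on the adminSDHolder object is scoped. SDProp copies adminSDHolder's security descriptor onto the protected accounts, so an ACE scoped to descendant User objects is inherit-only and grants nothing on the copied descriptor, while the same ACE applied to "This object" does. The Python below is an added example for this thread, not code from the list or from Microsoft: it parses an SDDL DACL string (for instance the Sddl property Get-Acl returns for an object on the AD: drive) and reports whether a trustee actually gets write access to a property on the object itself. The schemaIDGUIDs and the SID are constructed placeholders (look the real lockoutTime and user GUIDs up in your own schema), and rights and flags are assumed to be two-letter SDDL codes. Adding this ACE deliberately widens the protection adminSDHolder provides, so the HELPDESK group's membership then deserves the same scrutiny as the admin groups it can unlock.

```python
"""Is a property ACE on adminSDHolder effective on the protected accounts it is copied to?

Added example for this thread. GUIDs and the SID below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Placeholders, not real schema values: look up the schemaIDGUID of lockoutTime and of the
# user class in your own schema before using this against a real DACL.
LOCKOUT_TIME_GUID = "11111111-1111-1111-1111-111111111111"
USER_CLASS_GUID = "22222222-2222-2222-2222-222222222222"
HELPDESK_SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"   # constructed SID


@dataclass(frozen=True)
class Ace:
    ace_type: str                 # "A" = access allowed, "OA" = object-specific allow, ...
    flags: FrozenSet[str]         # e.g. {"CI", "IO"}; "IO" = inherit only
    rights: FrozenSet[str]        # e.g. {"RP", "WP"}; "WP" = write property
    object_type: str              # property or property-set GUID, or "" for all
    inherited_object_type: str    # class GUID the ACE is inherited by, or ""
    trustee: str                  # SID (or an SDDL alias such as "BA")


def _codes(token: str) -> FrozenSet[str]:
    """SDDL flag and right fields are runs of two-letter codes ('CIIO' -> {'CI', 'IO'}).
    Hex right masks (0x...) are not handled; that is an assumption of this example."""
    if len(token) % 2:
        raise ValueError(f"odd-length SDDL token: {token!r}")
    return frozenset(token[i:i + 2] for i in range(0, len(token), 2))


def parse_sddl_aces(dacl: str) -> List[Ace]:
    """Parse every '(type;flags;rights;object;inherited;trustee)' ACE in an SDDL DACL string."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, obj, inh_obj, trustee = parts
        aces.append(Ace(ace_type, _codes(flags), _codes(rights), obj.lower(), inh_obj.lower(), trustee))
    return aces


def grants_property_write(aces: List[Ace], trustee: str, property_guid: str) -> bool:
    """True if an allow ACE gives WP on property_guid to trustee on the object itself.

    SDProp copies the adminSDHolder descriptor verbatim onto protected accounts, so an
    inherit-only ACE (meant for descendant objects) stays inherit-only on the copy and
    grants nothing there. Deny ACEs are ignored to keep the check short.
    """
    for ace in aces:
        if ace.ace_type not in ("A", "OA") or ace.trustee != trustee or "WP" not in ace.rights:
            continue
        if ace.object_type and ace.object_type != property_guid.lower():
            continue   # WP on some other property
        if "IO" in ace.flags:
            continue   # descendants only: the "User objects" choice in the ACL editor
        return True
    return False


# The two ACL-editor choices from the thread expressed as SDDL (built from the placeholders).
USER_OBJECTS_SCOPE = f"D:(OA;CIIO;RPWP;{LOCKOUT_TIME_GUID};{USER_CLASS_GUID};{HELPDESK_SID})"
THIS_OBJECT_SCOPE = f"D:(OA;;RPWP;{LOCKOUT_TIME_GUID};;{HELPDESK_SID})"


def audit(dacl: str, trustee: str = HELPDESK_SID, property_guid: str = LOCKOUT_TIME_GUID) -> str:
    """Human-readable verdict for one DACL string."""
    return "effective" if grants_property_write(parse_sddl_aces(dacl), trustee, property_guid) else "not effective"


if __name__ == "__main__":
    print("User objects scope:", audit(USER_OBJECTS_SCOPE))   # not effective (Richard's symptom)
    print("This object scope: ", audit(THIS_OBJECT_SCOPE))    # effective (Ulf's fix)
```

The check only reads the descriptor; it is the kind of thing to run over adminSDHolder after a delegation change, before waiting an hour for SDProp to stamp the protected accounts.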

RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


I'm curious, how would you show activity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp?

Thanks,

Jef



 Subject: RE: [ActiveDir] automatic account disable
 Date: Wed, 19 Apr 2006 14:25:24 -0700
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 Still, there is nothing "automatic" natively in the OS to let him do this.
 Policy or no policy, he is looking at external intervention - third-party or
 a roll-your-own. Rolling his own may be burdensome because now he has to
 account for the number of ways an account can be active without necessarily
 logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.

 Sincerely,
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com - we know IT
 www.akomolafe.com http://www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Wed 4/19/2006 1:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] automatic account disable

 LOL. You're right, it is often advisable to disable first. I got caught up
 in the moment ;)

 Myke, there was a long conversation about such things a few months ago. You
 might want to search the archives to see what was said and see if you agree
 about what it says and suggests.

 An additional point to consider: start with policy as Neil suggests. If you
 have a policy that says to disable accounts and then delete later, or delete
 based on disuse, enforcement is pretty much an easy thing to do. Without the
 policy first, it can be a difficult train to ride.

 -ajm

 On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Would you not disable the account instead of locking it?

 A locked account may be unlocked in time (depends upon policy),
 whereas a disabled account needs admin intervention.

 my 2 penneth,
 neil

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
 Sent: 19 April 2006 15:52
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] automatic account disable

 It's possible. What's your criteria?

 DSQUERY, DSMOD are two tools that are touted as being able to do this
 pretty easily. Joeware tools are better (http://www.joeware.net/) for this
 task IMHO. Scripts, etc can also be used successfully.

 Al

 On 4/19/06, Myke [EMAIL PROTECTED] wrote:

 hi guys,

 is it possible to make an automatic lockout on user accounts by
 inactivity, or do I need a third party tool?

 thanks

 Myke


RE: [ActiveDir] ExtraColumns attribute

2006-04-19 Thread David Cliffe



Whoops...I should have clarified two items - sorry.

1 - What surprised me was that these three new "extras" don't even show up
in the "available columns" dialog to select them!
2 - I haven't tested a "Saved Query" view yet. I figured that since this was
default I would just pick any OU or container with computer objects in it to
start off with. I've tried a few different ones with no luck seeing those
columns as available options to add.

Strange. Thanks for your replies.
-DaveC

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Wednesday, April 19, 2006 5:28 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  OK, so the 1st trailing 0 says "don't show by default" ... which I assume is what
  you want on the default displaySpecifier. You may also find it useful to
  know that when these columns do appear, they have a habit of initially being 0
  pixels wide so you have to go dragging column widths around to find them
  (they default to the far right column I believe so start there). In
  addition, since you've used the trailing 0 mentioned above, all you've done is
  added these attributes to the list of those available in the Add/Remove
  columns dialog.
  
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ExtraColumns attribute

Hm...that's exactly what I was planning to do, and did do about 2 hours ago,
but am a little surprised to find it hasn't worked (waited for repl). Here
you can see my edits [ "joeware automatic update service" hasn't kicked in
on my machine yet : - ) ]

I'm not sure how many pixels these things need to be displayed, so I just
picked a number...hopefully that's not holding this up? As an additional
test I modified the value in blue, just to see if it would display
differently, but that didn't take effect either. I must be missing something.

[note - if reading in plain text, it's the 
first 4 values of extraColumns below which contain my 
edits]

Thanks again...DC


$ adfind -b "CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com" extracolumns

AdFind V01.27.00cpp Joe Richards ([EMAIL PROTECTED]) November 2005

Using server: dc.rootdomain.com:389
Directory: Windows Server 2003

dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
extraColumns: company,Compenny,0,150,0
extraColumns: operatingSystemVersion,O/S Version,0,100,0
extraColumns: operatingSystemServicePack,Service Pack,0,100,0
extraColumns: operatingSystem,Operating System,0,100,0
extraColumns: postalCode,Zip Code,0,100,0
extraColumns: textEncodedORAddress,X.400 E-Mail Address,0,130,0
extraColumns: userPrincipalName,User Logon Name,0,200,0
extraColumns: title,Job Title,0,100,0
extraColumns: targetAddress,Target Address,0,100,0
extraColumns: st,State,0,100,0
extraColumns: physicalDeliveryOfficeName,Office,0,100,0
extraColumns: whenChanged,Modified,0,130,0
extraColumns: sn,Last Name,0,100,0
extraColumns: msExchIMMetaPhysicalURL,Instant Messaging URL,0,140,0
extraColumns: msExchIMPhysicalURL,Instant Messaging Home Server,0,170,0
extraColumns: givenName,First Name,0,100,0
extraColumns: homeMDB,Exchange Mailbox Store,0,100,0
extraColumns: mailNickname,Exchange Alias,0,175,0
extraColumns: mail,E-Mail Address,0,100,0
extraColumns: sAMAccountName,Pre-Windows 2000 Logon Name,0,120,0
extraColumns: displayName,Display Name,0,100,0
extraColumns: department,Department,0,150,0
extraColumns: c,Country,0,-1,0
extraColumns: l,City,0,150,0
extraColumns: telephoneNumber,Business Phone,0,100,0

1 Objects returned



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Wednesday, April 19, 2006 1:42 PM
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] ExtraColumns attribute
  
  Try editing the extraColumns attribute on the default-Display object,
  adding the property of your choosing as follows-
  
  LDAP name,display name,default visibility,pixel width,0 - IIRC,
  this is reserved and must be 0 for now.
  
  ... highlighting the Saved Query in question and selecting
  View--Add/Remove columns--Add the desired attribute.
  
  Does this achieve your goal?
  --
  Dean Wells
  MSEtechnology
  * Email: dwells@msetechnology.com
  http://msetechnology.com
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf 

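Dean's format line (LDAP name,display name,default visibility,pixel width,0) together with the adfind dump quoted in this thread is enough to write a small validator for the attribute. The Python below is an added example, not code from the list, from AdFind/joeware or from Microsoft: it parses extraColumns values out of an adfind-style dump, rejects values that break the five-field layout or set the reserved field to anything but 0, and composes a new value. The sample dump is a subset of David's output above, constructed into a string here; the link between a non-positive width (the -1 on c,Country) and the 0-pixel-wide columns Dean describes is an inference of this example, not something the thread states.

```python
"""Validate and build extraColumns values for an AD displaySpecifier.

Added example for this thread; not code from the list, from AdFind or from Microsoft.
Field layout as given in the thread: LDAP name,display name,default visibility,pixel width,0
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ExtraColumn:
    ldap_name: str
    display_name: str
    visible_by_default: bool   # the "1st trailing 0" in the thread: 0 = hidden until added
    width_px: int
    reserved: int              # must be 0


class ExtraColumnError(ValueError):
    """A value that does not follow the five-field extraColumns layout."""


def parse_extra_column(value: str) -> ExtraColumn:
    """Split one attribute value into its five fields and check each one.

    The format has no quoting, so a display name cannot contain a comma; an exact
    field count is the only way to catch that.
    """
    fields = value.split(",")
    if len(fields) != 5:
        raise ExtraColumnError(f"expected 5 fields, got {len(fields)}: {value!r}")
    ldap_name, display_name, visibility, width, reserved = (f.strip() for f in fields)
    if not ldap_name:
        raise ExtraColumnError(f"empty LDAP name: {value!r}")
    if visibility not in ("0", "1"):
        raise ExtraColumnError(f"default visibility must be 0 or 1: {value!r}")
    try:
        width_px, reserved_int = int(width), int(reserved)
    except ValueError:
        raise ExtraColumnError(f"non-numeric width or reserved field: {value!r}") from None
    if reserved_int != 0:
        raise ExtraColumnError(f"reserved field must be 0: {value!r}")
    return ExtraColumn(ldap_name, display_name, visibility == "1", width_px, reserved_int)


def is_valid(value: str) -> bool:
    """Convenience wrapper: True when parse_extra_column accepts the value."""
    try:
        parse_extra_column(value)
    except ExtraColumnError:
        return False
    return True


def parse_adfind_dump(text: str) -> List[ExtraColumn]:
    """Collect every 'extraColumns: value' line from an adfind-style attribute dump."""
    columns = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("extracolumns:"):
            columns.append(parse_extra_column(line.split(":", 1)[1]))
    return columns


def build_extra_column(ldap_name: str, display_name: str, visible_by_default: bool, width_px: int) -> str:
    """Compose a value ready to be added to extraColumns."""
    if "," in ldap_name or "," in display_name:
        raise ExtraColumnError("commas would break the five-field layout")
    if width_px <= 0:
        raise ExtraColumnError("give the column a positive width so it is visible once added")
    return f"{ldap_name},{display_name},{1 if visible_by_default else 0},{width_px},0"


def columns_without_width(columns: List[ExtraColumn]) -> List[str]:
    """LDAP names whose width is not positive: candidates for the 0-pixel columns in the thread."""
    return [c.ldap_name for c in columns if c.width_px <= 0]


# Constructed input: a subset of the values from the adfind output quoted in this thread.
SAMPLE_DUMP = """\
dn:CN=default-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=rootdomain,DC=com
extraColumns: company,Compenny,0,150,0
extraColumns: operatingSystemVersion,O/S Version,0,100,0
extraColumns: operatingSystemServicePack,Service Pack,0,100,0
extraColumns: operatingSystem,Operating System,0,100,0
extraColumns: c,Country,0,-1,0
extraColumns: telephoneNumber,Business Phone,0,100,0
"""


if __name__ == "__main__":
    cols = parse_adfind_dump(SAMPLE_DUMP)
    print(f"{len(cols)} columns parsed; without a usable width: {columns_without_width(cols)}")
    print("new value:", build_extra_column("whenCreated", "Created", False, 130))
```

Running the validator over the dump before writing to the directory catches the two mistakes the thread shows are easy to make: a display name with a comma in it, and a width that leaves the column invisible once it is added.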
RE: [ActiveDir] automatic account disable

2006-04-19 Thread deji
None. This is where the policy/process element comes in. You know which of
your accounts are Service accounts and which of your users are on vacation.
You do a periodic query of your lastlogon/timestamp, you filter out your
service accounts and your vacationing users from the list, send emails to
the rest and wait for a response. If no response, you move them to a common
staging area, and process them per your policy (change their passwords,
disable them, lock them out, etc.)
 
It's a process thing. I want to assume that there is a product out there with
this logic built-in. That product is simply not the OS - yet.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Jef Kazimer
Sent: Wed 4/19/2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] automatic account disable



I'm curious, how would you show activity other than the last time the user
authenticated?   Since disabling the account would only affect the ability to
authenticate (not including any external logic or process built on account
status), I'm curious what other ways you would show account inactivity if not
by lastlogon or lastlogontimestamp?

 

Thanks,

 

Jef





 Subject: RE: [ActiveDir] automatic account disable
 Date: Wed, 19 Apr 2006 14:25:24 -0700
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 
 Still, there is nothing automatic natively in the OS to let him do this.
 Policy or no policy, he is looking at external intervention - third-party or
 a roll-your-own. Rolling his own may be burdensome because now he has to
 account for the number of ways an account can be active without necessarily
 logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.
  
 
 Sincerely, 
_
   (, /  |  /)   /) /)   
 /---| (/_  __   ___// _   //  _ 
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)  
(/   
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com 
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday? -anon
  
 
 
 
 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Wed 4/19/2006 1:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] automatic account disable
 
 
 LOL.  You're right, it is often advisable to disable first.  I got caught up
 in the moment ;)
  
 Myke, there was a long conversation about such things a few months ago. You
 might want to search the archives to see what was said and see if you agree
 about what it says and suggests. 
  
 An additional point to consider: start with policy as Neil suggests.  If you
 have a policy that says to disable accounts and then delete later, or delete
 based on disuse, enforcement is pretty much an easy thing to do. Without the
 policy first, it can be a difficult train to ride. 
  
  
  
 -ajm
 
  
 On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED]  wrote: 
 
 Would you not disable the account instead of locking it?
  
 A locked account may be unlocked in time (depends upon policy),
 whereas a disabled account needs admin intervention.
  
 my 2 penneth,
 neil
 
 
 
 From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] ] On Behalf Of Al Mulnick
 Sent: 19 April 2006 15:52
 
 To: ActiveDir@mail.activedir.org
 
 Subject: Re: [ActiveDir] automatic account disable
 
  
 
 It's possible.  What's your criteria? 
  
 DSQUERY, DSMOD are two tools that are touted as being able to do this
 pretty easily.  Joeware tools are better ( http://www.joeware.net
 http://www.joeware.net/  ) for this task IMHO. Scripts, etc can also be
 used successfully. 
  
 Al
 
  
 On 4/19/06, Myke  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
 wrote: 
 
 
 hi guys,
 
 is it possible to make an automatic lockout on user accounts by
 inactivity, or do I need a third party tool? 
 
 thanks
 
 Myke

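deji's process above (periodic lastLogonTimestamp query, exclude service and vacationing accounts, email the rest, then stage and apply policy to those who do not respond) is straightforward to turn into code. The Python below is an added example modelled on that process, not code from the list: the accounts are constructed records rather than a live directory query, the exclusion sets stand for the out-of-band knowledge deji describes, and the notified_on field is assumed to be tracked outside AD. Two details behind the thread's warning that lastLogon/lastLogonTimestamp alone is insufficient are built in: lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC; 0 or absent means the account never logged on), and it is only rewritten, and therefore replicated, when the stored value is more than 9-14 days old, so the inactivity window gets that much slack added before anyone is emailed.

```python
"""Inactive-account triage from lastLogonTimestamp, following the process in this thread.

Added example; the account records below are constructed, no directory is queried.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is rewritten (and therefore replicated) only when the stored value is
# more than 9-14 days old, so any DC may lag the real last logon by that much.
REPLICATION_SLACK = timedelta(days=14)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to aware datetime; 0 means never logged on."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion using integer arithmetic only, so large values stay exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    last_logon_timestamp: int        # raw lastLogonTimestamp value
    when_created: datetime           # fallback reference when the account never logged on
    notified_on: Optional[datetime]  # when the owner was emailed; tracked outside AD (assumption)


def last_activity(acct: Account) -> datetime:
    """Best available activity reference: last logon, else creation time."""
    return filetime_to_datetime(acct.last_logon_timestamp) or acct.when_created


def triage(accounts: Iterable[Account], now: datetime, inactive_after: timedelta,
           grace: timedelta, service_accounts: Set[str], on_vacation: Set[str]) -> Dict[str, List[str]]:
    """Sort accounts into buckets:
    skip     - service or vacationing accounts, known from policy, not from the directory
    active   - seen within the window plus replication slack
    notify   - inactive and the owner has not been emailed yet
    awaiting - emailed, grace period still running
    stage    - no response within the grace period: move to the staging OU and apply policy
    """
    buckets: Dict[str, List[str]] = {"skip": [], "active": [], "notify": [], "awaiting": [], "stage": []}
    threshold = inactive_after + REPLICATION_SLACK
    for acct in accounts:
        name = acct.sam_account_name
        if name in service_accounts or name in on_vacation:
            buckets["skip"].append(name)
        elif now - last_activity(acct) < threshold:
            buckets["active"].append(name)
        elif acct.notified_on is None:
            buckets["notify"].append(name)
        elif now - acct.notified_on >= grace:
            buckets["stage"].append(name)
        else:
            buckets["awaiting"].append(name)
    return buckets


def run_sample() -> Dict[str, List[str]]:
    """Constructed sample set, evaluated on the day of this thread with a 90-day window."""
    utc = timezone.utc

    def ft(y: int, m: int, d: int) -> int:
        return datetime_to_filetime(datetime(y, m, d, tzinfo=utc))

    created = datetime(2003, 1, 1, tzinfo=utc)
    accounts = [
        Account("jdoe", ft(2006, 4, 10), created, None),                                 # recent logon
        Account("svc_backup", ft(2005, 6, 1), created, None),                            # service account
        Account("asmith", ft(2005, 12, 1), created, None),                               # inactive, not yet emailed
        Account("bjones", ft(2005, 11, 1), created, datetime(2006, 3, 20, tzinfo=utc)),  # emailed 30 days ago
        Account("cnew", 0, datetime(2006, 4, 1, tzinfo=utc), None),                      # new, never logged on
        Account("dold", 0, datetime(2005, 1, 1, tzinfo=utc), None),                      # old, never logged on
        Account("evac", ft(2005, 10, 1), created, None),                                 # on vacation
        Account("fwait", ft(2005, 10, 1), created, datetime(2006, 4, 10, tzinfo=utc)),   # emailed 9 days ago
    ]
    return triage(accounts, datetime(2006, 4, 19, tzinfo=utc), timedelta(days=90),
                  timedelta(days=14), {"svc_backup"}, {"evac"})


if __name__ == "__main__":
    for bucket, names in run_sample().items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```

Only the stage bucket ever leads to a change in the directory, and even that is a move plus whatever the policy prescribes, so the script stays a reporting tool and the decision stays with the process, which is the point deji makes.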
RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


Ahhh...I thought you were alluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)

Yes, I agree, process and policy need to govern activity, not just what the directory reports. :)

Thanks,

Jef



 Subject: RE: [ActiveDir] automatic account disable
 Date: Wed, 19 Apr 2006 14:56:20 -0700
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 None. This is where the policy/process element comes in. You know which of
 your accounts are "Service accounts" and which of your users are on vacation.
 You do a periodic query of your lastlogon/timestamp, you filter out your
 "service accounts" and your vacationing users from the list, send emails to
 the rest and wait for a response. If no response, you move them to a common
 staging area, and process them per your policy (change their passwords,
 disable them, lock them out, etc.)

 It's a process thing. I want to assume that there is a product out there with
 this logic built-in. That product is simply not the OS - yet.

 Sincerely,
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com - we know IT
 www.akomolafe.com http://www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 From: [EMAIL PROTECTED] on behalf of Jef Kazimer
 Sent: Wed 4/19/2006 2:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] automatic account disable

 I'm curious, how would you show activity other than the last time the user
 authenticated? Since disabling the account would only affect the ability to
 authenticate (not including any external logic or process built on account
 status), I'm curious what other ways you would show account inactivity if not
 by lastlogon or lastlogontimestamp?

 Thanks,

 Jef

 Subject: RE: [ActiveDir] automatic account disable
 Date: Wed, 19 Apr 2006 14:25:24 -0700
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 Still, there is nothing "automatic" natively in the OS to let him do this.
 Policy or no policy, he is looking at external intervention - third-party or
 a roll-your-own. Rolling his own may be burdensome because now he has to
 account for the number of ways an account can be active without necessarily
 logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.

 Sincerely,
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com - we know IT
 www.akomolafe.com http://www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Wed 4/19/2006 1:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] automatic account disable

 LOL. You're right, it is often advisable to disable first. I got caught up
 in the moment ;)

 Myke, there was a long conversation about such things a few months ago. You
 might want to search the archives to see what was said and see if you agree
 about what it says and suggests.

 An additional point to consider: start with policy as Neil suggests. If you
 have a policy that says to disable accounts and then delete later, or delete
 based on disuse, enforcement is pretty much an easy thing to do. Without the
 policy first, it can be a difficult train to ride.

 -ajm

 On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Would you not disable the account instead of locking it?

 A locked account may be unlocked in time (depends upon policy),
 whereas a disabled account needs admin intervention.

 my 2 penneth,
 neil

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
 Sent: 19 April 2006 15:52
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] automatic account disable

 It's possible. What's your criteria?

 DSQUERY, DSMOD are two tools that are touted as being able to do this
 pretty easily. Joeware tools are better (http://www.joeware.net/) for this
 task IMHO. Scripts, etc can also be used successfully.

 Al

 On 4/19/06, Myke [EMAIL PROTECTED] wrote:

 hi guys,

 is it possible to make an automatic lockout on user accounts by
 inactivity, or do I need a third party tool?

 thanks

 Myke

Re: [ActiveDir] Schema upgrades with Windows 2003 R2

2006-04-19 Thread Tomasz Onyszko

Peter Johnson wrote:

Hi all

I was wondering if anyone had any pointers for the following schema 
upgrade scenario:

I have a single domain, single site forest with 2 DCs. Both DCs are 
currently running Windows 2003 RTM code without Service Pack 1 but fully 
patched otherwise. I've got two new IBM servers that I wish to promote 
to DCs to replace the current DCs. These machines are running Windows 
2003 R2 X64 Standard Edition.

If I want to DCPROMO these machines I will need to perform the schema 
update for 2003 R2, correct? If so can I simply insert the R2 32 bit CD 
into my current Schema master and do the schema updates? I'm assuming 
that there's no difference between the 64bit and 32 bit schema extensions?


There are no differences between the 64 and 32 bit versions of ADPREP, so you 
can use either version. As an alternative you may consider this 
solution:

http://blogs.dirteam.com/blogs/tomek/archive/2006/04/17/787.aspx

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano
I can connect and bind successfully to the ex5.5 machine from the new ws2k3
machine using the domain admin account and the service account and via both
ports: 389 and 38900.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems

I missed the part about the ADC then. :)

Try the event log - what do you see at startup of the machine? If you
connect to tcp 389 of that machine, what answers? (try LDP and just connect -
you should see what you're looking for there.) Until you can connect to
the Exchange directory via LDAP, you're not going anywhere. Basically, be sure
to check that the LDAP component is operational and work from there.

Al

On 4/19/06, Dan DeStefano [EMAIL PROTECTED] wrote:

The ADC is set to use port 38900 and the LDAP protocol at the
Ex5.5 site level is set to use 38900, but at the server level it is set to use
389 (when I change this, mail stops flowing). Regardless, when I try connecting
in ADC tools to the Ex5.5 box it fails on either port.

I am trying to build a new Ex2k3 server in the domain, but it
will not join the organization because the ADC tools have not been run, or at
least that is the error message I am getting.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

The Exchange 5.5 directory should be listening on another port since it is
running on a DC that is already listening on 389 for AD LDAP operations.

If possible it would probably be a lot safer and easier to build a new Exchange
2003 server and just migrate to the new machine...if possible.

Ion

From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

We are planning a complete domain migration and restructuring,
but that takes a while and the client has not signed off yet, but they want
ex2k3 features quickly. So we determined the fastest way to implement ex2k3
would be to do an in-place upgrade of their server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native
environment?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3
member server using ldp on both ports 389 and 38900. I can also bind using the
enterprise/domain admin account and the ex service account.

I am not trying to do a direct upgrade from 5.5 to 2k3, rather
I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3.
I am receiving the database inconsistent errors when trying to do the ex2k
upgrade.

Note: I am not sure if it matters, but in ex5.5
administrator, the ldap protocol for the site is set to 38900, but for the
server it is set to 389. I tried changing it in the server to 38900, but that
stopped mail from flowing.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap
bind to the exchange box on port 38900 using the ldp tool (or similar) from
the support tools?

You can't do an in-place upgrade from 5.5 to 2003 which is what it sounds like
you're doing when you get the consistency error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This
domain was a mess and it took a lot of doing just to resolve all the errors in
the event logs, but now they are just about all resolved and the DC/Ex5.5
server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only
DC) to Ex2k3, but I am running into problems. I have successfully run
Forestprep and Domainprep. However,

Re: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Al Mulnick
Which directory answers though? They don't both answer on both ports do they? 
On 4/19/06, Dan DeStefano [EMAIL PROTECTED] wrote:

I can connect and bind successfully to the ex5.5 machine from the new ws2k3 machine using the domain admin account and the service account and via both ports: 389 and 38900.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems

I missed the part about the ADC then. :)

Try the event log - what do you see at startup of the machine? If you connect to tcp 389 of that machine, what answers? (try LDP and just connect - you should see what you're looking for there.) Until you can connect to the Exchange directory via LDAP, you're not going anywhere. Basically, be sure to check that the LDAP component is operational and work from there.

Al

On 4/19/06, Dan DeStefano [EMAIL PROTECTED] wrote:

The ADC is set to use port 38900 and the LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server level it is set to use 389 (when I change this, mail stops flowing). Regardless, when I try connecting in ADC tools to the Ex5.5 box it fails on either port.

I am trying to build a new Ex2k3 server in the domain, but it will not join the organization because the ADC tools have not been run, or at least that is the error message I am getting.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

The Exchange 5.5 directory should be listening on another port since it is running on a DC that is already listening on 389 for AD LDAP operations.

If possible it would probably be a lot safer and easier to build a new Exchange 2003 server and just migrate to the new machine...if possible.

Ion

From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

We are planning a complete domain migration and restructuring, but that takes a while and the client has not signed off yet, but they want ex2k3 features quickly. So we determined the fastest way to implement ex2k3 would be to do an in-place upgrade of their server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Yes, I can connect to the dc/ex5.5 box from the new ex2k3 member server using ldp on both ports 389 and 38900. I can also bind using the enterprise/domain admin account and the ex service account.

I am not trying to do a direct upgrade from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors when trying to do the ex2k upgrade.

Note: I am not sure if it matters, but in ex5.5 administrator, the ldap protocol for the site is set to 38900, but for the server it is set to 389. I tried changing it in the server to 38900, but that stopped mail from flowing.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's start simple. Can you do an ldap bind to the exchange box on port 38900 using the ldp tool (or similar) from the support tools?

You can't do an inplace upgrade from 5.5 to 2003 which is what it sounds like you're doing when you get the consistency error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve all the errors in the event logs, but now they are just about all resolved and the DC/Ex5.5 server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only DC) to Ex2k3, but I am running into problems. I have successfully run Forestprep and Domainprep. However, when I attempt to run the 

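Al's question above (which directory answers on 389 and which on 38900) can be settled with an anonymous rootDSE read, which is what ldp shows on Connect. The script below is an added example for this thread, not code from the list, from ldp or from Microsoft. It hand-encodes the single LDAPv3 operation it needs, so it runs with the standard library only; `dc1.example.local` is a placeholder for the DC/Exchange 5.5 box. Every AD DC advertises the capability OID 1.2.840.113556.1.4.800 in rootDSE supportedCapabilities, so a listener on the same host that does not advertise it is not AD, which on this machine points at the Exchange 5.5 directory.

```python
"""Anonymous rootDSE probe: which directory answers on a given TCP port?
Added example for the thread above, not code from the list or from Microsoft;
standard library only, host names are placeholders."""
import socket

AD_CAP_OID = "1.2.840.113556.1.4.800"   # LDAP_CAP_ACTIVE_DIRECTORY_OID, advertised by every AD DC
SEQ, SET, INT, OCTET, ENUM, BOOL = 0x30, 0x31, 0x02, 0x04, 0x0A, 0x01   # universal BER tags
SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x63, 0x64, 0x65            # LDAP [APPLICATION n]
FILTER_PRESENT = 0x87                                                    # [7] present filter, (attr=*)

def ber_int(n):
    """Minimal two's-complement INTEGER contents."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)

def tlv(tag, body):
    """One BER TLV, short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_rootdse_search(msg_id=1, attrs=("supportedCapabilities", "defaultNamingContext", "dnsHostName")):
    """LDAPMessage{ messageID, SearchRequest base="" scope=base (objectClass=*) attrs }."""
    body = (tlv(OCTET, b"")                 # baseObject "" is the rootDSE
            + tlv(ENUM, b"\x00")            # scope baseObject
            + tlv(ENUM, b"\x00")            # derefAliases never
            + tlv(INT, ber_int(0))          # sizeLimit
            + tlv(INT, ber_int(0))          # timeLimit
            + tlv(BOOL, b"\x00")            # typesOnly FALSE
            + tlv(FILTER_PRESENT, b"objectClass")
            + tlv(SEQ, b"".join(tlv(OCTET, a.encode()) for a in attrs)))
    return tlv(SEQ, tlv(INT, ber_int(msg_id)) + tlv(SEARCH_REQUEST, body))

def read_tlv(buf, pos=0):
    """(tag, contents, next_pos) for the TLV at pos; IndexError if the header is cut short."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def frame_len(buf):
    """Length of the first complete TLV in buf, or None if more bytes are needed."""
    try:
        _, _, end = read_tlv(buf)
    except IndexError:
        return None
    return end if end <= len(buf) else None

def parse_search_result_entry(msg):
    """{attr: [values]} for a SearchResultEntry; None for any other operation (e.g. SearchResultDone)."""
    _, body, _ = read_tlv(msg)
    (_, _msg_id), (op_tag, op_body) = children(body)[:2]
    if op_tag != SEARCH_ENTRY:
        return None
    (_, _dn), (_, attr_list) = children(op_body)
    attrs = {}
    for _, partial in children(attr_list):
        (_, atype), (_, vals) = children(partial)
        attrs[atype.decode()] = [v.decode(errors="replace") for _, v in children(vals)]
    return attrs

def classify(attrs):
    """Name the directory from what its rootDSE advertises."""
    if AD_CAP_OID in attrs.get("supportedCapabilities", []):
        return "Active Directory"
    return "LDAP server without the AD capability OID"

def probe(host, port, timeout=5.0):
    """Send the rootDSE search to host:port and return the parsed entry (None if none came back)."""
    buf, entry = b"", None
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_rootdse_search())
        while chunk := s.recv(65536):
            buf += chunk
            while (n := frame_len(buf)) is not None:
                msg, buf = buf[:n], buf[n:]
                parsed = parse_search_result_entry(msg)
                if parsed is None:          # SearchResultDone: the server is finished
                    return entry
                entry = parsed
    return entry

if __name__ == "__main__":
    for port in (389, 38900):   # the two ports named in the thread; the host is a placeholder
        try:
            e = probe("dc1.example.local", port)
            print(port, classify(e) if e else "no entry returned", (e or {}).get("dnsHostName"))
        except OSError as exc:
            print(port, "connect failed:", exc)
```

Run it against the DC/Exchange host before touching the ADC or Setup again: if both ports come back as Active Directory, the Exchange 5.5 directory is not listening where the site-level protocol setting says it is, and no amount of credential fiddling will fix the ADC connection.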
Re: [ActiveDir] automatic account disable

2006-04-19 Thread Al Mulnick
Email? Hmm...

I'm going to assume that's a generality, right? :)

On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

None. This is where the policy/process element comes in. You know which of your accounts are Service accounts and which of your users are on vacation. You do a periodic query of your lastlogon/timestamp, you filter out your services accounts and your vacationing users from the list, send emails to the rest and wait for a response. If no response, you move them to a common staging area, and process them per your policy (change their passwords, disable them, lock them out, etc). It's a process thing. I want to assume that there is a product out there with this logic built-in. That product is simply not the OS - yet.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jef Kazimer
Sent: Wed 4/19/2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] automatic account disable

I'm curious, how would you show activity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp?

Thanks,
Jef

Subject: RE: [ActiveDir] automatic account disable
Date: Wed, 19 Apr 2006 14:25:24 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Still, there is nothing automatic natively in the OS to let him do this. Policy or no policy, he is looking at external intervention - third-party or a roll-your-own. Rolling his own may be burdensome because now he has to account for the number of ways an account can be active without necessarily logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 4/19/2006 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable

LOL. You're right, it is often advisable to disable first. I got caught up in the moment ;)

Myke, there was a long conversation about such things a few months ago. You might want to search the archives to see what was said and see if you agree about what it says and suggests.

An additional point to consider: start with policy as Neil suggests. If you have a policy that says to disable accounts and then delete later, or delete based on disuse, enforcement is pretty much an easy thing to do. Without the policy first, it can be a difficult train to ride.

-ajm

On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Would you not disable the account instead of locking it? A locked account may be unlocked in time (depends upon policy), whereas a disabled account needs admin intervention.

my 2 penneth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable

It's possible. What's your criteria? DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net/) for this task IMHO. Scripts, etc can also be used successfully.

Al

On 4/19/06, Myke [EMAIL PROTECTED] wrote:

hi guys, it's possible to make an automatic lockout in user accounts by inactivity, or I need a third party tool?

thanks
Myke

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it.

RE: [ActiveDir] stupid ldap queries

2006-04-19 Thread Marcus.Oh

It's only been that one. Okay, maybe one other that was indexed, but that was because a very large network/voip vendor that required a schema extension subsequently used one of these attributes in all of their queries. In a large implementation (which they clearly had never seen) the query would take a year to complete. Of course, in their lab with 5 objects, it completed in milliseconds.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 19, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? :)

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

Exactly, you can tell your AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle but this is a nice quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.

 joe

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It's the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef

Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I did the same after I saw some of the activedir folks post about doing it :)

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think isIndexed) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

sorry that was meant to be adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Thanks for the reply. In that case why does

adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

returning objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this
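The three points made in this thread (joe's advice to measure queries before shipping them, Brian's point that isMemberOfPartialAttributeSet is GC membership and says nothing about indexing, and the objectClass versus objectCategory difference) in one small tool. This is an added example, not adfind/joeware code and not from Microsoft or any list member. Indexing is controlled by the attributeSchema object's searchFlags attribute (bit 0x1, fATTINDEX), so the script decodes searchFlags, parses a filter and gives a conservative verdict on whether a DC can serve it from an index. The `SCHEMA` table is a constructed snapshot mirroring the 2000/2003-era defaults discussed (objectClass in the GC but unindexed); it is not read from a live forest, and the index rules are a simplification of what the query optimizer actually does.

```python
"""Does this LDAP filter get an index? A lint for the questions in this thread.
Added example, not adfind/joeware code and not from any list member. SCHEMA is a
constructed snapshot of a 2000/2003-era schema (objectClass in the GC, not indexed)."""

# searchFlags bits on an attributeSchema object (MS-ADTS 2.2.9)
SEARCH_FLAGS = {
    0x0001: "fATTINDEX", 0x0002: "fPDNTATTINDEX", 0x0004: "fANR",
    0x0008: "fPRESERVEONDELETE", 0x0010: "fCOPY", 0x0020: "fTUPLEINDEX",
    0x0040: "fSUBTREEATTINDEX", 0x0080: "fCONFIDENTIAL", 0x0100: "fNEVERVALUEAUDIT",
    0x0200: "fRODCFilteredAttribute", 0x0400: "fEXTENDEDLINKTRACKING",
    0x0800: "fBASEONLY", 0x1000: "fPARTITIONSECRET",
}
ATT_INDEX, TUPLE_INDEX = 0x0001, 0x0020

# Constructed: ldapDisplayName -> (searchFlags, isMemberOfPartialAttributeSet)
SCHEMA = {
    "objectclass": (0, True), "objectcategory": (1, True), "cn": (1, True),
    "samaccountname": (1, True), "mail": (1, True), "description": (0, True),
    "telephonenumber": (0, True), "info": (0, False),
}

def decode_search_flags(value):
    """Names of the bits set in a searchFlags value."""
    return [name for bit, name in SEARCH_FLAGS.items() if value & bit]

def parse_filter(text):
    """RFC 4515 filter -> ('&'|'|', kids) | ('!', [kid]) | ('=', attr, value)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _close(s, i)
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    attr = attr.split(":")[0].rstrip("<>~")   # drop >=, <=, ~= and :rule: decorations
    return ("=", attr, value), j + 1

def _close(s, i):
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def _leaves(node):
    if node[0] == "=":
        yield node[1], node[2]
    else:
        for kid in node[1]:
            yield from _leaves(kid)

def uses_index(node, schema=SCHEMA):
    """Conservative: AND needs one indexed term, OR needs every branch indexed, NOT never
    uses one, and a leading-wildcard substring needs the tuple index."""
    kind = node[0]
    if kind == "&":
        return any(uses_index(k, schema) for k in node[1])
    if kind == "|":
        return all(uses_index(k, schema) for k in node[1])
    if kind == "!":
        return False
    _, attr, value = node
    flags, _ = schema.get(attr.lower(), (0, False))
    if value.startswith("*") and value != "*":
        return bool(flags & TUPLE_INDEX)
    return bool(flags & ATT_INDEX)

def lint(text, schema=SCHEMA):
    """Warnings a query author should see before the filter goes anywhere near production."""
    node = parse_filter(text)
    if uses_index(node, schema):
        return []
    warnings = ["no usable index: the DC walks every object in scope"]
    for attr, value in _leaves(node):
        flags, in_gc = schema.get(attr.lower(), (0, False))
        if value.startswith("*") and value != "*" and not flags & TUPLE_INDEX:
            warnings.append(f"leading wildcard on {attr} needs a tuple index (fTUPLEINDEX)")
        elif attr.lower() == "objectclass" and not flags & ATT_INDEX:
            warnings.append("objectClass is unindexed here: add an objectCategory term or index it")
        elif in_gc and not flags & ATT_INDEX:
            warnings.append(f"{attr} is in the GC (isMemberOfPartialAttributeSet) but that is not an index")
    return warnings

if __name__ == "__main__":
    for f in ("(objectClass=user)", "(&(objectCategory=person)(objectClass=user))",
              "(|(cn=a*)(description=b))", "(cn=*smith)"):
        print(f, "->", lint(f) or ["ok"])
```

Load `SCHEMA` from your own schema partition (ldapDisplayName, searchFlags, isMemberOfPartialAttributeSet on each attributeSchema object) and the verdicts follow your forest rather than the sample. The real arbiter is still adfind -stats or the ldp statistics control, which report the index the DC actually chose and how many entries it visited; the lint only tells you which queries are worth putting in front of those tools first.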