RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
Why don't you ask on the Exchange2000 or Exchange2003 Yahoo group?

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile



I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHz Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it to be 
static and 1.5x physical RAM. I also create a pagefile on each disk and let 
Windows choose the best one (which will be the second logical drive). I do not 
want to disable the pagefile on C: because, from what I understand, this will 
disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com  
Office: 727 546-9143
FAX: 727 541-5888


Re: [ActiveDir] TScmd help

2006-05-04 Thread A P
Thanks for the correction Joe.  Userparameters would be the attribute and the properties can be pulled using the sample code.  Of course, this works better if you have a small list or subset of target user IDs (which is how I used the sample code listed in the earlier post).  Inspecting the values for every user in the domain is another matter altogether.

 
Arden
 
On 5/4/06, joe <[EMAIL PROTECTED]> wrote:


And understanding completely that those aren't actually attributes, they are properties that are being exposed through a special Terminal Server COM interface that is in a special DLL. Why is that important or different? Try to pull those attribs with a search instead of an enumeration? There are other things too but that is a great one right up front that will put hair on your chest and see what the real world is like. :)


 

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of A P
Sent: Wednesday, May 03, 2006 11:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TScmd help


I have some code that sets TS parameters for users.  What you need to do is bind to the user object and check the TerminalServicesHomeDirectory attribute and TerminalServicesHomeDrive if needed.
 
Here is a piece of sample code to set the values.  It should be easy enough to check the value and set it to something else, if needed.
 
  ' Bind to the user object, set the TS properties, then commit the change
  Set objUser = GetObject("LDAP://" & userDN)
  objUser.TerminalServicesHomeDirectory = strHomeDir
  objUser.TerminalServicesHomeDrive = strHomeDrive
  objUser.SetInfo

Of course, if you do not have a list of target users, you will need to loop through the above code to check and modify the settings if necessary.

 
Here is a URL that may help as well.
 

http://www.msterminalservices.org/articles/Scripting-Server-Based-Computing-Terminal-Services-Attributes-Active-Directory-User-Objects.html 
 
 
Hope this helps.
 
Arden 
On 5/3/06, Jef Kazimer <[EMAIL PROTECTED]> wrote:
 


My first travesty with said blos, was when an admin could not reset a user's password via the MMC.   After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field.   As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.
 
The solution?   Just clear the userParameters attribute for all affected users if I remember.
 
I think there is a KB article on it now.


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 19:05:10 -0400

Joe? joe? me?
 
The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, for now on we will call what the TS attributes are stored in a Blos. So this Blos is kept in the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. 

 
Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. 

 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 5:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

Mike,
 
Scratch that.   It is not the string I was thinking about.
 
I'm sure Joe will know though :)


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 16:38:42 -0500

Mike,
 
Can you use ADfind and ADmod for this?
 
ADfind -h  -Defaul
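
Added example, not part of the original thread: because the TS properties live inside userParameters and cannot be matched with an LDAP search filter, each user has to be bound and read in turn. This sketch extends the sample above to the profile path case from the original question; the OU DN and both server prefixes are hypothetical, it only looks at direct children of the one container, and it assumes it runs on a machine where the Terminal Services ADSI properties used in the sample above are available.

```vbscript
Option Explicit

' Assumed values for illustration; replace with your own.
Const OU_DN      = "OU=Staff,DC=example,DC=com"   ' hypothetical container
Const OLD_PREFIX = "\\OLDSRV\"                    ' hypothetical old server
Const NEW_PREFIX = "\\NEWSRV\"                    ' hypothetical new server
Const COMMIT     = False                          ' False = report only, no writes

' Return the path with the old server prefix swapped for the new one,
' or an empty string when the path does not start with the old prefix.
Function RewritePath(strPath)
    RewritePath = ""
    If Len(strPath) < Len(OLD_PREFIX) Then Exit Function
    If LCase(Left(strPath, Len(OLD_PREFIX))) = LCase(OLD_PREFIX) Then
        RewritePath = NEW_PREFIX & Mid(strPath, Len(OLD_PREFIX) + 1)
    End If
End Function

Dim objOU, objUser, strPath, strNew
Set objOU = GetObject("LDAP://" & OU_DN)
objOU.Filter = Array("user")          ' direct children of class user only

For Each objUser In objOU
    ' The value is exposed as a property, not a searchable attribute,
    ' so it is read per object after binding.
    strPath = ""
    On Error Resume Next              ' guard the read in case the property cannot be retrieved
    strPath = objUser.TerminalServicesProfilePath
    On Error GoTo 0

    strNew = RewritePath(strPath)
    If strNew <> "" Then
        ' Always log the before and after values so the change can be reviewed
        WScript.Echo objUser.distinguishedName & vbTab & strPath & " -> " & strNew
        If COMMIT Then
            objUser.TerminalServicesProfilePath = strNew
            objUser.SetInfo           ' write the change back to the directory
        End If
    End If
Next
```

Run it with cscript and COMMIT left at False first, review the list it prints, then set COMMIT to True to apply the change.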

RE: [ActiveDir] which GC answers?

2006-05-04 Thread adriaoramos

I have a problem running that:

This is one of the objects I want to delete, found with ldp:

>> Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br
    1> canonicalName: esgoto.sabesp.com.br/Users/adriao;
    1> cn: adriao;
    1> distinguishedName: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br;
    4> objectClass: top; person; organizationalPerson; user;
    1> name: adriao;

What is the exact DN I have to use?
I tried these ways:

C:\>REPADMIN /SHOWOBJMETA GC: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br > OUTPUTfile.TXT
C:\>REPADMIN /SHOWOBJMETA GC: Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br :> OUTPUTfile.TXT
C:\>REPADMIN /SHOWOBJMETA GC: > > OUTPUTfile.TXT

None of them worked.

What is the right command?

What is wrong?

Thanks a lot

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Windows Support Team
(11) 3388-8193

"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/05/2006 11:20
Please reply to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] which GC answers?


a way to check this is:
 
REPADMIN /SHOWOBJMETA GC:  > OUTPUT.TXT
 
GC: targets ALL GCs in the forest
 
For each GC:
* you get the metadata of the object if it exists on the GC
OR
* you get "Directory object not found" if the object does not
exist
 
in addition to this you can wrap a script around this that takes away some
manual stuff you must do.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-05-03 14:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] which GC answers?



When I use ldp and find a user (lingering), how can I know which GC of
the many has that copy of the object? I use ADSIEdit, but I have many
GCs. Is there an easier way to discover which of them it is in?


Thanks 

Adrião F Ramos 




RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

2006-05-04 Thread Steve Linehan
The "This Organization" security principal is used for selective
authentication.  More details on this can be found here:
http://technet2.microsoft.com/WindowsServer/en/Library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff11033.mspx

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
groups?

Have you any idea what the this organization thing is? I noticed that
when I went and did gpresult on one of mine in reference to this thread.


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir- 
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 04, 2006 9:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security 
> groups?
> 
> That is odd. Here is what one of my DCs shows
> 
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> Windows Authorization Access Group
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> ServerName$
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
> 
> 
> The first thing I would do is look at that DC directly to make sure it
> has all the proper values on itself. If it does, then I would use 
> gpresult and ethereal and get a trace just to make sure that it is 
> using the info on the local machine. You can even set up the gateway 
> values so that you could see the traffic locally but mostly you just 
> want to see if the queries are going off the box and you don't need to
> change any IP config to capture that, just watch the traffic for all 
> LDAP packets. If it is going off the box for the info, go look at the 
> DC it is querying and find out what is dorked up.
> 
>   joe
> 
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
> Sent: Tuesday, May 02, 2006 5:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPResult incorrectly reporting DC's security 
> groups?
> 
> I am currently looking at a forest which had some issues after 
> DCPromo'ing some of the DCs, most of the problems appear to be 
> resolved.
> 
> However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
> GPResult (and GPMC) output :
> 
> The computer is a part of the following security groups
> ---
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> $
> Domain Computers
> 
> So it is reporting to be a member of Domain Computers, when it should 
> not be.
> 
> More concerning is that it is not reporting as being a member of the 
> following groups :
> BUILTIN\Pre-Windows 2000 Compatible Access
> Windows Authorization Access Group
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
> 
> Via Active Directory Users and Computers, group membership appears 
> correct.
> 
> Looking at the attributes of the DC's computer account, it can be seen
> that the "primaryGroupID" is 516 (Domain Controllers).
> 
> I have had a good look over the DC and can not see sign of any other 
> problems and the DC is being used by clients without issues.
> 
> Does anyone have any suggestions as to why the group membership appears
> incorrect? Or how else to interrogate the computer's token?
> 
> 
> Also, something I have not noticed before : looking at the attributes 
> of a DC's computer account via LDP, "Domain Controllers" is not listed
> in memberOf.  Is that expected behaviour and if so why?
> 
> Many thanks,
> Ali.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-
> archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] TScmd help

2006-05-04 Thread Jef Kazimer


I meant that was the advice we were given from PSS on how to solve the problem. :)
 
Though...we did end up clearing it after finding out they were not TS users.
 
 


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Thu, 4 May 2006 21:17:34 -0400



Yes some Novell stuff can be found in there as well as some other things I have heard of through the years. Just clearing that attribute is a great idea... especially if you use Novell stuff as well as TS stuff. :)
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

My first travesty with said blos, was when an admin could not reset a user's password via the MMC.   After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field.   As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.
 
The solution?   Just clear the userParameters attribute for all affected users if I remember.
 
I think there is a KB article on it now.


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 19:05:10 -0400


Joe? joe? me?
 
The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, for now on we will call what the TS attributes are stored in a Blos. So this Blos is kept in the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. 
 
Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. 
 
  joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 5:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

Mike,
 
Scratch that.   It is not the string I was thinking about.
 
I'm sure Joe will know though :)


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 16:38:42 -0500


Mike,
 
Can you use ADfind and ADmod for this?
 
ADfind -h  -Default  -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath
 
Now I don't remember if TS path (I know it's not the attribute name so you will need to look at it) is a string value or if it's contained in that blob value with the other TS settings.
 
just an Idea




> Subject: [ActiveDir] TScmd help
> Date: Wed, 3 May 2006 15:12:42 -0600
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
>
> I need to try and find users who have a certain TS Profile path and
> change the server name.
>
> It is W2K/W2K3 mixed.
> I have googled and have tscmd, but can tell I will be needing to do some
> voodoo also. Any help is appreciated.
>
> Mike Hutchins
> Sys Admin
> [EMAIL PROTECTED]



RE: [ActiveDir] GC Provider

2006-05-04 Thread joe



adfind -gc -b -f somefilter
 
;o)
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, February 24, 2006 1:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GC Provider


OK, what do I need to do in my code to simply query the global catalog for the entire forest?
 
I have New DirectoryEntry("GC://")
 
That seems not to work. If I inspect it
 
?searchroot
{System.DirectoryServices.DirectoryEntry}
    AuthenticationType: Secure {1}
    Children: {System.DirectoryServices.DirectoryEntries}
    Container: Nothing
    Guid: {"Unknown error (0x80005000)"}
    Name: {"Unknown error (0x80005000)"}
    NativeGuid: {"Unknown error (0x80005000)"}
    NativeObject: {"Unknown error (0x80005000)"}
    ObjectSecurity: {"Unknown error (0x80005000)"}
    Options: {"Unknown error (0x80005000)"}
    Parent: {"Unknown error (0x80005000)"}
    Path: "GC://"
    Properties: {System.DirectoryServices.PropertyCollection}
    SchemaClassName: {"Unknown error (0x80005000)"}
    SchemaEntry: {"Unknown error (0x80005000)"}
    Site: Nothing
    UsePropertyCache: True
    Username: Nothing
 
We learn that it’s more or less null, lots of unknown COM Errors. I’m running this code as myself – I have Domain Admin and Enterprise Admin groups in my token, I had thought there was some reason something like Network Service couldn’t do this, but, that has obviously been ruled out. GC://mydomain.com works fine, but then I don’t get the stuff in GC://otherdomain.com which is in my forest. This is supposed to work … and it doesn’t. Ideas?
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
 


RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

2006-05-04 Thread Brian Desmond
Have you any idea what the this organization thing is? I noticed that
when I went and did gpresult on one of mine in reference to this thread.


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 04, 2006 9:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
> groups?
> 
> That is odd. Here is what one of my DCs shows
> 
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> Windows Authorization Access Group
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> ServerName$
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
> 
> 
> The first thing I would do is look at that DC directly to make sure it
> has all the proper values on itself. If it does, then I would use
> gpresult and ethereal and get a trace just to make sure that it is
> using the info on the local machine. You can even set up the gateway
> values so that you could see the traffic locally but mostly you just
> want to see if the queries are going off the box and you don't need to
> change any IP config to capture that, just watch the traffic for all
> LDAP packets. If it is going off the box for the info, go look at the
> DC it is querying and find out what is dorked up.
> 
>   joe
> 
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
> Sent: Tuesday, May 02, 2006 5:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPResult incorrectly reporting DC's security
> groups?
> 
> I am currently looking at a forest which had some issues after
> DCPromo'ing some of the DCs, most of the problems appear to be
> resolved.
> 
> However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
> GPResult (and GPMC) output :
> 
> The computer is a part of the following security groups
> ---
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
> This Organization
> $
> Domain Computers
> 
> So it is reporting to be a member of Domain Computers, when it should
> not be.
> 
> More concerning is that it is not reporting as being a member of the
> following groups :
> BUILTIN\Pre-Windows 2000 Compatible Access
> Windows Authorization Access Group
> Domain Controllers
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
> 
> Via Active Directory Users and Computers, group membership appears
> correct.
> 
> Looking at the attributes of the DC's computer account, it can be seen
> that the "primaryGroupID" is 516 (Domain Controllers).
> 
> I have had a good look over the DC and can not see sign of any other
> problems and the DC is being used by clients without issues.
> 
> Does anyone have any suggestions as to why the group membership appears
> incorrect? Or how else to interrogate the computer's token?
> 
> 
> Also, something I have not noticed before : looking at the attributes
> of a DC's computer account via LDP, "Domain Controllers" is not listed
> in memberOf.  Is that expected behaviour and if so why?
> 
> Many thanks,
> Ali.


RE: [ActiveDir] GC Promotion

2006-05-04 Thread joe
Not sure how well that would scale, say you have 50 GCs in a site and only
one DC of a certain domain, all GCs would want to replicate with that one DC
which I wouldn't expect.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it will
start pulling the additional NCs from that GC.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a DC
in the relevant domain for the GC information?

Make sense?

Mark


RE: [ActiveDir] Robocopy(OT)

2006-05-04 Thread joe



Wonder if you have a dorked up ACL, what happens if you try 
to take ownership of it?
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.
 
I've run Process Explorer and Filemon and nothing is accessing this dir.
 
Yet I can delete it and it's missing the security tab (it's on an ntfs vol).
 
How the heck can I get rid of this dir?
 
Has anyone had an issue like this?
 
Thanks again

On 4/6/06, Bruyere, Michel <[EMAIL PROTECTED]> wrote:

Hi,

I got something similar but with a PDF file. The solution was to reboot the server…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.
I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

Anything else I should look for?

Thanks

On 4/5/06, Mark Parris <[EMAIL PROTECTED]> wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: "Steve Rochford" <[EMAIL PROTECTED]>
Date: Wed, 5 Apr 2006 16:37:03
To: <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.

I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".
If I do a RD /s, I get "The system cannot find the file specified."
However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job - the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
He then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
Thanks
   
  


RE: [ActiveDir] OT: Windows Vista - Windows Defender

2006-05-04 Thread joe



Probably, but I expect that would be a mighty small command 
prompt. :)
 
I expect the stuff is there to make a normal transparent 
window as well, it just doesn't appear that MSFT went that direction for their 
apps for some reason.
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stewart, Fitz
Sent: Monday, May 01, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

Could you build a Sidebar app?  There’s transparency levels built in to those 
apps as a matter of course…

-fitz 
703-866-7473
703-626-5741 (cell) 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 29, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
 
LOL. The playboy women are all fake, don't do much for me. Now some of the 
SuicideGirls, they are pretty cute and better yet, realistic women. ;o)
 
Mostly I was thinking of backgrounds that quickly tell me something about the 
specific window sort of like bginfo on the desktop. I usually have different 
colors for different command prompts running in different security contexts 
doing different things. Unfortunately you don't have a huge number of colors to 
choose from so you start subcategorizing windows with text color plus sometimes 
in my old age I sit there thinking... hmmm what was magenta with green text 
again? If I could just build simple backgrounds that say, User ID this for 
accessing this this and that, etc. Maybe a nice tropical scene too so when it is 
60 degrees out (That would be F not C) and I am a bit chilly I can smile at my 
command prompt window. Yes, sort of a cyber geek I know. ;o)
 
It just seems silly that they are so into the glass look but 99% of the window 
space isn't, it is just a little tiny bit around the edges, what is the point 
other than looking kind of fun. Sounds like it was a lot of work for that little 
bit of fun. I can make the gadgets go transparent, I think Windows would be 
logical.
 
If you do MCE, let me know how it performs, it might be considerably better now 
because this build as a whole is much more responsive.
 

 
--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, April 28, 2006 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

What is it you’re going to put on the command prompt background anyway? A semi 
transparent playboy centerfold to look at while you program? 
 
I’m downloading 5365 now since I busted my MCE I’m either going to fix it with 
that or revert to SP2. 
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
 
If someone would just write some 
XBOX 360 Admin tools for Active Directory we would have a whole giant pool of 
amazing AD Admins. The way my brothers and cousins master those games it would 
be amazing to see them go after AD that way. 
 
Haven't tried the MCE stuff yet but 
was going to play for a week and then install, now Brian has scared me. 

 
I just have to say again that this 
interface is beautiful. I am a command prompt guy and think that if you log into 
a server all you should see is black and white (or black and green if 
you are one of those green screen weird types) text but the workstation should 
look amazing. 
 
Still want my transparent command 
prompts with custom backgrounds though... 
 
With all of the RSS stuff built in 
I have to start thinking about what cool kind of things I can publish through 
RSS from AD to have it just feed in and display for me. I am visualizing object 
add counts, etc that would normally be in a report you have to go chase down. 

 
 
--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

works nice...but still no Xbox 360 support :(
 
I want to test that piece :)   
 
 

  
  
  
  Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
  Date: Fri, 28 Apr 2006 12:15:52 -0400
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  
  Have you tested MCE on it? 5342 MCE on a beefy box is like useless
   
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
   
  c - 312.731.3132
   
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Friday, April 28, 2006 9:39

RE: [ActiveDir] Anyone knows how to fix this?

2006-05-04 Thread joe
What is the attribute definition?

2K/K3/ADAM?



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 30, 2006 11:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Anyone knows how to fix this?

Every 5 minutes, the following is logged in the event log:
 
--
Active Directory failed to create an index for the following attribute. 
Attribute identifier:
somenumbers
Attribute name:
some-custom-attrib
 
A schema cache update will occur 5 minutes after the logging of this event
and will attempt to create an index for the attribute. 
 
Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined
 
-
 
No one remembers the history of this event, and no one remembers how
"some-custom-attrib" was born.
 
Any pointers very much appreciated
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com   - we know IT
www.akomolafe.com  Do you now realize that Today
is the Tomorrow you were worried about Yesterday? -anon
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

2006-05-04 Thread joe
That is odd. Here is what one of my DCs shows

BUILTIN\Administrators
Everyone
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
ServerName$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS


The first thing I would do is look at that DC directly to make sure it has
all the proper values on itself. If it does, then I would use gpresult and
ethereal and get a trace just to make sure that it is using the info on the
local machine. You can even set up the gateway values so that you could see
the traffic locally but mostly you just want to see if the queries are going
off the box and you don't need to change any IP config to capture that, just
watch the traffic for all LDAP packets. If it is going off the box for the
info, go look at the DC it is querying and find out what is dorked up.

  joe

 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
Sent: Tuesday, May 02, 2006 5:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPResult incorrectly reporting DC's security groups?

I am currently looking at a forest which had some issues after DCPromo'ing
some of the DCs, most of the problems appear to be resolved.

However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
GPResult (and GPMC) output :

The computer is a part of the following security groups
---
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
$
Domain Computers

So it is reporting to be a member of Domain Computers, when it should not
be.

More concerning is that it is not reporting as being a member of the
following groups :
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

Via Active Directory Users and Computers, group membership appears correct.

Looking at the attributes of the DC's computer account, it can be seen that
the "primaryGroupID" is 516 (Domain Controllers).

I have had a good look over the DC and can not see sign of any other
problems and the DC is being used by clients without issues.

Does anyone have any suggestions as to why the group membership appears
incorrect? Or how else to interrogate the computer's token?


Also, something I have not noticed before : looking at the attributes of a
DC's computer account via LDP, "Domain Controllers" is not listed in
memberOf.  Is that expected behaviour and if so why?

Many thanks,
Ali.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
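
Background to the last question in the thread above, as an added example that is not part of the original posts: a principal's primary group is recorded only as a RID in primaryGroupID and is not listed in memberOf, so the full group list has to be rebuilt from objectSid plus primaryGroupID. The domain SID, account RID and memberOf value below are constructed sample values; only 516 and the group names come from the thread.

```python
import struct

# Domain-relative RIDs of the two groups discussed in the thread.
WELL_KNOWN_RIDS = {515: "Domain Computers", 516: "Domain Controllers"}


def sid_to_bytes(sid):
    """Encode an 'S-1-5-21-...' string into the binary layout used by objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")                  # authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))  # sub-authorities little-endian


def bytes_to_sid(raw):
    """Decode a binary objectSid value into its string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def primary_group_sid(object_sid, primary_group_id):
    """Domain SID (account SID minus its own RID) with primaryGroupID appended."""
    domain, _, _rid = bytes_to_sid(object_sid).rpartition("-")
    if not domain.startswith("S-1-5-21-"):
        raise ValueError("not a domain account SID")
    return "%s-%d" % (domain, primary_group_id)


def describe(sid):
    """Name for the well-known RIDs above, otherwise the SID itself."""
    return WELL_KNOWN_RIDS.get(int(sid.rsplit("-", 1)[1]), sid)


def compare_with_reported(reported, member_of, object_sid, primary_group_id):
    """Diff a reported group list against memberOf plus the primary group."""
    expected = set(member_of) | {describe(primary_group_sid(object_sid, primary_group_id))}
    reported = set(reported)
    unexpected = (reported & set(WELL_KNOWN_RIDS.values())) - expected
    return {"missing": sorted(expected - reported), "unexpected": sorted(unexpected)}


# Constructed sample account: a DC with RID 1105 in a made-up domain.
SAMPLE_OBJECT_SID = sid_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-1105")
SAMPLE_MEMBER_OF = ["Windows Authorization Access Group"]   # constructed memberOf
SAMPLE_REPORTED = ["Domain Computers"]                      # domain group shown in the odd output

if __name__ == "__main__":
    print(primary_group_sid(SAMPLE_OBJECT_SID, 516))
    print(compare_with_reported(SAMPLE_REPORTED, SAMPLE_MEMBER_OF, SAMPLE_OBJECT_SID, 516))
```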



RE: [ActiveDir] Query regarding Windows Time Service

2006-05-04 Thread joe



I would certainly check into it, it is implying the 
machines aren't syncing their time which could be bad for you. 

 
Normally I just set this with 
 
net time /setsntp:server
 
However it would appear they just do the same 
thing.
 
It used to be w32tm had a cool switch for testing the time 
sync process and outputting a verbose listing of all of the steps and values, 
that doesn't appear to be in there now. I would wonder how people are supposed 
to troubleshoot now. 
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Wednesday, May 03, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query regarding Windows Time Service

I have a query regarding the Windows Time Service.
Our environment is Windows 2003 FFL, Single Domain.
We have a Network Time Server which I have configured our PDCe to use. 
Having read other posts I also configured our Core DC's to use this Time Server 
so that if the PDCe failed, I could just seize the role to another DC and have 
one less thing to configure.
 
What I am receiving is Eventlog messages saying "the time provider 
NtpClient is configured to acquire a time from one or more time sources, however 
none of the sources are currently accessible. No attempt to contact a source 
will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 
29
 
This is received on all of the Core DC's that I have configured to use the 
Network Time Server rather than the PDCe.
 
All I did was run the following command on each DC that could potentially 
be used as a PDCe
 
w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update
 
Anyone know why I would be receiving these event messages, should I be 
concerned?
 
James




RE: [ActiveDir] which GC answers?

2006-05-04 Thread joe



> “Originating DC” is also the “owner” of the object, right? 
 
Originating DC is simply the DC that the originating write 
occurred on, contrast with a replicate write. What DSA was the attribute for the 
object modified on.
 
> But, if the “owner” is no longer around, the object is garbage
 
Nope because it isn't an owner. If this were the case you 
could have a lot of garbage every time you lost or dcpromoed a DC.
 
> My question is this – why are lingeringobjects such a “bear” to clean out?
 
Because no one has made it easy yet and because I haven't personally run into a 
huge issue with them yet. :)
 
> existence of a “replfix” tool
 
Haven't heard of it. 
 
> it would really be helpful to include examples within the repadmin help 
 
Hehehe. The help is some of the most organized and easily readable parts of 
that program. ;o)
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 03, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] which GC answers?

Hi Jorge,

    I don’t mean to hijack this thread but I have also been having an issue with 
lingeringobjects.  I ran your repadmin command shown below on one of the 
lingering objects I have.  For the lingering object I specified, the output 
lists a GUID (“Originating DC”) that doesn’t exist any more.  An 
“Originating DC” is also the “owner” of the object, right?   The 
member DC/GCs) of the domain that once hosted this “Originating DC” produce a 
different output from the repadmin /showobjmeta command than the other GCs – 
namely “Directory Object not found”.  If a DC is demoted, the object would 
be “owned” by one of the remaining DCs.  But, if the “owner” is no longer 
around, the object is garbage.  Right?
 
My question is this – why are lingeringobjects such a “bear” to clean out?  
It seems to me an admin should be able to use a 
“repadmin /removelingeringobjects GC: ” –type of syntax to 
take care of all of the GCs at the same time.  My TAM has indicated the 
existence of a “replfix” tool, but I’m not sure how it works.  
Thoughts/comments?
 
Mike Thommes
 
Ps. For any MS folks out there, it would really be helpful to include examples 
within the repadmin help considering how powerful this command can be.
Pps.  I think “lingeringobjects” are synonymous with “headache”.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, May 03, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] which GC answers?

a way to check this is:

REPADMIN /SHOWOBJMETA GC:  > OUTPUT.TXT

GC: targets ALL GCs in the forest

For each GC:

* you get the metadata of the object if it exists on the GC

OR

* you get "Directory object not found" if the object does not exist

in addition to this you can wrap a script around this that takes away some 
manual stuff you must do.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-05-03 14:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] which GC answers?

When I use ldp and I found a user (lingering) how can I know which GC of many 
of them has that copy of the object? I use ADSIEDIT, but I have many GC´s. Is 
there an easier way to discover in which of them it is?

Thanks

Adrião F Ramos 
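
A sketch of the kind of wrapper script mentioned in the thread above, as an added example that is not part of the original posts: it splits a saved OUTPUT.TXT into per-GC sections, reports which GCs returned metadata and which returned "Directory object not found", and collects originating DSAs that appear only as a GUID. The per-server banner line, the column layout and all sample text are assumptions constructed for illustration; adjust the banner pattern to what your repadmin version prints.

```python
import re

# Assumed banner printed once per targeted GC (not taken from the thread).
BANNER = re.compile(r"^Repadmin: running command \S+ against (?:full DC|server) (\S+)", re.I)
ENTRIES = re.compile(r"^\d+ entries\.?$")
GUID = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I)
NOT_FOUND = "directory object not found"   # the string quoted in the thread

# Constructed sample of a saved OUTPUT.TXT covering three GCs.
SAMPLE_OUTPUT = """\
Repadmin: running command /showobjmeta against full DC gc1.example.test

3 entries.
Loc.USN  Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
  20481  Site-A\\DC01        20481  2006-04-11 09:14:02    1 objectClass
  20481  Site-A\\DC01        20481  2006-04-11 09:14:02    1 cn
  20533  Site-A\\DC01        20533  2006-04-12 16:40:51    2 description

Repadmin: running command /showobjmeta against full DC gc2.example.test

DsReplicaGetInfo() failed with status 8333 (0x208d):
    Directory object not found.

Repadmin: running command /showobjmeta against full DC gc3.example.test

2 entries.
Loc.USN  Originating DSA                       Org.USN  Org.Time/Date        Ver Attribute
  11876  6f3c1e2a-9b7d-4c55-8e21-0a4d5b6c7d8e     5120  2005-11-02 08:00:13    1 objectClass
  11876  6f3c1e2a-9b7d-4c55-8e21-0a4d5b6c7d8e     5120  2005-11-02 08:00:13    1 cn
"""


def parse_showobjmeta(text):
    """Return {server: {"status": present|missing|unknown, "unresolved_dsas": [...]}}."""
    report, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        banner = BANNER.match(stripped)
        if banner:
            current = report.setdefault(
                banner.group(1).lower(),
                {"status": "unknown", "unresolved_dsas": set()})
            continue
        if current is None:
            continue                      # text before the first banner
        if NOT_FOUND in stripped.lower():
            current["status"] = "missing"
        elif ENTRIES.match(stripped) and current["status"] == "unknown":
            current["status"] = "present"
        # An originating DSA shown as a bare GUID could not be resolved to a DC name.
        current["unresolved_dsas"].update(g.lower() for g in GUID.findall(line))
    for info in report.values():
        info["unresolved_dsas"] = sorted(info["unresolved_dsas"])
    return report


def gcs_holding_object(text):
    """Servers whose section contained object metadata, in output order."""
    return [s for s, info in parse_showobjmeta(text).items() if info["status"] == "present"]


if __name__ == "__main__":
    for server, info in parse_showobjmeta(SAMPLE_OUTPUT).items():
        print(server, info["status"], info["unresolved_dsas"])
```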


Re: [ActiveDir] Remotely Migrating Machines

2006-05-04 Thread steve patrick



If these are XP clients - check out WMI and the 
JoinDomainOrWorkgroup method - I *think* this will work for you 
(specifically in the case where the domain it is currently joined to is no longer 
available) but I haven't tested this... 
 
 
steve
 

  - Original Message - 
  From: joe 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, May 04, 2006 5:12 PM
  Subject: RE: [ActiveDir] Remotely Migrating Machines
  
  You may be on your own there Brian... 

   
  If you really start looking at writing something check 
  out the API call NetJoinDomain.
   
   
   
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Thursday, May 04, 2006 7:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remotely Migrating Machines
  
  
  I’ve got a good sized chunk of PCs which are joined to 
  domains which no longer exist. I’d like to migrate those machines into a 
  domain that does exist. I have local admin access to the boxes. I’d also like 
  to do this remotely (either running the commands remotely or psexec’ing 
  something out to the boxes).
   
  The obvious choice for this is netdom, and I’ve done this 
  successfully before with the caveat that the old domain has a PDC or DC 
  available. All of the netdom commands, remove and move both want to contact 
  the old domain and delete the computer from that, so they fail. There doesn’t 
  seem to be a force switch. This process works fine when you go in the My 
  Computer Properties dialog and do the operations.
   
  Does anyone know how to do this or do I need to look into 
  writing my own wrapper for the APIs?
   
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
   
  c - 312.731.3132
   
   
   


FW: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-04 Thread joe



Brian what did you do on that message, that came 
through blank for me unless I looked at it in OWA or forwarded it from OWA to 
myself again stripping something from it.
 
Anyway COM Bwa ha ha ha ha. No. In the I don't know 
how many years that I have been writing code for Windows and COM being available 
I have written maybe 3 COM interfaces and hated it each time. I have to be spitting 
mad to use one in c/c++ code and the only places I do are in exchmbx because 
they really want you to use cdoexm and in admod for a mechanism for changing 
passwords. 
 
Wouldn't you rather just click, add tab in the app and 
then draw on the form telling it what you want where?
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 04, 2006 9:13 PM
To: joe
Subject: FW: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Thu 5/4/2006 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?

How about some good COM Addins so you can be consistent like MS? 
Then I can implement IJoePlugin17 to add a tab to your thing.

Addins with .net are rather easy to architect though - would be my 
preference.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 04, 2006 8:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and
> Desires.. WAS: Internet Authentication Concepts: Pointers?
>
> I was thinking of something a little more robust than ADUC with
> extensions. More of a combination of ADUC, DSSITES, ADSIEDIT, Schema
> Manager, and some yet to be publicly seen ADAM specific management
> stuff. Maybe some form of tie in to MIIS/IIFP/ADAMSynch for easily
> configuring those products so you don't have to hurt your forehead
> slamming the wall.
>
> I understand the desire for extension capability but even there, how
> many people are actually taking advantage of it? Yes it is a pain now
> for ADUC but it exists and if people wanted to use it bad enough, they
> would figure it out. Next question, how do you do EASY extension
> capability that is flexible and powerful and useable? Add to that not
> requiring people to use NET to do things. I haven't completely shut the
> door on NET but it is bottom of the pile for things I want to do or
> require. I have had way too many people write me (some of whom I even
> respect) and say that one of the beautiful things about my code is that
> I am not using/requiring NET.
>
> I feel similar when I hear people say that NET and MONAD are going to
> make most everyone scripters and programmers. I think we will see
> Australian Ice Hockey becoming the next great global sport before we
> see everyone or even a majority of admins becoming scripters and
> programmers with NET unless MSFT dumbs it down considerably more, the
> object model is enough to scare most people away. Don't get me wrong, I
> think NET is going to be popular, just like JAVA was/is. But there are
> a lot of coders who won't go near it.
>
> So the next question is What kind of extension model do you go
> with? Honestly it would have to be some RAD drag and drop with field
> tweak kind of extension in my opinion. I would visualize you saying ADD
> TAB, then laying out the form the way you like to see data, specifying
> the attribute to be displayed in the various fields and specifying HOW
> it should be displayed with the schema being used to determine a
> default and possibly helping control what other ways it could be
> displayed. Possibly adding in data rules that control what can be typed
> in the fields (like forcing a phone to fit to (xxx)xxx- or
> something (yes I know I just pissed off every international person with
> that example... It was an example)).
>
> Possibly it have some ability to call out to external pieces but most
> likely not because that just adds all sorts of stability and
> supportability issues. Of course that would piss off some folks who
> want to integrate some custom NET code or whatever but again I think
> that would be the minority of the folks. If someone is so good with
> NET, they are going to write their own tools anyway. Otherwise they are
> just playing with it and you don't want someone playing with NET
> writing extensions for your application, it would be a nightmare to
> support for a large company let alone someone small like me, myself,
> and I.
>
> So interesting. I expected more suggestions, are people just not really
> using ADAM yet or is everyone just happy with th

RE: [ActiveDir] TScmd help

2006-05-04 Thread joe



Yes some Novell stuff can 
be found in there as well as some other things I have heard of through the 
years. Just clearing that attribute is a great idea... especially if you use 
Novell stuff as well as TS stuff. :)
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

My first travesty with said blos, was when an admin 
could not reset a user's password via the MMC.   
After some PSS support, it turns out it was the NWCLIENT 
attributes stored in the userParameters field.   
As it turns out these users in the NT4 days had the 
Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.
 
The solution?   Just clear the userParameters 
attribute for all affected users if I remember.
 
I think there is a KB article on it now.

  
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd help
  Date: Wed, 3 May 2006 19:05:10 -0400
  
  

  Joe? 
  joe? me?
   
  The TS Attributes are 
  stored in an amazingly efficient and highly useful format called a blob. Blob 
  as you may or may not know stands for Big Lump of a, Ok, for now on we 
  will call what the TS attributes are stored in a Blos. So this Blos is 
  kept in the userParameters attribute. It is a form of a name value pair 
  setup but is entirely undocumented by MS and dorking with it is surely going 
  to impact how PSS supports you when you encounter an issue. Instead of hearing 
  the ubiquitous "That is By Design" or "I need you to crash the server and send 
  us a dump" you will hear the almost as ubiquitous "That is unsupported" or 
  "You are Unsupportable in that state". There have been some attempts in the 
  SAMBA space to decode that information and I am not at liberty to say how they 
  are doing on it but keep in mind, they may not have access to all different 
  configs using that attribute because TS attributes are not the only ones that 
  go in there. 
   
  Yes, Microsoft had the 
  opportunity to fix the issues with that and userAccountControl 6+ years ago 
  with the release of AD and yes they did refuse that opportunity. On the 
  positive side some thought is now going into userAccountControl nowadays with 
  ADAM though it is still quite quite. quite rough. TS attributes 
  unfortunately, are still dorked. I don't see that they are attempting to clean 
  it up either, maybe they (MSFT) are hoping they (the attributes) will just get 
  sick and tired of being treated like second class citizens and just go away. 
  When people ask me about setting them with admod I tend to say, go away, don't 
  come back until you grow up and become real attributes. You can set it with 
  admod right now, you just need to know the actual binary chunk to send into 
  admod to do it. 
   
    joe
   
  
  --
  O'Reilly Active Directory Third Edition - 
  http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
  Sent: Wednesday, May 03, 2006 5:50 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd help
  
  Mike,
   
  Scratch that.   It is not the string I was thinking about.
   
  I'm sure Joe will know though :)
  

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 16:38:42 -0500

Mike,
 
Can you use ADfind and ADmod for this?
 
ADfind -h  -Default  -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath
 
Now I don't remember if TS path (I know it's not the 
attribute name so you will need to look at it) is a 
string value or if it's contained in that blob value with the other TS settings.
 
just an Idea

> Subject: [ActiveDir] TScmd help
> Date: Wed, 3 May 2006 15:12:42 -0600
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> 
> I need to try and find users who have a certain TS Profile path and
> change the server name.
> 
> It is W2K/W2K3 mixed.
> I have googled and have tscmd, but can tell I will be needing to do some
> voodoo also. Any help is appreciated.
> 
> Mike Hutchins
> Sys Admin
> [EMAIL PROTECTED]
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] TScmd help

2006-05-04 Thread joe



And understanding completely that those aren't actually 
attributes, they are properties that are being exposed through a special 
Terminal Server COM interface that is in a special DLL. Why is that important or 
different? Try to pull those attribs with a search instead of an enumeration? 
There are other things too but that is a great one right up front that will put 
hair on your chest and see what the real world is like. :)
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of A P
Sent: Wednesday, May 03, 2006 11:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TScmd help

I have some code that sets TS parameters for users.  What you need to 
do is bind to the user object and check the TerminalServicesHomeDirectory 
attribute and TerminalServicesHomeDrive if needed.
 
Here is a piece of sample code to set the values.  It should be 
easy enough to check the value and set it to something else, if needed.
 
  ' Bind to the user; userDN, strHomeDir and strHomeDrive are supplied by the caller
  Set objUser = GetObject("LDAP://" & userDN)
  objUser.TerminalServicesHomeDirectory = strHomeDir
  objUser.TerminalServicesHomeDrive = strHomeDrive
  objUser.SetInfo  ' write the changed values back to the directory

Of course, if you do not have a list of target users, you 
will need to loop through the above code to check and modify the settings if 
necessary. 
 
Here is a URL that may help as well.
 
http://www.msterminalservices.org/articles/Scripting-Server-Based-Computing-Terminal-Services-Attributes-Active-Directory-User-Objects.html 

 
 
Hope this helps.
 
Arden 
On 5/3/06, Jef Kazimer <[EMAIL PROTECTED]> wrote: 

  
  My first travesty with said blos, was when an admin 
  could not reset a user's password via the MMC.   
  After some PSS support, it turns out it was the NWCLIENT 
  attributes stored in the userParameters 
  field.   As it turns out these users in the NT4 
  days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.
   
  The solution?   Just clear the userParameters attribute for all affected users if I 
  remember.
   
  I think there is a KB article on it now.
  

From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd 
  help
  Date: Wed, 3 May 2006 19:05:10 -0400
  
  Joe? joe? me?
   
  The TS Attributes are stored in an amazingly 
  efficient and highly useful format called a blob. Blob as you may or may not 
  know stands for Big Lump of a, Ok, for now on we will call what the TS 
  attributes are stored in a Blos. So this Blos is kept in the 
  userParameters attribute. It is a form of a name value pair setup but is 
  entirely undocumented by MS and dorking with it is surely going to impact how 
  PSS supports you when you encounter an issue. Instead of hearing the 
  ubiquitous "That is By Design" or "I need you to crash the server and send us 
  a dump" you will hear the almost as ubiquitous "That is unsupported" or "You 
  are Unsupportable in that state". There have been some attempts in the SAMBA 
  space to decode that information and I am not at liberty to say how they are 
  doing on it but keep in mind, they may not have access to all different 
  configs using that attribute because TS attributes are not the only ones that 
  go in there. 
   
  Yes, Microsoft had the opportunity to fix the 
  issues with that and userAccountControl 6+ years ago with the release of AD 
  and yes they did refuse that opportunity. On the positive side some thought is 
  now going into userAccountControl nowadays with ADAM though it is still quite 
  quite. quite rough. TS attributes unfortunately, are still dorked. I don't 
  see that they are attempting to clean it up either, maybe they (MSFT) are 
  hoping they (the attributes) will just get sick and tired of being treated 
  like second class citizens and just go away. When people ask me about setting 
  them with admod I tend to say, go away, don't come back until you grow up and 
  become real attributes. You can set it with admod right now, you just need to 
  know the actual binary chunk to send into admod to do it. 
   
    joe
   
  
  --
  O'Reilly Active 
  Directory Third Edition - 
  http://www.joeware.net/win/ad3e.htm 
   
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jef Kazimer
  Sent: Wednesday, May 03, 2006 5:50 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd help 
  
  Mike,
   
  Scratch that.   It is not the string I was thinking about.
   
  I'm sure Joe will know though :)
  

From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
TScmd helpDate: Wed, 3 May 2006 16:38:42 -0500
Mike,
 
Can you use ADfind and ADmod 
for this?
 
ADfind -h  
-Default  -f "(TSpath=Blah)" 
-dsq | ADMOD tspath::NewPath
 
Now I don't remember if TS path (I know it's not the 
attribute name so you will need to look at it) is a 
string v

RE: [ActiveDir] [OT] exporting list of members of a security group

2006-05-04 Thread joe
Wow, you are lucky you learned that lesson so painlessly. That is like
writing on some passed out person's face with crayon instead of permanent
marker.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, May 04, 2006 1:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] exporting list of members of a security group

I have just read "My" post - and the moral of the story is - do not leave
your Blackberry on the table with a bunch of geeks when you go to the bar.

G.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 02 May 2006 21:50
To: ActiveDir.org
Subject: Re: [ActiveDir] exporting list of members of a security group

Right click the group and say export list.

Mark
-Original Message-
From: "Antonio Aranda" <[EMAIL PROTECTED]>
Date: Tue, 2 May 2006 15:02:21
To:
Subject: [ActiveDir] exporting list of members of a security group

Is there a way to export to text file a list of the members of a security
group?

Thanks

Antonio


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-04 Thread Brian Desmond
How about some good COM Addins so you can be consistent like MS? Then I can 
implement IJoePlugin17 to add a tab to your thing.

Addins with .net are rather easy to architect though - would be my preference. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 04, 2006 8:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and
> Desires.. WAS: Internet Authentication Concepts: Pointers?
> 
> I was thinking of something a little more robust than ADUC with
> extensions. More of a combination of ADUC, DSSITES, ADSIEDIT, Schema
> Managemer, and some yet to be publicly seen ADAM specific management
> stuff. Maybe some form of tie in to MIIS/IIFP/ADAMSynch for easily
> configuring those products so you don't have to hurt your forehead
> slamming the wall.
> 
> I understand the desire for extension capability but even there, how
> many people are actually taking advantage of it? Yes it is a pain now
> for ADUC but it exists and if people wanted to use it bad enough, they
> would figure it out. Next question, how do you do EASY extension
> capability that is flexible and powerful and useable? Add to that not
> requiring people to use NET to do things. I haven't completely shut the
> door on NET but it is bottom of the pile for things I want to do or
> require. I have had way too many people write me (some of whom I even
> respect) and say that one of the beautiful things about my code is that
> I am not using/requiring NET.
> 
> I feel similar when I hear people say that NET and MONAD are going to
> make most everyone scripters and programmers. I think we will see
> Australian Ice Hockey becoming the next great global sport before we
> see everyone or even a majority of admins becoming scripters and
> programmers with NET unless MSFT dumbs it down considerably more, the
> object model is enough to scare most people away. Don't get me wrong, I
> think NET is going to be popular, just like JAVA was/is. But there are
> a lot of coders who won't go near it.
> 
> So the next question is What kind of extension model do you go
> with? Honestly it would have to be some RAD drag and drop with field
> tweak kind of extension in my opinion. I would visualize you saying ADD
> TAB, then laying out the form the way you like to see data, specifying
> the attribute to be displayed in the various fields and specifying HOW
> it should be displayed with the schema being used to determine a
> default and possibly helping control what other ways it could be
> displayed. Possibly adding in data rules that control what can be typed
> in the fields (like forcing a phone to fit to (xxx)xxx- or
> something (yes I know I just pissed off every international person with
> that example... It was an example)).
> 
> Possibly it have some ability to call out to external pieces but most
> likely not because that just adds all sorts of stability and
> supportability issues. Of course that would piss off some folks who
> want to integrate some custom NET code or whatever but again I think
> that would be the minority of the folks. If someone is so good with
> NET, they are going to write their own tools anyway. Otherwise they are
> just playing with it and you don't want someone playing with NET
> writing extensions for your application, it would be a nightmare to
> support for a large company let alone someone small like me, myself,
> and I.
> 
> So interesting. I expected more suggestions, are people just not really
> using ADAM yet or is everyone just happy with the command line tools
> they are using for it?
> 
>   joe
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Sunday, April 30, 2006 12:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and
> Desires.. WAS: Internet Authentication Concepts: Pointers?
> 
> That really is the point of ADAM, isn't it? To be flexible and highly
> customizable?
> 
> 
> I have to agree with JoeK on this: it needs to be extensible in keeping
> with ADAM's charter.
> 
> Some of the basics would be cool, but then how do you make sense of an
> object in a customized directory unless you have a way to a) read it
> and b) get some sort of manifest that tells you the meaning and c) maps
> it for you to your task? To my knowledge, there is no standards based
> definition in that sense.  I can pick whatever I want to be a  type> object and define whatever rules I want as well.  How would a
> tool know that?
> 
> To make it easily extensible, i.e. create a totally easy language that
> plugs into a console would go a lot further in my opinion, than trying
> to capture an ADAM management tool that 

RE: [ActiveDir] "objects names cannot be shown in their user-friendly form"

2006-05-04 Thread joe
(3) Broken secure channel
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, May 04, 2006 2:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "objects names cannot be shown in their
user-friendly form"


this error occurs if:
(1) the other domain is not available (meaning, not connected or name
resolution is bad, etc)
(2) the object in the other domain has been deleted
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 


From: [EMAIL PROTECTED] on behalf of Milton Sancho
Sent: Thu 2006-05-04 08:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "objects names cannot be shown in their user-friendly
form"


 
Message: 
"Some of the objects names cannot be shown in their user-friendly form. This
can happen if the object is from an external domain and that domain is not
available to translate the object's name"
 
 Example: CN= S-1-5-21--21253782) ;   it is the domain\user.
 
 Scenario:
 
  WIN2000 Domain   (IT has services installed   DHCP-DNS-WINS) 
  WIN2003 Domain   (It has just installed DNS)
 
 We have a trust relationship (bidirectional) between both domains in the
same subnet ranges,  then  if I add any user from the  
 
 Trusts =  domain1(Relationship= External)  ( Transitive=No)
   domain2(Relationship= External)  ( Transitive=No)
 
 
Thanks comments 
 
 
 

RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-04 Thread joe
I was thinking of something a little more robust than ADUC with extensions. 
More of a combination of ADUC, DSSITES, ADSIEDIT, Schema Managemer, and some 
yet to be publicly seen ADAM specific management stuff. Maybe some form of tie 
in to MIIS/IIFP/ADAMSynch for easily configuring those products so you don't 
have to hurt your forehead slamming the wall.

I understand the desire for extension capability but even there, how many 
people are actually taking advantage of it? Yes it is a pain now for ADUC but 
it exists and if people wanted to use it bad enough, they would figure it out. 
Next question, how do you do EASY extension capability that is flexible and 
powerful and useable? Add to that not requiring people to use NET to do things. 
I haven't completely shut the door on NET but it is bottom of the pile for 
things I want to do or require. I have had way too many people write me (some 
of whom I even respect) and say that one of the beautiful things about my code 
is that I am not using/requiring NET. 

I feel similar when I hear people say that NET and MONAD are going to make most 
everyone scripters and programmers. I think we will see Australian Ice Hockey 
becoming the next great global sport before we see everyone or even a majority 
of admins becoming scripters and programmers with NET unless MSFT dumbs it down 
considerably more, the object model is enough to scare most people away. Don't 
get me wrong, I think NET is going to be popular, just like JAVA was/is. But 
there are a lot of coders who won't go near it. 

So the next question is What kind of extension model do you go with? 
Honestly it would have to be some RAD drag and drop with field tweak kind of 
extension in my opinion. I would visualize you saying ADD TAB, then laying out 
the form the way you like to see data, specifying the attribute to be displayed 
in the various fields and specifying HOW it should be displayed with the schema 
being used to determine a default and possibly helping control what other ways 
it could be displayed. Possibly adding in data rules that control what can be 
typed in the fields (like forcing a phone to fit to (xxx)xxx- or something 
(yes I know I just pissed off every international person with that example... 
It was an example)). 

Possibly it have some ability to call out to external pieces but most likely 
not because that just adds all sorts of stability and supportability issues. Of 
course that would piss off some folks who want to integrate some custom NET 
code or whatever but again I think that would be the minority of the folks. If 
someone is so good with NET, they are going to write their own tools anyway. 
Otherwise they are just playing with it and you don't want someone playing with 
NET writing extensions for your application, it would be a nightmare to support 
for a large company let alone someone small like me, myself, and I. 

So interesting. I expected more suggestions, are people just not really using 
ADAM yet or is everyone just happy with the command line tools they are using 
for it?

  joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, April 30, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: 
Internet Authentication Concepts: Pointers?

That really is the point of ADAM, isn't it? To be flexible and highly 
customizable?


I have to agree with JoeK on this: it needs to be extensible in keeping with 
ADAM's charter.

Some of the basics would be cool, but then how do you make sense of an object 
in a customized directory unless you have a way to a) read it and b) get some 
sort of manifest that tells you the meaning and c) maps it for you to your 
task? To my knowledge, there is no standards based definition in that sense.  I 
can pick whatever I want to be a  object and define whatever rules 
I want as well.  How would a tool know that?

To make it easily extensible, i.e. create a totally easy language that plugs 
into a console would go a lot further in my opinion, than trying to capture an 
ADAM management tool that goes beyond ADSIEDIT/ldp.
Today, it's write your own, or make do.  I'm sure some of that will continue, 
but having the ability to easily write your own and plug it into a well thought 
out graphical based administration system might be useful to some. At the 
least, I'm sure it would differentiate ADAM from other lightweight ldap 
directories that run on more platforms ;-)

-ajm


On 4/29/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
> The difficulty with building a tool like this is that it is a huge 
> leap to go from a low level editing tool like ADSI Edit to a high 
> level, task-based UI like ADUC.  The problem is that it is nearly 
> impossible to infer the semantic meaning of attributes in the 
> directory in a gen

RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-04 Thread joe
That was in the original specs I saw for MONAD. They backed off of it, I think 
some part of it might have been too tough for MSFT in the few years they had 
available... 
 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, May 03, 2006 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: 
Internet Authentication Concepts: Pointers?

That is the type of thing that would be pretty reasonable to build by writing a 
provider for MSH (Monad) that exposes an LDAP store like AD or ADAM as a 
"drive".  I think a few people have taken a swing at this already, but I'm not 
sure if anything is shipping yet.

Having this integrated into MSH is going to enable a huge number of scenarios.

Joe K.

- Original Message -
From: "Matheesha Weerasinghe" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 03, 2006 12:26 PM
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?


> personally, I'd like a command line tool thats interactive like
> ntdsutil or nslookup. I'd be able to use this to browse the ADAM
> instance from a command line. Have a prompt which allows me to
> navigate the hierachy. Execute commands such as create/delete
>  etc...
>
> M@
>
> On 4/28/06, Stewart, Fitz <[EMAIL PROTECTED]> wrote:
>>
>> Heck, just give a user the ability to create and otherwise manage objects –
>> users, groups, the basics.  Name, etc.  Nothing fancy, just not the
>> command-line-ishness of ADSIEDIT.
>>
>> -fitz
>>
>> 703-866-7473
>> 703-626-5741 (cell)
>>
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> joe
>>  Sent: Friday, April 28, 2006 3:46 PM
>>  To: ActiveDir@mail.activedir.org
>>  Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires..
>> WAS: Internet Authentication Concepts: Pointers?
>>
>>
>>
>> I have some curiosity in this realm...
>>
>>
>>
>> What would everyone consider good things and requirements for an ADAM
>> management tool. Even assuming, cough, GUI.
>>
>>
>>
>>   joe
>>
>>
>>
>>
>> --
>>
>> O'Reilly Active Directory Third Edition -
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>>
>>
>>
>>
>>  
>>
>>
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> Jef Kazimer
>>  Sent: Friday, April 28, 2006 10:01 AM
>>  To: ActiveDir@mail.activedir.org
>>  Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>
>> Since it is "LDAP" I did look at some "friendlier" admin tools, but none
>> really hit the mark for me.   I believed that group looked at Softerra's
>> tool,  and there is the web based PHP LDAP manager, and also the C# LDAP
>> manager tool.  You can Live search the names or I can post the links here if
>> you want.
>>
>>
>>
>> In the end I wrote my own as a .NET web app since I found them lacking.
>> Yet as I said if I want to go global,  I don't know if I want to position
>> what I wrote without some major changes. :)
>>
>>
>>
>> J
>>
>>
>>
>>
>>
>>  
>>
>>
>> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>  Date: Fri, 28 Apr 2006 09:44:55 -0400
>>  From: [EMAIL PROTECTED]
>>  To: ActiveDir@mail.activedir.org
>>
>>
>> That's a very good point.  Does anyone know of any 3rd parties which improve
>> the ADAM administrative UI "experience"?
>>
>>
>>
>>
>>
>>
>>
>> J. Fitzgerald (Fitz) Stewart
>>
>> Systems Architect
>>
>> IRM/OPS/ENM
>>
>> Worldwide Information Network Systems
>>
>> USAID/DoS IT Infrastructure Collaboration Program
>>
>> [EMAIL PROTECTED] 
>>
>> [EMAIL PROTECTED] 
>>
>> 703-866-7473
>>
>> 703-626-5741 (cell)
>>  
>>
>>
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> Jef Kazimer
>>  Sent: Friday, April 28, 2006 9:27 AM
>>  To: ActiveDir@mail.activedir.org
>>  Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>
>>
>>
>> Mylo,
>>
>>
>>
>> Thanks for the information!
>>
>>
>>
>> I have setup ADAM utilizing a custom web UI utilizing AZman for a small
>> project before, but I have concerns about scalabilty.  The issues are not
>> with the ADAM instance at all, but the UI that is needed to manage ADAM.
>> ADSIedit is great for someone who understands the directory, but it's not
>> that user friendly for web application owners, helpdesk, etc.  This was for
>> a simple application of about 500 users, and it met their needs but I don't
>> see this as a scalable solution from a global perspective.
>>
>>
>>
>> This will be a backend data store that contains the user identity, but the
>> applications that utilize it will be of diffe

RE: [ActiveDir] Intermittent 680 events.

2006-05-04 Thread joe
If the machines are consistently sending auths then sit down with them and
watch them and start killing off processes. It is very likely software
specific to them or some process they are following.

Have fun! 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, May 04, 2006 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Intermittent 680 events.

So this one is puzzling me.

Brand new 2003 R2 AD, all XPSP2 workstations.  A few user accounts are
getting continually locked out with Event 680, error code 0x006a
(invalid password.)

The usual culprits don't seem to be at fault since there are no services or
scheduled tasks running under the credentials that are getting locked out.
It also doesn't seem to be workstation-specific, since the account lockouts
follow these unlucky few from one workstation to another.

Turning up USERENV logging to the "Oh holy schnikes that's going to generate
a lot of entries" setting on the PDCe produces entries such as the
following:

"04/27 14:05:23 [LOGON] : SamLogon: Transitive Network
logon of \ from  (via
) Returns 0xC06A"

as well as

04/27 14:06:56 [LOGON] : SamLogon: Network logon of
\ from  Returns
0xC06A

In both cases, the bad password event was generated from the correct
workstations while the users were logged on interactively.

The only KB I found that was even -close- to relevant (305822) talked about
disabling the XP "Welcome Screen", which isn't in use here.

This doesn't "feel" like a password attack is going on, but I can't figure
out where these errant bad passwords are coming from, or what else is
distinguishing these few accounts from their counterparts who aren't
experiencing lockout fun.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
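
An added example (not from the original post or from any tool named in the thread) for the lockout hunt described above: it parses log lines of the `SamLogon ... Returns` shape quoted in the message, the format the Netlogon debug log uses, and ranks the workstations and pass-through servers that sent bad passwords for each account. The sample lines, domain, account and machine names are constructed, and the full NTSTATUS values 0xC000006A (wrong password) and 0xC0000234 (account locked out) are assumed.

```python
import re
from collections import Counter, defaultdict

WRONG_PASSWORD = 0xC000006A      # STATUS_WRONG_PASSWORD
ACCOUNT_LOCKED_OUT = 0xC0000234  # STATUS_ACCOUNT_LOCKED_OUT
STATUS_NAMES = {
    0x00000000: "SUCCESS",
    0xC0000064: "NO_SUCH_USER",
    WRONG_PASSWORD: "WRONG_PASSWORD",
    ACCOUNT_LOCKED_OUT: "ACCOUNT_LOCKED_OUT",
}

# Matches only completed logons ("Returns <status>"); "Entered" lines and
# other log categories are ignored. "(via X)" is present when another server
# passed the logon through to this DC.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r"(?P<domain>[^:]*): SamLogon: (?P<kind>(?:Transitive )?Network) logon of "
    r"(?P<account>\S+) from (?P<source>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample input (placeholder domain, accounts and hosts).
SAMPLE_LOG = r"""
04/27 14:05:22 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKS01 (via FILESRV1) Entered
04/27 14:05:23 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKS01 (via FILESRV1) Returns 0xC000006A
04/27 14:05:24 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\alice from WKS01 (via FILESRV1) Returns 0xC000006A
04/27 14:05:40 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\bob from WKS07 Returns 0x0
04/27 14:06:56 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from WKS01 Returns 0xC000006A
04/27 14:06:57 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from WKS01 Returns 0xC0000234
04/27 14:07:10 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\carol from WKS03 Returns 0xC000006A
04/27 14:07:11 [MISC] EXAMPLE: unrelated line
"""


def parse_line(line):
    """Return a dict for one completed SamLogon line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m["status"], 16)
    return {
        "time": m["ts"],
        "account": m["account"].lower(),   # account names are case-insensitive
        "source": m["source"].upper(),     # machine the logon came from
        "via": m["via"],                   # pass-through server, or None
        "transitive": m["kind"].startswith("Transitive"),
        "status": code,
        "status_name": STATUS_NAMES.get(code, hex(code)),
    }


def bad_password_sources(lines):
    """Map account -> Counter of (source, via) pairs for wrong-password results."""
    per_account = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == WRONG_PASSWORD:
            per_account[rec["account"]][(rec["source"], rec["via"])] += 1
    return per_account


def lockout_report(lines, threshold=3):
    """List accounts that hit `threshold` bad passwords or were seen locked out,
    with the sending machines ranked by how many bad passwords each produced."""
    lines = list(lines)
    sources = bad_password_sources(lines)
    locked = {
        rec["account"]
        for rec in map(parse_line, lines)
        if rec and rec["status"] == ACCOUNT_LOCKED_OUT
    }
    report = []
    for account in sorted(set(sources) | locked):
        counter = sources.get(account, Counter())
        total = sum(counter.values())
        if total >= threshold or account in locked:
            report.append({
                "account": account,
                "bad_passwords": total,
                "locked_out": account in locked,
                "sources": counter.most_common(),
            })
    return report


if __name__ == "__main__":
    for entry in lockout_report(SAMPLE_LOG.splitlines()):
        print(entry["account"], entry["bad_passwords"], "bad passwords,",
              "locked out" if entry["locked_out"] else "not locked out")
        for (source, via), count in entry["sources"]:
            print(f"  {count} from {source}" + (f" via {via}" if via else ""))
```

A repeated `via` server for one account narrows the search to whatever on the workstation is talking to that server with old credentials.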


RE: [ActiveDir] LDAP Matched DN: (Null)

2006-05-04 Thread joe



I am not a citrix (or even TS for that matter) person so 
you will have to bear with me. What do you mean you are trying to add user 
accounts? Is this a citrix thing? Add to what?
 
Is the citrix server a DC or is it a member in a domain? If 
you try to add user accounts to local groups on the server does that work? Do 
the accounts resolve? If not, have you chased the trust channels with nltest to 
see if there is a break somewhere?
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)

We have a citrix server that we're trying to add user accounts to 
from a trusted Windows 2000 domain.  When we add the user account, only the 
SID shows up.  In addition, we get an error when trying to save the 
permissions change.  A trace of the communication between the citrix server 
and the Windows 2000 domain controller shows the following: 
-LDAP Message - 
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
  -NTLMSSP-
   -Lan Manager Response: 00 -
    NTLM Response: Empty
Domain name: NULL
    User name: Null
 
PSS has not been able to help with this nor has Citrix


RE: [ActiveDir] Remotely Migrating Machines

2006-05-04 Thread joe



You may be on your own there Brian... 
 
If you really start looking at writing something check out 
the API call NetJoinDomain.
 
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 7:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remotely Migrating Machines


I’ve got a good sized chunk of PCs which are joined to 
domains which no longer exist. I’d like to migrate those machines into a domain 
that does exist. I have local admin access to the boxes. I’d also like to do 
this remotely (either running the commands remotely or psexec’ing something out 
to the boxes).
 
The obvious choice for this is netdom, and I’ve done this 
successfully before with the caveat that the old domain has a PDC or DC 
available. All of the netdom commands, remove and move both want to contact the 
old domain and delete the computer from that, so they fail. There doesn’t seem 
to be a force switch. This process works fine when you go in the My Computer 
Properties dialog and do the operations.
 
Does anyone know how to do this or do I need to look into 
writing my own wrapper for the APIs?
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
 


RE: [ActiveDir] Exchange queue(OT)

2006-05-04 Thread joe



That would have been my logical response too; googling your 
error against the support site pulls that exact KB and you didn't mention 
it in your initial post... So what else have 
you done and discounted before a bunch of other responses come through? 

 
Some additional questions to make the brain juices flow a 
little... Is cat logging cranked up to 7? What other cat messages are coming 
through? Have you looked at the perms on the server objects to make sure they 
aren't incorrect? What is the disk config in that machine (physical and 
logical levels) and where is everything at (i.e. bins, logs, dbs, page 
files, etc)? How is the overall perf of the machine? What is the io load in iops 
and how does that stack up against the theoretical max of your disk layout? How 
do your dsaccess counters look? How does it compare with the normal 
baselines?  Are there any "Special" IDs in the list? Can anyone else send 
to that list and not get the error? Is there anything odd about the list or the 
user in terms of permissions or settings? How long has the issue been going on? 
Has the user or anyone ever been able to send to that list and not have a 
problem?
 
 joe
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, May 04, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange queue(OT)

No, I spent about 2 secs before finding that.
Alas, it doesn't apply to my environment.
 
I sometimes have an itchy send finger but, I try not to waste your guys time 
if I can help it.
 
Thanks 
On 5/4/06, Katherine Coombs <[EMAIL PROTECTED]> wrote: 

  
  Hi Tom,
   
  I'm sure that you've spent more than the 5 seconds that I did trying to find a 
  solution, but I came across this article:  http://support.microsoft.com/default.aspx?kbid=884996
   
  HTH,
  Katherine
  
  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: 04 May 2006 20:35
  To: activedirectory
  Subject: [ActiveDir] Exchange queue(OT)
   
  
  
  I have an issue where a user sends an email to about 1800 recipients 
  using Outlook DL's.
   
  The email always gets stuck in the "messages awaiting directory lookup" 
  queue for hours(sometimes days).
   
  The only thing logged in the app log is-
   
  
  Event Type: Warning
  Event Source: MSExchangeTransport
  Event Category: Categorizer 
  Event ID: 6004
  Date:  5/4/2006
  Time:  3:21:02 PM
  User:  N/A
  Computer: EXNYC01
  Description:
  The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk.  
  For more information, click http://www.microsoft.com/contentredirect.asp. 
  Data:: 70 00 00 00   p...    
   
  The server has about 80gig of free space.
   
  I tried moving the user's mailbox to another server but she still gets the 
  same issue.
   
  Has anyone had experience with this error?
   
  I'm running Exchange 2k in mixed mode in an AD 2000 native mode 
  environment.
   
  Thanks


[ActiveDir] Remotely Migrating Machines

2006-05-04 Thread Brian Desmond








I’ve got a good sized chunk of PCs which are joined to
domains which no longer exist. I’d like to migrate those machines into a
domain that does exist. I have local admin access to the boxes. I’d also like
to do this remotely (either running the commands remotely or psexec’ing
something out to the boxes).

 

The obvious choice for this is netdom, and I’ve done
this successfully before with the caveat that the old domain has a PDC or DC
available. All of the netdom commands, remove and move both want to contact the
old domain and delete the computer from that, so they fail. There doesn’t
seem to be a force switch. This process works fine when you go in the My
Computer Properties dialog and do the operations.

 

Does anyone know how to do this or do I need to look into
writing my own wrapper for the APIs?

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

 








RE: [ActiveDir] InetOrgPersonFix.... Do I need it?

2006-05-04 Thread Lucas, Bryan
Stretching my memory banks... seems to me one of the steps of upgrading
Exchange 2000-->2003 was to verify the changes made by the LDF import.
Why not just look at the schema and see if the changes have already been
made.

I interpret your email as you never had Exchange 2000, you started with
2003.  But I don't know if the InetOrg fix was put in the 2003
forestprep or not, sorry.
 
Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, May 04, 2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] InetOrgPersonFix Do I need it?

Quick question that I can't find a simple, definitive answer to with a
Google search...

I've got a AD 2000 Forest (2000 FFL).  We're preparing to upgrade our
first DC to Server 2003 (planning to use the ADPrep off the R2 CD).
I've already verified the AD, FRS, and other items are running well so
I'm just about ready to roll...

I've already got Exchange 2003 running on the forest/domain.  Do I need
to run the InetOrgPersonFix.ldf in this environment or were the fixes
incorporated into the Exchange 2003 forestprep/domainprep?   

Everything I've read does specify an Exchange 2000 environment
(including Joe & Robbie's 3rd edition book, p363). However, I thought it
better to ask than to be sorry later that I didn't run it.

Joe Pochedley
Software suppliers are trying to make their software packages more 
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover."   -
Bill Gates.


[ActiveDir] LDAP Matched DN: (Null)

2006-05-04 Thread Teo De Las Heras
We have a citrix server that we're trying to add user accounts to from a trusted Windows 2000 domain.  When we add the user account, only the SID shows up.  In addition, we get an error when trying to save the permissions change.  A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:

-LDAP Message - 
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
  -NTLMSSP-
   -Lan Manager Response: 00 -
    NTLM Response: Empty
Domain name: NULL
    User name: Null
 
PSS has not been able to help with this nor has Citrix


RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
If you have 4gig of RAM then you should get minimal paging. (I know this is a 
great generalization)
 
1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great generalization).
 
So I would try and get another drive in the box so I could have a mirrored pair 
for OS & LOGS, and a mirrored pair for Databases. Putting these on separate 
drives will do far more for performance than changing the page file. RAID-5 is 
a real bad performer on write. These days I would avoid as far as possible...
 
I am sure other folks may disagree... 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 21:36 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Optimize Exchange Pagefile



Yes, far less than 100, on this box it is under 20.

You do not think it is necessary to mess with the page file, even if 
only to make it static?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

There is no point in messing about with memory config if you only have 
a three drive RAID 5 array. Disk config is critical. How many users do you want 
to put on this box? Less than 100?

 

 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it 
to be static and 1.5x physical RAM. I also create a pagefile on each disk and 
let Windows choose the best one (which will be the second logical drive). I do 
not want to disable the pagefile on C: because, from what I understand, this 
will disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to 
disclose this email, or any response to it, under the Freedom of Information 
Act 2000, unless the information in it is covered by one of the exemptions in 
the Act. 

If you receive this email in error please notify Stockport e-Services 
via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com  
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.

 


RE: [ActiveDir] InetOrgPersonFix.... Do I need it?

2006-05-04 Thread David Adner
When you installed Exchange 2003 you extended the schema and fixed the
problem then.  So no, you don't need the InetOrgPerson fix now.  Running the
Exchange 2003 schema extension (and allowing it to fully replicate out)
before the 2003 AD schema extension is a common recommendation to avoid
having to worry about this specific issue.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
> Sent: Thursday, May 04, 2006 3:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] InetOrgPersonFix Do I need it?
> 
> Quick question that I can't find a simple, definitive answer 
> to with a Google search...
> 
> I've got a AD 2000 Forest (2000 FFL).  We're preparing to 
> upgrade our first DC to Server 2003 (planning to use the 
> ADPrep off the R2 CD).
> I've already verified the AD, FRS, and other items are 
> running well so I'm just about ready to roll...
> 
> I've already got Exchange 2003 running on the forest/domain.  
> Do I need to run the InetOrgPersonFix.ldf in this environment 
> or were the fixes
> incorporated into the Exchange 2003 forestprep/domainprep?   
> 
> Everything I've read does specify an Exchange 2000 
> environment (including Joe & Robbie's 3rd edition book, 
> p363). However, I thought it better to ask than to be sorry 
> later that I didn't run it.
> 
> Joe Pochedley
> Software suppliers are trying to make their software packages 
> more user-friendly... Their best approach, so far, has been 
> to take all the
> old brochures, and stamp the words, 'user-friendly' on the cover."   -
> Bill Gates.


RE: [ActiveDir] InetOrgPersonFix.... Do I need it?

2006-05-04 Thread Almeida Pinto, Jorge de
I've already got Exchange 2003 running on the forest/domain.  Do I need
to run the InetOrgPersonFix.ldf in this environment or were the fixes
incorporated into the Exchange 2003 forestprep/domainprep? 
 
No need to run InetOrgPersonFix.ldf
Yes already incorporated into E2k3
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of Joe Pochedley
Sent: Thu 2006-05-04 22:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] InetOrgPersonFix Do I need it?



Quick question that I can't find a simple, definitive answer to with a
Google search...

I've got a AD 2000 Forest (2000 FFL).  We're preparing to upgrade our
first DC to Server 2003 (planning to use the ADPrep off the R2 CD).
I've already verified the AD, FRS, and other items are running well so
I'm just about ready to roll...

I've already got Exchange 2003 running on the forest/domain.  Do I need
to run the InetOrgPersonFix.ldf in this environment or were the fixes
incorporated into the Exchange 2003 forestprep/domainprep?  

Everything I've read does specify an Exchange 2000 environment
(including Joe & Robbie's 3rd edition book, p363). However, I thought it
better to ask than to be sorry later that I didn't run it.

Joe Pochedley
Software suppliers are trying to make their software packages more
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover."   -
Bill Gates.




This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

[ActiveDir] InetOrgPersonFix.... Do I need it?

2006-05-04 Thread Joe Pochedley
Quick question that I can't find a simple, definitive answer to with a
Google search...

I've got a AD 2000 Forest (2000 FFL).  We're preparing to upgrade our
first DC to Server 2003 (planning to use the ADPrep off the R2 CD).
I've already verified the AD, FRS, and other items are running well so
I'm just about ready to roll...

I've already got Exchange 2003 running on the forest/domain.  Do I need
to run the InetOrgPersonFix.ldf in this environment or were the fixes
incorporated into the Exchange 2003 forestprep/domainprep?   

Everything I've read does specify an Exchange 2000 environment
(including Joe & Robbie's 3rd edition book, p363). However, I thought it
better to ask than to be sorry later that I didn't run it.

Joe Pochedley
Software suppliers are trying to make their software packages more 
user-friendly... Their best approach, so far, has been to take all the
old brochures, and stamp the words, 'user-friendly' on the cover."   -
Bill Gates.


[ActiveDir] Intermittent 680 events.

2006-05-04 Thread Laura E. Hunter

So this one is puzzling me.

Brand new 2003 R2 AD, all XPSP2 workstations.  A few user accounts are
getting continually locked out with Event 680, error code 0x006a
(invalid password.)

The usual culprits don't seem to be at fault since there are no
services or scheduled tasks running under the credentials that are
getting locked out. It also doesn't seem to be workstation-specific,
since the account lockouts follow these unlucky few from one
workstation to another.

Turning up USERENV logging to the "Oh holy schnikes that's going to
generate a lot of entries" setting on the PDCe produces entries such
as the following:

"04/27 14:05:23 [LOGON] : SamLogon: Transitive
Network logon of \ from
 (via ) Returns
0xC06A"

as well as

04/27 14:06:56 [LOGON] : SamLogon: Network logon of
\ from  Returns
0xC06A

In both cases, the bad password event was generated from the correct
workstations while the users were logged on interactively.

The only KB I found that was even -close- to relevant (305822) talked
about disabling the XP "Welcome Screen", which isn't in use here.

This doesn't "feel" like a password attack is going on, but I can't
figure out where these errant bad passwords are coming from, or what
else is distinguishing these few accounts from their counterparts who
aren't experiencing lockout fun.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
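For the lockout hunt described in the post above, one way to triage such log output (an added example, not part of the original message): it groups bad-password returns per account by source workstation and by the server named after "via". The domain, account, workstation and server names and the full status values in the sample are constructed; the line layout follows the entries quoted in the post.

```python
import re
from collections import Counter, defaultdict

STATUS_WRONG_PASSWORD = 0xC000006A      # NTSTATUS: wrong password
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234  # NTSTATUS: account locked out

# Only completed requests ("Returns <status>") are matched; "Entered" lines are skipped.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<domain>[^:]*): SamLogon: "
    r"(?P<transitive>Transitive )?Network logon of (?P<account>\S+) "
    r"from (?P<workstation>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample input (not taken from the post).
SAMPLE_LOG = r"""
04/27 14:05:23 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-017 (via FILESRV01) Returns 0xC000006A
04/27 14:05:24 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-017 (via FILESRV01) Returns 0xC000006A
04/27 14:06:56 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from WKS-022 Returns 0xC000006A
04/27 14:07:10 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-022 (via FILESRV01) Returns 0xC000006A
04/27 14:07:30 [LOGON] CORP: SamLogon: Network logon of CORP\mlee from WKS-030 Returns 0x0
04/27 14:08:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-022 (via FILESRV01) Returns 0xC0000234
04/27 14:08:05 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jsmith from WKS-022 (via FILESRV01) Entered
""".strip().splitlines()


def triage(lines):
    """Count wrong-password returns per account and (workstation, relay) path."""
    report = defaultdict(lambda: {"by_path": Counter(), "locked_out": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue
        status = int(m["status"], 16)
        if status == STATUS_WRONG_PASSWORD:
            path = (m["workstation"], m["via"] or "(direct)")
            report[m["account"]]["by_path"][path] += 1
        elif status == STATUS_ACCOUNT_LOCKED_OUT:
            report[m["account"]]["locked_out"] += 1
    return dict(report)


def shared_relays(report):
    """Relay servers that forwarded bad passwords for an account from 2+ workstations."""
    result = {}
    for account, rec in report.items():
        seen = defaultdict(set)
        for (workstation, relay) in rec["by_path"]:
            if relay != "(direct)":
                seen[relay].add(workstation)
        relays = sorted(r for r, hosts in seen.items() if len(hosts) >= 2)
        if relays:
            result[account] = relays
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for account, rec in report.items():
        print(account, dict(rec["by_path"]), "locked_out:", rec["locked_out"])
    print("relays seen from several workstations:", shared_relays(report))
```

A relay that shows up for the same account from several workstations is a lead worth checking first when the lockouts follow the user between machines.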


RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dan DeStefano








Yes, far less than 100, on this box it is under 20.

You do not think it is necessary to mess with the page file, even if only to make it static?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

There is no point in messing about with memory config if you
only have a three drive RAID 5 array. Disk config is critical. How many users
do you want to put on this box? Less than 100?

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile





I was wondering if anyone can point me to any MS document
that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372,
but this article does not discuss the page file. I am running SBS 2003 on a 3
GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical
drives. I plan on installing the Exchange binaries on the first logical drive
(which will also contain the system and boot partitions) and the Exchange
databases, logs, queues, etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set
it to be static and 1.5x physical RAM. I also create a pagefile on each disk
and let Windows choose the best one (which will be the second logical drive). I
do not want to disable the pagefile on C: because, from what I understand, this
will disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be appropriate
to set the pagefile on C: to something small like 256MB since the OS will be
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any
other differences between the memory/pagefile settings on a regular Exchange
box running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 





 


Re: [ActiveDir] Exchange queue(OT)

2006-05-04 Thread Tom Kern
No, I spent about 2 secs before finding that.
Alas, it doesn't apply to my environment.
 
I sometimes have an itchy send finger but, I try not to waste your guys time if I can help it.
 
Thanks 
On 5/4/06, Katherine Coombs <[EMAIL PROTECTED]> wrote:


Hi Tom,
 
I'm sure that you've spent more than the 5 seconds that I did trying to find a solution, but I came across this article:  
http://support.microsoft.com/default.aspx?kbid=884996
 
HTH,
Katherine



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 04 May 2006 20:35
To: activedirectory
Subject: [ActiveDir] Exchange queue(OT)

I have an issue where a user sends an email to about 1800 recipients using Outlook DL's.

The email always gets stuck in the "messages awaiting directory lookup" queue for hours (sometimes days).

The only thing logged in the app log is-

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date:  5/4/2006
Time:  3:21:02 PM
User:  N/A
Computer: EXNYC01
Description:
The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk.

For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
: 70 00 00 00   p...

The server has about 80gig of free space.

I tried moving the user's mailbox to another server but she still gets the same issue.

Has anyone had experience with this error?

I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.
 
Thanks


RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dave Wade
There is no point in messing about with memory config if you only have a three 
drive RAID 5 array. Disk config is critical. How many users do you want to put 
on this box? Less than 100?
 
 
-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile



I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it to be 
static and 1.5x physical RAM. I also create a pagefile on each disk and let 
Windows choose the best one (which will be the second logical drive). I do not 
want to disable the pagefile on C: because, from what I understand, this will 
disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 


RE: [ActiveDir] Exchange queue(OT)

2006-05-04 Thread Kennedy, Jim



 
Had that once with a 1000 user dist. list on our exchange 
server. It was a bunch of nested groups, along with global groups tossed in. The 
groups, specifically the global groups seemed to be the cause. Took forever to 
enumerate the addresses.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Thursday, May 04, 2006 3:35 PM
  To: activedirectory
  Subject: [ActiveDir] Exchange queue(OT)

  I have an issue where a user sends an email to about 1800 recipients 
  using Outlook DL's.

  The email always gets stuck in the "messages awaiting directory lookup" 
  queue for hours (sometimes days).

  The only thing logged in the app log is-

  Event Type: Warning
  Event Source: MSExchangeTransport
  Event Category: Categorizer
  Event ID: 6004
  Date:  5/4/2006
  Time:  3:21:02 PM
  User:  N/A
  Computer: EXNYC01
  Description:
  The categorizer is unable to categorize messages due to a retryable error. There 
  is not enough space on the disk.

  For more information, click http://www.microsoft.com/contentredirect.asp.
  Data:
  : 70 00 00 00   p...

  The server has about 80gig of free space.

  I tried moving the user's mailbox to another server but she still gets the 
  same issue.

  Has anyone had experience with this error?

  I'm running Exchange 2k in mixed mode in an AD 2000 native mode 
  environment.
   
  Thanks


RE: [ActiveDir] Exchange queue(OT)

2006-05-04 Thread Katherine Coombs



Hi Tom,
 
I'm sure that you've spent more than the 5 seconds that I did trying to 
find a solution, but I came across this article:  http://support.microsoft.com/default.aspx?kbid=884996
 
HTH,
Katherine


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 04 May 2006 20:35
To: activedirectory
Subject: [ActiveDir] Exchange queue(OT)

I have an issue where a user sends an email to about 1800 recipients using 
Outlook DL's.

The email always gets stuck in the "messages awaiting directory lookup" 
queue for hours (sometimes days).

The only thing logged in the app log is-

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date:  5/4/2006
Time:  3:21:02 PM
User:  N/A
Computer: EXNYC01
Description:
The categorizer is unable to categorize messages due to a retryable error. There is 
not enough space on the disk.

For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
: 70 00 00 00   p...

The server has about 80gig of free space.

I tried moving the user's mailbox to another server but she still gets the 
same issue.

Has anyone had experience with this error?

I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.
 
Thanks


[ActiveDir] Exchange queue(OT)

2006-05-04 Thread Tom Kern
I have an issue where a user sends an email to about 1800 recipients using Outlook DL's.

The email always gets stuck in the "messages awaiting directory lookup" queue for hours (sometimes days).

The only thing logged in the app log is-

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 6004
Date:  5/4/2006
Time:  3:21:02 PM
User:  N/A
Computer: EXNYC01
Description:
The categorizer is unable to categorize messages due to a retryable error. There is not enough space on the disk.

For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
: 70 00 00 00   p...

The server has about 80gig of free space.

I tried moving the user's mailbox to another server but she still gets the same issue.

Has anyone had experience with this error?

I'm running Exchange 2k in mixed mode in an AD 2000 native mode environment.
 
Thanks


[ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dan DeStefano








I was wondering if anyone can point me to any MS document
that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372,
but this article does not discuss the page file. I am running SBS 2003 on a 3
GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical
drives. I plan on installing the Exchange binaries on the first logical drive
(which will also contain the system and boot partitions) and the Exchange
databases, logs, queues, etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set
it to be static and 1.5x physical RAM. I also create a pagefile on each disk and
let Windows choose the best one (which will be the second logical drive). I do
not want to disable the pagefile on C: because, from what I understand, this
will disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be appropriate
to set the pagefile on C: to something small like 256MB since the OS will be
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any
other differences between the memory/pagefile settings on a regular Exchange
box running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 






 


RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread joe



No problem James, I am happy to help.

None of this below is rocket science, anyone can start 
working out query efficiencies by testing various queries against Active 
Directory (or ADAM) and telling AD to return STATS info. There are two main 
tools available that I am aware of to allow you to do this in an AD HOC 
way. The first is LDP and the second is my adfind. Of the two, I highly 
recommend adfind as it is easier to use (IMO) and has the option to do a little 
bit of extra work on the STATS data that is returned. For instance, for the 
following query

anr=bob

The standard STATS output (as seen with -STATS or 
-STATSONLY) would look something like

Statistics=
Elapsed Time: 10 (ms)
Returned 5 entries of 5 visited - (100.00%)

Used Filter:
( |  (displayName=bob*)  (mail=bob*)  (givenName=bob*)  (legacyExchangeDN=bob)  (msDS-AdditionalSamAccountName=bob*)  (mailNickname=bob*)  (physicalDeliveryOfficeName=bob*)  (proxyAddresses=bob*)  (sAMAccountName=bob*)  (sn=bob*) )

Used Indices:
idx_sn:100:N idx_sAMAccountName:90:N idx_proxyAddresses:80:N idx_physicalDeliveryOfficeName:70:N idx_mailNickname:60:N idx_msDS-AdditionalSamAccountName:50:N idx_legacyExchangeDN:40:N idx_givenName:30:N idx_mail:20:N idx_displayName:10:N

With -STATS+ or -STATS+ONLY you would see

Statistics=
Elapsed Time: 10 (ms)
Returned 5 entries of 5 visited - (100.00%)

Used Filter:
( |  (displayName=bob*)  (mail=bob*)  (givenName=bob*)  (legacyExchangeDN=bob)  (msDS-AdditionalSamAccountName=bob*)  (mailNickname=bob*)  (physicalDeliveryOfficeName=bob*)  (proxyAddresses=bob*)  (sAMAccountName=bob*)  (sn=bob*) )

Used Indices:
idx_sn:100:N idx_sAMAccountName:90:N idx_proxyAddresses:80:N idx_physicalDeliveryOfficeName:70:N idx_mailNickname:60:N idx_msDS-AdditionalSamAccountName:50:N idx_legacyExchangeDN:40:N idx_givenName:30:N idx_mail:20:N idx_displayName:10:N

Analysis-
Hit Rate of 100.00% is Efficient

Indices used:

Index Name  : idx_sn
Record Count: 100  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_sAMAccountName
Record Count: 90  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_proxyAddresses
Record Count: 80  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_physicalDeliveryOfficeName
Record Count: 70  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_mailNickname
Record Count: 60  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_msDS-AdditionalSamAccountName
Record Count: 50  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_legacyExchangeDN
Record Count: 40  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_givenName
Record Count: 30  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_mail
Record Count: 20  (estimate)
Index Type  : Normal Attribute Index

Index Name  : idx_displayName
Record Count: 10  (estimate)
Index Type  : Normal Attribute Index

Filter Breakdown:

(|
  (displayName=bob*)
  (mail=bob*)
  (givenName=bob*)
  (legacyExchangeDN=bob)
  (msDS-AdditionalSamAccountName=bob*)
  (mailNickname=bob*)
  (physicalDeliveryOfficeName=bob*)
  (proxyAddresses=bob*)
  (sAMAccountName=bob*)
  (sn=bob*)
)

Which is considerably more readable IMO. Especially the 
Filter breakdown.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

Wow, thanks joe, I really appreciate the effort you've made to 
respond.

joe <[EMAIL PROTECTED]> wrote:

  Two quick items. 

  First the query can be simplified a little, there is an 
  unneeded level with the & operand in there. You only need 
  something of the format (&(something)(something)). It isn't a big deal, 
  the engine will strip it out when it optimizes the query but it does make it 
  look more foreboding/complex than it needs to be. 

  Second, __in general__ when you are going after 
  users you actually want to change (objectCategory=user) to 
  (objectCategory=person)(objectclass=user) or sAMAccountType=805306368. 

  The user class is not an objectcategory, it is only an 
  objectclass. When you specify (objectCategory=user) the system looks up the 
  defaultObjectCategory of user and finds person. So (objectCategory=user) 
  becomes (objectCategory=person) which means depending on the rest of the query 
  it will be looking at all user and contact objects. If you have no contact 
  objects, this works itself out, however if you have lots of contacts, you will 
  feel the pinch in perf as the query looks over objects it doesn't need to. 

  With this query, it is tough (at least for me as I understand things) to tell 
  if

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Thanks - this worked a treat!

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

I am using this thru ADUC.

Using LDIFDE you could use: (Change out the -s and -d to your site)

ldifde -f SCLEnabled.ldf -s 107ARW-DC-01 -d "OU=107 ARW,OU=NYNIAG,OU=ANG,DC=ang,DC=ds,DC=af,DC=mil" -l "userAccountControl:1.2.840.113556.1.4.803:=262144" -r "(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)))"

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

Thanks for responding Michael.

What would be the full command if you don't mind me asking?

JC

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can retrieve this list

thanks

James

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Wow, thanks joe, I really appreciate the effort you've made to respond.

joe <[EMAIL PROTECTED]> wrote:

Two quick items.

First the query can be simplified a little, there is an unneeded level with the & operand in there. You only need something of the format (&(something)(something)). It isn't a big deal, the engine will strip it out when it optimizes the query but it does make it look more foreboding/complex than it needs to be.

Second, __in general__ when you are going after users you actually want to change (objectCategory=user) to (objectCategory=person)(objectclass=user) or sAMAccountType=805306368.

The user class is not an objectcategory, it is only an objectclass. When you specify (objectCategory=user) the system looks up the defaultObjectCategory of user and finds person. So (objectCategory=user) becomes (objectCategory=person) which means depending on the rest of the query it will be looking at all user and contact objects. If you have no contact objects, this works itself out, however if you have lots of contacts, you will feel the pinch in perf as the query looks over objects it doesn't need to.

With this query, it is tough (at least for me as I understand things) to tell if just using objectcategory=person will work out ok there or not... The reason being is that userAccountControl is also indexed and, it is possible, depending on the rough estimate of the number of objects with a useraccountcontrol value versus the rough estimate of the number of objects with person as the objectcategory that the useraccountcontrol index will be used as the main index for the query. You can tell for sure in a given situation by using the STATS control to see what AD really did.

You could also use samaccounttype=805306368. That tends to be more efficient than using the previously mentioned pairing as it is then a single indexed attribute value to look at.

As an example of what can happen based on my joe.com test forest.

(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had to look over 7214 objects and used idx_userAccountControl.

(&(objectCategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had the same results.

(&(samaccounttype=805306368)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had to look over 7168 objects and used idx_sAMAccountType.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurzdorfer Michael TSgt 107CF/SCBN
Sent: Thursday, May 04, 2006 7:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve this list

thanks

James

RE: [ActiveDir] Odd NtFrs warning

2006-05-04 Thread Almeida Pinto, Jorge de
how about:
http://www.eventid.net/display.asp?eventid=13562&eventno=662&source=NtFrs&phase=1
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 



From: [EMAIL PROTECTED] on behalf of Steve Rochford
Sent: Thu 2006-05-04 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Odd NtFrs warning



I'm getting messages like the following in the event log at 24 hour
intervals. Is this really just an information message - ie a check was
carried out and there were no errors or is it trying to tell me
something but being very secretive about it??

Steve

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date:  02/05/2006
Time:  08:01:19
User:  N/A
Computer: WSTUD3
Description:
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
xx.student.cnwl.ac.uk for FRS replica set configuration information.


 


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





[ActiveDir] Odd NtFrs warning

2006-05-04 Thread Steve Rochford
I'm getting messages like the following in the event log at 24 hour
intervals. Is this really just an information message - ie a check was
carried out and there were no errors or is it trying to tell me
something but being very secretive about it??

Steve

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date:  02/05/2006
Time:  08:01:19
User:  N/A
Computer: WSTUD3
Description:
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
xx.student.cnwl.ac.uk for FRS replica set configuration information.

 
  


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


RE: [ActiveDir] "Several IMAP Accounts-Outlook fail"

2006-05-04 Thread Bruyere, Michel








I followed the MS recommendation to delete and recreate the IMAP account; it didn't work the first time but worked the second time.

It's the only resolution that I found.

My 0.02$

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Wednesday, May 03, 2006 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Several IMAP Accounts-Outlook fail"

"Your Server Has Reported a UID Which Does Not Comply with the IMAP Standard"

I received this error once I configured several IMAP email-accounts in the same profile, the worse point if I use any other e-mail client (Thunderbird-Evolution, etc) set the same e-mail accounts "works fine"

I refer to this Kb: http://support.microsoft.com/?kbid=294779

However the resolution is not very useful "To resolve this behavior, remove the IMAP account and create a new one"

I am using Outlook 2003 client ,

Please help me to find a solution










RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread joe



Two quick items. 
 
First the query can be simplified a little, there is an unneeded level
with the & operand in there. You only need something of the format
(&(something)(something)). It isn't a big deal, the engine will strip it
out when it optimizes the query but it does make it look more
foreboding/complex than it needs to be.

Second, __in general__ when you are going after users you actually want
to change (objectCategory=user) to
(objectCategory=person)(objectclass=user) or sAMAccountType=805306368.

 
The user class is not an objectcategory, it is only an 
objectclass. When you specify (objectCategory=user) the system looks up the 
defaultObjectCategory of user and finds person. So (objectCategory=user) becomes 
(objectCategory=person) which means depending on the rest of the query it will 
be looking at all user and contact objects. If you have no contact objects, this 
works itself out, however if you have lots of contacts, you will feel the pinch 
in perf as the query looks over objects it doesn't need to. 
 
With this query, it is tough (at least for me as I understand things) to
tell if just using objectcategory=person will work out ok there or not...
The reason being is that userAccountControl is also indexed and, it is
possible, depending on the rough estimate of the number of objects with a
useraccountcontrol value versus the rough estimate of the number of objects
with person as the objectcategory that the useraccountcontrol index will be
used as the main index for the query. You can tell for sure in a given
situation by using the STATS control to see what AD really did.

You could also use samaccounttype=805306368. That tends to be more
efficient than using the previously mentioned pairing as it is then a
single indexed attribute value to look at.

As an example of what can happen based on my joe.com test forest.
 
 
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))  
had to look over 7214 objects and used idx_userAccountControl. 

 
 
(&(objectCategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)) 
had the same results. 
 
 
(&(samaccounttype=805306368)(userAccountControl:1.2.840.113556.1.4.803:=262144)) 
had to look over 7168 objects and used idx_sAMAccountType.
 
 
  
joe
 
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurzdorfer Michael TSgt 107CF/SCBN
Sent: Thursday, May 04, 2006 7:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is 
required for interactive logon' ticked within their account.
 
I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve 
this list
 
thanks
 
James
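
The filters compared in the message above, evaluated offline against a few constructed directory entries. This is an added example, not code from the thread or from any tool it mentions. The entries, the shortened objectCategory values and the helper names `parse_filter`, `matches` and `search` are assumptions made for illustration, and the model shows which objects each filter selects, not which index AD picks.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule from the thread
SMARTCARD = f"(userAccountControl:{BIT_AND}:=262144)"
# Modelling assumption: objectCategory holds a short class name, and
# (objectCategory=user) is rewritten through user's defaultObjectCategory.
DEFAULT_OBJECT_CATEGORY = {"user": "person"}

USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [  # constructed sample entries, not taken from a real directory
    {"cn": "alice", "objectCategory": "person", "objectClass": USER,
     "sAMAccountType": 805306368, "userAccountControl": 512 | 262144},
    {"cn": "bob", "objectCategory": "person", "objectClass": USER,
     "sAMAccountType": 805306368, "userAccountControl": 512},
    {"cn": "carol", "objectCategory": "person", "objectClass": USER,
     "sAMAccountType": 805306368, "userAccountControl": 512 | 2 | 262144},
    {"cn": "vendor-contact", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"cn": "WS01$", "objectCategory": "computer", "objectClass": USER + ["computer"],
     "sAMAccountType": 805306369, "userAccountControl": 4096},
]

def parse_filter(s, i=0):
    """Parse one filter at s[i]; only nested '&' and simple items are supported."""
    if s.startswith("(&", i):
        i, kids = i + 2, []
        while s.startswith("(", i):
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if not s.startswith(")", i):
            raise ValueError(f"expected ')' at offset {i}")
        return ("and", kids), i + 1
    end = s.find(")", i)
    m = re.fullmatch(r"\(([\w-]+)(?::([\d.]+):)?=([^()]+)", s[i:max(end, i)])
    if not m:
        raise ValueError(f"unsupported filter item at offset {i}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    if node[0] == "and":
        return all(matches(kid, entry) for kid in node[1])
    _, attr, rule, value = node
    have = {k.lower(): v for k, v in entry.items()}.get(attr)
    if have is None:
        return False  # absent attribute: a contact has no userAccountControl
    if rule == BIT_AND:
        return (int(have) & int(value)) == int(value)  # every mask bit is set
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if attr == "objectcategory":
        value = DEFAULT_OBJECT_CATEGORY.get(value.lower(), value)
    values = have if isinstance(have, list) else [have]
    return any(str(v).lower() == value.lower() for v in values)

def search(ldap_filter, entries=ENTRIES):
    """Return the cn of every entry the filter selects."""
    tree, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in entries if matches(tree, e)]

if __name__ == "__main__":
    for scope in ("(objectCategory=user)", "(objectCategory=person)(objectclass=user)",
                  "(samaccounttype=805306368)"):
        print(scope, search("(&" + scope + ")"), search("(&" + scope + SMARTCARD + ")"))
```

All three scopes return the same smart-card-required accounts; only the objectCategory form also has the contact among the objects it has to consider.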





RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread Kurzdorfer Michael TSgt 107CF/SCBN



I am using this thru ADUC.
 

Using LDIFDE you could use: (Change out the -s and -d to your site)

ldifde -f SCLEnabled.ldf -s 107ARW-DC-01 -d "OU=107 ARW,OU=NYNIAG,OU=ANG,DC=ang,DC=ds,DC=af,DC=mil" -l "userAccountControl:1.2.840.113556.1.4.803:=262144" -r "(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)))"
 
//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users

Thanks for responding Michael.

What would be the full command if you don't mind me asking?

JC

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

  (&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

  //SIGNED//
  Michael Kurzdorfer, TSgt, NYANG
  Network Administrator
  107CF/SCBN Niagara Falls ANGB
  Comm 716.236.3064 DSN 238.3064

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
  Sent: Thursday, May 04, 2006 4:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Query AD for Smartcard enforced users

  I would like to find a way to extract all the users who have 'Smart card
  is required for interactive logon' ticked within their account.

  I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve
  this list

  thanks

  James


SCL Only Enabled.xml
Description: Binary data


RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
Thanks for responding Michael.

What would be the full command if you don't mind me asking?

JC

Kurzdorfer Michael TSgt 107CF/SCBN <[EMAIL PROTECTED]> wrote:

(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick

//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve this list

thanks

James

RE: [ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread Kurzdorfer Michael TSgt 107CF/SCBN



(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick
 

 
//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users

I would like to find a way to extract all the users who have 'Smart card is
required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve
this list

thanks

James


Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-04 Thread Sem 3
Normally I just lurk but I just have to mention Monad.
You can browse adam with it too.  and add and delete all at the cmd  (msh) prompt.
A Mr scriptos paradise :)

It is still in beta but you can download it from M$.

Hope this is useful.
 
SEM 
On 5/3/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:

That is the type of thing that would be pretty reasonable to build by writing a provider for MSH (Monad) that exposes an LDAP store like AD or ADAM as a "drive".  I think a few people have taken a swing at this already, but I'm not sure if anything is shipping yet.

Having this integrated into MSH is going to enable a huge number of scenarios.

Joe K.

- Original Message -
From: "Matheesha Weerasinghe" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 03, 2006 12:26 PM
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?

> personally, I'd like a command line tool that's interactive like
> ntdsutil or nslookup. I'd be able to use this to browse the ADAM
> instance from a command line. Have a prompt which allows me to
> navigate the hierarchy. Execute commands such as create/delete
>  etc...
>
> M@
>
> On 4/28/06, Stewart, Fitz <[EMAIL PROTECTED]> wrote:
>> Heck, just give a user the ability to create and otherwise manage
>> objects – users, groups, the basics.  Name, etc.  Nothing fancy, just
>> not the command-line-ishness of ADSIEDIT.
>>
>> -fitz
>> 703-866-7473
>> 703-626-5741 (cell)
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
>> Sent: Friday, April 28, 2006 3:46 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?
>>
>> I have some curiosity in this realm...
>>
>> What would everyone consider good things and requirements for an ADAM
>> management tool. Even assuming, cough, GUI.
>>
>> joe
>>
>> --
>> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jef Kazimer
>> Sent: Friday, April 28, 2006 10:01 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>
>> Since it is "LDAP" I did look at some "friendlier" admin tools, but none
>> really hit the mark for me.   I believed that group looked at Softerra's
>> tool,  and there is the web based PHP LDAP manager, and also the C# LDAP
>> manager tool.  You can Live search the names or I can post the links here
>> if you want.
>>
>> In the end I wrote my own as a .NET web app since I found them lacking.
>> Yet as I said if I want to go global,  I don't know if I want to position
>> what I wrote without some major changes. :)
>>
>> J
>>
>> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>> Date: Fri, 28 Apr 2006 09:44:55 -0400
>> From: [EMAIL PROTECTED]
>> To: ActiveDir@mail.activedir.org
>>
>> That's a very good point.  Does anyone know of any 3rd parties which
>> improve the ADAM administrative UI "experience"?
>>
>> J. Fitzgerald (Fitz) Stewart
>> Systems Architect
>> IRM/OPS/ENM
>> Worldwide Information Network Systems
>> USAID/DoS IT Infrastructure Collaboration Program
>> [EMAIL PROTECTED] [EMAIL PROTECTED]> [EMAIL PROTECTED] [EMAIL PROTECTED]>
>> 703-866-7473
>> 703-626-5741 (cell)
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jef Kazimer
>> Sent: Friday, April 28, 2006 9:27 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
>>
>> Mylo,
>>
>> Thanks for the information!
>>
>> I have setup ADAM utilizing a custom web UI utilizing AZman for a small
>> project before, but I have concerns about scalability.  The issues are not
>> with the ADAM instance at all, but the UI that is needed to manage ADAM.
>> ADSIedit is great for someone who understands the directory, but it's not
>> that user friendly for web application owners, helpdesk, etc.  This was
>> for a simple application of about 500 users, and it met their needs but I
>> don't see this as a scalable solution from a global perspective.
>>
>> This will be a backend data store that contains the user identity, but
>> the applications that utilize it will be of different flavors from DMZ hosted
>> web apps, to externally hosted apps.   The flavors of web apps will range
>> from websphere, ColdFusion,  .NET and I suspect some PHP apps.
>>
>> With AD,  I guess I was thinking it has a well known support interface
>> (though I am sure I would need to customize anyway...so I'm not sure that
>> value is really there).   So I was expecting to maybe find 3rd parties
>> that
>>

[ActiveDir] Query AD for Smartcard enforced users

2006-05-04 Thread James Carter
I would like to find a way to extract all the users who have 'Smart card is required for interactive logon' ticked within their account.

I have looked at LDIFDE and CSVDE but I can't see how I can get retrieve this list

thanks

James