RE: [ActiveDir] Forest trust - domain drop down list

2006-07-18 Thread Tony Murray
Thanks Guido (and others)

It looks like the UPN and/or domain\userid approach with user education is
going to be the way forward.  It would be nice to collapse ForestB to a
single domain infrastructure, but it won't happen any time soon.  :-)

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, 15 July 2006 2:42 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trust - domain drop down list

yes Tony, this is standard behaviour - you'll only see domains that are
directly trusted. Trust type doesn't matter. Even though a forest trust will
be transitive to all child domains by default, you'll have to use UPN to
authenticate to a child domain. Which is another reason why empty
placeholder roots don't really make an administrator's life easier...  The
challenges continue for viewing objects of a trusted child-domain across a
forest trust in the object picker - afaik, it will also just show you the
root domain (but you can find objects in the child by searching the GC...)

if you put in a normal external trust between your DomB and the DomA2,
you'll lose the benefit of kerberos authentication from your forest trust
(when choosing DomA2 in the logon window). If that's ok for you, this is a
solution, but then you might as well get rid of the forest trust...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Freitag, 14. Juli 2006 05:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest trust - domain drop down list

Here's the scenario

Forest trust between ForestA and ForestB.
ForestA has two domains, DomA1 (placeholder root) and DomA2. ForestB has one
domain, DomB.

Users from DomA2 sometimes log into DomB member machines.  DomA2 is not
shown in the drop-down list of domain names in the login dialog.
DomA1 is shown.

Users from DomB sometimes log into DomA2 member machines.  DomB is not shown
in the drop-down list of domain names in the login dialog.

Is it normal behaviour for the drop-down list not to show all the domains
with trusts (including those that are transitive via the forest trust)?  If
so, is there any way to change the behaviour?

The users can obviously login using UPN, but they are not used to doing this
and there is talk of putting in an explicit domain trust between DomA2 and
DomB simply to get around this.  Ugh.

Tony



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] IE temp folder location

2006-07-18 Thread Jason Benway
For some reason, win SP2 and now our new win2003 SP1 w/ Citrix 4 servers
are changing all (not confirmed; could just be most users) to
c:\windows\internet temp files

How can a script or GPO set them back to the standard c:\document and
settings\username\local settings\temp internet files?

Thanks, jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208


Re: [ActiveDir] Home directories issue

2006-07-18 Thread AFidel

The problem with XP clients mapping
to the base of a share instead of the users folder can be solved by enabling
Computer Configuration\Administrative Templates\System\Scripts\Run logon
scripts synchronously. Depending on your environment you might also need
to enable Computer Configuration\Administrative Templates\System\Logon\Always
wait for the network at computer startup and logon. Warning the latter
policy can significantly increase login time depending on your GPO complexity,
the first will increase login time if you have large, complex login scripts!
As always test in a lab environment before rolling to production. Unfortunately
this particular issue is hard to reproduce in the lab so testing is difficult
for a cure, but impact testing should be easier.

Andrew Fidel






Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/17/2006 07:42 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Home directories issue


For some odd reason Google didn't show me your original
message (it hides 'quoted' material for some messages). I didn't
see that portion of your message (that it was intermittent) and was trying
to think of what all things would cause this.

There are a few questions that I have:

1) Are they always connecting from the same computer.

2) Are you using DHCP or static mapping?

3) AD Integrated DNS?

I'll look around and see what I run into. I haven't run into this
personally (intermittent mapping of home drives) and just to be honest,
I use a \\servername\driveletter$\directory mapping for my home drive (mostly
so that I can always reach a particular drive location when on a network
without having to share it out) and even I don't see it with this somewhat
non-standard homedrive location type. 



On 7/16/06, Arnold Arce [EMAIL PROTECTED]
wrote:
Taking everything you said,
why would this problem be intermittent and not every single time the user
logs in?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 16, 2006 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Home directories issue

Well, when you're mapping to \\server\share\directory,
if the user has permission issues at the directory level (their actual
home share location), I believe that it will simply map to the share and
not go into the directory. 

Make sure that you have granted all users Full Control at the
share level. You don't need to grant them anything more than Read
at the NTFS level (since I believe the System account creates their home
directory), but to have full control (which is required for the home drive
location), you have to be *able* to have full control and you can only
have full control on a share if *both* the Share-level permissions and
the directory level permissions state that. 

Example:

The \\server01\users share is located on the E drive in the
directory users. You can have the perms on that directory
to be Administrators: Full, System: Full, Everyone: Read, the
System will create the user directories (E:\users\joebloe\) and grant the
required permissions for that directory (full control for joebloe). However,
if the share perms state Change or Read Only, then
the user can only have that level *or lower* of effective permissions on
the files. So even if joebloe has Full Control on his
directory, if the share says Everyone: Change, then his effective
permissions on everything in that share (including his directory) won't
ever be more than Change. You could actually have E:\users
shared out as \\server01\users and \\server01\home
and if you have everyone as Change on the users share and Full
Control on the home share, even though it's the exact same location
on the system and the NTFS permissions haven't changed, the people who
are mapped to \\server01\home will work, while the people who
are mapped to \\server01\users won't work. Change everyone's
mapping to \\server01\home (or change \\server01\users
to have Everyone: Full) and they will all work. 

Some of this is speculation and while I seem to remember running into this
in someone's network before, that was something like 6 years ago and haven't
run into it since. I could be mistaken.
On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote:
Has any headway been made with
this problem?  I can't find any solutions out there. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions
Sent: Tuesday, December 13, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by
IP and NetBIOS to ensure name resolution isn't an issue). No DFS.

On behalf of Jerry


Dan 
Nortel PEC Solutions
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Tuesday, December 13, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject:
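The share-versus-NTFS point in Matt's quoted explanation above (effective access through a share is capped by both the share permission and the NTFS permission, so the same E:\users folder behaves differently as \\server01\users with Everyone: Change than as \\server01\home with Everyone: Full) can be modelled directly. The following is an added example, not code from the thread; the right names, the joebloe scenario and the two share names are constructed for illustration, and "home drive needs Full Control" is taken from the post as the check to apply.

```python
"""Model effective access through an SMB share as share rights AND NTFS rights.

Added example, not from the mailing-list thread. Rights are modelled as flag
sets; the share levels Read / Change / Full are nested as the post describes.
"""

# Constructed right sets: each share level is a superset of the one below it
READ = frozenset({"read", "list"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership"}

SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full": FULL}


def effective_rights(share_level, ntfs_rights):
    """A user gets only what BOTH layers allow: share permission AND NTFS ACL."""
    return SHARE_LEVELS[share_level] & frozenset(ntfs_rights)


def home_drive_ok(share_level, ntfs_rights):
    """The post states the home-drive location needs Full Control end to end."""
    return effective_rights(share_level, ntfs_rights) == FULL


# Constructed scenario from the post: E:\users exposed under two share names
# with different share-level permissions for Everyone.
SHARES = {r"\\server01\users": "Change", r"\\server01\home": "Full"}

# The System account granted joebloe Full Control on E:\users\joebloe (NTFS)
JOEBLOE_NTFS_ON_HOME_DIR = FULL


def check_mappings(shares=SHARES, ntfs=JOEBLOE_NTFS_ON_HOME_DIR):
    """Which UNC mappings give joebloe a usable (Full Control) home drive?"""
    return {path: home_drive_ok(level, ntfs) for path, level in shares.items()}


if __name__ == "__main__":
    for path, ok in check_mappings().items():
        print(f"{path}: {'OK' if ok else 'capped by share permission'}")
```

Run as a script it reports \\server01\users as capped and \\server01\home as OK, which is the behaviour the post describes: the NTFS ACL never changed, only the share permission did.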

RE: [ActiveDir] Home directories issue

2006-07-18 Thread Bahta, Nathaniel V CTR USAF NASIC/SCNA



Andrew, do you know of any documents that address this or 
support your resolution? Where do you get your information 
from?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 18, 2006 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Home directories issue
The problem with XP clients mapping
to the base of a share instead of the users folder can be solved by enabling
Computer Configuration\Administrative Templates\System\Scripts\Run logon scripts
synchronously. Depending on your environment you might also need to enable
Computer Configuration\Administrative Templates\System\Logon\Always wait for the
network at computer startup and logon. Warning the latter policy can
significantly increase login time depending on your GPO complexity, the first
will increase login time if you have large, complex login scripts! As always
test in a lab environment before rolling to production. Unfortunately this
particular issue is hard to reproduce in the lab so testing is difficult for a
cure, but impact testing should be easier.

Andrew Fidel

  

[ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Thommes, Michael M.
Hi AD Gurus!

 We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.) I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!). Thanks much!



Mike Thommes




[ActiveDir] User extraction

2006-07-18 Thread Harding, Devon
















What is the adfind syntax that will extract all users in a domain to a text
file and contains the following fields?

LastName, FirstName, isDisabled

-Devon














RE: [ActiveDir] Home directories issue

2006-07-18 Thread AFidel

MS KB 304970 addresses the need for
Always wait for the network at computer startup
and logon in conjunction with
Run logon scripts synchronously, and using
Run logon scripts synchronously comes from a forum post I read on the
mapping problem.






Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/18/2006 02:13 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Home directories issue

Andrew, do you know of any documents
that address this or support your resolution? Where do you get your
information from?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 18, 2006 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Home directories issue


The problem with XP clients mapping to the base of a share instead of the
users folder can be solved by enabling Computer Configuration\Administrative
Templates\System\Scripts\Run logon scripts synchronously. Depending on
your environment you might also need to enable Computer Configuration\Administrative
Templates\System\Logon\Always wait for the network at computer startup
and logon. Warning the latter policy can significantly increase login time
depending on your GPO complexity, the first will increase login time if
you have large, complex login scripts! As always test in a lab environment
before rolling to production. Unfortunatly this particular issue is hard
to reproduce in the lab so testing is difficult for a cure, but impact
testing should be easier. 

Andrew Fidel 





Matt Hargraves
[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 
07/17/2006 07:42 AM





Please respond to
ActiveDir@mail.activedir.org






To
ActiveDir@mail.activedir.org



cc



Subject
Re: [ActiveDir] Home directories
issue










For some odd reason Google didn't show me your original message (it hides
'quoted' material for some messsages). I didn't see that portion
of your message (that it was intermittent) and was trying to think of what
all things would cause this. 

There are a few questions that I have:

1) Are they always connecting from the same computer.

2) Are you using DHCP or static mapping?

3) AD Integrated DNS?

I'll look around and see what I run into. I haven't run into this
personally (intermittent mapping of home drives) and just to be honest,
I use a \\servername\driveletter$\directory mapping for my home drive (mostly
so that I can always reach a particular drive location when on a network
without having to share it out) and even I don't see it with this somewhat
non-standard homedrive location type. 



On 7/16/06, Arnold Arce [EMAIL PROTECTED]
wrote: 
Taking everything you said, why would this problem be intermittent and
not every single time the user logs in? 



From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Matt Hargraves
Sent: Sunday, July 16, 2006 6:03 PM 

To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Home directories issue

Well, when you're mapping to \\server\share\directory,
if the user has permission issues at the directory level (their actual
home share location), I believe that it will simply map to the share and
not go into the directory. 

Make sure that you have granted all users Full Control at the
share level. You don't need to grant them anything more than Read
at the NTFS level (since I believe the System account creates their home
directory), but to have full control (which is required for the home drive
location), you have to be *able* to have full control and you can only
have full control on a share if *both* the Share-level permissions and
the directory level permissions state that. 

Example:

The \\server01\users share is located on the E drive in the
directory users. You can have the perms on that directory
to be Administrators: Full, System: Full, Everyone: Read, the
System will create the user directories (E:\users\joebloe\) and grant the
required permissions for that directory (full control for joebloe). However,
if the share perms state Change or Read Only, then
the user can only have that level *or lower* of effective permissions on
the files. So even if joebloe has Full Control on his
directory, if the share says Everyone: Change, then his effective
permissions on everything in that share (including his directory) won't
ever be more than Change. You could actually have E:\users
shared out as \\server01\users and \\server01\home
and if you have everyone as Change on the users share and Full
Control on the home share, even though it's the exact same location
on the system and the NTFS permissions haven't changed, the people who
are mapped to \\server01\home will work, while the people who
are mapped to \\server01\users won't work. Change everyone's
mapping to \\server01\home (or change \\server01\users
to have Everyone: Full) and they will all work. 

Some of this is speculation and while I seem to remember running into 

Re: [ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Matheesha Weerasinghe

Well, I've seen in our AD when it was W2K, the administrator account
was showing as locked in dsa.msc if you try too many incorrect auth
attempts. But I was still able to logon with it as expected. I didn't
check to see if any events were logged to indicate that it was.

I cannot repro your setup as my lab is busy doing other work. Someone
else might have something more sensible to add here.

M@



RE: [ActiveDir] User extraction

2006-07-18 Thread Mike Newell








Hey,

There's no isDisabled attribute that I know of. You could run the adfind
command below and use the userAccountControl attribute to determine if the
account is disabled or not.

adfind -b dc=yourdomain,dc=com -nodn -f "(&(objectCategory=person)(objectClass=user))" givenName SN userAccountControl > filename.txt

You can do some stuff in Excel if you need a report that says disabled. 512 is
normal, 514 is disabled, etc. Check here for the details on the values for the
userAccountControl attribute.

http://support.microsoft.com/default.aspx?scid=kb;en-us;305144











RE: [ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Almeida Pinto, Jorge de
My experience with this is:
 
the default ADMINISTRATOR can be locked out (wait before shouting!)
what I mean is that if you have a lockout threshold of, let's say, 5, the
lockoutTime attribute will show the lockout date and time the account was
locked. In ADUC (using another custom admin account for example) you will see
the default ADMINISTRATOR is locked; you will even see an event ID 644
mentioning the account lockout
 
HOWEVER here it comes...
 
while the default ADMINISTRATOR is locked, it will be unlocked automatically by
the SYSTEM (DC) AS SOON AS the correct password is used (even before it is
unlocked after the unlock period)
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



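Mike's question in this thread turns on a distinction that a lockout event itself settles: RID 500 alone does not say which account was locked, because the domain Administrator and every member server's local built-in Administrator all end in -500, and only the SID prefix (domain SID versus machine SID) tells them apart. The following is an added triage example, not code from the thread. It assumes lockout events have already been exported as one key=value line per event (a constructed layout, not the native event log format), it uses a placeholder domain SID, and the sample lines are made up.

```python
"""Triage account-lockout events by the locked account's full SID.

Added example, not from the mailing-list thread. Distinguishes the domain
built-in Administrator (domain SID prefix + RID 500) from a member server's
local built-in Administrator (machine SID prefix + RID 500).
"""
import re
from collections import Counter

# Placeholder domain SID for this example (not a real domain)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BUILTIN_ADMIN_RID = 500
LOCKOUT_EVENT_ID = "644"  # event ID named in the thread for account lockout

# Constructed sample export, one event per line (key=value pairs)
SAMPLE_EVENTS = """\
EventID=644 TargetAccountName=Administrator TargetSid=S-1-5-21-1111111111-2222222222-3333333333-500 CallerMachine=HOST01
EventID=644 TargetAccountName=Administrator TargetSid=S-1-5-21-4444444444-5555555555-6666666666-500 CallerMachine=HOST01
EventID=644 TargetAccountName=jbloe TargetSid=S-1-5-21-1111111111-2222222222-3333333333-1105 CallerMachine=WS042
EventID=528 TargetAccountName=Administrator TargetSid=S-1-5-21-1111111111-2222222222-3333333333-500 CallerMachine=DC01
"""

# Domain and machine SIDs share the S-1-5-21-<a>-<b>-<c> shape; the last
# component is the RID of the account within that authority.
SID_RE = re.compile(r"^(?P<prefix>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)$")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (constructed export format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify_sid(sid, domain_sid=DOMAIN_SID):
    """Return one of: domain-builtin-admin, local-builtin-admin, domain-user, other."""
    m = SID_RE.match(sid)
    if not m:
        return "other"  # well-known SIDs such as S-1-5-18 (LocalSystem)
    prefix, rid = m.group("prefix"), int(m.group("rid"))
    if rid == BUILTIN_ADMIN_RID:
        return "domain-builtin-admin" if prefix == domain_sid else "local-builtin-admin"
    return "domain-user" if prefix == domain_sid else "other"


def lockout_summary(export_text, domain_sid=DOMAIN_SID):
    """Count lockout events per classification; other event IDs are ignored."""
    counts = Counter()
    for line in export_text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != LOCKOUT_EVENT_ID:
            continue
        counts[classify_sid(ev["TargetSid"], domain_sid)] += 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(lockout_summary(SAMPLE_EVENTS).items()):
        print(f"{kind}: {n}")
```

With the sample lines, one lockout is the domain built-in Administrator, one is a local built-in Administrator on some member machine, and one is an ordinary domain user; the logon event (528) is skipped. Comparing the full SID rather than the account name is the check that resolves the "which SID 500 was it" debate in the thread.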

RE: [ActiveDir] User extraction

2006-07-18 Thread Mike Newell
Cool. Wouldn't he need to run the bitwise query for every possible value
to make sure he gets all the accounts in the domain? Like account
disabled and password set to never expire?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, July 18, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

You could also use the bitwise query operators to make a list of just
disabled and just enabled accounts, then merge the two w/ the appropriate
column ...

-B



RE: [ActiveDir] User extraction

2006-07-18 Thread joe
No that is what bitwise filters are all about, so you can focus in on just
the disabled bit which happens to be bit 1 which is value 2. So to find all
disabled users in a domain you do something like

adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))" -dn

That will dump the DN of every disabled user, if you have a large domain
with lots of objects that aren't users, especially say contacts, add -t 0 to
disable the timeout for the query.

To answer the original question though and get just first name and last name
you need to strip out the -dn from the command and specify those attributes'
ldapdisplayname values in the command and add in -nodn and -csv so it
doesn't output the DN and puts it all in csv format... So something like


adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))" -csv -nodn givenname sn

And to get the enabled report

adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2)))" -csv -nodn givenname sn



Under ADAM (and theoretically under Longhorn AD) there is a new constructed
attribute called msDS-UserAccountDisabled which will display the current
disabled status of a user and note that userAccountControl IS NOT there. So
on ADAM if you wanted to dump all user accounts in an instance including a
field that would show TRUE if the account was disabled you could do
something like

adfind -h adamserver:port -b <basedn> -pr -f "(&(objectcategory=person)(objectclass=user))" -csv -nodn givenname sn msDS-UserAccountDisabled


The sad thing in ADAM though is that there is no easy way to query only for
disabled accounts... You have no choice but to enumerate all of them. Some
of you may think, so what, that shouldn't take long... Consider an ADAM
instance with several million users... Ditto for locked and expired
accounts. One step forward, 3 steps back...

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Tuesday, July 18, 2006 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

Cool. Wouldn't he need to run the bitwise query for every possible value
to make sure he gets all the accounts in the domain? Like account
disabled and password set to never expire?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, July 18, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

You could also use the bit wise query operators to make a list of just
disabled and just enabled accounts, then merge the two w/ the appropriate
column ...

-B

On Tue, 18 Jul 2006, Mike Newell wrote:

 Hey,
 
 There's no isDisabled attribute that I know of. You could run the
adfind
 command below and use the userAccountControl attribute to determine if
 the account is disabled or not. 
 
  
 
 adfind -b dc=yourdomain,dc=com -nodn -f "(&(objectCategory=person)(objectClass=user))" givenName sn userAccountControl > filename.txt
 
  
 
 You can do some stuff in Excel if you need a report that says
disabled.
 512 is normal, 514 is disabled, etc. Check here for the details on the
 values for the userAccountControl attribute.
 
  
 
 http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
 
  
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Harding,
Devon
 Sent: Tuesday, July 18, 2006 11:41 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] User extraction
 
  
 
 What is the adfind syntax that will extract all users in a domain to a
 text file and contains the following field?
 
  
 
 LastName, FirstName, isDisabled
 
  
 
 -Devon
 


 --- 
 This message (including any attachments) is intended only for the use
of
 the individual or entity to which it is addressed and may contain
 information that is non-public, proprietary, privileged, confidential,
 and exempt from disclosure under applicable law or may constitute as
 attorney work product. If you are not the intended recipient, you are
 hereby notified that any use, dissemination, distribution, or copying
of
 this communication is strictly prohibited. If you have received this
 communication in error, notify us immediately by telephone and (i)
 destroy this message if a facsimile or (ii) delete this message
 immediately if this is an electronic communication. 
 Thank you.
 
 
 

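The bitwise filtering joe describes above, as an added example that is not code from the thread or from adfind. It writes out the LDAP filter that adfind's -bit shortcut ":AND:" stands for (the bitwise-AND matching rule OID), applies the same bit test offline to a few constructed userAccountControl values, and shows why a single disabled-bit query catches every disabled account whatever other flags (password never expires, for instance) are also set. The sample users and their values are invented; the flag constants are the documented userAccountControl bits.

```python
"""Bitwise userAccountControl filtering, demonstrated offline.

Added example (not from the original thread): models the LDAP extended
matching rules that adfind's -bit switch abbreviates as :AND: and :OR:,
and runs them over a few constructed user entries.
"""

# Flag bits from userAccountControl (KB 305144); only the ones used here.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# OIDs behind adfind's :AND: / :OR: shortcuts.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def uac_filter(mask, negate=False):
    """Full LDAP filter that '-bit (useraccountcontrol:AND:=mask)' expands to."""
    term = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"
    if negate:
        term = f"(!{term})"
    return f"(&(objectCategory=person)(objectClass=user){term})"


def bit_and_match(value, mask):
    """LDAP bitwise AND rule: true only if every bit of mask is set in value."""
    return value & mask == mask


def bit_or_match(value, mask):
    """LDAP bitwise OR rule: true if any bit of mask is set in value."""
    return value & mask != 0


def flags_set(value):
    """Names of the known flags present in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


# Constructed sample entries (not real directory data).
USERS = [
    {"givenName": "Alice", "sn": "Adams", "userAccountControl": 512},
    {"givenName": "Bob", "sn": "Brown", "userAccountControl": 514},
    {"givenName": "Carol", "sn": "Clark", "userAccountControl": 66048},
    {"givenName": "Dave", "sn": "Davis", "userAccountControl": 66050},
]


def report(users, disabled):
    """(givenName, sn) of users whose disabled bit matches the requested state.

    Only the ACCOUNTDISABLE bit is tested, so 514 and 66050 both count as
    disabled even though they differ in the other flags.
    """
    return [
        (u["givenName"], u["sn"])
        for u in users
        if bit_and_match(u["userAccountControl"], ACCOUNTDISABLE) == disabled
    ]


def to_csv(rows):
    """Join rows the way adfind -csv -nodn would, one user per line."""
    return "\n".join(",".join(r) for r in rows)


if __name__ == "__main__":
    print(uac_filter(ACCOUNTDISABLE))
    print(to_csv(report(USERS, disabled=True)))
    print(flags_set(66050))
```

Running it prints the expanded disabled-accounts filter, the two disabled users, and the flags decoded from 66050 (disabled plus password-never-expires), which is the case Mike asked about: one bit test covers it without enumerating every possible combined value.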
OT: adfind feature request (was RE: [ActiveDir] User extraction)

2006-07-18 Thread Michael B. Smith
Feature request: give me a way, in the attribute list, to specify
arbitrary text for output. E.g., in this case for disabled:

adfind -default -bit -f "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))" -csv -nodn givenname sn text:disabled


RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
Hello all,
 
I am at the point where I now have a smooth running Windows 2003 forest and 
domain with the one exception of the UID attribute which I bypassed thanks to 
the hidden ADPREP switch Steve informed me of.
 
So I am now attempting to go back and defunct this UID attribute so I can 
repair it.  Unfortunately, I am unable to do so at this point.  When attempting 
to defunct the object through Active Directory Schema, I receive an error 
stating it cannot be done because, this schema object may be in use as part of 
the definition of another schema object.  When attempting to set the isDefunct 
attribute within UID to TRUE via ADSIEDIT, I receive a more informative 
error,Schema deletion failed: attribute is used in may-contain.
 
How can I find out which attributes have UID as part of the may-contain 
attribute so I can defunct this attribute?  If you might have any further 
advice for me I would greatly appreciate it.
 
I've been doing my best to study the schema over the past few days thanks to 
Joe's Active Directory book, however I'll readily admit that advanced searching 
and filtering are still beyond my grasp at this point.
 
Thanks,
~Ben




From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure



Ben,
  These errors generally occur when a third party application has extended the 
schema and it conflicts with the base schema we are trying to put in place.  
There were many conflicts found during the initial upgrades to Windows Server 
2003 which is why additional information was put into adprep to help guide you, 
in the past it failed with a generic conflict error not telling you what 
attributes it had issues with.  In your case you appear to have a problem with 
the Attribute Syntax for UID and an OID conflict with roomnumber as well as 
an isSingleValued mismatch with roomnumber.  The OID for RoomNumber that you gave 
below used to be in a sample application that showed how to extend the schema 
and unfortunately many third party developers took the OID value in the sample 
code as literal and used it when defining their objects for schema extensions 
even though they were told to provide a unique OID.  The sample code was pulled 
but there are still many applications out there that used the literal OID value 
in the sample.  Since you are running Windows 2000 you do not have a way to 
defunct these.  Do you know what application is using the information in the 
roomnumber attribute?  I would suggest in a test environment renaming the 
roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option 
"The Schema may be modified on this Domain Controller" using the Schema Manager 
Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin 
account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View menu option select Tree and type the following in the 
field (BaseDN:) cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName.
h. In the Value field type OldroomNumber.
i. Select the replace radio button.
j. Click Enter to add to the Entry List
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber
o. Select the replace radio button.
p. Click Enter to add to the Entry List
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select rename.
s. Enter in the old DN field the current DN of roomNumber.
t. Enter in the new DN field OldroomNumber
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows Server 2003 
Schema to be imported.  You would of course need to update the third party 
application to point to the renamed attribute or import the data in the 
OldRoomNumber attribute to the new RoomNumber attribute and hope that none of 
the values were multivalued and that the application was not referring to it by 
OID.  Next you need to address the syntax of the UID attribute.  We are 
expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable) 
2.5.5.5.  This problem is tougher as there is not a supported way to change the 
syntax of an attribute and renaming it will not work since the OID is the one 
we are expecting, yes there are ways it can be done but it would leave you in 
an unsupportable 

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread Steve Linehan

Unless something else has extended the schema you should be able
to look at the definition in MSDN and find the classes it is used in: http://msdn.microsoft.com/library/default.asp?url="">
in your case you only care about the 2003 classes since that is the version of
the schema that you are running. Remember to put these back once you are
finished and of course as always test your procedure in a test environment to
ensure success in production.

Thanks,

-Steve


RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread Steve Linehan

Also note you could use the schema documentation tool found
here: http://msdn.microsoft.com/library/default.asp?url="">
if you feel that you may have a schema extension referring to this attribute as
well. Simply look at the containedIn field for UID.

Thanks,

-Steve


Re: [ActiveDir] Forestprep Failure

2006-07-18 Thread Matheesha Weerasinghe

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@


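The schema check Matheesha and Steve describe above, as an added example that is not code from the thread, from adfind or from ldp. It builds the LDAP filter to run against the schema container, generalized from the single mayContain test to all four lists (mayContain, mustContain and their system* counterparts, since a class can reference an attribute through any of them), and evaluates the same check offline against a constructed schema fragment. The three classes and their membership lists are invented for illustration; the class names are borrowed but the lists are not the real 2003 schema.

```python
"""Locate the schema classes that still reference an attribute.

Added example, not code from the thread or from adfind/ldp. The sample
schema entries below are constructed for illustration; run the filter
returned by referencing_filter() against cn=Schema,cn=Configuration,
<forest root DN> to get the real list.
"""

# classSchema attributes that can name another attribute's lDAPDisplayName.
# The system* pair is maintained by AD itself and cannot be edited, so a
# reference there cannot be cleared by an administrator.
EDITABLE_LISTS = ("mayContain", "mustContain")
SYSTEM_LISTS = ("systemMayContain", "systemMustContain")
REFERENCE_LISTS = EDITABLE_LISTS + SYSTEM_LISTS


def referencing_filter(attr_name):
    """LDAP filter generalizing the single mayContain test to all four lists."""
    terms = "".join(f"({lst}={attr_name})" for lst in REFERENCE_LISTS)
    return f"(&(objectCategory=classSchema)(|{terms}))"


def classes_referencing(schema, attr_name):
    """Map class lDAPDisplayName -> lists in which attr_name appears.

    lDAPDisplayName comparison is case-insensitive, as it is in AD.
    """
    wanted = attr_name.lower()
    hits = {}
    for cls in schema:
        lists = [
            lst for lst in REFERENCE_LISTS
            if any(v.lower() == wanted for v in cls.get(lst, ()))
        ]
        if lists:
            hits[cls["lDAPDisplayName"]] = lists
    return hits


def defunct_blockers(schema, attr_name):
    """Split references into ones an admin can remove first (mayContain /
    mustContain) and ones in system* lists, which block defuncting outright."""
    editable, system = {}, {}
    for cls, lists in classes_referencing(schema, attr_name).items():
        e = [l for l in lists if l in EDITABLE_LISTS]
        s = [l for l in lists if l in SYSTEM_LISTS]
        if e:
            editable[cls] = e
        if s:
            system[cls] = s
    return editable, system


# Constructed schema fragment (three classes, invented membership lists).
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "top", "systemMayContain": ["cn", "description"]},
    {"lDAPDisplayName": "inetOrgPerson", "mayContain": ["uid", "roomNumber"]},
    {"lDAPDisplayName": "vendorPerson",
     "mayContain": ["uid"], "systemMayContain": ["vendorId"]},
]

if __name__ == "__main__":
    print(referencing_filter("uid"))
    editable, system = defunct_blockers(SAMPLE_SCHEMA, "uid")
    for cls, lists in editable.items():
        print(f"remove uid from {', '.join(lists)} on {cls} before defuncting")
    for cls, lists in system.items():
        print(f"uid is in {', '.join(lists)} on {cls}: cannot be defuncted")
```

The editable hits are the ones to clear (and, as Steve notes, to put back afterwards); anything reported under a system* list cannot be removed through LDAP, so the attribute stays in use and defuncting it will keep failing.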
RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
Ah, excellent.  Thank you for a couple different search queries as an example.  
That really helps me to have a better understanding of developing effective 
search queries for the future.



From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue 7/18/2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure



adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

((objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN [EMAIL PROTECTED] wrote:
 Hello all,

 I am at the point where I now have a smooth running Windows 2003 forest and 
 domain with the one exception of the UID attribute which I bypassed thanks to 
 the hidden ADPREP switch Steve informed me of.

 So I am now attempting to go back and defunct this UID attribute so I can 
 repair it.  Unfortunately, I am unable to do so at this point.  When 
 attempting to defunct the object through Active Directory Schema, I receive 
 an error stating it cannot be done because, this schema object may be in use 
 as part of the definition of another schema object.  When attempting to set 
 the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
 informative error,Schema deletion failed: attribute is used in may-contain.

 How can I find out which attributes have UID as part of the may-contain 
 attribute so I can defunct this attribute?  If you might have any further 
 advice for me I would greatly appreciate it.

 I've been doing my best to study the schema over the past few days thanks to 
 Joe's Active Directory book, however I'll readily admit that advanced 
 searching and filtering are still beyond my grasp at this point.

 Thanks,
 ~Ben


 

 From: [EMAIL PROTECTED] on behalf of Steve Linehan
 Sent: Thu 7/6/2006 10:19 PM
 To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
 Subject: RE: [ActiveDir] Forestprep Failure



 Ben,
   These errors generally occur when a third party application has extended 
 the schema and it conflicts with the base schema we are trying to put in 
 place.  There were many conflicts found during the initial upgrades to 
 Windows Server 2003 which is why additional information was put into adprep 
 to help guide you, in the past it failed with a generic conflict error not 
 telling you what attributes it had issues with.  In your case you appear to 
 have a problem with the Attribute Syntax for UID and an OID conflict with 
 roomnumber as well as isSingleValued mismatch with roomnumber.  The OID for 
 RoomNumber that you gave below used to be in a sample application that showed 
 how to extend the schema and unfortunately many third party developers took 
 the OID value in the sample code as literal and used it when defining their 
 objects for schema extensions even though they were told to provide a unique 
 OID.  The sample code was pulled but there are still many applications out 
 there that used the literal OID value in the sample.  Since you are running 
 Windows 2000 you do not have a way to defunct these.  Do you know what 
 application is using the information in the roomnumber attribute?  I would 
 suggest in a test environment renaming the roomnumber attribute using the 
 following steps:

 a. Open ldp on the Schema FSMO (make sure you have checked the option 
 "The Schema may be modified on this Domain Controller" using the Schema 
 Manager Snap-in).
 b. From the Connection menu option select Bind.
 c. Type in the user name, password and domain name (use a schema 
 admin account) and keep (NTLM/Kerberos) checked. Click OK.
 d. From the View Menu option select Tree and type the following in 
 the field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
 e. On the left pane, double click CN=roomNumber...
 f.  Right click on the roomNumber attribute and select Modify
 g. In the attribute text field add lDAPDisplayName.
 h. In the Value field give this to OldroomNumber.
 i.  Select the replace radio button.
 j.  Click Enter to add to the Entry List
 k.  Click Run to confirm success in left pane.
 l.  Remove the attribute from the entry list.
 m.In the attribute text field add adminDisplayName.
 n. In the Value field type OldRoomNumber
 o. Select the replace radio button.
 p. Click Enter to add to the Entry List
 q. Click Run to confirm success in left pane.
 r.  Right click on CN=roomNumber... And select rename.
 s. Enter in the old DN field as the current DN of roomNumber.
 t.  Enter the in the new DN field OldroomNumber
 u. Confirm Delete Old and Synchronous are selected and click Run.
 v. Exit from ldp.

 This should allow 
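
An added example (mine, not code posted by M@, Steve or anyone else on the thread): M@'s filter above, widened so it also catches references in systemMayContain, mustContain and systemMustContain, run as a PowerShell query with the ActiveDirectory module. Only the attribute name `uid` comes from the thread; the module, the reachable ADWS-enabled domain controller and all variable names are the example's own assumptions.

```powershell
# Added example, not from the thread. Lists every schema class that references
# an attribute in mayContain, systemMayContain, mustContain or systemMustContain;
# a reference in any of those lists is what makes setting isDefunct=TRUE fail.
# Assumes the ActiveDirectory module (RSAT) and a DC reachable through ADWS.
Import-Module ActiveDirectory

$attributeName = 'uid'   # lDAPDisplayName of the attribute you want to defunct
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Sanity check: the attribute exists, and show whether it is already defunct.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectCategory=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties attributeID, attributeSyntax, isSingleValued, isDefunct
if (-not $attr) { throw "No attributeSchema object named '$attributeName' under $schemaNC" }
$attr | Format-List Name, attributeID, attributeSyntax, isSingleValued, isDefunct

# The thread's filter, (&(objectCategory=classSchema)(mayContain=uid)), checks
# mayContain only; the OR term below covers all four containment lists.
$filter = "(&(objectCategory=classSchema)(|(mayContain=$attributeName)" +
          "(systemMayContain=$attributeName)(mustContain=$attributeName)" +
          "(systemMustContain=$attributeName)))"

Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
    -Properties lDAPDisplayName, objectClassCategory, systemOnly, mayContain, systemMayContain, mustContain, systemMustContain |
ForEach-Object {
    # Record which list(s) hold the reference. The system* lists are read-only
    # for administrators, so a hit there cannot be cleared by editing the class.
    $where = @(
        if ($_.mayContain        -contains $attributeName) { 'mayContain' }
        if ($_.systemMayContain  -contains $attributeName) { 'systemMayContain' }
        if ($_.mustContain       -contains $attributeName) { 'mustContain' }
        if ($_.systemMustContain -contains $attributeName) { 'systemMustContain' }
    )
    # objectClassCategory: 0 = 88-class, 1 = structural, 2 = abstract, 3 = auxiliary
    $category = switch ($_.objectClassCategory) {
        1 { 'structural' } 2 { 'abstract' } 3 { 'auxiliary' } default { '88-class' }
    }
    [pscustomobject]@{
        Class        = $_.lDAPDisplayName
        Category     = $category
        SystemOnly   = $_.systemOnly
        ReferencedIn = $where -join ', '
        Blocking     = [bool]($where -match '^system')   # true if only the system can remove it
    }
} | Sort-Object Blocking -Descending | Format-Table -AutoSize
```

Run it on the schema master (or any DC; the schema partition is replicated forest-wide) before trying isDefunct. Rows with ReferencedIn containing only mayContain or mustContain on a non-system-only class can be cleared by removing the attribute from that class's list; a row marked Blocking means a system-maintained list holds the reference and that route is closed, which is the same information the MSDN "containedIn" field Steve points to gives for the stock schema, but taken from the live forest so third-party extensions show up too.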

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread WATSON, BEN
Thank you Steve, those links are extremely helpful.  Especially when trying to 
find where an attribute is used at the various domain levels.
 
Thanks again,
~Ben



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Tue 7/18/2006 8:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure



Also note you could use the schema documentation tool found here: 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/schemadoc.asp
if you feel that you may have a schema extension referring to this attribute 
as well.  Simply look at the containedIn field for UID.

Thanks,

-Steve

 

From: Steve Linehan 
Sent: Tuesday, July 18, 2006 10:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Unless something else has extended the schema you should be able to look at the 
definition in MSDN and find the classes it is used in: 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_uid.asp
In your case you only care about the 2003 classes since that is the version of 
the schema that you are running.  Remember to put these back once you are 
finished and of course as always test your procedure in a test environment to 
ensure success in production.

Thanks,

-Steve

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 18, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Hello all,

 

I am at the point where I now have a smooth running Windows 2003 forest and 
domain with the one exception of the UID attribute which I bypassed thanks to 
the hidden ADPREP switch Steve informed me of.

 

So I am now attempting to go back and defunct this UID attribute so I can 
repair it.  Unfortunately, I am unable to do so at this point.  When attempting 
to defunct the object through Active Directory Schema, I receive an error 
stating it cannot be done because "this schema object may be in use as part of 
the definition of another schema object."  When attempting to set the isDefunct 
attribute within UID to TRUE via ADSIEDIT, I receive a more informative 
error, "Schema deletion failed: attribute is used in may-contain."

 

How can I find out which attributes have UID as part of the may-contain 
attribute so I can defunct this attribute?  If you might have any further 
advice for me I would greatly appreciate it.

 

I've been doing my best to study the schema over the past few days thanks to 
Joe's Active Directory book, however I'll readily admit that advanced searching 
and filtering are still beyond my grasp at this point.

 

Thanks,

~Ben

 



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
  These errors generally occur when a third party application has extended the 
schema and it conflicts with the base schema we are trying to put in place.  
There were many conflicts found during the initial upgrades to Windows Server 
2003 which is why additional information was put into adprep to help guide you, 
in the past it failed with a generic conflict error not telling you what 
attributes it had issues with.  In your case you appear to have a problem with 
the Attribute Syntax for UID and an OID conflict with roomnumber as well as 
isSingleValued mismatch with roomnumber.  The OID for RoomNumber that you gave 
below used to be in a sample application that showed how to extend the schema 
and unfortunately many third party developers took the OID value in the sample 
code as literal and used it when defining their objects for schema extensions 
even though they were told to provide a unique OID.  The sample code was pulled 
but there are still many applications out there that used the literal OID value 
in the sample.  Since you are running Windows 2000 you do not have a way to 
defunct these.  Do you know what application is using the information in the 
roomnumber attribute?  I would suggest in a test environment renaming the 
roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option 
"The Schema may be modified on this Domain Controller" using the Schema Manager 
Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin 
account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the 
field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
e. On the left pane, double click CN=roomNumber...
f.  Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName. 
h. In the Value field give this to OldroomNumber.
i.