Re: [ActiveDir] OT: NTLM troubleshooting info

2006-08-02 Thread Matheesha Weerasinghe
Many thanks for the link mate.

M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:



There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html. I'm not sure if it will meet your needs or not. I think there are some others around as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: NTLM troubleshooting info


Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.

Cheers

M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:



might sspi_workbench (from technet) be useful for this?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info


Guys

Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.

I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)) fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection.


Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.

Cheers

M@




Re: [ActiveDir] Different (open)LDAP Question

2006-08-02 Thread Paul Williams

Check out Ryan's take on it...
-- http://dunnry.com/blog/msDsUserAccountControlComputedNotSoSpiffy.aspx


--Paul

- Original Message - 
From: David Aragon [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 01, 2006 11:49 PM
Subject: [ActiveDir] Different (open)LDAP Question



Without getting into the politics involved that got us here, suffice it to
say that someone with a lot of political clout, no Windows or Active
Directory experience (though considerable MAC/OS X experience), and a PhD at
the end of their name, made a decision to deploy openLDAP and Active
Directory would be fed with information through a connector written
specifically for that purpose.

For the most part this works well.  We have developed a web page that allows
users to change passwords, incorporated various (homegrown) connectors to
provide for single sign-on to most services, network drives, etc., all
platform independent, allowing users to freely move from Windows (~85% total
number of systems) to MAC OS-X systems (~15% total number of systems) using
the same set of credentials. One of the few areas where issues have arisen
is in the changing of a user's status.  I have told them to modify
userAccountControl; the programmers (the connector is written in OCaml, so
there is a separate group that handles this) have decided that
msDs-User-Account-Control-Computed is the correct attribute to use in order
to enable, disable, lock, unlock, etc. a user account.

Can someone from this group tell me the differences between these attributes
and which would be the correct one to use for the stated purposes?

David Aragon

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 




[ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread neil.ruston
According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'.

However, another technet article implies that this is only relevant if the DC is being built using a backup and not over the wire.

Anyone have any views or experiences with this?



Thanks,

neil







Re: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Tomasz Onyszko

[EMAIL PROTECTED] wrote:
According to an article I read recently, a DC may be set as a GC 
automatically using the answer file entry 'ConfirmGC=Yes'.


However, another technet article implies that this is only relevant if 
the DC is being built using a backup and not over the wire.


Anyone have any views or experiences with this?


This was discussed here some time ago if I remember correctly - this 
option is valid only with install from media DC promotion.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Different (open)LDAP Question

2006-08-02 Thread David Aragon
Thank you Tony and Paul.  This is why I think so many people are on this
list.  The information provided is good, useful, and to the point.

David Aragon
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, August 01, 2006 5:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Different (open)LDAP Question
 
 msDs-User-Account-Control-Computed is a constructed 
 attribute.  Constructed attributes cannot be set manually 
 because they are automatically maintained by the system.
 
 Tony
 -- Original Message --
 From: David Aragon [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 1 Aug 2006 15:49:53 -0700
 
 Without getting into the politics involved that got us here, 
 suffice it to say that someone with a lot of political clout, 
 no Windows or Active Directory experience (though 
 considerable MAC/OS X experience), and a PhD at the end of 
 their name, made a decision to deploy openLDAP and Active 
 Directory would be fed with information through a connector 
 written specifically for that purpose.
 
 For the most part this works well.  We have developed a web 
 page that allows users to change passwords, incorporated 
 various (homegrown) connectors to provide for single sign-on 
 to most services, network drives, etc., all platform 
 independent, allowing users to freely move from Windows (~85% 
 total number of systems) to MAC OS-X systems (~15% total 
 number of systems) using the same set of credentials. One of 
 the few areas where issues have arisen is in the changing of 
 a user's status.  I have told them to modify 
 userAccountControl; the programmers (the connector is written in 
 OCaml, so there is a separate group that handles this) have 
 decided that msDs-User-Account-Control-Computed is the 
 correct attribute to use in order to enable, disable, lock, 
 unlock, etc. a user account.
 
 Can someone from this group tell me the differences between 
 these attributes and which would be the correct one to use 
 for the stated purposes?
 
 David Aragon
 
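Tony's point in working code, as an added example that is not part of the thread: userAccountControl is the stored attribute an admin writes, while msDS-User-Account-Control-Computed is built by the DC on each read and rejects modifies. The UF_* values are the documented userAccountControl flag bits; the sample entry and the apply_change model of the DC's read-only rule are constructed for this example, and clearing lockoutTime as the unlock write is standard AD behaviour that the thread itself does not spell out.

```python
"""Constructed example: which attribute to write to change an AD account's state."""

# Documented userAccountControl flag values (the UF_* constants).
UF_ACCOUNTDISABLE = 0x0002      # stored bit: the admin sets or clears it
UF_LOCKOUT = 0x0010             # computed bit: the DC derives it from lockoutTime
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000  # computed bit: the DC derives it from pwdLastSet

STORED_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}
COMPUTED_FLAG_NAMES = {
    UF_LOCKOUT: "LOCKOUT",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# Constructed directory entry, as an LDAP client would see it: the stored
# attribute and the read-only computed one side by side.
SAMPLE_USER = {
    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "msDS-User-Account-Control-Computed": UF_LOCKOUT,
    "lockoutTime": 128_000_000_000_000_000,  # constructed non-zero FILETIME
}


def decode_flags(value, names):
    """Return the flag names set in a bitmask, in ascending bit order."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def account_state(entry):
    """Combine both attributes into the picture an operator actually wants."""
    stored = entry["userAccountControl"]
    computed = entry["msDS-User-Account-Control-Computed"]
    return {
        "disabled": bool(stored & UF_ACCOUNTDISABLE),
        "locked": bool(computed & UF_LOCKOUT),
        "password_expired": bool(computed & UF_PASSWORD_EXPIRED),
    }


def plan_change(entry, action):
    """Map an operator action to the single attribute write that performs it.

    Returns (attribute, new_value). Enable/disable are read-modify-write on
    userAccountControl so unrelated bits survive. Unlock clears lockoutTime,
    the attribute the LOCKOUT bit is computed from. There is no 'lock' write:
    the DC sets LOCKOUT itself after repeated bad passwords; the admin-
    controlled equivalent is 'disable'.
    """
    uac = entry["userAccountControl"]
    if action == "disable":
        return "userAccountControl", uac | UF_ACCOUNTDISABLE
    if action == "enable":
        return "userAccountControl", uac & ~UF_ACCOUNTDISABLE
    if action == "unlock":
        return "lockoutTime", 0
    raise ValueError(f"no writable attribute implements {action!r}")


def apply_change(entry, attribute, value):
    """Toy model of the DC's rule: constructed attributes reject modifies."""
    if attribute == "msDS-User-Account-Control-Computed":
        raise PermissionError("constructed attribute is read-only")
    updated = dict(entry)
    updated[attribute] = value
    if attribute == "lockoutTime" and value == 0:
        # The real DC recomputes LOCKOUT on the next read; mirror that here.
        updated["msDS-User-Account-Control-Computed"] &= ~UF_LOCKOUT
    return updated
```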


RE: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Dean Wells
That's only partially true; you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from a GC
... but a GC can also be born directly out of a non-forest-creating DCpromo
by modifying the %windir%\system32\schema.ini file.

Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the
   [DEFAULTFIRSTMACHINE] section
   a. this section controls the DCpromo's behavior during the creation
      of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
 Sent: Wednesday, August 02, 2006 10:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Automating GC promotion during dcpromo
 
 [EMAIL PROTECTED] wrote:
  According to an article I read recently, a DC may be set as a GC
  automatically using the answer file entry 'ConfirmGC=Yes'.
 
  However, another technet article implies that this is only relevant if
  the DC is being built using a backup and not over the wire.
 
  Anyone have any views or experiences with this?
 
 This was discussed here some time ago if I remember correctly - this
 option is valid only with install from media DC promotion.
 
 --
 Tomasz Onyszko
 http://www.w2k.pl/blog/ - (PL)
 http://blogs.dirteam.com/blogs/tomek/ - (EN)
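Dean's four steps as a script rather than a hand edit, added here and not from the thread: a Python function that copies the Options= entry from [DEFAULTFIRSTMACHINE] into [DEFAULTADDLMACHINE] and checks the result. SAMPLE_SCHEMA_INI is a constructed, heavily abbreviated stand-in for the real file (only the two sections the procedure touches), and NTDSDSA_OPT_IS_GC (0x1) is the documented GC bit of the options attribute, the same bit a post-promotion script would set on the NTDS Settings object.

```python
"""Constructed example: apply the schema.ini GC edit programmatically."""

FIRST = "[DEFAULTFIRSTMACHINE]"
ADDL = "[DEFAULTADDLMACHINE]"
NTDSDSA_OPT_IS_GC = 0x1  # bit 0 of the NTDS Settings object's options attribute

# Constructed stand-in for %windir%\system32\schema.ini. A real file carries
# many more entries; the function below leaves anything it does not need alone.
SAMPLE_SCHEMA_INI = """\
[DEFAULTFIRSTMACHINE]
objectClass=nTDSDSA
Options=1
[DEFAULTADDLMACHINE]
objectClass=nTDSDSA
"""


def _split_sections(text):
    """Return an ordered list of (header, body_lines), keeping every line verbatim."""
    sections = []
    header, body = None, []
    for line in text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            sections.append((header, body))
            header, body = line.strip(), []
        else:
            body.append(line)
    sections.append((header, body))
    return sections


def _option_line(body):
    """Find the Options= line in a section body, or None."""
    for line in body:
        key, _, _ = line.partition("=")
        if key.strip().lower() == "options":
            return line
    return None


def copy_gc_option(text):
    """Copy the Options= entry from [DEFAULTFIRSTMACHINE] into [DEFAULTADDLMACHINE].

    Idempotent: running it twice changes nothing. Raises ValueError if either
    section is missing or the first-machine section has no Options= entry, so
    a changed file layout fails loudly instead of silently promoting a plain DC.
    """
    sections = _split_sections(text)
    # The dict shares the body lists with `sections`, so appending below
    # edits the section in place.
    by_header = {h.upper(): b for h, b in sections if h}
    if FIRST not in by_header or ADDL not in by_header:
        raise ValueError("schema.ini lacks the expected sections")
    src = _option_line(by_header[FIRST])
    if src is None:
        raise ValueError(f"{FIRST} has no Options= entry")
    if _option_line(by_header[ADDL]) is None:
        by_header[ADDL].append(src)
    out = []
    for header, body in sections:
        if header:
            out.append(header)
        out.extend(body)
    return "\n".join(out) + "\n"


def additional_dc_is_gc(text):
    """Verify the edit: does [DEFAULTADDLMACHINE] now carry the GC bit?"""
    body = {h.upper(): b for h, b in _split_sections(text) if h}.get(ADDL, [])
    line = _option_line(body)
    if line is None:
        return False
    return int(line.partition("=")[2].strip()) & NTDSDSA_OPT_IS_GC != 0
```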


RE: [ActiveDir] Test Environments

2006-08-02 Thread Brad Smith








I fully concur with the three environment
approach. I typically run Production, Replica (aka Testing) and Sandpit (aka
Development). One of the key tenets of my test environment is that when a
change is tested, its associated back out plan is also tested and I do
not sign off on any change that hasn't got a back out plan unless the
risk associated with it is accepted by those above. IMHO, this should be mandatory
for any test environment. We have a resource in Exchange that can be booked
the same way as a meeting room to ensure that everyone knows when it is free.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 25 July 2006 21:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Test Environments





Those were my thoughts as
well on the issue and I've had to tell several people not to expect
production-like uptime. I really couldn't think of a better way to
provide a test environment and there's no way I'm going to build
multiple environments like this. Even though it's a test
environment, it often requires more of my time to maintain than the production
environment.



I may tell people to
create their own development environment as Jonathan suggested and allow
testing to be performed when they feel their app has outgrown a development
environment of their own creation.



Thanks guys, it's
good to know I'm on track here.



~Ben











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Test Environments





It sounds like
you have a good test environment. The only problem is that people may be
scheduling their testing a little too tightly. They need to understand
that this is a *TEST* environment. That means it's in a constant state of
relative flux and that at any point in time, it could possibly go down for an
hour or even possibly a day or two. It will largely be available, but
it's not production and they shouldn't be expecting to receive the level of
support and uptime that they receive in the production environment. If
they expect that, they need to find a way to test outside your test
environment. If their schedules are slipping because of the availability
of the test environment, then they're not putting enough extra time into their
plans and need to start consulting you before deciding when to test and how
much time it's going to take. 

It may sound like I'm being harsh on them, but it sounds like they are really
expecting too much from a test environment and that's because there isn't
enough consulting occurring. It really sounds like you need to possibly
make a Testing calendar so that everyone (or maybe even just you) has
a list of applications that are being tested in the environment and when schema
updates and other items which can affect multiple tests that are ongoing occur,
the relevant persons can be notified so if they need to reschedule their
testing or adjust their testing schedule, they can. 



On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote:







I was hoping to get some input from some of you to better understand how
you handle the design of test environments for application testing. For
example, I built a so-called Offnet which is a duplicate of our
production domain. We have a couple domain controllers restored from tape
backup, we have Exchange running, and various other production services using
the same domain name and hostnames providing for a very production-like test
environment. As time progressed, other production servers duplicated
themselves into this test environment and we now have quite a number of people
doing the majority of their testing in this environment. Unfortunately,
as more and more people have begun to use this environment for testing, we have
found that people are beginning to step on each others toes. For
instance, I used this test environment to walk through the domain upgrade to
2003 and when there was some downtime other people were unable to do their own
testing.



So I was curious, how do you handle providing a working test environment
for people that need it? At this point, we are trying to determine a
better way for people to do their testing away from production.



Thanks,

~Ben




















Re: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Tomasz Onyszko

Dean Wells wrote:

That's only partially true, you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from a GC
... but a GC can also be born directly out of a non-forest-creating DCpromo
by modifying the %windir%\system32\schema.ini file.

Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the
[DEFAULTFIRSTMACHINE] section
a. this section controls the DCpromo's behavior during the creation
of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo


Nice, thank You for this tip Dean


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread neil.ruston
Thanks Dean, although I was looking for a way to automate the 'promotion'
to GC for *every* DC, not just the first (which is a GC by default, as
you point out.)

I have a script which can achieve the above but was hoping it could be
achieved via the answer file.

I just hope this is finally exposed in Longhorn ...


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02 August 2006 16:00
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

That's only partially true, you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from
a GC ... but a GC can also be born directly out of a non-forest-creating
DCpromo by modifying the %windir%\system32\schema.ini file.

Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the
   [DEFAULTFIRSTMACHINE] section
   a. this section controls the DCpromo's behavior during the
      creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com



RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core

2006-08-02 Thread dbooth
My inbox continues to be bombarded with messages from your group. Not sure how 
I got included on this list, but what can I do to get off it???! Would be 
nice to get my inbox back...

 joe [EMAIL PROTECTED] wrote: 
 Interesting thoughts there... 
 
 My only tongue in cheek response right off (though this will bubble in my
 head for some time) is that most predators are brighter than many people
 doing admin work and we still need them to be able to find the systems...
 ;o) 
 
 Raise your hand if in the last year you saw a postit with a password on it?
 Keep your hand up if you did anything about it like ripping it up and
 talking to the person? If your hand went down, was it yours by any chance? 
 
 How many people now see a security problem and shake their head and say, wow
 that isn't good but there isn't anything I can do about it and then continue
 on your day. That is the kind of stuff that really needs to stop. 
 
   joe
 
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, August 01, 2006 3:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and
 Server Core
 
 On a totally serious note to Joe's tongue in cheek posting Go to a 
 zoo(1).. and you'll hear stories of how each animal has natural 
 'protection' from their predators.
 
 Each animal has evolved to ensure they have some level of camouflage in 
 the way of color/features etc so that when their predator targets them 
 they attempt to blend into the background.  Some plants and animals 
 depend on other plants and animals to survive.  There's a unique falcon 
 that will only nest in leftover Weaver bird nests.. they don't build 
 their own..but by moving into a Weaver bird area, they act as bouncers 
 at the door and keep out the predators that prey on the Weaver birds.
 
 Given that here's what nature does to protect itself what (if 
 anything) has the computing industry done to camouflage to reduce risk?
 
 (call me wacko) but it seems to me that we do a lot of footballish 
 type of security models.. offensive moves and defensive moves.  (Isn't 
 RODC a defensive move?)  Do we and can we add lessons from nature into 
 future networks?
 
 (1)  Lessons learned from camping in a zoo...yes.. this high maintenance 
 female stayed in a tent in a zoo... if you are going to be without power 
 and electricity camping in a zoo at the San Diego Zoo's Wild Animal 
 Park's Roar and Snore is the way to do it.
 
 Matt Hargraves wrote:
  Joe's blog doesn't seem to say anything about what DSI actually *is*.  
  I'm not seeing it as a security model beyond my impression of it being 
  Don't tell anyone what your security infrastructure looks like or 
  something like that.
 
  On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
 
  Isn't DSI being discussed in great detail at Blackhat starting
  tomorrow.. or am I mistaken and just thinking about the blog post
  again?
  http://blog.joeware.net/2006/07/11/445/
  http://blog.joeware.net/2006/07/11/445/
 
 
  Brett Shirley wrote:
   I've always followed a DSI[1] access model, it definitely
  supersedes in
   every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can
  provide
   ...
  
   [1] DSI = Defending Security Infrastructures
  
   -B
  
  
 
 
 


RE: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Dean Wells
I'm not following, if you're creating an answer file to feed DCpromo when
building new DCs ... why can you not also supply a modified schema.ini that
contains the changes per my earlier post?

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Wednesday, August 02, 2006 11:50 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
 
 Thanks Dean, although I was looking for a way to automate the 'promotion'
 to GC for *every* DC, not just the first (which is a GC by default, as
 you point out.)
 
 I have a script which can achieve the above but was hoping it could be
 achieved via the answer file.
 
 I just hope this is finally exposed in Longhorn ...
 
 
 neil
 
 


Re: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Paul Williams
Yeah, I'm in the same boat now.  Got a requirement for fully autonomous DC 
deployment with a largish DIT.  Single domain forest so everything is GC.  I 
was frustrated to find out that one of the scripting guys told me that that 
option didn't work.  I plan on working round this by promoting the DC (using 
a systems management tool, i.e. a package that runs DCPROMO with an answer 
file), rebooting and then running another script that connects to the local DC 
and flips the options attribute on the NTDS object in question.  We'll then 
wait for RootDSE's isGlobalCatalogReady to return true before moving on...


It's still not clear to me why that switch doesn't work.  There's no 
dependency on IFM (although if you are doing an IFM from a GC it's nice to 
use the restored PAS) or anything other than DNS and communications 
really...



--Paul

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 4:49 PM
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo



Thanks Dean, although I was looking for a way to automate the 'promotion'
to GC for *every* DC, not just the first (which is a GC by default, as
you point out.)

I have a script which can achieve the above but was hoping it could be
achieved via the answer file.

I just hope this is finally exposed in Longhorn ...


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02 August 2006 16:00
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

That's only partially true, you're correct in that the option is made
available in the UI during an IFM promotion if the backup used was from
a GC ... but a GC can also be born directly out of a non-forest-creating
DCpromo by modifying the %windir%\system32\schema.ini file.

Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the
   [DEFAULTFIRSTMACHINE] section
   a. this section controls the DCpromo's behavior during the
      creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Automating GC promotion during dcpromo

[EMAIL PROTECTED] wrote:
 According to an article I read recently, a DC may be set as a GC
 automatically using the answer file entry 'ConfirmGC=Yes'.

 However, another technet article implies that this is only relevant
 if the DC is being built using a backup and not over the wire.

 Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this
option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

RE: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread neil.ruston
Sorry, Dean. Word wrap foiled me and I didn't read your response
correctly :( 

This is a great find and tip which would have saved me loads of time in
previous roles :)

Nice one!


neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 02 August 2006 17:04
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

I'm not following, if you're creating an answer file to feed DCpromo
when building new DCs ... why can you not also supply a modified
schema.ini that contains the changes per my earlier post?

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Wednesday, August 02, 2006 11:50 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
 
 Thanks Dean, altho I was looking for a way to automate the 'promotion'
 to GC for *every* DC, not just the first (which is a GC by default, as
 you point out.)
 
 I have a script which can achieve the above but was hoping it could be
 achieved via the answer file.
 
 I just hope this is finally exposed in Longhorn ...
 
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2006 16:00
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
 
 That's only partially true, you're correct in that the option is made 
 available in the UI during an IFM promotion if the backup used was 
 from a GC ... but a GC can also be born directly out of a non-forest- 
 creating DCpromo by modifying the %windir%\system32\schema.ini file.
 
 Assuming you're comfortable editing the file -
 
 1. Prior to promotion, edit the schema.ini mentioned above
    a. search on [DEFAULTADDLMACHINE]
 2. Notice the Options=1 entry 5 or 6 lines above in the
    [DEFAULTFIRSTMACHINE] section
    a. this section controls the DCpromo's behavior during the
       creation of a new forest
 3. Copy that entry into the [DEFAULTADDLMACHINE] section
 4. Run DCpromo
 
 Regards.
 
 Dean
 
 --
 Dean Wells
 MSEtechnology
 t Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir- 
  [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
  Sent: Wednesday, August 02, 2006 10:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Automating GC promotion during dcpromo
 
  [EMAIL PROTECTED] wrote:
   According to an article I read recently, a DC may be set as a GC 
   automatically using the answer file entry 'ConfirmGC=Yes'.
  
   However, another technet article implies that this is only relevant
   if the DC is being built using a backup and not over the wire.
  
   Anyone have any views or experiences with this?
 
  This was discussed here some time ago if I remember correctly - this
  option is valid only with install from media DC promotion.
 
  --
  Tomasz Onyszko
  http://www.w2k.pl/blog/ - (PL)
  http://blogs.dirteam.com/blogs/tomek/ - (EN)

RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core

2006-08-02 Thread Laura A. Robinson
At the bottom of every single message sent to this list, you'll see the
following link:

List FAQ: http://www.activedir.org/List.aspx

...which brings you to this:

The list provides a discussion forum for those wishing to discuss aspects of
Microsoft's Active Directory. It is intended for anyone with an interest in
AD, except those whose sole interest is to sell something!

Feel free to email any questions, tips and tricks, useful links or anything
else you feel may be relevant. The idea here is for us to share our
knowledge and experiences so that we can learn from each other.

To subscribe send an email to [EMAIL PROTECTED] and type,

SUBSCRIBE ActiveDir your name here

(without using the quotation marks) in the message body

To unsubscribe send an email to [EMAIL PROTECTED] and type,

UNSUBSCRIBE ActiveDir your name here

(without using the quotation marks) in the message body

To subscribe to digest mode, send a message to [EMAIL PROTECTED] with
no subject, and the phrase,

SET MODE DIGEST ActiveDir

in the body of the message. The List Server understands multiple commands in
an email message, so this could be the second line in your subscribe
message.

To switch from digest mode to standard mode, send a message to
[EMAIL PROTECTED] with no subject, and the phrase,

SET MODE STANDARD ActiveDir

Digest postings are sent once per day.

If you have any problems subscribing or unsubscribing send an email to
[EMAIL PROTECTED] with the details.

When subscribed use the address ActiveDir@mail.activedir.org to post
messages to the list.




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Wednesday, August 02, 2006 12:04 PM
 To: ActiveDir@mail.activedir.org
 Cc: joe
 Subject: RE: [ActiveDir] 80/20 . Was: Read-Only Domain 
 Controller and Server Core
 
 My inbox continues to be bombarded with messages from your 
 group. Not sure how I got included on this list, but what can 
 I do to get off it???! Would be nice to get my inbox back...
 
  joe [EMAIL PROTECTED] wrote:
  Interesting thoughts there...

  My only tongue in cheek response right off (though this will bubble in
  my head for some time) is that most predators are brighter than many
  people doing admin work and we still need them to be able to find the
  systems...
  ;o)

  Raise your hand if in the last year you saw a postit with a password on
  it? Keep your hand up if you did anything about it like ripping it up
  and talking to the person? If your hand went down, was it yours by any
  chance?

  How many people now see a security problem and shake their head and
  say, wow that isn't good but there isn't anything I can do about it and
  then continue on your day. That is the kind of stuff that really needs
  to stop.

  joe
  
  
  
  --
  O'Reilly Active Directory Third Edition - 
  http://www.joeware.net/win/ad3e.htm
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
  Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Tuesday, August 01, 2006 3:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain 
 Controller 
  and Server Core
  
  On a totally serious note to Joe's tongue in cheek posting Go to a
  zoo(1).. and you'll hear stories of how each animal has natural
  'protection' from their predators.

  Each animal has evolved to ensure they have some level of camouflage
  in the way of color/features etc so that when their predator targets
  them they attempt to blend into the background.  Some plants and
  animals depend on other plants and animals to survive.  There's a
  unique falcon that will only nest in leftover Weaver bird nests..
  they don't build their own..but by moving into a Weaver bird area,
  they act as bouncers at the door and keep out the predators that prey
  on the Weaver birds.

  Given that here's what nature does to protect itself what (if
  anything) has the computing industry done to camouflage to reduce risk?

  (call me wacko) but it seems to me that we do a lot of footballish
  type of security models.. offensive moves and defensive moves.  (Isn't
  RODC a defensive move?)  Do we and can we add lessons from nature into
  future networks?

  (1)  Lessons learned from camping in a zoo...yes.. this high
  maintenance female stayed in a tent in a zoo... if you are going to be
  without power and electricity camping in a zoo at the

Re: [ActiveDir] Test Environments

2006-08-02 Thread Al Mulnick
Brad brings up some of the more important change control concepts. 

Remember that a dev environment *is* production for a developer. It should be controlled to some degree. 

I've often advocated many more test environments. Everything from sandbox (try whatever you want, but no control) to pristine production-mirror (hands-off - it's identical 'cause it was recently restored to make it so). Scalability labs have some steep hardware requirement costs (do you really want to know how well that app will perform on x hardware in our environment?) and are highly similar to production/pristine. There are several environments in between because of the exact issue you discuss. For example, you might have to duplicate a production-like environment to facilitate development of workstation images and deployment scenarios, but that type of work might impact somebody doing web design. What to do to meet both? Create both. With virtualization you can make this happen more cost effectively. You can't virtualize the more pristine (all of it anyway) because you may be testing the upgrade on the DC's or the other app servers. That should be very similar and highly isolated.


My $0.04 anyway. I advocate a high level of testing where possible and where impact is otherwise not tolerable. 
On 8/2/06, Brad Smith [EMAIL PROTECTED] wrote:




I fully concur with the three environment approach. I typically run Production, Replica (aka Testing) and Sandpit (aka Development). One of the key tenets of my test environment is that when a change is tested, its associated back out plan is also tested and I do not sign off on any change that hasn't got a back out plan unless the risk associated with it is accepted by those above. IMHO, this should be mandatory for any test environment. We have a resource in Exchange that can be booked the same way as a meeting room to ensure that everyone knows when it is free.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: 25 July 2006 21:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Test Environments



Those were my thoughts as well on the issue and I've had to tell several people not to expect production-like uptime. I really couldn't think of a better way to provide a test environment and there's no way I'm going to build multiple environments like this. Even though it's a test environment, it often requires more of my time to maintain than the production environment.


I may tell people to create their own development environment as Jonathan suggested and allow testing to be performed when they feel their app has outgrown a development environment of their own creation.


Thanks guys, it's good to know I'm on track here.

~Ben





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Test Environments

It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two. It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment. If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take. 
It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring. It really sounds like you need to possibly make a Testing calendar so that everyone (or maybe even just you) have a list of applications that are being tested in the environment and when schema updates and other items which can affect multiple tests that are ongoing occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can. 


On 7/25/06, WATSON, BEN 
[EMAIL PROTECTED] wrote:



I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing. For example, I built a so-called Offnet which is a duplicate of our production domain. We have a couple domain controllers restored from tape backup, we have Exchange running, and various other production services using the same domain name and hostnames providing for a very production-like test environment. As time progressed, other production servers duplicated themselves into this test environment and we now have quite a number 

Re: [ActiveDir] Automating GC promotion during dcpromo

2006-08-02 Thread Tomasz Onyszko

[EMAIL PROTECTED] wrote:

Thanks Dean, altho I was looking for a way to automate the 'promotion'
to GC for *every* DC, not just the first (which is a GC by default, as
you point out.)


If I understand Dean's tip correctly (Dean correct me if I'm wrong) he 
suggests taking some entries from the [DEFAULTFIRSTMACHINE] section of 
schema.ini and putting them into [DEFAULTADDLMACHINE], which will cause 
the machine, when it is promoted as a DC in an existing forest, to behave 
in this respect like the first DC in the forest. So it will be promoted 
as a GC. Not exactly the same as the option available with IFM, but if it 
works - why not use it.


 I just hope this is finally exposed in Longhorn ...

In fact it is :)
http://blogs.dirteam.com/blogs/carlos/archive/2006/06/27/1204.aspx

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
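Dean's schema.ini steps (copy the Options=1 entry from [DEFAULTFIRSTMACHINE] into [DEFAULTADDLMACHINE]) and Tomasz's reading of them above, as an added worked example that is not code from the thread: a Python routine that applies exactly that edit to schema.ini-style text, idempotently, plus a pre-promotion check of the result. The file contents are constructed (only the section names and the Options entry come from the thread; the real %windir%\system32\schema.ini is far larger), and the check assumes bit 0 of the NTDS Settings options value is the GC flag.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed stand-in for the two schema.ini sections the thread discusses.
# Only the section names and the Options=1 entry are taken from the thread;
# every other key here is a placeholder.
SAMPLE_SCHEMA_INI = """\
[DEFAULTFIRSTMACHINE]
objectClass=nTDSDSA
Options=1
placeholderKey=placeholderValue

[DEFAULTADDLMACHINE]
objectClass=nTDSDSA
placeholderKey=placeholderValue

[PLACEHOLDERSECTION]
placeholderKey=placeholderValue
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_ENTRY_RE = re.compile(r"^\s*(?P<key>[^=;\s]+)\s*=\s*(?P<value>.*?)\s*$")


def section_entries(text: str, section: str) -> Optional[Dict[str, str]]:
    """key=value entries of one section (keys lower-cased, section names
    matched case-insensitively), or None when the section is absent."""
    entries: Optional[Dict[str, str]] = None
    inside = False
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            inside = m.group("name").lower() == section.lower()
            if inside and entries is None:
                entries = {}
            continue
        e = _ENTRY_RE.match(line)
        if inside and e:
            entries[e.group("key").lower()] = e.group("value")
    return entries


def copy_options_to_addl(text: str,
                         src: str = "DEFAULTFIRSTMACHINE",
                         dst: str = "DEFAULTADDLMACHINE") -> str:
    """Dean's step 3: carry the Options= line of [src] into [dst].

    An existing Options= line in [dst] is replaced in place, otherwise the
    line is inserted directly under the [dst] header. Every other line is
    kept as it was, and applying the edit twice changes nothing, so the
    routine is safe to run on every automated build.
    """
    src_entries = section_entries(text, src)
    dst_entries = section_entries(text, dst)
    if src_entries is None or "options" not in src_entries:
        raise ValueError(f"[{src}] has no Options= entry")
    if dst_entries is None:
        raise ValueError(f"[{dst}] section not found")
    new_line = f"Options={src_entries['options']}"
    replace_in_place = "options" in dst_entries

    out: List[str] = []
    inside_dst = False
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            inside_dst = m.group("name").lower() == dst.lower()
            out.append(line)
            if inside_dst and not replace_in_place:
                out.append(new_line)
            continue
        e = _ENTRY_RE.match(line)
        if inside_dst and replace_in_place and e and e.group("key").lower() == "options":
            out.append(new_line)
            continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def addl_machine_is_gc(text: str) -> bool:
    """Pre-promotion check: will an additional DC built from this file come
    up as a GC? Assumes bit 0 of the NTDS Settings options value is the
    GC flag, which is what the Options=1 entry sets."""
    entries = section_entries(text, "DEFAULTADDLMACHINE") or {}
    try:
        return int(entries.get("options", "0")) & 0x1 == 0x1
    except ValueError:
        return False


if __name__ == "__main__":
    # With a path argument the file is read (and printed edited, not
    # written back); without one the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SCHEMA_INI
    print(copy_options_to_addl(text))
```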


[ActiveDir] UAC Question

2006-08-02 Thread David Aragon
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC).  I have tried to set different flags using
LDP, ADSIEdit, and vbScript.  One flag in particular is giving me a lot of
grief, LOCKOUT.  I can clear the bit, but can not set it.  This is useful to
set for a number of reasons (for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail).  

Is this normal?  Can it be set and if so, how?  Is it dependent on other
settings (ex. lockoutTime) to be set to remain set?

David Aragon



Re: [ActiveDir] UAC Question

2006-08-02 Thread Tomasz Onyszko

David Aragon wrote:

http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC).  I have tried to set different flags using
LDP, ADSIEdit, and vbScript.  One flag in particular is giving me a lot of
grief, LOCKOUT.  I can clear the bit, but can not set it.  This is useful to
set for a number of reasons (for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail).  


Is this normal?  Can it be set and if so, how?  Is it dependent on other
settings (ex. lockoutTime) to be set to remain set?

Yes, this is normal as lockout status is handled based on the lockoutTime 
attribute in AD. If you want to check it in a Windows 2003 domain you have 
to use the msDS-User-Account-Control-Computed attribute.


AFAIK you would not be able to lock out an account via code. I don't know if 
it would work for you, but if you need to prevent a particular user from 
logging on and keep his account alive, you may specify some workstation he 
would never be able to get to as the only workstation he is allowed to log 
on to?


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
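Tomasz's answer above (lockout is derived from lockoutTime, and the live state is read from msDS-User-Account-Control-Computed), as an added model that is not code from the thread: the flag values are those KB 305144 lists, the 30-minute lockoutDuration is a constructed policy, and the rule that LOCKOUT is recomputed from lockoutTime against the domain lockoutDuration (with the "never expires" value meaning locked until an administrator clears it) is how the DC behaves, reproduced here in Python so the question's observation, clearing works but setting does not, can be seen.

```python
from datetime import datetime, timedelta, timezone
from typing import List

# userAccountControl flag values from KB 305144, the article the question cites.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000
_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_LOCKOUT: "LOCKOUT",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# The domain lockoutDuration as AD stores it: a negative count of 100-ns
# intervals. The 30-minute value is a constructed policy; the second value
# is AD's encoding of "locked until an administrator unlocks it".
LOCKOUT_DURATION_30_MIN = -30 * 60 * 10_000_000
LOCKOUT_DURATION_NEVER_EXPIRES = -(2 ** 63)

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100-ns ticks since 1601-01-01), which is
    how lockoutTime is stored. Integer division keeps it exact."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """The DC's rule: lockout is not a stored bit but lockoutTime compared
    with the domain lockoutDuration. lockoutTime stays non-zero after the
    window closes, so the comparison, not the attribute, decides."""
    if lockout_time == 0:                 # never locked, or cleared by an admin
        return False
    if lockout_duration == LOCKOUT_DURATION_NEVER_EXPIRES:
        return True
    # lockout_duration is negative, so subtracting it adds the window.
    return to_filetime(now) < lockout_time - lockout_duration


def computed_uac(stored_uac: int, lockout_time: int,
                 lockout_duration: int, now: datetime) -> int:
    """Model of msDS-User-Account-Control-Computed: the stored bits with
    LOCKOUT overlaid from lockoutTime. In this model any LOCKOUT value
    written into userAccountControl itself is dropped, which is why the
    bit appears clearable but never settable through LDP or ADSIEdit."""
    value = stored_uac & ~UF_LOCKOUT
    if is_locked_out(lockout_time, lockout_duration, now):
        value |= UF_LOCKOUT
    return value


def flag_names(value: int) -> List[str]:
    """Decode a (computed) userAccountControl value into KB 305144 names."""
    return [name for bit, name in sorted(_FLAG_NAMES.items()) if value & bit]


if __name__ == "__main__":
    now = datetime(2006, 8, 2, 12, 0, tzinfo=timezone.utc)   # constructed clock
    locked_at = to_filetime(now - timedelta(minutes=10))
    print(flag_names(computed_uac(UF_NORMAL_ACCOUNT, locked_at, LOCKOUT_DURATION_30_MIN, now)))
    print(flag_names(computed_uac(UF_NORMAL_ACCOUNT | UF_LOCKOUT, 0, LOCKOUT_DURATION_30_MIN, now)))
```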


RE: [ActiveDir] Need some user/group tools...

2006-08-02 Thread Michael B. Smith



I threw this together for ya to help out: 
:-)

strUser = "groupname"
strComputer = "domain"
' WinNT provider path of the group; this provider works against NT4 and AD domains alike
strPath = "WinNT://" & strComputer & "/" & strUser & ",group"
wscript.echo "Path: " & strPath
wscript.echo
Set objUser = GetObject(strPath)
Set objClass = GetObject(objUser.Schema)
' a property that has never been set raises an error on Get; skip it and carry on
On Error Resume Next
WScript.Echo "Mandatory properties for " & objUser.Name & ":"
For Each property In objClass.MandatoryProperties
    wscript.stdout.write property & vbTab
    WScript.stdout.write objUser.Get(property)
    wscript.echo
Next
WScript.Echo "Optional properties for " & objUser.Name & ":"
For Each property In objClass.OptionalProperties
    wscript.stdout.write property & vbTab
    WScript.stdout.write Typename(objUser.Get(property)) & vbTab
    WScript.stdout.write objUser.Get(property)
    wscript.echo
Next

' direct members of the group: class (User or Group) followed by name
set arr = objUser.Members
for each str in arr
    wscript.echo str.Class & " " & str.name
next


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 11:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need some user/group tools...

That's not even fair, I own that book already. I was hoping to avoid doing
the scripting part... but that being said, how much of that will work in NT
domains to get groups and their members/memberships?
On 8/1/06, Michael B. 
Smith [EMAIL PROTECTED] 
wrote:

  
  
  You can certainly get all the piece parts from here:

  http://rallenhome.com/books/adcookbook/code.html

  And you can use joe's wonderful adfind (or dsquery if you were to insist)
  to do much of the gruntwork. I show you some examples here:

  http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Tuesday, August 01, 2006 7:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Need some user/group tools...

  This might be something that I can do with a combination of scripts,
  though I'm not sure where I'd get them from.

  1) I need to be able to export a list of users (the userID is fine) with
     their group memberships. (AD objects)
  2) I need to be able to export a list of groups with their list of
     members and memberships. (AD objects)
  3) I need to be able to export a list of groups with their list of
     members and memberships. (NT objects)

  Once I get all of that information, I need to 'connect the dots' between
  domains to determine overall group membership (across domains), including
  nesting. If the tool doesn't exist to do this last part I'm sure I can
  find someone to do the gruntwork of putting together a vbscript to do the
  grunt work of it in Access or something like that.

  Preferably all of this would go into CSV files so that it can go into
  Access or maybe pull it all into SQL.

  Thanks for any help that can be provided.
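The last part of Matt's request, connecting the exported lists across domains into effective membership with nesting included, is a graph walk over the CSV rather than another directory query. This is an added example, not code from the thread or from the cookbook it links: it reads a constructed CSV of group-to-member rows (principals written as DOMAIN\name, groups and users mixed, one deliberately circular nesting) and resolves membership in both directions without looping.

```python
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed export in the shape the thread asks for: one row per
# group-member edge, from two domains (an AD domain CORP and an NT
# domain NTDOM). Finance-Users -> Accounting -> Finance-Admins ->
# Finance-Users is a deliberate nesting cycle.
GROUP_EXPORT_CSV = """\
group,member
CORP\\Finance-Users,CORP\\alice
CORP\\Finance-Users,NTDOM\\Accounting
NTDOM\\Accounting,NTDOM\\bob
NTDOM\\Accounting,CORP\\Finance-Admins
CORP\\Finance-Admins,CORP\\carol
CORP\\Finance-Admins,CORP\\Finance-Users
CORP\\Domain Admins,CORP\\carol
"""


def load_members(csv_text: str) -> Dict[str, Set[str]]:
    """group -> its direct members, exactly as exported (no nesting yet)."""
    direct: Dict[str, Set[str]] = defaultdict(set)
    for row in csv.DictReader(StringIO(csv_text)):
        direct[row["group"].strip()].add(row["member"].strip())
    return dict(direct)


def effective_members(direct: Dict[str, Set[str]], group: str) -> Set[str]:
    """Every principal reachable from the group through nesting, across
    domains, groups and users alike. The seen set stops mutual nesting
    from looping; a group nested back into itself is not its own member."""
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        for m in direct.get(g, ()):
            if m not in seen:
                seen.add(m)
                if m in direct:            # it is a group: descend into it
                    stack.append(m)
    seen.discard(group)
    return seen


def effective_groups(direct: Dict[str, Set[str]], principal: str) -> Set[str]:
    """Reverse view: every group the principal ends up in, directly or by
    nesting. Built from the same export by inverting the edges."""
    parents: Dict[str, Set[str]] = defaultdict(set)
    for g, members in direct.items():
        for m in members:
            parents[m].add(g)
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        p = stack.pop()
        for g in parents.get(p, ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    seen.discard(principal)
    return seen


def user_report(direct: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Matt's item 1, resolved: (user, sorted effective groups) for every
    principal in the export that is not itself a group."""
    users = {m for members in direct.values() for m in members if m not in direct}
    return [(u, sorted(effective_groups(direct, u))) for u in sorted(users)]


if __name__ == "__main__":
    direct = load_members(GROUP_EXPORT_CSV)
    for user, groups in user_report(direct):
        print(user, "->", ", ".join(groups))
```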
  


RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

2006-08-02 Thread Grillenmeier, Guido
Ok, thanks for getting back to us RM.

So my guestimate with 100k users was just slightly off ;-)  But now I
wonder what in the world you store in your AD to have the DIT grown to
650MB with your user and computer population.

Is this 2000 or 2003?  Have you disabled Distributed Link Tracking?

/Guido

-Original Message-
From: RM [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 02, 2006 6:32 AM
To: Grillenmeier, Guido
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does
NTDS.DIT become?

On Tue, 1 Aug 2006 18:29:24 +0100, Grillenmeier, Guido
[EMAIL PROTECTED] said:

Richard doesn't seem to be too keen on giving us further details - too
bad.

Sorry, been busy... 400 unread msgs from this list, got some catching up
to do.

 What does the current environment look like?
 How extensive is your Exchange deployment going to be?

4800 user accounts, 3500 computer accounts.  Maybe 3000-ish Exchange
users?

I'm leaning towards doing 64-bit everywhere we possibly can.  It does
seem like the more forward looking option.

RM


[ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Bart Van den Wyngaert

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart


RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-08-02 Thread Alex Alborzfard








No, I think the bigger problem with having lots of
over-privileged admins is the same problem we have with organizations that make
all of their users admins on their local machines--that of over-privileged
users being targets for malware that take advantage of their privileges to do
nasty things. 

 And, while you're at it, how about
removing administrator rights from all of your end users



I don't agree with your point
regarding local admin rights. Yes I agree; having local admin rights is
definitely a bad thing as far as security is concerned, but I can speak from
experience that many times as much as I dreaded doing it, I had to give it to users.
The reason was users were simply not able to do their work. Runas, etc. did not
work or worked half of the time, and no matter how much time I spent, the quickest
and most simple solution was to just give them admin rights. 

I tend to think most of the problem lies
with MSFT & Windows application developers for designing an OS and writing
code, which require all or nothing admin privileges.

Ironically most of those users were
application developers themselves!







Alex











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 01, 2006
4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke
domain administrator's right to create GPO?





Thanks Joe. Interestingly, I agree with
what you're saying here, but not for exactly the same reason. I happen to
think that the badness of having lots of over-privileged admins is
not the accidental stupidity (hmmm...is that an oxymoron?), although we know
that happens. This actually gets to the heart of what I think is wrong with how
some Windows shops are managed. When I worked in larger environments that had
mainframes, there was rigorous change control over absolutely every little
thing that was done. So, no matter how privileged an administrator was, nothing
that they did went unseen, untested and didn't come with a rock-solid back out
plan. Enter the distributed world of Windows and all bets are off. Having lots
of domain admins is not a problem, in and of itself, if you follow good change
management practices, because presumably none of those DAs would dare make a
change for fear of having their heads chopped off. But that is a cultural thing
that does not exist in most Windows shops. No, I think the bigger problem with
having lots of over-privileged admins is the same problem we have with
organizations that make all of their users admins on their local machines--that
of over-privileged users being targets for malware that take advantage of their
privileges to do nasty things. I'd be much less worried from a DA that
accidentally deletes an OU than I would be from a DA who accidentally clicks on
that website that downloads malicious code that is smart enough to take
advantage of that user's DA status to get at or modify corporate directory
data that compromises security, privacy or other critical business stuff. I
have yet to see such a targeted attack but I am guessing it's only a matter of
time. 

So, yes, absolutely get rid of all those
extra DAs, but not just because they do stupid admin tricks, but also because
they open up your AD to all kinds of nasty attacks. And, while you're at it, how
about removing administrator rights from all of your end users













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 7:34
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke
domain administrator's right to create GPO?

Yeah I know where you are coming from
Darren but absolutely can't say it is ok because I do not believe it is ok at
all. I think saying it is ok or that it is understandable will relax people
about it and people absolutely should not be relaxed about it or feel that they
can't do anything about it and that it isn't their responsibility to try and
get corrected. It is a very bad thing and they need to always have that spectre
over them where they know it. That helps, I think, in making it so it isn't a
surprise when something inevitably screws up and no one can sit there saying,
wow, I had no idea it was that bad of a thing. People need to be working
towards locking down their environment every moment and looking for bad things
and removing them every second. It is a long slow climb uphill but if the work
isn't done, it will never happen until maybe, hopefully not, something
absolutely blows and everyone has to jump and try to figure out how to do it in
one fell swoop.



I saw the same logic of the people
really don't know what they can do... used for running an Enterprise Data
Center back in 1999 and this was with hundreds of NT servers and many domains
and application owners were just given admin rights over all of these boxes and
it was status quo; none of the people had a clue what kind of rights they had
and figured anything bad they were actually 

Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

RedEarth Software policypatrol.com

Wizard and GUI

The SBS way

There are instructions at www.smallbizserver.net (I think they are still 
in the free docs) ...but I'm blonde and GUI and policy patrol works.


If you are cheap GFI's mail scanner ...install the trial version and 
when it expires the disclaimer stays (or last I heard)


Bart Van den Wyngaert wrote:

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] Revoke domain administrator's right to create GPO?

2006-08-02 Thread Darren Mar-Elia



Alex-
I think you've proved my point by saying, "having 
local admin rights is definitely a bad thing as far as security is concerned". 
:-). But of course you are pointing out the underlying dilemma that 
administrators have faced while trying to create a least-privileged user 
environment. Frankly, I agree with you. It is easier to grant local admin. 
rights in some cases rather than trying to work around it. I have had to do that 
myself in a past life. But I also managed to create and support an environment 
for around 20,000 users (in NT 3.5 and 4.0 no less) that did not require 
most users to have local admin rights. But it was not easy and it was not a 
secure solution--it basically involved relaxing file system and registry 
permissions as needed to allow specific apps to run. Yes the problem is 
absolutely with how the OS and most applications are written--generally badly. 
And yes, the problem becomes a lot less painful to manage with Vista and UAC. 
But in the meantime, as the Internet has exposed the soft underbelly of an 
all-admin environment, people continue to get worms and other malware that has a 
serious effect on their business and its security. Frankly, I think that with 
some of the recent advances in ISV solutions around this--with products that let 
you selectively elevate privileges by application, that this problem can be 
managed. But then of course, you do have to spend money on it! 


Vista will provide an in-the-box solution that I suspect 
many will find irritating, but effective. 

Darren



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 02, 2006 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?


No, I think the bigger problem 
with having lots of over-privileged admins is the same problem we have with 
organizations that make all of their users admins on their local 
machines--that of over-privileged users being targets for malware that take 
advantage of their privileges to do nasty things. 
 And, while you're at it, how about removing administrator rights from all of your end users

I don't agree with your 
point regarding local admin rights. Yes I agree; having local admin rights is 
definitely a bad thing as far as security is concerned, but I can speak from 
experience that many times as much as I dreaded doing it, I had to give it to 
users. The reason was users were simply not able to do their work. Runas, etc. 
did not work or worked half of the time, and no matter how much time I spent, 
the quickest and most simple solution was to just give them admin rights. 

I tend to think most of 
the problem lies with MSFT & Windows application developers for designing an 
OS and writing code, which require all or nothing admin 
privileges.
Ironically most of 
those users were application developers themselves!



Alex




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 01, 2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?

Thanks Joe. 
Interestingly, I agree with what you're saying here, but not for 
exactly the same reason. I happen to think that the "badness" of having 
lots of over-privileged admins is not the accidental stupidity (hmmm...is that 
an oxymoron?), although we know that happens. This actually gets to the heart of 
what I think is wrong with how some Windows shops are managed. When I worked in 
larger environments that had mainframes, there was rigorous change control over 
absolutely every little thing that was done. So, no matter how privileged an 
administrator was, nothing that they did went unseen, untested and didn't come 
with a rock-solid back out plan. Enter the distributed world of Windows and all 
bets are off. Having lots of domain admins is not a problem, in and of itself, 
if you follow good change management practices, because presumably none of those 
DAs would dare make a change for fear of having their heads chopped off. But 
that is a cultural thing that does not exist in most Windows shops. No, I think 
the bigger problem with having lots of over-privileged admins is the same 
problem we have with organizations that make all of their users admins on their 
local machines--that of over-privileged users being targets for malware that 
take advantage of their privileges to do nasty things. I'd be much less worried 
from a DA that accidentally deletes an OU than I would be from a DA who 
accidentally clicks on that website that downloads malicious code that is smart 
enough to take advantage of that user's DA status to get at or 
modify corporate directory data that compromises security, privacy or other 
critical business stuff. I have yet to see such a targeted attack but I am 
guessing it's only a matter of time. 

So, yes, absolutely get 
rid of all those extra DAs, but not just because 

RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Brian Desmond

That's a browser function, not something in AD. There's probably
still computers joined to those domains (even though they don't exist) or
computers in workgroups with the same names.

Thanks,

Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a
metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of
available networks, there are a few domains that appear that shouldn't. Is there
a way to remove these domain/domain entries manually?

ADSI edit?

-- 
HBooGz:\ 

RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Robert Rutherford

If you use WINS, check for them in there
and delete if required.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 02 August 2006 22:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available
networks, there are a few domains that appear that shouldn't. Is there a way to
remove these domain/domain entries manually?

ADSI edit?

-- 
HBooGz:\ 


RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Laura A. Robinson



That 
would depend upon whether or not the domains are appearing because of metadata, 
or whether they're appearing because of "bad" browsing information. Do the 
domains appear anywhere besides Network Neighborhood? Is WINS in use? If so, are 
there entries in WINS representing the domains? Without knowing exactly where 
the defunct domains are appearing and where they aren't, it's tough to call 
whether or not it's a problem of metadata or browsing. 

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 6:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  You can remove the orphaned domains through NTDSUTIL. Doing a metadata 
  cleanup.
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..
  
  Whenever I browse Network Neighborhood or view the list of available 
  networks, there are a few domains that appear that shouldn't. Is there a 
  way to remove these domain/domain entries manually?
  
  ADSI edit?
  
  -- 
  HBooGz:\ 
  


RE: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Robert Rutherford
Loads of tools as Susan says, but just to note the GFI one no longer
works - one of my engineers tried it a couple of months ago.

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 02 August 2006 22:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

RedEarth Software policypatrol.com

Wizard and GUI

The SBS way

There are instructions at www.smallbizserver.net (I think they are still
in the free docs) ...but I'm blonde and GUI and policy patrol works.

If you are cheap GFI's mail scanner ...install the trial version and 
when it expires the disclaimer stays (or last I heard)

Bart Van den Wyngaert wrote:
 Hi guys,

 I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
 I'm using the EventSink with a .vbs to add the disclaimer. The box is
 configured with a default SMTP server and a SMTP connector which
 forwards all external email to the SMTP of the ISP.

 Anybody who has done the trick already? If so, can you please tell me
 the little secret for this? *g*

 Many thanks to all,
 Bart


RE: [ActiveDir] UAC Question

2006-08-02 Thread David Aragon
Thank you Tomasz for the clarification on UAC.  If I understand you, then if
the lockoutTime were set to some non-0 value (a time say in the next year?
or last year?) this would trigger the lockout bit to be set.  The
presumption being that the lockoutTime can be set.

David Aragon
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Tomasz Onyszko
 Sent: Wednesday, August 02, 2006 12:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] UAC Question
 
 David Aragon wrote:
  http://support.microsoft.com/kb/305144/ discusses the various property 
  flags for the UserAccountControl (UAC).  I have tried to set different 
  flags using LDP, ADSIEdit, and vbScript.  One flag in particular is 
  giving me a lot of grief, LOCKOUT.  I can clear the bit, but can not 
  set it.  This is useful to set for a number of reasons (for example it 
  will prevent a user from logging into a system, but not prevent them 
  from getting their voicemail).
  
  Is this normal?  Can it be set and if so, how?  Is it dependent on 
  other settings (ex. lockoutTime) to be set to remain set?
  
 Yes, this is normal as lockout status is handled based on the 
 lockoutTime attribute in AD. If you want to check it in a 
 Windows 2003 domain you have to use the 
 msDS-User-Account-Control-Computed attribute.
 
 AFAIK you would not be able to lock out an account via code. I 
 don't know if it would work for you, but if you need to 
 prevent a particular user from logging on and keep his account 
 alive you may specify some workstation he would never be able 
 to get to as the only workstation he is allowed to log on to?
 
 --
 Tomasz Onyszko
 http://www.w2k.pl/blog/ - (PL)
 http://blogs.dirteam.com/blogs/tomek/ - (EN)
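Tomasz's point, worked as an added example (not code from the thread or from Microsoft): the LOCKOUT bit stored in userAccountControl is not what the domain enforces; lockout is evaluated from lockoutTime against the domain's lockoutDuration, and that evaluated bit is what msDS-User-Account-Control-Computed reports. Flag values are the ones KB 305144 lists; the FILETIME values and the 30-minute lockoutDuration used in the demo are constructed.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag values as listed in KB 305144 (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
LOCKOUT = 0x0010

# AD large-integer times (lockoutTime) count 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# A lockoutDuration of -2**63 means "locked until an administrator unlocks".
LOCKOUT_FOREVER = -(2 ** 63)


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(filetime):
    """Convert a 100 ns FILETIME count to an aware datetime (for display)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_locked_out(lockout_time, lockout_duration, now_ft):
    """Lockout as the domain evaluates it, all values in 100 ns FILETIME units:
    lockoutTime of 0 means not locked (or already unlocked); otherwise the
    lock holds until lockoutTime + lockoutDuration has passed."""
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_FOREVER:
        return True
    # lockoutDuration is stored as a negative interval, so subtracting it
    # moves the expiry forward in time.
    return now_ft < lockout_time - lockout_duration


def computed_uac(stored_uac, lockout_time, lockout_duration, now_ft):
    """Rebuild the LOCKOUT bit the way msDS-User-Account-Control-Computed
    reports it: whatever copy sits in userAccountControl is discarded and the
    bit is derived from lockoutTime, which is why writing 0x10 into
    userAccountControl by itself does not lock anyone out."""
    value = stored_uac & ~LOCKOUT
    if is_locked_out(lockout_time, lockout_duration, now_ft):
        value |= LOCKOUT
    return value


if __name__ == "__main__":
    # Constructed scenario: 30-minute lockoutDuration, one account locked
    # 10 minutes ago, one account with a stale LOCKOUT bit but lockoutTime 0.
    now = datetime(2006, 8, 2, 12, 0, tzinfo=timezone.utc)
    now_ft = int((now - FILETIME_EPOCH).total_seconds()) * 10 ** 7
    thirty_minutes = -30 * 60 * 10 ** 7
    locked_at = now_ft - 10 * 60 * 10 ** 7
    print("locked at", filetime_to_datetime(locked_at),
          decode_uac(computed_uac(0x200, locked_at, thirty_minutes, now_ft)))
    print("stale bit ", decode_uac(computed_uac(0x210, 0, thirty_minutes, now_ft)))
```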


[ActiveDir] Granting Exchange Mailbox Access

2006-08-02 Thread WATSON, BEN

In an effort to cut down on service account abuse,
I've been removing and reducing privileges left and right. I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003 with.

Sometimes, the Exchange Administrators will need to access a
user's mailbox to assist with various issues, and I'm having
trouble delegating that right to the members of the Exchange Full
Administrators group.

I have created a domain security group named simply "Exchange
Full Administrators", and I delegated Exchange Full Administrator rights
to that security group at the organizational level. So anyone in that
security group should have full administration rights. I've
had to delegate a few other rights in Active Directory for some other reasons to
this new security group (for instance to give this security group rights to
modify the dynamic mailing list OU); however I'm having trouble finding
exactly where to delegate rights to give this security group full access to
everyone's mailbox.

Any thoughts?

Thanks,

~Ben

RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread WATSON, BEN

Ah right, I read the initial question
wrong and thought you were trying to rid yourself of an old domain that no
longer exists. It certainly sounds more like a browsing issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Saturday, September 02, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That would depend upon whether or not the
domains are appearing because of metadata, or whether they're appearing because
of "bad" browsing information. Do the domains appear anywhere besides
Network Neighborhood? Is WINS in use? If so, are there entries in WINS
representing the domains? Without knowing exactly where the defunct domains are
appearing and where they aren't, it's tough to call whether or not it's a
problem of metadata or browsing. 

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains
through NTDSUTIL. Doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available
networks, there are a few domains that appear that shouldn't. Is there a way to
remove these domain/domain entries manually?

ADSI edit?

-- 
HBooGz:\ 


RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Ayers, Diane



dusting off old NT 4.0 sectors 

Check your WINS database if you are 
using WINS. Part of the browsing data comes from WINS and the database 
will tell you where those records are coming from. You can address 
it via the hosts if it's coming from there or clean up your WINS 
db.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function, not something in AD. There's probably still computers joined 
to those domains (even though they don't exist) or computers in workgroups with 
the same names.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a metadata 
cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of 
available networks, there are a few domains that appear that shouldn't. Is there 
a way to remove these domain/domain entries manually?

ADSI edit?

-- 
HBooGz:\ 



RE: [ActiveDir] Granting Exchange Mailbox Access

2006-08-02 Thread Crawford, Scott

The perm you're looking for is Receive
As on the Mailbox store. The problem is that delegating Exchange Full
Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes. So even if you grant
your group the required perms, if they've been delegated EFA, the Deny
will override it.

I'd imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting Exchange Mailbox Access

In an effort to cut down on service account abuse,
I've been removing and reducing privileges left and right. I have delegated
Exchange Full Administrator rights to a few users who had previously been using
the service account we originally installed Exchange 2003 with.

Sometimes, the Exchange Administrators will need to access a
user's mailbox to assist with various issues, and I'm having
trouble delegating that right to the members of the Exchange Full
Administrators group.

I have created a domain security group named simply
"Exchange Full Administrators", and I delegated Exchange Full
Administrator rights to that security group at the organizational level.
So anyone in that security group should have full administration
rights. I've had to delegate a few other rights in Active Directory
for some other reasons to this new security group (for instance to give this
security group rights to modify the dynamic mailing list OU); however I'm
having trouble finding exactly where to delegate rights to give this security
group full access to everyone's mailbox.

Any thoughts?

Thanks,

~Ben

[ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

2006-08-02 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Information about lingering objects in a Windows 2000-based forest or in 
a Windows Server 2003-based forest:

http://support.microsoft.com/?kbid=910205



Re: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread HBooGz
hey guys -

Yes, I'm using WINS.

Yes, they are appearing outside of Network Neighborhood.

What exactly would I examine (node type) that would help me pinpoint where these are appearing? And how to get rid of it?

Definitely appears to be a browsing issue?

How can I force who is the master browser for the domain? All workstations are Windows 2000 and Windows XP.

I'm also seeing workgroups that should have never been created and I'm now policing against -- any way to rid myself of this or detect where they are being generated?

Thanks
On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

dusting off old NT 4.0 sectors 

Check your WINS database if you are using WINS. Part of the browsing data comes from WINS and the database will tell you where those records are coming from. You can address it via the hosts if it's coming from there or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names…

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI edit?
-- HBooGz:\ 
-- HBooGz:\ 


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Joe Kaplan
We actually use a script at work after having tried a few products and 
having terrible performance problems.  If you are interested, I'll ping one 
of the exchange guys and see if he can provide a little direction.


Once you actually get it working from a plumbing standpoint, the script 
itself is actually a bit trickier to implement than the trivial sample MS 
shows.  You have to decide if you are going to put HTML into HTML body 
parts, text into text body parts, both into messages that have both, and 
what to do about signed messages, as the disclaimer will change the data and 
invalidate the digital signature.  You also need to be careful you don't 
screw up the encoding of messages in non-ASCII or ISO-8859-1 character sets. 
You can also decide if you want to add the disclaimer to messages that 
already contain it (sometimes mail routing may cause a message to hit the 
sink more than once) or not, and if you care about that, how do you decide 
if the disclaimer is in there?  :)


Ours still has some issues with a few of these points, but some of the 
problems were too tough to deal with for the people who were trying to solve 
them, so they just slid.


Joe K.
- Original Message - 
From: Bart Van den Wyngaert [EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
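The four decisions Joe lists (HTML versus text body parts, signed messages, non-ASCII character sets, and a message hitting the sink twice), worked through in Python with the standard email package as an added example; this is not the thread's VBScript sink nor Microsoft's sample. The sample messages and the X-Disclaimer-Added marker header are constructed for the demonstration.

```python
import re
from email import message_from_string, policy

DISCLAIMER_SENTENCE = "This message is confidential."              # constructed
DISCLAIMER_TEXT = "\n-- \n" + DISCLAIMER_SENTENCE + "\n"
DISCLAIMER_HTML = '<p class="x-disclaimer">' + DISCLAIMER_SENTENCE + "</p>"
# Hypothetical marker header: it travels with the message, so a second trip
# through the sink (mail routing loops) is recognised without parsing the body.
MARKER = "X-Disclaimer-Added"
SIGNED_TYPES = {"multipart/signed", "application/pkcs7-mime",
                "application/x-pkcs7-mime"}


def is_signed(msg):
    """Any S/MIME or PGP/MIME signed layer: touching the body would invalidate
    the signature, so the whole message is left alone."""
    return any(p.get_content_type() in SIGNED_TYPES for p in msg.walk())


def already_stamped(msg):
    """Second-pass detection: the marker header, or (if a relay stripped it)
    the disclaimer sentence already present in a text/plain body."""
    if msg[MARKER] is not None:
        return True
    return any(p.get_content_type() == "text/plain"
               and DISCLAIMER_SENTENCE in p.get_content()
               for p in msg.walk())


def _stamp_part(part):
    """Append the disclaimer to one body part in that part's own format,
    re-encoding it in its original character set."""
    charset = part.get_content_charset() or "us-ascii"
    body = part.get_content()
    if part.get_content_type() == "text/plain":
        new_body, subtype = body + DISCLAIMER_TEXT, "plain"
    else:
        m = re.search(r"</body>", body, re.IGNORECASE)
        new_body = (body[:m.start()] + DISCLAIMER_HTML + body[m.start():]
                    if m else body + DISCLAIMER_HTML)
        subtype = "html"
    try:
        part.set_content(new_body, subtype=subtype, charset=charset)
    except UnicodeEncodeError:
        # The original charset cannot represent the combined text: widen it
        # rather than emit mojibake.
        part.set_content(new_body, subtype=subtype, charset="utf-8")


def add_disclaimer(raw):
    """Return (message, status); status is 'skipped-signed', 'already-stamped'
    or 'stamped-N' where N is the number of body parts changed."""
    msg = message_from_string(raw, policy=policy.default)
    if is_signed(msg):
        return msg, "skipped-signed"
    if already_stamped(msg):
        return msg, "already-stamped"
    touched = 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            _stamp_part(part)
            touched += 1
    msg[MARKER] = "yes"
    return msg, "stamped-%d" % touched


# Constructed sample messages (not real mail).
PLAIN_LATIN1 = (
    "From: a@example.com\nTo: b@example.com\nSubject: test\nMIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n\n"
    "Gr=FC=DFe aus Wien\n"
)
ALTERNATIVE = (
    "From: a@example.com\nTo: b@example.com\nSubject: test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain; charset="us-ascii"\n\nHello\n'
    '--b1\nContent-Type: text/html; charset="us-ascii"\n\n'
    "<html><body><p>Hello</p></body></html>\n--b1--\n"
)
SIGNED = (
    "From: a@example.com\nTo: b@example.com\nSubject: test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha1; boundary="s1"\n\n'
    "--s1\nContent-Type: text/plain\n\nsigned body\n"
    '--s1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--s1--\n"
)

if __name__ == "__main__":
    for sample in (PLAIN_LATIN1, ALTERNATIVE, SIGNED):
        print(add_disclaimer(sample)[1])
```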


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
This is an SBS box. We may have performance problems.. but it's 
certainly not caused by a SMTP sink event on that Exchange server  ;-)  
Remember at the most we're only hosting 75 users/devices on that server 
with a max of 75 gigs (remember no snickering from the Enterprise folks) 
of Store.


(and reading his message.. see why I went with Policypatrol?

Joe Kaplan wrote:
We actually use a script at work after having tried a few products and 
having terrible performance problems.  If you are interested, I'll 
ping one of the exchange guys and see if he can provide a little 
direction.


Once you actually get it working from a plumbing standpoint, the 
script itself is actually a bit trickier to implement than the trivial 
sample MS shows.  You have to decide if you are going to put HTML into 
HTML body parts, text into text body parts, both into messages that 
have both, and what to do about signed messages, as the disclaimer 
will change the data and invalidate the digital signature.  You also 
need to be careful you don't screw up the encoding of messages in 
non-ASCII or ISO-8859-1 character sets. You can also decide if you 
want to add the disclaimer to messages that already contain it 
(sometimes mail routing may cause a message to hit the sink more than 
once) or not, and if you care about that, how do you decide if the 
disclaimer is in there?  :)


Ours still has some issues with a few of these points, but some of the 
problems were too tough to deal with for the people who were trying to 
solve them, so they just slid.


Joe K.
- Original Message - From: Bart Van den Wyngaert 
[EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart


Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

2006-08-02 Thread Brett Shirley
Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 Information about lingering objects in a Windows 2000-based forest or in 
 a Windows Server 2003-based forest:
 http://support.microsoft.com/?kbid=910205
 


Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

2006-08-02 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

You know us blondes

With barely a twig, let alone a tree in our forest...and I'll have you 
know this twig is clean installed 2k3 domain (I strongly believe in no 
inplace even in our twig domains down here).


(and for the record for everyone's trivia tonight... while I choose to 
have a single DC (at this time) ... SBS can support additional DCs in 
our domain... hey.. I've even used ntdsutil and ADSIedit even down 
here  ;-)


Brett Shirley wrote:

Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

  
Information about lingering objects in a Windows 2000-based forest or in 
a Windows Server 2003-based forest:

http://support.microsoft.com/?kbid=910205



Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Joe Kaplan
Sure, I saw the message and remembered that we were still using a disclaimer 
script for this, so I thought I'd offer some help, but a word of caution 
about the fact that the script can get tricky.


With only that many users, many of those problems might never show up.  We 
have a few more users than that (ok, 4 orders of magnitude!), so we see a 
lot of weird stuff that is hard to even imagine when you are testing the 
code.  :)


The product is probably a better choice, especially if it is cheap.

We really did try to buy a product to do this as we wanted more features and 
fewer problems (or someone else to blame them on), but only the script had 
reasonable performance.  Everything else brought our gateways to their knees 
and had to be disabled.  I was shocked by this actually.  :)


Joe K.
- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:24 PM
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


This is an SBS box. We may have performance problems, but it's 
certainly not caused by an SMTP sink event on that Exchange server ;-) 
Remember, at the most we're only hosting 75 users/devices on that server 
with a max of 75 gigs (remember, no snickering from the Enterprise folks) 
of Store.


(And reading his message... see why I went with Policypatrol?)

Joe Kaplan wrote:
We actually use a script at work after having tried a few products and 
having terrible performance problems.  If you are interested, I'll ping 
one of the exchange guys and see if he can provide a little direction.


Once you actually get it working from a plumbing standpoint, the script 
itself is actually a bit trickier to implement than the trivial sample MS 
shows.  You have to decide if you are going to put HTML into HTML body 
parts, text into text body parts, both into messages that have both, and 
what to do about signed messages, as the disclaimer will change the data 
and invalidate the digital signature.  You also need to be careful you 
don't screw up the encoding of messages in non-ASCII or ISO-8859-1 
character sets. You can also decide if you want to add the disclaimer to 
messages that already contain it (sometimes mail routing may cause a 
message to hit the sink more than once) or not, and if you care about 
that, how do you decide if the disclaimer is in there?  :)


Ours still has some issues with a few of these points, but some of the 
problems were too tough to deal with for the people who were trying to 
solve them, so they just slid.


Joe K.
- Original Message - 
From: Bart Van den Wyngaert 
[EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Has anybody done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
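The decisions Joe lists for a disclaimer sink (HTML into HTML parts, text into text parts, leave signed messages untouched, keep the original character set, and do not add the disclaimer twice when routing sends a message through the sink again) are shown below as an added example. It is not code from this thread, from Microsoft's event-sink sample, or from any product mentioned; it uses Python's standard `email` library instead of the CDO/VBScript sink the thread is about, so the MIME handling is the same but the Exchange plumbing is not. The disclaimer text, the `X-Disclaimer-Added` marker header, the sample messages and the helper names are all constructed for the example.

```python
import html
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed values for this example; a real deployment picks its own.
DISCLAIMER_TEXT = "This message is confidential. If you received it in error, delete it."
# Hypothetical marker header: the cheapest reliable way to recognise a message
# the sink has already processed (mail routing can hand it to the sink twice).
MARKER_HEADER = "X-Disclaimer-Added"


def is_signed(part) -> bool:
    """Signed or opaque S/MIME content must not be modified: any change to the
    signed body invalidates the signature and the recipient sees a warning."""
    return part.get_content_type() in ("multipart/signed", "application/pkcs7-mime")


def _append_to_part(part) -> None:
    """Add the disclaimer to one text/* leaf, matching its subtype and charset."""
    charset = part.get_content_charset() or "us-ascii"
    text = part.get_content()  # decoded using the part's own charset
    if part.get_content_type() == "text/html":
        block = "<hr><p>%s</p>" % html.escape(DISCLAIMER_TEXT)
        idx = text.lower().rfind("</body>")
        new = (text[:idx] + block + text[idx:]) if idx != -1 else (text + block)
        part.set_content(new, subtype="html", charset=charset)
    else:
        new = text.rstrip("\n") + "\n\n-- \n" + DISCLAIMER_TEXT + "\n"
        part.set_content(new, subtype="plain", charset=charset)


def _walk(part) -> bool:
    """Recurse through the MIME tree; return True if any body part was changed."""
    if is_signed(part):
        return False
    if part.get_content_maintype() == "message":
        return False  # forwarded message/rfc822: leave the inner message alone
    if part.is_multipart():
        changed = False
        for sub in part.iter_parts():
            changed = _walk(sub) or changed
        return changed
    if part.get_content_maintype() == "text" and not part.is_attachment():
        _append_to_part(part)
        return True
    return False


def add_disclaimer(raw: bytes) -> bytes:
    """Return the message with the disclaimer added, or the input unchanged
    when it is signed or already carries the marker header."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg[MARKER_HEADER] is not None or is_signed(msg):
        return raw
    if _walk(msg):
        msg[MARKER_HEADER] = "yes"
    return msg.as_bytes()


def body_texts(raw: bytes) -> dict:
    """Inspection helper: marker value plus (charset, text) of each text/* leaf."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = {"marker": None if msg[MARKER_HEADER] is None else str(msg[MARKER_HEADER])}
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            out[part.get_content_type()] = (part.get_content_charset(), part.get_content())
    return out


def build_sample() -> bytes:
    """Constructed multipart/alternative message with a Latin-1 text part."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting"
    msg.set_content("Caf\u00e9 meeting at 10.\n", charset="iso-8859-1")
    msg.add_alternative(
        "<html><body><p>Caf&eacute; meeting at 10.</p></body></html>", subtype="html")
    return msg.as_bytes()


# Constructed multipart/signed message; the signature blob is a placeholder.
SIGNED_SAMPLE = b"""Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"
MIME-Version: 1.0

--b1
Content-Type: text/plain

Signed body.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""


if __name__ == "__main__":
    print(add_disclaimer(build_sample()).decode("latin-1"))
```

Two points are easy to miss in the VBScript version: `set_content` re-encodes the modified text in the part's original charset, so a Latin-1 body stays Latin-1 rather than being silently rewritten, and the marker header makes a second pass through the sink a no-op without having to search the body for disclaimer text.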