Re: [ActiveDir] OT: NTLM troubleshooting info
Many thanks for the link mate.

M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:

There is at least some documentation on this found at http://davenport.sourceforge.net/ntlm.html . I'm not sure if it will meet your needs or not. I think there are some others around as well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: NTLM troubleshooting info

Thanks. It probably will help to some extent, at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.

Cheers
M@

On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:

Might sspi_workbench (from TechNet) be useful for this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info

Guys,

Does anyone have any good resources on troubleshooting NTLM? I've emailed TechNet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet. I would appreciate it if you guys can help.

Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection.

Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.

Cheers
M@
Re: [ActiveDir] Different (open)LDAP Question
Check out Ryan's take on it...

http://dunnry.com/blog/msDsUserAccountControlComputedNotSoSpiffy.aspx

--Paul

- Original Message -
From: David Aragon [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 01, 2006 11:49 PM
Subject: [ActiveDir] Different (open)LDAP Question

Without getting into the politics involved that got us here, suffice it to say that someone with a lot of political clout, no Windows or Active Directory experience (though considerable Mac/OS X experience), and a PhD at the end of their name, made a decision to deploy OpenLDAP, and Active Directory would be fed with information through a connector written specifically for that purpose.

For the most part this works well. We have developed a web page that allows users to change passwords, incorporated various (homegrown) connectors to provide for single sign-on to most services, network drives, etc., all platform independent, allowing users to freely move from Windows (~85% of the total number of systems) to Mac OS X systems (~15% of the total number of systems) using the same set of credentials.

One of the few areas where issues have arisen is in the changing of a user's status. I have told them to modify userAccountControl; the programmers (the connector is written in OCaml, so there is a separate group that handles this) have decided that msDs-User-Account-Control-Computed is the correct attribute to use in order to enable, disable, lock, unlock, etc. a user account.

Can someone from this group tell me the differences between these attributes and which would be the correct one to use for the stated purposes?

David Aragon

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Automating GC promotion during dcpromo
According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire.

Anyone have any views or experiences with this?

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] Automating GC promotion during dcpromo
[EMAIL PROTECTED] wrote:

According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Different (open)LDAP Question
Thank you Tony and Paul. This is why I think so many people are on this list. The information provided is good, useful, and to the point.

David Aragon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, August 01, 2006 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Different (open)LDAP Question

msDs-User-Account-Control-Computed is a constructed attribute. Constructed attributes cannot be set manually because they are automatically maintained by the system.

Tony

-- Original Message --
From: David Aragon [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Tue, 1 Aug 2006 15:49:53 -0700

Without getting into the politics involved that got us here, suffice it to say that someone with a lot of political clout, no Windows or Active Directory experience (though considerable Mac/OS X experience), and a PhD at the end of their name, made a decision to deploy OpenLDAP, and Active Directory would be fed with information through a connector written specifically for that purpose.

For the most part this works well. We have developed a web page that allows users to change passwords, incorporated various (homegrown) connectors to provide for single sign-on to most services, network drives, etc., all platform independent, allowing users to freely move from Windows (~85% of the total number of systems) to Mac OS X systems (~15% of the total number of systems) using the same set of credentials.

One of the few areas where issues have arisen is in the changing of a user's status. I have told them to modify userAccountControl; the programmers (the connector is written in OCaml, so there is a separate group that handles this) have decided that msDs-User-Account-Control-Computed is the correct attribute to use in order to enable, disable, lock, unlock, etc. a user account.

Can someone from this group tell me the differences between these attributes and which would be the correct one to use for the stated purposes?

David Aragon

Sent via the WebMail system at mail.activedir.org
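A worked illustration of Tony's point, added here and not part of the thread: the flags Active Directory reports through msDS-User-Account-Control-Computed (LOCKOUT and PASSWORD_EXPIRED) are read-only, so a connector that wants to enable or disable an account has to flip the ACCOUNTDISABLE bit of the writable userAccountControl, and an unlock is done by clearing lockoutTime (a property of AD, not something stated in the thread). The script is Python, the flag values are the documented userAccountControl bits, the sample account values are constructed, and no directory is contacted; `decode_flags`, `plan_status_change` and `rejected_computed_writes` are names chosen for this example.

```python
"""Decode userAccountControl and keep it apart from msDS-User-Account-Control-Computed.

Added example, not code from the thread.  Nothing here talks to a DC; the
connector would take the (attribute, value) pair returned by
plan_status_change and issue the LDAP modify itself.
"""
from typing import Dict, List, Set, Tuple

# Documented userAccountControl bit flags.
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Bits the DC reports only through the constructed attribute
# msDS-User-Account-Control-Computed.  They are derived from lockoutTime and
# password age, so writing them into userAccountControl changes nothing.
COMPUTED_ONLY: Set[str] = {"LOCKOUT", "PASSWORD_EXPIRED"}


def decode_flags(value: int) -> Set[str]:
    """Names of the flags set in a userAccountControl-style bitmask."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def rejected_computed_writes(current: int, desired: int) -> List[str]:
    """Computed-only flags that a proposed userAccountControl write tries to change."""
    changed = current ^ desired
    return sorted(n for n in COMPUTED_ONLY if changed & UAC_FLAGS[n])


def plan_status_change(uac: int, action: str) -> Tuple[str, str]:
    """Map an account-status action to the (attribute, value) that implements it.

    enable/disable go to the writable userAccountControl; unlock clears
    lockoutTime (a fact about AD, not from the thread); no attribute write
    locks an account, the DC does that itself after failed logons.
    """
    disable_bit = UAC_FLAGS["ACCOUNTDISABLE"]
    if action == "disable":
        return ("userAccountControl", str(uac | disable_bit))
    if action == "enable":
        return ("userAccountControl", str(uac & ~disable_bit))
    if action == "unlock":
        return ("lockoutTime", "0")
    if action == "lock":
        raise ValueError("lockout is set by the DC after failed logons; "
                         "it cannot be requested via an attribute write")
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed sample: a disabled normal user whose computed attribute
    # reports it locked out as well.
    uac, computed = 0x0202, 0x0010
    print("userAccountControl:", sorted(decode_flags(uac)))
    print("msDS-User-Account-Control-Computed:", sorted(decode_flags(computed)))
    print("enable ->", plan_status_change(uac, "enable"))
    print("unlock ->", plan_status_change(uac, "unlock"))
    print("ignored if written to UAC:", rejected_computed_writes(uac, uac | 0x0010))
```

Reading both attributes and decoding them side by side is also a quick check for the failure mode in David's question: an account that shows LOCKOUT only in the computed attribute will never be unlocked by any userAccountControl write, however the connector encodes it.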
RE: [ActiveDir] Automating GC promotion during dcpromo
That's only partially true; you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Automating GC promotion during dcpromo

[EMAIL PROTECTED] wrote:

According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
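The four steps in Dean's post as a script, added here and not code from the thread or from Microsoft: it copies the Options= line from [DEFAULTFIRSTMACHINE] into [DEFAULTADDLMACHINE] and leaves a file that already carries one alone, so it can sit in the same build package as the DCpromo answer file and be run before every promotion. The SAMPLE text is a constructed miniature of the two sections; the real schema.ini holds far more keys, and only the section names and the Options=1 line come from the thread. The function and constant names are this example's own.

```python
"""Apply the schema.ini change from Dean's post programmatically.

Added example, not code from the thread.  It edits the text of schema.ini
so that [DEFAULTADDLMACHINE] carries the same Options= entry as
[DEFAULTFIRSTMACHINE]; running DCpromo afterwards is up to the operator.
"""
import re
import shutil
import sys
from pathlib import Path
from typing import List, Optional, Tuple

FIRST = "[DEFAULTFIRSTMACHINE]"  # drives DCpromo when a new forest is created
ADDL = "[DEFAULTADDLMACHINE]"    # drives DCpromo for an additional DC
_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_OPTIONS = re.compile(r"^\s*Options\s*=", re.IGNORECASE)


def _section_bounds(lines: List[str], header: str) -> Optional[Tuple[int, int]]:
    """(start, end) indexes of the body of `header`, or None if the section is absent."""
    start = None
    for i, line in enumerate(lines):
        m = _SECTION.match(line)
        if m is None:
            continue
        if start is not None:          # the next header closes our section
            return start, i
        if f"[{m.group('name')}]".upper() == header.upper():
            start = i + 1
    return (start, len(lines)) if start is not None else None


def _find_options(lines: List[str], bounds: Tuple[int, int]) -> Optional[int]:
    """Index of the Options= line inside the given section bounds."""
    start, end = bounds
    return next((i for i in range(start, end) if _OPTIONS.match(lines[i])), None)


def add_gc_option(ini_text: str) -> str:
    """Copy the first-machine Options= line under [DEFAULTADDLMACHINE].

    Idempotent: an existing Options= line in the additional-machine section
    is left untouched.  Raises ValueError if the file is not what we expect.
    """
    lines = ini_text.splitlines(keepends=True)
    first = _section_bounds(lines, FIRST)
    addl = _section_bounds(lines, ADDL)
    if first is None or addl is None:
        raise ValueError(f"schema.ini is missing {FIRST} or {ADDL}")
    src = _find_options(lines, first)
    if src is None:
        raise ValueError(f"no Options= entry under {FIRST}")
    if _find_options(lines, addl) is not None:
        return ini_text
    entry = lines[src] if lines[src].endswith("\n") else lines[src] + "\n"
    lines.insert(addl[0], entry)       # directly under the [DEFAULTADDLMACHINE] header
    return "".join(lines)


def options_value(ini_text: str, header: str) -> Optional[str]:
    """Value of Options= in the named section, for verification before DCpromo."""
    lines = ini_text.splitlines()
    bounds = _section_bounds(lines, header)
    if bounds is None:
        return None
    i = _find_options(lines, bounds)
    return None if i is None else lines[i].split("=", 1)[1].strip()


# Constructed miniature of the two sections; the real file carries many more
# keys.  Only the section names and the Options=1 line come from the thread.
SAMPLE = """\
; constructed sample, not the real schema.ini

[DEFAULTFIRSTMACHINE]
; settings applied when a new forest is created
Options=1

[DEFAULTADDLMACHINE]
; settings applied when an additional DC is promoted
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python add_gc_option.py %windir%\system32\schema.ini
        path = Path(sys.argv[1])
        shutil.copy2(path, path.with_name(path.name + ".orig"))  # keep the untouched copy
        path.write_text(add_gc_option(path.read_text()))
    else:
        print(add_gc_option(SAMPLE))
```

Calling `options_value(text, ADDL)` after the edit, and again on the file DCpromo is about to read, gives the build pipeline a single check that the promotion will produce a GC rather than discovering it afterwards.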
RE: [ActiveDir] Test Environments
I fully concur with the three environment approach. I typically run Production, Replica (aka Testing) and Sandpit (aka Development). One of the key tenets of my test environment is that when a change is tested, its associated back-out plan is also tested, and I do not sign off on any change that hasn't got a back-out plan unless the risk associated with it is accepted by those above. IMHO, this should be mandatory for any test environment.

We have a resource in Exchange that can be booked the same way as a meeting room to ensure that everyone knows when it is free.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: 25 July 2006 21:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Test Environments

Those were my thoughts as well on the issue and I've had to tell several people not to expect production-like uptime. I really couldn't think of a better way to provide a test environment and there's no way I'm going to build multiple environments like this. Even though it's a test environment, it often requires more of my time to maintain than the production environment.

I may tell people to create their own development environment as Jonathan suggested and allow testing to be performed when they feel their app has outgrown a development environment of their own creation.

Thanks guys, it's good to know I'm on track here.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Test Environments

It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two.

It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment. If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take.

It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring. It really sounds like you need to possibly make a Testing calendar so that everyone (or maybe even just you) has a list of applications that are being tested in the environment, and when schema updates and other items which can affect multiple ongoing tests occur, the relevant persons can be notified so that if they need to reschedule their testing or adjust their testing schedule, they can.

On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote:

I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing.

For example, I built a so-called "Offnet" which is a duplicate of our production domain. We have a couple of domain controllers restored from tape backup, we have Exchange running, and various other production services using the same domain name and hostnames, providing for a very production-like test environment. As time progressed, other production servers duplicated themselves into this test environment and we now have quite a number of people doing the majority of their testing in this environment.

Unfortunately, as more and more people have begun to use this environment for testing, we have found that people are beginning to step on each other's toes. For instance, I used this test environment to walk through the domain upgrade to 2003, and when there was some downtime other people were unable to do their own testing.

So I was curious, how do you handle providing a working test environment for people that need it? At this point, we are trying to determine a better way for people to do their testing away from production.

Thanks,
~Ben

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind 1E Ltd to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Re: [ActiveDir] Automating GC promotion during dcpromo
Dean Wells wrote:

That's only partially true; you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Nice, thank you for this tip Dean

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Automating GC promotion during dcpromo
Thanks Dean, although I was looking for a way to automate the 'promotion' to GC for *every* DC, not just the first (which is a GC by default, as you point out.) I have a script which can achieve the above but was hoping it could be achieved via the answer file. I just hope this is finally exposed in Longhorn ...

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: 02 August 2006 16:00
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

That's only partially true; you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Automating GC promotion during dcpromo

[EMAIL PROTECTED] wrote:

According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
My inbox continues to be bombarded with messages from your group. Not sure how I got included on this list, but what can I do to get off it???! Would be nice to get my inbox back...

joe [EMAIL PROTECTED] wrote:

Interesting thoughts there... My only tongue-in-cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o)

Raise your hand if in the last year you saw a post-it with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance? How many people now see a security problem and shake their head and say "wow, that isn't good, but there isn't anything I can do about it" and then continue on with their day? That is the kind of stuff that really needs to stop.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

On a totally serious note to Joe's tongue-in-cheek posting...

Go to a zoo(1)... and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc. so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover weaver bird nests... they don't build their own... but by moving into a weaver bird area, they act as bouncers at the door and keep out the predators that prey on the weaver birds.

Given that here's what nature does to protect itself, what (if anything) has the computing industry done to camouflage to reduce risk? (Call me wacko) but it seems to me that we do a lot of football-ish types of security models... offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we, and can we, add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo... yes... this high-maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity, camping in a zoo at the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote:

Joe's blog doesn't seem to say anything about what DSI actually *is*. I'm not seeing it as a security model beyond my impression of it being "Don't tell anyone what your security infrastructure looks like" or something like that.

On 8/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Isn't DSI being discussed in great detail at Blackhat starting tomorrow... or am I mistaken and just thinking about the blog post again?

http://blog.joeware.net/2006/07/11/445/

Brett Shirley wrote:

I've always followed a DSI[1] access model, it definitely supersedes in every way what RBS[resource], RBS[role], ABS, CBS, NBC, ABC can provide ...

[1] DSI = Defending Security Infrastructures

-B
RE: [ActiveDir] Automating GC promotion during dcpromo
I'm not following; if you're creating an answer file to feed DCpromo when building new DCs ... why can you not also supply a modified schema.ini that contains the changes per my earlier post?

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 02, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

Thanks Dean, although I was looking for a way to automate the 'promotion' to GC for *every* DC, not just the first (which is a GC by default, as you point out.) I have a script which can achieve the above but was hoping it could be achieved via the answer file. I just hope this is finally exposed in Longhorn ...

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: 02 August 2006 16:00
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

That's only partially true; you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Automating GC promotion during dcpromo

[EMAIL PROTECTED] wrote:

According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] Automating GC promotion during dcpromo
Yeah, I'm in the same boat now. Got a requirement for fully autonomous DC deployment with a largish DIT. Single domain forest so everything is GC. I was frustrated to find out that one of the scripting guys told me that that option didn't work.

I plan on working round this by promoting the DC (using a systems management tool, i.e. a package that runs DCPROMO with an answer file), rebooting and then running another script that connects to the local DC and flips the options attribute on the NTDS object in question. We'll then wait for RootDSE's isGlobalCatalogReady to return true before moving on...

It's still not clear to me why that switch doesn't work. There's no dependency on IFM (although if you are doing an IFM from a GC it's nice to use the restored PAS) or anything other than DNS and communications really...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 4:49 PM
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

Thanks Dean, although I was looking for a way to automate the 'promotion' to GC for *every* DC, not just the first (which is a GC by default, as you point out.) I have a script which can achieve the above but was hoping it could be achieved via the answer file. I just hope this is finally exposed in Longhorn ...

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: 02 August 2006 16:00
To: Send - AD mailing list
Subject: RE: [ActiveDir] Automating GC promotion during dcpromo

That's only partially true; you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -

1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo

Regards.

Dean
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Automating GC promotion during dcpromo

[EMAIL PROTECTED] wrote:

According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another TechNet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?

This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Automating GC promotion during dcpromo
Sorry, Dean. Word wrap foiled me and I didn't read your response correctly :( This is a great find and tip which would have saved me loads of time in previous roles :) Nice one! neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2006 17:04 To: Send - AD mailing list Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
I'm not following, if you're creating an answer file to feed DCpromo when building new DCs ... why can you not also supply a modified schema.ini that contains the changes per my earlier post? -- Dean Wells MSEtechnology Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 02, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
Thanks Dean, although I was looking for a way to automate the 'promotion' to GC for *every* DC, not just the first (which is a GC by default, as you point out.) I have a script which can achieve the above but was hoping it could be achieved via the answer file. I just hope this is finally exposed in Longhorn ... neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2006 16:00 To: Send - AD mailing list Subject: RE: [ActiveDir] Automating GC promotion during dcpromo
That's only partially true, you're correct in that the option is made available in the UI during an IFM promotion if the backup used was from a GC ... but a GC can also be born directly out of a non-forest-creating DCpromo by modifying the %windir%\system32\schema.ini file. Assuming you're comfortable editing the file -
1. Prior to promotion, edit the schema.ini mentioned above
   a. search on [DEFAULTADDLMACHINE]
2. Notice the Options=1 entry 5 or 6 lines above in the [DEFAULTFIRSTMACHINE] section
   a. this section controls the DCpromo's behavior during the creation of a new forest
3. Copy that entry into the [DEFAULTADDLMACHINE] section
4. Run DCpromo
Regards. Dean -- Dean Wells MSEtechnology Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Wednesday, August 02, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Automating GC promotion during dcpromo
[EMAIL PROTECTED] wrote: According to an article I read recently, a DC may be set as a GC automatically using the answer file entry 'ConfirmGC=Yes'. However, another technet article implies that this is only relevant if the DC is being built using a backup and not over the wire. Anyone have any views or experiences with this?
This was discussed here some time ago if I remember correctly - this option is valid only with install from media DC promotion. -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
At the bottom of every single message sent to this list, you'll see the following link: List FAQ: http://www.activedir.org/List.aspx ...which brings you to this: The list provides a discussion forum for those wishing to discuss aspects of Microsoft's Active Directory. It is intended for anyone with an interest in AD, except those whose sole interest is to sell something! Feel free to email any questions, tips and tricks, useful links or anything else you feel may be relevant. The idea here is for us to share our knowledge and experiences so that we can learn from each other. To subscribe send an email to [EMAIL PROTECTED] and type, SUBSCRIBE ActiveDir your name here (without using the quotation marks) in the message body To unsubscribe send an email to [EMAIL PROTECTED] and type, UNSUBSCRIBE ActiveDir your name here (without using the quotation marks) in the message body To subscribe to digest mode, send a message to [EMAIL PROTECTED] with no subject, and the phrase, SET MODE DIGEST ActiveDir in the body of the message. The List Server understands multiple commands in an email message, so this could be the second line in your subscribe message. To switch from digest mode to standard mode, send a message to [EMAIL PROTECTED] with no subject, and the phrase, SET MODE STANDARD ActiveDir Digest postings are sent once per day. If you have any problems subscribing or unsubscribing send an email to [EMAIL PROTECTED] with the details. When subscribed use the address ActiveDir@mail.activedir.org to post messages to the list. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, August 02, 2006 12:04 PM To: ActiveDir@mail.activedir.org Cc: joe Subject: RE: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core My inbox continues to be bombarded with messages from your group. Not sure how I got included on this list, but what can I do to get off it???! Would be nice to get my inbox back... 
joe [EMAIL PROTECTED] wrote: Interesting thoughts there... My only tongue in cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o) Raise your hand if in the last year you saw a Post-it with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance? How many people now see a security problem and shake their head and say, wow that isn't good but there isn't anything I can do about it and then continue on your day. That is the kind of stuff that really needs to stop. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, August 01, 2006 3:28 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core
On a totally serious note to Joe's tongue in cheek posting: Go to a zoo(1).. and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests.. they don't build their own..but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds. Given that here's what nature does to protect itself, what (if anything) has the computing industry done to camouflage to reduce risk? (call me wacko) but it seems to me that we do a lot of footballish type of security models..
offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks? (1) Lessons learned from camping in a zoo...yes.. this high maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo at the
Re: [ActiveDir] Test Environments
Brad brings up some of the more important change control concepts. Remember that a dev environment *is* production for a developer. It should be controlled to some degree. I've often advocated many more test environments. Everything from sandbox (try whatever you want, but no control) to pristine production-mirror (hands-off - it's identical 'cause it was recently restored to make it so). Scalability labs have some steep hardware requirement costs (do you really want to know how well that app will perform on x hardware in our environment?) and are highly similar to production/pristine. There are several environments in between because of the exact issue you discuss. For example, you might have to duplicate a production-like environment to facilitate development of workstation images and deployment scenarios, but that type of work might impact somebody doing web design. What to do to meet both? Create both. With virtualization you can make this happen more cost effectively. You can't virtualize the more pristine (all of it anyway) because you may be testing the upgrade on the DCs or the other app servers. That should be very similar and highly isolated. My $0.04 anyway. I advocate a high level of testing where possible and where impact is otherwise not tolerable.

On 8/2/06, Brad Smith [EMAIL PROTECTED] wrote: I fully concur with the three environment approach. I typically run Production, Replica (aka Testing) and Sandpit (aka Development). One of the key tenets of my test environment is that when a change is tested, its associated back-out plan is also tested and I do not sign off on any change that hasn't got a back-out plan unless the risk associated with it is accepted by those above. IMHO, this should be mandatory for any test environment. We have a resource in Exchange that can be booked the same way as a meeting room to ensure that everyone knows when it is free.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of WATSON, BEN Sent: 25 July 2006 21:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Test Environments
Those were my thoughts as well on the issue and I've had to tell several people not to expect production-like uptime. I really couldn't think of a better way to provide a test environment and there's no way I'm going to build multiple environments like this. Even though it's a test environment, it often requires more of my time to maintain than the production environment. I may tell people to create their own development environment as Jonathan suggested and allow testing to be performed when they feel their app has outgrown a development environment of their own creation. Thanks guys, it's good to know I'm on track here. ~Ben

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, July 25, 2006 12:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Test Environments
It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two. It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment. If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take. It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring. It really sounds like you need to possibly make a Testing calendar so that everyone (or maybe even just you) has a list of applications that are being tested in the environment and when schema updates and other items which can affect multiple tests that are ongoing occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can.

On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote: I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing. For example, I built a so-called Offnet which is a duplicate of our production domain. We have a couple domain controllers restored from tape backup, we have Exchange running, and various other production services using the same domain name and hostnames providing for a very production-like test environment. As time progressed, other production servers duplicated themselves into this test environment and we now have quite a number
Re: [ActiveDir] Automating GC promotion during dcpromo
[EMAIL PROTECTED] wrote: Thanks Dean, although I was looking for a way to automate the 'promotion' to GC for *every* DC, not just the first (which is a GC by default, as you point out.)
If I understand Dean's tip correctly (Dean, correct me if I'm wrong) he suggests taking some entries from section [DEFAULTFIRSTMACHINE] of schema.ini and putting them into [DEFAULTADDLMACHINE], which will cause that when this machine is promoted as a DC in an existing forest this option will force it to behave in this aspect as the first DC in the forest. So it will be promoted as a GC. Not exactly the same as the option available with IFM but if it works - why not use it.
I just hope this is finally exposed in Longhorn ...
In fact it is :) http://blogs.dirteam.com/blogs/carlos/archive/2006/06/27/1204.aspx -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
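The two approaches discussed in this thread, Dean's pre-promotion schema.ini edit and Paul's post-promotion "flip the options bit and wait for isGlobalCatalogReady", as an added PowerShell example. This is not Paul's or Dean's script; it assumes it runs on the freshly promoted DC under an account that can write the DC's own NTDS Settings object in the Configuration partition, and the function names are my own. The facts it relies on are on the page or documented: bit 0x1 of the NTDS Settings 'options' attribute (NTDSDSA_OPT_IS_GC) marks a GC, and RootDSE exposes isGlobalCatalogReady.

```powershell
# Added example, not code from the thread. Assumes: run on the DC itself after
# dcpromo + reboot, with rights to write its NTDS Settings object.
$NTDSDSA_OPT_IS_GC = 1   # bit 0 of the 'options' attribute on CN=NTDS Settings

function Add-GcOptionToSchemaIni {
    # Dean's pre-promotion variant: put 'Options=1' into [DEFAULTADDLMACHINE] so a
    # non-forest-creating dcpromo behaves like the first DC and is born a GC.
    param([string]$Path = "$env:windir\system32\schema.ini")
    Copy-Item -Path $Path -Destination "$Path.bak" -Force      # system file: keep a backup
    $out = New-Object System.Collections.ArrayList
    $inTarget = $false
    $found = $false
    foreach ($line in @(Get-Content -Path $Path)) {
        if ($line -match '^\s*\[') {                                # any [section] header
            $inTarget = ($line -match '^\s*\[DEFAULTADDLMACHINE\]')
            [void]$out.Add($line)
            if ($inTarget) { [void]$out.Add('Options=1'); $found = $true }
            continue
        }
        if ($inTarget -and $line -match '^\s*Options\s*=') { continue }   # replace a stale entry, do not duplicate
        [void]$out.Add($line)
    }
    if (-not $found) { throw "[DEFAULTADDLMACHINE] not found in $Path" }
    Set-Content -Path $Path -Value $out.ToArray() -Encoding Ascii
}

function Enable-LocalGlobalCatalog {
    # Paul's post-promotion variant: set the GC bit on this DC's own NTDS Settings object.
    $rootDse = [ADSI]'LDAP://localhost/RootDSE'
    $ntdsDn  = [string]$rootDse.Properties['dsServiceName'].Value    # CN=NTDS Settings,CN=<dc>,CN=Servers,...
    $ntds    = [ADSI]"LDAP://localhost/$ntdsDn"
    $current = 0
    if ($ntds.Properties['options'].Value -ne $null) { $current = [int]$ntds.Properties['options'].Value }
    if (($current -band $NTDSDSA_OPT_IS_GC) -eq 0) {
        $ntds.Properties['options'].Value = ($current -bor $NTDSDSA_OPT_IS_GC)   # keep the other bits
        $ntds.CommitChanges()
    }
    return $ntdsDn
}

function Wait-GlobalCatalogReady {
    # Poll RootDSE until the DC advertises itself as a GC; $false on timeout.
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $rootDse = [ADSI]'LDAP://localhost/RootDSE'   # rebind each time so nothing comes from cache
        if ([string]$rootDse.Properties['isGlobalCatalogReady'].Value -eq 'TRUE') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage in the post-reboot step of the deployment package:
# Enable-LocalGlobalCatalog
# if (-not (Wait-GlobalCatalogReady)) { throw 'GC never became ready; check replication of the partial attribute set' }
```

In a single-domain forest the readiness flag flips quickly because there are no extra domain partitions to pull; in a multi-domain forest the DC has to replicate the partial attribute set of every other domain first, so give the wait a generous timeout rather than treating a slow answer as a failure. Writing the options attribute is a change to the Configuration partition that replicates forest-wide, so the account the package runs under should have exactly that right on the new server's NTDS Settings object and nothing broader.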
[ActiveDir] UAC Question
http://support.microsoft.com/kb/305144/ discusses the various property flags for the UserAccountControl (UAC). I have tried to set different flags using LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of grief, LOCKOUT. I can clear the bit, but can not set it. This is useful to set for a number of reasons (for example it will prevent a user from logging into a system, but not prevent them from getting their voicemail). Is this normal? Can it be set and if so, how? Is it dependent on other settings (ex. lockoutTime) to be set to remain set? David Aragon
Re: [ActiveDir] UAC Question
David Aragon wrote: http://support.microsoft.com/kb/305144/ discusses the various property flags for the UserAccountControl (UAC). I have tried to set different flags using LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of grief, LOCKOUT. I can clear the bit, but can not set it. This is useful to set for a number of reasons (for example it will prevent a user from logging into a system, but not prevent them from getting their voicemail). Is this normal? Can it be set and if so, how? Is it dependent on other settings (ex. lockoutTime) to be set to remain set?
Yes, this is normal as lockout status is handled based on the lockoutTime attribute in AD. If you want to check it in a Windows 2003 domain you have to use the msDS-User-Account-Control-Computed attribute. AFAIK you would not be able to lock out an account via code. I don't know if it would work for you, but if you need to prevent a particular user from logging on and keep his account alive, you may specify some workstation he would never be able to get to as the only workstation he is allowed to log on to. -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
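An added PowerShell example for this exchange (not David's or Tomasz's code): it reads both userAccountControl and msDS-User-Account-Control-Computed for a user, decodes the bits using the values from KB 305144, and shows where LOCKOUT actually appears, then implements Tomasz's "Log On To" workaround. It assumes a Windows Server 2003 or later domain, a domain-joined machine with read access to the user and write access to userWorkstations for the workaround, and the user name 'jdoe' and host name 'NOLOGON-DECOY' are placeholders of my own.

```powershell
# Added example, not code from the thread. Assumes a 2003+ domain and a domain-joined host.
$UacFlags = @{   # bit values as listed in KB 305144
    SCRIPT = 0x1; ACCOUNTDISABLE = 0x2; HOMEDIR_REQUIRED = 0x8; LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20; PASSWD_CANT_CHANGE = 0x40; ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT = 0x100; NORMAL_ACCOUNT = 0x200; INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000; DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000; SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000; DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000; TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UacFlags {
    # Names of the bits set in a userAccountControl-style integer, lowest bit first.
    param([int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object -Property Value | ForEach-Object { $_.Key }
}

function Get-AccountControlState {
    # Stored flags (writable) next to the DC-computed flags, which is where LOCKOUT lives.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)   # operator input; escape it if it ever comes from users
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    # msDS-User-Account-Control-Computed is a constructed attribute: it is only returned when asked for by name.
    foreach ($a in 'distinguishedName','userAccountControl','msDS-User-Account-Control-Computed','lockoutTime') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "no such user: $SamAccountName" }
    $stored   = [int]$r.Properties['useraccountcontrol'][0]
    $computed = [int]$r.Properties['msds-user-account-control-computed'][0]
    $lockoutTime = $null
    if ($r.Properties['lockouttime'].Count -gt 0 -and [long]$r.Properties['lockouttime'][0] -gt 0) {
        $lockoutTime = [DateTime]::FromFileTimeUtc([long]$r.Properties['lockouttime'][0])
    }
    New-Object PSObject -Property @{
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        StoredFlags       = @(ConvertFrom-UacFlags $stored)        # what you can Put() into userAccountControl
        ComputedFlags     = @(ConvertFrom-UacFlags $computed)      # LOCKOUT / PASSWORD_EXPIRED show up here
        LockedOut         = (($computed -band $UacFlags.LOCKOUT) -ne 0)
        LockoutTimeUtc    = $lockoutTime                           # the value the DC derives LOCKOUT from
    }
}

function Block-InteractiveLogon {
    # Tomasz's workaround: keep the account alive but set its 'Log On To' list to a
    # host that will never exist. This is a logon restriction, not a lockout.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName,
          [string]$DecoyHost = 'NOLOGON-DECOY')   # placeholder; must never be a real machine name
    $user = [ADSI]"LDAP://$DistinguishedName"
    $user.Properties['userWorkstations'].Value = $DecoyHost
    $user.CommitChanges()
}

# Usage:
# $state = Get-AccountControlState -SamAccountName 'jdoe'
# $state.LockedOut; $state.ComputedFlags
# Block-InteractiveLogon -DistinguishedName $state.DistinguishedName
```

Running Get-AccountControlState before and after a lockout shows the point of Tomasz's answer: the 0x10 bit never appears in StoredFlags, only in ComputedFlags, because the DC derives it from lockoutTime and the domain lockout duration rather than from anything written into userAccountControl. The userWorkstations workaround is enforced by the DC against the workstation name presented at logon, so it blocks interactive logons from Windows clients but should be treated as a convenience, not a security boundary; disabling the account (ACCOUNTDISABLE) remains the only hard stop.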
RE: [ActiveDir] Need some user/group tools...
I threw this together for ya to help out: :-)

' Run under cscript.exe: WScript.StdOut.Write only works from the console host.
strUser = "groupname"
strComputer = "domain"
strPath = "WinNT://" & strComputer & "/" & strUser & ",group"
wscript.echo "Path: " & strPath
wscript.echo
Set objUser = GetObject(strPath)
Set objClass = GetObject(objUser.Schema)
'on error resume next
WScript.Echo "Mandatory properties for " & objUser.Name & ":"
For Each property In objClass.MandatoryProperties
    wscript.stdout.write property & vbTab
    WScript.stdout.write objUser.Get(property)
    wscript.echo
Next
WScript.Echo "Optional properties for " & objUser.Name & ":"
For Each property In objClass.OptionalProperties
    wscript.stdout.write property & vbTab
    WScript.stdout.write TypeName(objUser.Get(property)) & vbTab
    WScript.stdout.write objUser.Get(property)
    wscript.echo
Next
' Direct members of the group through the WinNT provider (works against NT domains as well).
Set arr = objUser.Members
For Each str In arr
    wscript.echo str.Class & " " & str.Name
Next

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 11:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Need some user/group tools...
That's not even fair, I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?

On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote: You can certainly get all the piece parts from here: http://rallenhome.com/books/adcookbook/code.html And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here: http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 7:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Need some user/group tools...
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from. 1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects) 2) I need to be able to export a list of groups with their list of members and memberships. (AD objects) 3) I need to be able to export a list of groups with their list of members and memberships. (NT objects) Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a vbscript to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL. Thanks for any help that can be provided.
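The "connect the dots" part of Matt's request, nested membership resolved across domains and written to CSV, as an added PowerShell example. It is not Michael's script above (which covers the WinNT side) and assumes the AD domains are in one forest or trusted, so that LDAP://<dns name> binds to a DC in each; the domain names in the usage lines are placeholders and the function names are my own. Rather than trusting memberOf on the user's own DC, which only sees groups whose member attribute that DC holds, it searches every listed domain for (member=<dn>) and walks the result breadth-first.

```powershell
# Added example, not code from the thread. Assumes one forest or trusted domains.
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing '(' ')' '*' or '\' cannot rewrite the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DirectGroups {
    # Groups in one domain whose 'member' attribute names this DN (direct membership only).
    param([string]$MemberDn, [string]$DomainRoot)   # $DomainRoot like 'LDAP://corp.example.com'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]$DomainRoot
    $s.Filter   = "(&(objectClass=group)(member=$(ConvertTo-LdapFilterValue $MemberDn)))"
    $s.PageSize = 1000                               # paged results, so >1000 groups are not truncated
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $results = $s.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['distinguishedname'][0] }
    } finally {
        $results.Dispose()
    }
}

function Expand-GroupMembership {
    # Breadth-first walk over nested membership across every listed domain. The 'seen'
    # table stops cycles (A in B, B in A) and diamonds from looping or duplicating rows.
    param([Parameter(Mandatory=$true)][string]$StartDn,
          [Parameter(Mandatory=$true)][string[]]$DomainRoots)
    $seen = @{}
    $seen[$StartDn] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Dn = $StartDn; Depth = 0 })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($root in $DomainRoots) {
            foreach ($groupDn in @(Find-DirectGroups -MemberDn $item.Dn -DomainRoot $root)) {
                if ($seen.ContainsKey($groupDn)) { continue }
                $seen[$groupDn] = $true
                New-Object PSObject -Property @{
                    Principal = $StartDn
                    Group     = $groupDn
                    Via       = $item.Dn                 # the object whose membership led here
                    Depth     = $item.Depth + 1          # 1 = direct, 2+ = nested
                }
                $queue.Enqueue(@{ Dn = $groupDn; Depth = $item.Depth + 1 })
            }
        }
    }
}

# Usage: one CSV row per (principal, group) pair with nesting resolved across domains.
# Expand-GroupMembership -StartDn 'CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com' `
#     -DomainRoots 'LDAP://corp.example.com','LDAP://eu.example.com' |
#     Export-Csv -Path .\membership.csv -NoTypeInformation
```

Two things this deliberately does not pretend to cover: the primary group (primaryGroupID, usually Domain Users) is not in any group's member attribute and has to be added separately, and members from another forest or from an NT domain appear in AD as foreignSecurityPrincipal objects, so for those the walk has to start from the FSP's DN rather than the user's, with the NT-side members themselves enumerated through the WinNT provider as in Michael's script. Starting the walk from a group DN instead of a user DN gives Matt's item 2 (a group's own memberships) with the same code.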
RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Ok, thanks for getting back to us RM. So my guesstimate with 100k users was just slightly off ;-) But now I wonder what in the world you store in your AD to have the DIT grown to 650MB with your user and computer population. Is this 2000 or 2003? Have you disabled Distributed Link Tracking? /Guido

-Original Message- From: RM [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 02, 2006 6:32 AM To: Grillenmeier, Guido Cc: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
On Tue, 1 Aug 2006 18:29:24 +0100, Grillenmeier, Guido [EMAIL PROTECTED] said: Richard doesn't seem to be too keen on giving us further details - too bad.
Sorry, been busy... 400 unread msgs from this list, got some catching up to do.
What does the current environment look like? How extensive is your Exchange deployment going to be?
4800 user accounts, 3500 computer accounts. Maybe 3000-ish Exchange users? I'm leaning towards doing 64-bit everywhere we possibly can. It does seem like the more forward looking option. RM
[ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
Hi guys, I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g* Many thanks to all, Bart
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. And, while you're at it, how about removing administrator rights from all of your end users
I don't agree with your point regarding local admin rights. Yes I agree; having local admin rights is definitely a bad thing as far as security is concerned, but I can speak from experience that many times as much as I dreaded doing it, I had to give it to users. The reason was users were simply not able to do their work. Runas, etc. did not work or worked half of the time, and no matter how much time I spent, the quickest and most simple solution was to just give them admin rights. I tend to think most of the problem lies with MSFT Windows application developers for designing an OS and writing code, which require all or nothing admin privileges. Ironically most of those users were application developers themselves! Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 01, 2006 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Thanks Joe. Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the badness of having lots of over-privileged admins is not the accidental stupidity (hmmm...is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. So, no matter how privileged an administrator was, nothing that they did went unseen, untested and didn't come with a rock-solid back out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops. No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. I'd be much less worried from a DA that accidentally deletes an OU than I would be from a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data that compromises security, privacy or other critical business stuff. I have yet to see such a targeted attack but I am guessing it's only a matter of time. So, yes, absolutely get rid of all those extra DAs, but not just because they do stupid admin tricks, but also because they open up your AD to all kinds of nasty attacks. And, while you're at it, how about removing administrator rights from all of your end users

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, July 31, 2006 7:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Yeah I know where you are coming from Darren but absolutely can't say it is ok because I do not believe it is ok at all. I think saying it is ok or that it is understandable will relax people about it and people absolutely should not be relaxed about it or feel that they can't do anything about it and that it isn't their responsibility to try and get corrected. It is a very bad thing and they need to always have that spectre over them where they know it. That helps, I think, in making it so it isn't a surprise when something inevitably screws up and no one can sit there saying, wow, I had no idea it was that bad of a thing. People need to be working towards locking down their environment every moment and looking for bad things and removing them every second. It is a long slow climb uphill but if the work isn't done, it will never happen until maybe, hopefully not, something absolutely blows and everyone has to jump and try to figure out how to do it in one fell swoop. I saw the same logic of the people really don't know what they can do... used for running an Enterprise Data Center back in 1999 and this was with hundreds of NT servers and many domains and application owners were just given admin rights over all of these boxes and it was status quo; none of the people had a clue what kind of rights they had and figured anything bad they were actually
Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
RedEarth Software policypatrol.com Wizard and GUI. The SBS way: There are instructions at www.smallbizserver.net (I think they are still in the free docs) ...but I'm blonde and GUI and policy patrol works. If you are cheap, GFI's mail scanner ...install the trial version and when it expires the disclaimer stays (or last I heard)

Bart Van den Wyngaert wrote: Hi guys, I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g* Many thanks to all, Bart

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Alex- I think you've proved my point by saying, "having local admin rights is definitely a bad thing as far as security is concerned". :-). But of course you are pointing out the underlying dilemma that administrators have faced while trying to create a least-privileged user environment. Frankly, I agree with you. It is easier to grant local admin. rights in some cases rather than trying to work around it. I have had to do that myself in a past life. But I also managed to create and support an environment for around 20,000 users (in NT 3.5 and 4.0 no less) that did not require most users to have local admin rights. But it was not easy and it was not a secure solution--it basically involved relaxing file system and registry permissions as needed to allow specific apps to run. Yes the problem is absolutely with how the OS and most applications are written--generally badly. And yes, the problem becomes a lot less painful to manage with Vista and UAC. But in the meantime, as the Internet has exposed the soft underbelly of an all-admin environment, people continue to get worms and other malware that has a serious effect on their business and its security. Frankly, I think that with some of the recent advances in ISV solutions around this--with products that let you selectively elevate privileges by application, that this problem can be managed. But then of course, you do have to spend money on it! Vista will provide an in-the-box solution that I suspect many will find irritating, but effective. Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard Sent: Wednesday, August 02, 2006 1:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. And, while you're at it, how about removing administrator rights from all of your end users
I don't agree with your point regarding local admin rights. Yes I agree; having local admin rights is definitely a bad thing as far as security is concerned, but I can speak from experience that many times as much as I dreaded doing it, I had to give it to users. The reason was users were simply not able to do their work. Runas, etc. did not work or worked half of the time, and no matter how much time I spent, the quickest and most simple solution was to just give them admin rights. I tend to think most of the problem lies with MSFT Windows application developers for designing an OS and writing code, which require all or nothing admin privileges. Ironically most of those users were application developers themselves! Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 01, 2006 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Thanks Joe. Interestingly, I agree with what you're saying here, but not for exactly the same reason. I happen to think that the "badness" of having lots of over-privileged admins is not the accidental stupidity (hmmm...is that an oxymoron?), although we know that happens. This actually gets to the heart of what I think is wrong with how some Windows shops are managed. When I worked in larger environments that had mainframes, there was rigorous change control over absolutely every little thing that was done. So, no matter how privileged an administrator was, nothing that they did went unseen, untested and didn't come with a rock-solid back out plan. Enter the distributed world of Windows and all bets are off. Having lots of domain admins is not a problem, in and of itself, if you follow good change management practices, because presumably none of those DAs would dare make a change for fear of having their heads chopped off. But that is a cultural thing that does not exist in most Windows shops. No, I think the bigger problem with having lots of over-privileged admins is the same problem we have with organizations that make all of their users admins on their local machines--that of over-privileged users being targets for malware that take advantage of their privileges to do nasty things. I'd be much less worried from a DA that accidentally deletes an OU than I would be from a DA who accidentally clicks on that website that downloads malicious code that is smart enough to take advantage of that user's DA status to get at or modify corporate directory data that compromises security, privacy or other critical business stuff. I have yet to see such a targeted attack but I am guessing it's only a matter of time. So, yes, absolutely get rid of all those extra DAs, but not just because
RE: [ActiveDir] Remove Defunct domains..
That's a browser function, not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL by doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
RE: [ActiveDir] Remove Defunct domains..
If you use WINS, check for them in there and delete if required.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 02 August 2006 22:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
RE: [ActiveDir] Remove Defunct domains..
That would depend upon whether or not the domains are appearing because of metadata, or whether they're appearing because of "bad" browsing information. Do the domains appear anywhere besides Network Neighborhood? Is WINS in use? If so, are there entries in WINS representing the domains? Without knowing exactly where the defunct domains are appearing and where they aren't, it's tough to call whether or not it's a problem of metadata or browsing.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL by doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
RE: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
Loads of tools, as Susan says, but just to note the GFI one no longer works - one of my engineers tried it a couple of months ago.

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 02 August 2006 22:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

RedEarth Software
policypatrol.com
Wizard and GUI

The SBS way
There are instructions at www.smallbizserver.net (I think they are still in the free docs) ...but I'm blonde and GUI and Policy Patrol works.

If you are cheap
GFI's mail scanner ...install the trial version and when it expires the disclaimer stays (or last I heard)

Bart Van den Wyngaert wrote:

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g*

Many thanks to all,
Bart

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
RE: [ActiveDir] UAC Question
Thank you Tomasz for the clarification on UAC. If I understand you, then if the lockoutTime were set to some non-0 value (a time, say, in the next year? or last year?) this would trigger the lockout bit to be set. The presumption being that the lockoutTime can be set.

David Aragon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 02, 2006 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UAC Question

David Aragon wrote:

http://support.microsoft.com/kb/305144/ discusses the various property flags for the UserAccountControl (UAC). I have tried to set different flags using LDP, ADSIEdit, and vbScript. One flag in particular is giving me a lot of grief, LOCKOUT. I can clear the bit, but can not set it. This is useful to set for a number of reasons (for example it will prevent a user from logging into a system, but not prevent them from getting their voicemail). Is this normal? Can it be set and if so, how? Is it dependent on other settings (ex. lockoutTime) to be set to remain set?

Yes, this is normal, as lockout status is handled based on the lockoutTime attribute in AD. If you want to check it in a Windows 2003 domain you have to use the msDS-User-Account-Control-Computed attribute. AFAIK you would not be able to lock out an account via code. I don't know if it would work for you, but if you need to prevent a particular user from logging on and keep his account alive, you may specify some workstation he would never be able to get to as the only workstation he is allowed to log on to?

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
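The derivation Tomasz describes, as an added Python example rather than code from the thread or from Microsoft: the stored LOCKOUT bit is discarded and the status is recomputed from lockoutTime and the domain's lockoutDuration, which is why the bit can be cleared but never made to stick. The flag values are from KB 305144; the helper names, the sample timestamp and the LOCKOUT_FOREVER constant are assumptions.

```python
"""Model of how the LOCKOUT status is derived from lockoutTime.

Added example, not code from the thread or from Microsoft. Decodes
userAccountControl flags (values from KB 305144) and models the LOCKOUT
bit of msDS-User-Account-Control-Computed as a value derived from
lockoutTime and the domain lockoutDuration, not as a stored bit.
Helper names, SAMPLE_NOW and LOCKOUT_FOREVER are assumptions.
"""
from datetime import datetime, timezone

# userAccountControl flags from KB 305144 (subset)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
LOCKOUT = 0x0010

# lockoutTime is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration on the domain head is a negative tick interval, e.g. 30 minutes
# = -18_000_000_000. Assumption: the minimum int64 means "until an admin unlocks".
LOCKOUT_FOREVER = -(2 ** 63)
# Constructed reference time for the worked example.
SAMPLE_NOW = datetime(2006, 8, 2, 12, 0, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks, in integer arithmetic (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_uac(value: int) -> list:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def computed_lockout(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Derive LOCKOUT from lockoutTime (FILETIME, 0 = not locked) and lockoutDuration
    (negative ticks): locked while now < lockoutTime + |lockoutDuration|."""
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_FOREVER:
        return True  # only writing 0 to lockoutTime (an admin unlock) clears this
    return to_filetime(now) < lockout_time + (-lockout_duration)


def effective_uac(stored_uac: int, lockout_time: int, lockout_duration: int,
                  now: datetime) -> int:
    """userAccountControl as the computed attribute reports it: the stored LOCKOUT
    bit is thrown away and replaced by the derived value."""
    base = stored_uac & ~LOCKOUT
    return base | LOCKOUT if computed_lockout(lockout_time, lockout_duration, now) else base


if __name__ == "__main__":
    thirty_min = -18_000_000_000
    now_ticks = to_filetime(SAMPLE_NOW)
    recent = now_ticks - 6_000_000_000    # locked out 10 minutes ago
    stale = now_ticks - 72_000_000_000    # locked out 2 hours ago
    print(decode_uac(0x10202))
    print(computed_lockout(recent, thirty_min, SAMPLE_NOW))        # inside the window
    print(computed_lockout(stale, thirty_min, SAMPLE_NOW))         # window elapsed
    print(computed_lockout(stale, LOCKOUT_FOREVER, SAMPLE_NOW))    # until admin unlock
    print(hex(effective_uac(0x212, 0, thirty_min, SAMPLE_NOW)))    # stored bit ignored
```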
[ActiveDir] Granting Exchange Mailbox Access
In an effort to cut down on service account abuse, I've been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003 with. Sometimes, the Exchange Administrators will need to access a user's mailbox to assist with various issues, and I'm having trouble delegating that right to the members of the Exchange Full Administrators group.

I have created a domain security group named simply Exchange Full Administrators, and I delegated Exchange Full Administrator rights to that security group at the organizational level. So anyone in that security group should have full administration rights. I've had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however, I'm having trouble finding exactly where to delegate rights to give this security group full access to everyone's mailbox.

Any thoughts?

Thanks,
~Ben
RE: [ActiveDir] Remove Defunct domains..
Ah right, I read the initial question wrong and thought you were trying to rid yourself of an old domain that no longer exists. It certainly sounds more like a browsing issue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Saturday, September 02, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That would depend upon whether or not the domains are appearing because of metadata, or whether they're appearing because of bad browsing information. Do the domains appear anywhere besides Network Neighborhood? Is WINS in use? If so, are there entries in WINS representing the domains? Without knowing exactly where the defunct domains are appearing and where they aren't, it's tough to call whether or not it's a problem of metadata or browsing.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL by doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
RE: [ActiveDir] Remove Defunct domains..
dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing data comes from WINS, and the database will tell you where those records are coming from. You can address it via the hosts if it's coming from there, or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function, not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL by doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
RE: [ActiveDir] Granting Exchange Mailbox Access
The perm you're looking for is Receive As on the Mailbox store. The problem is that delegating Exchange Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As, and that gets replicated all the way down to the mailboxes. So even if you grant your group the required perms, if they've been delegated EFA, the Deny will override it. I'd imagine you can remove the Deny ACE manually, but we just skipped the delegation wizard and added the ACE for Receive As for our Mailbox Admins.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting Exchange Mailbox Access

In an effort to cut down on service account abuse, I've been removing and reducing privileges left and right. I have delegated Exchange Full Administrator rights to a few users who had previously been using the service account we originally installed Exchange 2003 with. Sometimes, the Exchange Administrators will need to access a user's mailbox to assist with various issues, and I'm having trouble delegating that right to the members of the Exchange Full Administrators group.

I have created a domain security group named simply Exchange Full Administrators, and I delegated Exchange Full Administrator rights to that security group at the organizational level. So anyone in that security group should have full administration rights. I've had to delegate a few other rights in Active Directory for some other reasons to this new security group (for instance to give this security group rights to modify the dynamic mailing list OU); however, I'm having trouble finding exactly where to delegate rights to give this security group full access to everyone's mailbox.

Any thoughts?

Thanks,
~Ben
[ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Re: [ActiveDir] Remove Defunct domains..
Hey guys -

Yes, I'm using WINS. Yes, they are appearing outside of Network Neighborhood. What exactly would I examine (node type) that would help me pinpoint where these are appearing? And how to get rid of it? Definitely appears to be a browsing issue? How can I force who is the master browser for the domain? All workstations are Windows 2000 and Windows XP.

I'm also seeing workgroups that should have never been created and I'm now policing against -- any way to rid myself of this or detect where they are being generated?

Thanks

On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing data comes from WINS, and the database will tell you where those records are coming from. You can address it via the hosts if it's coming from there, or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function, not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names…

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL by doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually? ADSI Edit?

--
HBooGz:\
Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
We actually use a script at work after having tried a few products and having terrible performance problems. If you are interested, I'll ping one of the Exchange guys and see if he can provide a little direction.

Once you actually get it working from a plumbing standpoint, the script itself is actually a bit trickier to implement than the trivial sample MS shows. You have to decide if you are going to put HTML into HTML body parts, text into text body parts, both into messages that have both, and what to do about signed messages, as the disclaimer will change the data and invalidate the digital signature. You also need to be careful you don't screw up the encoding of messages in non-ASCII or ISO-8859-1 character sets. You can also decide if you want to add the disclaimer to messages that already contain it (sometimes mail routing may cause a message to hit the sink more than once) or not, and if you care about that, how do you decide if the disclaimer is in there? :)

Ours still has some issues with a few of these points, but some of the problems were too tough to deal with for the people who were trying to solve them, so they just slid.

Joe K.

----- Original Message -----
From: Bart Van den Wyngaert [EMAIL PROTECTED]
To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g*

Many thanks to all,
Bart
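The decisions Joe lists, worked through as an added example with Python's email package (not the thread's VBS event sink or Microsoft's sample): a disclaimer per body-part type, multipart/signed left untouched, each part re-encoded in its original charset, and a marker header so a message that hits the sink twice is stamped once. The disclaimer text, the marker header name and the sample messages are constructed.

```python
"""Disclaimer-sink decision logic for the cases Joe lists.

Added example, not the thread's VBS sink or any Microsoft sample: the same
decisions applied to a MIME message with Python's email package instead of
CDO. Disclaimer text and marker header name are assumed placeholders; the
sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

DISCLAIMER_TEXT = "\n-- \n[Company disclaimer goes here]\n"                     # assumed
DISCLAIMER_HTML = '<p class="x-disclaimer">[Company disclaimer goes here]</p>'  # assumed
MARKER = "X-Disclaimer-Added"  # assumed header; marks a message the sink already stamped


def insert_html(html: str) -> str:
    """Put the HTML disclaimer inside <body> when there is one, else append it."""
    idx = html.lower().rfind("</body>")
    return html + DISCLAIMER_HTML if idx < 0 else html[:idx] + DISCLAIMER_HTML + html[idx:]


def add_disclaimer(msg: EmailMessage) -> str:
    """Stamp msg in place; returns 'duplicate', 'signed', 'added' or 'no-text-part'."""
    # Idempotency: a message routed through the sink twice carries the marker header.
    # (Matching on body text instead would misfire on replies that quote the disclaimer.)
    if MARKER in msg:
        return "duplicate"
    # Any multipart/signed part: appending text would invalidate the digital signature.
    if any(p.get_content_type() == "multipart/signed" for p in msg.walk()):
        return "signed"
    touched = 0
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue  # containers and attached .txt/.html files are left alone
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        charset = part.get_content_charset() or "us-ascii"
        body = part.get_content()  # decoded with the part's own charset
        body = body + DISCLAIMER_TEXT if ctype == "text/plain" else insert_html(body)
        # Re-encode in the original charset so ISO-8859-1 text stays ISO-8859-1.
        part.set_content(body, subtype=ctype.split("/")[1], charset=charset)
        touched += 1
    if touched == 0:
        return "no-text-part"
    msg[MARKER] = "yes"
    return "added"


def process(raw: str) -> tuple:
    """Parse a raw RFC 822 message (what a sink sees) and stamp it."""
    msg = email.message_from_string(raw, policy=policy.default)
    return add_disclaimer(msg), msg


def sample_alternative() -> str:
    """Constructed multipart/alternative message in ISO-8859-1 (plain + HTML parts)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "Test"
    m.set_content("Caf\u00e9 au lait\n", charset="iso-8859-1")
    m.add_alternative("<html><body><p>Caf\u00e9 au lait</p></body></html>",
                      subtype="html", charset="iso-8859-1")
    return m.as_string()


SAMPLE_SIGNED = (  # constructed; the base64 blob is a placeholder, not a real signature
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha1; boundary="s1"\n\n'
    "--s1\nContent-Type: text/plain\n\nSigned body\n"
    "--s1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--s1--\n"
)


if __name__ == "__main__":
    status, stamped = process(sample_alternative())
    print(status)
    print(stamped.as_string())
    print(process(SAMPLE_SIGNED)[0])   # signed: left alone
    print(add_disclaimer(stamped))     # second pass: duplicate
```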
Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
This is an SBS box. We may have performance problems... but it's certainly not caused by a SMTP sink event on that Exchange server ;-) Remember, at the most we're only hosting 75 users/devices on that server with a max of 75 gigs (remember, no snickering from the Enterprise folks) of Store.

(And reading his message... see why I went with Policypatrol?)

Joe Kaplan wrote:

We actually use a script at work after having tried a few products and having terrible performance problems. If you are interested, I'll ping one of the Exchange guys and see if he can provide a little direction.

Once you actually get it working from a plumbing standpoint, the script itself is actually a bit trickier to implement than the trivial sample MS shows. You have to decide if you are going to put HTML into HTML body parts, text into text body parts, both into messages that have both, and what to do about signed messages, as the disclaimer will change the data and invalidate the digital signature. You also need to be careful you don't screw up the encoding of messages in non-ASCII or ISO-8859-1 character sets. You can also decide if you want to add the disclaimer to messages that already contain it (sometimes mail routing may cause a message to hit the sink more than once) or not, and if you care about that, how do you decide if the disclaimer is in there? :)

Ours still has some issues with a few of these points, but some of the problems were too tough to deal with for the people who were trying to solve them, so they just slid.

Joe K.

----- Original Message -----
From: Bart Van den Wyngaert [EMAIL PROTECTED]
To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g*

Many thanks to all,
Bart

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
Susan, how on earth could _you_ get a lingering object? Seems impossible with only one DC, oh wait, did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
http://support.microsoft.com/?kbid=910205
Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
You know us blondes... With barely a twig, let alone a tree, in our forest... and I'll have you know this twig is a clean-installed 2k3 domain (I strongly believe in no in-place even in our twig domains down here).

(And for the record, for everyone's trivia tonight: while I choose to have a single DC (at this time)... SBS can support additional DCs in our domain.) Hey... I've even used ntdsutil and ADSIedit even down here ;-)

Brett Shirley wrote:

Susan, how on earth could _you_ get a lingering object? Seems impossible with only one DC, oh wait, did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:
http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
Sure, I saw the message and remembered that we were still using a disclaimer script for this, so I thought I'd offer some help, but a word of caution about the fact that the script can get tricky. With only that many users, many of those problems might never show up. We have a few more users than that (ok, 4 orders of magnitude!), so we see a lot of weird stuff that is hard to even imagine when you are testing the code. :)

The product is probably a better choice, especially if it is cheap. We really did try to buy a product to do this, as we wanted more features and fewer problems (or someone else to blame them on), but only the script had reasonable performance. Everything else brought our gateways to their knees and had to be disabled. I was shocked by this, actually. :)

Joe K.

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:24 PM
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

This is an SBS box. We may have performance problems... but it's certainly not caused by a SMTP sink event on that Exchange server ;-) Remember, at the most we're only hosting 75 users/devices on that server with a max of 75 gigs (remember, no snickering from the Enterprise folks) of Store.

(And reading his message... see why I went with Policypatrol?)

Joe Kaplan wrote:

We actually use a script at work after having tried a few products and having terrible performance problems. If you are interested, I'll ping one of the Exchange guys and see if he can provide a little direction.

Once you actually get it working from a plumbing standpoint, the script itself is actually a bit trickier to implement than the trivial sample MS shows. You have to decide if you are going to put HTML into HTML body parts, text into text body parts, both into messages that have both, and what to do about signed messages, as the disclaimer will change the data and invalidate the digital signature. You also need to be careful you don't screw up the encoding of messages in non-ASCII or ISO-8859-1 character sets. You can also decide if you want to add the disclaimer to messages that already contain it (sometimes mail routing may cause a message to hit the sink more than once) or not, and if you care about that, how do you decide if the disclaimer is in there? :)

Ours still has some issues with a few of these points, but some of the problems were too tough to deal with for the people who were trying to solve them, so they just slid.

Joe K.

----- Original Message -----
From: Bart Van den Wyngaert [EMAIL PROTECTED]
To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g*

Many thanks to all,
Bart