RE: [ActiveDir] Handling different schemas - managing maintaining updates
The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema). Note however, that it doesn’t find differences at the level of properties you have set for your schema objects, for example it doesn’t find the difference in the searchFlags for an attribute that exists in both schemas. As such you need to know how close you want your schema to match and likely need to do an exact compare either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools.

In general I would want to question what your goal is – like Al I am assuming you want to make the schema more manageable. Basically a convenience so you don’t have to worry about managing and documenting the differences. That’s quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system) – in this case, you may need to keep your schemas fully in sync.

I would not much discuss the security with respect to the Schema classes and attributes stored in the different Forest schemas – I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data do you plan to replicate between the two? Let’s assume you are storing sensitive data in one of your forests, for example, you may store the social security number of your employees in a company specific attribute called “MyCompany-Employee-SSN”, and you have even done everything to hide this data from normal read access (i.e. you’ve configured it as a confidential attribute). Do you want this data to be replicated to the other forests? If not, then I would also not suggest to add the special schema attribute to your other forests schema, since this way you hinder it from being synced by accident (not saying you couldn’t sync it elsewhere).

If later there is a necessity to replicate the data across to the other forest(s) you could add a simple procedure in your ITIL processes that would ensure that the target schemas need to be updated appropriately prior to replicating the data.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, September 14, 2006 3:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Handling different schemas - managing maintaining updates

Yep, the schema analyzer would be a good tool to have hold of.

I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter?) Or is there some other goal you're describing? I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team can control it and/or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities so it makes sense.

I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed.

ITIL? Nice to have. Of course the term, trust, but verify keeps ringing in my head but it's still nice to have such a process in use.

Al

On 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote:

I like this advice as well. In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository. As such, I believe LDIF files are the one true way to maintain your custom schema stuff.

The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here.

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates

Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal.

As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).

neil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
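
The property-level compare of two LDIF schema dumps mentioned in this thread (for example a searchFlags difference on an attribute that exists in both schemas) could look like the following. This is an added example, not code from any poster on the list; the two LDIF dumps, the forest names, the lDAPDisplayName values and the list of compared properties are constructed assumptions.

```python
"""Compare two LDIF schema dumps property by property (constructed sample data)."""
import base64

# Properties compared on each schema object; this list is an assumption, extend as needed.
COMPARED = ("attributeSyntax", "oMSyntax", "isSingleValued", "searchFlags",
            "isMemberOfPartialAttributeSet")

# searchFlags is a bit mask; 0x80 marks a confidential attribute.
SEARCH_FLAG_BITS = {0x01: "INDEX", 0x02: "CONTAINER_INDEX", 0x04: "ANR",
                    0x08: "PRESERVE_ON_DELETE", 0x10: "COPY",
                    0x20: "TUPLE_INDEX", 0x80: "CONFIDENTIAL"}


def decode_search_flags(value):
    """Turn a searchFlags integer string into the names of the bits that are set."""
    flags = int(value)
    return [name for bit, name in sorted(SEARCH_FLAG_BITS.items()) if flags & bit]


def parse_ldif(text):
    """Return {lDAPDisplayName: {attribute (lower case): [values]}} for schema objects."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]               # folded line continues the previous one
        elif not raw.startswith("#"):          # skip comments
            lines.append(raw)
    records, current = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if line.strip():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(name.strip().lower(), []).append(value)
            continue
        classes = {c.lower() for c in current.get("objectclass", [])}
        if classes & {"attributeschema", "classschema"} and "ldapdisplayname" in current:
            records[current["ldapdisplayname"][0]] = current
        current = {}
    return records


def compare_schemas(source, target):
    """List (object, property, source value, target value) for every difference."""
    target_by_key = {name.lower(): rec for name, rec in target.items()}
    findings = []
    for name in sorted(source):
        other = target_by_key.get(name.lower())
        if other is None:
            findings.append((name, "(object)", "present", "missing"))
            continue
        for prop in COMPARED:
            a = source[name].get(prop.lower(), ["<not set>"])
            b = other.get(prop.lower(), ["<not set>"])
            if sorted(a) != sorted(b):
                findings.append((name, prop, ",".join(a), ",".join(b)))
    return findings


def describe(prop, value):
    """Add the decoded bit names to a searchFlags value for the report."""
    if prop == "searchFlags" and value.isdigit():
        return f"{value} ({'|'.join(decode_search_flags(value)) or 'none'})"
    return value


FOREST_A = """\
# constructed sample: schema dump of the source forest
dn: CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=foresta,
 DC=example
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: myCompanyEmployeeSSN
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 128

dn: CN=MyCompany-Badge-Id,CN=Schema,CN=Configuration,DC=foresta,DC=example
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: myCompanyBadgeId
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
"""

FOREST_B = """\
# constructed sample: schema dump of the target forest
dn: CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=forestb,DC=example
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: myCompanyEmployeeSSN
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 0
"""

if __name__ == "__main__":
    for name, prop, a, b in compare_schemas(parse_ldif(FOREST_A), parse_ldif(FOREST_B)):
        print(f"{name}: {prop}: source={describe(prop, a)} target={describe(prop, b)}")
```

In the sample, the attribute exists in both dumps but is confidential only in the source forest, which is the kind of difference a missing-object compare does not report.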
RE: [ActiveDir] Isolating a DC
Agree, isolating by site is often confused with requiring a separate subnet and thus extra efforts on the networking infrastructure. That's actually not the case. You can create your AD site and just assign it a 32bit masked IP address as the subnet if the other sites are properly configured, this will ensure that no client will try to leverage the DC in this special site.

Realize that a separate site doesn't take care of the generic DC lookups performed by clients (e.g. when they join the domain or when all DCs in their site fail) however, adjusting the priorities in DNS and configuring the DNS mnemonics appropriately for the DC in the special site will also take care of this extra challenge (should be described in the Exchange Server Site doc for which Brian previously provided the link).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Yeah, I didn't mean to sound so negative it just seems like isolating by site (which is a logical, not physical barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything. The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I thought his original request was to make sure that no other client talks to the isolated server except those permitted.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients to be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than OMG, a (gasp) *user* authenticated against my application DC.

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a keep it simple perspective.

Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935 Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech
RE: [ActiveDir] Block Inheritance on DC OU
Are we actually talking blocking GPO inheritance, or ACL inheritance?

If GPO I tend to agree with Darren (as with anything on GPO :) ), as I don't think that any change in either the Default Domain or the Default Domain Controller policy should be implemented without testing (so if blocking the GPOs was setup to protect the DCs it should give you more headaches than benefits as you'd need to apply all policy settings from the domain policy separately to the default DC policy).

If ACLs on the OU, I wouldn't say it's a big deal. All the ACLs required for the DCs to do their work are set explicitly at the DC OU level. The inheritance really only matters for the pre-win2k compatible group ACE, which is not required on the DC OU (just happens to be set for inheritance from the root of the domain). Not saying it's a good idea to block ACL inheritance on this OU, but it doesn't hurt you.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,
~Ben
RE: [ActiveDir] Block Inheritance on DC OU
You say "Obvious" but is this obvious? What happens in the case of password policy. This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that it does, but I wonder if anyone has tested it or has any docs on what actually happens.
[ActiveDir] CSVDE Export
Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on regular basis.

the syntax is

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l "name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName"

on occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files

many thanks
mark
[ActiveDir] Any impacts to domain controller when changing its IP?
Dear all,

Because our company is being merged by another company, in the process of integration we need change the internal IP address and computer name. Our domain controller of Windows Server 2003. We have to change its computer name and internal IP but no need to change the domain name, because we want to let run for 3 months.

Anyone could tell me what impacts brought by these changes? Any suggestions would be appreciated!

With best regards
Jobs.Zhao
RE: [ActiveDir] Sharepoint in the DMZ
Thank you

Is he in NY?

Thanks
Russ

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ

Hi Russ,

I have a friend with a lot of experience as Sharepoint administrator in different environments, this is what he suggested.

BTW, although he is currently working in the same company than me, he is looking to move to another company, in case you need someone.

Rezuma

They should only open port 443 from the internet and use SSL if it will be used with AD users. If it's dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to create an IPSec tunnel from web server to inside (dbase or exchange) server using the MS built in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it's a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

I don't have an opinion on using a child domain, it will work fine but if security is the reason, I'd build a separate domain and use a trust maybe.

What do you think?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all

I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

- Create a child domain and put the Sharepoint computer account in the child domain
- Put Sharepoint server in our DMZ.
- Open up the same ports for Sharepoint that we would open for Outlook Web Access
- Also open port 1433 for SQL

Since I don't know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you
Russ
RE: [ActiveDir] Sharepoint in the DMZ
No problem at all, he is actually living in MD.

Let me know if you would like his contact info.

Rezuma
Re: [ActiveDir] Any impacts to domain controller when changing its IP?
In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP WINS kitchen sink stuff, etc

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.
Re: [ActiveDir] Any impacts to domain controller when changing its IP?
If you want to change the computer name you need to demote the server, wait for replication then change the server name at this stage I would re ip the server, then dcpromo the server again.

This is of course assuming you have multiple DC's if not and it's only for 3 months keep then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
I am about to embark on a similar task. I have a root DC running DNS that is slowly dying. I have a fresh server to take its place. The fresh server will use a new hostname.

Two scenarios I envision:

(1) Promote and install DNS on the fresh server, using a temporary IP Address. Make the fresh box a GC. Migrate FSMOs from the dead server, remove its GC, demote, remove DNS and remove it from the domain, and then shutdown the dying server. Ensure all replication and computer objects are gone. Assign the dying server's IP to the fresh server.

-or-

(2) Demote, remove DNS and shutdown the dying server. Assign its IP to the fresh server. Promote and install DNS on the fresh box.

I am thinking scenario (1) would be the cleanest, albeit more time consuming, scenario.

Any thoughts? Thanks!
[ActiveDir] OT: Protecting against Spyware/Adware
Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
have a look at:

http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx

which might help you on your way

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address
RE: [ActiveDir] CSVDE Export
Hey,

Don't know why csvde would change the order, but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query. Below gets just the user accounts in the OU. If you want everything in the OU, remove the -f "(&(objectcategory=person))" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on a regular basis. The syntax is

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

On occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times. Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files?

Many thanks,
Mark

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
"If you want to change the computer name you need to DEMOTE the server"

Isn't that for w2k only? (He's got w2k3.)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name; at this stage I would re-IP the server, then dcpromo the server again.

This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address?

Make sure DNS functions correctly.

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: "McClure, David (MED US)" [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller runs Windows Server 2003. We have to change its computer name and internal IP but do not need to change the domain name, because we want to let it run for 3 months. Could anyone tell me what impacts these changes would bring? Any suggestions would be appreciated!

With best regards,
Jobs.Zhao
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-

I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc.

I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
RE: [ActiveDir] OT: Protecting against Spyware/Adware
We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I "okayed" that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Had Trend OfficeScan with Damage Cleanup Service on somewhere between 60K and 90K devices. Worked great, they had graphs showing how well it worked based on some custom data collection they did.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Chris,

I gather we tweaked ours so it only used a certain % of system resources (20% I think) and while it does have some impact on performance it does seem "livable with" now they have done that.

Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: 14 September 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] Specifying builtin accounts in GPO settings.
I'm not disregarding what has happened in this thread since Matt asked if he could wildcard the IWAM account name. In fact, I can't even answer that question authoritatively, but my gut feeling says that it won't work.

Matt can, however, delegate the logon locally right to a group, then add the IWAM accounts to that group. This should be easier than adding every server's IWAM account to the policy. In both cases, you will still have to add any new IWAM accounts, whether it's to the policy or to the group.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, September 13, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-

I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc.

I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it
RE: [ActiveDir] Sharepoint in the DMZ
Can you send me his resume offline?

Thanks,
Russ

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 14, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

No problem at all, he is actually living in MD. Let me know if you would like his contact info.

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, September 14, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

Thank you. Is he in NY?

Thanks,
Russ

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ

Hi Russ,

I have a friend with a lot of experience as Sharepoint administrator in different environments, this is what he suggested. BTW, although he is currently working in the same company as me, he is looking to move to another company, in case you need someone.

Rezuma

They should only open port 443 from the internet and use SSL if it will be used with AD users. If it's dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to create an IPSec tunnel from web server to inside (dbase or exchange) server using the MS built in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it's a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

I don't have an opinion on using a child domain, it will work fine but if security is the reason, I'd build a separate domain and use a trust maybe.

What do you think?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all,

I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

- Create a child domain and put the Sharepoint computer account in the child domain
- Put Sharepoint server in our DMZ.
- Open up the same ports for Sharepoint that we would open for Outlook Web Access
- Also open port 1433 for SQL

Since I don't know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you,
Russ
[ActiveDir] Elevating privileges from DA to EA
It has been suggested by certain parties here that elevating one's rights from DA to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [EMAIL PROTECTED]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil
FW: [ActiveDir] CSVDE Export
And if you need the DN in the csv to import, remove the -nodn.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order, but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query. Below gets just the user accounts in the OU. If you want everything in the OU, remove the -f "(&(objectcategory=person))" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on a regular basis. The syntax is

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

On occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times. Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files?

Many thanks,
Mark
RE: [ActiveDir] CSVDE Export
Just so you know that query will get you more than user accounts. To get just users do

(&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order, but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query. Below gets just the user accounts in the OU. If you want everything in the OU, remove the -f "(&(objectcategory=person))" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on a regular basis. The syntax is

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

On occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times. Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files?

Many thanks,
Mark
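For the import side of the CSVDE question in this thread, an added example (not code from any poster): whatever order the export tool emits, the consuming job can select columns by header name and write them back in one fixed order. The sample exports below are constructed, and the header spellings are assumptions about what the export contains.

```python
"""Rewrite a directory CSV export into one fixed column order."""
import csv
import io

# Column order the downstream import expects (the attribute list from the
# csvde command quoted in the thread).
WANTED = ["name", "mail", "givenName", "sn", "userPrincipalName",
          "physicalDeliveryOfficeName"]


def normalize_export(text, wanted=WANTED, missing=""):
    """Return (csv_text, absent) with rows rewritten in `wanted` order.

    Columns are located by header name (case-insensitive), never by position.
    Extra columns such as DN are dropped; attributes absent from the header
    are written as `missing` and listed in `absent` so the job can alert.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)
    if header is None:
        raise ValueError("export is empty: no header row")
    position = {}
    for i, col in enumerate(header):
        key = col.strip().lower()
        if key in position:
            raise ValueError(f"duplicate column in header: {col!r}")
        position[key] = i
    absent = [w for w in wanted if w.lower() not in position]

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(wanted)
    for row in reader:
        if not row:  # skip blank lines
            continue
        fields = []
        for w in wanted:
            i = position.get(w.lower())
            fields.append(row[i] if i is not None and i < len(row) else missing)
        writer.writerow(fields)
    return out.getvalue(), absent


# Constructed sample data: the same record exported with two column orders.
# Quoted fields contain commas, so splitting on "," would corrupt them.
_DN = '"CN=Ann Lee,OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet"'
EXPORT_A = (
    "DN,name,mail,givenName,sn,userPrincipalName,physicalDeliveryOfficeName\n"
    + _DN + ',Ann Lee,ann.lee@example.com,Ann,Lee,alee@abc.defghi.inet,"Leeds, Floor 2"\n'
)
EXPORT_B = (
    "DN,sn,physicalDeliveryOfficeName,name,userPrincipalName,givenName,mail\n"
    + _DN + ',Lee,"Leeds, Floor 2",Ann Lee,alee@abc.defghi.inet,Ann,ann.lee@example.com\n'
)

if __name__ == "__main__":
    a, _ = normalize_export(EXPORT_A)
    b, _ = normalize_export(EXPORT_B)
    print(a, end="")
    print("identical after normalizing:", a == b)
```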
RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Glad I could help ;)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Thu 9/14/2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue; only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't: if you have two DCs running IIS, they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
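The well-known-SID question discussed in this thread, worked through as an added example (not code from any poster or from Sysinternals): it classifies SIDs such as those psgetsid reports and checks whether one policy entry could match an account on every server. The function names are hypothetical and the IWAM SIDs are constructed sample values.

```python
import struct

# SIDs that are identical on every Windows installation.
UNIVERSAL_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs that are fixed, but appended to a per-machine or per-domain identifier,
# so the full SID still differs from one issuer to the next.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Return (authority, [sub-authorities]) for a string SID like S-1-5-32-544."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("non-numeric SID component: %r" % sid)
    if len(subs) > 15 or any(s < 0 or s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return authority, subs


def canonical(sid):
    """Normalise case and whitespace so equal SIDs compare equal as strings."""
    authority, subs = parse_sid(sid)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def sid_from_bytes(raw):
    """Decode a binary SID (the form stored in objectSid) to its string form."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("truncated or unsupported SID")
    count = raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def classify(sid):
    """Return (kind, name, issuer); issuer is the machine/domain part or None."""
    authority, subs = parse_sid(sid)
    text = canonical(sid)
    if text in UNIVERSAL_SIDS:
        return ("universal", UNIVERSAL_SIDS[text], None)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        issuer = "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
        if rid in WELL_KNOWN_RIDS:
            return ("well-known-rid", WELL_KNOWN_RIDS[rid], issuer)
        return ("issuer-specific", None, issuer)
    return ("unrecognised", None, None)


def one_entry_covers(sids):
    """True only if a single SID entry would match the account on every server."""
    return len({canonical(s) for s in sids}) == 1


# Constructed sample data: one IWAM account per server, each issued by that
# server's own account database, so both the issuer part and the RID differ.
SAMPLE = {
    "IWAM_SERVER1": "S-1-5-21-1111111111-2222222222-3333333333-1004",
    "IWAM_SERVER2": "S-1-5-21-1234567890-1098765432-1357924680-1003",
    "IWAM_SERVER3": "S-1-5-21-2468013579-1122334455-2233445566-1005",
}

if __name__ == "__main__":
    for name, sid in SAMPLE.items():
        print(name, sid, classify(sid)[0])
    print("one policy entry covers all IWAM accounts:",
          one_entry_covers(SAMPLE.values()))
    print("BUILTIN\\Administrators:", classify("S-1-5-32-544")[0])
```

Only a SID that is the same on every machine, such as a BUILTIN alias or a single domain group, passes `one_entry_covers`; per-server accounts never do.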
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
Re: [ActiveDir] OT: Protecting against Spyware/Adware
Nonadmin. I personally have had way less issues when users that don't need admin rights don't have them.

Chinnery, Paul wrote:

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I okayed that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] DNS Entries --Laptop Users--
Ulf did a really nice write up a while back that's worth reading: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/26/39841.aspx

Here's the KB I was referring to: http://support.microsoft.com/?id=816592

On 9/14/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Al, this is not a priority for us now. Earlier I was unaware of our VPN Box settings, that's why I was a bit confused about why these machines are registering their own records in my DNS. Also I am not going to uncheck the Register in DNS check box on Client machine as this is not required as of now. I have already set lease period as per our organizational requirement so, again, I will not do any change unless it is a must required thing to do. Al, I would surely want to have a look on the KB you referred to. If possible, do me this favor.

Thanks for all your help!!!
Ravi Dogra

On 9/14/06, Al Mulnick [EMAIL PROTECTED] wrote:

Personally, for a shop with more than 30 machines I wouldn't recommend this approach. DHCP half-life registrations would start to fly all over the place. That and the DHCP server is not registering for the remote users.

On 9/13/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'm not a huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires.

On 9/13/06, Ravi Dogra [EMAIL PROTECTED] wrote:

No, Laptop Users are getting IP Addresses from my VPN Box and when they are on site it's DHCP. On machines the Register in DNS option is checked, hence machines are attempting to register their own records in DNS. Although I have made my LAN DHCP to register only its Clients in DNS. Credentials used are obviously my Administrator Account.

But Al, the issue we had is laptop users are using LAN DHCP as well as using VPN Connection from home. Both are getting registered in my DNS with different IP. Which is obvious. But the thing is SOPHOS gave us this as one of the reasons for my laptop machines not showing in Sophos Enterprise Console, because it uses DNS to build the existing machines list. Now everything is working fine and this reason was totally not applicable, but still there are other machines which are only in our network using only my LAN DHCP and are not showing up in EC. Sophos Support team is working on this.

Thanks and Regards
Ravi Dogra

On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:

I swear this is the last question and then I'll make a suggestion. :) Is the DHCP server that the remote clients are getting their ip addr's from the same as the one that you are using for lan connected clients? You are obviously allowing the user's machine to update its own records, but is that consistent or is the DHCP server on the lan registering the records for you possibly under a different set of credentials or in a different zone?

On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Yes, it's correct. No we have mobile users..

On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:

Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date. VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution. Is that correct? Do you have workers that are remote-based only?

Al

On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:

According to Sophos Support, if one host has 2 DNS Entries, Sophos Enterprise Manager might not be able to detect this Host and auto update will also not work. As you know jolly;- We are in process of migration from Trend to Sophos as our Antivirus Solution. Working on a solution, will update soon.

Thanks
Ravi Dogra

On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:

Ravi,
As Rob said, if your VPN box is forwarding requests to your internal network then your DNS will automatically update the records according to the new IP which in your case is x.x.5.x. Can you explain exactly what is the problem that you are facing due to this?

Regards,
Jaspreet Singh Jolly

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

1. I Didn't understand what exactly u r asking?
2. Yes DHCP Is configured properly.
RE: [ActiveDir] OT: Protecting against Spyware/Adware
I have not done a lot of research on this, but if you have users in either the power users or regular users group, won't that cut down tremendously on the potential of getting adware/spyware?

From: [EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Thursday, September 14, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I okayed that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Protecting against Spyware/Adware
We use TrendMicro as well. Probably not quite as good as Webroot as Trend is a bit more conservative than is Webroot. Then again, Webroot is very aggressive as spyware is all they do. Eventually, I think you'll see them acquired by one of the top three A/V folks (Symantec, McAfee or TrendMicro). But they (Webroot) have resisted such in the past.

As far as overall performance I still recommend TrendMicro in the Enterprise. It simply works well together. Besides we are small enough to see any actual leaks from spyware, etc. I haven't found anything that I cannot account for leaving the network. I tell people to think of us as a medium sized business with only a few internal people. That's why I can see (Ethereal) anything leaving or not leaving the network - when I want.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275

From: Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/14/2006 10:05 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Had Trend OfficeScan with Damage Cleanup Service on somewhere between 60K and 90K devices. Worked great, they had graphs showing how well it worked based on some custom data collection they did.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] DNS zones expiring
I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -
I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup.

After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domains zone has expired and I have to manually reload.

Any ideas? Help? Suggestions?

Thanks,
-- HBooGz:\
Re: [ActiveDir] CSVDE Export
Mike,

Thanks, I will give it a go later, I always seem to forget about ADfind. ADfind is a bit like a potato - you can do so many different things with it.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: Mike Newell [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 07:55:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query. Below gets just the user accounts in the OU. If you want everything in the OU remove the -f ((objectcategory=person)) reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f ((objectcategory=person)) name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on a regular basis. The syntax is

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

On occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times. Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files?

Many thanks
Mark
Re: [ActiveDir] Any impacts to domain controller when changing its IP?
Really - must have missed that. Whoops.

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 16:50:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name. At this stage I would re-IP the server, then dcpromo the server again. This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller is Windows Server 2003. We have to change its computer name and internal IP but no need to change the domain name, because we want to let it run for 3 months.

Anyone could tell me what impacts are brought by these changes? Any suggestions would be appreciated!

With best regards
Jobs.Zhao
[ActiveDir] OT: RAID-5 expansion problem
Esteemed colleagues,

We can't get the RAID configuration utility to give us the amount of disk space we think we ought to have on our main file server.

We used to have 4 72Gb drives in a RAID-5. We put two more 72Gb drives into the server, and followed the directions to expand the array using HP's ACU-XE program. The directions say this can take 10-15 minutes per Gb, and it took lots more time than that, but finally, it was done.

So, here are the figures for drive space we are now working with, and they just don't add up. In ACU-XE:

- The original drive space is listed as 208378 Mb. This is roughly equivalent to 69460, which is the physical drive capacity reported by the System Management Homepage, times 3, leaving out the 4th drive to make the RAID-5, which comes out to 208380. This is fine.
- The new unused space is listed as 166707 Mb. This is actually quite a bit more than 69460 times the two drives we added, which would be 138920. This is confusing to me, and the figures do not add up.
- When I go to extend size in ACU-XE, the maximum size I can extend the array to is 261116. This is not even as much space as adding one drive to the array should give us, and we've added two drives! This really doesn't add up.

More figures: If you add the two numbers in ACU-XE (original plus unused), I come up with 375085. If you figure out what 5 times 69460 would be, it comes up to 347300. Either one of these numbers would be fine with us, but 261116 is just plain not enough!

Thanks in advance for your help.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
Re: [ActiveDir] Elevating privileges from DA to EA
Can you reword? I'm not sure I clearly understand the question.

FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain, but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [ [EMAIL PROTECTED]]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil
RE: [ActiveDir] Any impacts to domain controller when changing its IP?
Yep, that was Win2k – once you’ve reached Win2k3 domain functional level, you can start adding another name to your DC, make it primary, reboot, ensure everything replicates well and registers in DNS, then remove the old name. Use NETDOM to do so.

/Guido

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 14, 2006 4:50 PM
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name. At this stage I would re-IP the server, then dcpromo the server again. This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name. Our domain controller is Windows Server 2003. We have to change its computer name and internal IP but no need to change the domain name, because we want to let it run for 3 months.

Anyone could tell me what impacts are brought by these changes? Any suggestions would be appreciated!

With best regards
Jobs.Zhao
RE: [ActiveDir] Elevating privileges from DA to EA
Oh, it's easier than you think: go look at the ACLs on some objects and think about what the various system accounts run as over the network on the DCs.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Elevating privileges from DA to EA

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [EMAIL PROTECTED]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Are all of your users in power user group or user group of their workstation?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
Re: [ActiveDir] OT: Protecting against Spyware/Adware
Nope.

Crawford, Scott wrote:

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Controlled user access, i.e. no admin rights, and use a good class firewall with spyware/av protection on the gateway... no issues.

Rob

Robert Rutherford
QuoStar Solutions Limited
T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 14 September 2006 20:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nonadmin

I personally have had way less issues when users that don't need admin rights don't have them.

Chinnery, Paul wrote:

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I okayed that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] DNS zones expiring
No worries, i don't take offense easily...=)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary ( not AD-Integrated). On the parent Domain Controllers/DNS servers i've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup.

After migrating over to Widows 2003, every day i get an event log message on the parent DNS server log indicating that the child domains zone has expired and i have to manually reload.

any ideas ? help ? suggestions ?

Thanks,
--
HBooGz:\

--
HBooGz:\
RE: [ActiveDir] CSVDE Export
Yep, nice catch. I guess I got lazy as the OU I ran that against in the lab only has user and computer accounts in it ;-)

Thanks again.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 14, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Just so you know that query will get you more than user accounts. To get just users do

    (&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in the OU remove the -f "(&(objectcategory=person))" reference.

    adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on regular basis.

the syntax is

    csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files

many thanks

mark

This message and any attachments (the Message) may contain confidential, proprietary and/or privileged information and are only for their intended recipient(s). If you are not the intended recipient, you should notify the sender and delete the Message. E-mail transmissions cannot be guaranteed to be secure or error-free. This Message is provided for information purposes and should not be construed as a solicitation or offer to buy or sell any securities or financial instruments, or to provide investment advice in any jurisdiction where the sender is not properly licensed or permitted to do so. This Message is subject to additional conditions and restrictions. Please read them here: http://legal.dimensional.com/email/
RE: [ActiveDir] Elevating privileges from DA to EA
Simple is a relative term but yes, there are mechanisms that could be and are termed simple.

No I don't think people shouldn't be sharing details even offline. If someone cannot come up with a method on their own it doesn't mean someone else who is aware of a method should supply it. It doesn't help anything knowing how it can be done. You are a smart guy though Neil, I have no doubt if you sat down and gave yourself an hour to think out the ways an attack could be perpetrated you could work out a couple of methods that you would consider simple.

Hopefully folks don't start dropping hints, etc as it is a can of worms we don't generally want opened up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Elevating privileges from DA to EA

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [EMAIL PROTECTED]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.

Thanks,
neil
RE: [ActiveDir] OT: Protecting against Spyware/Adware
I run as local admin and have zero issues with spyware? Coincidence?

;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Protecting against Spyware/Adware
All regular users. Don't get me wrong, it was tough to get to this point, but it's sooo worth it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Are all of your users in power user group or user group of their workstation?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] OT: Protecting against Spyware/Adware
I didn't think so :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nope.

Crawford, Scott wrote:

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] CSVDE Export
And if AdFind doesn't keep them in order, let me know as that would be a featur... Err I mean bug. For -csv and -oao options I maintain the order specified on purpose.

I can't speak to CSVDE and how it works, I actually have never looked at the source for that program. I expect you may be getting different orders based on the DC you are querying possibly. There is no guarantee on the order returned from the DCs so if you want that guarantee, the tool outputting the results has to be aware to do it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in the OU remove the -f "(&(objectcategory=person))" reference.

    adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on regular basis.

the syntax is

    csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files

many thanks

mark
RE: [ActiveDir] CSVDE Export
A potato

Interesting analogy... Once I get past the image of a brown lump buried in the dirt in the backyard (or your ears if you are a kid and don't listen to your mom) it starts to grow on me... I may actually have to post that quote on my blog...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 11:32 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] CSVDE Export

Mike,

Thanks I will give it a go later, I always seem to forget about ADfind. ADfind is a bit like a potato - you can do so many different things with it.

Regards

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: Mike Newell [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 07:55:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,

Don't know why csvde would change the order but try adfind from www.joeware.net. So far for me, it's always kept the fields in the order that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in the OU remove the -f "(&(objectcategory=person))" reference.

    adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on regular basis.

the syntax is

    csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files

many thanks

mark
RE: [ActiveDir] DNS zones expiring
Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like

    telnet PrimaryDNSServer 53

from the secondary server and then going to the Primary server and doing

    netstat | find ":53"

and making sure that you could see the real IP address of the secondary server on the list.

If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".

If that fails, then I'd pray very hard then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, i don't take offense easily...=)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary ( not AD-Integrated). On the parent Domain Controllers/DNS servers i've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup.

After migrating over to Widows 2003, every day i get an event log message on the parent DNS server log indicating that the child domains zone has expired and i have to manually reload.

any ideas ? help ? suggestions ?

Thanks,
--
HBooGz:\

--
HBooGz:\
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Yes. You run Mac. LOL

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] Block Inheritance on DC OU
I did it a couple years ago, and found out that it does block the password policy. It seems intuitive that it shouldn't, but it does.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

You say "Obvious" but is this obvious? What happens in the case of password policy. This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that it does, but I wonder if any one has tested it or has any docs on what actually happens.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,
~Ben

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk
RE: [ActiveDir] Handling different schemas - managing maintaining updates
Use adfind -sc sdump or adfind -sc sdump:csv to dump a schema suitable for comparison with, say, Windiff. I am pretty sure it captures all of the critical info and it definitely maintains the order of the attributes so you don't have to worry about the text analyzer resyncing when lines are out of order...

The output for the first command looks like

dn:CN=account,SCHEMA
adminDescription: The account object class is used to define entries representing computer accounts.
adminDisplayName: account
attributeID: NOT SET
attributeSecurityGUID: NOT SET
attributeSyntax: NOT SET
auxiliaryClass: NOT SET
cn: account
defaultHidingValue: TRUE
defaultObjectCategory: CN=account,SCHEMA
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
description: NOT SET
extendedCharsAllowed: NOT SET
governsID: 0.9.2342.19200300.100.4.5
isDefunct: NOT SET
isMemberOfPartialAttributeSet: NOT SET
isSingleValued: NOT SET
lDAPDisplayName: account
linkID: NOT SET
mAPIID: NOT SET
mayContain: uid
mayContain: host
mayContain: ou
mayContain: o
mayContain: l
mayContain: seeAlso
mayContain: description
mustContain: NOT SET
objectClass: top
objectClass: classSchema
objectClassCategory: 1
oMSyntax: NOT SET
possSuperiors: organizationalUnit
possSuperiors: container
rangeLower: NOT SET
rangeUpper: NOT SET
rDNAttID: cn
schemaIDGUID: {2628A46A-A6AD-4AE0-B854-2B12D9FE6F9E}
searchFlags: NOT SET
showInAdvancedViewOnly: TRUE
subClassOf: top
systemAuxiliaryClass: NOT SET
systemFlags: NOT SET
systemMayContain: NOT SET
systemMustContain: NOT SET
systemOnly: FALSE
systemPossSuperiors: NOT SET

The output for the second command looks like (well it looks pretty ugly here but is great for scripts...)

"dn","adminDescription","adminDisplayName","attributeID","attributeSecurityGUID","attributeSyntax","auxiliaryClass","cn","defaultHidingValue","defaultObjectCategory","defaultSecurityDescriptor","description","extendedCharsAllowed","governsID","isDefunct","isMemberOfPartialAttributeSet","isSingleValued","lDAPDisplayName","linkID","mAPIID","mayContain","mustContain","objectClass","objectClassCategory","oMSyntax","possSuperiors","rangeLower","rangeUpper","rDNAttID","schemaIDGUID","searchFlags","showInAdvancedViewOnly","subClassOf","systemAuxiliaryClass","systemFlags","systemMayContain","systemMustContain","systemOnly","systemPossSuperiors"
"CN=account,CN=Schema,CN=Configuration,DC=pg,DC=com","The account object class is used to define entries representing computer accounts.","account","NOT SET","NOT SET","NOT SET","NOT SET","account","TRUE","CN=account,SCHEMA","D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","NOT SET","NOT SET","0.9.2342.19200300.100.4.5","NOT SET","NOT SET","NOT SET","account","NOT SET","NOT SET","uid;host;ou;o;l;seeAlso;description","NOT SET","top;classSchema","1","NOT SET","organizationalUnit;container","NOT SET","NOT SET","cn","{2628A46A-A6AD-4AE0-B854-2B12D9FE6F9E}","NOT SET","TRUE","top","NOT SET","NOT SET","NOT SET","NOT SET","FALSE","NOT SET"
"CN=Account-Expires,CN=Schema,CN=Configuration,DC=pg,DC=com","Account-Expires","Account-Expires","1.2.840.113556.1.4.159","{4C164200-20C0-11D0-A768-00AA006E0529}","2.5.5.16","NOT SET","Account-Expires","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","TRUE","accountExpires","NOT SET","NOT SET","NOT SET","NOT SET","top;attributeSchema","NOT SET","65","NOT SET","NOT SET","NOT SET","NOT SET","{BF967915-0DE6-11D0-A285-00AA003049E2}","16","TRUE","NOT SET","NOT SET","16","NOT SET","NOT SET","FALSE","NOT SET"
"CN=Account-Name-History,CN=Schema,CN=Configuration,DC=pg,DC=com","Account-Name-History","Account-Name-History","1.2.840.113556.1.4.1307","NOT SET","2.5.5.12","NOT SET","Account-Name-History","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","FALSE","accountNameHistory","NOT SET","NOT SET","NOT SET","NOT SET","top;attributeSchema","NOT SET","64","NOT SET","NOT SET","NOT SET","NOT SET","{031952EC-3B72-11D2-90CC-00C04FD91AB1}","0","TRUE","NOT SET","NOT SET","16","NOT SET","NOT SET","FALSE","NOT SET"

for the curious, the -sc sdump shortcut simply combines the following switches

Selected Switches
  -f (name=*)
  -oao NOT SET
  -po
  -replacedn _schema;_config
  -s one
  -sc sdump
  -schema
  -sort name

Selected Attributes
  adminDescription adminDisplayName attributeID attributeSecurityGUID attributeSyntax auxiliaryClass cn defaultHidingValue defaultObjectCategory defaultSecurityDescriptor description extendedCharsAllowed governsID isDefunct isMemberOfPartialAttributeSet isSingleValued lDAPDisplayName linkID mAPIID mayContain mustContain objectClass objectClassCategory oMSyntax possSuperiors rangeLower rangeUpper rDNAttID schemaIDGUID searchFlags showInAdvancedViewOnly subClassOf systemAuxiliaryClass systemFlags systemMayContain systemMustContain systemOnly systemPossSuperiors
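A script-level comparison of two sdump:csv dumps, as an added example (not code from this post or from adfind). It reports schema objects missing on either side and property-level differences such as searchFlags; the two sample dumps are constructed, use only a subset of the sdump columns, and the attribute myCompanyEmployeeSSN and the DC=a/DC=b forest names are hypothetical.

```python
import csv
import io

# Columns that adfind joins with ';' in CSV mode; compared as sets so value order is ignored.
MULTI_VALUED = {"auxiliaryClass", "mayContain", "mustContain", "objectClass",
                "possSuperiors", "systemAuxiliaryClass", "systemMayContain",
                "systemMustContain", "systemPossSuperiors"}
# The full DN carries the forest name, so it always differs between forests.
FOREST_SPECIFIC = {"dn"}
# searchFlags bits on attributeSchema objects.
SEARCH_FLAGS = {1: "INDEX", 2: "CONTAINER_INDEX", 4: "ANR", 8: "PRESERVE_ON_DELETE",
                16: "COPY", 32: "TUPLE_INDEX", 64: "SUBTREE_INDEX", 128: "CONFIDENTIAL"}


def load_sdump(csv_text):
    """Index one sdump:csv dump by lDAPDisplayName (case-insensitive)."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return {row["lDAPDisplayName"].lower(): row for row in reader}


def normalise(column, value):
    """Make values comparable: multi-valued columns become sets."""
    if column in MULTI_VALUED:
        return frozenset(value.split(";"))
    return value


def describe_search_flags(value):
    """Render a searchFlags number together with the names of its set bits."""
    if value == "NOT SET":
        return value
    number = int(value)
    names = [name for bit, name in SEARCH_FLAGS.items() if number & bit]
    return "%d (%s)" % (number, "|".join(names) or "none")


def compare_schemas(source_csv, target_csv):
    """Return objects missing on either side and per-property differences."""
    source, target = load_sdump(source_csv), load_sdump(target_csv)

    def display_names(keys, table):
        return sorted(table[k]["lDAPDisplayName"] for k in keys)

    report = {
        "missing_in_target": display_names(set(source) - set(target), source),
        "missing_in_source": display_names(set(target) - set(source), target),
        "changed": [],
    }
    for key in sorted(set(source) & set(target)):
        for column, old in source[key].items():
            if column in FOREST_SPECIFIC:
                continue
            new = target[key].get(column, "NOT SET")
            if normalise(column, old) == normalise(column, new):
                continue
            if column == "searchFlags":
                old, new = describe_search_flags(old), describe_search_flags(new)
            report["changed"].append((source[key]["lDAPDisplayName"], column, old, new))
    return report


# Constructed sample dumps (subset of the sdump columns).
FOREST_A = '''
"dn","attributeSyntax","isSingleValued","lDAPDisplayName","mayContain","searchFlags"
"CN=account,CN=Schema,CN=Configuration,DC=a,DC=example","NOT SET","NOT SET","account","uid;host;ou","NOT SET"
"CN=Account-Expires,CN=Schema,CN=Configuration,DC=a,DC=example","2.5.5.16","TRUE","accountExpires","NOT SET","16"
"CN=Account-Name-History,CN=Schema,CN=Configuration,DC=a,DC=example","2.5.5.12","FALSE","accountNameHistory","NOT SET","0"
"CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=a,DC=example","2.5.5.12","TRUE","myCompanyEmployeeSSN","NOT SET","128"
'''
FOREST_B = '''
"dn","attributeSyntax","isSingleValued","lDAPDisplayName","mayContain","searchFlags"
"CN=account,CN=Schema,CN=Configuration,DC=b,DC=example","NOT SET","NOT SET","account","host;uid;ou","NOT SET"
"CN=Account-Expires,CN=Schema,CN=Configuration,DC=b,DC=example","2.5.5.16","TRUE","accountExpires","NOT SET","16"
"CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=b,DC=example","2.5.5.12","TRUE","myCompanyEmployeeSSN","NOT SET","0"
'''

if __name__ == "__main__":
    result = compare_schemas(FOREST_A, FOREST_B)
    print("missing in target:", result["missing_in_target"])
    print("missing in source:", result["missing_in_source"])
    for name, column, old, new in result["changed"]:
        print("%s.%s: %s -> %s" % (name, column, old, new))
```

In the sample, the attribute exists in both forests but is marked confidential in only one of them, which is the kind of difference a missing-object comparison alone does not show.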
RE: [ActiveDir] dsget error
Yep, the new version of AdMod, in beta testing now, will leverage the info that you get from an adfind query to do what I call partial data attribute updates. That is when there is something in the current value you need to generate the new value. DSMOD has to make a call to the DC for every DN it is passed to get the current useraccountcontrol value in order to enable/disable objects as it is simply clearing the #1 bit which has a value of 2. There is no mechanism to tell AD just clear the second bit, you retrieve the old value, clear the bit, then write the whole value back.

So AdMod, takes the -adcsv output from AdFind which would include the current value of useraccountcontrol with the DN of the object. That means it works like

1 LDAP Query requests to match x objects (done from AdFind)
Loop through X objects {
   LDAP Mod requests to update the current object (done from AdMod)
}

Now dsquery/dsmod has to do it this way

1 LDAP Query requests to match x objects (done from dsquery)
Loop through X objects {
   LDAP Query requests to get UAC value for the current object
   LDAP Mod requests to update the current object (done from dsMod)
}

You could consider it cheating. It is something I always had in mind in doing when I wanted to combine adfind/admod into a single tool. Once I added CSV capability to adfind I realized I could pull it off with the two separate tools now for people. Maybe I should patent this technology... ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 13, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dsget error

It must be some kind of issue with the DS* tools. I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with uac of 546) and it would die every time with that error after a couple of thousand objects. I figured, but didn't look into it, it's something to do with the fact that DSMOD queries the DN you pass it to check for object type, etc. which means there's loads of queries hitting the DC (one for each mod). This is why Joe's ADMOD (1.7) is going to be loads better, as he only does one extra query which means there's only n + 1 LDAP requests hitting the DC as opposed to n x 2 with DSMOD.

--Paul

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 2:45 AM
Subject: RE: [ActiveDir] dsget error

The query is probably timing out. Get Joe's ADfind and run something like this:

Adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

You can tag a -csv on there too

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution. Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

Here's the command I was using:

dsquery user -name * -limit 0 | dsget -display -samid -pwdneverexpires

Thnx,
JC

ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] OT: Protecting against Spyware/Adware
No, not yet. I am looking at the MAC Notebooks though.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Yes. You run Mac. LOL

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence? ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear
IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] dsget error
Yep and if you get the timeouts, adfind should tell you that pretty clearly. You can then use the -t switch to modify the timeout value. I often use -t 0 to disable the timeouts on really large (like get every user object in the 200k user forest) queries.

If you are still getting other errors, add the -exterr switch and post the info as that can help troubleshoot it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, September 12, 2006 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dsget error

The query is probably timing out. Get Joe's ADfind and run something like this:

Adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

You can tag a -csv on there too

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution. Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

Here's the command I was using:

dsquery user -name * -limit 0 | dsget -display -samid -pwdneverexpires

Thnx,
JC

ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
RE: [ActiveDir] [OT] Date Modification not same on the folder and subfolder level
This is OT for this forum and you didn't prefix with OT which could be why I don't see any responses...

In the meanwhile, I would say no, if you just modify an existing file in a folder, it shouldn't update the folder modification date because there has been no change to the folder. Consider a folder is a directory which is sort of like a file. You modify a directory/folder file when you modify the "contents" of that directory file... aka the data the directory is responsible for... i.e. you add/delete entries in the directory, either files or subdirectories. Anything else and you are putting a tremendous load on the system especially if they have deep hierarchical directory structures for what I would consider no reason. Consider you have a folder structure with tens of thousands of folders at various levels even up to 20 levels deep and you have thousands of people making changes and you are expecting all of those changes to cascade further changes all the way back to the root of the drive... No, makes no sense really.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Tuesday, September 12, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Date Modification not same on the folder and subfolder level

Hi All,

On my file server, why do I get different modified dates for users main folder and subfolders and even the files in the subfolders. My concern is even if a user has changed or modified a file on any specific date, the parent folder should show me the latest modified date. Or if we have N number of files modified on different dates, then what should be the date on the parent folder?

Thanks in advance.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
MCS Wintel India
Computer Sciences Corporation
Hello - + 91 120 2582323 Ext. 2649
You never win Silver, You lose Gold

This is a PRIVATE message.
If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
RE: [ActiveDir] Block Inheritance on DC OU
To me it seems intuitive that GP processing would behave the same way for DCs as it would for other computers. And to answer the question, yes I have confirmed this in testing numerous times over the years - most recently the day Ben asked the question.

Darren

-Original Message-
From: Derek Harris [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I did it a couple years ago, and found out that it does block the password policy. It seems intuitive that it shouldn't, but it does.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

You say Obvious but is this obvious? What happens in the case of password policy. This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that it does, but I wonder if any one has tested it or has any docs on what actually happens.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this). Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controller's OU pose? And what reason would [truncated by sender]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Touche 8-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence? ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear
IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] Strange password issue
The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set.

So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd. So current or past setting of UAC has no bearing on this problem.

This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash-
The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts.

Is this a local account or a domain account?

Laura
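The userAccountControl values in this thread (546, 544, 512) and the read, clear the bit, write back update described in the dsget error thread, worked through as an added example (not AdMod's or any poster's code). It takes a DN plus userAccountControl dump in CSV form, plans the enable operation without any further per-object query, and flags accounts that are, or would become, enabled with PASSWD_NOTREQD still set; the sample rows and DNs are constructed.

```python
import csv
import io

# userAccountControl bits used in the thread.
ACCOUNTDISABLE = 0x0002        # the "#1 bit", value 2
PASSWD_NOTREQD = 0x0020        # 32
NORMAL_ACCOUNT = 0x0200        # 512
DONT_EXPIRE_PASSWORD = 0x10000
UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Names of the known bits set in value; unknown bits are reported as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(hex(unknown))
    return names


def read_accounts(csv_text):
    """Parse a dn,userAccountControl CSV dump into (dn, uac) pairs."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [(row["dn"], int(row["userAccountControl"])) for row in reader]


def plan_enable(accounts):
    """(dn, old, new) for every disabled account, with new = old minus ACCOUNTDISABLE.

    The new value is computed from the value already in the dump, so the only
    directory traffic left is one modify per object.
    """
    return [(dn, uac, uac & ~ACCOUNTDISABLE)
            for dn, uac in accounts if uac & ACCOUNTDISABLE]


def enabled_without_password_requirement(accounts):
    """Accounts that are enabled today and have PASSWD_NOTREQD set."""
    return [dn for dn, uac in accounts
            if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE]


def risky_after_enable(plan):
    """Planned changes that would leave an enabled account with PASSWD_NOTREQD set."""
    return [dn for dn, _old, new in plan if new & PASSWD_NOTREQD]


# Constructed sample dump.
SAMPLE_ADCSV = '''
"dn","userAccountControl"
"CN=alice,OU=Users,DC=test,DC=loc","512"
"CN=bob,OU=Users,DC=test,DC=loc","546"
"CN=carol,OU=Users,DC=test,DC=loc","544"
"CN=dave,OU=Users,DC=test,DC=loc","514"
"CN=svc-backup,OU=Users,DC=test,DC=loc","66048"
'''

if __name__ == "__main__":
    accounts = read_accounts(SAMPLE_ADCSV)
    for dn, uac in accounts:
        print(dn, uac, decode_uac(uac))
    plan = plan_enable(accounts)
    print("planned modifies:", plan)
    print("enabled, password not required:", enabled_without_password_requirement(accounts))
    print("would be enabled with password not required:", risky_after_enable(plan))
```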
Re: [ActiveDir] OT: Protecting against Spyware/Adware
A member of the Power Users group may be able to gain administrator rights and permissions in Windows Server 2003, Windows 2000, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825069

Why power user isn't good enough

Thommes, Michael M. wrote:

Touche’ 8-)

Mike Thommes

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *joe
*Sent:* Thursday, September 14, 2006 5:04 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence? ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Crawford, Scott
*Sent:* Thursday, September 14, 2006 11:33 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

*From:* [EMAIL PROTECTED] on behalf of Chris Pohlschneider
*Sent:* Thu 9/14/2006 9:44 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear
IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Replication Metadata
I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier.

If you want to write DC API based code, you can use DsReplicaGetInfo2.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed. I know that RepAdmin can look at the individual group changes so there must be some updated API that I can use to do the same thing, I just can't seem to find it. Can anyone point me in the right direction?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
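Reading the XML form of msDS-ReplValueMetaData to answer "when did group membership last change", as an added example (not from this thread, and in Python rather than the VBScript the original poster planned to use). It assumes each attribute value is one DS_REPL_VALUE_META_DATA document with the element names of that structure; the two values below are constructed, including the DNs, timestamps, USNs and the invocation ID.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ftimeDeleted holds this zero FILETIME while the link value is still present.
NEVER = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_time(text):
    """Parse the UTC timestamps used in the XML metadata."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_value_metadata(xml_values, attribute="member"):
    """Turn msDS-ReplValueMetaData XML values into records, oldest change first."""
    records = []
    for raw in xml_values:
        # Values can arrive with trailing NULs or whitespace; strip before parsing.
        node = ET.fromstring(raw.strip("\x00 \r\n\t"))
        if node.findtext("pszAttributeName") != attribute:
            continue
        deleted = parse_time(node.findtext("ftimeDeleted"))
        records.append({
            "member": node.findtext("pszObjectDn"),
            "state": "present" if deleted == NEVER else "removed",
            "changed": parse_time(node.findtext("ftimeLastOriginatingChange")),
            "version": int(node.findtext("dwVersion")),
            "origin_dsa": node.findtext("pszLastOriginatingDsaDN"),
        })
    return sorted(records, key=lambda record: record["changed"])


def last_membership_change(xml_values):
    """Most recent add or remove recorded for the group, or None."""
    records = parse_value_metadata(xml_values)
    return records[-1] if records else None


TEMPLATE = """<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>{dn}</pszObjectDn>
  <cbData>0</cbData>
  <pbData></pbData>
  <ftimeDeleted>{deleted}</ftimeDeleted>
  <ftimeCreated>{created}</ftimeCreated>
  <dwVersion>{version}</dwVersion>
  <ftimeLastOriginatingChange>{changed}</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>{usn}</usnOriginatingChange>
  <usnLocalChange>{usn}</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=test,DC=loc</pszLastOriginatingDsaDN>
</DS_REPL_VALUE_META_DATA>"""

# Constructed sample: alice was added and is still a member, bob was added and later removed.
SAMPLE_VALUES = [
    TEMPLATE.format(dn="CN=alice,OU=Users,DC=test,DC=loc", deleted="1601-01-01T00:00:00Z",
                    created="2006-08-01T09:00:00Z", changed="2006-08-01T09:00:00Z",
                    version=1, usn=20481),
    TEMPLATE.format(dn="CN=bob,OU=Users,DC=test,DC=loc", deleted="2006-09-07T16:45:10Z",
                    created="2006-08-15T12:30:00Z", changed="2006-09-07T16:45:10Z",
                    version=2, usn=28712) + "\x00",
]

if __name__ == "__main__":
    for record in parse_value_metadata(SAMPLE_VALUES):
        print(record["changed"].isoformat(), record["state"], record["member"],
              "v%d" % record["version"])
    print("last change:", last_membership_change(SAMPLE_VALUES))
```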
RE: [ActiveDir] Replication Metadata
That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do this in a vbscript and avoid getting into any compiled solutions. I told my boss I could do this in an hour because I thought I could just use IADsTools, oopsie.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier.

If you want to write DC API based code, you can use DsReplicaGetInfo2.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed. I know that RepAdmin can look at the individual group changes so there must be some updated API that I can use to do the same thing, I just can't seem to find it. Can anyone point me in the right direction?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Replication Metadata
Yep, if vbscript you want the XML versions...

You should be able to do this in an hour. You just need to pick the right hour. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do this in a vbscript and avoid getting into any compiled solutions. I told my boss I could do this in an hour because I thought I could just use IADsTools, oopsie.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier.

If you want to write DC API based code, you can use DsReplicaGetInfo2.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed. I know that RepAdmin can look at the individual group changes so there must be some updated API that I can use to do the same thing, I just can't seem to find it. Can anyone point me in the right direction?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] OT: Egypt time zone change
A hotfix is available to change the daylight saving time for the (GMT+02:00) Cairo time zone for the year 2006 on Windows XP-based and on Windows Server 2003-based computers: http://support.microsoft.com/?kbid=921028 -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
[ActiveDir] Active Directory Cookbooks...
Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase? Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
*points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...

Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...

*points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...

Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
Actually I did the Active Directory Third Edition. The Active Directory Cookbook is in the Second Edition now and that was done by Laura Hunter. My book you can find in my signature, the Cookbook you can find at http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...

*points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...

Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
I have just purchased the 2nd one and will be on to the 3rd one as soon as I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
15/09/2006 03:14 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...

Actually I did the Active Directory Third Edition. The Active Directory Cookbook is in the Second Edition now and that was done by Laura Hunter. My book you can find in my signature, the Cookbook you can find at http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...

*points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...

Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
RE: [ActiveDir] Strange password issue
I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set.

So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
ERROR_PASSWORD_RESTRICTION winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank. You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no
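An added example, not code from the thread or from AdMod: decoding the userAccountControl values discussed above (512, 544, 546) and auditing for enabled accounts that still carry PWD_NOT_REQD. The `change_rejected` function is a simplified model of the behaviour the posters report, not the domain controller's actual logic, and the account records and function names are constructed for the example.

```python
# userAccountControl bits that appear in the thread above.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020       # 32, written PWD_NOT_REQD in the thread
NORMAL_ACCOUNT = 0x0200       # 512
DONT_EXPIRE_PASSWD = 0x10000  # not discussed in the thread; used in sample data

FLAGS = [
    (ACCOUNTDISABLE, "ACCOUNTDISABLE"),
    (PASSWD_NOTREQD, "PASSWD_NOTREQD"),
    (NORMAL_ACCOUNT, "NORMAL_ACCOUNT"),
    (DONT_EXPIRE_PASSWD, "DONT_EXPIRE_PASSWD"),
]

# LDAP filter for the same audit against a directory, using the bitwise-AND
# matching rule: PASSWD_NOTREQD set and ACCOUNTDISABLE not set.
ENABLED_PWD_NOT_REQD_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in FLAGS if uac & bit]


def change_rejected(new_uac, password_blank, min_pwd_length):
    """Model of the rule reported in the thread: only the resulting state counts.
    A write is refused when it leaves an enabled account, without PASSWD_NOTREQD,
    holding a blank password while a minimum length applies. Non-blank passwords
    are assumed to satisfy policy (simplification)."""
    enabled = not (new_uac & ACCOUNTDISABLE)
    exempt = bool(new_uac & PASSWD_NOTREQD)
    return enabled and not exempt and password_blank and min_pwd_length > 0


def audit_blank_capable(accounts):
    """sAMAccountNames of enabled accounts that may hold a blank password
    regardless of the domain's minimum length."""
    return [
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & PASSWD_NOTREQD
        and not a["userAccountControl"] & ACCOUNTDISABLE
    ]


# Constructed sample records, as an export of two attributes might look.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "test-user", "userAccountControl": 544},
    {"sAMAccountName": "staged-user", "userAccountControl": 546},
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "svc-report", "userAccountControl": 66048},
]

if __name__ == "__main__":
    for value in (512, 544, 546):
        print(value, decode_uac(value))
    # The transitions described in the thread, with a blank password, minimum 6:
    print("create enabled as 544:", change_rejected(544, True, 6))
    print("544 -> 512:", change_rejected(512, True, 6))
    print("546 -> 514:", change_rejected(514, True, 6))
    print("546 -> 544:", change_rejected(544, True, 6))
    print("audit:", audit_blank_capable(SAMPLE_ACCOUNTS))
```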
RE: [ActiveDir] Active Directory Cookbooks...
Oh yeah. I get the two confused.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

Actually I did the Active Directory Third Edition. The Active Directory Cookbook is in the Second Edition now and that was done by Laura Hunter. My book you can find in my signature, the Cookbook you can find at http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...

*points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...

Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
[ActiveDir] List archive
Anyone else getting timeouts trying to get to the list archive URL? http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] List archive
yes

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: David Adner
Sent: Thu 9/14/2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive

Anyone else getting timeouts trying to get to the list archive URL? http://www.activedir.org/ml/threads.aspx