Re: [ActiveDir] RealVNC removal
I'd go with just disabling the service and setting it so that only Domain Admins and System can even manage and/or see the service. This is a 10-minute solution, whereas the others could take quite a bit of time to research how to do correctly.

On 10/2/06, [EMAIL PROTECTED] wrote:

Return Receipt: Your document "RE: [ActiveDir] RealVNC removal" was received by Justin Leney/US/DCI at 10/02/2006 04:08:38 PM.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
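The "only Domain Admins and System can manage or see the service" state recommended above is expressed in the service's security descriptor. The following is an added example, not code from the post or from any project it mentions: a small Python audit that parses the DACL of a service SDDL string (the form `sc sdshow <service>` prints) and reports every trustee outside an allow-list that still holds any service right. The two SDDL strings are constructed for the demonstration; the right codes and bit values are the documented Win32 service and standard access rights.

```python
"""Audit a Windows service security descriptor (SDDL) against a trustee allow-list.

Added example, not from the ActiveDir post above. It models the advice
"only Domain Admins and System can manage and/or see the service" by
parsing the DACL of an SDDL string and reporting every other trustee
that still holds a service right. The sample descriptors are constructed.
"""
import re

# Service access rights as spelled in SDDL; hex values are the Win32
# SERVICE_* and standard-rights constants.
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}

# Constructed sample in the shape of a typical default service DACL: Builtin
# Administrators (BA), interactive users (IU) and service logon accounts (SU)
# can all see or control the service.
DEFAULT_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Constructed descriptor matching the post's advice: SYSTEM keeps what it needs
# to run the service, Domain Admins (DA) get full control, nobody else appears.
HARDENED_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)


def dacl_section(sddl):
    """Return the text between 'D:' and the optional 'S:' (SACL) marker."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    body = sddl[start + 2:]
    end = body.find("S:")
    return body if end < 0 else body[:end]


def rights_mask(field):
    """Convert an SDDL rights field (two-letter codes or 0x hex) to a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown service right code: %r" % code)
        mask |= RIGHTS[code][1]
    return mask


def parse_dacl(sddl):
    """Yield (ace_type, rights_mask, trustee) for every ACE in the DACL."""
    for ace in re.findall(r"\(([^)]*)\)", dacl_section(sddl)):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        yield ace_type, rights_mask(rights), trustee


def right_names(mask):
    """Names of the rights set in mask, in RIGHTS table order."""
    return [name for code, (name, bit) in RIGHTS.items() if mask & bit]


def unexpected_trustees(sddl, allowed=("SY", "DA")):
    """Map each access-allowed trustee outside the allow-list to the rights it holds.

    An empty result means only the allowed trustees can see or manage the
    service, which is the state the post recommends.
    """
    findings = {}
    for ace_type, mask, trustee in parse_dacl(sddl):
        if ace_type == "A" and trustee not in allowed and mask:
            findings[trustee] = right_names(mask)
    return findings


if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, "->", unexpected_trustees(sddl) or "only SY and DA hold rights")
```

The allow-list is a parameter because the post's choice (Domain Admins and System) is a policy decision; passing `allowed=("SY",)` reports the Domain Admins ACE too, which shows the checker is reading the descriptor rather than assuming it. Only the DACL is inspected; the SACL (audit) entries after `S:` are deliberately skipped.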
[ActiveDir] Slightly OT - DNS Problems:
Hey All,

I am required to set up a trust with an acquisition's domain. Ports 53, 88 and 389 (TCP and UDP) are open on the firewall, theirs and ours, both ways (verified).

I have brought in a Forward Lookup Zone of their DNS as a Secondary Zone; I have also tried a Stub Zone and a Conditional Forwarder. When I go to create the trust, however, it says the domain cannot be contacted. I am ONLY able to connect to one of their DCs, in a DMZ; it is also a Global Catalog server.

When I ping the FQDN of the domain it goes from one of their DNS servers to another. After numerous IPCONFIG /FLUSHDNS and re-pings it eventually pings the FQDN. Still no go when trying to establish the trust.

- Created a host entry for the FQDN, no go.
- Tried an LMHOSTS reload and checked the cache to verify the new records were present, no go.
- Added the IP of their DNS server as an alternate DNS server address on the adapter, no go.
- Flicked between Enable NetBIOS over TCP/IP and Disable NetBIOS over TCP/IP, no go.
- Performed an nslookup of [FQDNDomain]: get all IPs of their DNS servers.
- Performed an nslookup with set q=srv of _ldap._tcp.[FQDNDomain]: get all their DNS servers; all have the same weighting and a priority of 0.
- Performed an nslookup of [guid]._msdcs.[FQDNDomain]: get their primary name server etc., which is the DC I can get to.
- The SOA is also the DC I can connect to.

Not sure if it is something to do with the Netlogon service utilising DSGetDcName? What is the next logical step, what am I missing? I can provide more info should this be required.

Thanking anyone in advance.

James Blair
RE: [ActiveDir] OT: wikis
And of course, the problem with the a=x conundrum is the next-to-last operation, where you divide both sides by a-x. You can't do that when a=x because you are dividing by zero, a mathematical no-no: you get infinity.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Monday, October 09, 2006 12:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis

I wonder if you realize that what you posted was incorrect:

1 (-1+1) (-1+1) ...

turns into:

1*0*0*0

So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] wrote:

Very good, altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.

How about this:

(1-1) + (1-1) + (1-1) + ... = 0

Re-write the left hand side by moving the brackets one place to the right:

1 (-1+1) (-1+1) ...

Or simplified:

1 + 0 + 0 + ... = 1

So 1 = 0 !

neil

PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x            [true for some a's and x's]
a+a = a+x        [add a to both sides]
2a = a+x         [a+a = 2a]
2a-2x = a+x-2x   [subtract 2x from both sides]
2(a-x) = a+x-2x  [2a-2x = 2(a-x)]
2(a-x) = a-x     [x-2x = -x]
2 = 1            [divide both sides by a-x]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class, or maybe it was higher, throwing a proof up on the board showing that 1 + 1 != 2, and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class, as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it.
I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
RE: [ActiveDir] OT: wikis
They like it because it shows that division by zero can bite you without being obvious.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure of the point of showing it, but math teachers love to demonstrate it for some reason.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 05, 2006 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class, or maybe it was higher, throwing a proof up on the board showing that 1 + 1 != 2, and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class, as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct.
When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it.

I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
RE: [ActiveDir] Waaay OT: wikis
Not at all - I did not include any multiplication signs between the brackets - you've introduced them :/. Read what I wrote at face value and you'll see it's quite valid (altho it breaks various maths rules!)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Monday, October 09, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis

I wonder if you realize that what you posted was incorrect:

1 (-1+1) (-1+1) ...

turns into:

1*0*0*0

So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] wrote:

Very good, altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.

How about this:

(1-1) + (1-1) + (1-1) + ... = 0

Re-write the left hand side by moving the brackets one place to the right:

1 (-1+1) (-1+1) ...

Or simplified:

1 + 0 + 0 + ... = 1

So 1 = 0 !

neil

PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x            [true for some a's and x's]
a+a = a+x        [add a to both sides]
2a = a+x         [a+a = 2a]
2a-2x = a+x-2x   [subtract 2x from both sides]
2(a-x) = a+x-2x  [2a-2x = 2(a-x)]
2(a-x) = a-x     [x-2x = -x]
2 = 1            [divide both sides by a-x]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class, or maybe it was higher, throwing a proof up on the board showing that 1 + 1 != 2, and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class, as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it.

I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
[ActiveDir] FW: Script to move user account and computer accounts
Hi all,

I was wondering if there is a script I can use that will move user accounts and computer accounts from one child domain to another child domain (Windows 2000). I don't even know where to look for this, so if someone can point me in the right direction (URL or white paper) so I don't ask the same ignorant question twice, I would appreciate it.

Thanks
Russ
RE: [ActiveDir] FW: Script to move user account and computer accounts
Admod from joeware.net can do the cross domain moves.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Monday, October 09, 2006 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Script to move user account and computer accounts

Hi all,

I was wondering if there is a script I can use that will move user accounts and computer accounts from one child domain to another child domain (Windows 2000). I don't even know where to look for this, so if someone can point me in the right direction (URL or white paper) so I don't ask the same ignorant question twice, I would appreciate it.

Thanks
Russ
[ActiveDir] Certificate Authority unable to publish certs in AD
Hi guys,

For some weird reason I'm getting the below errors on the certificate authority. The CA is a one-level issuing enterprise CA, running on Win2003 Enterprise Edition, with autoenrollment enabled for a few usernames. GPO has been enabled for autoenrollment for both the user and computer portion. The cert templates have been given the rights and are issuing the User Certificate type successfully to the local machines, but NOT publishing it to the userCertificate attribute...

Event ID 80 on the CA server:

Certificate Services could not publish a Certificate for request 264 to the following location on server SINDC01.intlsos.com: CN=Oliva O.CUNTAPAY,OU=Users,OU=SIN,DC=intlsos,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344). ldap: 0x32: 2098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Event log on the domain controller:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Accesses: Write Self
Properties: --- Personal Information userCertificate user
Additional Info:
Additional Info2:
Access Mask: 0x8

Things I've verified so far:

1) The CA computer account is listed in the Cert Publishers group.
2) Have modified the Cert Publishers group to be a domain local group (it's an upgrade from a 2000 domain).
3) Verified that Cert Publishers has Read/Write on the userCertificate attribute.

Any suggestions?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Infrastructure Services Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
Re: [ActiveDir] FW: Script to move user account and computer accounts
Look at ADMOD or ADMT for the cross-domain move. If you actually want to copy a user, look at ADMT. Note: ADMT won't perform a copy, when operating intra-forest, by default, but you can configure it to do so IIRC.

Other options are to create a new user and copy the existing attributes, using a script or some code, excluding things like SID, UPN, etc. If this is the route you want to take, I don't think it's detailed in a whitepaper anywhere (it might be, but I've not read it). This is something you need to implement yourself. The problem here is that ADMT tracks source and destination objects so you can re-run it and keep the target attributes up-to-date with the source ones. Your script won't do this by default.

--Paul

- Original Message -
From: Group, Russ
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 3:27 PM
Subject: [ActiveDir] FW: Script to move user account and computer accounts

Hi all,

I was wondering if there is a script I can use that will move user accounts and computer accounts from one child domain to another child domain (Windows 2000). I don't even know where to look for this, so if someone can point me in the right direction (URL or white paper) so I don't ask the same ignorant question twice, I would appreciate it.

Thanks
Russ
Re: [ActiveDir] Slightly OT - DNS Problems:
DMZ? To begin with, why would you want to set up a trust and leave the firewalls in place with so few ports? What is then the point of the trust? Even if you got the trust working like that (there are more ports - I think Jorge has a blog on this) you would not be able to access anything, so it doesn't do you much good. I'm just not seeing the point of getting the trust working? Can you elaborate why you want to create a trust like that?

See this link as well for a list of the additional ports:

http://technet2.microsoft.com/WindowsServer/en/library/108124dd-31b1-4c2c-9421-6adbc1ebceca1033.mspx?mfr=true

On 10/9/06, Blair, James [EMAIL PROTECTED] wrote:

Hey All,

I am required to set up a trust with an acquisition's domain. Ports 53, 88 and 389 (TCP and UDP) are open on the firewall, theirs and ours, both ways (verified).

I have brought in a Forward Lookup Zone of their DNS as a Secondary Zone; I have also tried a Stub Zone and a Conditional Forwarder. When I go to create the trust, however, it says the domain cannot be contacted. I am ONLY able to connect to one of their DCs, in a DMZ; it is also a Global Catalog server.

When I ping the FQDN of the domain it goes from one of their DNS servers to another. After numerous IPCONFIG /FLUSHDNS and re-pings it eventually pings the FQDN. Still no go when trying to establish the trust.

- Created a host entry for the FQDN, no go.
- Tried an LMHOSTS reload and checked the cache to verify the new records were present, no go.
- Added the IP of their DNS server as an alternate DNS server address on the adapter, no go.
- Flicked between Enable NetBIOS over TCP/IP and Disable NetBIOS over TCP/IP, no go.
- Performed an nslookup of [FQDNDomain]: get all IPs of their DNS servers.
- Performed an nslookup with set q=srv of _ldap._tcp.[FQDNDomain]: get all their DNS servers; all have the same weighting and a priority of 0.
- Performed an nslookup of [guid]._msdcs.[FQDNDomain]: get their primary name server etc., which is the DC I can get to.
- The SOA is also the DC I can connect to.

Not sure if it is something to do with the Netlogon service utilising DSGetDcName? What is the next logical step, what am I missing? I can provide more info should this be required.

Thanking anyone in advance.

James Blair
Re: [ActiveDir] [OT] Exchange 2007 Schema
LOL. It's in the rest room I'm told...

--Paul

- Original Message -
From: Rich Milburn [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:56 PM
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

For the BrettSh T-Shirt, my vote is for the line to be split

BrettSh T-
Shirt

It's similar to the signs in the UK for leasing buildings - TO LET. They are just missing an i. I think Dean and Paul W know what I'm talking about :-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

You are definitely funny Brett, some would just argue whether it is in the ways you think. =) I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in fact. But with the crazy-that-can-only-be-Brett hairdo, not the big boy hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks with specific agreements with MSFT to bail you out in the event of a nasty fire, you probably shouldn't be installing heavily AD integrated beta products into your production forest. I would assume that ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT have the necessary support agreements in place. :) Plus they have Brian, not much he isn't going to be able to fix by himself I think.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap! Brian Puhl, you reading? Tony says E2k7 is a beta product, I hope you didn't load that schema on our main forest? Too late to get it backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...

On Thu, 5 Oct 2006, Tony Murray wrote:

Hi all

There are apparently schema changes post Beta 2 - just in case anyone was considering pre-loading the schema changes into production [1]. I don't have any further details on what the changes are.

Tony

[1] Which of course you wouldn't contemplate with a Beta product :-)
[ActiveDir] finding users that password never expire.
Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags, such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
RE: [ActiveDir] finding users that password never expire.
To search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled:

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query, use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

With joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is, by the way: 1.2.840.113556.1.4.804

For the other values see: MS-KBQ305144 "How to Use the UserAccountControl Flags to Manipulate User Account Properties"

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags, such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
Re: [ActiveDir] finding users that password never expire.
Perform an AND query. In ADFIND, this looks like this:

adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 4:43 PM
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags, such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
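The two replies above (jorge's and Paul's) both replace Yann's equality filter with the LDAP_MATCHING_RULE_BIT_AND extensible match. The following is an added example, not code from the posts or from ADFIND: it evaluates both filter semantics in plain Python over a constructed set of accounts with exactly the flag combinations Yann describes, so the difference between `userAccountControl=66048` and `userAccountControl:1.2.840.113556.1.4.803:=65536` is visible without a directory, and it builds the filter string a saved query needs. The UF_* values are the documented userAccountControl bits; the account names are made up.

```python
"""Why useraccountcontrol=66048 misses accounts and how a bit-AND filter fixes it.

Added example, not from the list posts. It evaluates the equality filter
from the question and the LDAP_MATCHING_RULE_BIT_AND / BIT_OR filters from
the replies against constructed accounts, and builds the saved-query filter.
"""

# userAccountControl flag bits (UF_* constants; see the KB article cited above).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000    # decimal 65536, the value in the replies
UF_NOT_DELEGATED = 0x100000

# Extensible matching rule OIDs quoted in the replies.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Constructed sample directory covering the combinations the question lists.
SAMPLE_ACCOUNTS = [
    {"cn": "alice", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},   # 66048
    {"cn": "bob", "userAccountControl": UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"cn": "carol", "userAccountControl": UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT
                                          | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED},
    {"cn": "dave", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"cn": "svc-backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED},
]


def equality_matches(value, wanted):
    """(userAccountControl=wanted): true only for exactly this flag combination."""
    return value == wanted


def bit_and_matches(value, mask):
    """(userAccountControl:1.2.840.113556.1.4.803:=mask): every bit of mask is set."""
    return (value & mask) == mask


def bit_or_matches(value, mask):
    """(userAccountControl:1.2.840.113556.1.4.804:=mask): at least one bit of mask is set."""
    return (value & mask) != 0


def search(accounts, predicate):
    """Return the cn of every account whose userAccountControl satisfies predicate."""
    return [a["cn"] for a in accounts if predicate(a["userAccountControl"])]


def never_expires_filter(enabled_only=False):
    """Build the saved-query filter for accounts with DONT_EXPIRE_PASSWD set.

    enabled_only=True additionally excludes disabled accounts, which is what an
    audit of live never-expiring passwords usually wants.
    """
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        "(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_EXPIRE_PASSWD),
    ]
    if enabled_only:
        clauses.append("(!(userAccountControl:%s:=%d))"
                       % (LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE))
    return "(&" + "".join(clauses) + ")"


def never_expires(accounts, enabled_only=False):
    """Evaluate the same logic as never_expires_filter() over local sample data."""
    def predicate(value):
        if not bit_and_matches(value, UF_DONT_EXPIRE_PASSWD):
            return False
        return not (enabled_only and bit_and_matches(value, UF_ACCOUNTDISABLE))
    return search(accounts, predicate)


if __name__ == "__main__":
    print("equality 66048:", search(SAMPLE_ACCOUNTS, lambda v: equality_matches(v, 66048)))
    print("bit-AND 65536: ", never_expires(SAMPLE_ACCOUNTS))
    print("enabled only:  ", never_expires(SAMPLE_ACCOUNTS, enabled_only=True))
    print(never_expires_filter(enabled_only=True))
```

The equality filter returns only alice, because bob and carol carry extra bits and so are a different integer; the bit-AND filter returns all three, which is the complete answer to the question. The `enabled_only` variant is the form worth keeping for recurring audits, since a disabled account with a non-expiring password is a different finding from an active one.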
[ActiveDir] OT: TechED 2007 New Orleans Cancelled ???
It looks like TechED 2007 New Orleans has been cancelled and will be in another location next year. Has anyone stateside heard where it is going to be as of yet?

Quote:

Microsoft cancels 3 New Orleans meetings, cites lack of flights

Lack of airline flights in and out of New Orleans prompted Microsoft Corp. to cancel three meetings expected to bring a total of more than 30,000 people to New Orleans next year. They had been planned as the first meetings in New Orleans since Hurricane Katrina for Redmond, Wash.-based Microsoft, which has held several worldwide events bringing thousands of people to the city since 2002.

Microsoft spokeswoman Robyn Kratzer confirmed to The Associated Press that the company was forced to cancel the planned events because they thought it would be too difficult to transport thousands of attendees, including some international travelers, in and out of the city. ``It was an extremely difficult situation and a difficult decision for Microsoft, but it was totally around logistics,'' Kratzer told AP. Two of the meetings were expected to bring 14,000 people each, and the third about 4,000.

Service at Louis Armstrong International Airport is 61 percent of what it was before the storm, but the airport has been able to get extra flights for other special events, spokeswoman Michelle Duffourc said. Continental Airlines has been particularly willing to put larger aircraft on its flights or schedule extra flights to the city when needed, she said. However, nobody from Microsoft or the New Orleans Metropolitan Convention and Visitors Bureau asked the airport to help keep the conventions, she said.

``That is really not true,'' convention bureau spokeswoman Mary Beth Romig said. She said the Microsoft meetings and their dates were mentioned ``some time ago'' during the bureau's continuing talks with the airport about flight problems. About Microsoft's decision, she said: ``Of course we are sorry they changed their mind. We are continuing to work with them for future dates in future years.''

Regards,

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
[EMAIL PROTECTED]
[ActiveDir] Forest trust divestitures
Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)

- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.
- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. All forest B pocket network DCs can talk to each other as well as back home.

D-Day:

- Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (See next step for why.)
- Firewall off communication to company B's network, and open up comm to company A's network. This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration. There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).
- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in ForestA? They have a lot of DCs.
- Establish the forest trust from A to B. Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's resources from A's users, isn't it?
- Do the migration.
- Remove the trust.
- Flip the pocket network firewalls back to block network A and allow network B.
- Let replication settle down, then transfer FSMOs back to their original locations.
- Misc cleanup, like removing conditional forwarding.

Appreciate any fine-tuning of this scenario, thanks!
RE: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???
I checked with some folks internally, and they confirmed that yes, this is unfortunately true. There are numerous discussions going on, and the recommendation is that you should watch http://microsoft.com/teched over the next week or two for updates and information.

Brian Puhl
Microsoft IT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, October 09, 2006 9:21 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

> [Mark Parris's original post, quoted in full; see the message above]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Forest trust divestitures
I don't think I see what you really want to accomplish? Why, if you're going to firewall the networks off anyway, do you need to migrate vs. Microsoft shuffle (create new on target, delete legacy)? Are other resources coming with that rely on these? Or are those being migrated as well? Is it just the workstations you're concerned about? If they're part of the same domain, what's the point?

Al

On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
> [Harvey's original post, quoted in full; see the message above]
RE : RE: [ActiveDir] finding users that password never expire.
Yes! Thanks, that works so well!! :o)

But many questions I have... What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)"? Why couldn't I find any results with my first query? And how do you construct the ":1.2.840.113556.1.4.803:" part of the LDAP query??

Thanks for your answer :)
Yann

"Almeida Pinto, Jorge de" [EMAIL PROTECTED] wrote:
> To search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled:
>
> ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"
>
> and to use it with a saved query use as the LDAP filter:
>
> (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
>
> With joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is, by the way: 1.2.840.113556.1.4.804
>
> For the other values see: MS-KBQ305144 "How to Use the UserAccountControl Flags to Manipulate User Account Properties"
>
> jorge
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Monday, October 09, 2006 17:44
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] finding users that password never expire.
>
> Hello all,
>
> I had to dump from AD all users whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags, such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(
>
> So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?
>
> Thanks,
> Yann
>
> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Forest trust divestitures
Yes, there are several terabytes of server-related resources going with the divestiture and it would be an enormous job to rebuild all the access control from scratch. Sorry, I should have mentioned that.

On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote:
> [Al's reply and Harvey's original post, quoted in full; see the messages above]
RE : Re: [ActiveDir] finding users that password never expire.
Thanks Paul. That works great :)
Yann

Paul Williams [EMAIL PROTECTED] wrote:
> Perform an AND query. In ADFIND, this looks like this:
>
> adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn
>
> If you want to use ADUC, or something else, you'll need to use this:
>
> (&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))
>
> --Paul
>
> ----- Original Message -----
> From: Yann
> To: ActiveDir@mail.activedir.org
> Sent: Monday, October 09, 2006 4:43 PM
> Subject: [ActiveDir] finding users that password never expire.
>
> [Yann's original question, quoted in full; see the earlier message in this thread]
Re: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???
It is a shame. The city really needs the business. I've been back 3 times now since the storm and things have definitely gotten better, but it still has a long way to go. Most of the US has kind of forgotten about it by now, so I'm guessing that many TechEd visitors would be shocked at how messed up things still are down there, even almost 2 years later (which is when TechEd would have been). Of course, most people won't be down in the 9th ward or Chalmette during TechEd, so you wouldn't see the worst of it, but it is still pretty stunning. The NO airport definitely has a very sleepy feel compared to years past, and it was never like going through O'Hare in the first place.

Joe K.

On 10/9/06, Brian Puhl [EMAIL PROTECTED] wrote:
> I checked with some folks internally, and they confirmed that yes, this is unfortunately true. There are numerous discussions going on, and the recommendation is that you should watch http://microsoft.com/teched over the next week or two for updates and information.
>
> Brian Puhl
> Microsoft IT
RE: RE : RE: [ActiveDir] finding users that password never expire.
userAccountControl=65536 checks if all enabled options/bits (unique combination) represent a total of 65536.

userAccountControl:1.2.840.113556.1.4.803:=65536 checks if only the option/bit represented by 65536 is enabled.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-10-09 20:24
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] finding users that password never expire.

> [Yann's questions, Jorge's first reply and Yann's original question, quoted in full; see the earlier messages in this thread]
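The thread's three filters behave differently because a DC evaluates them differently: a plain equality filter compares the whole userAccountControl integer, while the matching-rule form (the OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, and 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR) does a bitwise test and ignores every other bit, which is why it finds disabled or non-delegated accounts that also have the never-expires bit. The script below is an added example, not code from the list or from ADFind: it re-implements that evaluation over a handful of constructed accounts and builds the filter strings, so the difference is visible offline. The flag values are the documented userAccountControl bits; the account names and their flag combinations are made up.

```python
"""Constructed example: equality vs. bitwise matching on userAccountControl."""

# Documented userAccountControl bits (KB305144); only the ones this thread uses.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_NOT_DELEGATED: "UF_NOT_DELEGATED",
}

# Matching-rule OIDs; ADFind's ":AND:" / ":OR:" shorthand expands to these.
MATCHING_RULES = {
    "AND": "1.2.840.113556.1.4.803",   # LDAP_MATCHING_RULE_BIT_AND
    "OR": "1.2.840.113556.1.4.804",    # LDAP_MATCHING_RULE_BIT_OR
}

# Constructed sample directory: sAMAccountName -> userAccountControl.
SAMPLE_ACCOUNTS = {
    "alice": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,                      # 66048
    "bob":   UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,  # 66050
    "carol": UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
             | UF_NOT_DELEGATED,                                             # 1114626
    "dave":  UF_NORMAL_ACCOUNT,                                              # 512
}


def matches(uac, value, rule=None):
    """Evaluate one userAccountControl value the way the DC evaluates the filter."""
    if rule is None:                      # (userAccountControl=value)
        return uac == value               # the whole integer must be equal
    if rule == MATCHING_RULES["AND"]:     # (userAccountControl:1.2.840.113556.1.4.803:=value)
        return uac & value == value       # every bit in value is set; other bits are ignored
    if rule == MATCHING_RULES["OR"]:      # (userAccountControl:1.2.840.113556.1.4.804:=value)
        return uac & value != 0           # at least one bit in value is set
    raise ValueError(f"unknown matching rule {rule!r}")


def build_filter(value, rule=None):
    """LDAP filter string usable in an ADUC saved query or ldapsearch."""
    rule_part = f":{rule}:" if rule else ""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl{rule_part}={value}))")


def search(accounts, value, rule=None):
    """Names of the accounts whose userAccountControl satisfies the filter."""
    return sorted(name for name, uac in accounts.items() if matches(uac, value, rule))


def decode(uac):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


if __name__ == "__main__":
    bit_and = MATCHING_RULES["AND"]
    for value, rule in ((66048, None), (65536, None), (65536, bit_and)):
        print(build_filter(value, rule), "->", search(SAMPLE_ACCOUNTS, value, rule))
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {uac} = {' | '.join(decode(uac))}")
```

Running it shows the equality filter for 66048 returning only alice, the equality filter for 65536 returning nobody (no account's whole value is exactly that number), and the BIT_AND filter for 65536 returning alice, bob and carol, which is the complete never-expires population. For an audit that is the query to use; the OR rule is there for the opposite case, such as listing accounts that are either disabled or non-delegated in one pass.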
Re: [ActiveDir] Forest trust divestitures
So, if I understand correctly you want to migrate the users along with SID history so that you can also take along a bunch of file servers with their permissions that are already set for one of the domains in your forest A? When the divestiture occurs, you'll push the user information over.

> - Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.

That'll likely be problematic. You'll want to narrow that down more to use specific DCs vs. using any DC. If you use conditional forwarders, the clients of that DNS host (likely itself, but not necessarily) would be able to find B, and the reverse might also be true. The key is to be sure that the DC in A at the particular site and the DC in B at the same site can see each other.

See those links on Microsoft's site that relate to creating a trust over a firewall (but I have to wonder if it's worth it to have a firewall there at all for this).

Your biggest risk is that you run into something like SID filtering or some issue that prevents you from being able to create the trust on schedule and be able to migrate. I suggest you test this scenario and see what shakes out to mitigate the risk that you'll not get it to work on D-Day. As I understand divestitures, they won't be very understanding if it's delayed due to an inability to set this up and pull off the migration. Lots of raw nerves during the MAD process. :)

Al

On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
> [Harvey's reply, Al's reply and Harvey's original post, quoted in full; see the messages above]
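Al's point is that the thing to verify before D-Day is pairwise: the forest A DNS server/DC that clients at a site use must resolve forest B through its conditional forwarder, and the forest B pocket-network DC at that same site must be reachable through the firewall. The script below is an added readiness check written for this thread; it is not the list's, Quest's or Microsoft's code. It assumes forest B is named forestb.example, that the site-to-DC pairs in $SiteMap are placeholders you replace with your own, that it runs on a forest A DNS server with the DnsServer module (Get-DnsServerZone), and that Resolve-DnsName and Test-NetConnection are available. The ports probed are the fixed ones a trust setup needs (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB); the dynamic RPC range is not covered, so a clean result here is necessary but not sufficient.

```powershell
# Added example (not from the thread). All names and addresses below are
# constructed placeholders; replace them with the real per-site pairs.
$ForestB = 'forestb.example'
$SiteMap = @{
    'SiteOne' = @{ ForestADns = 'dc01a.foresta.example'; ForestBDc = '10.10.1.5' }
    'SiteTwo' = @{ ForestADns = 'dc02a.foresta.example'; ForestBDc = '10.10.2.5' }
}
$Ports = 53, 88, 135, 389, 445   # fixed ports; dynamic RPC range not probed

function Test-ConditionalForwarder {
    # Does this DNS server hold a conditional forwarder zone for forest B,
    # and does it point only at the pocket-network DCs we expect?
    param([string]$ZoneName, [string[]]$ExpectedMasters)

    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone -or $zone.ZoneType -ne 'Forwarder') {
        return [pscustomobject]@{ Zone = $ZoneName; Present = $false; Masters = ''; Ok = $false }
    }
    $masters    = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString })
    $unexpected = @($masters | Where-Object { $_ -notin $ExpectedMasters })
    [pscustomobject]@{
        Zone    = $ZoneName
        Present = $true
        Masters = ($masters -join ',')
        Ok      = ($unexpected.Count -eq 0)
    }
}

function Test-SiteReachability {
    # For each site: resolve forest B's DC locator SRV record through the
    # forest A DNS server at that site, then probe the pocket DC's ports.
    param([string]$Forest, [hashtable]$Sites, [int[]]$PortList)

    foreach ($site in $Sites.Keys) {
        $dns  = $Sites[$site].ForestADns
        $peer = $Sites[$site].ForestBDc

        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV `
                               -Server $dns -ErrorAction SilentlyContinue
        $targets = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })

        $closed = @($PortList | Where-Object {
            -not (Test-NetConnection -ComputerName $peer -Port $_ `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue)
        })

        [pscustomobject]@{
            Site        = $site
            DnsServer   = $dns
            SrvTargets  = ($targets -join ',')
            PocketDc    = $peer
            ClosedPorts = ($closed -join ',')
            Ok          = ($targets.Count -gt 0 -and $closed.Count -eq 0)
        }
    }
}

Test-ConditionalForwarder -ZoneName $ForestB `
    -ExpectedMasters ($SiteMap.Values | ForEach-Object { $_.ForestBDc })
Test-SiteReachability -Forest $ForestB -Sites $SiteMap -PortList $Ports | Format-Table -AutoSize
```

Run it on each forest A DNS server that clients at a site actually use, rather than on every DC, and keep the output from the lab run as the baseline for the dry run; a site whose forwarder resolves the SRV record but whose Ok column is false is exactly the firewall gap that would stall the trust on the day.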
RE: [ActiveDir] Waaay OT: wikis
No, actually, 1(-1+1)(-1+1) is the same as writing 1*(-1+1)*(-1+1). You cannot imply a + or - sign. Since there's not an explicit + or - between the first 1 and the opening paren., then you cannot assume one. You can, however, imply a multiplication. What you've written implies multiplication.

If you shift your parentheses to push the first - operation outside the first paren, then you also have to remember that you're left with a +1 at the end. This leaves 1 - (1-1) - (1-1) - ... + 1 = 1 - (+1) = 1 - 1 = 0 (dropping the unnecessary positive (+) symbol on the 1's).

Joe Pochedley

"Software suppliers are trying to make their software packages more user-friendly... Their best approach, so far, has been to take all the old brochures, and stamp the words, 'user-friendly' on the cover." - Bill Gates

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 09, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Waaay OT: wikis

Not at all - I did not include any multiplication signs between the brackets - you've introduced them :/. Read what I wrote at face value and you'll see it's quite valid (altho it breaks various maths rules!)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Monday, October 09, 2006 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis

I wonder if you realize that what you posted was incorrect:

1 (-1+1) (-1+1) ...

turns into:

1*0*0*0

So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Very good altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.

How about this:

(1-1) + (1-1) + (1-1) + ... = 0

Re-write left hand side by moving brackets one place to the right:

1 (-1+1) (-1+1) ...

Or simplified:

1 + 0 + 0 + ... = 1

So 1 = 0 !

neil

PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x            [true for some a's and x's]
a+a = a+x        [add a to both sides]
2a = a+x         [a+a = 2a]
2a-2x = a+x-2x   [subtract 2x from both sides]
2(a-x) = a+x-2x  [2a-2x = 2(a-x)]
2(a-x) = a-x     [x-2x = -x]
2 = 1            [divide both sides by a-x]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2 and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
Re: [ActiveDir] Forest trust divestitures
We're going to run a test in the lab in the next few days, then a dry run with the real forest B and a dummy forest B shortly after that.

On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote:
> [Al's reply and the earlier messages it quotes, duplicated in full; see the messages above]
Re: [ActiveDir] Forest trust divestitures
I'd be interested to hear how it turns out.

On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
> We're going to run a test in the lab in the next few days, then a dry run with the real forest B and a dummy forest B shortly after that.
>
> On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote:
> > So, if I understand correctly you want to migrate the users along with SID history so that you can also take along a bunch of file servers with its permissions that are already set for one of the domains in your forest A? When the divestiture occurs, you'll push the user information over.
> >
> > > - Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.
> >
> > That'll likely be problematic. You'll want to narrow that down more to use specific DCs vs. using any DC. If you use conditional forwarders, the clients of that DNS host (likely itself, but not necessarily) would be able to find B, and the reverse might also be true. The key is to be sure that the DC in A at the particular site and the DC in B at the same site can see each other.
> >
> > See those links on Microsoft's site that relate to creating a trust over a firewall (but I have to wonder if it's worth it to have a firewall there at all for this).
> >
> > Your biggest risk is that you run into something like SID filtering or some issue that prevents you from being able to create the trust on schedule and be able to migrate. I suggest you test this scenario and see what shakes out to mitigate the risk that you'll not get it to work on D-Day. As I understand divestitures, they won't be very understanding if it's delayed due to an inability to set this up and pull off the migration. Lots of raw nerves during the MAD process. :)
> >
> > Al
> >
> > On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
> > > Yes, there are several terabytes of server-related resources going with the divestiture and it would be an enormous job to rebuild all the access control from scratch. Sorry, I should have mentioned that.
> > >
> > > On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote:
> > > > I don't think I see what you really want to accomplish? Why, if you're going to firewall the networks off anyway, do you need to migrate vs. Microsoft shuffle (create new on target, delete legacy)? Are other resources coming with that rely on these? Or are those being migrated as well? Is it just the workstations you're concerned about? If they're part of the same domain, what's the point?
> > > >
> > > > Al
> > > >
> > > > On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)
> > > > >
> > > > > - Forest A (multiple domains) and Forest B (single domain). In the beginning, no communication between them.
> > > > > - Forest B DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. All forest B pocket network DCs can talk to each other as well as back home.
> > > > >
> > > > > D-Day:
> > > > > - Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (See next step for why.)
> > > > > - Firewall off communication to company B's network, and open up comm to company A's network. This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration. There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).
> > > > > - Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa. Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.
> > > > > - Establish the forest trust from A to B. Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's resources from A's users, isn't it?
> > > > > - Do the migration.
> > > > > - Remove the trust.
> > > > > - Flip the pocket network firewalls back to block network A and allow network B.
> > > > > - Let replication settle down, then transfer FSMOs back to their original locations.
> > > > > - Misc cleanup, like removing conditional forwarding.
> > > > >
> > > > > Appreciate any fine-tuning of this scenario, thanks!
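The D-Day steps in the thread (site-scoped conditional forwarding, the PDC and DC locator records the trust setup needs, reachability through the pocket-network firewall, and Al's SID filtering warning) as an added PowerShell example; it is not from the thread or from either company, the zone name, addresses and server names are constructed placeholders, and it assumes the DnsServer and ActiveDirectory modules of Windows Server 2012 or later rather than the 2006-era tools the list would have used.

```powershell
# Added example, not from the thread. Names and addresses are constructed placeholders.
$ForestBZone = 'forestb.example'                  # assumed DNS name of forest B
$PocketDCs   = @('10.20.30.11', '10.20.30.12')    # assumed forest B pocket-network DCs at this site
$DnsServer   = 'dc01.site1.foresta.example'       # assumed forest A DNS server at the same site

# Forwarder only on the DNS server(s) serving this site, not on every DC in forest A.
# Omitting -ReplicationScope keeps it file-backed on this server instead of AD-replicated.
Add-DnsServerConditionalForwarderZone -Name $ForestBZone -MasterServers $PocketDCs -ComputerName $DnsServer

# Records the forest-trust setup needs from the other side: DC locator SRV records and the PDC
# (which the plan moves onto a pocket-network DC for exactly this reason).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$ForestBZone",
    "_ldap._tcp.pdc._msdcs.$ForestBZone",
    "_kerberos._tcp.dc._msdcs.$ForestBZone"
)
foreach ($name in $srvNames) {
    $answer = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
    if (-not $answer) { Write-Warning "No SRV answer for $name via $DnsServer"; continue }
    $answer | Where-Object Type -eq 'SRV' | ForEach-Object { "$name -> $($_.NameTarget):$($_.Port)" }
}

# Reachability from this forest A host to the pocket DCs on the ports a trust and a
# SID-history migration use: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, global catalog.
$ports = 53, 88, 135, 389, 445, 3268
foreach ($dc in $PocketDCs) {
    foreach ($port in $ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# Once the trust exists: SID filtering on the trust strips sIDHistory SIDs from tokens that
# cross it, so migrated SID history grants no access to forest A resources while it is on.
# Check the state in the lab run rather than discovering it on D-Day.
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$ForestBZone'" |
    Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware
```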
[ActiveDir] OT: A short and sweet KB
Do not run a service by using a service account that belongs to a different domain: http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
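A check for the configuration that KB warns against, as an added PowerShell example that is not from the post or the KB: it lists services whose logon account comes from a domain other than the host's own; the home-domain names and the sample service records are constructed placeholders.

```powershell
# Added example, not from the post or the KB. Domain names are constructed placeholders.
function Get-ForeignDomainService {
    param(
        # NetBIOS and DNS names that count as "home" for this host (assumed values).
        [string[]] $HomeDomains = @('FORESTA', 'foresta.example'),
        # Service records with Name and StartName; defaults to live CIM data when not supplied.
        [object[]] $Services = (Get-CimInstance Win32_Service | Select-Object Name, StartName)
    )
    # Account "domains" that mean a local or built-in identity, not another AD domain.
    $local = @('LocalSystem', 'NT AUTHORITY', 'NT SERVICE', '.', $env:COMPUTERNAME)
    foreach ($svc in $Services) {
        if (-not $svc.StartName) { continue }                                   # kernel/driver services
        $domain = $null
        if     ($svc.StartName -match '^(?<d>[^\\]+)\\') { $domain = $Matches.d } # DOMAIN\user form
        elseif ($svc.StartName -match '@(?<d>.+)$')      { $domain = $Matches.d } # user@dns.domain form
        elseif ($svc.StartName -in $local)               { continue }             # e.g. LocalSystem
        if (-not $domain -or $domain -in $local)         { continue }             # local user or built-in
        if ($domain -notin $HomeDomains) {                                        # -in/-notin ignore case
            [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; AccountDomain = $domain }
        }
    }
}

# Constructed sample records so the check can be exercised without a domain-joined host.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem' },
    [pscustomobject]@{ Name = 'w3svc';     StartName = 'NT AUTHORITY\NetworkService' },
    [pscustomobject]@{ Name = 'BackupAgt'; StartName = 'FORESTA\svc-backup' },            # home domain
    [pscustomobject]@{ Name = 'LegacyApp'; StartName = 'FORESTB\svc-legacy' },            # other domain
    [pscustomobject]@{ Name = 'Reporting'; StartName = 'svc-report@forestb.example' }     # other domain, UPN form
)
Get-ForeignDomainService -Services $sample | Format-Table -AutoSize
```

Run without -Services on a domain member to audit the real service list; a non-empty result is the configuration the KB says to avoid.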