Re: [ActiveDir] RealVNC removal

2006-10-09 Thread Matt Hargraves
I'd go with just disabling the service and setting it so that only Domain Admins and System can even manage and/or see the service. This is a 10-minute solution, whereas the others could take quite a bit of time to research how to do correctly.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
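One way to carry out the suggestion above on a single machine, added here as an example and not taken from the list post. The service name `winvnc` is a placeholder (RealVNC installs differ; check `sc.exe query` for the real name), and the SDDL string keeps only SYSTEM and Domain Admins in the service DACL, which is what the reply describes. Run it as a Domain Admin, since after the change nobody else can even read the service configuration.

```powershell
# Added example, not from the original post. $ServiceName is a placeholder:
# look the real one up with `sc.exe query` on the machine in question.
$ServiceName = 'winvnc'

# 1. Make sure it is not running and will not start again.
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
Set-Service  -Name $ServiceName -StartupType Disabled

# 2. Replace the service DACL so that only SYSTEM (SY) and Domain Admins (DA)
#    can see or manage it. Local Administrators, Interactive and Service users
#    lose their default entries, which is the intent of the suggestion.
#    SY keeps the default start/stop/query rights, DA gets full control.
$Sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)'
sc.exe sdset $ServiceName $Sddl

# 3. Read it back to confirm. Anyone outside SY/DA now gets "Access is denied"
#    from `sc.exe query <name>` and no longer sees the service in services.msc.
sc.exe sdshow $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```

For a whole domain the same two settings (startup type and service security) can be pushed from Group Policy under Computer Configuration > Windows Settings > Security Settings > System Services, which is the "10-minute" route the reply has in mind.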


[ActiveDir] Slightly OT - DNS Problems:

2006-10-09 Thread Blair, James

Hey All,


I am required to set up a trust with an acquisition's domain. Ports 53, 88 and 389 (TCP & UDP) are open on the firewall, theirs and ours - both ways verified.

I have brought in a Forward Lookup Zone of their DNS - Secondary Zone, have also however tried a Stub Zone and a Conditional Forwarder.

When I go to create the trust however it says the domain cannot be contacted. I am ONLY able to connect to one of their DCs, in a DMZ; it is also a Global Catalog server. When I ping the FQDN of the domain it goes from one of their DNS servers to another. After numerous IPCONFIG /FLUSHDNS and re-pings it eventually pings the FQDN. Still no go when trying to establish the trust.

Created a host entry for the FQDN, no go. Tried LMHOST record reload and checked the cache to verify new records were present, no go. Added the IP of their DNS server as an alternate DNS server address on the adapter, no go. Flicked between Enable NetBIOS over TCP/IP and Disable NetBIOS over TCP/IP, no go.

Perform an nslookup - .[FQDNDomain]: get all IPs of their DNS servers. Perform an nslookup - set q=srv - _ldap._tcp.[FQDNDomain]: get all their DNS servers, all have the same weighting and a priority of 0. Perform an nslookup - guid_msdcs.[FQDNDomain]: get their primary name server etc., which is the DC I can get to. The SOA is also the DC I can connect to.

Not sure if it is something to do with the Netlogon service utilising DSGetDcName? What is the next logical step, what am I missing?

I can provide more info should this be required.


Thanking anyone in advance.


James Blair





RE: [ActiveDir] OT: wikis

2006-10-09 Thread Steve Comeau








And of course, the problem with the a=x conundrum is the next-to-last operation, where you divide both sides by a-x. You can't do that when a=x because you are dividing by zero, a mathematical no-no - you get infinity.







Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Monday, October 09, 2006
12:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: wikis





I wonder if you realize
that what you posted was incorrect:

1 (-1+1) (-1+1) ...

turns into:

1*0*0*0

So in the end 0 = 0

:)






On 10/6/06, [EMAIL PROTECTED]
[EMAIL PROTECTED]
wrote:

Very good altho dividing by zero (last step) is not permitted and (as
per the below) causes an issue if permitted.

How about this:
(1-1) + (1-1) + (1-1) + ... = 0

Re-write left hand side by moving brackets one place to the right: 
1 (-1+1) (-1+1) ...

Or simplified:
1 + 0 + 0 + ... = 1

So 1 = 0 !


neil
PS Glad to see I managed to get the list talking about stuff other than
IT/Windows/AD/Exch/Jet/ESE...

-Original Message- 
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Crawford, Scott 
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm


a = x              [true for some a's and x's]
a+a = a+x          [add a to both sides]
2a = a+x           [a+a = 2a]
2a-2x = a+x-2x     [subtract 2x from both sides]
2(a-x) = a+x-2x    [2a-2x = 2(a-x)]
2(a-x) = a-x       [x-2x = -x]
2 = 1              [divide both sides by a-x]


-Original Message-
From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or
maybe it was higher throwing a proof up on the board showing that 1 + 1
!= 2 and it wasn't a numerical base trick

I didn't follow through it, I just closed my eyes and shook my head and
thought forward to my communications class as the sights were easier on
the eyes...

I still wonder why I went into a field with such a high ratio of men to
women... :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of Laura A.
Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-) 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
] On Behalf Of Greg Nims
 Sent: Thursday, October 05, 2006 11:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: wikis

 
  It's funny how we quote wikis as definitive sources of information,
  when they can be edited by anyone and everyone :)
 
  Who vets the edits and how much does that person know about the 
  subject matter??

 Anyone can edit, which is why they are generally correct.
 When 100,000 people view a record, and 2 people want to change it to
 be incorrect,
 999,998 will want to correct it. 

 I wouldn't use a wiki as a great historical or technical source. But
 for encyclopedia entries, which give a good summation of a subject,
 they are great.






RE: [ActiveDir] OT: wikis

2006-10-09 Thread Ken Cornetet
They like it because it shows that division by zero can bite you without
being obvious. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 08, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

I've seen that stunt a few times. I'm not sure the point of showing it
but math teachers love to demonstrate it for some reason. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




RE: [ActiveDir] Waaay OT: wikis

2006-10-09 Thread neil.ruston



Not at all - I did not include any multiplication signs between the 
brackets - you've introduced them :/.

Read what I wrote at face value and you'll see it's quite valid (altho it 
breaks various maths rules!)

neil


[ActiveDir] FW: Script to move user account and computer accounts

2006-10-09 Thread Group, Russ

Hi all


I was wondering if there is a script I can use that will move user accounts and computer accounts from one child domain to another child domain (Windows 2000). I don't even know where to look for this, so if someone can point me in the right direction (URL or white paper) so I don't ask the same ignorant question twice, I would appreciate it.

Thanks

Russ 





RE: [ActiveDir] FW: Script to move user account and computer accounts

2006-10-09 Thread Brian Desmond

Admod from joeware.net can do the cross domain moves





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132












[ActiveDir] Certificate Authority unable to publish certs in AD

2006-10-09 Thread Freddy HARTONO

Hi guys


For some weird reason I'm getting the below errors on the certificate authority. The CA is a one-level issuing enterprise CA, running on Win2003 Enterprise Edition, with autoenrollment enabled for a few usernames. The GPO has been enabled for autoenrollment for both the user and computer portions. The cert templates have been given the rights and are issuing the User Certificate type successfully to the local machines but NOT publishing it to the userCertificate attribute...

Eventlog 80 on the CA server:

Certificate Services could not publish a Certificate for request 264 to the following location on server SINDC01.intlsos.com: CN=Oliva O.CUNTAPAY,OU=Users,OU=SIN,DC=intlsos,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).

ldap: 0x32: 2098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


Eventlog on the domain controller:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
 Accesses: Write Self
 Properties:
 ---
  Personal Information
   userCertificate
  user
 Additional Info:
 Additional Info2:
 Access Mask: 0x8



Things I've verified so far:

1) The CA computer account is listed in the Cert Publishers group

2) Have modified the Cert Publishers group to be a domain local group (it's an upgrade from a 2000 domain)

3) Verified that Cert Publishers has Read/Write on the userCertificate attribute


Any suggestions?


Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Infrastructure Services Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

 


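A reproducible version of the third check in the message above, added here as an example and not part of the original post. It uses the ActiveDirectory PowerShell module (the `AD:` drive) to read the DACL of the user object named in event 80, lists every ACE granted to Cert Publishers, resolves the schemaIDGUID of userCertificate so that attribute-specific ACEs can be matched, and reports whether inheritance is blocked on the object. An ACE granted on the OU does nothing for a user whose object has inheritance disabled, so that flag is worth reading alongside the rights themselves. The distinguished name is the one from the event text on this page; the NetBIOS domain name `INTLSOS` is an assumption.

```powershell
# Added example, not from the original post. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

$userDn  = 'CN=Oliva O.CUNTAPAY,OU=Users,OU=SIN,DC=intlsos,DC=com'   # from the event on the page
$groupNt = 'INTLSOS\Cert Publishers'                                  # assumed NetBIOS domain name

# Resolve the schemaIDGUID of userCertificate so attribute-scoped ACEs can be recognised.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$attr         = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$userCertGuid = [guid]$attr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$userDn"
Write-Host ("Inheritance blocked on object: " + $acl.AreAccessRulesProtected)

# Every ACE for Cert Publishers; an empty ObjectType means "all properties",
# otherwise the ACE has to name userCertificate itself to cover the publish write.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $groupNt } |
    ForEach-Object {
        $covers = ($_.ObjectType -eq [guid]::Empty) -or ($_.ObjectType -eq $userCertGuid)
        [pscustomobject]@{
            Rights                = $_.ActiveDirectoryRights
            Type                  = $_.AccessControlType
            ObjectType            = $_.ObjectType
            Inherited             = $_.IsInherited
            CoversUserCertificate = $covers
        }
    } | Format-Table -AutoSize
```

If the table comes back empty while the OU delegation looks right, the inheritance flag on the first line is the next thing to look at; if an ACE is present and covers the attribute, the remaining difference between "verified in the GUI" and the 566 audit failure lies in which identity the CA actually presents to the DC, not in the ACL.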



Re: [ActiveDir] FW: Script to move user account and computer accounts

2006-10-09 Thread Paul Williams

Look at ADMOD or ADMT for xdom move.

If you actually want to copy a user, look at ADMT. Note: ADMT won't perform a copy, when operating intra-forest, by default. But you can configure it to do so IIRC.

Other options are to create a new user and copy the existing attributes, using a script or some code, excluding things like SID, UPN, etc. If this is the route you want to take, I don't think it's detailed in a whitepaper anywhere (it might be but I've not read it). This is something you need to implement yourself. The problem here is that ADMT tracks source and destination objects so you can re-run it and keep the target attributes up-to-date with the source ones. Your script won't do this by default.


--Paul



Re: [ActiveDir] Slightly OT - DNS Problems:

2006-10-09 Thread Al Mulnick
DMZ? To begin with, why would you want to set up a trust and leave the firewalls in place with so few ports? What is then the point of the trust? Even if you got the trust working like that (there are more ports - I think Jorge has a blog on this) you would not be able to access anything so it doesn't do you much good. I'm just not seeing the point of getting the trust working? Can you elaborate why you want to create a trust like that?
See this link as well for a list of the additional ports.  http://technet2.microsoft.com/WindowsServer/en/library/108124dd-31b1-4c2c-9421-6adbc1ebceca1033.mspx?mfr=true
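A check that ties the original question and the reply together, added here as an example and not taken from either message. The DC locator works from the `_ldap._tcp.dc._msdcs.<domain>` SRV set (the poster queried the generic `_ldap._tcp` name, which lists the same servers); the script walks that set through the partner DNS server and tests every advertised DC on the three ports the poster opened plus the RPC endpoint mapper and SMB ports, which trust creation also relies on. The domain name and DNS address are placeholders, and `Test-NetConnection` only exercises TCP, so UDP 53/88/389 still need a separate look; the TechNet article linked in the reply has the full port list, including the dynamic RPC range.

```powershell
# Added example, not from the thread. $PartnerDomain and $PartnerDns are placeholders.
$PartnerDomain = 'partner.example'       # placeholder: the acquired domain's FQDN
$PartnerDns    = '192.0.2.10'            # placeholder: the partner DNS server you can reach

# Ports the original poster opened, plus RPC endpoint mapper (135) and SMB (445),
# which the LSA RPC calls made during trust creation also need.
$Ports = 53, 88, 135, 389, 445

# DC locator records: the DC-specific SRV set under _msdcs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV -Server $PartnerDns |
       Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $dc = $rec.NameTarget
    $ip = (Resolve-DnsName -Name $dc -Type A -Server $PartnerDns -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    foreach ($port in $Ports) {
        $ok = if ($ip) {
            (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        } else { $false }
        [pscustomobject]@{
            DC = $dc; IP = $ip; Priority = $rec.Priority; Weight = $rec.Weight
            Port = $port; Reachable = $ok
        }
    }
}
```

Every DC in the SRV answer is a candidate the locator may hand back, so a single reachable DC in a set of several equally weighted ones (priority 0, same weight, as the nslookup output in the question shows) gives a wizard that only sometimes gets as far as the DC it can talk to; rows with `Reachable = False` on 135 or 445 point at the ports the firewall change did not cover.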

Re: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-09 Thread Paul Williams

LOL.  It's in the rest room I'm told...


--Paul

- Original Message - 
From: Rich Milburn [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:56 PM
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema



For the BrettSh T-Shirt, my vote is for the line to be split

BrettSh T-
Shirt

It's similar to the signs in the UK for leasing buildings -
TO LET
They are just missing an i.

I think Dean and Paul W know what I'm talking about

:-)
Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

You are definitely funny Brett, some would just argue whether it is in the ways you think. =)

I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in fact. But with the crazy that can only be Brett hairdo, not the big boy hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks with specific agreements with MSFT to bail you out in the event of a nasty fire, you probably shouldn't be installing heavily AD integrated beta products into your production forest. I would assume that ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT have the necessary support agreements in place. :) Plus they have Brian, not much he isn't going to be able to fix by himself I think.

 joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not
...


On Thu, 5 Oct 2006, Tony Murray wrote:


Hi all

There are apparently schema changes post Beta 2 - just in case anyone was considering pre-loading the schema changes into production [1].


I don't have any further details on what the changes are.

Tony

[1] Which of course you wouldn't contemplate with a Beta product :-)







[ActiveDir] finding users that password never expire.

2006-10-09 Thread Yann
Hello all,

I had to dump in AD all users whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
		 


RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de




To search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled:

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query, use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

With joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is, by the way: 1.2.840.113556.1.4.804

For the other values see: MS-KB Q305144, "How to Use the UserAccountControl Flags to Manipulate User Account Properties".

jorge

  
  



Re: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Paul Williams



Perform an AND query.

In ADFIND, this looks like this:

adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))


--Paul


  - Original Message - 
  From: 
  Yann 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, October 09, 2006 4:43 
  PM
  Subject: [ActiveDir] finding users that 
  password never expire.
  
  Hello all,
  
  I had to dump in AD all users whose password never expires.
  I used the saved queries with this custom ldap query :
  useraccountcontrol=66048 which corresponds to NORMAL_ACCOUNT & 
  DONT_EXPIRE_PASSWORD properties flag.
  BUT i found that this search was not complete, because some users have 
  other properties flag such as 
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or 
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | 
  UF_NOT_DELEGATED ... :(
  
  So the question is:
  How to search for user accounts that have at least the 
  DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?
  Is there a way to do it with a custom ldap query ?
  
  Thanks,
  
  Yann
  
  


[ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

2006-10-09 Thread Mark Parris
It looks like TechED 2007 New Orleans has been cancelled and will be in another 
location next year. 

Has anyone stateside heard where it is going to be as of yet?

Quote:

Microsoft cancels 3 New Orleans meetings, cites lack of flights

Lack of airline flights in and out of New Orleans prompted Microsoft
Corp. to cancel three meetings expected to bring a total of more than
30,000 people to New Orleans next year. 

They had been planned as the first meetings in New Orleans since
Hurricane Katrina for Redmond, Wash.-based Microsoft, which has held
several worldwide events bringing thousands of people to the city since
2002.

Microsoft spokeswoman Robyn Kratzer confirmed to The Associated Press
that the company was forced to cancel the planned events because they
thought it would be too difficult to transport thousands of attendees,
including some international travelers, in and out of the city.

``It was an extremely difficult situation and a difficult decision for
Microsoft, but it was totally around logistics,'' Kratzer told AP.

Two of the meetings were expected to bring 14,000 people each, and the
third about 4,000.

Service at Louis Armstrong International Airport is 61 percent of what
it was before the storm, but the airport has been able to get extra
flights for other special events, spokeswoman Michelle Duffourc said.

Continental Airlines has been particularly willing to put larger
aircraft on its flights or schedule extra flights to the city when
needed, she said.

However, nobody from Microsoft or the New Orleans Metropolitan
Convention and Visitors Bureau asked the airport to help keep the
conventions, she said.

``That is really not true,'' convention bureau spokeswoman Mary Beth
Romig said. She said the Microsoft meetings and their dates were
mentioned ``some time ago'' during the bureau's continuing talks with
the airport about flight problems.

About Microsoft's decision, she said: ``Of course we are sorry they
changed their mind. We are continuing to work with them for future dates
in future years.''

Regards,




Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
[EMAIL PROTECTED]

[ActiveDir] Forest trust divestitures

2006-10-09 Thread Harvey Kamangwitz
Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)


- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.

- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back
 to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. 
 All forest B pocket network DCs can talk to each other as well as back home.

D-Day:
- Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)

- Firewall off communication to company B's network, and open up comm to company A's network.
 This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly,
 it'll make the PDC available on the company A network for the forest trust setup and the RID master also available 
 to hand out more RIDs during the migration.
 There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).

- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
 Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.

- Establish the forest trust from A to B.
 Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's 
 resources from A's users, isn't it?

- Do the migration.

- Remove the trust

- Flip the pocket network firewalls back to block network A and allow network B.

- Let replication settle down, then transfer FSMOs back to their original locations.

- misc cleanup, like removing conditional forwarding


Appreciate any fine-tuning of this scenario, thanks!



RE: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

2006-10-09 Thread Brian Puhl
I checked with some folks internally, and they confirmed that yes, this is 
unfortunately true.

There are numerous discussions going on, and the recommendation is that you 
should watch http://microsoft.com/teched over the next week or two for updates 
and information.

Brian Puhl
Microsoft IT

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Forest trust divestitures

2006-10-09 Thread Al Mulnick
I don't think I see what you really want to accomplish? Why, if you're going to firewall the networks off anyway, do you need to migrate vs. Microsoft shuffle (create new on target, delete legacy)? Are other resources coming with that rely on these? Or are those being migrated as well? Is it just the workstations you're concerned about? 
If they're part of the same domain, what's the point? 

Al





RE : RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Yann
Yes ! thanks, that works so well !! :o)

But many questions i have..
What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)" ?
Why couldn't i find any results with my first query ?
And how do you construct the ":1.2.840.113556.1.4.803:" part of the ldap query ??

Thanks for your answer :)

Yann

"Almeida Pinto, Jorge de" [EMAIL PROTECTED] wrote:

to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know the OID
OR is by the way: 1.2.840.113556.1.4.804

for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

Re: [ActiveDir] Forest trust divestitures

2006-10-09 Thread Harvey Kamangwitz
Yes, there are several terabytes of server-related resources going with the divestiture and it would be an enormous job to rebuild all the access control from scratch. Sorry, I should have mentioned that.



RE : Re: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Yann
Thanks Paul.
That works great :)

Yann

Paul Williams [EMAIL PROTECTED] wrote:

Perform an AND query.

In ADFIND, this looks like this:

adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))

--Paul


Re: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

2006-10-09 Thread Joe Kaplan

It is a shame.  The city really needs the business.  I've been back 3
times now since the storm and things have definitely gotten better,
but it still has a long way to go.

Most of the US has kind of forgotten about it by now, so I'm guessing
that many TechEd visitors would be shocked at how messed up things
still are down there, even almost 2 years later (which is when TechEd
would have been).  Of course, most people won't be down in the 9th
ward or Chalmette during TechEd, so you wouldn't see the worst of it,
but it is still pretty stunning.

The NO airport definitely has a very sleepy feel compared to years
past, and it was never like going through O'Hare in the first place.

Joe K.



RE: RE : RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de
userAccountControl=65536
check if all enabled options/bits (unique combination) represent a total of 
65536
 
userAccountControl:1.2.840.113556.1.4.803:=65536
check if only the option/bit represented by 65536 is enabled
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



winmail.dat
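The filters in Paul's and Jorge's replies above differ from Yann's equality query in how the directory server evaluates them. The following Python script is an added example, not code from the list, from ADFIND or from Microsoft: it models the three filter forms (plain equality, the bitwise-AND rule 1.2.840.113556.1.4.803 and the bitwise-OR rule 1.2.840.113556.1.4.804) over a constructed sample of accounts whose userAccountControl values are the flag combinations Yann listed, and it builds the saved-query filter string for a flag mask. The account names and the `search`, `uac_matches`, `parse_uac_item` and `bit_filter` functions are assumptions of the example; the objectCategory/objectClass clauses are not evaluated because every constructed entry is a user.

```python
"""Model of the userAccountControl filter forms discussed in the thread.

Added example, not code from the ActiveDir list, ADFIND or Microsoft. It
re-implements in Python how an LDAP server evaluates a plain equality
filter versus the bitwise matching rules, over a constructed sample of
accounts. The objectCategory/objectClass clauses of a real filter are not
evaluated here; every constructed entry is a user.
"""
import re

# Flag values per KB 305144 ("How to Use the UserAccountControl Flags...").
UF_ACCOUNTDISABLE = 0x0002        # 2
UF_NORMAL_ACCOUNT = 0x0200        # 512
UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536
UF_NOT_DELEGATED = 0x100000       # 1048576

# Matching-rule OIDs quoted in the thread.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Constructed sample directory (cn, userAccountControl); not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                    # 66048
    ("bob", UF_NORMAL_ACCOUNT),                                               # 512
    ("carol", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),  # 66050
    ("dave", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
             | UF_NOT_DELEGATED),                                             # 1114626
    ("erin", UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED),                           # 1049088
]

# Matches "(userAccountControl=N)" or "(userAccountControl:<oid>:=N)",
# whether it stands alone or sits inside a larger (&(...)(...)) filter.
_UAC_ITEM = re.compile(r"\(userAccountControl(?::([\d.]+):)?=(\d+)\)", re.IGNORECASE)


def parse_uac_item(ldap_filter):
    """Return (matching-rule OID or None, integer value) of the uAC item in a filter."""
    m = _UAC_ITEM.search(ldap_filter)
    if not m:
        raise ValueError(f"no userAccountControl item in filter: {ldap_filter!r}")
    return m.group(1), int(m.group(2))


def uac_matches(uac, rule_oid, value):
    """Evaluate one userAccountControl item against a stored attribute value."""
    if rule_oid is None:
        # Plain equality: the whole integer must be identical, so any extra
        # flag on the account (e.g. UF_ACCOUNTDISABLE) makes it a non-match.
        return uac == value
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        # Bitwise AND rule: every bit in value must be set; other bits are ignored.
        return (uac & value) == value
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        # Bitwise OR rule: at least one bit in value must be set.
        return (uac & value) != 0
    raise ValueError(f"unsupported matching rule OID: {rule_oid}")


def search(ldap_filter, accounts=SAMPLE_ACCOUNTS):
    """Return the cn of every sample account the filter's uAC item selects."""
    rule_oid, value = parse_uac_item(ldap_filter)
    return [cn for cn, uac in accounts if uac_matches(uac, rule_oid, value)]


def bit_filter(flags, rule_oid=LDAP_MATCHING_RULE_BIT_AND):
    """Build the saved-query form of the filter for a flag mask, as in Jorge's reply."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{rule_oid}:={flags}))"
    )


if __name__ == "__main__":
    print("equality 66048 :", search("(userAccountControl=66048)"))
    print("equality 65536 :", search("(userAccountControl=65536)"))
    print("bit-AND 65536  :", search(bit_filter(UF_DONT_EXPIRE_PASSWD)))
    print("bit-AND disabled and never-expire:",
          search(bit_filter(UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD)))
    print("bit-OR never-expire or not-delegated:",
          search(bit_filter(UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED,
                            LDAP_MATCHING_RULE_BIT_OR)))
```

Running it shows why `userAccountControl=66048` returns only the plain never-expire account and `userAccountControl=65536` returns nothing (no account has exactly that value), while the bit-AND filter returns every account with the DONT_EXPIRE_PASSWD bit set whatever else is set, disabled ones included. An audit of non-expiring passwords should therefore use the bit rule and then decide separately, for instance with a second bit-AND item on UF_ACCOUNTDISABLE, whether disabled accounts belong in the report.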

Re: [ActiveDir] Forest trust divestitures

2006-10-09 Thread Al Mulnick
So, if I understand correctly you want to migrate the users along with sid-history so that you can also take along a bunch of file servers with its permissions that are already set for one of the domains in your forest A? When the divestiture occurs, you'll push the user information over. 

- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
 Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.

That'll likely be problematic. You'll want to narrow that down more to use specific DC's vs. using any DC. If you use conditional forwarders, the clients of that DNS host (likely itself, but not necessarily) would be able to find B, and the reverse might also be true. The key is to be sure that the dc in A at the particular site and the dc in B at the same site, can see each other. See those links on Microsoft's site that relate to creating a trust over a firewall (but I have to wonder if it's worth it to have a firewall there at all for this). 

Your biggest risk is that you run into something like sidfiltering or some issue that prevents you from being able to create the trust on schedule and be able to migrate. I suggest you test this scenario and see what shakes out to mitigate the risk that you'll not get it to work on D-Day. As I understand divestitures, they won't be very understanding if it's delayed due to an inability to set this up and pull off the migration. Lots of raw nerves during the MAD process. :)
Al





RE: [ActiveDir] Waaay OT: wikis

2006-10-09 Thread Joe Pochedley



No, actually, 1(-1+1)(-1+1) is the same as writing 1*(-1+1)*(-1+1).

You can not imply a + or - sign. Since there's not an explicit + or - between the first 1 and opening paren., then you cannot assume one. You can, however, imply a multiplication. What you've written implies multiplication.

If you shift your parentheses to push the first - operation outside the first paren, then you also have to remember that you're left with a +1 at the end. This leaves

1 - (1-1) - (1-1) - ... + 1 =
1 - (+1) =
1 - 1 =
0

(dropping the unnecessary positive (+) symbol on the 1's)

Joe Pochedley

"Software suppliers are trying to make their software packages more user-friendly... Their best approach, so far, has been to take all the old brochures, and stamp the words, 'user-friendly' on the cover." - Bill Gates.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 09, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Waaay OT: wikis

Not at all - I did not include any multiplication signs between the 
brackets - you've introduced them :/.

Read what I wrote at face value and you'll see it's quite valid (altho it 
breaks various maths rules!)

neil

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Monday, October 09, 2006 5:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: wikis

  I wonder if you realize that what you posted was incorrect:

  1 (-1+1) (-1+1) ...

  turns into:

  1*0*0*0

  So in the end 0 = 0 :)

  On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

Very good altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.

How about this:

(1-1) + (1-1) + (1-1) + ... = 0

Re-write left hand side by moving brackets one place to the right:

1 (-1+1) (-1+1) ...

Or simplified:

1 + 0 + 0 + ... = 1

So 1 = 0 !

neil

PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm

a = x              [true for some a's and x's]
a+a = a+x          [add a to both sides]
2a = a+x           [a+a = 2a]
2a-2x = a+x-2x     [subtract 2x from both sides]
2(a-x) = a+x-2x    [2a-2x = 2(a-x)]
2(a-x) = a-x       [x-2x = -x]
2 = 1              [divide both sides by a-x]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2 and it wasn't a numerical base trick... I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes...

I still wonder why I went into a field with such a high ratio of men to women... :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :)

Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it.

I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.

Re: [ActiveDir] Forest trust divestitures

2006-10-09 Thread Harvey Kamangwitz
We're going to run a test in the lab in the next few days, then a dry run with the real forest B and a dummy forest B shortly after that.
On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote:
So, if I understand correctly you want to migrate the users along with SID history so that you can also take along a bunch of file servers with its permissions that are already set for one of the domains in your forest A? When the divestiture occurs, you'll push the user information over. 

- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
 Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.

That'll likely be problematic. You'll want to narrow that down more to use specific DCs vs. using any DC. If you use conditional forwarders, the clients of that DNS host (likely itself, but not necessarily) would be able to find B, and the reverse might also be true. The key is to be sure that the DC in A at the particular site and the DC in B at the same site can see each other. See those links on Microsoft's site that relate to creating a trust over a firewall (but I have to wonder if it's worth it to have a firewall there at all for this). 

Your biggest risk is that you run into something like SID filtering or some issue that prevents you from being able to create the trust on schedule and be able to migrate. I suggest you test this scenario and see what shakes out to mitigate the risk that you'll not get it to work on D-Day. As I understand divestitures, they won't be very understanding if it's delayed due to an inability to set this up and pull off the migration. Lots of raw nerves during the MAD process. :) 
Al

On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED]
  wrote: 
Yes, there are several terabytes of server-related resources going with the divestiture and it would be an enormous job to rebuild all the access control from scratch. Sorry, I should have mentioned that. 

On 10/9/06, Al Mulnick [EMAIL PROTECTED] wrote: 

I don't think I see what you really want to accomplish? Why, if you're going to firewall the networks off anyway, do you need to migrate vs. Microsoft shuffle (create new on target, delete legacy) ? 
Are other resources coming with that rely on these? Or are those being migrated as well? Is it just the workstations you're concerned about? If they're part of the same domain, what's the point? 
Al 

On 10/9/06, Harvey Kamangwitz  [EMAIL PROTECTED] 
 wrote: 

Hi all,

I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.) 


- ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.

- ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back
 to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day. 
 All forest B pocket network DCs can talk to each other as well as back home.

D-Day:
- Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)

- Firewall off communication to company B's network, and open up comm to company A's network.
 This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly,
 it'll make the PDC available on the company A network for the forest trust setup and the RID master also available 
 to hand out more RIDs during the migration.
 There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).

- Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
 Would I have to set up forwarding on every DNS server in forest A? They have a lot of DCs.

- Establish the forest trust from A to B.
 Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to protect B's 
 resources from A's users, isn't it?

- Do the migration.

- Remove the trust

- Flip the pocket network firewalls back to block network A and allow network B.

- Let replication settle down, then transfer FSMOs back to their original locations.

- misc cleanup, like removing conditional forwarding


Appreciate any fine-tuning of this scenario, thanks!


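The D-Day steps in the plan above, as an added PowerShell example that is not from the thread (the thread is Windows 2003-era, where dnscmd, netdom and the New Trust wizard did this work by hand). It assumes Windows Server 2012 or later RSAT (the ActiveDirectory and DnsServer modules), a session as an Enterprise Admin of forest A, and placeholder names, addresses and credentials for forest B. Two points from the plan's questions are built in: an AD-integrated conditional forwarder replicates to every DNS server in forest A, so it is created once rather than on each DC; and selective authentication decides which B principals may authenticate to which computers in A, it is not a control over who can see A's directory.

```powershell
Import-Module ActiveDirectory
Import-Module DnsServer
Add-Type -AssemblyName System.DirectoryServices

# --- Placeholders: assumptions for this example, not values from the thread ---
$ForestB     = 'forestb.example'                 # DNS name of forest B's root domain
$ForestBDCs  = @('10.20.30.11', '10.20.30.12')   # B's pocket-network DCs reachable from A
$ForestBCred = Get-Credential -Message "Enterprise Admin in $ForestB"

# 1. DNS. One AD-integrated conditional forwarder with forest-wide replication reaches every
#    DNS server on a DC in forest A, so nothing has to be configured per server. Pointing it
#    only at the pocket-network DCs keeps resolution on the path the firewall actually allows.
Add-DnsServerConditionalForwarderZone -Name $ForestB -MasterServers $ForestBDCs `
    -ReplicationScope 'Forest' -PassThru

# 2. Pre-flight. The trust setup needs to locate B's DCs and, above all, B's PDC emulator
#    (the plan moves it into the pocket network for exactly this reason). Check the SRV
#    records resolve from A before running the trust step.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestB"  -Type SRV | Format-Table Name, NameTarget, Port
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$ForestB" -Type SRV | Format-Table Name, NameTarget, Port

# 3. Trust. The ActiveDirectory module has no New-ADTrust, so the .NET API is used.
#    Direction follows the plan: outbound from A, i.e. A trusts B.
$forestA = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ctxB    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList `
               'Forest', $ForestB, $ForestBCred.UserName, $ForestBCred.GetNetworkCredential().Password
$forestB = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctxB)
$forestA.CreateTrustRelationship($forestB, [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)

# 4. Selective authentication on A's side. B principals can then authenticate only to
#    computers in A (DCs included) whose computer object grants them "Allowed to
#    Authenticate". What an authenticated B principal can read is still decided by A's
#    directory ACLs, so this narrows access to A's resources rather than hiding A's principals.
$forestA.SetSelectiveAuthenticationStatus($ForestB, $true)

# 5. Record the trust state for the change ticket. Forest trusts get SID filtering
#    ("forest aware") by default; this reports it and deliberately does not change it.
function Get-TrustReport {
    param([string]$Target)
    Get-ADTrust -Filter "Target -eq '$Target'" |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                      SIDFilteringForestAware, SIDFilteringQuarantined, TrustType
}
Get-TrustReport -Target $ForestB | Format-List
```

Run the report again after the migration and after "Remove the trust" so the change record shows the trust both created and gone; the conditional forwarder is removed with Remove-DnsServerConditionalForwarderZone -Name $ForestB as part of the cleanup step.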

Re: [ActiveDir] Forest trust divestitures

2006-10-09 Thread Al Mulnick
I'd be interested to hear how it turns out. 
On 10/9/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
We're going to run a test in the lab in the next few days, then a dry run with the real forest B and a dummy forest B shortly after that. 



[ActiveDir] OT: A short and sweet KB

2006-10-09 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Do not run a service by using a service account that belongs to a 
different domain:

http://support.microsoft.com/?kbid=925099

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

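A check prompted by the KB title, added here and not taken from the post or from the KB: it lists the services on a host whose logon account belongs to a domain other than the host's own, which is the configuration the KB title warns against. It assumes PowerShell 3 or later (Get-CimInstance) and that the domain's NetBIOS name is the first label of its DNS name (an assumption that does not hold for every domain; use (Get-ADDomain).NetBIOSName where RSAT is installed). The function name is hypothetical.

```powershell
function Get-ForeignDomainServices {
    param(
        # Host to audit; the local machine by default.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    # Win32_ComputerSystem.Domain is the DNS name. The NetBIOS name is ASSUMED to be its first
    # label; replace with (Get-ADDomain).NetBIOSName if the ActiveDirectory module is available.
    $ownDns     = $cs.Domain
    $ownNetbios = ($ownDns -split '\.')[0]

    # Identities that are never an account from another domain:
    # LocalSystem, the NT AUTHORITY / NT SERVICE virtual accounts, and .\localuser.
    $builtin = '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*|\.\\.*)$'

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and ($_.StartName -notmatch $builtin) } |
        ForEach-Object {
            $acct = $_.StartName
            if     ($acct -match '^([^\\]+)\\.+$') { $domain = $Matches[1] }   # DOMAIN\user or DOMAIN\gmsa$
            elseif ($acct -match '^[^@]+@(.+)$')   { $domain = $Matches[1] }   # user@domain.fqdn (UPN form)
            else                                   { $domain = $ComputerName } # bare name = local account

            $isOwn = ($domain -ieq $ownDns) -or ($domain -ieq $ownNetbios) -or ($domain -ieq $ComputerName)

            [pscustomobject]@{
                Computer      = $ComputerName
                Service       = $_.Name
                StartName     = $acct
                AccountDomain = $domain
                State         = $_.State
                StartMode     = $_.StartMode
                ForeignDomain = -not $isOwn
            }
        } |
        Where-Object { $_.ForeignDomain }
}

# Audit the local host; pass -ComputerName to audit a remote server (CIM over WinRM/DCOM).
Get-ForeignDomainServices | Sort-Object Service | Format-Table -AutoSize
```

A UPN-form StartName whose suffix is an alternative UPN suffix rather than the domain's DNS name will show up as foreign; treat the output as a review list, not as an automatic change, and confirm each hit against the account's actual domain before reconfiguring the service.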