Re: [ActiveDir] OT: DL is this to be expected?

2006-11-22 Thread Mark Parris
Thanks Joe.


Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "joe" <[EMAIL PROTECTED]>
Date: Tue, 21 Nov 2006 18:02:51 
To:
Subject: RE: [ActiveDir] OT: DL is this to be expected?

Yes actually it is if you are talking about Exchange DLs...

Consider how email is marked when it comes from an Exchange DL... It isn't
coming from the DL, it is coming from the user who specified the DL as an
address... The DL is simply used for routing and hiding the TO: list from
immediate view... It isn't like say this listserv where the messages come
FROM the actual DL. If I recall correctly, Exchange actually expands the
group every time it processes the rule for every single message you receive
and there is no caching of that expansion...

You actually need to be quite careful with this, I reported this as a bug to
MSFT some time ago as I watched a series of rules like that about took
out a very high end high perf Exchange server that was scaled to support
about 4000 users which only had about 100 on it... If you want to play with
it, select some HUGE DL you have, like say an everyone in the company DL and
set up a couple of server side rules with that DL. Early last year in some
testing I was able to actually cause mail delivery in a production
enterprise class environment to be slowed down by hours doing that... Even
if I sent a message to myself... 

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, November 21, 2006 4:05 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: DL is this to be expected?

Morning,

When I set up an Outlook 2003 rule to move all mails from a DL to a
subfolder in my inbox, I see that all mails from this DL go into this folder
no problem, but anyone who is also a member of this DL - their mail ends up
in there too and not in the inbox.

Is this added value?

Rule is move all mails as they arrive from DL to subfolder. No other logic.

Many thanks.




Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/




RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread neil.ruston
I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: "ActiveDir@mail.activedir.org"
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, I read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box.  When a Windows Server 2003
box takes over the PDC Emulator FSMO role it will create these new
security principals.
This is documented under the section titled "Windows Server 2003 Well
Known Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group
policies, "The Enterprise Domain Controllers group does not have read
access to this GPO. The Enterprise Domain Controllers group must have
read access on all GPO's in the domain in order for Group Policy
Modelling to function properly. To learn more about this issue and how
you can correct it, click Help.".

- I can confirm we do not have an "Enterprise Domain Controllers" group
in any of the domains.

- I have found the following article
"http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true"
which shows how to fix the GPO issue using
"GrantPermissionOnAllGPOs.wsf"...but this assumes we actually have the
group  "Enterprise Domain Controllers" available. From further reading I
see this group has a specific SID of S-1-5-9 so I can not simply create
a new group.

- Does anyone have any idea how the group "Enterprise Domain
Controllers"
can be recreated with the correct SID of S-1-5-9 so that we can run the
script "GrantPermissionOnAll

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Akomolafe, Deji
Neil,

You responded to the thread where Steve already corrected himself. Read the doc 
you cited again. Only the EDC membership changes during the process you 
described. EDC itself is NOT created at this point. It is merely made a member 
of the newly-created "Windows Authorization Access" group.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon




Re: [ActiveDir] [OT] Vista Admin Tools Pack

2006-11-22 Thread Paul Williams
If I had to guess, I would say it's because the launched process isn't a child 
of the elevated Window, but is a child of Explorer (the shell) itself.  This 
isn't the case with a CMD prompt, whereby the launched process is an actual 
child process.

Test it with Sysinternals' process explorer.  


--Paul


  - Original Message - 
  From: joe 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, November 21, 2006 10:49 PM
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack


  The Vista source isn't available for perusal yet so this is a complete guess 
but I expect it is something like Explorer purposely "dumbs down" the process 
token used to launch the new process. 

  Its just a guess though...


  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 





  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
  Sent: Tuesday, November 21, 2006 2:56 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack


  Steve - thanks again for sharing this very useful information.  I've tested 
this with different scenarios and I am somewhat confused as to some of the 
"great new features" of how Vista handles the security of new threads when 
launching applications:

   

  1.   I can install the AdminPak as a non-privileged local user and can fix 
the DLL registration in an elevated CMD prompt with your tip below - works fine.

  2.   When I install the AdminPak from an elevated CMD prompt right away, 
everything also works fine - no need to manually register the DLLs.

  3.   When I start the AdminPak installation from an elevated Windows 
Explorer window, it does not successfully register the DLLs and again I have to 
register the DLLs manually in an elevated prompt to get them to work.

  4.   When I right-click the AdminPak installation file in a Windows 
Explorer window and choose "Run as administrator" (i.e. running the install in 
elevated mode), it's the same as when launched from an elevated command prompt 
and again everything works fine without the need for manual registration of DLLs.

   

  So what's different from launching applications from an elevated Windows 
Explorer window to launching them from an elevated CMD prompt?

   

  Thanks for any insights :)

   

  /Guido

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Tuesday, November 21, 2006 5:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  You have to run the batch from a command prompt that is elevated or you will 
get access denied.  To run a cmd prompt elevated search for cmd.exe from the 
start menu and right click selecting "Run As Administrator".  We have also 
found that if you simply launch the MSI from an elevated command prompt it will 
register the DLLs as well.

   

  Thanks,

   

  -Steve

   

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Tuesday, November 21, 2006 9:25 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  I found this write up from someone else yesterday, I can't remember where 
now.  I tried it immediately and ran into a couple immediate errors when trying 
to register these DLLs and the Active Directory snap-ins still continued to be 
non-functional.  This is using the Win2003 SP1 admin pack on Vista Business 
RTM.  Basically, I threw all those commands into a text file named register.cmd 
and let it run.

   

  Certtmpl.dll - Your user account does not have necessary access rights to 
register the Certificate Templates snap-in.  Log on with a different user 
account and try again, or contact your system administrator.  (I am local admin 
on this Vista box).

   

  Mprsnap.dll - Access is denied.  (80070005)

   

  Even though those two DLLs don't seem to be related to the Active Directory 
snap-ins, I still get the error that the MMC could not create the snap-in.

   

  Anyone else run into this?

   

  ~Ben

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Monday, November 20, 2006 10:39 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  KB is in the works, just takes time.  Feel free to blog it or I can if I get 
some time this week, it is a bit slow this week but I have a backlog of content 
that I was supposed to have blogged.  Good news is that I accepted a new role 
at Microsoft where maintaining an official blog is part of my job. :)

   

  Thanks,

   

  -Steve

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Monday, November 20, 2006 11:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

   

  okay i
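A way to check Paul's guess (parent is Explorer rather than the elevated window) and Guido's four launch scenarios without Process Explorer. This is an added example, not code from the thread; the function name Get-LaunchContext is hypothetical and it assumes Windows with the CIM cmdlets (PowerShell 3.0 or later).

```powershell
# Added example, not from the thread: report whether this PowerShell
# process runs with an elevated token and which processes sit above it,
# so the "launched from elevated Explorer" and "launched from elevated
# CMD" cases can be compared side by side.

function Get-LaunchContext {
    param(
        # Process to inspect; defaults to the running PowerShell host.
        [int]$ProcessId = $PID,
        # Stop walking the parent chain after this many hops (guards
        # against loops caused by PID reuse after a parent has exited).
        [int]$MaxDepth = 8
    )

    # Elevation test for the *current* token only: under UAC a filtered
    # token still lists BUILTIN\Administrators, but as a deny-only group,
    # so IsInRole(Administrator) is $true only when the token is elevated.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Walk ProcessId -> ParentProcessId through Win32_Process.
    $chain   = New-Object System.Collections.Generic.List[object]
    $current = $ProcessId
    for ($depth = 0; $depth -lt $MaxDepth -and $current -gt 0; $depth++) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $current"
        if (-not $proc) { break }   # parent already exited; the chain ends here
        # GetOwner fails (non-zero ReturnValue) for processes we may not open.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $chain.Add([pscustomobject]@{
            ProcessId = $proc.ProcessId
            Name      = $proc.Name
            Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
            ParentId  = $proc.ParentProcessId
        })
        if ($proc.ParentProcessId -eq $current) { break }
        $current = $proc.ParentProcessId
    }

    [pscustomobject]@{
        ProcessId            = $ProcessId
        CurrentTokenElevated = $elevated
        # The immediate parent is what the guess hinges on: explorer.exe vs cmd.exe.
        LaunchedBy           = if ($chain.Count -ge 2) { $chain[1].Name } else { $null }
        Chain                = $chain.ToArray()
    }
}

# Run it once from a prompt opened via "Run as administrator" and once from
# a window started out of an elevated Explorer, and compare the two outputs.
Get-LaunchContext | Format-List
```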

Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
I imagine you used the version of ADPREP that ships with Windows Server 2003 
SP1?


I believe you need to run ADPREP /DOMAINPREP /GPPREP.

This will add the inheritable ACEs to CN=Policies,CN=System,DC=...

Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE.


Re. EDCs.

ENTERPRISE_DOMAIN_CONTROLLERS Security Principal is available with Windows 
2000.  The new Security Principals added by 2003 are:

- LocalService
- NetworkService
- NTLM Authentication
- Other Organization
- Remote Interactive Logon
- SChannel Authentication
- This Organization

These group memberships are also modified:

- The Network Servers group is added to the Performance Monitoring Users group.
- The Enterprise Domain Controllers group is added to the Windows Authorization Access group.

See the link from Steve for more info on this.  2003 RTM added new Sec 
Prins.  2003 SP1 also added some, IIRC.  Therefore ensure your PDCe is 
running k3 SP1.



--Paul


- Original Message - 
From: <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, November 22, 2006 2:04 AM
Subject: [ActiveDir] Enterprise Domain Controllers group missing...




- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help.".

- I can confirm we do not have an "Enterprise Domain Controllers" group in
any of the domains.

- I have found the following article "
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
" which shows how to fix the GPO issue using
"GrantPermissionOnAllGPOs.wsf"...but this assumes we actually have the
group  "Enterprise Domain Controllers" available. From further reading I
see this group has a specific SID of S-1-5-9 so I can not simply create a
new group.

- Does anyone have any idea how the group "Enterprise Domain Controllers"
can be recreated with the correct SID of S-1-5-9 so that we can run the
script "GrantPermissionOnAllGPOs.wsf" to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
Mistyped the Inherited/inherit ACE flags there, but you get my point; kind 
of makes sense in English.


I'm guessing, as I'm not in a position to test, that perhaps GPPREP adds the 
necessary ACE(s) to the aforementioned container, resulting in an ACE set 
with the INHERIT flag, which means that child objects will inherit this ACE 
(unless NO_PROPAGATE is set, which it isn't).



--Paul

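An added check of the ACE Paul describes in his two messages above: the inheritable Read ACE for NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS (SID S-1-5-9) that ADPREP /DOMAINPREP /GPPREP is expected to place on CN=Policies,CN=System, and the inherit/no-propagate flags from his correction. This is example code, not the thread's or Microsoft's; the function name Test-EdcReadAce is hypothetical, and it assumes Windows PowerShell with .NET's System.DirectoryServices (and, for the live variant, the ActiveDirectory module).

```powershell
# Added example, not code from the thread: examine a DACL for an Allow ACE
# for Enterprise Domain Controllers (S-1-5-9, SDDL alias "ED") that grants
# Read and carries the container-inherit flag, so that the GPO containers
# beneath CN=Policies inherit it. Works on an SDDL string, so it can be
# exercised offline on the constructed sample at the bottom.

function Test-EdcReadAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Let .NET parse the SDDL into ActiveDirectoryAccessRule objects.
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # "Read" on a directory object is either GENERIC_READ (SDDL "GR", bit 31,
    # which the parser leaves unmapped) or the specific rights ReadProperty +
    # ListChildren + ReadControl (SDDL "RP", "LC", "RC").
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $specificRead = [int64]($adr::ReadProperty -bor $adr::ListChildren -bor $adr::ReadControl)
    $genericRead  = [int64]0x80000000

    $aces = foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne 'S-1-5-9') { continue }
        $mask = [int64]$r.ActiveDirectoryRights
        [pscustomobject]@{
            Type       = $r.AccessControlType
            GrantsRead = (($mask -band $specificRead) -eq $specificRead) -or (($mask -band $genericRead) -ne 0)
            # CI set: child containers (the groupPolicyContainer objects) inherit the ACE.
            ContainerInherit = $r.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
            # NP set: inheritance stops one level down (Paul notes it is not set here).
            NoPropagate      = $r.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
            # An ACE that is itself inherited came from further up the tree, not from GPPREP.
            IsInherited      = $r.IsInherited
        }
    }

    $effective = @($aces | Where-Object { $_.Type -eq 'Allow' -and $_.GrantsRead -and $_.ContainerInherit })
    [pscustomobject]@{
        EdcReadReachesGpos = ($effective.Count -gt 0)
        EdcAces            = @($aces)
    }
}

# Constructed sample descriptor (not taken from any real domain): SYSTEM has
# full control, Authenticated Users may list children, and EDC has the
# inheritable Read ACE that GPPREP is expected to add.
$sample = 'O:BAG:BAD:(A;CI;RPLCRC;;;ED)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LC;;;AU)'
Test-EdcReadAce -Sddl $sample | Format-List

# Against a live domain (assumes the ActiveDirectory module and its AD: drive):
# $dn = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
# Test-EdcReadAce -Sddl (Get-Acl -Path "AD:\$dn").Sddl
```

If EdcReadReachesGpos comes back false on the live container, the GrantPermissionOnAllGPOs.wsf route from Matt's message only patches the existing GPOs; the missing inheritable ACE on CN=Policies is what leaves newly created GPOs without EDC read access.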


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread neil.ruston
Thanks, I'll get my coat ...
 
:)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: 22 November 2006 09:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Neil,
 
You responded to the thread where Steve already corrected himself. Read
the doc you cited again. Only the EDC membership changes during the
process you described. EDC itself is NOT created at this point. It is
merely made a member of the newly-created "Windows Authorization Access"
group.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


[ActiveDir] computer policy processing -retry behaviour

2006-11-22 Thread Graham Turner
This is a query re processing of computer group policies. I note that it is not 
strictly AD related, so I hope not to get 'shot down'!

I wanted to get a view on the 'retry' behaviour of the Windows 2000 group policy
engine, in a scenario of a user-initiated VPN, in which domain controller
connectivity is not available until some time after user logon.

This will impact the processing of computer policies that would normally be
downloaded and processed prior to CTRL-ALT-DEL.

Presumably, the initial computer policy processing would fail and only refresh on
the next scheduled interval?

OR does the GP engine attempt more aggressively to download policies on the 
basis of an initial failure?

If not, it seems there are going to be major issues in endpoint config on the 
basis of any machine policies not being processed some way after user logon.

Help on this gladly received.

GT




RE: [ActiveDir] Question regarding active directory and restricting information

2006-11-22 Thread joe
> Is this an information security risk to our company
> especially related to employees information?

Only you and your company can answer that question. Is it maybe just a
subset of the total info - either some info for all users? All info for some
users? What is bad for others to have and what isn't? One thing I have
always considered to be some level of risk is the fact that people tend to
populate business phone numbers, email addresses, mail drop info, and the
hierarchy of their business in their AD. Say someone within a large company
like a Walmart or a Sears or Toyota or a Ford just exports that
info and hands it over to someone who likes to spam people or someone
looking for info on the internal structure of the company... With many of
those companies you could figure out most everyone with the power to make
decisions and where to find them and how to contact them with a simple AD
dump... Now that you have determined whether it is a risk or not, you have
to go the next step and determine how much of a risk there is and whether it
should be stopped or not or if certain parts of it should be stopped. So you
define your risk, identify it in all its gory parts, work out what is and
isn't acceptable, then mitigate the parts that are unacceptable. Mitigation
can range from trying to protect it with simple ACLing or obfuscation to
outright removing it or using a tremendously involved cipher.

To be quite honest, blocking people from being able to read info in AD can
be a bit of a pain. AD came along prior to the security lightbulb going off
at MSFT so things are pretty open as you have found and worse, many apps
sort of depend on that openness and don't really give you any info on what
they actually need to function properly, they just sort of leverage ACLs
that are the defaults[1]. If you truly want to lock info down, I suggest
pulling the info into an alternate store, say like ADAM which doesn't give
everyone with an ID the ability to read everything by default. If you must
keep the info in AD and you must lock it down, you are in for a good amount
of work trying to figure out which things you can safely lock down and which
things you cannot; Exchange/Outlook can be especially fun to tiptoe around.
Also it is a little tough to do this generically as what you may be using or
wanting to lock down may be different from someone else and their testing
may show it safe to lock down but yours could find it unsafe to lock down.

If you want to do this, I would recommend taking your production
environment, cloning it into a segregated lab with ALL applications that use
AD and then start testing lockdown scenarios to see what breaks and go from
there. 

   joe


[1] Exchange for example and by default relies on authenticated user
permissions on global catalogs for access to a great deal of data by the
Exchange servers themselves. I received a considerable surprise many years
ago when I ran into that as what I had locked down resulted in Outlook
blowing up horribly and regularly in the lab and Exchange not functioning
quite right.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sunny
Sent: Wednesday, November 22, 2006 12:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question regarding active directory and restricting
information

Hi ,

 I am just beginning to program ADSI.
 I have been following your emails and they are always
 very informative and detailed.
 I had a quick question.
 I work in a financial and we have Microsoft Active
 Directory and users are authenticated against this.

 Using an ADSI browser I am able to see all domains in
 the ADSI forest, all users, and their information such
 as machine MAC address, last login, name, phone number
 and other office details.
 I can create something that can export this data out
 to Excel or some database.
 Is this an information security risk to our company
 especially related to employees' information?
 Is there a mechanism by which we can prevent users
 from using ADSI browsers to extract such information
 from the Active Directory?
 Also are there any articles related to this?
 I want to thank you in advance for your help.

 Thanks and Regards,
 Sunny 



 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] OT: DL is this to be expected?

2006-11-22 Thread joe
Excellent news. I debated the fact that that was what happened with someone
from PSS (I was holding a network trace absolutely showing it and the PSS
person was going off of what "he knew") for some time before they finally
admitted it wasn't optimal behavior and potentially quite dangerous
especially since it is difficult to determine what rules everyone is using
and there is really nothing that tells the Exchange admins what is happening
when this problem hits them. If you dislike your Exchange admins, it is a
great way to make them feel pain. ;o)

If you know the KB I would like to take a peek.

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, November 21, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DL is this to be expected?

There is a fix for this. I'm pretty sure it's public at this point.

Don't ask me the KB/patchid. It's too late on the east coast after I've
already started having a few 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 21, 2006 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DL is this to be expected?

Yes actually it is if you are talking about Exchange DLs...

Consider how email is marked when it comes from an Exchange DL... It isn't
coming from the DL, it is coming from the user who specified the DL as an
address... The DL is simply used for routing and hiding the TO: list from
immediate view... It isn't like say this listserv where the messages come
FROM the actual DL. If I recall correctly, Exchange actually expands the
group every time it processes the rule for every single message you receive
and there is no caching of that expansion...

You actually need to be quite careful with this, I reported this as a bug to
MSFT some time ago as I watched a series of rules like that that about took
out a very high end high perf Exchange server that was scaled to support
about 4000 users which only had about 100 on it... If you want to play with
it, select some HUGE DL you have, like say an everyone in the company DL and
set up a couple of server side rules with that DL. Early last year in some
testing I was able to actually cause mail delivery in a production
enterprise class environment to be slowed down by hours doing that... Even
if I sent a message to myself... 

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, November 21, 2006 4:05 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: DL is this to be expected?

Morning,

When I setup an outlook 2003 rule to move all mails from a DL to a
subfolder in my inbox, I see that all mails from this DL go into this folder
no problem, but anyone who is also a member of this DL - their mail ends up
in there too and not in the inbox.

Is this added value?

Rule is move all mails as they arrive from DL to subfolder. No other logic.

Many thanks.




Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe


>> Its not viewable/searchable under ADUC even with advanced features
turned on 
 
>>> That is an incorrect statement.
 
 
Maybe... maybe not... Unless you have actually looked at that directory
instance you cannot possibly know for sure. You can expect it should follow
a certain pattern you have perceived in the past, but you can't be 100% sure
it is the case for every instance. I can show a bitmap right now that shows
that group doesn't exist in FSPs... All that proves is that my test
directory doesn't have it and your test directory does have it.
 
Enterprise Domain Controllers is a well known security principal, it lives
initially in the configuration container with other well known security
principals in the WellKnown Security Principals container. That
container isn't viewable from ADUC... It doesn't become something you can
view as an actual object in ADUC until it gets added to a group in a domain
NC - specifically/usually the group Windows Authorization Access Group. Even
if added, someone could delete it and then something has to re-add the Well
Known Security Principal to a group again to get the FSP to be created and
add it to the Authorization Access Group for things to be right. 
 
Also note that if someone is looking for the name of the group, like they
would with any normal regular group, that will obviously fail because the
name in the domain NC is a SID, not the group name. 
 
This isn't a normal case, it is a very specific special implementation.
There are special little implementation details all throughout AD that you
don't know about until you actually encounter them. I would not be surprised
by even experienced admins to be tripped up on this one. It isn't worth
really knowing about unless you have had a reason to have to know about it.
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, November 22, 2006 1:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


>>> Its not viewable/searchable under ADUC even with advanced features
turned on 
 
That is an incorrect statement.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Hi there,

I finally found out where this group was... it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/







From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
Please respond to: ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" af

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
Pub time already. Phew this day went by fast! Let's go!
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Thanks, I'll get my coat ...
 
:)

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: 22 November 2006 09:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Neil,
 
You responded to the thread where Steve already corrected himself. Read the
doc you cited again. Only the EDC membership changes during the process you
described. EDC itself is NOT created at this point. It is merely made a
member of the newly-created "Windows Authorization Access" group.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
Please respond to: ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve

From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box.  When a Windows Server 2003
box takes over the PDC Emulator FSMO role it will create these new
security principals.
This 

[ActiveDir] RE: [ActiveDir] GP question - port exceptions using IP address ranges

2006-11-22 Thread Charlie Kaiser
I was indeed able to use the appropriate mask for some of the ranges I
needed to add, but some of them just didn't fit a mask properly. My
example was one that I had used a mask on and wasn't truly
representative of one of the "problem child" ranges. 

Thanks again. 

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Darren Mar-Elia
> Sent: Tuesday, November 21, 2006 3:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GP question - port exceptions using 
> IP address ranges
> 
> Andrew-
> 
> Your response is perfectly good if the bit math works for 
> that mask. What I was referring to is the fact that you can't 
> enter something like:
> 
>  
> 
> 10.1.1.0 - 10.1.10.0 into the firewall exceptions dialog
> 
>  
> 
> In other words, you can only enter a single contiguous 
> address space per entry. But if you're right, and a 20 bit 
> mask works for Charlie's addressing, then he's good to go.
> 
>  
> 
> Darren
> 
>  
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
> Sent: Tuesday, November 21, 2006 12:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GP question - port exceptions using 
> IP address ranges
> 
>  
> 
> Oops, Charlie.  Then ignore my previous email.  Darren knows 
> his GPO stuff.
> 
>  
> 
> -Andrew
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Darren Mar-Elia
> Sent: Tuesday, November 21, 2006 11:30 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GP question - port exceptions using 
> IP address ranges
> 
> Charlie-
> 
> I've seen this question asked many times, and the bottom line 
> is no, there is no way to enter ranges into the exceptions 
> lists. It would be nice though :)
> 
>  
> 
> Darren
> 
>  
> 
>  
> 
> Darren Mar-Elia
> 
> For comprehensive Windows Group Policy Information, check out 
> www.gpoguy.com -- the best source for GPO FAQs, video training, 
> tools and whitepapers. Also check out the Windows Group Policy 
> Guide, the definitive resource for Group Policy information. 
> 
>  
> 
> Group Policy Management solutions at SDM Software 
> 
>  
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Tuesday, November 21, 2006 7:56 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GP question - port exceptions using IP 
> address ranges
> 
>  
> 
> I've been tasked with modifying one of our GPs to allow a 
> greater range
> 
> of access to our desktop PCs using Dameware since our support 
> model has
> 
> changed. Currently we allow Dameware access from one IP subnet. We now
> 
> need to add more subnets. The problem is that a number of 
> these subnets
> 
> are not nicely divided. For example, 204.24.0.1 - 
> 204.24.15.255, to pick
> 
> a random range.
> 
>  
> 
> I know the syntax for the policy setting is something like this:
> 
> "6129:TCP:204.24.0.1/24:enabled:dameware" or
> 
> "6129:TCP:204.24.0.1/255.255.255.0:enabled:dameware". Is 
> there a way to
> 
> enter the range above without having to enter each of the included
> 
> subnets?
> 
> Thanks...
> 
>  
> 
> **
> 
> Charlie Kaiser
> 
> W2K3 MCSA/MCSE/Security
> 
> Systems Engineer
> 
> Essex Credit / Brickwalk
> 
> 510 595 5083
> 
> ** 
> 
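The exception syntax Charlie quoted takes one address/mask per entry, so a range that does not sit on a mask boundary has to be either split into several entries or widened to a single mask that also admits addresses outside the range. Added example, not from the thread and not Microsoft's code: it computes both forms for the ranges discussed above; function names are my own, the `6129:TCP:...:enabled:dameware` entry form is the one from the thread.

```python
"""Exact-cover versus single-mask handling of an IPv4 range for Windows
Firewall port-exception entries (added example, hypothetical helpers)."""
import ipaddress
from typing import List, Tuple


def exact_cover(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly first..last inclusive."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def smallest_supernet(first: str, last: str) -> Tuple[str, int]:
    """Smallest single CIDR block containing the whole range, and how many
    addresses outside the requested range that block also lets in."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("range start is after range end")
    wanted = int(b) - int(a) + 1
    # Networks containing `a` are nested as the prefix shrinks, so the
    # first one (longest prefix) that also contains `b` is the smallest.
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            return str(net), net.num_addresses - wanted
    raise AssertionError("unreachable: 0.0.0.0/0 contains every address")


def port_exception_entries(port: int, proto: str, first: str, last: str,
                           name: str, widen: bool = False) -> List[str]:
    """Entries in the 'port:proto:addr/mask:enabled:name' form quoted in the
    thread. widen=False emits one entry per exact-cover block; widen=True
    emits a single entry using the smallest containing mask instead."""
    blocks = [smallest_supernet(first, last)[0]] if widen else exact_cover(first, last)
    return [f"{port}:{proto}:{block}:enabled:{name}" for block in blocks]


if __name__ == "__main__":
    # Charlie's example range and Darren's non-aligned range, as quoted above.
    for rng in (("204.24.0.1", "204.24.15.255"), ("10.1.1.0", "10.1.10.0")):
        net, extra = smallest_supernet(*rng)
        print(f"{rng[0]} - {rng[1]}: {len(exact_cover(*rng))} exact entries;"
              f" single mask {net} admits {extra} extra address(es)")
        for entry in port_exception_entries(6129, "TCP", *rng, "dameware"):
            print("  ", entry)
```

For Charlie's range the single /20 only adds the unused network address 204.24.0.0, whereas Darren's 10.1.1.0 - 10.1.10.0 widened to one mask allows 1791 addresses that were never requested.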


RE: [ActiveDir] OT: DL is this to be expected?

2006-11-22 Thread joe
n/p of course. :) 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, November 22, 2006 3:55 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: DL is this to be expected?

Thanks Joe.


Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "joe" <[EMAIL PROTECTED]>
Date: Tue, 21 Nov 2006 18:02:51 
To:
Subject: RE: [ActiveDir] OT: DL is this to be expected?

Yes actually it is if you are talking about Exchange DLs...

Consider how email is marked when it comes from an Exchange DL... It isn't
coming from the DL, it is coming from the user who specified the DL as an
address... The DL is simply used for routing and hiding the TO: list from
immediate view... It isn't like say this listserv where the messages come
FROM the actual DL. If I recall correctly, Exchange actually expands the
group every time it processes the rule for every single message you receive
and there is no caching of that expansion...

You actually need to be quite careful with this, I reported this as a bug to
MSFT some time ago as I watched a series of rules like that that about took
out a very high end high perf Exchange server that was scaled to support
about 4000 users which only had about 100 on it... If you want to play with
it, select some HUGE DL you have, like say an everyone in the company DL and
set up a couple of server side rules with that DL. Early last year in some
testing I was able to actually cause mail delivery in a production
enterprise class environment to be slowed down by hours doing that... Even
if I sent a message to myself... 

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, November 21, 2006 4:05 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: DL is this to be expected?

Morning,

When I setup an outlook 2003  rule to move all mails from a DL to a
subfolder in my inbox, I see that all mails from this DL go into this folder
no problem, but anyone who is also a member of this DL - their mail ends up
in there too and not in the inbox.

Is this added value?

Rule is move all mails as they arrive from DL to subfolder. No other logic.

Many thanks.




Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


RE: [ActiveDir] computer policy processing -retry behaviour

2006-11-22 Thread Darren Mar-Elia
Hey, since when is GP not related to AD? GP is the reason AD is so
popular... Anyone shoots you down for it, they'll have to answer to the
gpoguy :-)

In Win2K, XP, and 2003, if there is no connectivity to a DC when computer
*foreground* processing occurs (this is the processing that occurs at
computer startup) then GP processing simply fails. After that, you're
correct to say that during the next scheduled background processing cycle,
GP will refresh. This could be as long as 120 minutes (90 minutes plus up to
30 minute randomized value). Note that you can reduce this background
interval to as low as every 7 seconds (not that you'd want to) via policy.
However, it's important to note that some policy requires a foreground
processing cycle (software installation or startup scripts in some cases
come to mind) so if the DC is never available during boot, these policies
will never process.

Now, Vista does something new. Vista has something called an "NLA refresh"
(well that's what I call it). Vista uses an entirely different, and more
dynamic mechanism for detecting the presence of a DC. What Vista says with
respect to GP refresh is, "if the last GP processing cycle failed, then as
soon as I detect that the DC is back online, I will trigger a background
policy refresh". So, it doesn't help with the foreground issues stated
above, but does significantly reduce the refresh time of up to 120 minutes.
Hope that helps.
 

Darren


Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
-- the best source for GPO FAQs, video training, tools and whitepapers. Also
check out the Windows Group Policy Guide, the definitive resource for Group
Policy information. 

Group Policy Management solutions at www.sdmsoftware.com





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, November 22, 2006 4:46 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] computer policy processing -retry behaviour 

This is a query re processing of computer group policies. I note that it's not
strictly AD related so I hope not to get 'shot down'!

I wanted to get a view on the 'retry' behaviour of the Windows 2000 group
policy engine, in a scenario of a user-initiated VPN, in which domain
controller connectivity is not available until some time after user logon.

This will impact the processing of computer policies that would normally be
downloaded and processed prior to CTRL-ALT-DEL.

Presumably, the initial computer policy processing would fail and only
refresh on the next scheduled interval??

OR does the GP engine attempt more aggressively to download policies on the
basis of an initial failure?

If not it seems there are going to be major issues in endpoint config on the
basis of any machine policies not being processed some way after user logon.

Help on this gladly received.

GT




RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread AFidel
Just for future reference the easiest way to identify where an object is 
if you have a SID is to use adfind with the -binenc option:
adfind -binenc -b dc=FOO,dc=BAR -f objectSID=S-1-5-9

You'll find the full path to the object under >objectCategory:

While the binenc option isn't strictly needed for this example, as well 
known security principals apparently don't need to be encoded, it does not 
hurt and it's a good habit to get into because you WILL need it for many 
SID searches =)

Thanks,
Andrew Fidel



[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
11/22/2006 12:35 AM
Please respond to
ActiveDir@mail.activedir.org


To
ActiveDir@mail.activedir.org
cc

Subject
RE: [ActiveDir] Enterprise Domain Controllers group missing...






Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. Its not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
Please respond to: ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled "Windows Server 2003 Well Known
Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help.".

- I can confirm we do not have an "Enterprise Domain Controllers" group in
any of the domains.

- I have found the following article
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using
"GrantPermissionOnAllGPOs.wsf"... but this assumes we actually have the
group "Enterprise Domain Controller
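
Two points from this thread are easy to get wrong in practice: a well-known principal such as Enterprise Domain Controllers lives under CN=WellKnown Security Principals in the configuration NC, while the object that shows up in a domain NC once it is added to a domain group is a foreign security principal whose name is the SID string (as joe notes above), and searching objectSid by value needs the SID in its binary, escaped form (the reason for adfind's -binenc, as Andrew notes). Added example, neither the thread's nor adfind's code: it converts a SID between text and the Windows binary layout, escapes it for an LDAP filter per RFC 4515, and builds both DNs from the DC=x,DC=x,DC=x placeholders used above; the helper names are my own.

```python
"""SID text <-> binary conversion, LDAP filter escaping, and the two DNs a
well-known principal can appear under (added example, hypothetical helpers)."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-9' -> bytes laid out as Windows stores objectSid: revision (1),
    sub-authority count (1), identifier authority (6, big-endian), then each
    sub-authority as 4 bytes little-endian."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"SID out of range: {sid!r}")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, checking the length against the count byte."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping of arbitrary bytes: each byte becomes \\hh. This is
    the form an objectSid filter needs when the value is sent as binary."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(sid: str) -> str:
    """Filter matching the object whose objectSid equals the given SID."""
    return "(objectSid=%s)" % ldap_escape_bytes(sid_to_bytes(sid))


def wellknown_principal_dn(config_nc: str, name: str) -> str:
    """Where the well-known principal object itself lives (not shown in ADUC)."""
    return "CN=%s,CN=WellKnown Security Principals,%s" % (name, config_nc)


def fsp_dn(domain_nc: str, sid: str) -> str:
    """The foreign security principal created in a domain NC when the
    well-known principal is added to a domain group; its RDN is the SID."""
    return "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, domain_nc)


if __name__ == "__main__":
    edc = "S-1-5-9"  # Enterprise Domain Controllers, as in Andrew's adfind call
    print(objectsid_filter(edc))
    print(wellknown_principal_dn("CN=Configuration,DC=x,DC=x,DC=x",
                                 "Enterprise Domain Controllers"))
    print(fsp_dn("DC=x,DC=x,DC=x", edc))
    assert bytes_to_sid(sid_to_bytes(edc)) == edc
```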

[ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread victor-w
I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core 
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be 
using this machine in a test lab only and will be testing mainly 
Exchange 2007 and simulating AD issues. We would like to deploy ESX 
3.0.1 (or the newest version) with several Exchange 2007 VM's and several 
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need 
to make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad 
Core, see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345 
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be 
available in January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the 
fact that if one Quad would not be enough, we could always plug in 
another one :-) at a later time. 

Any suggestions are greatly appreciated.


[ActiveDir] OT - DEC 2007

2006-11-22 Thread neil.ruston
Has anyone firmed up on attending or speaking at DEC 2007 yet?

I'll be there and wondered if anyone had suggested topics for discussion
yet.

I know the speaker submissions are closed and wondered who will be
speaking, and what they plan to 'present'.

Will we see a "dean and joe" part 2, for example?


neil


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.



[ActiveDir] OT: Are governments insane? (WA time change in 11 days)

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

The AU's have passed a daylight savings change

http://www.news.com.au/perthnow/story/0,21598,20795690-5007222,00.html

Word is that MS will release a patch 
http://blogs.technet.com/mkleef/archive/2006/11/22/wa-daylight-savings-update-its-approved.aspx

But here's another way to do this:
http://www.sbs-rocks.com/SBS-MVPs/Summer_Time_Problem.mht




RE: [ActiveDir] mailNickName(OT)

2006-11-22 Thread joe
The mailnickname isn't populated in a similar way to display name. The
common ways for mailnickname generation and its population are through the
RUS, by CDOEXM, or by the special ADUC extension (and no ADUC doesn't use
CDOEXM). This is unlike displayname which has ADUC as its common way to be
populated. Certainly they could have done something like that but they
didn't. 

Changing the format is ok, most companies don't do it but some do. But if
there is going to be a change, change to something that is guaranteed to be
unique in your organization. Display names are very often not unique;
definitely not unique at scale, which is why Al said it don't scale. Go
to any larger company in the US and type in Smith, Jones, Brown, or Johnson
in the GAL and you will likely see multiple Alans, Andrews, Amys, Bobs,
Carols, Freds, Johns, Steves, etc... If you are multi-national try
Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg,
Schulz, or Schmidt.

The attribute is used quite a bit in Exchange. Where all it is used I will
let some Exchange person respond if they want, but look quickly at a mailbox
enabled user and check how many times you see the value. Note that none of
the other attributes that use mailNickname in their initial generation will
change if you change mailnickname, you absolutely wouldn't want that or else
it would break certain types of delivery for that user. I have seen some
nasty issues in larger orgs that resulted in mailNicknames not being unique.
The problems can be solved by mechanisms other than unique mailNicknames but
unique mailNicknames is by far the easiest way to handle it. I have a tool
that reports bad Exchange attribute settings in an Org and duplicate
mailNickname is one of them that I flag as fairly high priority due to my
experiences.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, November 21, 2006 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

Well, the company I currently work for sets the mailNickName of all
users to "firstname.lastname".
I didn't know there was any issue with changing the format of that attribute.

We have around 110,000 users mixed between Exchange and Lotus Domino
and this is the format they have been using (why, I'm not sure, I just
started here).

I thought there could be a way to change the default format of the
mailNickName attribute the same way you could change the format of the
displayname.

What issues can arise by changing the mailNickname format?

I mean, what is this attribute used for exactly?
I thought this was only used for POP3 and IMAP and maybe OWA and ADC.
And I didn't think changing it could affect anything.
Can you guys educate me, please?

Thanks

On 11/21/06, joe <[EMAIL PROTECTED]> wrote:
> Not that I am aware of.
>
> I am with Al on this, keep it as the sAMAccountName. This value while it
> isn't enforced to be unique really should be. Using sAMAccountName helps
> with that though it still allows duplicates in different domains.
>
>  joe
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, November 21, 2006 5:19 AM
> To: activedirectory
> Subject: [ActiveDir] mailNickName(OT)
>
> Is there anyway to change the format of the mailNickName attibute to
> be something other than sAMAccountName automatically?
> Is there something like a "display specifiers" change that could
> change the format during the automatic generation of it to be
> "firstname.lastname" or can this only be scripted?
>
> Thanks


[ActiveDir] Outlook Rules Lockdown

2006-11-22 Thread Dan DeStefano
Is there a way to place restrictions on which rules users can create in
Outlook, like disallowing users to create an auto-forward rule? I would
like to control these settings by group membership.

Thanks in advance for any help,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.




RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Wells, James Arthur
We're struggling with the same questions right now - one difference is the 
large amount of L2 cache on the Dual-core option for the 2900.  At any 
rate...there was an internal benchmark regarding dual vs. quad cores with ESX 3 
recently made available by Dell, but I'm not sure on its availability -
ask your Dell TAM.

As far as price goes -- today, there's a big price difference between a single 
quad or two dual core CPUs, for the ESX licensing.  But there's a strong rumor 
that EMC/VMWare will begin charging their licensing per CORE in Q1 2007.  So 
that puts you back to square one on your decision, if true.  

But if buying today, the quad will be cheaper on ESX licensing by 50%...


--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab 
system

I posted this on the VMWARE forum as well but I am very interested in the 
opinion of the people who post to this list and there must be some people with 
hands on experience with ESX and DC's and Exchange 2007 running on VM's on top 
of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at
2.33 GHz or 2 Dual Core processors at 2.33 GHz. We will be using this machine
in a test lab only and will be testing mainly Exchange 2007 and simulating AD
issues. We would like to deploy ESX 3.0.1 (or the newest version) with several
Exchange 2007 VMs and several W2K3 R2 Domain Controller VMs on it.

We are hesitating between the following configurations, both Dell 2900s.
We will unfortunately only be buying one system so we definitely need to make
the right choice.

As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core, see
below:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be available in 
January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the fact that 
if one Quad would not be enough, we could always plug in another one :-) at a 
later time. 

Any suggestions are greatly appreciated.


RE: [ActiveDir] going further OT: Are governments insane? (WA time change in 11 days)

2006-11-22 Thread neil.ruston
Not the first and no doubt, not the last either. (It's a Western
Australia change BTW - never heard the term "AUs" before :) ).

It's about time we scrapped the whole daft idea of daylight saving, IMO.
We save an hour in the morning but lose it in the afternoon!! Who does
that benefit? [Please don't suggest 'farmers'!]

neil


RE: cpSPAM [ActiveDir] OT - DEC 2007

2006-11-22 Thread Steve Evans
I'll be there.  It would be really helpful if the Gambling lessons were
taken off the home page.  Sends the wrong impression to the suits ;-)

Steve Evans

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: cpSPAM [ActiveDir] OT - DEC 2007



Has anyone firmed up on attending or speaking at DEC 2007 yet? 

I'll be there and wondered if anyone had suggested topics for discussion
yet. 

I know the speaker submissions are closed and wondered who will be speaking,
and what they plan to 'present'. 

Will we see a "dean and joe" part 2, for example? 


neil


[ActiveDir] Public Folder Appointment Owner

2006-11-22 Thread Dan DeStefano
I would like to know how to find out who created a meeting using a
calendar in a public folder. Right now, if I open an appointment that
someone else created and go into the "Scheduling" tab, it shows me as
the owner. If I then open the appointment logged on as another user, it
shows that user is the owner. Is this a configuration issue or is it
just the way it works?

Thanks,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard 
any content  and remove it from your possession.




RE: [ActiveDir] computer policy processing -retry behaviour

2006-11-22 Thread Graham Turner
Darren, thanks as ever for the reply.

This confirms my thoughts / fears!!

Vista looks interesting - stuck with Windows 2000 for now.

I guess we will need to stuff enough of the settings that we need to get the
computers to some sort of functional state into local group policy.

The big one for me is a user startup script - presumably we can put this into a
local startup script that is functionally equivalent to the group policy startup
script.

GT

PS: did try to subscribe to the gpoguy.com mail list last night but nothing back
from the request - ??


> Hey, since when is GP not related to AD? GP is the reason AD is so
> popular... Anyone shoots you down for it, they'll have to answer to the
> gpoguy :-)
>
> In Win2K, XP, and 2003, if there is no connectivity to a DC when computer
> *foreground* processing occurs (this is the processing that occurs at
> computer startup) then GP processing simply fails. After that, you're
> correct to say that during the next scheduled background processing cycle,
> GP will refresh. This could be as long as 120 minutes (90 minutes plus up to
> 30 minute randomized value). Note that you can reduce this background
> interval to as low as every 7 seconds (not that you'd want to) via policy.
> However, it's important to note that some policy requires a foreground
> processing cycle (software installation or startup scripts in some cases
> come to mind) so if the DC is never available during boot, these policies
> will never process.
>
> Now, Vista does something new. Vista has something called an "NLA refresh"
> (well that's what I call it). Vista uses an entirely different, and more
> dynamic mechanism for detecting the presence of a DC. What Vista says with
> respect to GP refresh is, "if the last GP processing cycle failed, then as
> soon as I detect that the DC is back online, I will trigger a background
> policy refresh". So, it doesn't help with the foreground issues stated
> above, but does significantly reduce the refresh time of up to 120 minutes.
> Hope that helps.
>
>
> Darren
>
>
> Darren Mar-Elia
> For comprehensive Windows Group Policy Information, check out www.gpoguy.com
> -- the best source for GPO FAQs, video training, tools and whitepapers. Also
> check out the Windows Group Policy Guide, the definitive resource for Group
> Policy information.
>
> Group Policy Management solutions at www.sdmsoftware.com
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Wednesday, November 22, 2006 4:46 AM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] computer policy processing -retry behaviour
>
> This is a query re processing of computer group policies. I note that it is not
> strictly AD related so I hope not to get 'shot down'!
>
> I wanted to get a view on the 'retry' behaviour of the Windows 2000 group
> policy engine, in a scenario of a user-initiated VPN, in which domain
> controller connectivity is not available until some time after user logon.
>
> This will impact the processing of computer policies that would normally be
> downloaded and processed prior to CTRL-ALT-DEL.
>
> Presumably, the initial computer policy processing would fail and only
> refresh on the next scheduled interval ??
>
> OR does the GP engine attempt more aggressively to download policies on the
> basis of an initial failure ?
>
> If not it seems there are going to be major issues in endpoint config on the
> basis of any machine policies not being processed some way after user logon.
>
> Help on this gladly received.
>
> GT
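
A concrete version of the VPN-after-logon case Darren describes above, as an added example and not anything posted to the thread or taken from gpoguy.com. The first function reads the computer-side refresh policy values (the registry value names are the documented ones behind the "Group Policy refresh interval for computers" setting; the built-in defaults are 90 minutes plus a random offset of up to 30, and a configured interval of 0 means every 7 seconds) and works out the worst case a failed foreground cycle leaves you with. The second polls for a domain controller and runs gpupdate the moment one answers, which is what you would hang off the VPN client's post-connect hook (an assumed hook; how it is wired depends on the VPN client).

```powershell
# Added example, not code from the thread. Computer-policy refresh after a VPN
# comes up: measure the scheduled refresh window, then trigger a background
# refresh as soon as a DC is reachable instead of waiting for that window.

function Get-ComputerGpRefreshWindow {
    param(
        # Policy key written by "Group Policy refresh interval for computers"
        [string] $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    )
    $intervalMin = 90   # engine default when no policy is set
    $offsetMin   = 30   # maximum random offset added to each cycle
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey
        if ($null -ne $p.GroupPolicyRefreshTime)       { $intervalMin = [int]$p.GroupPolicyRefreshTime }
        if ($null -ne $p.GroupPolicyRefreshTimeOffset) { $offsetMin   = [int]$p.GroupPolicyRefreshTimeOffset }
    }
    # The engine special-cases an interval of 0 as "every 7 seconds"
    $baseSec = if ($intervalMin -eq 0) { 7 } else { $intervalMin * 60 }
    [pscustomobject]@{
        IntervalMinutes     = $intervalMin
        MaxOffsetMinutes    = $offsetMin
        WorstCaseSeconds    = $baseSec + ($offsetMin * 60)
    }
}

function Invoke-ComputerGpRefreshWhenDcReachable {
    [CmdletBinding()]
    param(
        [int] $TimeoutSeconds = 900,   # give up after 15 minutes of no DC
        [int] $PollSeconds    = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            # Same DC locator the GP engine relies on; throws while the tunnel is down
            $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
            Write-Verbose "Found $($dc.Name); refreshing computer policy now"
            & gpupdate.exe /target:computer /force | Out-Null
            return ($LASTEXITCODE -eq 0)
        } catch {
            Start-Sleep -Seconds $PollSeconds
        }
    }
    Write-Verbose "No domain controller reachable within $TimeoutSeconds seconds"
    return $false
}

# Show the scheduled window on this machine, then (from the VPN post-connect
# hook, assumed) collapse it to "as soon as the tunnel is up":
Get-ComputerGpRefreshWindow
# Invoke-ComputerGpRefreshWhenDcReachable -Verbose
```

Two caveats that follow from Darren's reply: settings that need a foreground cycle (software installation, startup scripts) still require a reboot while the DC is reachable, so `gpupdate /boot` or a scheduled restart is the only fix for those; and a GPO filtered by the computer's group membership is evaluated against the token the machine built at startup, so a membership change made while it was off the network also needs that reboot, not just a refresh.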


Re: [ActiveDir] mailNickName(OT)

2006-11-22 Thread Al Mulnick

Other than being used for access by other protocols such as pop, imap, and
owa, last I checked it's also the value used for the x.400 like address
which is used for mail delivery internally by Exchange.  You wouldn't want
that to be non-unique else you might have to call somebody like joe to come
in and help clean up :)

I'm surprised that this company you're at has not gone to unique values for
this.  I'm equally surprised they don't have other issues with their
Exchange deployment, but it's possible you haven't gotten far enough into it
yet to notice some of them.

I've blogged about my thoughts regarding what should be globally unique in
an AD/Exchange environment.  It's a long enough blog it may even be a good
candidate for an essay or possibly a sleep aid.

If you want the details, have a read.  The short answer is that you want
every user to be unique and to have a consistent and trouble-free
experience.  That keeps you from being up late at night with international
customers first and your local in-country customers the next day.
Mailnickname is one of the attributes that should be unique same as
samaccountname and smtp address (some are enforced per forest, some per
domain but all should be enforced regardless in my opinion). Since they can
often feed on one another, I maintain that samaccountname should be the
user's foundational, non-changing, never touched as long as that person is a
member of the company in good standing, network id. Exchange relies on
Active Directory and as such you're better following the same rules.


Al

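
Both joe's reply earlier in the thread and Al's point above come down to one check: does any mailNickname repeat anywhere in the org, and does any sAMAccountName repeat within a domain (or across domains, where a naming convention that copies it into mailNickname will then collide). The script below is an added example, not anything posted to the list or part of joe's tools. It runs offline against constructed sample objects; the commented Get-ADUser line at the end (RSAT ActiveDirectory module and the global-catalog port are assumed) is how you would feed it a real forest.

```powershell
# Added example, not code from the thread. Reports duplicate mailNickname and
# sAMAccountName values using the scopes the thread describes: sAMAccountName
# is only unique per domain, mailNickname should be unique across the whole
# Exchange org. AD compares both case-insensitively, so the grouping does too.

function Find-DuplicateRecipientAttributes {
    [CmdletBinding()]
    param(
        # Objects carrying DistinguishedName, sAMAccountName and mailNickname
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $User
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.AddRange($User) }
    end {
        # Pull the domain out of the DN so cross-domain sAMAccountName clashes
        # (legal in AD) are reported separately from same-domain ones (not legal).
        $rows = foreach ($u in $all) {
            $domain = (($u.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
            [pscustomobject]@{
                DistinguishedName = $u.DistinguishedName
                Domain            = $domain
                sAMAccountName    = $u.sAMAccountName
                mailNickname      = $u.mailNickname
            }
        }
        $findings = [System.Collections.Generic.List[object]]::new()

        # mailNickname: one namespace for the org; accounts without one are not mail-enabled
        $rows | Where-Object { $_.mailNickname } |
            Group-Object { $_.mailNickname.ToLowerInvariant() } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Attribute = 'mailNickname'; Value = $_.Name; Scope = 'forest'
                    Accounts  = $_.Group.DistinguishedName
                })
            }

        # sAMAccountName: same-domain duplicates are directory errors; cross-domain
        # ones are allowed but break any convention that derives mailNickname from them
        $rows | Group-Object { $_.sAMAccountName.ToLowerInvariant() } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $domains = @($_.Group.Domain | Select-Object -Unique)
                $scope   = if ($domains.Count -gt 1) { 'cross-domain' } else { 'domain' }
                $findings.Add([pscustomobject]@{
                    Attribute = 'sAMAccountName'; Value = $_.Name; Scope = $scope
                    Accounts  = $_.Group.DistinguishedName
                })
            }
        $findings
    }
}

# Constructed sample data (not real accounts) covering the three cases.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=John Smith,OU=Users,DC=corp,DC=example'; sAMAccountName = 'jsmith';  mailNickname = 'jsmith' }
    [pscustomobject]@{ DistinguishedName = 'CN=Jane Smith,OU=Users,DC=corp,DC=example'; sAMAccountName = 'jsmith2'; mailNickname = 'JSmith' }      # org-wide clash, differs only by case
    [pscustomobject]@{ DistinguishedName = 'CN=J Smith,OU=Users,DC=emea,DC=example';    sAMAccountName = 'jsmith';  mailNickname = 'john.smith' }  # legal cross-domain sAMAccountName dup
    [pscustomobject]@{ DistinguishedName = 'CN=Svc Backup,OU=Svc,DC=corp,DC=example';   sAMAccountName = 'svc-bkp'; mailNickname = $null }         # not mail-enabled, ignored
)
$sample | Find-DuplicateRecipientAttributes | Format-List

# Against a real forest (assumed: RSAT ActiveDirectory module; port 3268 is the global catalog):
# Get-ADUser -Server 'dc01.corp.example:3268' -Filter 'mailNickname -like "*"' -Properties mailNickname |
#     Find-DuplicateRecipientAttributes
```

The case-insensitive grouping matters: the directory will happily store `jsmith` and `JSmith` as two different strings, but every consumer that builds an address or a legacy routing name from the value treats them as the same, which is exactly the kind of delivery problem joe describes.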

[ActiveDir] DNS Scavenging - new issue

2006-11-22 Thread Gordon Pegue
The recent thread on DNS scavenging was interesting and
informative. It has led me to investigate my own DNS
scavenging issue and I'd appreciate some assistance with
figuring out how to resolve it.

I manage a single domain with a mixture of 2 - Win2K &
3 - Win2K3 servers. My 2 DC's are on Win2K boxes, I have
one Win2K3 server running Exchange 2K3 and the other 2
Win2K3 servers are basically file servers at this point
although we plan on promoting one to a DC in the near
future and retiring one of the Win2K DC's.

My DNS is AD integrated.

My issue involves the issue of old, stale DNS RR's not
being properly scavenged and even though I've read some
of the documents linked in the previous thread, I'm still
a bit uncertain how to rectify my issue without totally
botching things - I'm a bit of a newbie...

Anyhow, I examine the contents of my Reverse Lookup Zone
and I find 2 Name entries for the same machine name. If I
examine the properties of each, I see, for example, that
the Record Time Stamp for one is 6-6-05 and 11-21-06 for
the other. Checking DHCP shows that the IP address for the
11-21-06 entry is the active one.

When I check the Aging settings for the zone, I see that the
No-refresh interval is set to 7 hours, the Refresh interval
is set to 7 days and the Scavenge stale RR check box is checked.

OK so far, me thinks.

When I check the properties for the DNS server, under the
Advanced tab, the Enable automatic scavenging of stale records
check box is _not_ checked.

My first question: Should it be checked?
My second question: Are there any negative consequences to doing so?

Next, when I right-click the DNS server and click Set Aging/
Scavenging for All Zones, I see that the No-refresh interval is
set to 7 days, the Refresh interval is also set to 7 days and
the Scavenge stale RR check box is _not_ checked.

My third question: As opposed to my previous 2 questions, is this
where I should be enabling scavenging?

My final question: Once the scavenging has been properly enabled,
will the really stale RR records be removed?


TIA
Gordon Pegue
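
Gordon's settings describe exactly what the scavenger would do once the server-level switch is on, so here is a dry run as an added example (not from the thread or from the article Deji links): the staleness rule in its own function, checked against the two PTR timestamps from the post with his 7-hour no-refresh and 7-day refresh intervals, and a wrapper that applies the same rule to a live zone through the DnsServer module (Windows Server 2012 or later is assumed; the cmdlet and property names are the module's own).

```powershell
# Added example, not code from the thread. Dry run of DNS aging/scavenging:
# a dynamic record is eligible for deletion once its timestamp is older than
# (no-refresh + refresh); a record with no timestamp is static and is never
# scavenged, which is why an old duplicate can survive every scavenging pass.

function Test-DnsRecordStale {
    param(
        [Nullable[datetime]] $Timestamp,                   # $null for static records
        [Parameter(Mandatory)] [timespan] $NoRefresh,
        [Parameter(Mandatory)] [timespan] $Refresh,
        [datetime] $Now = (Get-Date)
    )
    # Static records are outside the scavenger's reach regardless of age
    if ($null -eq $Timestamp -or $Timestamp.Value -eq [datetime]::MinValue) { return $false }
    return ($Timestamp.Value + $NoRefresh + $Refresh) -lt $Now
}

function Get-DnsScavengeCandidates {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME   # a DNS server hosting the zone (assumed)
    )
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $srv   = Get-DnsServerScavenging -ComputerName $ComputerName
    Write-Host ("Zone '{0}': aging={1}; server scavenging={2}; last run={3}" -f $ZoneName, $aging.AgingEnabled, $srv.ScavengingState, $srv.LastScavengeTime)
    # Everything the next scavenging pass would delete, judged with the zone's own intervals
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
        Where-Object {
            Test-DnsRecordStale -Timestamp $_.Timestamp -NoRefresh $aging.NoRefreshInterval -Refresh $aging.RefreshInterval
        } |
        Select-Object HostName, RecordType, Timestamp
}

# The reverse-zone case from the post, with constructed timestamps: two PTRs for
# one host, stamped 6-6-05 and 11-21-06, judged on 11-22-06 with the zone's
# no-refresh of 7 hours and refresh of 7 days. The third entry is a static record.
$noRefresh = [timespan]::FromHours(7)
$refresh   = [timespan]::FromDays(7)
$asOf      = Get-Date '2006-11-22'
foreach ($stamp in @((Get-Date '2005-06-06'), (Get-Date '2006-11-21'), $null)) {
    $label = if ($null -eq $stamp) { 'static' } else { $stamp.ToString('yyyy-MM-dd') }
    $stale = Test-DnsRecordStale -Timestamp $stamp -NoRefresh $noRefresh -Refresh $refresh -Now $asOf
    '{0,-10} stale={1}' -f $label, $stale
}

# Live dry run against a reverse zone (zone name assumed):
# Get-DnsScavengeCandidates -ZoneName '1.168.192.in-addr.arpa'
```

The server-level "Enable automatic scavenging" box starts the scavenger process on that one server; the zone-level aging settings decide which zones and which records it is allowed to touch, so both are needed and the zone can stay enabled while the process is off. Turn the process on for a single DNS server only, so there is one LastScavengeTime to look at when a record goes missing, and run the dry run first: SRV and A records for domain controllers are dynamically registered too, and a DC that has been silent longer than no-refresh plus refresh shows up in the candidate list before the scavenger removes it.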


[ActiveDir] Updating cached credentials

2006-11-22 Thread Ken Cornetet
Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN. 

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?


Re: [ActiveDir] OT: Are governments insane? (WA time change in 11 days)

2006-11-22 Thread Chong Ai Chung

http://www.microsoft.com/windows/timezone/dst2007.mspx

Download link for the update is provided in following KB article but it's a
broken link for now:
http://support.microsoft.com/kb/928388/


[ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread Mischler, Timothy J CTR USAF NASIC/SCNA
Hello,

I was wondering if anyone had any experience with changing their
Windows 2003 Forest Functional Level to 2 (Windows Server forest
level) while running Exchange 2000 (post SP3)? I've found some
documentation stating the Exchange 2000 recipient update service does
not replicate changes successfully in forest functional level 2 in a
2003 Active Directory. From what I've read the best practice is to
leave the Forest Functional Level on 0 (mixed level forest) until the
Exchange 2000 server has been migrated to Exchange 2003. Any input is
much appreciated.

Tim


Re: [ActiveDir] computer policy processing -retry behaviour

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Man if it were me I'd try to get up to XP sp2.  Vista is a bit bleeding 
edge and much of my LOB stuff isn't ready yet...but 2000... most of the 
zero day stuff works very nicely on that platform.

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs


RE: [ActiveDir] DNS Scavenging - new issue

2006-11-22 Thread Akomolafe, Deji
Since someone has already taken the time to address this, I will simply refer 
you to 
http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1040355,00.html

If you still have questions after that, then ask away.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Gordon Pegue
Sent: Wed 11/22/2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging - new issue


The recent thread on DNS scavenging was interesting and
informative. It has led me to investigate my own DNS
scavenging issue and I'd appreciate some assistance with
figuring out how to resolve it.

I manage a single domain with a mixture of 2 - Win2K &
3 - Win2K3 servers. My 2 DC's are on Win2K boxes, I have
one Win2K3 server running Exchange 2K3 and the other 2
Win2K3 servers are basically file servers at this point
although we plan on promoting one to a DC in the near
future and retiring one of the Win2K DC's.

My DNS is AD integrated.

My issue involves the issue of old, stale DNS RR's not
being properly scavenged and even though I've read some
of the documents linked in the previous thread, I'm still
a bit uncertain how to rectify my issue without totally
botching things - I'm a bit of a newbie...

Anyhow, I examine the contents of my Reverse Lookup Zone
and I find 2 Name entries for the same machine name. If I
examine the properties of each, I see, for example, that
the Record Time Stamp for one is 6-6-05 and 11-21-06 for
the other. Checking DHCP shows that the IP address for the
11-21-06 entry is the active one.

When I check the Aging settings for the zone, I see that the
No-refresh interval is set to 7 hours, the Refresh interval
is set to 7 days and the Scavenge stale RR check box is checked.

OK so far, me thinks.

When I check the properties for the DNS server, under the
Advanced tab, the Enable automatic scavenging of stale records
check box is _not_ checked.

My first question: Should it be checked?
My second question: Are there any negative consequences to doing so?

Next, when I right-click the DNS server and click Set Aging/
Scavenging for All Zones, I see that the No-refresh interval is
set to 7 days, the Refresh interval is also set to 7 days and
the Scavenge stale RR check box is _not_ checked.

My third question: As opposed to my previous 2 questions, is this
where I should be enabling scavenging?

My final question: Once the scavenging has been properly enabled,
will the really stale RR records be removed?


TIA
Gordon Pegue


Re: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Mark Parris
I did pick this up somewhere

From what I understand on native INTEL E2K7 systems that utilise >8GB of RAM 
the servers suffer performance issues and the AMD chipset is the preferred 
choice for a lot of early adopters due to this issue - at VMWorld I could not 
get an answer on whether VMWare machines would suffer the same issue. 

The AMD techie stated that E2K7 was compiled on AMD too.

A little off the original post I know but I found it interesting.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: "Wells, James Arthur" <[EMAIL PROTECTED]>
Date: Wed, 22 Nov 2006 09:41:44 
To:
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal 
lab system

We're struggling with the same questions right now - one difference is the 
large amount of L2 cache on the Dual-core option for the 2900.  At any 
rate...there was an internal benchmark regarding dual vs. quad cores with ESX 3 
recently made available by Dell, but I'm not sure on its availability -
ask your Dell TAM.

As far as price goes -- today, there's a big price difference between a single 
quad or two dual core CPUs, for the ESX licensing.  But there's a strong rumor 
that EMC/VMWare will begin charging their licensing per CORE in Q1 2007.  So 
that puts you back to square one on your decision, if true.  

But if buying today, the quad will be cheaper on ESX licensing by 50%...


--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab 
system

I posted this on the VMWARE forum as well but I am very interested in the 
opinion of the people who post to this list and there must be some people with 
hands on experience with ESX and DC's and Exchange 2007 running on VM's on top 
of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at 
2.33 GHz or 2 Dual Core processors at 2.33 GHz. We will be using this machine 
in a test lab only and will be testing mainly Exchange 2007 and simulating AD 
issues. We would like to deploy ESX 3.0.1 (or the newest version) with several
Exchange 2007 VM's and several W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need to make 
the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core, see 
below: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be available in 
January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the fact that 
if one Quad would not be enough, we could always plug in another one :-) at a 
later time. 

Any suggestions are greatly appreciated.



Re: [ActiveDir] OT: Are governments insane? (WA time change in 11 days)

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

That's for the future one for USA..not the one for Western Australia though.

Chong Ai Chung wrote:

http://www.microsoft.com/windows/timezone/dst2007.mspx
 
Download link for the update is provided in following KB article but 
it's a broken link for now:

http://support.microsoft.com/kb/928388/
 

 
On 11/22/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
<[EMAIL PROTECTED] > wrote:


The AU's have passed a daylight savings change

http://www.news.com.au/perthnow/story/0,21598,20795690-5007222,00.html

Word is that MS will release a patch

http://blogs.technet.com/mkleef/archive/2006/11/22/wa-daylight-savings-update-its-approved.aspx

But here's another way to do this:
http://www.sbs-rocks.com/SBS-MVPs/Summer_Time_Problem.mht







--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



[ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread Mischler, Timothy J CTR USAF NASIC/SCNA
> Hello,
> 
> I was wondering if anyone had any experience with changing their
> Windows 2003 Forest Functional Level to 2 (Windows Server forest
> level) while running Exchange 2000 (post SP3)? I've found some
> documentation stating the Exchange 2000 recipient update service does
> not replicate changes successfully in forest functional level 2 in a
> 2003 Active Directory. From what I've read the best practice is to
> leave the Forest Functional Level  on 0 (mixed level forest) until the
> Exchange 2000 server has been migrated to Exchange 2003. Any input is
> much appreciated.
> 
> Tim


RE: [ActiveDir] DNS Scavenging - new issue

2006-11-22 Thread David Adner
Yes, enable it on the server.  Only records with old timestamps will be
deleted.  So the only real possible negative is you somehow have "valid"
records with old timestamps that have not been refreshing their timestamps
for some reason.  How could that happen?  Perhaps you had devices previously
performing dynamic updates but then someone disabled the feature on them so
now their records have old timestamps.

Don't worry about the "set all zones..." option unless you want to enable
scavenging on all the zones by default.

To your 3rd and 4th questions, yes and yes.

Just make sure you have valid backups and flip the switch.  Just because
it's the day before a major holiday doesn't mean you can't take risks.  :)
You can also use dnscmd.exe /zoneexport to dump the zone(s) if you want a
file backup of it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue
Sent: Wednesday, November 22, 2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging - new issue

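The aging rule David describes above (old timestamps, no-refresh plus refresh interval, scavenging switched on at both zone and server level) is easy to misjudge, so here is an added example that models it. This is editor-supplied code, not anything from the list, from Microsoft or from dnscmd. The record names, timestamps and `example.local` hostnames are constructed to mirror Gordon's zone (one PTR stamped 6-6-05, one 11-21-06), and `DnsRecord`, `AgingConfig` and the helper functions are names chosen for this example. The model keeps two points worth checking before flipping the switch: a static record (timestamp 0 in the console, `None` here) is never scavenged, and nothing is deleted until server-level scavenging is on for at least one DNS server hosting the zone.

```python
"""Model of Microsoft DNS record aging and scavenging (editor-supplied example).

Rule modelled: a dynamic record is stale once its timestamp is older than
no-refresh interval + refresh interval, and is only deleted when aging is
enabled on the zone AND scavenging is enabled on the server. Records with no
timestamp (static records) are never scavenged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str
    data: str
    # None models a static record (shown as timestamp 0 / "static" in the console).
    timestamp: Optional[datetime]


@dataclass(frozen=True)
class AgingConfig:
    zone_aging_enabled: bool          # "Scavenge stale resource records" on the zone
    server_scavenging_enabled: bool   # "Enable automatic scavenging" on the server
    no_refresh: timedelta
    refresh: timedelta


def is_stale(rec: DnsRecord, now: datetime, cfg: AgingConfig) -> bool:
    """A record is stale once now >= timestamp + no_refresh + refresh."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + cfg.no_refresh + cfg.refresh


def refresh_allowed(rec: DnsRecord, now: datetime, cfg: AgingConfig) -> bool:
    """A dynamic update may bump the timestamp only after no_refresh has elapsed."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + cfg.no_refresh


def scavenge_candidates(records: List[DnsRecord], now: datetime,
                        cfg: AgingConfig) -> List[DnsRecord]:
    """Records a scavenging pass would delete under cfg (none if scavenging is off)."""
    if not (cfg.zone_aging_enabled and cfg.server_scavenging_enabled):
        return []
    return [r for r in records if is_stale(r, now, cfg)]


def report(records: List[DnsRecord], now: datetime, cfg: AgingConfig) -> List[str]:
    """Names that would be scavenged; what the thread's four questions reduce to."""
    return [r.name for r in scavenge_candidates(records, now, cfg)]


# Constructed sample data modelled on the reverse-lookup zone in the thread:
# two PTR entries for the same host, one stamped 6-6-05 and one 11-21-06,
# plus a static entry for a domain controller.
SAMPLE_RECORDS = [
    DnsRecord("10.1.10.in-addr.arpa", "PTR", "ws042.example.local", datetime(2005, 6, 6, 8, 0)),
    DnsRecord("57.1.10.in-addr.arpa", "PTR", "ws042.example.local", datetime(2006, 11, 21, 9, 0)),
    DnsRecord("5.1.10.in-addr.arpa", "PTR", "dc01.example.local", None),
]
NOW = datetime(2006, 11, 22, 12, 0)

# Zone settings from the thread (7 hours / 7 days) with server scavenging off and on,
# and the server-level defaults the thread mentions (7 days / 7 days).
ZONE_7H_7D_SERVER_OFF = AgingConfig(True, False, timedelta(hours=7), timedelta(days=7))
ZONE_7H_7D_SERVER_ON = AgingConfig(True, True, timedelta(hours=7), timedelta(days=7))
SERVER_DEFAULT_7D_7D = AgingConfig(True, True, timedelta(days=7), timedelta(days=7))

if __name__ == "__main__":
    print("server scavenging off:", report(SAMPLE_RECORDS, NOW, ZONE_7H_7D_SERVER_OFF))
    print("server scavenging on: ", report(SAMPLE_RECORDS, NOW, ZONE_7H_7D_SERVER_ON))
```

With the 7h/7d zone and server scavenging off the pass returns nothing, which is exactly Gordon's symptom; with it on, only the 2005 entry is eligible and the 11-21-06 entry and the static DC record are left alone. The real server additionally waits for its scavenging period to elapse before the first pass, which the model omits, so dumping the zone first (`dnscmd /zoneexport`, as David suggests) is the cheap safety net.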


Re: [ActiveDir] Updating cached credentials

2006-11-22 Thread Al Mulnick

As I understand it, the Nortel VPN client is a shim that works at layer 3
and does not take effect until after the user session has begun.  This
prevents much of the normal node processing you'd like to see happen such as
control of the Windows firewall, caching of group membership and so on.

Since most companies require a password change on a regular basis for user
accounts, I'm kind of surprised that you see this behavior. The way to
change the user credentials on a Nortel client is to have the user use the
three finger salute (ctrl+alt+del sequence) to lock the workstation after
the VPN is established.  When the user logs back on this *is expected* to
re-cache the credentials.  This should be a familiar sequence of events for
the users every password change.

Has this not addressed the problem for you to date?

On 11/22/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:


Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?



Re: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread Al Mulnick

I *thought* the behavior of that was modified by a patch/or service pack,
but it's been a long time. RUS is notoriously picky and fragile, but I don't
recall this being a stopping point. Exchange 2000 was certainly even more
fragile.  Upgrading would be in your best interest regardless.

Have a look at the readme files for Windows server 2003 and you might want
to call Microsoft to get it from the horse's mouth.  So to speak. :)



On 11/22/06, Mischler, Timothy J CTR USAF NASIC/SCNA <
[EMAIL PROTECTED]> wrote:


 Hello,

I was wondering if anyone had any experience with changing their Windows
2003 Forest Functional Level to 2 (Windows Server forest level) while
running Exchange 2000 (post SP3)? I've found some documentation stating the
Exchange 2000 recipient update service does not replicate changes
successfully in forest functional level 2 in a 2003 Active Directory. From
what I've read the best practice is to leave the Forest Functional Level  on
0 (mixed level forest) until the Exchange 2000 server has been migrated to
Exchange 2003. Any input is much appreciated.

Tim



RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Brian Desmond
A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system



RE: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread Brian Desmond
Tim-

There is a hotfix for this, I think for Exchange. The issue is that the
Exchange 2000 RUS doesn't sense changes when Linked Value Replication is
happening.

The easiest solution is to introduce an Exchange 2003 server to run your
RUS.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mischler,
Timothy J CTR USAF NASIC/SCNA
Sent: Wednesday, November 22, 2006 11:27 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional
Level 2 while running Exchange 2000

Hello,

I was wondering if anyone had any experience with changing their Windows
2003 Forest Functional Level to 2 (Windows Server forest level) while
running Exchange 2000 (post SP3)? I've found some documentation stating
the Exchange 2000 recipient update service does not replicate changes
successfully in forest functional level 2 in a 2003 Active Directory.
From what I've read the best practice is to leave the Forest Functional
Level  on 0 (mixed level forest) until the Exchange 2000 server has been
migrated to Exchange 2003. Any input is much appreciated.

Tim 



Re: [ActiveDir] mailNickName(OT)

2006-11-22 Thread Tom Kern

The place I'm currently at is a large 110,000+ user bank.
They use the HR employee id# for sAMAccountName and upn and in turn the dn.
They use firstname.lastname for smtp and mailNickName and
consequently legacyExchangeDN.
Why, I have no idea.

They had a lot of input from MS in setting up their forest/exchange
ORG, so I'm not sure why it is this way.

For some background, they use lotus as well as exchange and use a dirX
ldap server for common address book and sendmail address rewrite.
For the HR db, they use peoplesoft which they are going to sync up
with AD with MIIS soon.
I'm not sure what all this has to do with mailNickName format, but it
may provide some background or potential trouble in the future.
Thanks for all your input.


On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

Other than being used for access by other protocols such as pop, imap, and
owa, last I checked it's also the value used for the x.400 like address
which is used for mail delivery internally by Exchange.  You wouldn't want
that to be non-unique else you might have to call somebody like joe to come
in and help clean up :)

I'm surprised that this company you're at has not gone to unique values for
this.  I'm equally surprised they don't have other issues with their
Exchange deployment, but it's possible you haven't gotten far enough into it
yet to notice some of them.

I've blogged about my thoughts regarding what should be globally unique in
an AD/Exchange environment.  It's a long enough blog it may even be a good
candidate for an essay or possibly a sleep aid.

If you want the details, have a read.  The short answer is that you want
every user to be unique and to have a consistent and trouble-free
experience.  That keeps you from being up late at night with international
customers first and your local in-country customers the next day.
Mailnickname is one of the attributes that should be unique same as
samaccountname and smtp address (some are enforced per forest, some per
domain but all should be enforced regardless in my opinion). Since they can
often feed on one another, I maintain that samaccountname should be the
user's foundational, non-changing, never touched as long as that person is a
member of the company in good standing, network id. Exchange relies on
Active Directory and as such you're better following the same rules.


Al

On 11/22/06, joe <[EMAIL PROTECTED]> wrote:
>
> The mailnickname isn't populated in a similar way to display name. The
> common ways for mailnickname generation and its population are through the
> RUS, by CDOEXM, or by the special ADUC extension (and no ADUC doesn't use
> CDOEXM). This is unlike displayname which has ADUC as its common way to be
> populated. Certainly they could have done something like that but they
> didn't.
>
> Changing the format is ok, most companies don't do it but some do. But if
> there is going to be a change, change to something that is guaranteed to
> be
> unique in your organization. Display names are very often not unique;
> definitely not unique at scale which is why Al said, it don't scale. Go
> to any larger company in the US and type in Smith, Jones, Brown, or
> Johnson
> in the GAL and you will likely see multiple Alan's, Andrew's, Amy's,
> Bob's,
> Carol's, Fred's, John's, Steve's, etc... If you are multi-national try
> Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg,
> Schulz, or Schmidt.
>
> The attribute is used quite a bit in Exchange. Where all it is used I will
> let some Exchange person respond if they want, but look quickly at a
> mailbox
> enabled user and check how many times you see the value. Note that none of
> the other attributes that use mailNickname in their initial generation
> will
> change if you change mailnickname, you absolutely wouldn't want that or
> else
> it would break certain types of delivery for that user. I have seen some
> nasty issues in larger orgs that resulted in mailNicknames not being
> unique.
> The problems can be solved by mechanisms other than unique mailNicknames
> but
> unique mailNicknames is by far the easiest way to handle it. I have a tool
> that reports bad Exchange attribute settings in an Org and duplicate
> mailNickname is one of them that I flag as fairly high priority due to my
> experiences.
>
>   joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, November 21, 2006 10:07 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] mailNickName(OT)
>
> well, the company i currently work for sets the mailNickName of all
> users to "firstname.lastname".
> I didnt know there was any issue with changing the format of that
> attribute.
>
> we have around 110,000 users mixed between Exchange and Lotus Domino
> and this is the format they have been using(why, i'm not sure, I just
> started here)
>
> I tho
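The uniqueness rules Al and joe argue for above (sAMAccountName unique per domain, mailNickname and every SMTP address unique across the org) can be checked from a directory export before anyone changes the mailNickname format, so here is an added example that does that check. It is editor-supplied code, not joe's reporting tool and not anything posted to the list. The `User` class, the `find_duplicates` and `summarize` names, and the four sample accounts with their `example.com` addresses are constructed for the example; comparisons are case-insensitive, as the directory treats these attributes.

```python
"""Audit a directory export for non-unique identifiers (editor-supplied example).

Checks: sAMAccountName unique per domain, mailNickname unique across the org
(modelled as the whole export), every smtp proxy address unique across the org.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class User:
    domain: str
    sam_account_name: str
    mail_nickname: str
    proxy_addresses: List[str] = field(default_factory=list)

    def dn(self) -> str:
        """Hypothetical DN built from the sample fields, used only for reporting."""
        return f"CN={self.sam_account_name},DC={self.domain.replace('.', ',DC=')}"


def _group(pairs: List[Tuple[object, str]]) -> Dict[object, List[str]]:
    """Map each key to the DNs carrying it, keeping only keys seen more than once."""
    groups: Dict[object, List[str]] = defaultdict(list)
    for key, dn in pairs:
        groups[key].append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_duplicates(users: List[User]) -> Dict[str, Dict[str, List[str]]]:
    """Return {check name: {duplicated value: [DNs]}} for every collision found."""
    sam = [((u.domain.lower(), u.sam_account_name.lower()), u.dn()) for u in users]
    nick = [(u.mail_nickname.lower(), u.dn()) for u in users]
    # proxyAddresses carries "SMTP:" (primary) and "smtp:" (secondary); both count.
    smtp = [
        (addr.split(":", 1)[1].lower(), u.dn())
        for u in users
        for addr in u.proxy_addresses
        if addr.lower().startswith("smtp:")
    ]
    return {
        "sAMAccountName per domain": {f"{d}\\{s}": v for (d, s), v in _group(sam).items()},
        "mailNickname per org": _group(nick),
        "smtp address per org": _group(smtp),
    }


def summarize(users: List[User]) -> List[str]:
    """One line per collision, suitable for a ticket or a cleanup report."""
    lines = []
    for check, dupes in find_duplicates(users).items():
        for value, dns in sorted(dupes.items()):
            lines.append(f"{check}: '{value}' on {len(dns)} objects: {'; '.join(dns)}")
    return lines


# Constructed sample export: employee-id sAMAccountNames and firstname.lastname
# mailNicknames as described in the thread, two domains in one forest.
SAMPLE_USERS = [
    User("corp.example", "e100234", "john.smith", ["SMTP:john.smith@example.com"]),
    User("emea.example", "e100987", "John.Smith",
         ["SMTP:john.smith2@example.com", "smtp:jsmith@example.com"]),
    User("corp.example", "e100555", "amy.chen", ["SMTP:amy.chen@example.com"]),
    User("corp.example", "e100556", "amy.chen2",
         ["SMTP:amy.chen2@example.com", "smtp:amy.chen@example.com"]),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_USERS):
        print(line)
```

A real run would feed it the relevant attributes of every mailbox-enabled user from an LDAP export. The sample deliberately includes a nickname that collides only by case across two domains and an SMTP address that collides as somebody else's secondary proxy; both are the kind of duplicate a quick look at the GAL misses and the kind joe describes as causing delivery problems.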

[ActiveDir] OT: Security checklists - [Fwd: IASE Postings (UNCLASSIFIED)]

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]



 Original Message 
Subject:IASE Postings (UNCLASSIFIED)
Date:   Wed, 22 Nov 2006 13:47:18 -0500
From:   IASE <[EMAIL PROTECTED]>



Classification:  UNCLASSIFIED 
Caveats: NONE




DISA FSO has released the following updated Security Checklists,
Security Readiness Review Scripts, and the Gold Disk Version 2.

Checklists:  http://iase.disa.mil/stigs/checklist/index.html


ACF2 Checklist, Version 5, Release 21, filename:  ACF2-Checklist
V5R21.doc, dated 11-24-06

Active Directory Checklist, Version 1, Release 13, filename:
AD_Checklist_V1R13_20061005.zip, dated:  10-05-06

Application Security Checklist, Version 2, Release 19, filename:
app-security-checklist-v2r19-24Nov06.doc, dated: 11-24-06

Database Checklist, Version 7, Release 2-2, filename:
DB_Checklist_V7R2-2_20061029.zip, dated: 10-29-06

Desktop Application Checklist, Version 2, Release 16, filename:
Desktop_App_Checklist_v2r16.zip, dated:  11-24-06

DSN Checklist, Version 2, Release 3-3, filename:
DSN-Checklist-V2R3-3-20061124.pdf, dated:  11-24-06

RACF Checklist, Version 5, Release 21, filename:
RACF-Checklist-V5R21.doc, dated:  11-24-06

TSS Checklist, Version 5, Release 21, filename:
TSS-Checklist_V5R21.doc, dated:  11-24-06

Unisys Checklist, Version 7, Release 2, filename:
Unisys-Checklist-V7R2-20061124.pdf, dated:  11-24-06

UNIX Checklist, Version 5, Release 1, filename:
UNIX-Checklist-V5R1-20065.zip, dated:  11-15-06

W2K3 Checklist, Version 5, Release 1.7, filename:
Checklist_W2K3_V5R1.7_112406.zip, dated:  11-24-06

WIN2K Checklist, Version 5, Release 1.7, filename:
Checklist_WIN2K_V5R1.7_112406.zip, dated:  11-24-06

WINXP Checklist, Version 5, Release 1.7, filename:
Checklist_WINXP_V5R1.7_11204.zip, dated:  11-24-06

SRR Scripts:  http://iase.disa.mil/stigs/SRR/index.html


Oracle Unix Listener Password Check, filename:  FindLsnr.sh, dated:
10-30-06

Oracle Unix Scripts, Version 7, Release 2-2, filenames:
OracleUnix_Script_V7R2-2_20061102.tar,
OracleUnix_Script_V7R2-2_20061102.tar.gz,
OracleUnix_Script_V7R2-2_20061102.zip, dated:  11-02-06

Oracle Windows Script, Version 7, Release 2-2, filename:
OracleWindows_Script_V7R2-2_20061102.zip, dated:  11-02-06

OS390 Scripts, Version 5, Release 21, filename:  OS390.V5R21.zip, dated:
11-08-06

UNIX Scripts, Version 5, Release 1, filenames:  UNIX
51-15November06.tar.bz2, UNIX 51-15November06.tar.Z, UNIX
51-15November06.tar.zip, UNIX 51-15November06.tar.gz, dated:  11-15-06

Websrr Unix Scripts, Version 5, Release1, filename:
websrr-unix-v5r1-20061115.tar.zip, dated:  11-15-06

GOLD Disk Version 2:  http://iase.disa.mil/stigs/SRR/index.html


Gold Disk Version 2 Scan Disk GDV2_CD1_Engine_11-24-2006.iso

SRR-Lite CD:  http://iase.disa.mil/stigs/stig/index.html,
http://iase.disa.mil/stigs/checklist/index.html,
http://iase.disa.mil/stigs/SRR/index.html

SRR Lite - Sept06.zip 


SRR_Lite_CD_READ-ME_v1-1.pdf

STIG TIM Meeting Schedule:  http://iase.disa.mil/stigs/stig/index.html


Technical Interchange Meeting Schedule, filename:  FY07 STIG TIM
Schedule.xls

PKI Checklists and Procedures:
https://powhatan.iiie.disa.mil/techguid/cds/index.html


C2G Security Checklist, Version 4, Release 2, filename:
C2G_checklist_11-15-2006.pdf, dated:  11-15-06

C2G Procedures, Version 4, Release 2, filename:
C2G_Procedures_11-15-2006.pdf, dated:  11-15-06

DII Security Checklist, Version 3, Release 3, filename:
DII_Checklist_11-15-2006.pdf, dated:  11-15-06

DII Guard Procedures, Version 3, Release 4, filename:
DII_Guard_Procedures-11-15-2006.pdf, dated:  11-15-06

OWL Security Checklist, Version 1, Release 4, filename:
OWL_Checklist_11-15-2006.pdf, dated:  11-15-06

OWL Procedures, Version 1, Release 5, filename:  OWL
Procedures_11-15-2006.pdf, dated:  11-15-06

RM Security Checklist, Version 2, Release 2, filename:
RM_Checklist_11-15-2006.pdf, dated:  11-15-06

RM Procedures, Version 2, Release 3, filename:
RM_Procedures_11-15-2006.pdf, dated:  11-15-06

TDX Security Checklist, Version 2, Release 2, filename:
TDX_Checklist_11-15-2006.pdf, dated:  11-15-06

TDX Procedures, Version 2, Release 4, filename:
TDX_Procedures_11-15-2006.pdf, dated:  11-15-06

TGS Security Checklist, Version 2, Release 2, filename:
TGS_Checklist_11-15-2006.pdf, dated:  11-15-06

TGS Procedures, Version 2, Release 3, filename:
TGS_Procedures_11-15-2006.pdf, dated:  11-15-06

PKI STIG and Checklist:  https://powhatan.iiie.disa.mil/techguid


DRSN STIG, Version 1, Release 2, filename:  DRSN STIG V1R2 2006
1115.pdf, dated:  11-15-06

DRSN Checklist, Version 1, Release 2, filename:  DRSN C

RE: [ActiveDir] mailNickName(OT)

2006-11-22 Thread joe
me too

Good post.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)




On 11/22/06, joe <[EMAIL PROTECTED]> wrote: 

The mailnickname isn't populated in a similar way to display name. The
common ways for mailnickname generation and its population are through the
RUS, by CDOEXM, or by the special ADUC extension (and no ADUC doesn't use 
CDOEXM). This is unlike displayname which has ADUC as its common way to be
populated. Certainly they could have done something like that but they
didn't.

Changing the format is ok, most companies don't do it but some do. But if 
there is going to be a change, change to something that is guaranteed to be
unique in your organization. Display names are very often not unique;
definitely not unique at scale which is why Al said, it don't scale. Go 
to any larger company in the US and type in Smith, Jones, Brown, or Johnson
in the GAL and you will likely see multiple Alan's, Andrew's, Amy's, Bob's,
Carol's, Fred's, John's, Steve's, etc... If you are multi-national try 
Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg,
Schulz, or Schmidt.

The attribute is used quite a bit in Exchange. Where all it is used I will
let some Exchange person respond if they want, but look quickly at a mailbox
enabled user and check how many times you see the value. Note that none of
the other attributes that use mailNickname in their initial generation will
change if you change mailnickname, you absolutely wouldn't want that or else
it would break certain types of delivery for that user. I have seen some
nasty issues in larger orgs that resulted in mailNicknames not being unique.
The problems can be solved by mechanisms other than unique mailNicknames but
unique mailNicknames is by far the easiest way to handle it. I have a tool
that reports bad Exchange attribute settings in an Org and duplicate
mailNickname is one of them that I flag as fairly high priority due to my 
experiences.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, November 21, 2006 10:07 PM 
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

well, the company i currently work for sets the mailNickName of all
users to "firstname.lastname".
I didn't know there was any issue with changing the format of that attribute.

we have around 110,000 users mixed between Exchange and Lotus Domino
and this is the format they have been using (why, i'm not sure, I just
started here)

I thought there could be a way to change the default format of the
mailNickName attribute the same way you could change the format of the
displayname.

What issues can arise by changing the mailNickname format?

I mean, what is this attribute used for exactly?
I thought this was only used for POP3 and IMAP and maybe OWA and ADC.
And I didn't think changing it could affect anything.
Can you guys educate me, please?

Thanks

On 11/21/06, joe <[EMAIL PROTECTED]> wrote:
> Not that I am aware of.
>
> I am with Al on this, keep it as the sAMAccountName. This value while 
isn't
> enforced t
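
As an added example (not code from this thread, and not joe's reporting tool), the PowerShell below does the check the thread argues for: it queries a global catalog for every mail-enabled recipient and reports mailNickname, sAMAccountName and SMTP proxy address values that occur more than once across the forest. It uses System.DirectoryServices directly so it needs no AD module. The default search root, the case-insensitive comparison (assumed to be the collision rule that matters for Exchange) and the function name are assumptions; the caller is assumed to be able to read the GC.

```powershell
# Added example, not the thread's or joe's code. Reports duplicate recipient
# attributes forest-wide by paging through a global catalog (port 3268).
# Assumes the caller can read the GC; the search root default is an assumption.
function Get-DuplicateRecipientAttributes {
    param(
        # Search root; defaults to the forest root domain over the GC port.
        [string]$SearchRoot = "GC://$(([adsi]'LDAP://RootDSE').rootDomainNamingContext)"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]$SearchRoot
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter      = '(mailNickname=*)'   # every mail-enabled recipient, any class
    $searcher.PageSize    = 1000                  # page; otherwise results stop at 1000
    foreach ($attr in 'distinguishedName','mailNickname','sAMAccountName','proxyAddresses') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # One table per attribute: normalized value -> list of DNs carrying it.
    # Values are lower-cased because Exchange matches them case-insensitively (assumption).
    $index = @{ mailNickname = @{}; sAMAccountName = @{}; smtpAddress = @{} }
    function Add-Hit([hashtable]$table, [string]$key, [string]$dn) {
        if (-not $table.ContainsKey($key)) {
            $table[$key] = New-Object System.Collections.Generic.List[string]
        }
        $table[$key].Add($dn)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            foreach ($name in 'mailNickname','sAMAccountName') {
                $vals = $r.Properties[$name.ToLower()]
                if ($vals -and $vals.Count -gt 0) {
                    Add-Hit $index[$name] ([string]$vals[0]).ToLowerInvariant() $dn
                }
            }
            foreach ($pa in $r.Properties['proxyaddresses']) {
                # Only SMTP addresses collide for delivery; prefix is 'SMTP:' (primary) or 'smtp:'.
                if ($pa -match '^smtp:(.+)$') {
                    Add-Hit $index.smtpAddress $Matches[1].ToLowerInvariant() $dn
                }
            }
        }
    } finally { $results.Dispose() }

    # Emit one row per value that is held by more than one object.
    foreach ($name in $index.Keys) {
        foreach ($entry in $index[$name].GetEnumerator()) {
            if ($entry.Value.Count -gt 1) {
                [pscustomobject]@{
                    Attribute = $name
                    Value     = $entry.Key
                    Count     = $entry.Value.Count
                    Objects   = ($entry.Value -join '; ')
                }
            }
        }
    }
}

# Usage:
Get-DuplicateRecipientAttributes | Sort-Object Attribute, Value | Format-Table -AutoSize
```

AD itself only requires sAMAccountName to be unique per domain, so cross-domain hits on that attribute are not directory errors; they are exactly the collisions the thread recommends avoiding by treating sAMAccountName as the forest-wide, never-changing network id.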

Re: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Al Mulnick

It's a test environment?  Knowing that you won't be testing performance
related issues in this configuration, I'd opt for the expandability.

My $0.04 worth anyway.


On 11/22/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


I posted this on the VMWARE forum as well but I am very interested in
the opinion of the people who post to this list and there must be some
people with hands on experience with ESX and DC's and Exchange 2007
running on VM's on top of ESX 3.0.1.

I am interested in the following:

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core
processor at 2.33 GHz or 2 Dual Core processors at 2.33 GHz. We will be
using this machine in a test lab only and will be testing mainly
Exchange 2007 and simulating AD issues. We would like to deploy ESX
3.0.1 (or the newest version) with several Exchange 2007 VM's and several
W2K3 R2 Domain Controller VM's on it.

We are hesitating between the following configurations, both DELL 2900's.
We will unfortunately only be buying one system so we definitely need
to make the right choice.

As I said we want to buy a system with either 2 Dual Cores or 1 Quad
Core, see below:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with.

We have contacted Dell and we were told that the 5345 Xeon will be
available in January at the latest.

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the
fact that if one Quad would not be enough, we could always plug in
another one :-) at a later time.

Any suggestions are greatly appreciated.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread joe
There is a hotfix available. See KB873059.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mischler, Timothy J
CTR USAF NASIC/SCNA
Sent: Wednesday, November 22, 2006 12:27 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2
while running Exchange 2000



Hello, 

I was wondering if anyone had any experience with changing their Windows
2003 Forest Functional Level to 2 (Windows Server forest level) while
running Exchange 2000 (post SP3)? I've found some documentation stating the
Exchange 2000 recipient update service does not replicate changes
successfully in forest functional level 2 in a 2003 Active Directory. From
what I've read the best practice is to leave the Forest Functional Level  on
0 (mixed level forest) until the Exchange 2000 server has been migrated to
Exchange 2003. Any input is much appreciated.

Tim 



RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread joe
If querying objectsid in K3 or ADAM you don't need -binenc, even for
non-well knowns. :)

Any other SID field though will require it that I am aware of.

The quickest way to find a SID in objectsid or sidhistory with adfind is
through the adsid shortcut like so

adfind -sc adsid:s-1-5-9

   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...



Just for future reference the easiest way to identify where an object is if
you have a SID is to use adfind with the -binenc option: 
adfind -binenc -b dc=FOO,dc=BAR -f objectSID=S-1-5-9 

You'll find the full path to the object under >objectCategory: 

While the binenc option isn't strictly needed for this example, as well-known
security principals apparently don't need to be encoded, it does not
hurt and it's a good habit to get into because you WILL need it for many SID
searches =)

Thanks, 
Andrew Fidel 



From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/22/2006 12:35 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: "ActiveDir@mail.activedir.org"
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of "Windows
Authorization Access group" after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled "Windows Server 2003 Well Known
Security Principals" in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must h
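
As an added example (not from this thread, and not adfind), the PowerShell below does by hand what adfind's -binenc option and adsid shortcut do: it converts a SID string to its binary form, escapes it as \xx pairs for the LDAP filter, and searches both objectSid and sidHistory from a global catalog so the object's location comes back with it. The default search root and the function name are assumptions, and the caller is assumed to be able to read the GC.

```powershell
# Added example, not from the thread. Locates the object(s) holding a SID in
# objectSid or sidHistory. The SID is converted to binary and escaped for the
# LDAP filter, which is what adfind's -binenc does for you.
# Assumes the caller can read the GC; the search root default is an assumption.
function Find-ADObjectBySid {
    param(
        [Parameter(Mandatory = $true)][string]$Sid,      # e.g. 'S-1-5-9'
        [string]$SearchRoot = "GC://$(([adsi]'LDAP://RootDSE').rootDomainNamingContext)"
    )

    # Binary form of the SID, then LDAP escaping: each byte becomes \ + two hex digits.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes  = New-Object byte[] ($sidObj.BinaryLength)
    $sidObj.GetBinaryForm($bytes, 0)
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]$SearchRoot
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000
    # Both attributes: a migrated account carries its old SID in sidHistory.
    $searcher.Filter      = "(|(objectSid=$escaped)(sidHistory=$escaped))"
    foreach ($attr in 'distinguishedName','objectClass','objectSid') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Decode the object's own SID so we can tell which attribute matched.
            $own = $null
            if ($r.Properties['objectsid'].Count -gt 0) {
                $raw = $r.Properties['objectsid'][0]
                $own = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
            }
            $matched = if ($own -eq $Sid) { 'objectSid' } else { 'sidHistory' }
            $classes = @($r.Properties['objectclass'])   # most specific class is last
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                ObjectClass       = [string]$classes[$classes.Count - 1]
                MatchedOn         = $matched
            }
        }
    } finally { $results.Dispose() }
}

# Usage: the well-known Enterprise Domain Controllers SID from the thread.
Find-ADObjectBySid -Sid 'S-1-5-9' | Format-List
```

Searching from the forest root over the GC port covers the domain naming contexts and the Configuration container beneath the root, so a well-known SID such as S-1-5-9 can come back more than once: as a foreignSecurityPrincipal in a domain and as the entry under CN=WellKnown Security Principals,CN=Configuration that the thread describes.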

RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Ken Cornetet
Thanks Al. We typically change passwords via a web app (Psynch) rather
than at the workstation. One of our desktop techs thought that changing
your password via the three-finger salute would cause the credentials to
be updated, but in this case it didn't seem to work. We'll try the
workstation lock and see if that works.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


As I understand it, the Nortel VPN client is a shim that works at layer
3 and does not take effect until after the user session has begun.  This
prevents much of the normal node processing you'd like to see happen
such as control of the Windows firewall, caching of group membership and
so on.

Since most companies require a password change on a regular basis for
user accounts, I'm kind of surprised that you see this behavior. The way
to change the user credentials on a Nortel client is to have the user
use the three finger salute (ctrl+alt+del sequence) to lock the
workstation after the VPN is established.  When the user logs back on
this *is expected* to re-cache the credentials.  This should be a
familiar sequence of events for the users every password change.

Has this not addressed the problem for you to date?


On 11/22/06, Ken Cornetet <[EMAIL PROTECTED] > wrote: 

Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?





RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Wells, James Arthur
Windows XP SP2 introduces a new, background cached password sync process that 
does not require the workstation to be locked, only that it be able to talk 
back to a DC...it's tied to Fast Logon Optimization threads...
 
http://support.microsoft.com/?id=824302
 
That KB article doesn't really describe it, but I had PSS dig around and talk 
to the KB author - it's just a small addition to Fast Logon Optimization that 
will update the cached password silently, in the background.  Usually very 
quickly, too.  We've proven this even on wireless+VPN-connected
machines.
 
 
Not sure how or if the Nortel client impacts this...but since it happens AFTER 
user logon, I would expect not.
 
--James
 





RE: [ActiveDir] going further OT: Are governments insane? (WA time change in 11 days)

2006-11-22 Thread Molkentin, Steve

Neil, All,

It doesn't benefit us, that's for sure!  ;)

Daylight saving is great, it's just that we here in Queensland aren't
allowed to have it yet (that makes it hard dealing with the other east
coast states, let me tell you, and turns a 2 hour difference between us
and NZ into 3 hours, meaning you either start REALLY early or they
finish REALLY late).

We'll just keep an eye out for the patch and seek to apply it as soon as
it rears its head.

themolk.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, 23 November 2006 2:04 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] going further OT: Are governments
> insane? (WA time change in 11 days)
>
> Not the first and no doubt, not the last either. (It's a Western
> Australia change BTW - never heard the term "AUs" before :) ).
>
> It's about time we scrapped the whole daft idea of daylight
> saving, IMO.
> We save an hour in the morning but lose it in the afternoon!! Who does
> that benefit? [Please don't suggest 'farmers'!]
>
> neil
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: 22 November 2006 15:07
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: Are governments insane? (WA time change in 11
> days)
>
> The AU's have passed a daylight savings change
>
> http://www.news.com.au/perthnow/story/0,21598,20795690-5007222,00.html
>
> Word is that MS will release a patch
> http://blogs.technet.com/mkleef/archive/2006/11/22/wa-daylight
> -savings-u
> pdate-its-approved.aspx
>
> But here's another way to do this:
> http://www.sbs-rocks.com/SBS-MVPs/Summer_Time_Problem.mht
>
>



RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Victor W.
Was thinking along that line as well. The system will probably be fast enough 
with one quad but we also have the option to add another quad  later.  I read 
somewhere however that dual cores are able to access more/make better use of 
system RAM. When I read those kind of things I get the feeling that Quad is not 
always better than Dual and that makes me wonder and it puzzles me.

 


RE: [ActiveDir] mailNickName(OT)

2006-11-22 Thread joe
I have to admit some surprise that you have that large of an org and haven't
hit issues in collisions on the name space when using firstname.lastname.
Actually I find it more than surprising, I expect you have some exceptions
or some folks got a display name that isn't something they totally prefer,
like a Ted became a Theodore or something for example...

On the MSFT helped with the design comment... I realize you weren't around
for it but don't confuse "someone from MSFT" helped with the design with
"MSFT" helped with the design. It is something I learned a long time ago to
separate. Not every MSFT resource is as knowledgeable as they should be in
every area they may be called in to work on... i.e. When using say MCS or
PSS to help with things, don't blindly follow, understand what they are
designing or asking you to do. Obviously this isn't strictly limited to
MSFT, this goes for every company that has "experts" that come in and help. 

While you hope you get all of the experience of Microsoft in every Microsoft
employee (or all of the experience of Company X from every Company X
employee) who visits you, the simple and obvious truth of the matter is that
you don't. You get a person with some level X of experience who has some
level X of access to other people. Some of these people will be extremely
experienced in what you are doing (or some aspect of what you are doing),
some will pretend they are. Some will know who to contact to verify
plans/ideas, some won't, some won't even care to because they feel they know
enough themselves. I have met all versions of these. My favorites are those
who are comfortable enough in themselves to actually say "I don't know the
answer to that" or "I am not sure", quickly followed by "But I will
find out". Interestingly, the people willing to say I don't know tend to be
the ones that most of the other MSFT folks consider to be some of the
brightest folks working on those things... Imagine that.

At any point if you get the feeling that the person is more of a shyster
than an expert, call them out and ask for them to get someone else on the
phone to talk it out as well. If you are in a 100k+ org, you should have the
weight to even get someone from Redmond on the phone to help answer
questions. Also don't be afraid to just ask here, say someone said X and Y
and we aren't exactly sure if that is accurate... People here will either
say yes, no, it depends, or where &%#$ are your smilies... 

All of that to say, even if someone from MSFT helped with some design of
something, don't rely on that meaning it is authoritatively the most optimal
configuration or even how it should be done at all. You are on better ground
if you get an official design review from PSS because then several folks
should be looking at it, but even still... I have seen some funny
recommendations even in those that I have completely ignored. Basically you
need to have some good understanding of what you are doing as well. In a
small company the repercussions and actually the need for special thinking
is greatly reduced, Microsoft Redmond targets those situations. In larger
companies above the 30/50/80/100k user marks, IMO, someone better have a
good understanding of AD unless all of your support is farmed out to another
company and then someone there better have a really good understanding. 



If you want to read on, there is a funny story I have of an MSFT Exchange
Alliance Premier person who had an issue saying I don't know and radically
impacted his image and how the customer viewed him... This just came up in a
chat I had with someone recently so since it is fresh in my head... I was in
a training class several years ago when this Alliance tech ventured onto the
topic of the general ACL model that he thought he understood and I started
questioning him on it because he said something that I knew to be wrong. I
was personally curious how far he would take his incorrect answer so asked a
couple of leading questions that should have sent warnings to him. He didn't
stop, in fact, he kept going with it and actually ended his responses to my
questions with something like "I am only wrong once per year and this isn't
the time" or something really silly like that. I let him smile for a few
seconds as I looked at the other Microsoft folks in the back of the room who
knew me and realized something bad was happening and then I pointed out some
errors for him. From that second on he looked like a gomer to the customer
(us) but worse, to every MSFT person in that room, they couldn't stop
laughing. A year later I recall he was still actively being ribbed about it.
I expect even now he gets the occasional poke... I know every time he says
something to the customer, even still, they question whether or not they can
trust the answer. Going back even farther I once had another PSS Alliance
Exchange Tech tell me that the limitation in Windows 2000 with 5000 members
in a group had been fixed, just not documented as 

[ActiveDir] ActiveDir.Org Web Site Update [List Admin]

2006-11-22 Thread Matty
Hi All,

I just want to update you on some recent changes to the ActiveDir.Org site.

As you may know, the last attempt at publishing the Mail List's archives on
ActiveDir.Org was a complete disaster.  The software we were using (Mhonarc)
just couldn't keep up with the volume (I actually suspect it was also due to
the length of some of Joe's mails - only joking ;-)).

The good news is we finally got around to developing our own solution (this
time with extremely long field lengths ;-)) so you can now find the archives
back on-site again here.

The archive is updated hourly.  It's fully RSS'd so you can subscribe to the
main archive feed if you prefer to view posts in that way.  If you are that
keen on following a particular thread, we also maintain a separate feed for
each separate thread.

Another recent update that is also related to the List Archive is the new
Posters feature.  This feature categorises the list's archive by sender and
will publish all threads that you have ever been involved in.  You need to be
registered with ActiveDir.org (with the same email address as you use to
subscribe to the list) in order to publish your threads to the Posters page.

Here's an example of Tony's Posters page:
http://www.activedir.org/ma/posters.aspx?id=2

It's kind of like having your own ActiveDir Mail List Blog.  We encourage
you to join in the fun ;-).  Again there is a feed so you can subscribe to
only specific posters' messages if you choose to do so.  The nice option here
is you can link this feed from your own blog/web site or from your message
footer when posting to the list.

What about an archive/site search?  There isn't one at the moment.  This
will be implemented early in the New Year but for now we are counting on
Google.

If you think of other features you would like to see on the site or find
issues with existing functionality then let us know.

Hope you find the new pages useful.

Cheers,

Matty

(General ActiveDir Dogsbody #2)

Site: http://www.activedir.org/

Register: http://www.activedir.org/register.aspx

Posters page: http://www.activedir.org/ma/posters.aspx

Archive page: http://www.activedir.org/ma/default.aspx




RE: cpSPAM [ActiveDir] OT - DEC 2007

2006-11-22 Thread Mark Parris
Apparently "Grillenmeier of HP" will be there! Sounds regal :-)

 

http://www.dec2007.com/workshop.cfm

Mark Parris 

Base IT Ltd 
Active Directory Consultancy

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Evans
Sent: 22 November 2006 16:11
To: ActiveDir@mail.activedir.org
Subject: RE: cpSPAM [ActiveDir] OT - DEC 2007

 

I'll be there.  It would be really helpful if the Gambling lessons were
taken off the home page.  Sends the wrong impression to the suits ;-)

 

Steve Evans

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: cpSPAM [ActiveDir] OT - DEC 2007

Has anyone firmed up on attending or speaking at DEC 2007 yet? 

I'll be there and wondered if anyone had suggested topics for discussion
yet. 

I know the speaker submissions are closed and wondered who will be speaking,
and what they plan to 'present'. 

Will we see a "dean and joe" part 2, for example? 

 

neil 




RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Victor W.
You mean that it is in fact overkill. I have thought about this and I know
that it probably is. 2 Dual Cores will be probably overkill as well. Both
options probably being overkill, with one quad, we at least have the option
to add another one later in case this may be necessary and one quad will be
cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: woensdag 22 november 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core 
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be 
using this machine in a test lab only and will be testing mainly 
Exchange 2007 and simulating AD issues. We would like to deploy ESX 
3.0.1 (or the newest version) with several Exchange 2007 VM's and several 
W2K3 R2 Domain Controller VM's on it.

We are hesitating between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definitely need 
to make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad 
Core, see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345 
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be 
available in January at the latest. 

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the 
fact that if one Quad would not be enough, we could always plug in 
another one :-) at a later time. 

Any suggestions are greatly appreciated.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] mailNickName(OT)

2006-11-22 Thread David Adner
While I firmly agree that guidance should never be blindly followed,
regardless of the source, I'd add that customers who say "Microsoft reviewed
this" or something like that should not necessarily be taken to mean the
design was in any way developed by or recommended by MS (I can't speak for
the OP; I'm just making a general statement.)  I've seen many a customer
fight for a MS stamp of approval on a design that in no way is best
practices but "works" and meets the bare bones supportability requirements.
Also, recommendations to change a design are often met with "but it works
and I don't want to possibly break it just to comply with best practices so
unless you tell me it's completely broken we're not changing it."  But
that's rarely disclosed when problems come up down the road. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

I have to admit some surprise that you have that large of an org and haven't
hit issues in collisions on the name space when using firstname.lastname.
Actually I find it more than surprising, I expect you have some exceptions
or some folks got a display name that isn't something they totally prefer,
like a Ted became a Theodore or something for example...

On the MSFT helped with the design comment... I realize you weren't around
for it but don't confuse "someone from MSFT" helped with the design with
"MSFT" helped with the design. It is something I learned a long time ago to
separate. Not every MSFT resource is as knowledgeable as they should be in
every area they may be called in to work on... i.e. When using say MCS or
PSS to help with things, don't blindly follow, understand what they are
designing or asking you to do. Obviously this isn't strictly limited to
MSFT, this goes for every company that has "experts" that come in and help. 

While you hope you get all of the experience of Microsoft in every Microsoft
employee (or all of the experience of Company X from every Company X
employee) who visits you, the simple and obvious truth of the matter is that
you don't. You get a person with some level X of experience who has some
level X of access to other people. Some of these people will be extremely
experienced in what you are doing (or some aspect of what you are doing),
some will pretend they are. Some will know who to contact to verify
plans/ideas, some won't, some won't even care to because they feel they know
enough themselves. I have met all versions of these. My favorites are those
who are comfortable enough in themselves to actually say "I don't know the
answers to that" or "I am not sure" that is quickly followed by "But I will
find out". Interestingly, the people willing to say I don't know tend to be
the ones that most of the other MSFT folks consider to be some of the
brightest folks working on those things... Imagine that.

At any point if you get the feeling that the person is more of a shyster
than an expert, call them out and ask for them to get someone else on the
phone to talk it out as well. If you are in a 100k+ org, you should have the
weight to even get someone from Redmond on the phone to help answer
questions. Also don't be afraid to just ask here, say someone said X and Y
and we aren't exactly sure if that is accurate... People here will either
say yes, no, it depends, or where &%#$ are your smilies... 

All of that to say, even if someone from MSFT helped with some design of
something, don't rely on that meaning it authoritatively the most optimal
configuration or even how it should be done at all. You are on better ground
if you get an official design review from PSS because then several folks
should be looking at it, but even still... I have seen some funny
recommendations even in those that I have completely ignored. Basically you
need to have some good understanding of what you are doing as well. In a
small company the repercussions and actually the need for special thinking
is greatly reduced, Microsoft Redmond targets those situations. In larger
companies above the 30/50/80/100k user marks, IMO, someone better have a
good understanding of AD unless all of your support is farmed out to another
company and then someone there better have a really good understanding. 



If you want to read on, there is a funny story I have of an MSFT Exchange
Alliance Premier person who had an issue saying I don't know and radically
impacted his image and how the customer viewed him... This just came up in a
chat I had with someone recently so since it is fresh in my head... I was in
a training class several years ago when this Alliance tech ventured onto the
topic of the general ACL model that he thought he understood and I started
questioning him on it because he said something that I knew to be wrong. I
was personally curious how far he would take his incorrect answer so asked a
couple of leading que

RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Victor W.
I believe the amount of L2 cache is 4mb on a Dual Core and 2x4mb on a Quad
Core.

Thanks for pointing me to the benchmark from Dell, I will indeed talk to our
TAM about it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: woensdag 22 november 2006 16:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

We're struggling with the same questions right now - one difference is the
large amount of L2 cache on the Dual-core option for the 2900.  At any
rate...there was an internal benchmark regarding dual vs. quad cores with
ESX 3 recently made available by Dell, but I'm not sure on its availability
-
ask your Dell TAM.

As far as price goes -- today, there's a big price difference between a
single quad or two dual core CPUs, for the ESX licensing.  But there's a
strong rumor that EMC/VMWare will begin charging their licensing per CORE in
Q1 2007.  So that puts you back to square one on your decision, if true.  

But if buying today, the quad will be cheaper on ESX licensing by 50%...


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab
system

I posted this on the VMWARE forum as well but I am very interested in the
opinion of the people who post to this list and there must be some people
with hands on experience with ESX and DC's and Exchange 2007 running on VM's
on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at
2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be using this
machine in a test lab only and will be testing mainly Exchange 2007 and
simulating AD issues. We would like to deploy ESX
3.0.1 (or the newest versionwith several Exchange 2007 VM's and several
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's. 
We will unfortunately only be buying one system so we definately need to
make the right choice. 

As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core,
see here under: 

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140 

Both systems will have 8 GB of 667 MHz RAM to start with. 

We have contacted Dell and we were told that the 5345 Xeon will be available
in January at the latest. 

We dont really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the fact
that if one Quad would not be enough, we could always plug in another one
:-) at a later time. 

Any suggestions are greatly appreciated.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


[ActiveDir] OT-Help with PFINFO fro Exchange 5.5

2006-11-22 Thread John Strongosky
Hi,

Could someone please, please, please help me find the PFINFO.exe tool
for Exchange 5.5. 

I've found the ftp link for it on the Google group's message board but when
I try it, it says I don't have permissions. I also don't have access to the
Resource Kit for Win2k.

Reasons that someone out there should help me...

1.  I've asked nice...see my mom did raise me to be polite...
2.  You'll save the remaining hair I have on my head.
3.  Keep me from cursing
4.  I won't have to drink some Pepto-Bismol for my ulcer
5.  My wife will appreciate it, as it gives me gas when I drink
Pepto-Bismol.
6.  I'll be a hero to my co-workers, since we won't have to go thru all
our PF to look for Zombie users by hand
7.  It's the season

john



RE: [ActiveDir] OT-Help with PFINFO fro Exchange 5.5

2006-11-22 Thread Mark Parris
http://msexchangeteam.com/archive/2004/11/05/252979.aspx

Try this, it works for me and I downloaded it.

Mark Parris 

Base IT Ltd 
Active Directory Consultancy 
+44 (0)7801 690596 



RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Guy Teverovsky

Using "runas /user: something" after establishing a VPN session 
should do the trick.

Guy


From: [EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 22, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Updating cached credentials

Thanks Al. We typically change passwords via a web app (Psynch) rather than at 
the workstation. One of our desktop techs thought that changing your password 
via the three-finger salute would cause the credentials to be updated, but in 
this case it didn't seem to work. We'll try the workstation lock and see if 
that works.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials

As I understand it, the Nortel VPN client is a shim that works at layer 3 and 
does not take effect until after the user session has begun.  This prevents 
much of the normal node processing you'd like to see happen such as control of 
the Windows firewall, caching of group membership and so on.

Since most companies require a password change on a regular basis for user 
accounts, I'm kind of surprised that you see this behavior. The way to change 
the user credentials on a Nortel client is to have the user use the three 
finger salute (ctrl+alt+del sequence) to lock the workstation after the VPN is 
established.  When the user logs back on this *is expected* to re-cache the 
credentials.  This should be a familiar sequence of events for the users every 
password change.

Has this not addressed the problem for you to date?

On 11/22/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?



Re: [ActiveDir] mailNickName(OT)

2006-11-22 Thread Al Mulnick

I think I see the reason that it hasn't been as big a problem as it could
be. The id is not yet everywhere.  You will run into those collisions.
Statistically (note, I'm not a statistician, but I sometimes play one on the
internet) your numbers are just too large not to.  When you hook in MIIS,
you'll start to see a lot of john smith's and you'll have to map them and
come up with rules to automatically resolve those if possible.  I dunno
though, you may be an organization that enjoys manual processes.

Even for first.lastname for smtp addresses I'm reasonably sure there's
either a really strong nepotism policy in your organization or you've got
some *process* that allows for making those unique.  I've worked in much
smaller shops that had such policies (sadly, no strong nepotism rule, but
that's another story altogether.)

I second what joe says about not taking their word for anything.  I'll go so
far as to qualify that and say that the best answer you should get from a
consultant or on-site resource is "it depends." What that really means is
that depending on the information available, your current best practice as
it was intended is to do x.  I can't begin to tell you how many things that
started from the product teams as "the product only does this" later ends up
to be, " for the love of  don't do
this!!!"  Think clustering and you'll know what I'm talking about.

Every bit of it depends.  But Microsoft developers need more parameters than
"it depends" so they come up with scenarios.  And they narrow those down out
of necessity.  If you fit in that scenario, your stuff is a tested
scenario.  If not, it's something they may have thought of but didn't think
enough customers would use and so didn't spend time testing thoroughly - aka
if it works, it was meant to do that. If it does not, what the ^%$# were you
thinking? Don't you read that (often non-existent) documentation that
explicitly says not to do that? Or didn't you know that it wouldn't work
like that? I mean, it's common sense right?

Anyhow, I always remember two things about consultants - without common
understanding, there can be no common sense (I ripped that off in case you
wonder) and everything should be explicitly written down.  When in doubt ask
for the project notes and verify that the information you're working off of
is explicitly stated and see if you can find out why. I can tell you if it's
a Microsoft employee, you should have no issue asking that person directly
to see if they can remember what the thinking was behind that and if that's
still considered a best practice in light of what you want to do.  It's
entirely possible that the way the question was asked, the answer makes
perfect sense (within that context anyway).  It's more probable the question
wasn't asked because nobody thought it was important to ask at the time.
Exchange folks rarely care about such things unless they also happen to be
deep in Directory Services - rare animal that can do that and carry on a
conversation with a non-geek ;)

Out of curiosity, what made you ask in the first place?



On 11/22/06, Tom Kern <[EMAIL PROTECTED]> wrote:


The place I'm currently at is a large 110,000 + user bank.
They use the hr employee id# for sAMAccountName and upn and in turn the
dn.
They use firstname.lastname for smtp and mailNickName and
consequently legacyExchangeDN.
Why, I have no idea.

They had a lot of input from MS in setting up their forest/exchange
ORG, so I'm not sure why it is this way.

For some background, they use lotus as well as exchange and use a dirX
ldap server for common address book and sendmail address rewrite.
For the HR db, they use peoplesoft which they are going to sync up
with AD with MIIS soon.
I'm not sure what all this has to do with mailNickName format, but it
may provide some background or potential trouble in the future.
Thanks for all your input.


On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> Other than being used for access by other protocols such as pop, imap, and
> owa, last I checked it's also the value used for the x.400 like address
> which is used for mail delivery internally by Exchange.  You wouldn't want
> that to be non-unique else you might have to call somebody like joe to come
> in and help clean up :)
>
> I'm surprised that this company you're at has not gone to unique values for
> this.  I'm equally surprised they don't have other issues with their
> Exchange deployment, but it's possible you haven't gotten far enough into it
> yet to notice some of them.
>
> I've blogged about my thoughts regarding what should be globally unique in
> an AD/Exchange environment.  It's a long enough blog it may even be a good
> candidate for an essay or possibly a sleep aid.
>
> If you want the details, have a read.  The short answer is that you want
> every user to be unique and to have a consistent and trouble-free
> experience.  That keeps you from being up late at night with international
> customers first and your local i
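
The collision problem Al and joe raise above (firstname.lastname as mailNickName in a 110,000-user org, and the "rules to automatically resolve those" an MIIS sync will need) can be made concrete. The following is an added example, not code from the thread or from any of its posters: it derives a first.last local part from constructed HR records, resolves duplicates case-insensitively with a numeric suffix, and audits a constructed directory dump for mailNickName values that are already non-unique. The ASCII-folding rule and the suffix scheme are assumptions, one reasonable policy rather than the bank's.

```python
# Added example, not code from the thread or from any of the posters: derive
# firstname.lastname mailNickName / SMTP local parts for a batch of HR records,
# resolve the collisions joe and Al describe, and audit an existing directory
# dump for non-unique mailNickName values.  All input records are constructed.
import re
import unicodedata


def local_part(first: str, last: str) -> str:
    """Build 'first.last' from a name, folded to the ASCII subset that is safe
    in an SMTP local part: strip accents, drop apostrophes/spaces/hyphens,
    lowercase.  This folding rule is an assumption, not the bank's policy."""
    def fold(s: str) -> str:
        ascii_only = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z0-9]", "", ascii_only.lower())
    return f"{fold(first)}.{fold(last)}"


def assign_nicknames(records, existing=()):
    """records: iterable of (employee_id, first, last); existing: nicknames
    already in the directory.  Returns (id -> nickname, list of collisions).
    Comparison is case-insensitive, since AD/Exchange do not distinguish
    John.Smith from john.smith.  A colliding name gets a numeric suffix,
    the kind of 'exception' joe expects to find in an org this size."""
    taken = {e.lower() for e in existing}
    assigned = {}
    collisions = []
    for emp_id, first, last in records:
        base = local_part(first, last)
        candidate, n = base, 1
        while candidate in taken:
            n += 1
            candidate = f"{base}{n}"
        if candidate != base:
            collisions.append((emp_id, base, candidate))
        taken.add(candidate)
        assigned[emp_id] = candidate
    return assigned, collisions


def find_duplicate_nicknames(directory):
    """directory: iterable of (sAMAccountName, mailNickName) as dumped from AD.
    Returns {lowercased nickname: [accounts]} for every value used more than
    once; this is the check to run before an MIIS sync starts mapping people."""
    seen = {}
    for account, nick in directory:
        seen.setdefault(nick.lower(), []).append(account)
    return {nick: accts for nick, accts in seen.items() if len(accts) > 1}


if __name__ == "__main__":
    hr_records = [  # constructed sample HR feed: employee id doubles as sAMAccountName
        ("100001", "John", "Smith"),
        ("100002", "John", "Smith"),
        ("100003", "Zoë", "O'Brien"),
        ("100004", "john", "SMITH"),
    ]
    assigned, collisions = assign_nicknames(hr_records, existing=["jane.doe"])
    for emp_id, nick in assigned.items():
        print(emp_id, nick)
    for emp_id, wanted, got in collisions:
        print(f"collision: {emp_id} wanted {wanted}, assigned {got}")
    dump = [("100001", "John.Smith"), ("100002", "john.smith"), ("100005", "jane.doe")]
    print(find_duplicate_nicknames(dump))
```

Run against a real `sAMAccountName`/`mailNickName` export, `find_duplicate_nicknames` is the audit Al's "you wouldn't want that to be non-unique" calls for; `assign_nicknames` is the provisioning rule that keeps new records from adding to the list.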

Re: [ActiveDir] Updating cached credentials

2006-11-22 Thread [EMAIL PROTECTED]

Hi Ken,

P-Synch includes an Active-X component that automates, from the web
password change session, what the good folks on this list describe.

Basically, since Microsoft does not expose an API to update the local
password cache, the way to force it to update is to do an authentication
with the new password.  You can do that with the ActiveX component right
from the P-Synch UI.

Please call our support number - whoever answers will show you how to get
it going.  If you have any trouble, just ping me.

Cheers!

-- Idan

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com






[ActiveDir] Windows 2000 Admin Password

2006-11-22 Thread Haritwal, Dhiraj
I forgot the password of one of my windows 2000 server. Is there any way
to reset/remove the administrator password?

Dhiraj Haritwal

 

 





Re: [ActiveDir] Windows 2000 Admin Password

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2005-36,GGLG:en&q=reset+administrator+password

Start with Google.

Law 3 of computer security.. if you have physical access... it's YOURS 
to own.




[ActiveDir] OT: Quickbooks really and truly will run without Admin rights

2006-11-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]


http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCONTENT&q=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted+-+Standard+User&p=SG_QuickBooksPremier2007


KnowledgeBase Support

Title: QuickBooks 2007 will not run if the Windows user is a Restricted - 
Standard User

KB ID#: 1000152

Overview:

The information below is in regards to QuickBooks 2007 not running with 
Windows users who have been granted with restricted - standard user 
permissions:


When starting QuickBooks, it flashes and goes away. It sometimes shows 
the following error message and then goes away.


  LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 
LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open 
applications and restart QuickBooks. If the problem persists, insert the 
QuickBooks CD into your computer and then reinstall the software. If you 
encounter the problem again, contact Technical Support.


QuickBooks runs normally if the Windows user is an administrator.

The folder permissions may have been changed by the domain policy so 
that QuickBooks cannot access some of the required folders under 
C:\Documents and Settings\All Users.


Make sure that the following folders have Full Control for Everyone:

  * C:\Documents and Settings\All Users\Application 
Data\Intuit\Entitlement Client\v3
  * C:\Documents and Settings\All Users\Application 
Data\Intuit\Entitlement Client
  * C:\Documents and Settings\All Users\Application 
Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and 
Settings\All Users\Application Data\Intuit\Quickbooks 2007)
  * C:\Documents and Settings\All Users\Application Data\Common 
Files\Intuit

  * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
  * C:\Documents and Settings\All 
Users\Documents\Intuit\QuickBooks\Company Files

  * C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
  * C:\Documents and Settings\All 
Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks 
Enterprise Solutions 7.0


Please follow the steps below to change folder permissions:

 1. Right-click on the Start button and select Explore.
 2. Navigate to each first folder on the list above.
 3. Right click on the folder and select Properties.
 4. Click on the Security tab.
 5. Select Everyone in "Group or user names."

Note: If Everyone is not listed in that window, click on Add, then type 
in Everyone in the "Enter the object names to select" and click OK. If 
the Multiple Names Found box pops up, select Everyone and click OK.


 6. Add a checkmark to the Full Control checkbox and click OK.
 7. Repeat steps 1-6 for each folder on the list above.
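
The KB's fix grants Everyone Full Control on folders under All Users, which is broader than a standard user needs: Full Control also lets any user change the permissions on, or take ownership of, the licence and company-file folders. The script below is an added example, not from Intuit's KB or from the poster: it audits the folders the KB lists for that ACE and, as a least-privilege alternative, grants Modify to the local Users group instead. It assumes the XP/2003 profile paths exactly as the KB lists them, English group names, and an account allowed to change the ACLs; whether QuickBooks 2007 starts for a standard user with Modify rather than Full Control is something to confirm on one workstation before rolling it out.

```powershell
# Added example (not from the Intuit KB or the poster): audit the folders the
# KB lists for the "Everyone: Full Control" ACE it asks for, and apply the
# narrower "BUILTIN\Users: Modify" ACE instead.  Modify lets a restricted user
# read, write, create and delete files there but not change permissions or
# take ownership, which Full Control would additionally hand out.
# Assumptions: XP/2003 profile layout exactly as the KB lists it; English
# group names; run from an account that can change these ACLs.

$QuickBooksFolders = @(
    'C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3',
    'C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client',
    'C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks 2007',
    'C:\Documents and Settings\All Users\Application Data\Common Files\Intuit',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files',
    'C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06'
)

function Test-EveryoneFullControl {
    # Emit one object per folder that carries an Allow ACE granting Everyone
    # Full Control (the weak setting), so the result can be reviewed first.
    param([string[]]$Path)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'Everyone' -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $full) -eq $full)) {
                New-Object PSObject -Property @{ Folder = $p; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Set-UsersModify {
    # Remove explicit Everyone Allow ACEs and add Modify for BUILTIN\Users,
    # inherited by subfolders and files.  Inherited Everyone ACEs cannot be
    # removed here; they come from the parent folder and must be fixed there.
    param([string[]]$Path)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Missing folder: $p"; continue }
        $acl = Get-Acl -Path $p
        foreach ($ace in @($acl.Access)) {
            if (-not $ace.IsInherited -and $ace.IdentityReference.Value -eq 'Everyone') {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        $acl.AddAccessRule($rule)
        Set-Acl -Path $p -AclObject $acl
        Write-Output "Applied BUILTIN\Users:Modify to $p"
    }
}

# Audit first; uncomment the second line only after reviewing the audit output.
Test-EveryoneFullControl -Path $QuickBooksFolders | Format-Table -AutoSize
# Set-UsersModify -Path $QuickBooksFolders
```

If the audit shows `Inherited = True` for a folder, the Everyone ACE was set on a parent (typically All Users itself or Application Data), and that is where the change has to be made; `Set-UsersModify` deliberately touches only explicit ACEs so it does not silently fail on inherited ones.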



