[ActiveDir] Missing Computer Account
I shot myself in the foot and as a result need a little help. I have a Win2003 Domain. I was setting up a new PC for a user and I thought I had inadvertently given it the same computer name as the user's existing computer. I found it strange that it allowed me to do that, but I changed the name of the computer and all seemed well. That is, until the user logged off of his computer. What actually happened was I named it properly to begin with, then when I renamed it I gave it the same name. DOH!

Now I cannot get the user's computer to log back into the domain. I have removed the new PC from the domain, and have renamed the user PC a couple of times, but when logging on I get "Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found." The computer account does appear in AD and the PC does have connectivity and is able to see the domain controller. Can anyone provide instructions on how to get around this and get the computer back in the domain?

Thanks
Todd

This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.
RE: [ActiveDir] Missing Computer Account
Use the Network Identification Wizard and tell it to use the current account in the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Friday, November 24, 2006 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account

This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp
RE: [ActiveDir] Missing Computer Account
Drop it into a workgroup, then try to add it to the domain again. I'd also just delete the computer account for good measure.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: 24 November 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account
[ActiveDir] Granting rights to 'Manage GPOs'
I am attempting to assign rights to a service account [sys-zzz], used by a Group Policy Management tool (3rd party), so that the service account has the necessary rights to 'manage' all GPOs in the domain. Aside from app-specific rights, I have assigned the following rights using GPMC scripts [scripts shown below]:

1. Create/edit GPO links at the root of the domain and all child containers:
   cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf xxx\sys-zzz /Domain:xxx.yyy

3. Edit, delete and modify security rights on all existing GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy

To cut a long story short, step 2 does not appear to grant the required 'create' right [the GP management tool complains of an access denied issue]. However, if I manually (using GPMC) add the service account to the list of objects permitted to create GPOs in the domain [instead of using the script in step 2], then the GP Management app functions fine. Has anyone encountered a similar issue? Are there newer versions of the GPMC scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the same scripts above but against a different domain (same service account), the 3rd party app functions fine in that other domain :/

Any comments?

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it.
Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
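The three rights that neil's scripts are meant to set live in different places in the directory, so each one needs its own check: the right to create GPOs is a CreateChild ACE on CN=Policies,CN=System in the domain (the container the GPMC "Group Policy Objects" delegation tab edits), link rights are write access to the gPLink and gPOptions attributes on the domain or OU, and edit rights are ACEs on each individual GPO. The script below is an added example, not part of the thread and not one of GPMC's .wsf scripts; it reads all three back for the service account using the RSAT ActiveDirectory and GroupPolicy modules, which did not exist in the GPMC-with-SP1 era. The domain xxx.yyy and account xxx\sys-zzz are the placeholders from the post.

```powershell
# Added example (not from the thread or from GPMC): read back the GPO-management
# rights of a service account. Requires RSAT: ActiveDirectory + GroupPolicy modules.
# Placeholders from the post: domain xxx.yyy, service account xxx\sys-zzz.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = 'xxx.yyy'
$Account    = 'xxx\sys-zzz'                 # NT-style name as it appears in an ACL
$TargetName = ($Account -split '\\')[-1]    # sAMAccountName, for Get-GPPermission

$dom        = Get-ADDomain -Server $Domain
$policiesDn = "CN=Policies,CN=System,$($dom.DistinguishedName)"

# A provider drive bound to the target domain, so Get-Acl works even if $Domain is not the logon domain.
New-PSDrive -Name ADX -PSProvider ActiveDirectory -Server $Domain -Root '' -Scope Script | Out-Null

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE -Server $Domain).schemaNamingContext
    $obj = Get-ADObject -Server $Domain -SearchBase $schemaNc `
               -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid][byte[]]$obj.schemaIDGUID
}
$gpcClass  = Get-SchemaGuid 'groupPolicyContainer'
$gpLink    = Get-SchemaGuid 'gPLink'
$gpOptions = Get-SchemaGuid 'gPOptions'

# Allow ACEs on $Dn granted to $Account.
function Get-AccountAces([string]$Dn) {
    (Get-Acl -Path "ADX:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account
    }
}

# 1. Link rights at the domain root (SetSOMPermissions.wsf /Permission:linkgpos):
#    WriteProperty, either unscoped or scoped to gPLink and gPOptions.
$rootAces = Get-AccountAces $dom.DistinguishedName
$linkChecks = @($gpLink, $gpOptions) | ForEach-Object {
    $attr = $_
    [bool]($rootAces | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attr)
    })
}
"Link GPOs at domain root: $(if ($linkChecks -notcontains $false) { 'OK' } else { 'MISSING' })"

# 2. Create rights (SetGPOCreationPermissions.wsf): CreateChild on the Policies container,
#    unscoped or scoped to the groupPolicyContainer class.
$createOk = [bool](Get-AccountAces $policiesDn | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcClass)
})
"Create GPOs in ${Domain}: $(if ($createOk) { 'OK' } else { 'MISSING' })"

# 3. Edit/delete/modify-security on every existing GPO (GrantPermissionOnAllGPOs.wsf /Permission:fulledit).
$allGpos = @(Get-GPO -All -Domain $Domain)
$short = $allGpos | ForEach-Object {
    $p = Get-GPPermission -Guid $_.Id -Domain $Domain -TargetName $TargetName -TargetType User -ErrorAction SilentlyContinue
    $level = if ($p) { $p.Permission } else { 'none' }
    if ($level -ne 'GpoEditDeleteModifySecurity') {
        [pscustomobject]@{ GPO = $_.DisplayName; Id = $_.Id; Permission = $level }
    }
}
if ($short) { "GPOs without full edit for ${Account}:"; $short | Format-Table -AutoSize }
else        { "Full edit on all $($allGpos.Count) GPOs: OK" }
```

Run it as an account that can read the ACLs of the domain root, the Policies container and every GPO. Each of the three lines it prints corresponds to one of the three scripts in the post, so a MISSING on the create line while the other two read OK isolates the problem to the Policies container ACL rather than to the GPOs themselves.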
RE: [ActiveDir] Missing Computer Account
Did you try deleting the computer account in AD?

-----Original Message-----
From: Todd Hofert [mailto:[EMAIL PROTECTED]
Sent: Fri Nov 24 08:38:20 2006
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Public Folder Appointment Owner
Try putting the calendar in Category view, then bringing in the From field.

----- Original Message -----
From: Dan DeStefano
To: ActiveDir@mail.activedir.org
Sent: Wednesday, November 22, 2006 8:16 AM
Subject: [ActiveDir] Public Folder Appointment Owner

I would like to know how to find out who created a meeting using a calendar in a public folder. Right now, if I open an appointment that someone else created and go into the “Scheduling” tab, it shows me as the owner. If I then open the appointment logged on as another user, it shows that user as the owner. Is this a configuration issue or is it just the way it works?

Thanks,
Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
Re: [ActiveDir] Scaling up with AD or ADAM?
I personally don't have any experience with ADAM at big scale, but I've heard of some really large deployments. Eric might be able to share some stories. I wouldn't be concerned about the underlying technology, as it is all based on the AD core and is quite solid and mature.

I have no experience on IBM TAM, but I'd hope it can integrate with normal LDAP stores. As such, I think it should work. There probably won't be any support in the product for ADAM/AD features like fast concurrent binding that might help improve your auth performance, but that might not be a huge deal. I don't think ADFS uses that either. :)

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

Thanks, Joe. I'll look up Eric's blog for metrics and such ASAP. :-)

I was thinking ADAM was the likely choice - just wasn't sure how much production experience folks had with it (it's still new-ish), or quite how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely came to mind. This customer has some IBM TAM kicking around, so that's another choice. Later, in either case. Migrating users from the live directory to the archival is no big deal -- the reason we're engaged is to put our provisioning and password management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO) with ADAM? Any pointers or horror stories we should know about?

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

Visit M-Tech at the Gartner Identity and Access Management Summit: http://www.gartner.com/2_events/conferences/iam1_section.jsp November 29 -- December 1; Las Vegas; Booth D.
Visit M-Tech at the FinSec trade show: http://www.misti.com/default.asp?Page=65Return=70ProductID=5305 December 4 -- 5; New York

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

On Thu, 23 Nov 2006, Joe Kaplan wrote:

That's a classic scenario for ADAM. I wouldn't use AD for that as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to use AD.

I'm not sure how you would achieve the goal of the archival users in a separate directory as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure.

I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store, and having federation capability gives you an easy way to link in identities from within the enterprise and also to directly use the identities of your business partners without having to maintain them in your own store. The identity lifecycle management costs of 2M+ users are not insignificant, and users would generally rather not have to get a new account in your system to use it if they can avoid it. Just a thought... :)

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?

Hi guys,

We're helping a customer design a large new directory, to use with an Extranet environment. We see this thing scaling up to about 2 million active users, and up to about 10 million archival users (who no longer log in, but for various business reasons need to be kept around). The active users are likely to log in every few days, and will be distributed around the globe. Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale? We're
RE: [ActiveDir] Missing Computer Account
I have deleted the account and I have tried adding it to a workgroup, then renaming and adding it back to AD. It still will not allow log in.

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, November 24, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing Computer Account

Did you try deleting the computer account in AD?

-----Original Message-----
From: Todd Hofert [mailto:[EMAIL PROTECTED]
Sent: Fri Nov 24 08:38:20 2006
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account
RE: [ActiveDir] Missing Computer Account
Network Identification Wizard did the trick. Thank you.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francois Klopper (Ret)
Sent: Friday, November 24, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing Computer Account

Use the Network Identification Wizard and tell it to use the current account in the domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: Friday, November 24, 2006 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account
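Todd's symptom (the computer object is visible in AD, yet the workstation reports that its account cannot be found) is the classic sign of a broken secure channel: the machine password held in the workstation's LSA secret no longer matches the one on the computer object, so the workstation cannot authenticate as itself. The wizard's "use an existing account in the domain" option re-establishes that trust in place. The script below is an added example, not from the thread, and shows the same diagnosis and repair with the cmdlets that later Windows versions ship (Get-CimInstance, a plain ADSI search, and Test-ComputerSecureChannel with its -Repair switch); on a 2003-era client you would use the wizard as Todd did. It assumes domain xxx.yyy as a placeholder, a credential permitted to reset this computer's password, and an elevated PowerShell on the affected workstation while it can reach a domain controller.

```powershell
# Added example (not from the thread): check the workstation's own identity against
# its computer account, then repair the secure channel in place instead of
# deleting and re-joining. Run elevated on the affected workstation.
# Placeholder domain: xxx.yyy
$Domain = 'xxx.yyy'

# 1. What the workstation believes it is called and which domain it is joined to.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Local name: $($cs.Name)   Domain: $($cs.Domain)   PartOfDomain: $($cs.PartOfDomain)"
if (-not $cs.PartOfDomain) { throw 'This machine is in a workgroup; join it to the domain first.' }

# 2. Does a computer object with that sAMAccountName exist? (plain ADSI; no RSAT needed on a client)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($cs.Name)`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet', 'userAccountControl'))
$hit = $searcher.FindOne()
if ($null -eq $hit) {
    "No computer object named $($cs.Name)`$ in $Domain; the account really is missing."
} else {
    $dn       = $hit.Properties['distinguishedname'][0]
    $pwdSet   = [datetime]::FromFileTime([int64]$hit.Properties['pwdlastset'][0])
    $disabled = ([int]$hit.Properties['useraccountcontrol'][0] -band 0x2) -ne 0
    "Account: $dn"
    "Machine password last set: $pwdSet   Disabled: $disabled"
}

# 3. Secure-channel test. On failure, -Repair resets the machine password on both the
#    workstation and the computer object, which is what the wizard's 'existing account' path does.
#    The credential must be allowed to reset this computer's password (e.g. a domain admin).
if (Test-ComputerSecureChannel) {
    "Secure channel to $Domain is healthy."
} else {
    $cred = Get-Credential -Message "Account allowed to reset the computer account in $Domain"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        'Secure channel repaired; log off and on again.'
    } else {
        'Repair failed; check that the computer object is enabled and that the local name matches it.'
    }
}
```

The value of the check in step 2 is that it distinguishes the two causes bundled into one error message: a genuinely absent (or disabled) computer object, which needs a re-join, from a present object whose password simply no longer matches, which -Repair fixes without touching the object's SID, group memberships or GPO links.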
Re: [ActiveDir] mailNickName(OT)
Size doesn't seem to matter when it comes to support :)

I'm with Brian on this: can you rehash the problem and post it again? Can you include a reason the RUS isn't used to create a [EMAIL PROTECTED] address for the users? Can you also include what process they use to resolve collisions now in the sendmail and dirsync processes? That may be a deciding point for you regarding your recommendations back to your team. It's entirely possible that the dirsync process has some logic in it to prevent and resolve dups, which may be why the process you describe is in use.

Al

On 11/23/06, Tom Kern [EMAIL PROTECTED] wrote:

I ask because the reason mailNickName is in firstname.lastname format is due to a dirsync process that runs once a day and reads that attribute to do an address rewrite. When a mailbox-enabled user is created, the RUS stamps it with an [EMAIL PROTECTED]. Later, the dirsync process adds [EMAIL PROTECTED], so when mail goes out, sendmail rewrites the RHS portion of the SMTP address. If mailNickName is sAMAccountName, it doesn't work.

Sometimes during the provisioning process, the LAN access guys forget to set this attribute to that value, so the Exchange team was looking for a way to automatically generate the value in the correct format, kinda like displayName.

I just started here about 2 months ago, so I'm not completely sure how the process works and I'm trying not to annoy everyone with too many questions. This is the first truly large corp I've ever worked for. Before, I was the AD/Exchange guy for a 3500-user financial firm. Now I'm on an 8-member Exchange team for a 110,000-user bank that you've all heard of, and I guess I'm trying to wrap my head around how an org this size works... I'm actually kinda surprised no one on the Exchange team knows how to script or is very knowledgeable about AD. Then again, the AD team doesn't seem that knowledgeable about AD. They just migrated from EX 5.5 to EX2K3 when I started, so I guess they are trying to get up to speed with Exchange. I only made the MS comment because a corp this large seems to have a lot of resources at MS and I saw that someone from MS did their EX2K3 design doc. I'm not under the illusion that just because someone is from MS that they know what they are doing, but I guess I have illusions about companies this size and that they would somehow get better support from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

I think I see the reason that it hasn't been as big a problem as it could be. The id is not yet everywhere. You will run into those collisions. Statistically (note, I'm not a statistician, but I sometimes play one on the internet) your numbers are just too large not to. When you hook in MIIS, you'll start to see a lot of John Smiths and you'll have to map them and come up with rules to automatically resolve those if possible. I dunno though, you may be an organization that enjoys manual processes.

Even for first.lastname for SMTP addresses, I'm reasonably sure there's either a really strong nepotism policy in your organization or you've got some *process* that allows for making those unique. I've worked in much smaller shops that had such policies (sadly, no strong nepotism rule, but that's another story altogether.)

I second what joe says about not taking their word for anything. I'll go so far as to qualify that and say that the best answer you should get from a consultant or on-site resource is "it depends." What that really means is that depending on the information available, your current best practice as it was intended is to do x. I can't begin to tell you how many things that started from the product teams as "the product only does this" later end up being "for the love of (insert your favorite deity here) don't do this!!!" Think clustering and you'll know what I'm talking about.

Every bit of it depends. But Microsoft developers need more parameters than "it depends", so they come up with scenarios. And they narrow those down out of necessity. If you fit in that scenario, your stuff is a tested scenario. If not, it's something they may have thought of but didn't think enough customers would use and so didn't spend time testing thoroughly - aka if it works, it was meant to do that. If it does not, what the ^%$# were you thinking? Don't you read that (often non-existent) documentation that explicitly says not to do that? Or didn't you know that it wouldn't work like that? I mean, it's common sense, right?

Anyhow, I always remember two things about consultants - without common understanding, there can be no common sense (I ripped that off in case you wonder) and everything should be explicitly written down. When in doubt, ask for the project notes and verify that the information you're working off of is explicitly stated and see if you can find out why. I can tell you if it's a Microsoft employee, you should have
Re: [ActiveDir] Granting rights to 'Manage GPOs'
Neil, this would seem to indicate that something else is going on:

"Just to add to the strangeness of this issue, if I execute the same scripts above but against a different domain (same service account) the 3rd party app functions fine in that other domain :/"

What is the domain it works against? A test domain? Something more out of the box than the domain you're running against?

On 11/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Re: [ActiveDir] mailNickName(OT)
Could I bother you for a link to your blog? Searching on 'al mulnick blog mailnickname' (and various combinations thereof) got me all kinds of stuff, none of which seemed to be what you're referring to. C'mon, Al, you gotta get over this shyness...

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Wednesday, November 22, 2006 8:41 AM
Subject: Re: [ActiveDir] mailNickName(OT)

Other than being used for access by other protocols such as POP, IMAP, and OWA, last I checked it's also the value used for the X.400-like address which is used for mail delivery internally by Exchange. You wouldn't want that to be non-unique, else you might have to call somebody like joe to come in and help clean up :)

I'm surprised that this company you're at has not gone to unique values for this. I'm equally surprised they don't have other issues with their Exchange deployment, but it's possible you haven't gotten far enough into it yet to notice some of them.

I've blogged about my thoughts regarding what should be globally unique in an AD/Exchange environment. It's a long enough blog it may even be a good candidate for an essay or possibly a sleep aid. If you want the details, have a read. The short answer is that you want every user to be unique and to have a consistent and trouble-free experience. That keeps you from being up late at night with international customers first and your local in-country customers the next day. Mailnickname is one of the attributes that should be unique, same as samaccountname and smtp address (some are enforced per forest, some per domain, but all should be enforced regardless in my opinion). Since they can often feed on one another, I maintain that samaccountname should be the user's foundational, non-changing, never touched as long as that person is a member of the company in good standing, network id. Exchange relies on Active Directory and as such you're better off following the same rules.

Al

On 11/22/06, joe [EMAIL PROTECTED] wrote:

The mailnickname isn't populated in a similar way to display name. The common ways for mailnickname generation and its population are through the RUS, by CDOEXM, or by the special ADUC extension (and no, ADUC doesn't use CDOEXM). This is unlike displayname, which has ADUC as its common way to be populated. Certainly they could have done something like that, but they didn't.

Changing the format is ok; most companies don't do it but some do. But if there is going to be a change, change to something that is guaranteed to be unique in your organization. Display names are very often not unique; definitely not unique at scale, which is why Al said "it don't scale". Go to any larger company in the US and type in Smith, Jones, Brown, or Johnson in the GAL and you will likely see multiple Alan's, Andrew's, Amy's, Bob's, Carol's, Fred's, John's, Steve's, etc... If you are multi-national, try Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg, Schulz, or Schmidt.

The attribute is used quite a bit in Exchange. Where all it is used I will let some Exchange person respond if they want, but look quickly at a mailbox-enabled user and check how many times you see the value. Note that none of the other attributes that use mailNickname in their initial generation will change if you change mailnickname; you absolutely wouldn't want that, or else it would break certain types of delivery for that user.

I have seen some nasty issues in larger orgs that resulted in mailNicknames not being unique. The problems can be solved by mechanisms other than unique mailNicknames, but unique mailNicknames is by far the easiest way to handle it. I have a tool that reports bad Exchange attribute settings in an Org, and duplicate mailNickname is one of them that I flag as fairly high priority due to my experiences.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, November 21, 2006 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

Well, the company I currently work for sets the mailNickName of all users to firstname.lastname. I didn't know there was any issue with changing the format of that attribute. We have around 110,000 users mixed between Exchange and Lotus Domino and this is the format they have been using (why, I'm not sure, I just started here). I thought there could be a way to change the default format of the mailNickName attribute the same way you could change the format of the displayname. What issues can arise by changing the mailNickname format? I mean, what is this attribute used for
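joe's tool that flags duplicate mailNicknames is not on the page, but the check it performs is straightforward to reproduce. The script below is an added example (not joe's tool and not code from the thread): using the RSAT ActiveDirectory module it searches a global catalog so that collisions across the domains of a forest are caught, lists every mailNickname, sAMAccountName and SMTP proxy address held by more than one mail-enabled object, and, for the firstname.lastname convention Tom's dirsync process depends on, lists users whose mailNickname is not givenName.sn, which is the provisioning gap Tom describes the LAN-access team leaving. The global catalog host is resolved at run time; the convention check assumes givenName and sn hold exactly the values the dirsync rewrite expects.

```powershell
# Added example (not from the thread, not joe's tool): report non-unique mailNickname,
# sAMAccountName and SMTP address values, plus mailNicknames that do not follow the
# firstname.lastname convention Tom described. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Search a global catalog (port 3268) so duplicates in other domains of the forest are found too.
# An empty SearchBase against a GC searches the whole forest.
$gc = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1) + ':3268'

# Every mail-enabled object: users, contacts and groups that carry a mailNickname.
$objects = Get-ADObject -Server $gc -SearchBase '' -SearchScope Subtree `
    -LDAPFilter '(&(mailNickname=*)(|(objectClass=user)(objectClass=contact)(objectClass=group)))' `
    -Properties mailNickname, sAMAccountName, proxyAddresses, givenName, sn, mail

function Find-Duplicates([object[]]$Items, [string]$Label, [scriptblock]$KeySelector) {
    # Group on a case-insensitive key and keep only keys held by more than one object.
    $Items | ForEach-Object {
        $item = $_
        foreach ($k in (& $KeySelector $item)) {
            if ($k) { [pscustomobject]@{ Key = $k.ToLowerInvariant(); DN = $item.DistinguishedName } }
        }
    } | Group-Object -Property Key | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Attribute = $Label; Value = $_.Name; Count = $_.Count; Objects = ($_.Group.DN -join '; ') }
    }
}

$dups = @(
    Find-Duplicates $objects 'mailNickname'   { param($o) $o.mailNickname }
    Find-Duplicates $objects 'sAMAccountName' { param($o) $o.sAMAccountName }
    # proxyAddresses: smtp:/SMTP: entries only (-like is case-insensitive); the part after
    # the colon must be unique across the whole Exchange org.
    Find-Duplicates $objects 'smtpAddress'    { param($o) $o.proxyAddresses |
        Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.Substring(5) } }
)
if ($dups) { 'Duplicate values:'; $dups | Sort-Object Attribute, Value | Format-Table -AutoSize }
else       { 'No duplicate mailNickname, sAMAccountName or SMTP address values found.' }

# Convention check: users whose mailNickname is not givenName.sn (the dirsync rewrite relies on it).
$offConvention = $objects |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.givenName -and $_.sn } |
    ForEach-Object {
        $expected = "$($_.givenName).$($_.sn)"
        if ($_.mailNickname -ne $expected) {
            [pscustomobject]@{ DN = $_.DistinguishedName; mailNickname = $_.mailNickname; Expected = $expected }
        }
    }
if ($offConvention) { 'mailNickname not in firstname.lastname form:'; $offConvention | Format-Table -AutoSize }
else                { 'All users follow the firstname.lastname mailNickname convention.' }
```

Running this on a schedule, and treating a non-empty duplicate list as a high-priority finding the way joe does, turns Al's "every user should be unique" rule into something that is actually enforced rather than assumed, and the convention report catches the missed attribute before the nightly dirsync silently produces an address that does not route.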