RE: [ActiveDir] FRS and DNS problem

2006-12-16 Thread Craig A. Bumpstead
Hi,

Thank you for your suggestions, unfortunately I was unable to resolve my
problem.

I had already used the ntdsutil to transfer the roles. I have noticed
that the share for SYSVOL is not there.
How do I resolve that?
Perhaps that is the key?

Regards


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, 13 December 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FRS and DNS problem

http://www.eventid.net/display.asp?eventid=13562&eventno=662&source=NtFrs&phase=1
Reviewed that?

You've checked that it truly holds the FSMO roles?  (ntdsutil)
http://support.microsoft.com/kb/255504
http://support.microsoft.com/kb/234790

Craig A. Bumpstead wrote:
>
> Hi,
>
>  
>
> I moved all FSMO roles from my old server to my new server. But now I 
> seem to have a FRS issue. When I run netdiag /test:dns I get the 
> following:
>
>  
>
> Domain membership test . . . . . . : Failed
>
> [WARNING] The system volume has not been completely replicated to 
> the local
>
> machine. This machine is not working properly as a DC.
>
>  
>
> I also get Event ID: 13562
>
>  
>
> As a result I am unable to remove the old server via dcpromo, as it 
> reports it cannot locate a domain controller.
>
>  
>
> Any help would be great.
>
>  
>
> Cheers,
>
> Craig
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Exchange reconnect(OT)

2006-12-16 Thread Tony Murray
Does the account you are using to perform the reconnect have Send As
permissions on the user object?  See the link below for the correct
application of Send As permissions.

http://msexchangeteam.com/archive/2005/01/07/348596.aspx

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, 17 December 2006 2:22 p.m.
To: activedirectory
Subject: [ActiveDir] Exchange reconnect(OT)

I have Exchange delegated full admin rights on the ex2k3 sp2 org and I have
all the read/write perms to mailbox-enabled user attributes listed here:
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true

However, I'm running into this issue:
I delete a user's mailbox, which works fine. When I try to reconnect this
orphaned mailbox to a different user, I get this error: "you do not have the
rights required to complete the operation Id no: c1030728"

Reconnecting back to the old user works fine.

I have the exact same rights to the exchange attributes on both user
objects.

Is there more to permissions under the hood when reconnecting a mailbox to a
diff user than mailbox-enabling a user that I'm running into?
I notice there is nothing in the Working with AD permissions white paper
about reconnecting a mailbox to a diff user, but I just thought it was the
same exact rights needed for mailbox-enabling a user.

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] SBS Dies Twice in Four Days

2006-12-16 Thread Susan Bradley
(I suck at lurking what can I say) The other day someone was arguing about SBS 
saying "what are you going to do if the AD gets corrupted" and got to say 
"Well, according to the AD gurus I know, it's very rare for AD to get corrupted 
and typically is not AD that has gone wrong but something else".
   
  They came back and said "Oh well I meant overall corruption" 

joe <[EMAIL PROTECTED]> wrote:
  SBS... uh oh there goes the neighborhood... This one could possibly get the
[OT] badge I expect and/or go to the SBS specific groups. If an SBS server
died, AD would be one of the last things on it I would suspect with everything
it runs.  ;o)
   
joe
   
  --
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
   

   


-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, December 14, 2006 1:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twice in Four Days


  
Hi –
   
  I have a client with a four-year old SBS 2000 SP4 install on a Dell PowerEdge 
2500. In the last four days, the machine has simply died -- twice. I can find 
no obvious (or not so obvious) cause for this. There appears little that 
correlates directly with the crashes. The event logs are pretty clear of major 
errors (except below). The Open Manage software does not show any hardware 
problems. The drives are somewhat fragmented but not horribly. 
   
  The few errors that show up include this: Shortly before Saturday’s crash, 
the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this 
domain, I followed the steps provided to set the “Enabled Journal Wrap 
Automatic Restore” key to 1. This appeared to have cleared the error. This 
error has not recurred.
   
  Also, Exchange has logged some errors such as 2104 and 8197 which seem 
associated with access to the GC. When I followed the steps in MSKB 828764, I 
do not find any entries in the registry keys listed which are supposed to refer 
to the GC. 
   
  Either way, I am not sure those would bring down a server – twice. 
   
  Sorry if this is rambling a bit. I have been looking at this for several 
hours and don’t seem to be making any headway. Any thoughts welcome. The server 
is up now (after a hard reboot), but I’ve got to feel comfortable with leaving 
this server for a week – or my earlier post about laptop batteries will be 
meaningless ;-)
   
  TIA
   
  -- nme
   






RE: [ActiveDir] AB Views Export/Import

2006-12-16 Thread Brian Desmond
No I think he wants a GALSync type thing...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 8:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AB Views Export/Import

 

Hey Jerry, I am not exactly sure what you are asking for here.

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Thursday, November 02, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AB Views Export/Import

Would like to build a AB Views on an AD directory that stores Contacts
from multiple AD Forests.  Export these views to a file and Import them
to each of the Forests.  

Does Joe's ADFind support this, or is there another tool someone can
suggest.

Many thanks,

Jerry

 

Jerry Welch

CPS Systems

US/Canada: 888-666-0277

International: +1 703 827 0919 (-5 GMT)

IP Phone (Skype):  Jerry_Welch  ( www.skype.net )



RE: [ActiveDir] LDAP query assistance

2006-12-16 Thread joe
It would be nice if there were some easy way to know when not all of the
info was represented when you do the ASQ... i.e. A referral or something
that gets tossed so you know that there were DNs in the attribute you were
ASQ'ing that couldn't be reached. Kind of scary aspect to using ASQ.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Monday, September 25, 2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query assistance


Great answer Joe.  I completely missed the multi-domain issue, thinking (as
I wrote) that was only an issue for DLGs.  Oh well, you've certainly
refreshed my memory and answered the question admirably.
 
As you can tell from this, and from our off-line conversation, I'm just
using ASQ all the time ('cause it's great!) -sometimes it's not appropriate
: )
 
 
--Paul

- Original Message - 
From: joe   
To: ActiveDir@mail.activedir.org 
Sent: Friday, September 22, 2006 3:53 PM
Subject: RE: [ActiveDir] LDAP query assistance

This unfortunately isn't going to work...
 
1. Global group membership is not maintained in the GC. Depending on the
domain the GC you query hosts, your results will vary. If you hit a parent
DC GC then you will see memberships for the parent (and Unis). If you hit a
child DC GC, then you will see memberships of the child (and Unis). 
 
 
2. An ASQ query query will only work against objects in the linked attribute
that are immediately available. Depending on whether you hit a GC port or
the local LDAP port and depending on the info present in that GC instance
(see comments above) the results again could vary. The ASQ query does NOT
cross DCs to return info. Again since the global group membership of a
domain is only maintained on a DC of that domain this will only resolve part
of the membership.
 
A couple of examples of ASQ in action...
 
G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible
Access,CN=Builtin,DC=joe,DC=com" member
 
AdFind V01.31.00cpp Joe Richards (  [EMAIL PROTECTED])
March 2006
 
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
 
dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
>member: CN=Domain Users,CN=Users,DC=joe,DC=com
 


1 Objects returned
 
G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible
Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn
 
AdFind V01.31.00cpp Joe Richards (  [EMAIL PROTECTED])
March 2006
 
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
 
dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
 
2 Objects returned
 
 
Note that the member attribute of the group has 3 members but the ASQ
objectclass=* query only returns 2, that is because doing the LDAP port 389
query, the child1 object is not available.
 
Now change that to a GC query to a GC that is a DC for joe.com and it works
 
G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible
Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn
 
AdFind V01.31.00cpp Joe Richards (  [EMAIL PROTECTED])
March 2006
 
Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003
 
dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
 
3 Objects returned
 
But if I wanted the membership of those three global groups and tried
against the same GC you will note that the membership of the child1 domain
group is not enumerated... 
 
G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible
Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member
 
AdFind V01.31.00cpp Joe Richards (  [EMAIL PROTECTED])
March 2006
 
Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003
 
dn:CN=Domain Users,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>member: CN=administrator,CN=Users,DC=joe,DC=com
 
dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
 
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
>member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com
 


3 Objects returned
 
But turn it around and use a child1 GC and what do you think you get?
 
G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible
Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member
 
AdFind V01.31.00cpp Joe Richards (  [EMAIL PROTECTED])
March 2006
 
Using server: 2k3dc10.child1.joe.com:3268
Directory: Windows Server 2003
 

0 Objects returned
 
 
 
That's right... nothing. That makes
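
The silent drop joe describes above is something you can check for yourself by diffing the linked attribute against the ASQ result. The following is an added example, not part of the thread or of AdFind; it parses adfind's `dn:` / `>attr: value` output format as quoted in the message, using constructed samples modelled on joe's runs, and the function names are this example's own.

```python
import re

# Constructed samples, modelled on the adfind output quoted in joe's message:
# the group's member attribute read over port 389 of a joe.com DC ...
MEMBER_OUTPUT = """\
dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
>member: CN=Domain Users,CN=Users,DC=joe,DC=com

1 Objects returned
"""

# ... the -asq member query over port 389 of the same DC ...
ASQ_OUTPUT_LDAP = """\
dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

2 Objects returned
"""

# ... and the -asq member query over the GC port (3268) asking for member on
# each resolved object: the child1 group comes back, but with no values.
ASQ_OUTPUT_GC = """\
dn:CN=Domain Users,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>member: CN=administrator,CN=Users,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
>member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com

3 Objects returned
"""


def parse_adfind(text):
    """Parse adfind's 'dn:' / '>attr: value' output into {dn: {attr: [values]}}.

    Object order is preserved; the trailing 'N Objects returned' line is skipped.
    """
    objects = {}
    current = None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = line[3:].strip()
            objects[current] = {}
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            objects[current].setdefault(attr.strip(), []).append(value.strip())
    return objects


def dn_domain(dn):
    """DNS name of the domain a DN lives in, taken from its DC= components."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas not escaped with a backslash
    return ".".join(r.strip()[3:] for r in rdns
                    if r.strip().lower().startswith("dc=")).lower()


def missing_from_asq(member_output, asq_output, queried_domain):
    """DNs in the linked attribute that the ASQ silently left out.

    Returns (missing, foreign): every linked DN absent from the ASQ result, and
    the subset that lives outside the queried DC's own domain, which is joe's
    port-389 case: the DC simply has no object for them.
    """
    linked = set()
    for attrs in parse_adfind(member_output).values():
        linked.update(attrs.get("member", []))
    returned = set(parse_adfind(asq_output))
    missing = sorted(linked - returned)
    foreign = [dn for dn in missing if dn_domain(dn) != queried_domain.lower()]
    return missing, foreign


def unexpanded_members(asq_output, queried_domain):
    """Objects a GC returned but whose global-group membership it cannot hold.

    An object from another domain that comes back with no member values is
    either genuinely empty or, as in joe's GC example, a global group whose
    membership only exists on a DC of its own domain; flag it for a re-query
    against such a DC.
    """
    suspects = []
    for dn, attrs in parse_adfind(asq_output).items():
        if not attrs.get("member") and dn_domain(dn) != queried_domain.lower():
            suspects.append(dn)
    return suspects


if __name__ == "__main__":
    missing, foreign = missing_from_asq(MEMBER_OUTPUT, ASQ_OUTPUT_LDAP, "joe.com")
    print("linked DNs the port-389 ASQ dropped:", missing)
    print("of those, outside joe.com:", foreign)
    print("GC objects whose membership needs a DC of their own domain:",
          unexpanded_members(ASQ_OUTPUT_GC, "joe.com"))
```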

RE: [ActiveDir] Send As(OT)

2006-12-16 Thread joe
Odd, like I said, I could easily be wrong. I will have to play with it if I
can find any time. Unlikely of course, at least for the next few months.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, December 16, 2006 8:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Send As(OT)

Actually, it just started to work a few days ago.

In Exchange, you can send as a mail-enabled group so that an email
appears to be from the group(security or distribution).

I think this was some weird replication/info store cache issue that
for some reason took 4 days to resolve itself.

Thanks

On 12/16/06, joe <[EMAIL PROTECTED]> wrote:
> In Exchange nothing comes from the DL, it comes from the user who sent to
> the DL. I believe you cannot in actualality (sp?) send from a DL because a
> DL is an alias, not a mailbox.
>
> I could easily be wrong not being an Exchange guy but I don't expect I am.
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, December 05, 2006 6:12 PM
> To: activedirectory
> Subject: [ActiveDir] Send As(OT)
>
> I have given a user "send As" perm directly on a universal distribution
> group in AD.
> However, whenever this user selects the group from the GAL in the "From:"
> field of Outlook 2k3 and attempts to send an email as that group, he gets
> an error of "You do not have the permission to send the message on behalf
> of the specified user".
>
> The group is NOT nested in any of the AdminSDHolder protected groups.
> The user has been given "send as" perms directly on the UDG. He is in no
> groups with explicit denys.
> I have also tried giving my account "send as" perms to the group and I get
> the same error.
> I have waited over 24hrs so it's also not an info store cache/replication
> issue.
>
> I'm running exchange 2k3 sp2 with the latest hotfixes (including the send
> as one) in a win2k3 forest (win2k3 FFL/DFL).
>
> Any ideas would be great.
>
> Thanks for your time.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] AB Views Export/Import

2006-12-16 Thread joe
Hey Jerry, I am not exactly sure what you are asking for here.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Thursday, November 02, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AB Views Export/Import



Would like to build a AB Views on an AD directory that stores Contacts from
multiple AD Forests.  Export these views to a file and Import them to each
of the Forests.  

Does Joe's ADFind support this, or is there another tool someone can
suggest.

Many thanks,

Jerry

 

Jerry Welch

CPS Systems

US/Canada: 888-666-0277

International: +1 703 827 0919 (-5 GMT)

IP Phone (Skype):  Jerry_Welch  (   www.skype.net )



RE: Deleting an OU in AD and AD/AM with 1,000,000++ users (WAS: RE: [ActiveDir] )

2006-12-16 Thread joe
Hmm I swear I responded to this but I don't see it... So... 

The progress dots is only for reading in the CSV pipe... Not for what it is
currently working on.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava
Sent: Thursday, November 02, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Deleting an OU in AD and AD/AM with 1,000,000++ users (WAS: RE:
[ActiveDir] )

Duh!!

Sorry for answering myself, and also for forgetting to set a subject to my
previous email (should've been "Deleting an OU in AD and AD/AM with
1,000,000++ users")

I have taken the time to re-read the help screens (I did read them all, I
swear. I mean, how did I learn about -sc adau if not? ;) and I have found
out about the -treedelete switch that seems to be what I am looking for (I knew
it had to be there somewhere; admod would not *really* let you shoot
yourself in the foot if there was no way to really wipe a domain from it).

In any case, my previous question about "progress signs" stands. In this
case, I have two instances of admod happily chugging away (one is deleting
the users in AD; the other in ADAM) but no sign of what they are doing, other
than the fact that the VM hosting the domain and ADAM is seriously tasked.

Thanks a lot, and sorry for the unnecessary blunder.

J
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of F. Javier Jarava
Sent: Thursday, 02 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 

Hi all!!

I've been stress-testing some utilities we use internally, specifically a
tool to "sync" users from AD to AD/AM (ok, not exactly sync; we just need a
user/computer object with the same names that those in AD). For the purpose,
I have created an OU in AD that I then filled with 100+ users (admod -sc
adau:100;SomePassword1;CN= a couple of times ).

The tool survived the beating, but now I want to delete the OU and the users
within, both in AD and ADAM. I thought that:

admod -b "OU_DN" -rm

Would do the trick but it complains that it can't delete a non-leaf
(otherwise understandable). ADUC and ADAM-ADSIEdit let me say "delete", but
they take in the order of ages (they are at it now). Users&Comp. seems to
hang, and ADSIEdit every now and then comes up with a message box saying:

---
ADAM-ADSIEdit
---
The tree deletion is not finished.  The request must be made again to
continue deleting the tree. 
---
OK   
---

I click OK, select "delete" again on the OU, and on it goes...

My question is, I "know" that there has to be a better/quicker way to do
this that does not involve "listing" all objects and piping them to admod?

Thanks a lot.

Javier Jarava

PS: For bonus "points", I seem to recall some post on joe's blog about
having "progress dots" in admod that show objects being modified.. But I
wasn't able to find the proper switch in the docs, so when I created 100
users I got 100 DNs shown on screen. So, what is the proper option to
say "don't print all progress, just a running % or something like that"??

Thanks a bunch again.

J

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] supportedsaslmechanisms

2006-12-16 Thread joe
I am not aware of being able to do so no. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Monday, November 06, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] supportedsaslmechanisms

Is it possible to disable one (or more) of these mechanisms?

I ask as I see the following on my 2 remaining w2k DCs

supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO

and on my w2k3 DCs

supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

I have a misbehaving Unix app that exits right after it gets a list of 
the supported SASL mechanisms on a w2k3 DC but works fine with a w2k DC. 
  I'd like to rule out some sort of overflow in the app.

al

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] Is it 2000 or 2003?

2006-12-16 Thread joe
> (I liked the way ADFIND and ADMOD output this 
> info. so thought I'd steal Joe's idea and wrap 
> this info.  

Thanks, it was something I came up with on the fly because I was testing
something and not paying as close attention to the server name as I should
have been and actually was hitting the wrong OS version box. So I was like,
ok, I'll fix that!


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, November 17, 2006 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Interesting, you're more than likely doing it in a more efficient manner 
than I then.

Here's the code I use in all of my scripts (for anyone who's interested in 
this) these days (I liked the way ADFIND and ADMOD output this info. so 
thought I'd steal Joe's idea and wrap this info. into all my scripts that do
something with the DS):


' OID a rootDSE advertises in supportedCapabilities when the
' directory is an ADAM instance rather than Active Directory
Const LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"


' ***
' Sub printDirectoryInfo(RootDSE)
'
' Sub prints the DC that is being used and the
' level of the directory service.
'
' Note.  Sub calls func getDSFunctionality
'
' ***
Private Sub printDirectoryInfo(oRootDse)
 Dim sServer, iDCFunctionality, sDSFunctionality

 sServer = oRootDse.Get("dNSHostName")

 ' domainControllerFunctionality is not published by a
 ' Windows 2000 DC, so treat a failed read as level 0
 On Error Resume Next
 iDCFunctionality = oRootDse.Get("domainControllerFunctionality")
 If Err.Number <> 0 Then
  iDCFunctionality = 0
  Err.Clear
 End If
 On Error GoTo 0

 sDSFunctionality = _
  getDSFunctionality(iDCFunctionality, _
   oRootDse.Get("supportedCapabilities"), oRootDse)

 echo "Using server: " & sServer
 echo "Directory: " & sDSFunctionality & vbCrLf
End Sub



' ***
' Func getDSFunctionality(int, array, RootDSE)
'
' get the domain functional level for info.
' purposes function returns a string defining the
' current value of the DC queried (via serverless
' bind)
'
' ***
Private Function getDSFunctionality(iDSFunctionality, _
  cSupportedCapabilities, oRootDse)

 Dim oBase, dsf, nTMixedDomain, supportedCapability, bFlag
 bFlag = False

 Select Case CInt(iDSFunctionality)
  Case 0
   ' Windows 2000 DC: bind to the domain NC and read
   ' nTMixedDomain (1 = mixed mode, 0 = native mode)
   Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
   nTMixedDomain = oBase.Get("nTMixedDomain")

   If (nTMixedDomain = 1) Then
    dsf = "Windows 2000 Mixed"
   Else
    dsf = "Windows 2000 Native"
   End If
  Case 1
   dsf = "Windows Server 2003 Interim"
  Case 2
   ' ADAM is told apart from AD by its OID in supportedCapabilities
   For Each supportedCapability In cSupportedCapabilities
    If (supportedCapability = _
      LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID) Then
     bFlag = True
    End If
   Next

   If (bFlag) Then
    dsf = "Active Directory Application Mode (ADAM)"
   Else
    dsf = "Windows Server 2003"
   End If
 End Select

 getDSFunctionality = dsf
End Function



' ***
' Sub echo(String)
'
' Sub prints the passed string to the console
' (if run from CSCRIPT) or to the shell via
' message box (if run from WSCRIPT).
'
' ***
Private Sub echo(sOutputString)
 WScript.Echo(sOutputString)
End Sub


' Serverless bind to the rootDSE of a DC in the logon domain
Dim oRootDse
Set oRootDse = GetObject("LDAP://RootDSE")
printDirectoryInfo oRootDse


--Paul

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, November 16, 2006 6:32 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?


> AdFind only determines the Directory level, it doesn't look for functional
> modes or mixed mode. The way I get directory level is through the
> supportedCapabilities attribute of the rootdse of the DC. Of course it is
> possible to hit one DC looking for info and I pull the ROOTDSE from that DC
> and then in the background a referral is processed which ends up getting the
> info from another DC in another domain (or same domain if looking at app
> parts).
>
> You can get functionality modes from the rootdse attributes
> domainFunctionality and forestFunctionality.
>
> For all of those, just do an
>
> AdFind -rootdse
>
> And you will see what I am decoding and logically how I ascertain 
> directory
> level.
>
>
>
> Mixed mode versus native you simply use the domain NCs nTMixedDomain
> attribute.
>
>   joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
> Sent: Thursday, November 16, 2006 11:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Is it 2000 or 2003?
>
> I don't understand where you are seeing this info.  Are you referring to the
> applet that is used to raise the FL?  Or something else?
>
> As for the "flag" that is used to identify the directory, it is usually a
> combination of:
>
> msDS-Behavior-Version
> nTMixedDomain
> supportedCapabilities
>
>
> Or at least, that is the way I put info. such as server and directory in
> each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he
> does it the same way too.
>
> Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain. If
> it's 2, check supportedCapabilities to see whether or not it is ADAM (it's

RE: [ActiveDir] ActiveDir.Org Web Site Update [List Admin]

2006-12-16 Thread joe
Hmmm I almost missed this post
 
Ok Matty goes on the list 
 
;o)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matty
Sent: Wednesday, November 22, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ActiveDir.Org Web Site Update [List Admin]



Hi All,

 

I just want to update you on some recent changes to the ActiveDir.Org site.

 

As you may know, the last attempt at publishing the Mail List's archives on
ActiveDir.Org was a complete disaster.  The software we were using (Mhonarc)
just couldn't keep up with the volume (I actually suspect it was also due to
the length of some of Joes mails - only joking ;-)). 

 

The good news is we finally got around to developing our own solution (this
time with extremely long field lengths ;-)) so you can now find the archives
back on-site again here.

 

The archive is updated hourly.  Its fully RSS'd so you can subscribe to the
main archive feed if you prefer to view posts in that way.  If you are that
keen on following a particular thread, we also maintain a separate feed for
each separate thread.

 

Another recent update that is also related to the List Archive is the new
Posters feature.  This feature categorises the list's archive by sender and
will publish all threads that you have ever been involved in.  You need to be
registered with ActiveDir.org (with the same email address as you use to
subscribe to the list) in order to publish your threads to the Posters page.

 

Here's an example of Tony's posts Posters page:
http://www.activedir.org/ma/posters.aspx?id=2

 

It's kind of like having your own ActiveDir Mail List Blog.  We encourage
you to join in the fun ;-).  Again there is a feed so you can subscribe to
only specific posters messages if you choose to do so.  The nice option here
is you can link this feed from your own blog/web site or from your message
footer when posting to the list.

 

What about an archive/site search?  There isn't one at the moment.  This
will be implemented early in the New Year but for now we are counting on
Google.

 

If you think of other features you would like to see on the site or find
issues with existing functionality then let us know.

 

Hope you find the new pages useful.

 

Cheers, 

 

Matty

(General ActiveDir Dogsbody #2)

 

Site: http://www.activedir.org/

Register: http://www.activedir.org/register.aspx

Posters page: http://www.activedir.org/ma/posters.aspx

Archive page: http://www.activedir.org/ma/default.aspx

 

 

 



[ActiveDir] Exchange reconnect(OT)

2006-12-16 Thread Tom Kern

I have Exchange delegated full admin rights on the ex2k3 sp2 org and I
have all the read/write perms to mailbox-enabled user attributes
listed here: 
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3ADPerm/bdc119c9-961a-4e78-acf8-97099256f452.mspx?mfr=true

However, I'm running into this issue:
I delete a user's mailbox, which works fine. When I try to reconnect
this orphaned mailbox to a different user, I get this error:
"you do not have the rights required to complete the operation
Id no: c1030728"

Reconnecting back to the old user works fine.

I have the exact same rights to the exchange attributes on both user objects.

Is there more to permissions under the hood when reconnecting a
mailbox to a diff user than mailbox-enabling a user that I'm running
into?
I notice there is nothing in the Working with AD permissions white
paper about reconnecting a mailbox to a diff user, but I just thought
it was the same exact rights needed for mailbox-enabling a user.

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: Find a use of an account in AD

2006-12-16 Thread joe
I seem to recall Dean Wells posting a batch file to the list to gather all
of the service accounts being used across a forest, might want to peek at
the archives.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Thursday, November 30, 2006 3:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Find a use of an account in AD


Hello all,
I have a few user accounts which are used as service accounts which are
members of the Domain Admins group but I have no idea what they are for.
Does anyone know of a way of identifying where these accounts are used, e.g.
as a service etc., using a script or something? If so, does anyone have a
script they could share ;-)
It's a Windows 2003, single forest, single domain.
Ta!
Amy




RE: [ActiveDir] Send As(OT)

2006-12-16 Thread Brian Desmond
I have a recollection of being able to send from a DL though I haven't
been an Exchange admin in 6+ months so I may be thinking of something
else. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Saturday, December 16, 2006 7:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Send As(OT)
> 
> In Exchange nothing comes from the DL, it comes from the user who sent
> to the DL. I believe you cannot in actualality (sp?) send from a DL
> because a DL is an alias, not a mailbox.
> 
> I could easily be wrong not being an Exchange guy but I don't expect I
> am.
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Tuesday, December 05, 2006 6:12 PM
> To: activedirectory
> Subject: [ActiveDir] Send As(OT)
> 
> I have given a user "send As" perm directly on a universal distribution
> group in AD.
> However, whenever this user selects the group from the GAL in the
> "From:" field of Outlook 2k3 and attempts to send an email as that group,
> he gets an error of "You do not have the permission to send the message
> on behalf of the specified user".
> 
> The group is NOT nested in any of the AdminSDHolder protected groups.
> The user has been given "send as" perms directly on the UDG. He is in
> no groups with explicit denys.
> I have also tried giving my account "send as" perms to the group and I
> get the same error.
> I have waited over 24hrs so it's also not an info store
> cache/replication issue.
> 
> I'm running exchange 2k3 sp2 with the latest hotfixes (including the
> send as one) in a win2k3 forest (win2k3 FFL/DFL).
> 
> Any ideas would be great.
> 
> Thanks for your time.


RE: [ActiveDir] mailNickName(OT)

2006-12-16 Thread joe
Excellent points David. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, November 22, 2006 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

While I firmly agree that guidance should never be blindly followed,
regardless of the source, I'd add that customers who say "Microsoft reviewed
this" or something like that should not necessarily be taken to mean the
design was in any way developed by or recommended by MS (I can't speak for
the OP; I'm just making a general statement.)  I've seen many a customer
fight for a MS stamp of approval on a design that in no way is best
practices but "works" and meets the bare bones supportability requirements.
Also, recommendations to change a design are often met with "but it works
and I don't want to possibly break it just to comply with best practices so
unless you tell me it's completely broken we're not changing it."  But
that's rarely disclosed when problems come up down the road. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

I have to admit some surprise that you have that large of an org and haven't
hit issues in collisions on the name space when using firstname.lastname.
Actually I find it more than surprising, I expect you have some exceptions
or some folks got a display name that isn't something they totally prefer,
like a Ted became a Theodore or something for example...

On the MSFT helped with the design comment... I realize you weren't around
for it but don't confuse "someone from MSFT" helped with the design with
"MSFT" helped with the design. It is something I learned a long time ago to
separate. Not every MSFT resource is as knowledgeable as they should be in
every area they may be called in to work on... i.e. When using say MCS or
PSS to help with things, don't blindly follow, understand what they are
designing or asking you to do. Obviously this isn't strictly limited to
MSFT, this goes for every company that has "experts" that come in and help. 

While you hope you get all of the experience of Microsoft in every Microsoft
employee (or all of the experience of Company X from every Company X
employee) who visits you, the simple and obvious truth of the matter is that
you don't. You get a person with some level X of experience who has some
level X of access to other people. Some of these people will be extremely
experienced in what you are doing (or some aspect of what you are doing),
some will pretend they are. Some will know who to contact to verify
plans/ideas, some won't, some won't even care to because they feel they know
enough themselves. I have met all versions of these. My favorites are those
who are comfortable enough in themselves to actually say "I don't know the
answers to that" or "I am not sure" that is quickly followed by "But I will
find out". Interestingly, the people willing to say I don't know tend to be
the ones that most of the other MSFT folks consider to be some of the
brightest folks working on those things... Imagine that.

At any point if you get the feeling that the person is more of a shyster
than an expert, call them out and ask for them to get someone else on the
phone to talk it out as well. If you are in a 100k+ org, you should have the
weight to even get someone from Redmond on the phone to help answer
questions. Also don't be afraid to just ask here, say someone said X and Y
and we aren't exactly sure if that is accurate... People here will either
say yes, no, it depends, or where &%#$ are your smilies... 

All of that to say, even if someone from MSFT helped with some design of
something, don't rely on that meaning it authoritatively the most optimal
configuration or even how it should be done at all. You are on better ground
if you get an official design review from PSS because then several folks
should be looking at it, but even still... I have seen some funny
recommendations even in those that I have completely ignored. Basically you
need to have some good understanding of what you are doing as well. In a
small company the repercussions and actually the need for special thinking
is greatly reduced, Microsoft Redmond targets those situations. In larger
companies above the 30/50/80/100k user marks, IMO, someone better have a
good understanding of AD unless all of your support is farmed out to another
company and then someone there better have a really good understanding. 



If you want to read on, there is a funny story I have of an MSFT Exchange
Alliance Premier person who had an issue saying I don't know and radically
impacted his image and how the customer viewed him... This just came up in a
chat I had with someone recently so since it is fresh in my head... I

RE: [ActiveDir] mailNickName(OT)

2006-12-16 Thread joe
Hmm I think you echoed all of the thoughts I had when I read that post. I
can now retire. I have been replaced by a younger model. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, November 23, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mailNickName(OT)

Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as
the numbers get larger. :)

With regard to your email address question, you can update the recipient
policy the RUS uses to automatically stamp everything with
[EMAIL PROTECTED] You would set your recipient policy to include
[EMAIL PROTECTED] to generate this for each object. Reference Q285136
for more info.

8 People for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in "firstname.lastname"
format is due to a dirsync process that runs once a day and reads
that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an
"[EMAIL PROTECTED]".
Later, the dirsync process adds "[EMAIL PROTECTED]", so
when mail goes out, sendmail rewrites the RHS portion of the smtp
addy.
If mailNickName is sAMAccountName, it doesn't work.


Sometimes during the provisioning process, the lan access guys forget
to set this attribute to that value, so the exchange team was looking
for a way to automatically generate the value in the correct format,
kinda like displayName.

I just started here about 2 months ago, so I'm not completely sure how
the process works and I'm trying not to annoy everyone with too many
questions.

This is the first truly large corp I've ever worked for. Before I was
the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8
member Exchange team for a 110,000 user bank that you've all heard of
and I guess I'm trying to wrap my head around how an org this size
works...
I'm actually kinda surprised no one on the exchange team knows how to
script or is very knowledgeable about AD.
Then again the AD team doesn't seem that knowledgeable about AD.

They just migrated from EX 5.5 to EX2K3 when I started, so I guess
they are trying to get up to speed with exchange.

I only made the MS comment because a corp this large seems to have a
lot of resources at MS and I saw that someone from MS did their EX2K3
design doc.
I'm not under the illusion that just because someone is from MS that
they know what they are doing but I guess I have illusions about
companies this size and that they would somehow get the better support
from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
> I think I see the reason that it hasn't been as big a problem as it
> could be. The id is not yet everywhere.  You will run into those
> collisions. Statistically (note, I'm not a statistician, but I sometimes
> play one on the internet) your numbers are just too large not to.  When
> you hook in MIIS, you'll start to see a lot of john smith's and you'll
> have to map them and come up with rules to automatically resolve those if
> possible.  I dunno though, you may be an organization that enjoys manual
> processes.
>
> Even for first.lastname for smtp addresses I'm reasonably sure there's
> either a really strong nepotism policy in your organization or you've
> got some *process* that allows for making those unique.  I've worked in
> much smaller shops that had such policies (sadly, no strong nepotism
> rule, but that's another story altogether.)
>
> I second what joe says about not taking their word for anything.  I'll
> go so far as to qualify that and say that the best answer you should get
> from a consultant or on-site resource is "it depends." What that really
> means is that depending on the information available, your current best
> practice as it was intended is to do x.  I can't begin to tell you how
> many things that started from the product teams as "the product only does
> this" later ends up to be, " for the love of  don't do this!!!"
>  Think clustering and you'll know what I'm talking about.
>
> Every bit of it depends.  But Microsoft developers need more parameters
> than "it depends" so they come up with scenarios.  And they narrow those
> down out of necessity.  If you fit in that scenario, your stuff is a
> tested scenario.  If not, it's something they may have thought of but
> didn't think enough customers would use and so didn't spend time testing
> thoroughly - aka if it works, it was meant to do that. If it does not,
> what the ^%$# were you thinking? Don't you read that (often non-ex

Re: [ActiveDir] Send As(OT)

2006-12-16 Thread Tom Kern

Actually, it just started to work a few days ago.

In Exchange, you can send as a mail-enabled group so that an email
appears to be from the group(security or distribution).

I think this was some weird replication/info store cache issue that
for some reason took 4 days to resolve itself.

Thanks

On 12/16/06, joe <[EMAIL PROTECTED]> wrote:

In Exchange nothing comes from the DL, it comes from the user who sent to
the DL. I believe you cannot in actualality (sp?) send from a DL because a
DL is an alias, not a mailbox.

I could easily be wrong not being an Exchange guy but I don't expect I am.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, December 05, 2006 6:12 PM
To: activedirectory
Subject: [ActiveDir] Send As(OT)

I have given a user "send As" perm directly on a universal distribution
group in AD.
However, whenever this user selects the group from the GAL in the "From:"
field of Outlook 2k3 and attempts to send an email as that group, he gets an
error of "You do not have the permission to send the message on behalf of
the specified user".

The group is NOT nested in any of the AdminSDHolder protected groups.
The user has been given "send as" perms directly on the UDG. He is in no
groups with explicit denys.
I have also tried giving my account "send as" perms to the group and I get
the same error.
I have waited over 24hrs so it's also not an info store cache/replication
issue.

I'm running exchange 2k3 sp2 with the latest hotfixes (including the send as
one) in a win2k3 forest (win2k3 FFL/DFL).

Any ideas would be great.

Thanks for your time.


RE: [ActiveDir] Tombstone.

2006-12-16 Thread joe
Difficult to replicate a deleted object... If you send a null to your
replication partner, it doesn't know what to remove. :)
 
You can get around the whole tombstone thing though if you use dynamic
objects. Those really and truly do delete with no chance of reanimation.
However, the time to die info is (well usually) on the object from the very
beginning so you don't need to replicate around a notification of a
tombstone, each DC will know when it needs to remove the object. This is
actually a fun way to build lingering objects in your directory. There are a
couple of ways it can be leveraged to do so if you really want to work at
dorking your forest up.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, December 04, 2006 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Tombstone.


Brett, because of the way the question was asked it might be a good idea to
mention why that's important vs. just deleting an object and replicating
that. 

My $0.04 for the day. 

Al


On 12/4/06, Brett Shirley <[EMAIL PROTECTED]> wrote: 

By default it is not possible to recover an AD object from an AD
tombstone.

The AD tombstone mechanism is used to support AD replication.

The way AD replication works is that, in a sense, a delete is really like
a modify by "setting the isDeleted" attribute (really the metadata, maybe
the attr too, don't remember OTOH).  By setting this attribute the AD
object turns into an AD tombstone, a change that can replicate normally 
around to make the delete global.

Cheers,
Brett Shirley


On Tue, 5 Dec 2006, Ajay Kumar wrote:

> Hi all,
>
> I have a query:
> Is it possible to recover a network object from an AD tombstone?
> If not, then what is the use of it?
>
> Regards,
> Ajay pardeshi
>






RE: [ActiveDir] Tombstone.

2006-12-16 Thread joe
Note that not all objects can be reanimated, there is a little bug I found
that impacts objects (mostly config objects if I recall properly) created
with specific settings that will not allow you to move them out of the
deleted objects container once they have been "deleted/tombstoned". I
believe I ran into that while doing mass testing of AdMod which will also
reanimate tombstones. The bug is officially bugged and should be corrected
eventually.

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 04, 2006 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Tombstone.

Hi Ajay

Not sure what network objects you are interested in, but you do have the
ability to reanimate tombstoned objects.  The main issue with this is that
not all of the attributes are preserved when the object is tombstoned, which
means you won't get back everything that was lost using this method.

For some tools leveraging the reanimation API, have a look at:

http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx

http://www.quest.com/object_restore_for_active_directory/

Also have a look at the discussion thread below.  Dean Wells shows how to
modify the schema to include additional attributes in tombstone reanimation.

http://www.mail-archive.com/activedir@mail.activedir.org/msg30802.html

Tony
-- Original Message --
From: "Ajay Kumar" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 5 Dec 2006 00:33:21 +0530

Hi all,

I have a query:
Is it possible to recover a network object from an AD tombstone?
If not, then what is the use of it?

Regards,
Ajay pardeshi


 







RE: [ActiveDir] AD Schema Extensions and Exchange System Manager

2006-12-16 Thread joe
I am not positive on this, but I think you need to look at mAPIIDs.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Waters, MW (Mike)
Sent: Tuesday, December 05, 2006 5:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema Extensions and Exchange System Manager


Excellent mail list ... keep up the good work!
 
But can anyone help me ..
 
For various reasons we have extended the schema in our Active Directory
(test only at present) to add further local attributes to users.
 
All is working well until I attempt to make use of the data in these extra
attributes within Exchange System Manager (ESM). Specifically, I would like
to extend the user template visible from Outlook Address Book to display
information contained in the schema extensions.
 
Unfortunately, the ESM only allows a handful of attributes to be picked for
display and none of them our extensions.
 
Anyone know how to coerce ESM to allow other user attributes to be chosen?
 
Regards
 
Mike Waters
 


RE: [ActiveDir] Send As(OT)

2006-12-16 Thread joe
In Exchange nothing comes from the DL, it comes from the user who sent to
the DL. I believe you cannot in actualality (sp?) send from a DL because a
DL is an alias, not a mailbox.  

I could easily be wrong not being an Exchange guy but I don't expect I am.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, December 05, 2006 6:12 PM
To: activedirectory
Subject: [ActiveDir] Send As(OT)

I have given a user "send As" perm directly on a universal distribution
group in AD.
However, whenever this user selects the group from the GAL in the "From:"
field of Outlook 2k3 and attempts to send an email as that group, he gets an
error of "You do not have the permission to send the message on behalf of
the specified user".

The group is NOT nested in any of the AdminSDHolder protected groups.
The user has been given "send as" perms directly on the UDG. He is in no
groups with explicit denys.
I have also tried giving my account "send as" perms to the group and I get
the same error.
I have waited over 24hrs so it's also not an info store cache/replication
issue.

I'm running exchange 2k3 sp2 with the latest hotfixes (including the send as
one) in a win2k3 forest (win2k3 FFL/DFL).

Any ideas would be great.

Thanks for your time.


RE: [ActiveDir] Resending because I kept sending via the wrong account.

2006-12-16 Thread joe
Ah. And the PDC versus non-PDC? Red Herring? Cross-contamination?  Crossed
the streams and the sta-puff marshmallow man wasn't in sight. ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resending because I kept sending via the wrong account.

Okay, folks, I think I may have an answer to the behavior I've been seeing
with an account that is NOT a Domain Admin but IS an Administrator not
showing as the individual owner of the object when the policy is set to
"object creator".

The only thing I can think of is this- I've been doing this all via TS
connections. I'm not sure how I managed to do it, but I'm guessing that I
never actually logged off the TestLaura account after I removed it from
Domain Admins and made it a member of Administrators instead. I could have
sworn that I'd logged the darn thing off a whole buncha times, but that's
the only possibility that could explain why I was seeing the behavior I was
seeing. I feel like an idiot now. :-) (No agreement from the peanut gallery,
please; everybody has a bad day. I just tend to have mine very publicly.)

In any case, PLEASE DO NOT USE DOMAIN ADMIN ACCOUNTS FOR ROUTINE TASKS THAT
CAN BE PERFORMED USING NON-DA ACCOUNTS. (sorry, not yelling, just too lazy
to do pseudo-italics) None of this ownership stuff and policy changing has
any effect on accounts that are members of Domain Admins, only on accounts
that are members of the domain's Administrators group without being DAs. You
will still not be able to use ownership as a reliable indicator of object
creator REGARDLESS. Since object owners can *give* ownership to anybody they
desire (this has been possible since the NT days, just not exposed in the
GUI until post Win2K), there's nothing to guarantee that that hasn't been
done. If you want to know which user account was used to create objects in
the directory, use the event logs and auditing. Do not use object ownership.

Thank you very much, and we now return you to your regularly-scheduled
programming. I'm gonna go eat. 

:-D

Laura

P.S. There were a bunch of rambling posts I sent before this one, but I
think this one actually sums stuff up well enough, and I'm sure you're tired
of seeing posts from me at this point! :-)

To summarize: If you're not as dain bramaged as I am and you set the "System
Objects: Default owner..." policy to "object creator", accounts that are
members of Administrators but are NOT members of Domain Admins will show as
the initial owner of the objects they create. Accounts that are members of
Domain Admins will be unaffected by the policy.



RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-16 Thread joe
So what was the overall outcome here?
 
Did the PDC -vs not-PDC end up making a difference?
 
Administrators -vs- Domain Admins?
 
etc etc etc
 
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 05, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Well, I've done some more testing and the results are interesting. 
 
In both instances I have the policy in place and set to "Object Creator".
 
1. If the account used for AD object creation is a member of Domain
   Admins the owner is shown as Domain Admins.

2. If the account used for AD object creation is a member of
   Administrators the owner is shown as the account used to create the object.
 
Tony
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting "System objects: Default
owner for objects created by members of the Administrators group" DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : 

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
confi

RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-16 Thread joe
I am not so sure he needs to be able to actually understand what is in the
blob so decoding of any part of the security descriptor shouldn't be
necessary. Sounds like he simply wants to copy from one object to another
and that should be possible using the LDAP_SERVER_SD_FLAGS_OID control which
really shouldn't be all that difficult to build and submit to the server
assuming you have ber_printf available and I believe most LDAP APIs do have
it. 

If copying the entire SD and the app has the appropriate rights (i.e.
something with rights to modify the SACL as that is generally the touchy
part), it may be possible to do it without using the control even. It isn't
something I have tried to do personally.

Now seeing the domain from which the original poster is writing and having
some detailed understanding of that specific environment and knowing all of
the Enterprise/Domain Administrators, I am curious what exactly they want to
do from UNIX and Java with machine accounts and whether they are chatting
with anyone as they may find they really don't have rights to do what they
are wanting to do or are specifically disallowed from mucking with it.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Tuesday, December 12, 2006 11:00 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with
LDAP and Unix

On Tue, 12 Dec 2006 14:49:46 -0500
"Santiago, Felderi (F.)" <[EMAIL PROTECTED]> wrote:

> 
> I know this may sound crazy, but I need to write to the
> ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
> Any clues?  Essentially, what I am trying to do is query the
> ntsecuritydescriptor attribute of an object already in AD to see the
> value and would like, moving forward, to set the same value on a
> specific object.
> 
> Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
> Windows and want to do everything Unix.  Any tips or tricks would be
> greatly appreciated.

Doubt it. Basically you need two things: an LDAP client that supports the
LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to
decode and manipulate the binary array of ACEs that makes up a security
descriptor. The first part is easy. The second part is very difficult
unless you're comfortable hacking in C or Java.

As LDAP clients on UNIX go the best ones are:

1) OpenLDAP's C library which gives you low level access to build controls
and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID
flags.
2) Java's JNDI which should also have low level access but I'm not sure.
3) The Perl binding for OpenLDAP is pretty good but again I'm not sure
you can do an arbitrary LDAPControl.

As security descriptor libraries go there are only two that I'm aware of:

1) Samba has a C api and a Python binding but it could be difficult trying
to decipher how to use it as it most likely is not designed specifically
for generic use such as this.
2) JCIFS has code to get security descriptors and resolve names of SIDs
but it only has code to decode security descriptors not encode them. But
the only reason that I mention JCIFS is because if *I* had to do this,
I think JNDI/JCIFS would be the path of least resistance and you would
end up with a pretty nice and flexible solution.

Or, if they're ok with using a web interface you could write an ASP to do
the work and protect it with Kerberos SSO which Firefox can do.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
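Mike's two pieces (a client that can send LDAP_SERVER_SD_FLAGS_OID, and something that understands the binary descriptor) together with joe's point that the SACL is the touchy part, worked through in Python as an added example; this is not code from the list, nor from OpenLDAP, Samba or JCIFS. It encodes the control value by hand (the same bytes ber_printf("{i}", flags) produces), decodes a self-relative SECURITY_DESCRIPTOR far enough to list owner, group and ACEs, and derives the flags for a copy from what the fetched blob actually contains. The descriptor it parses is constructed for the demonstration and the function names are mine.

```python
"""Copying an ntSecurityDescriptor between AD objects over plain LDAP from a
Unix client needs (1) the value of the LDAP_SERVER_SD_FLAGS_OID control, which
tells the DC which parts of the descriptor a read or write refers to, and
(2) a way to look inside the self-relative SECURITY_DESCRIPTOR blob, so the
write only claims the parts (owner, group, DACL, SACL) the read actually
returned.  Added example; the sample descriptor is constructed."""
import struct

LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
OBJECT_ACE_TYPES = (5, 6, 7, 8)  # *_OBJECT_ACE: extra flags + optional GUIDs

def ber_int(value):
    """BER INTEGER (tag 0x02) for a non-negative int, minimal two's complement."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body

def sd_flags_control_value(flags):
    """controlValue for LDAP_SERVER_SD_FLAGS_OID: SEQUENCE { INTEGER flags }."""
    inner = ber_int(flags)
    return b"\x30" + bytes([len(inner)]) + inner

def parse_sid(blob, off):
    """Return (SID string, byte length) for the binary SID at offset off."""
    rev, count = blob[off], blob[off + 1]
    authority = int.from_bytes(blob[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_acl(blob, off):
    """Walk an ACL: 8-byte header, then AceCount variable-length ACEs."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", blob, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        mask = struct.unpack_from("<I", blob, pos + 4)[0]
        sid_off = pos + 8
        if ace_type in OBJECT_ACE_TYPES:  # skip object flags and any GUIDs present
            obj_flags = struct.unpack_from("<I", blob, pos + 8)[0]
            sid_off = pos + 12 + 16 * bool(obj_flags & 1) + 16 * bool(obj_flags & 2)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                     "sid": parse_sid(blob, sid_off)[0]})
        pos += ace_size  # AceSize is authoritative, whatever the ACE type
    return aces

def parse_self_relative_sd(blob):
    """Decode header + owner/group SIDs + DACL/SACL of a self-relative SD."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from(
        "<BBHIIII", blob, 0)
    return {
        "revision": rev,
        "control": control,
        "owner": parse_sid(blob, o_owner)[0] if o_owner else None,
        "group": parse_sid(blob, o_group)[0] if o_group else None,
        "dacl": parse_acl(blob, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
        "sacl": parse_acl(blob, o_sacl) if control & SE_SACL_PRESENT and o_sacl else None,
    }

def copy_flags_for(sd):
    """SD_FLAGS for the modify: write only the parts the fetched descriptor
    actually carries (a SACL the reader was not given is never claimed)."""
    parts = (("owner", 0x1), ("group", 0x2), ("dacl", 0x4), ("sacl", 0x8))
    return sum(bit for part, bit in parts if sd[part] is not None)

def _sid(authority, *subs):
    """Constructed binary SID: revision 1, sub-authority count, 48-bit authority."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

def build_sample_sd():
    """Constructed descriptor: owner BUILTIN\\Administrators, group SYSTEM, a
    two-ACE DACL and no SACL, i.e. the shape a non-privileged read returns."""
    owner, group = _sid(5, 32, 544), _sid(5, 18)
    aces = _ace(0, 0x000F01FF, owner) + _ace(0, 0x00020094, _sid(1, 0))
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 2, 0) + aces  # ACL_REVISION_DS
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl

if __name__ == "__main__":
    sd = parse_self_relative_sd(build_sample_sd())
    print("owner", sd["owner"], "group", sd["group"], "sacl", sd["sacl"])
    for ace in sd["dacl"]:
        print("ace type=%d mask=0x%08x %s" % (ace["type"], ace["mask"], ace["sid"]))
    print("control value", sd_flags_control_value(copy_flags_for(sd)).hex())
```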


RE: [ActiveDir] Vista GPO

2006-12-16 Thread Brian Desmond
Oddly enough I was on a concall with MS the other day and one of the
accounts mentioned he was rolling out a 3K seat Vista upgrade in March.
Sad they already had vendor commitments for application fixes and
everything. I was pretty surprised. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Saturday, December 16, 2006 6:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
> 
> I don't know of anyone officially moving to Vista any time soon. Folks
> are playing with it, usually IT folks are just looking to get the latest
> and greatest to feel cool, they don't generally really and truly need any
> of the features. Several places I have heard with any kind of plans are
> talking 2008 soonest for Vista and Office 2007.
> 
> I was chatting with some other folks about this recently and I expect a
> lot of companies will find the migration to Vista to be even more
> difficult than their migration from Win9x to NT based technology. At
> least with NT Technology you usually had a bunch of people that had a lot
> of NT knowledge already and could leverage it or could go out into the
> newsgroups and find folks who have been running NT stuff in production
> for years and years. You don't really have that with Vista (and LongHorn)
> and the changes are sufficient enough that it will break quite a few
> things. I am not saying that is bad necessarily, that is what everyone
> started screaming for when they said MSFT wasn't secure enough. Now
> people will get to find out what that really means... I know quite a few
> developers who are hopping mad over a lot of the changes and some are
> even more concerned over where code signing is going, etc. Especially
> folks with low priced or free software that they make available because
> if code signing becomes absolutely required, you have to pay for that as
> a developer/company.
> 
> Anyway, my thoughts are that there will be quite a few companies with
> custom mechanisms for managing things that they have developed over the
> years that will all completely fail or nearly completely fail with Vista
> and will have to be reworked or outright replaced which could take a lot
> of time. This doesn't even start to get into the realm of just plain old
> line of business apps.
> 
> Don't get me wrong, some leading edge people will move fast and take the
> black eyes and bloodied noses in stride, most folks though I expect to
> follow the old wait for SP1 rule and then wait even longer as they
> realize it isn't a simple forklift of the binaries. I wouldn't be
> surprised to see most large companies deploying Longhorn heavily into
> production before Vista even.
> 
>    joe
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: Friday, December 15, 2006 8:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Vista GPO
> 
> (as a bystander here .. I personally like the point/counterpoints..
> just sometimes we need to realize that we lose ...what?  About 60% of
> communication via email? And adjust accordingly okay?  Can we hug and
> make up?)
> 
> Pogue's Posts - Technology - New York Times Blog:
> http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/
> 
> Granted I'm little... but are you guys really and truly rolling out
> Vista in other than Lab settings anyway?  I'm getting hit over the head
> on a daily basis by vendors who are saying "Wait".
> 
> My two benchmarks of when I can say I'm somewhat "business ready" on
> Vista is when the ISA firewall client that supports Vista ships (it did
> earlier this week) and when Trend isn't offering up beta versions as
> the only ones that will run on Vista.
> 
> Are you guys really and truly rolling these suckers out on production
> boxes?
> 
> Don't geeks adapt anyway?  (We may not read... but we adapt right?)
> 
> This is slightly incorrect...but the fact is SQL 2005 express
> officially needs sp2 to run on Vista
> http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes
> 
> *Wait Until after Tax Time? *Note that Intuit's tax software divisions
> are recommending that their users wait until after tax season to make
> any move to Windows Vista. These notices are posted for both Lacerte
> Professional Tax Software and ProSeries Professional Tax Software.
> 
> *Prudence Suggested for QuickBooks Users Too.* Windows Vista holds
> much promise for significant improvem

RE: [ActiveDir] LDAP query

2006-12-16 Thread joe
If I understand what you are asking, no I don't believe this is something
that can be queried. I expect you are looking to be able to do something
like what you can do with "net sessions" or "net files"

You could maybe do something with the event tracing stuff or SPA2. But that
wouldn't be a query, that would be running and collecting info and then you
generate the report from the output generated. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Friday, December 15, 2006 4:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query

hi,

Does anyone know how to query active LDAP sessions on a Win 2003
Domain Controller?
I need to know the functional users which are used to query the AD by
applications or Unix systems.

Thanks in advance
Thomas


RE: [ActiveDir] SBS Dies Twice in Four Days

2006-12-16 Thread joe
SBS... uh oh there goes the neighborhood... This one could possibly get the
[OT] badge I expect and/or go to the SBS specific groups. If an SBS server
died, AD would be one of the last things on it I would suspect with
everything it runs.  ;o)
 
  joe
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, December 14, 2006 1:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twice in Four Days



Hi -

 

I have a client with a four-year old SBS 2000 SP4 install on a Dell
PowerEdge 2500. In the last four days, the machine has simply died -- twice.
I can find no obvious (or not so obvious) cause for this. There appears
little that correlates directly with the crashes. The event logs are pretty
clear of major errors (except below). The Open Manage software does not show
any hardware problems. The drives are somewhat fragmented but not horribly. 

 

The few errors that show up include this: Shortly before Saturday's crash,
the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in
this domain, I followed the steps provided to set the "Enabled Journal Wrap
Automatic Restore" key to 1. This appeared to have cleared the error. This
error has not recurred.

 

Also, Exchange has logged some errors such as 2104 and 8197 which seem
associated with access to the GC. When I followed the steps in MSKB 828764,
I do not find any entries in the registry keys listed which are supposed to
refer to the GC. 

 

Either way, I am not sure those would bring down a server - twice. 

 

Sorry if this is rambling a bit. I have been looking at this for several
hours and don't seem to be making any headway. Any thoughts welcome. The
server is up now (after a hard reboot), but I've got to feel comfortable
with leaving this server for a week - or my earlier post about laptop
batteries will be meaningless ;-)

 

TIA

 

-- nme

 






RE: [ActiveDir] AD admin tool for Vista

2006-12-16 Thread joe
Any answers would simply be guesses but I honestly wouldn't expect anything
until Longhorn release time frames.
 
Note that those Petri instructions initially were posted to this list by
Steve Linehan (Microsoft).
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD admin tool for Vista 


Does anyone know when Microsoft will release the Adminpak for Vista? Is the
following link the only solution now? I followed the instructions, and was
able to snap it into MMC, but all AD objects appear with an unrecognizable
icon. Thanks. 
 
 
http://www.petri.co.il/running_win_2003_adminpak_on_vista_rtm.htm


RE: [ActiveDir] Vista GPO

2006-12-16 Thread joe
I don't know of anyone officially moving to Vista any time soon. Folks are
playing with it, usually IT folks are just looking to get the latest and
greatest to feel cool, they don't generally really and truly need any of the
features. Several places I have heard with any kind of plans are talking
2008 soonest for Vista and Office 2007. 

I was chatting with some other folks about this recently and I expect a lot
of companies will find the migration to Vista to be even more difficult than
their migration from Win9x to NT based technology. At least with NT
Technology you usually had a bunch of people that had a lot of NT knowledge
already and could leverage it or could go out into the newsgroups and find
folks who have been running NT stuff in production for years and years. You
don't really have that with Vista (and LongHorn) and the changes are
sufficient enough that it will break quite a few things. I am not saying
that is bad necessarily, that is what everyone started screaming for when
they said MSFT wasn't secure enough. Now people will get to find out what
that really means... I know quite a few developers who are hopping mad over
a lot of the changes and some are even more concerned over where code
signing is going, etc. Especially folks with low priced or free software
that they make available because if code signing becomes absolutely required,
you have to pay for that as a developer/company.

Anyway, my thoughts are that there will be quite a few companies with custom
mechanisms for managing things that they have developed over the years that
will all completely fail or nearly completely fail with Vista and will have
to be reworked or outright replaced which could take a lot of time. This
doesn't even start to get into the realm of just plain old line of business
apps. 

Don't get me wrong, some leading edge people will move fast and take the
black eyes and bloodied noses in stride, most folks though I expect to
follow the old wait for SP1 rule and then wait even longer as they realize
it isn't a simple forklift of the binaries. I wouldn't be surprised to see
most large companies deploying Longhorn heavily into production before Vista
even.

   joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

(as a bystander here .. I personally like the point/counterpoints.. just 
sometimes we need to realize that we lose ...what?  About 60% of 
communication via email? And adjust accordingly okay?  Can we hug and 
make up?)

Pogue's Posts - Technology - New York Times Blog:
http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out 
Vista in other than Lab settings anyway?  I'm getting hit over the head 
on a daily basis by vendors who are saying "Wait".

My two benchmarks of when I can say I'm somewhat "business ready" on 
Vista is when the ISA firewall client that supports Vista ships (it did 
earlier this week) and when Trend isn't offering up beta versions as the 
only ones that will run on Vista.

Are you guys really and truly rolling these suckers out on production boxes?

Don't geeks adapt anyway?  (We may not read... but we adapt right?)

This is slightly incorrect...but the fact is SQL 2005 express officially 
needs sp2 to run on Vista
http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

*Wait Until after Tax Time? *Note that Intuit's tax software divisions 
are recommending that their users wait until after tax season to make 
any move to Windows Vista. These notices are posted for both Lacerte 
Professional Tax Software and ProSeries Professional Tax Software.

*Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much 
promise for significant improvements in security and functionality. 
However, Intuit suggests the decision to upgrade to Windows Vista be 
approached carefully, for two reasons:

* Potential reliability issues often associated with the initial
  release of operating systems.
* Intuit will not be able to support QuickBooks 2006 and earlier on
  Windows Vista.





Laura A. Robinson wrote:
> Deji, I've had enough of you attributing statements to me that I have 
> not made, and therefore I am finished with this conversation.
>  
> Laura
>
>

> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of
> *Akomolafe, Deji
> *Sent:* Friday, December 15, 2006 4:44 PM
> *To:* 

RE: [ActiveDir] Group Membership Update Frequency

2006-12-16 Thread joe
Unfortunately I haven't delved extremely deeply into the application of
Group Policy. I am not sure how membership is being checked/maintained for
it. 

As for what group memberships a given machine currently knows about itself,
you should be able to fire up a localsystem command prompt (K3/XP or before
you use AT service with /interactive) and then use sectok (joeware) or
whoami /groups to see what is in the interactive token. 

If you want to see what other machines think of your access, fire up ADAM on
a member of the domain you care about and fire the localsystem command
prompt again as above and then query the tokenGroups attribute of the
rootdse like so

adfind -h ADAMSERVER -rootdse -resolvesids tokengroups

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Michael Heß
Sent: Saturday, December 16, 2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: AW: [ActiveDir] Group Membership Update Frequency

Joe,

thanks a lot for your helpful reply and sorry that my reply took so long.
I am still waiting for a response because of my Microsoft Support ticket. 

It's my goal to combine GPOs with Security Groups to manage different
actions of the servers in the same OU.

For this reason I created some Security groups and distributed the servers
to the groups.
Then I checked servers by GPRESULT for the group membership and some servers
updated it without measurable delay, some servers after a week and some
servers never.
I can't understand this behaviour and so I started a support request at MS,
for which I am still waiting. 

As soon as I get an official reply I will let you know.

Thomas

PS: Is there another way to check group membership for a server except
GPRESULT?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 10 December 2006 17:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Membership Update Frequency

It depends what you mean by this. 

The off the cuff answer is the server "knows" what it has based on its local
security token so it actually never recognized the change. However

Machines and users can have both local security tokens and kerb certs. The
kerb certs are refreshed, the security token never is. Plus add in NTLM and
if it is used to access remote resources you can have three answers... So
the more full answer is "It depends."

So briefly:

If the security group is needed in the local security token, it will never
get updated, you need to reboot. This will impact the machine's
determination locally of what groups it has if the application is looking at
the token OR trying to access something with Windows security locally (say
like the group allows it to read a file locally). I have asked several folks
inside of MSFT if there is anything that could be used to force this refresh
of the security token and no one has been able to tell me there is indeed
something that will do it and here is how... If so, I would have written the
tool to do it if it were something they could point at.

If the security group is needed for remote kerberos operations or someone is
reading the kerb cert directly local to the machine, it will occur when the
ticket refreshes. You can purge the kerb cache to speed this up. 

If the security group is needed for remote operations where NTLM is being
used (say it is accessing a resource by IP instead of name so it can't do
the SPN lookup), it will be used depending on whether or not the DC being
used by the remote resource has the group membership or not (whether or not
the DC the server itself uses has it or not is immaterial in this case
because the server doesn't tell the remote resource what access it has,
the remote resource asks its DC when it auth's the account). This could be
immediately to seconds after the group update or even weeks depending on the
OS revs of the DCs and the replication topology and max theoretical latency
for the environment. 

This is all exactly the same as it is for users.   


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

hi there,

when does a server recognize that it is part of an AD global Security group?
Do I have to reboot every system or is there an update frequency at which
the server checks the AD?

I need to know this because I want to use Security Group Filtering
with GPOs

Thanks in advance
Thomas

RE: [ActiveDir] Disabling DNS updates for a network interface (for real)

2006-12-16 Thread Akomolafe, Deji
http://support.microsoft.com/default.aspx?scid=kb;KO;275554


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Brian Cline
Sent: Sat 12/16/2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling DNS updates for a network interface (for real)


I've got a third network interface on a DC I'm running at home that acquires a 
DHCP address from a completely separate subnet than the rest of the LAN. Since 
the DC kept updating DNS by adding that IP to its list of dcname.domain.com 
records, I removed the "Register this connection's addresses in DNS" box, but 
the DC still continues to update DNS with that particular address. Is there any 
other method I can use to disable this behavior? I wouldn't mind it so much if 
the other PCs were on that second subnet too, but they are not a part of it and 
thus have trouble connecting to the DC sometimes because of that DNS entry. Any 
ideas are welcome.
Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


[ActiveDir] Disabling DNS updates for a network interface (for real)

2006-12-16 Thread Brian Cline
I've got a third network interface on a DC I'm running at home that
acquires a DHCP address from a completely separate subnet than the rest
of the LAN. Since the DC kept updating DNS by adding that IP to its list
of dcname.domain.com records, I removed the "Register this connection's
addresses in DNS" box, but the DC still continues to update DNS with
that particular address. Is there any other method I can use to disable
this behavior? I wouldn't mind it so much if the other PCs were on that
second subnet too, but they are not a part of it and thus have trouble
connecting to the DC sometimes because of that DNS entry. Any ideas are
welcome.

Brian Cline, Applications Developer
Department of Information Technology
G&P Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




RE: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-16 Thread Laura A. Robinson
One additional clarification- Resource Monitor (aka Resource View) does use
the same objects as Perfmon, but it's a different, (usually) pre-configured
view into resource utilization. This still doesn't help with your problem,
but I didn't want to give the impression that the two are not connected in
any way. :-)

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matheesha Weerasinghe
> Sent: Friday, December 15, 2006 11:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Vista Resource Monitor blank
> 
> Yes I was. I often launch the resource monitor from task 
> manager and it's not blank. But in this instance it was. So I 
> find it hard to believe "it's normal". Thanks for the reply 
> anyway Laura.
> 
> Cheers
> 
> M@
> 
> On 12/15/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
> > Are you referring to Performance Monitor? If so, that's normal. You 
> > have to pick the objects and counters that you want to watch.
> >
> > Laura
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matheesha 
> > > Weerasinghe
> > > Sent: Friday, December 15, 2006 5:34 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] OT: Vista Resource Monitor blank
> > >
> > > Has anyone ever seen the resource monitor of Vista RTM 
> blank with no 
> > > CPU/Mem/Disk etc... details at all? Last night I noticed 
> when I used 
> > > resource monitor it didn't display anything. Task Manager showed 
> > > activity as expected but not the resource monitor. I 
> assumed it was 
> > > possibly due to the machine waking up from sleep but 
> couldn't repro 
> > > it.
> > >
> > > Cheers
> > >
> > > M@


RE: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-16 Thread Laura A. Robinson
Then you weren't referring to Performance Monitor (if you'd said that you
launched it from Task Manager, I wouldn't have thought you meant Perfmon).
Resource Monitor and Performance Monitor are not the same thing, and it *is*
normal for *Perfmon* to launch with no counters, which is why I asked you
for clarification. The only thing I can think of is that there is a delay
before display begins when you launch Resource Monitor from Task Manager.
Since you can't reproduce the problem, it's difficult to give you a solid
answer, but if you are able to reproduce the issue, please post how you did
so so that others can see if they can duplicate it. I have been unable to
reproduce the problem on my machines after waking them from sleep, but if
you are able to come up with a reproducible scenario, I'm certainly willing
to test it.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matheesha Weerasinghe
> Sent: Friday, December 15, 2006 11:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] OT: Vista Resource Monitor blank
> 
> Yes I was. I often launch the resource monitor from task 
> manager and it's not blank. But in this instance it was. So I 
> find it hard to believe "it's normal". Thanks for the reply 
> anyway Laura.
> 
> Cheers
> 
> M@
> 
> On 12/15/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
> > Are you referring to Performance Monitor? If so, that's normal. You 
> > have to pick the objects and counters that you want to watch.
> >
> > Laura
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matheesha 
> > > Weerasinghe
> > > Sent: Friday, December 15, 2006 5:34 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] OT: Vista Resource Monitor blank
> > >
> > > Has anyone ever seen the resource monitor of Vista RTM 
> blank with no 
> > > CPU/Mem/Disk etc... details at all? Last night I noticed 
> when I used 
> > > resource monitor it didn't display anything. Task Manager showed 
> > > activity as expected but not the resource monitor. I 
> assumed it was 
> > > possibly due to the machine waking up from sleep but 
> couldn't repro 
> > > it.
> > >
> > > Cheers
> > >
> > > M@


RE: [ActiveDir] Group Membership Update Frequency

2006-12-16 Thread Thomas Michael Heß
Joe,

Thanks a lot for your helpful reply, and sorry that my reply took so long.
I am still waiting for a response on my Microsoft Support ticket.

It is my goal to combine GPOs with security groups to manage different
actions of the servers in the same OU.

For this reason I created some security groups and distributed the servers
to the groups.
Then I checked the servers with GPRESULT for the group membership, and some
servers updated it without measurable delay, some servers after a week and
some servers never.
I can't understand this behaviour, so I started a support request at MS,
for which I am still waiting.

As soon as I get an official reply I will let you know.

Thomas

PS: Is there another way to check group membership for a server except
GPRESULT?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 10 December 2006 17:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Membership Update Frequency

It depends what you mean by this.

The off-the-cuff answer is the server "knows" what it has based on its local
security token, so it actually never recognized the change. However...

Machines and users can have both local security tokens and kerb certs. The
kerb certs are refreshed; the security token never is. Plus, add in NTLM, and
if it is used to access remote resources, you can have three answers... So
the fuller answer is "It depends."

So briefly:

If the security group is needed in the local security token, it will never
get updated; you need to reboot. This will impact the machine's local
determination of what groups it has if the application is looking at
the token OR trying to access something with Windows security locally (say,
like the group allows it to read a file locally). I have asked several folks
inside of MSFT if there is anything that could be used to force this refresh
of the security token, and no one has been able to tell me there is indeed
something that will do it and here is how... If so, I would have written the
tool to do it if it were something they could point at.

If the security group is needed for remote Kerberos operations, or someone is
reading the kerb cert directly local to the machine, it will occur when the
ticket refreshes. You can purge the kerb cache to speed this up.

If the security group is needed for remote operations where NTLM is being
used (say it is accessing a resource by IP instead of name, so it can't do
the SPN lookup), it will be used depending on whether or not the DC being
used by the remote resource has the group membership or not (whether or not
the DC the server itself uses has it or not is immaterial in this case,
because the server doesn't tell the remote resource what access it has;
the remote resource asks its DC when it auths the account). This could be
immediately to seconds after the group update, or even weeks, depending on the
OS revs of the DCs and the replication topology and max theoretical latency
for the environment.

This is all exactly the same as it is for users.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

Hi there,

When does a server recognize that it is part of an AD global security group?
Do I have to reboot every system, or is there an update frequency at which
the server checks the AD?

I need to know this because I want to use security group filtering
with GPOs.

Thanks in advance
Thomas
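As an added example that is not part of this thread (and not joe's or joeware's code), the following PowerShell script turns the three cases joe describes into something you can run on a member server: it reads the computer account's constructed `tokenGroups` attribute from AD (the group set a DC would place in a ticket, and a GPRESULT-independent way to check a server's membership, which is the question in Thomas's PS), lists the Kerberos tickets in the machine's SYSTEM logon session, and can purge that cache to trigger the ticket refresh joe mentions. It assumes a domain-joined machine, an elevated PowerShell session, and that `klist.exe` is present (Vista/Server 2008 and later); the function name `Get-ComputerTokenGroups` is my own.

```powershell
# Added example, not code from the thread or from joeware. For the computer it
# runs on it shows (1) the effective group list AD computes for the computer
# account (constructed attribute tokenGroups, i.e. what a DC puts into a
# ticket) and (2) the Kerberos tickets the machine account currently holds,
# and it can purge those tickets so the next TGT request carries new groups.
# Assumptions: domain-joined machine, elevated PowerShell session (needed to
# see logon session 0x3e7), klist.exe available (built in from Vista/2008 on).
[CmdletBinding()]
param(
    [switch]$Purge   # purge the machine account's ticket cache after listing it
)

function Get-ComputerTokenGroups {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Locate the computer object; machine sAMAccountNames end in '$'.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = [ADSISearcher]$filter
    $result   = $searcher.FindOne()
    if (-not $result) { throw "Computer object '$ComputerName' not found in AD." }

    $entry = $result.GetDirectoryEntry()
    # tokenGroups is constructed on the DC and not returned by default,
    # so it has to be requested explicitly.
    $entry.RefreshCache([string[]]@('tokenGroups'))

    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. foreign domain): show raw SID
    }
}

# 1. Effective group list as computed by AD for this computer account.
Write-Host "== AD tokenGroups for $env:COMPUTERNAME`$ =="
Get-ComputerTokenGroups | Sort-Object

# 2. Kerberos tickets held by the machine account. Logon session 0x3e7 is the
#    local SYSTEM session, which is where the computer account's tickets live.
Write-Host "`n== Kerberos tickets in the machine logon session (0x3e7) =="
klist -li 0x3e7

# 3. Optionally purge them; the next ticket request will carry the current
#    group SIDs. This does not touch an already-built local access token,
#    which (as joe says above) only a reboot rebuilds.
if ($Purge) {
    klist -li 0x3e7 purge
    Write-Host "Machine ticket cache purged; new tickets are requested on next use."
}
```

Run it as `.\Check-MachineGroups.ps1` to compare what AD says against what the machine currently holds, and with `-Purge` to force the Kerberos side of the refresh; a group that appears in `tokenGroups` but still has no effect on local file access is the local-token case, and only a reboot (or, for the NTLM case, replication to the DC the remote resource uses) will change that.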