[ActiveDir] SID Deleted users remains in NTS permission.
Hello all, happy new year! :) AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have entries in NTFS permissions, I usually see their SIDs remaining in those file and directory ACLs. Is this normal? If not, what could be the reason(s) and how can I investigate this issue? Thanks, Yann
RE: [ActiveDir] SID Deleted users remains in NTS permission.
It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com
RE: [ActiveDir] SID Deleted users remains in NTS permission.
And to remove those orphaned SIDs you could use SUBINACL (make sure you download the latest version from the MS site).

Kind regards, Ing. Jorge de Almeida Pinto, Senior Infrastructure Consultant, MVP Windows Server - Directory Services, LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
Thanks for replying. You say that it is normal that the SID still remains in file and directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically from all existing ACLs set on the file server. I'm a bit surprised that the system (AD / file server) leaves this dirty SID and that there is no synchronisation that updates the link between the AD object and the ACE. What is the reason? Could this behaviour be altered? I'd like the SID to disappear after deletion of the corresponding group in AD, in order not to have these dirty SIDs... Thanks. Yann
Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.
The ACEs in the ACL on the file server are maintained by the LSA on that server. ACLs on member servers are nothing to do with AD really. AD is used to verify the SIDs in the ACLs when necessary, but it's the local LSA that's doing the authorisation (based on the information in one's security token, which AD participates in generating). Managing the ACLs is the client's job, not the DC's job. I don't see this changing in the future. It would be far too complex and expensive to have the DCs manage this kind of stuff. The whole MSFT client-server design is based on the client systems doing most of the leg work. Clients always use servers. Servers don't use clients. --Paul
Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?
Yes. Enabling inter-site change notifications essentially means that you have intra-site replication occurring over a site link. The only real difference is that bridgeheads are still used. Basically, when a DC receives a change, a notification is generated and sent to its downstream partners. By default, notifications are only sent to adjacent DCs within the same site. When you enable change notifications on a site link, notifications are forwarded over the site link by the local bridgeheads. This means that any change will have replicated from the local bridgehead to the remote bridgehead within ~30 seconds. So, a change should have propagated across the site in question in under a minute. Obviously, this puts a little extra load on the BHs, and more frequent traffic on the cross-site links. If the links are more than 2 Mbps and the BHs aren't dying under the load, it will be OK to enable this, but you should monitor the usual CPU and disk queues to be sure. If the BHs are really old, or you have slow lines, then you might want to do additional testing and/or reconsider. --Paul

- Original Message - From: Anders Blomgren, Sent: Thursday, January 04, 2007 1:11 AM:

Does change notification add anything else than account lockouts to the table? I was hoping for some way to add the whole shebang, or at least something that encompasses most daily administrative tasks. Regards, Anders

On 1/4/07, Roger Longden wrote:

You can enable change notification on the site links between the sites in question to allow them to replicate as if they are in the same site. This has the nice benefit that you can have separate sites for authentication, SMS, Exchange etc. purposes while allowing the DCs to replicate (AD replication only; FRS replication is not impacted) in a more timely manner. The link below contains some instructions on enabling the option. Briefly, you modify the options attribute on the site link. Specifically for change notification it's as simple as adding 1 to whatever the current value is. It's not set by default. The change is dynamic; just wait for replication of the change and the KCC to run on both ends. Especially for environments like the one you seem to be describing, change notification between sites is a common configuration. http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EY6AI - Roger

From: Anders Blomgren, Sent: Wednesday, January 03, 2007 6:22 PM:

Hi, we have several different locations, all very well connected (min 100 Mbit). Each location has a DC. Right now, each location is its own site so that the users connect to their local DC. This has the (in my case) disadvantage of limiting the replication schedule to a minimum of 15 minutes. Our network would have no difficulty handling intra-site replication, but is there a way to make sure users connect to their geographically closest DC, including DFS? Yes, I want to have my cake and eat it. But can it be done? Regards, Anders
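Roger's step above (set the change-notification bit in the site link's options attribute), as an added example that is not part of the thread: a PowerShell function that sets the USE_NOTIFY bit (value 1) on one site link. It assumes the ActiveDirectory module on a management host, and the site link name Default-IPSiteLink is a placeholder. It uses a bitwise OR rather than arithmetic "+1", because adding 1 to a value where the bit is already set clears it and carries into the next option bit, while OR is safe to run twice.

```powershell
# Added example (not from the thread): enable inter-site change notification on a
# site link by setting bit 0x1 (USE_NOTIFY) of its "options" attribute.
# Assumes the ActiveDirectory module; 'Default-IPSiteLink' is a placeholder name.
Import-Module ActiveDirectory

$USE_NOTIFY = 0x1   # options bit: forward change notifications across this link

function Enable-SiteLinkNotify {
    param(
        [Parameter(Mandatory)][string]$LinkName,
        [switch]$WhatIf
    )
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $link = Get-ADObject -SearchBase "CN=Inter-Site Transports,CN=Sites,$cfg" `
                         -LDAPFilter "(&(objectClass=siteLink)(cn=$LinkName))" `
                         -Properties options
    if (-not $link) { throw "Site link '$LinkName' not found" }

    # options is absent (null) until something sets it; [int]$null is 0.
    $current = [int]($link.options)
    if (($current -band $USE_NOTIFY) -ne 0) {
        Write-Host "$LinkName already has USE_NOTIFY set (options=$current)"
        return $current
    }

    # -bor, not +1: re-running on a link that already has the bit would otherwise
    # clear it and set bit 0x2 instead.
    $new = $current -bor $USE_NOTIFY
    Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $new } -WhatIf:$WhatIf
    Write-Host "$LinkName options: $current -> $new"
    return $new
}

# Dry run first; drop -WhatIf to apply. Then wait for the change to replicate
# and for the KCC to run on both bridgeheads, as Roger notes.
Enable-SiteLinkNotify -LinkName 'Default-IPSiteLink' -WhatIf
```

The function reads the attribute back before writing so that an existing value (for example a link that already has other option bits set) is preserved rather than overwritten.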
RE: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
The issue is that there is no automated service in AD/Windows that reconciles the SIDs in AD with those used to ACL the file system; AD ACLs are separate and disconnected from the OS ACLs. Imagine deleting a group or user that had permissions on hundreds of computers around your network: the OS on each box would have to *know* that the user or group was deleted and then scan itself for obsolete SIDs, or alternatively some service on the DC could contact each server to scan it for obsolete SIDs. As Deji correctly pointed out, this is another example of why you should use groups to do your permissioning... It is also one of the reasons why many administrators choose to disable user accounts rather than just delete them when they become obsolete. Bob
Re: RE: [ActiveDir] finding users that password never expire.
The equals operator is looking for an exact match. As userAccountControl is a bitwise attribute (each bit represents an option), in many cases it won't be 65536. Using the logical AND matching rule (1.2.840.113556.1.4.803) means that it checks the bit in question, regardless of what other bits are set. As for how you use the AND matching rule, you actually write it as identifier:matching rule:=value, e.g. (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)). More info here: http://msdn2.microsoft.com/en-us/library/aa746475.aspx --Paul

- Original Message - From: Yann, Sent: Monday, October 09, 2006 6:24 PM:

Yes! Thanks, that works so well!! :o) But I have many questions... What is the difference between the query userAccountControl=65536 and (userAccountControl:1.2.840.113556.1.4.803:=65536)? Why couldn't I find any results with my first query? And how do you construct the :1.2.840.113556.1.4.803: part of the LDAP query?? Thanks for your answer :) Yann

Almeida Pinto, Jorge de wrote:

To search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled:

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query, use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

With joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is, by the way, 1.2.840.113556.1.4.804. For the other values see MS KB 305144, "How to Use the UserAccountControl Flags to Manipulate User Account Properties". jorge

From: Yann, Sent: Monday, October 09, 2006 17:44:

Hello all, I had to dump all users in AD whose password never expires. I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD property flags. BUT I found that this search was not complete, because some users have other property flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :( So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query? Thanks, Yann
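The difference Paul explains (equality on the whole integer versus the bitwise-AND matching rule), as an added example that is not from the thread: a PowerShell script that decodes userAccountControl bits, shows on constructed values why the equality filter misses accounts that carry extra bits, and then pushes the same test into an LDAP filter. The sample values are constructed for the example; the Find-NeverExpiringAccounts function assumes the ActiveDirectory module (Get-ADUser) and is only invoked when that module is available.

```powershell
# Added example (not from the thread): userAccountControl is a bit field, so
# "=66048" only matches accounts with exactly NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD
# and nothing else. The :1.2.840.113556.1.4.803: rule tests one bit instead.
$UF = @{
    ACCOUNTDISABLE     = 0x0002
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
    NOT_DELEGATED      = 0x100000
}

function ConvertTo-UacFlags {
    # Decode a userAccountControl integer into the names of the bits that are set.
    param([int]$Uac)
    $UF.GetEnumerator() |
        Where-Object { ($Uac -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object Name
}

# Constructed sample: four accounts' userAccountControl values.
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD; 66050 adds ACCOUNTDISABLE;
# 1114626 adds NOT_DELEGATED as well; 512 is a plain enabled account.
$samples = 66048, 66050, 1114626, 512

foreach ($v in $samples) {
    $exact   = ($v -eq 66048)                              # what "useraccountcontrol=66048" tests
    $bitwise = (($v -band $UF.DONT_EXPIRE_PASSWD) -ne 0)   # what ":1.2.840.113556.1.4.803:=65536" tests
    '{0,8}  exact={1,-5} bitwise={2,-5} {3}' -f $v, $exact, $bitwise, ((ConvertTo-UacFlags $v) -join '|')
}

function Find-NeverExpiringAccounts {
    # Same bit test, done by the DC inside the LDAP filter (Jorge's saved-query form).
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
        Select-Object SamAccountName,
            @{ n = 'Flags'; e = { (ConvertTo-UacFlags $_.userAccountControl) -join '|' } }
}

# Only query AD when the module is present; the table above runs offline.
if (Get-Module -ListAvailable -Name ActiveDirectory) { Find-NeverExpiringAccounts }
```

Of the four constructed values only 66048 passes the equality test, while 66048, 66050 and 1114626 all pass the bitwise test, which is exactly the gap Yann saw with the disabled and not-delegated accounts. Swapping the OID for 1.2.840.113556.1.4.804 turns the same filter into "any of these bits", which is useful when the value has several bits set.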
RE : RE: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
OK, interesting thing you point out. So in the case of restoring the deleted group, there will also be no automated service that reconciles the SID in AD with those used to ACL the file system? Today I discovered something I thought I had mastered... :) Thanks all for the clarification on this subject.
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist, which means you either get to poll or put some form of notification system in place. Consider also the case of trusted security principals: systems don't get a notification when a trusted system deletes a security principal. Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs:

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors, but there are Security Descriptors on many, many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions, and the different types of objects alone is double digits, let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes), that leaves polling. Let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee; they aren't necessarily miracle workers. Could this be done? Maybe. I think I could visualize mechanisms to possibly help here, but would really have to think it through even more than I have, and I have thought a lot about things like this... But it would take serious rework of how security is implemented on Windows, and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain, but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all-inclusive security tracking tools; it is a big, big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups, because the scope of use is huge. Alternately, write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
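joe's suggestion of a home-grown scanner for unresolvable SIDs, as an added example that is not from the thread: a PowerShell script that walks an NTFS tree, reports every ACE whose SID is a domain or machine account SID (S-1-5-21-...) that no longer resolves to a name, and removes such ACEs only when -Remove is given and only where the ACE is explicit rather than inherited. The share root D:\Shares is a placeholder. It is report-only by default for the reasons joe gives: the script cannot tell a deleted principal apart from a SID that merely failed to resolve because a DC or trust was unreachable, and an object brought back with its original SID (which is what an authoritative restore or tombstone reanimation does) makes any ACEs you left in place effective again. That last point also answers Yann's follow-up about restoring the deleted group: nothing reconciles the ACLs in either direction, which is exactly why leaving them alone until you are sure is the safer default.

```powershell
# Added example (not from the thread): find NTFS ACEs whose SID no longer
# resolves. Report-only unless -Remove is passed; inherited ACEs are never
# touched (remove them on the object where they are defined). 'D:\Shares' is
# a placeholder. A SID also fails to resolve when the owning domain or trust
# is unreachable; the script cannot distinguish that from a deletion, which is
# why removal is opt-in and should follow a review of the report.

function Test-SidResolvable {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Find-OrphanedAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Remove
    )
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl     = Get-Acl -LiteralPath $item.FullName
        $changed = $false

        # Copy the collection: we may remove rules from $acl while iterating.
        foreach ($ace in @($acl.Access)) {
            # IdentityReference is an NTAccount when Get-Acl could resolve it and a
            # raw SecurityIdentifier when it could not; normalise to the SID.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

            # Only domain/machine account SIDs can be orphaned by a deletion; well-known,
            # service and capability SIDs are skipped rather than risk a false positive.
            if (-not $sid.Value.StartsWith('S-1-5-21-')) { continue }
            if (Test-SidResolvable -Sid $sid) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $sid.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }

            if ($Remove -and -not $ace.IsInherited) {
                [void]$acl.RemoveAccessRule($ace)
                $changed = $true
            }
        }

        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Report only. Re-run with -Remove after reviewing the list.
Find-OrphanedAce -Root 'D:\Shares' | Format-Table -AutoSize
```

Run it from an account that can read every DACL under the root, and run the report twice on different days before removing anything: a SID that resolves on the second pass was a lookup failure, not an orphan. Explicit Deny ACEs for a deleted principal are as harmless as Allow ones while the SID is gone, but both become live again on restore, so treat the report as an inventory rather than a to-do list.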
[ActiveDir] Windows 2000 domain
Dear all, I have a problem I have never faced before. In my Windows 2000 domain I would like to join a security group to a group, but the system will not let me. I can see that if I choose to join a distribution group instead there is no problem at all. The system is a Small Business 2000 server. What can the problem be, and how do I solve this so I can join the security group instead? Regards, Karsten Aarhus

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] Windows 2000 domain
If you're talking about group nesting, the mode of the domain limits some of the potential configurations. Check to see whether or not you're in mixed mode. If you are, nesting is limited and you can't have universal groups. If you're in native, what group can't you place into what group? Please define the scope of each group, e.g. domain local or global or universal. --Paul
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
But still the actual discussion is pending. If someone is having a single folder which is mapped to a single user. So in that case how we can use groups suppose tomorrow this user left the organization his account got deleted, SID will come on to the permission of that folder. If I am not wrong the actual discussion was why SID is coming after deleted an account. Why it's not getting deleted automatically. Dhiraj Haritwal _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 04, 2007 7:18 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission. Not sure why this suprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals, systems don't get a notification when a trusted system deletes a security principal. Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs 1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits let alone the actual instants of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them. 2. Mistakes. 
Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes) so that leaves polling and lets say you have a tempory network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidently deleted for an hour? I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee, they aren't necessarily miracle workers. Could this be done? Maybe. I think could visualize mechanisms to possibly help here but would really have to think it through even more than I have and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all inclusive security tracking tools, it is a big big deal and if done wrong will really make someone have a bad day. As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups because the scope of use is huge. 
Alternately, write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying. You say that it is normal that the SID still remains in file directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically on all existing ACLs set on the file server. I'm a bit surprised that the system (AD-file server) leaves this dirty SID and that there is no synchronisation that updates the link between the AD object and the ACE. What is the reason? Could this behavior be altered? I'd like the SID to disappear after deletion of the corresponding group in AD in order not to have these dirty SIDs... Thanks. Yann
Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Because it's not managed by the DS. The SID as you refer to it is actually an ACE. The ACE is an item that makes up the DACL, which makes up the ACL. This is managed locally by the member server. Windows itself. The LSA. It's far too expensive and problematic with the current design for this to auto-manage itself. Re-read Joe's post. The DS doesn't know or care where a security principal is referenced as an ACE in an ACL. And the computer in question shouldn't really auto-prune the ACEs based on a rule or two...

--Paul

- Original Message -
From: Haritwal, Dhiraj
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 3:18 PM
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Hi,

After rereading the posts, it now makes sense to me that the ACEs are managed by the local LSA, and not by the AD LSA. So now, if I consider that a group or user is deleted from AD and that object is set on an AD object's ACL (not share or NTFS permissions), that object will definitively disappear with no SID remaining in the ACLs, because the update is done by the local LSA (DC) where the deletion occurs, that is to say AD itself...

Yann

joe [EMAIL PROTECTED] wrote:
Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
No. Not quite. No cleanup happens whatsoever. Even when the ACEs are in the AD they aren't cleaned up. The LSA was mentioned to try and highlight the expense and difficulty of such a cleanup operation. The fact of the matter is that regardless of the securable object, its ACE is managed locally and no cross-checking is done against a DC, and a DC certainly doesn't look for stale ACEs when an object is deleted. Hope this clarifies the point.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 3:54 PM
Subject: RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
RE : Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Yes, definitively ;o) Thanks again!

Cheers,
Yann

Paul Williams [EMAIL PROTECTED] wrote:
RE: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?
Another difference is that you still have the potential for inter-site data compression, though it will not happen as often since the changes may not reach the compression threshold as often. It all depends on how big the replication packets are. At one point the threshold was something like 50KB but I don't remember off the top of my head whether that's still the case. It's something that Dean or joe would know though.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, January 04, 2007 3:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Yes. Enabling inter-site change notifications essentially means that you have intra-site replication occurring over a site link. The only real difference is that bridgeheads are still used.

Basically, when a DC receives a change, a notification is generated and sent to its downstream partners. By default, notifications are only sent to adjacent DCs within the same site. When you enable change notifications on a site link, notifications are forwarded over the site link by the local bridgeheads. This means that any change will have replicated from the local bridgehead to the remote bridgehead within ~30 seconds. So, a change should have propagated across the site in question in under a minute.

Obviously, this puts a little extra load on the BHs, and more frequent amounts of traffic on the cross-site links. If the links are more than 2Mbps and the BHs aren't dying under the load, it will be OK to enable this, but you should monitor the usual CPU and disk queues to be sure. If the BHs are really old, or you have slow lines, then you might want to do additional testing and/or reconsider.
--Paul

- Original Message -
From: Anders Blomgren [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 1:11 AM
Subject: Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Does change notification add anything else than account lockouts to the table? I was hoping for some way to add the whole shebang or at least something that encompasses most daily administrative tasks.

Regards,
Anders

On 1/4/07, Roger Longden [EMAIL PROTECTED] wrote:

You can enable change notification on the site links between the sites in question to allow them to replicate as if they are in the same site. This has the nice benefit in that you can have separate sites for authentication, SMS, Exchange etc. purposes while allowing the DCs to replicate (AD replication only; FRS replication is not impacted) in a more timely manner. The link below contains some instructions on enabling the option. Briefly, you modify the options attribute on the site link. Specifically for change notification it's as simple as adding 1 to whatever the current value is. It's not set by default. The change is dynamic; just wait for replication of the change and the KCC to run on both ends. Especially for environments like what you seem to be describing, change notification between sites is a common configuration.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EY6AI

- Roger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Blomgren
Sent: Wednesday, January 03, 2007 6:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Hi,

We have several different locations, all very well connected (min 100Mbit).
Each location has a DC. Right now, each location is its own site so that the users connect to their local DC. This has the (in my case) disadvantage of limiting the replication schedule to a minimum of 15 minutes. Our network would have no difficulty handling intra-site replication, but is there a way to make sure users connect to their geographically closest DC, including DFS? Yes, I want to have my cake and eat it. But can it be done?

Regards,
Anders
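Roger's instruction above (modify the options attribute on the site link; change notification is the value 1) can be scripted. The following PowerShell (5.1+, plain ADSI) is an added example written for this page, not a script from the thread or from the TechNet page Roger links; the site link name in the usage lines is a placeholder, and the caller is assumed to have write access to the siteLink object. It reads the current value, decodes the flag bits, and sets the change-notification bit with a bitwise OR rather than literally adding 1, which matters if the bit is already set.

```powershell
# Added example (PowerShell 5.1+, ADSI), not from the thread: read and set the
# change-notification bit in the 'options' attribute of an AD site link.
# Bit values of siteLink.options (from the AD schema):
#   0x1 = USE_NOTIFY          (inter-site change notification, what Roger describes)
#   0x2 = TWOWAY_SYNC
#   0x4 = DISABLE_COMPRESSION (the compression Wook mentions is on unless this is set)
# Assumption: the site link name/transport are placeholders supplied by the caller.

function Get-SiteLinkEntry {
    param([Parameter(Mandatory)][string]$SiteLinkName, [string]$Transport = 'IP')
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    return [ADSI]"LDAP://CN=$SiteLinkName,CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNc"
}

function Get-SiteLinkOptions {
    # Raw options value plus decoded flags. 'options' is absent on a link where
    # it was never set, which is the same as 0.
    param([Parameter(Mandatory)][string]$SiteLinkName, [string]$Transport = 'IP')
    $link = Get-SiteLinkEntry $SiteLinkName $Transport
    $options = 0
    if ($null -ne $link.Properties['options'].Value) { $options = [int]$link.Properties['options'].Value }
    [pscustomobject]@{
        SiteLink           = $SiteLinkName
        Options            = $options
        ChangeNotification = [bool]($options -band 0x1)
        TwoWaySync         = [bool]($options -band 0x2)
        CompressionOff     = [bool]($options -band 0x4)
        ReplIntervalMin    = [int]$link.Properties['replInterval'].Value
    }
}

function Set-UseNotifyBit {
    # Pure helper: OR the bit in instead of "adding 1". Adding 1 to a value that
    # already has bit 0 set would carry into bit 1 (TWOWAY_SYNC) and clear USE_NOTIFY.
    param([int]$Options)
    return $Options -bor 0x1
}

function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$SiteLinkName, [string]$Transport = 'IP')
    $link   = Get-SiteLinkEntry $SiteLinkName $Transport
    $before = (Get-SiteLinkOptions $SiteLinkName $Transport).Options
    $after  = Set-UseNotifyBit $before
    if ($after -eq $before) { return "USE_NOTIFY already set on $SiteLinkName (options=$before)" }
    $link.Put('options', $after)
    $link.SetInfo()
    # The write replicates like any configuration-partition change; the KCC on
    # both ends picks it up on its next run, as Roger notes.
    return "USE_NOTIFY enabled on $SiteLinkName (options $before -> $after)"
}

# Usage with a placeholder site link name:
# Get-SiteLinkOptions -SiteLinkName 'DEFAULTIPSITELINK'
# Enable-SiteLinkChangeNotification -SiteLinkName 'DEFAULTIPSITELINK'
```

Run Get-SiteLinkOptions first on every link you intend to touch: it also shows the replInterval and whether compression is already disabled, which is the load trade-off Paul and Wook discuss.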
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
I should point out that you can get dangling SIDs even when the relevant user or group is still in the AD. The scenario involves SID History and the migration of security principals from one domain to another.

Suppose a security principal, say user X with SID X, is migrated from domain A to domain B. (Let's keep everything in the same forest to make it interesting.) The new object, user Y, in domain B will now have a new SID Y, and SID X will be placed in the SID History attribute of the object. The resources back in domain A that user X had permissions to directly will still have ACEs that refer to SID X. Windows uses the SID history to allow user Y to have access back to the resource in domain A. Kind of like having dual citizenship.

At some point after user X is migrated, the AD administrators decide that the user formerly known as user X has had enough time on the fence (or have found that the user is experiencing token bloat, but that's a topic for another message) and clean out SID X from the SID History for user Y. Unless something is done to touch all the objects in domain A that might refer to SID X and replace it with SID Y, user Y will lose access to those resources, and ACEs that refer to SID X will remain in the ACLs for those resources. This is the case for anywhere that SID X is referenced, even though the user formerly known as X (i.e. user Y) is still in the AD.

The difficulty of hunting down all the references to SID X is further complicated if there are any group policies that refer to SID X, or if there are any domains that trusted domain A that could then make reference to SID X in an ACL somewhere. And let's not forget that there may also be references to SID X inside a variety of data stores such as, but not limited to, SQL, Exchange mailboxes, etc.

And just because a SID doesn't back-translate, it doesn't mean that the object is really gone.
It could just mean that the domain that is responsible for the translation is temporarily unavailable, so it's best to double check that the SID is really defunct before purging any references to it.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, January 04, 2007 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
You can also get dangling SIDs when the server housing the resource is not able to contact a corresponding DC for various reasons. One common reason is a WAN outage, another is a DNS hiccup. In any case, you are looking at the permissions on a resource on a file server in a remote office, and you are seeing SIDs instead of normal names because the file server is unable to normalize the SIDs to names at that particular time. The accounts themselves are not deleted in AD; the file server just couldn't reach a DC to get the info. When connectivity/name resolution is restored, the SIDs appear normal as they should. Now, we certainly don't want the file server to go "uh-oh, I can't resolve these wacky names, so they must be bad, let me delete them" during that outage, do we?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Lee, Wook
Sent: Thu 1/4/2007 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
At some point after user X is migrated, the AD administrators decide that user formerly known as user X has had enough time on the fence (or have found that the user is experiencing token bloat but that's a topic for another message) and cleans out SID X from the SID History for user Y. Unless something is done to touch all the objects in domain A that might refer to SID X and replace it with SID Y, user Y will lose access to those resources and ACEs that refer to SID X will remain in the ACLs for those resources. This is the case for anywhere that SID X is referenced even though the user formerly known as X (i.e. user Y) is still in the AD. The difficulty of hunting down all the references to SID X is further complicated if there are any group policies that refer to SID X or if there are any domains that trusted domain A that could then make reference to SID X in an ACL somewhere. And let's not forget that there may also be references to SID X inside a variety of data stores such as but not limited to SQL, Exchange mailboxes, etc. And just because a SID doesn't back-translate, it doesn't mean that the object is really gone. Itcould just mean that the domain that is responsible for the translation is temporarily unavailable, so it's best to double check that the SID is really defunct before purging any references to it. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, January 04, 2007 7:29 AM To: ActiveDir@mail.activedir.org Subject: Re: RE: [ActiveDir] SID Deleted users remains in NTS permission. Because it's not managed by the DS. The SID as you refer to it is actually an ACE. The ACE is an item that makes up the DACL which makes up the ACL. This is managed locally by the member server. Windows itself. The LSA. It's far too expensive and problematic with the current design for this to auto-manage itself. Re-read Joe's post. The DS doesn't know or care where a security principal is referenced as an ACE in an ACL. 
And the computer in question shouldn't really auto-prune the ACEs based on a rule or two... --Paul - Original Message - From: Haritwal, Dhiraj To: ActiveDir@mail.activedir.org Sent: Thursday, January 04, 2007 3:18 PM Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission. But still the actual discussion is pending. If someone is having a single folder which is mapped to a single user. So in that case how we can use groups suppose tomorrow this user left the organization his account got deleted, SID will come on to the permission of that folder. If I am not wrong the actual discussion was why SID is coming after deleted an account. Why it's not getting deleted automatically. Dhiraj Haritwal From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent:
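The thread makes three distinct points about SIDs that will not back-translate: the principal may really be gone, the issuing domain may simply be unreachable at that moment (Deji), or the SID may survive in a migrated principal's sIDHistory (Wook). The following is an added example, not code from any of the posters, that turns those rules into a triage step a file-server admin could run before handing anything to a cleanup tool. The directory model, domain SIDs and ACE list are constructed sample data; it does not talk to a DC or modify an ACL.

```python
"""Triage of SIDs that will not back-translate in a file-server ACL.

Added example for this thread, not code from any of the posters. It models
the three situations described above: a principal that really is gone, a
SID that only looks dead because its issuing domain is unreachable, and a
SID that lives on in a migrated principal's sIDHistory. The directory and
the ACE list are constructed sample data; nothing here touches a real DC
or a real ACL.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Verdict(Enum):
    RESOLVED = "resolved"        # live principal: keep the ACE
    MIGRATED = "migrated"        # in another object's sIDHistory: re-ACL to its new SID
    UNAVAILABLE = "unavailable"  # issuing domain unreachable right now: do not touch
    FOREIGN = "foreign"          # issuing domain unknown here (trusted domain?): leave alone
    ORPHANED = "orphaned"        # issuing domain reachable and denies the SID

@dataclass
class Principal:
    name: str
    sid: str
    sid_history: List[str] = field(default_factory=list)

@dataclass
class Directory:
    """Stand-in for LSA/DC lookups: domain SID -> (reachable, principals)."""
    domains: Dict[str, Tuple[bool, List[Principal]]]

def issuing_domain(sid: str) -> str:
    """Strip the RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def classify_sid(sid: str, d: Directory) -> Tuple[Verdict, Optional[str]]:
    """(verdict, detail) for one ACE SID. Order matters: a live exact match
    wins; a sIDHistory hit in any reachable domain means migrated (detail is
    the current SID); only a reachable issuing domain that positively denies
    the SID gives ORPHANED. Everything else is a reason to wait, not purge."""
    known = d.domains.get(issuing_domain(sid))
    if known and known[0]:
        for p in known[1]:
            if p.sid == sid:
                return Verdict.RESOLVED, p.name
    for reachable, principals in d.domains.values():
        for p in principals:
            if reachable and sid in p.sid_history:
                return Verdict.MIGRATED, p.sid
    if known is None:
        return Verdict.FOREIGN, None
    return (Verdict.ORPHANED if known[0] else Verdict.UNAVAILABLE), None

def triage_acl(ace_sids: List[str], d: Directory):
    return {sid: classify_sid(sid, d) for sid in ace_sids}

def purge_candidates(triage) -> List[str]:
    """Only SIDs a reachable issuing domain has positively disowned."""
    return sorted(s for s, (v, _) in triage.items() if v is Verdict.ORPHANED)

def reacl_map(triage) -> Dict[str, str]:
    """Old SID -> current SID where access survives only through sIDHistory."""
    return {s: new for s, (v, new) in triage.items() if v is Verdict.MIGRATED}

# Constructed sample data: domain SIDs and account names are made up.
DOM_A = "S-1-5-21-1000-2000-3000"  # migration source, reachable
DOM_B = "S-1-5-21-4000-5000-6000"  # migration target, reachable
DOM_C = "S-1-5-21-7000-8000-9000"  # branch office, WAN link down
SAMPLE_DIRECTORY = Directory({
    DOM_A: (True, [Principal("A\\alice", DOM_A + "-1105")]),
    DOM_B: (True, [Principal("B\\bob", DOM_B + "-1201", [DOM_A + "-1106"])]),
    DOM_C: (False, [Principal("C\\carol", DOM_C + "-1500")]),
    "S-1-5-32": (True, [Principal("BUILTIN\\Administrators", "S-1-5-32-544")]),
})
SAMPLE_ACE_SIDS = [
    "S-1-5-32-544",                  # well-known group, resolves
    DOM_A + "-1105",                 # alice, resolves
    DOM_A + "-1106",                 # bob's pre-migration SID, kept in B\bob's sIDHistory
    DOM_C + "-1500",                 # carol: looks dead only because C's DCs are unreachable
    DOM_A + "-1999",                 # really deleted from a reachable domain
    "S-1-5-21-1234-1234-1234-1001",  # domain this server knows nothing about
]

if __name__ == "__main__":
    result = triage_acl(SAMPLE_ACE_SIDS, SAMPLE_DIRECTORY)
    for sid, (verdict, detail) in result.items():
        print(f"{sid:32} {verdict.value:12} {detail or ''}")
    print("safe to purge:", purge_candidates(result))
    print("re-ACL old->new:", reacl_map(result))
```

Of the six constructed ACEs only one ends up in the purge list; the branch-office SID and the unknown-domain SID are left alone, and the pre-migration SID is reported as a re-ACL job rather than garbage, which is exactly the distinction Wook asks for before anything is handed to a tool like SUBINACL.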
RE: [ActiveDir] Filter out a certain group of users from the GAL
Joe, This worked, thanks. Just as you suggested I should do, I used (!(attr=val)) instead of (!attr=val) and pulled the memberOf check out to the top level along with mailnickname.

Cheers,
Victor

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 23, 2006 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

A couple of items to look at for all issues like this: Is the group a universal group[1]? Are the users direct members of the group or in the group via nesting?

Specifically here I would look at the filter in a cleaner format such as what adfind will give you with the -stats+ and -stats+only switches. Here is your query below against one of my test domains with the guests group specified.

    (&
      (mailNickname=*)
      (|
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
          (!
            (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
          )
          (objectClass=user)
          (!
            (homeMDB=*)
          )
          (!
            (msExchHomeServerName=*)
          )
        )
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
          (objectClass=user)
          (|
            (homeMDB=*)
            (msExchHomeServerName=*)
          )
        )
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
          (objectClass=contact)
        )
        (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
        (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
        (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
      )
    )

The filter is kind of messy. Under the OR (|) block you have 6 main components. The last four (easy ones):

3. Any Contacts
4. Any Dynamic DLs
5. Any Public Folders
6. Any groups

All of those tied with the initial mailnickname mean Exchange enabled versions of each. Then the first one says give only user objects that aren't in the group specified and don't have homeMDB and msExchHomeServerName populated. This would be mail enabled users that are NOT in the group you are concerned about. Then the second one says give all users with homeMDB or msExchHomeServerName populated. This would be all mailbox enabled users period.

If you want to set it so that if something is in that group, despite the object type, it won't be in the GAL you would want to pull the memberOf check out to the top level along with mailnickname. Maybe something like

    (&
      (mailNickname=*)
      (!
        (memberOf=CN=Guests,CN=Builtin,DC=domain,DC=com)
      )
      (|
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)
          (objectClass=user)
          (!
            (homeMDB=*)
          )
          (!
            (msExchHomeServerName=*)
          )
        )
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
          (objectClass=user)
          (|
            (homeMDB=*)
            (msExchHomeServerName=*)
          )
        )
        (&
          (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
          (objectClass=contact)
        )
        (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com)
        (objectCategory=CN=ms-Exch-Public-Folder,CN=Schema,CN=Configuration,DC=joe,DC=com)
        (objectCategory=CN=ms-Exch-Dynamic-Distribution-List,CN=Schema,CN=Configuration,DC=joe,DC=com)
      )
    )

joe

[1] Not important if a single domain forest.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Wednesday, December 20, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

Thanks, this got me closer to the correct query. It sure saved me a lot of tries, trying to get the query right using (!attr=val), instead of using (!(attr=val)). I however did not manage to get it working completely. Even with the (!(attr=val)) the query outputs exactly the same. The query below does perhaps look more complex than it in fact is. It is in fact the Default GAL from Exchange as it comes out of the box. I have been trying to filter out a certain group from appearing in this GAL.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed the (!attr=val) and wanted to comment on that specific piece... When making AL filters, Exchange is picky and if you put in a ! you need to use the long form of (!(attr=val)) and not (!attr=val). While AD will not have a problem with the filter, AD isn't interpreting that filter, Exchange is pulling everything from AD and doing the filtering itself. That is why ESM will
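Two things in this thread are easy to take on faith and worth seeing run: that the RFC 4515 grammar really does require `(!(attr=val))` (the `not` production is `"!" filter`, and a filter always starts with `(`), and that where the memberOf test sits in the tree changes which objects survive. The following is an added example, not joe's or Victor's code and not the Exchange or AD implementation: a small strict filter parser and evaluator applied client-side to a handful of constructed objects, the way joe describes Exchange doing its own filtering after pulling objects from AD. The schema DNs, the Guests DN and the sample objects are constructed; the two filters follow the shape of joe's, minus the public-folder and dynamic-DL branches.

```python
"""Strict RFC 4515 filter parsing plus client-side evaluation.

Added example for this thread, not code from joe or Victor and not the
Exchange or AD implementation. Schema DNs, the Guests DN and the sample
objects are constructed; the two filters follow the shape of joe's.
"""

class FilterSyntaxError(ValueError):
    pass

def _ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def _parse(s, i):
    """Parse one 'filter' production at s[i]; return (node, index after it)."""
    i = _ws(s, i)
    if s[i:i + 1] != "(":
        raise FilterSyntaxError("expected '(' at offset %d" % i)
    i = _ws(s, i + 1)
    if s[i:i + 1] in ("&", "|"):
        op, i, kids = s[i], _ws(s, i + 1), []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _ws(s, i)
        if not kids:
            raise FilterSyntaxError("empty '%s' at offset %d" % (op, i))
        node = (op, tuple(kids))
    elif s[i:i + 1] == "!":
        # Grammar: not = "!" filter, and a filter always starts with "(",
        # so (!(attr=val)) parses while (!attr=val) is rejected right here.
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:
        j = s.find(")", i)
        attr, sep, value = s[i:j].partition("=")
        if j < 0 or not sep or not attr.strip():
            raise FilterSyntaxError("expected (attr=value) at offset %d" % i)
        node, i = ("=", attr.strip(), value.strip()), j
    i = _ws(s, i)
    if s[i:i + 1] != ")":
        raise FilterSyntaxError("expected ')' at offset %d" % i)
    return node, i + 1

def parse_filter(text):
    node, pos = _parse(text, 0)
    if _ws(text, pos) != len(text):
        raise FilterSyntaxError("trailing text at offset %d" % pos)
    return node

def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False

def matches(node, obj):
    """Evaluate an AST against {attr: [values]}; attrs and values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(k, obj) for k in node[1])
    if node[0] == "|":
        return any(matches(k, obj) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], obj)
    _, attr, value = node
    vals = [v for k, vs in obj.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def gal_members(filter_text, objects):
    """Names of the objects the filter admits to the address list, sorted."""
    ast = parse_filter(filter_text)
    return sorted(n for n, attrs in objects.items() if matches(ast, attrs))

# Constructed DNs and objects (not from any real directory).
PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com"
GROUP = "CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com"
GUESTS = "CN=Guests,CN=Builtin,DC=domain,DC=com"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
_TAIL = (  # branches shared by both filters: mailbox users, contacts, groups
    f"(&(objectCategory={PERSON})(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    f"(&(objectCategory={PERSON})(objectClass=contact))(objectCategory={GROUP})"
)
# memberOf test buried inside the mail-enabled-user branch only
ORIGINAL_FILTER = (
    f"(&(mailNickname=*)(|(&(objectCategory={PERSON})(!(memberOf={GUESTS}))"
    f"(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))){_TAIL}))"
)
# memberOf test hoisted to the top level beside mailNickname
RESTRUCTURED_FILTER = (
    f"(&(mailNickname=*)(!(memberOf={GUESTS}))(|(&(objectCategory={PERSON})"
    f"(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))){_TAIL}))"
)
SAMPLE_OBJECTS = {
    "alice": {"mailNickname": ["alice"], "objectCategory": [PERSON],
              "objectClass": USER_CLASSES, "homeMDB": ["CN=MBX1"]},
    "bob-guest-mailbox": {"mailNickname": ["bob"], "objectCategory": [PERSON],
                          "objectClass": USER_CLASSES, "homeMDB": ["CN=MBX1"], "memberOf": [GUESTS]},
    "carol-guest-mailenabled": {"mailNickname": ["carol"], "objectCategory": [PERSON],
                                "objectClass": USER_CLASSES, "memberOf": [GUESTS]},
    "dl-sales": {"mailNickname": ["sales"], "objectCategory": [GROUP], "objectClass": ["top", "group"]},
}
```

Run against the sample objects, the original filter still lists `bob-guest-mailbox`, because a mailbox-enabled Guest satisfies the second OR branch and the memberOf test never sees him; the restructured filter drops him and keeps everything else. The parser also rejects `(!memberOf=...)` outright, which is the behaviour joe attributes to Exchange's own evaluator; this example deliberately does not reproduce AD's tolerance of the short form.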
Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?
Thanks a bunch. I guess I was confusing change notifications with urgent notifications. The forest (synonymous with domain in my case) contains below 1000 users and the links are 100Mbit, rarely over 20% utilization. So I think the BHs can take it. Once again, thanks folks!

Regards,
Anders

On 1/4/07, Paul Williams [EMAIL PROTECTED] wrote:

Yes. Enabling inter-site change notifications essentially means that you have intra-site replication occurring over a site link. The only real difference is that bridgeheads are still used. Basically, when a DC receives a change, a notification is generated and sent to its downstream partners. By default, notifications are only sent to adjacent DCs within the same site. When you enable change notifications on a site link, notifications are forwarded over the site link by the local bridgeheads. This means that any change will have replicated from the local bridgehead to the remote bridgehead within ~30 seconds. So, a change should have propagated across the site in question in under a minute.

Obviously, this puts a little extra load on the BHs, and more frequent amounts of traffic on the cross-site links. If the links are more than 2Mbps and the BHs aren't dying under the load, it will be OK to enable this, but you should monitor the usual CPU and disk queues to be sure. If the BHs are really old, or you have slow lines, then you might want to do additional testing and/or reconsider.

--Paul

- Original Message -
From: Anders Blomgren [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 1:11 AM
Subject: Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Does change notification add anything else than account lockouts to the table? I was hoping for some way to add the whole shebang or at least something that encompasses most daily administrative tasks.

Regards,
Anders

On 1/4/07, Roger Longden [EMAIL PROTECTED] wrote:

You can enable change notification on the site links between the sites in question to allow them to replicate as if they are in the same site. This has the nice benefit in that you can have separate sites for authentication, SMS, Exchange etc purposes while allowing the DCs to replicate (AD replication only; FRS replication is not impacted) in a more timely manner. The link below contains some instructions on enabling the option. Briefly, you modify the options attribute on the site link. Specifically for change notification it's as simple as adding 1 to whatever the current value is. It's not set by default. The change is dynamic; just wait for replication of the change and the KCC to run on both ends. Especially for environments like what you seem to be describing, change notification between sites is a common configuration.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EY6AI

- Roger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Blomgren
Sent: Wednesday, January 03, 2007 6:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Hi, We have several different locations, all very well connected (min 100Mbit). Each location has a dc. Right now, each location is its own site so that the users connect to their local dc. This has the (in my case) disadvantage of limiting the replication schedule to a minimum of 15 minutes. Our network would have no difficulty handling intra-site replication, but is there a way to make sure users connect to their geographically closest dc, including dfs? Yes, I want to have my cake and eat it. But can it be done?

Regards,
Anders
[ActiveDir] OT: Hello?
I haven't seen a single e-mail from the mailing list since yesterday morning. Is anyone else seeing this e-mail? Has anyone else received e-mails since then? Just curious if the list has just been dead for the past day, or if something might not be working properly. ~Ben
Re: [ActiveDir] OT: Hello?
Given that I asked a question and got 4 decent answers, I'd say it works in more ways than one. :)

Regards,
Anders

On 1/4/07, WATSON, BEN [EMAIL PROTECTED] wrote:
RE: [ActiveDir] OT: Hello?
I've seen a few today, but the list has been quite slow for the last week or so. Come on guys, the holidays are the time to actually get stuff done :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, January 04, 2007 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Hello?
RE: [ActiveDir] OT: Hello?
Hey, Santa brought me a coupon for a new home computer, redeemed the coupon and built the system. Doesn't that count as work??

Dan

Original Message
Subject: RE: [ActiveDir] OT: Hello?
From: Crawford, Scott [EMAIL PROTECTED]
Date: Thu, January 04, 2007 3:35 pm
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] OT: Hello?
Only if you had to install Linux.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, January 04, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?
RE: [ActiveDir] OT: Hello?
"Santa brought me coupon for a new home computer, redeemed the coupon and built the system"

So, what exactly did YOU do?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Gil Kirkpatrick
Sent: Thu 1/4/2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?
RE: [ActiveDir] OT: Hello?
Well, I usually lurk on this list but my day to day task is to run a W2K3 forest.

Dan

Original Message
Subject: RE: [ActiveDir] OT: Hello?
From: Akomolafe, Deji [EMAIL PROTECTED]
Date: Thu, January 04, 2007 4:20 pm
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] OT: Hello?
Gil, I will attach a LINUX sticker on one side and mount my DEC chicken on the other.

Dan

Original Message
Subject: RE: [ActiveDir] OT: Hello?
From: Gil Kirkpatrick [EMAIL PROTECTED]
Date: Thu, January 04, 2007 4:09 pm
To: ActiveDir@mail.activedir.org
[ActiveDir] Directory Experts Conference Early-bird pricing expires this week
Greetings, list mavens. The early-bird pricing for DEC 2007 expires this week, so if you're thinking about coming, now would be a good time to register. Some of the highlights of this year's conference:

1. Hands-on Longhorn AD workshop
2. Hands-on MIIS Raven workshop
3. Hands-on ADFS workshop
4. Keynotes by Kim Cameron (Microsoft architect for identity) and Peter Houston (Microsoft Senior Director for Identity and Access)
5. Walkthrough and feedback sessions for MIIS Raven
6. Two full tracks of AD technical sessions
7. Two full tracks of MIIS technical sessions
8. Sessions on ADFS, Certificate Lifecycle Manager, InfoCard, and Rights Management Server

So now's the time... Check the agenda and register at www.dec2007.com.

Thanks,
Gil Kirkpatrick
Conference Founder
MVP, Directory Services