RE: [ActiveDir] moving server local groups to AD?

2007-01-25 Thread Grillenmeier, Guido
ADMT (even in V3) doesn't support this directly, however, you can still use it 
to do the re-ACLing if you want, since you can feed it with a list of SID 
mappings.  You would still have to perform the bulk of the work yourself, which 
would be to re-create matching groups in AD and to add the members of the 
server-local groups to the AD groups.  While doing this, you'd create your SID 
mapping-file.

I know that Quest's DMW tool has the capability to do all of this for you (i.e. 
migrate server local groups to AD incl. membership and re-ACLing the server 
appropriately) - but you might also want to Google around a little for scripts 
that serve this purpose.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael 
M.
Sent: Donnerstag, 25. Januar 2007 04:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] moving server local groups to AD?

(I sure hope this doesn't sound like too dumb a question!)  We have a server 
where local security groups were created for local file access.  The files on 
this server are going to be moved to a file server cluster.  Can ADMT v3 
migrate these security groups up to the AD structure with the hopes of 
retaining SIDHistory and therefore access to the moved files?

If ADMT wouldn't work, does anyone have suggestions for this operation?  As 
always, any help is appreciated!

Mike Thommes
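
The manual part of Guido's answer (re-create matching groups in AD, carry over the members, and build the SID mapping file while doing so) can be planned offline from an inventory of the server's local groups. The sketch below is an added example, not part of the original thread and not ADMT code; the server FS01, the EXAMPLE domain, the `FS01-` naming prefix, every SID and the `source,target` line layout of the mapping file are assumptions to check against the ADMT documentation.

```python
"""Plan a server-local-group to AD-group migration and emit SID mapping lines.

All names and SIDs below are constructed sample data.
"""

BUILTIN_PREFIX = "S-1-5-32-"   # BUILTIN aliases exist on every host, nothing to map
SERVER = "FS01"                                           # hypothetical source server
DOMAIN = "EXAMPLE"                                        # hypothetical target domain
SERVER_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed machine SID
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"    # constructed domain SID

# Constructed inventory: local group -> (group SID, [(member name, member SID)])
INVENTORY = {
    "Finance-RW": (SERVER_SID + "-1005", [
        ("EXAMPLE\\alice", DOMAIN_SID + "-1104"),
        ("FS01\\svc_backup", SERVER_SID + "-1002"),
    ]),
    "Finance-RO": (SERVER_SID + "-1006", [
        ("EXAMPLE\\bob", DOMAIN_SID + "-1105"),
        ("NT AUTHORITY\\Authenticated Users", "S-1-5-11"),
    ]),
    "Administrators": ("S-1-5-32-544", [
        ("EXAMPLE\\Domain Admins", DOMAIN_SID + "-512"),
    ]),
}


def classify_member(member_sid, server_sid, domain_sid):
    """Say whether a member can simply be added to the new AD group."""
    if member_sid.startswith(server_sid + "-"):
        return "local"      # account lives in the server's SAM, not in AD
    if member_sid.startswith(domain_sid + "-"):
        return "domain"     # can be carried over as-is
    return "review"         # well-known or foreign principal, decide by hand


def plan_migration(inventory, server, server_sid, domain, domain_sid):
    """Return groups to create, mapping-file lines, skipped groups and problems."""
    plan = {"create": [], "mapping": [], "skipped": [], "problems": []}
    for name, (group_sid, members) in sorted(inventory.items()):
        if group_sid.startswith(BUILTIN_PREFIX):
            plan["skipped"].append(name)
            continue
        if not group_sid.startswith(server_sid + "-"):
            plan["problems"].append((name, group_sid, "foreign-group-sid"))
            continue
        target = f"{domain}\\{server}-{name}"
        carry = []
        for member_name, member_sid in members:
            kind = classify_member(member_sid, server_sid, domain_sid)
            if kind == "domain":
                carry.append(member_name)
            else:
                plan["problems"].append((name, member_name, kind))
        plan["create"].append((target, carry))
        # One line per re-ACL pair: old server-local SID, new AD group.
        plan["mapping"].append(f"{group_sid},{target}")
    return plan


def render_mapping_file(plan):
    """Text of the mapping file, one source,target pair per line."""
    return "\n".join(plan["mapping"]) + "\n"


if __name__ == "__main__":
    result = plan_migration(INVENTORY, SERVER, SERVER_SID, DOMAIN, DOMAIN_SID)
    print(render_mapping_file(result), end="")
    for problem in result["problems"]:
        print("needs a decision:", problem)
```

Members reported under `problems` are the ones that cannot be copied blindly: a server-local account has no AD identity, so its access has to be re-granted to a domain account before the files move.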


RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Grillenmeier, Guido
What other things did you change in the same or other GPOs that apply to the 
machine you're logging on as admin?  If you've applied some lockdown GPOs for 
file-system permissions, those will also apply for your admins

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den 
Wyngaert
Sent: Mittwoch, 24. Januar 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO

Hi,

I've set a GPO for some users that restricts usage of "Add or Remove Programs" 
(User Configuration\Administrative Templates\Control Panel\Add or Remove 
Programs). This GPO is linked to a specific OU where those users reside.

But now I have even with admin accounts to which the GPO doesn't apply (totally 
different OU location and so on...) problems with opening the interface, it 
refers to security that is not correct on C:\WINNT\System32\rundll32.exe

Is this normal?! Did I miss something before setting this GPO?

Thanks,
Bart


Re: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Bart Van den Wyngaert

No NTFS or other restrictions set in that GPO or the PC GPO.
Only some other restrictions like no access to control panel, no messenger,
... stuff.

These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).

My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...

Thanks,
Bart


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:


 What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart



RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Grillenmeier, Guido
So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error 
message could naturally be a false hint, but might as well check it out.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den 
Wyngaert
Sent: Donnerstag, 25. Januar 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

No NTFS or other restrictions set in that GPO or the PC GPO.
Only some other restrictions like no access to control panel, no messenger, ... 
stuff.

These apply to the specific Users OU + Computer OU, making a User & PC 
configuration for those PC's + Users (certain department).

My admin account is totally somewhere else in the directory without those GPO's 
applied to. The restrictions in the Computer GPO are also not set to block the 
admin. I can drilldown the Computer GPO if you want, as I don't see any 
relevant setting in it. Otherwise I would be blocking myself and that's just 
the point I don't want...

Thanks,
Bart


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> 
wrote:

What other things did you change in the same or other GPOs that apply to the 
machine you're logging on as admin?  If you've applied some lockdown GPOs for 
file-system permissions, those will also apply for your admins



/Guido



From: [EMAIL PROTECTED]  [mailto:[EMAIL 
PROTECTED]] On Behalf Of Bart Van den Wyngaert
Sent: Mittwoch, 24. Januar 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove Programs" 
(User Configuration\Administrative Templates\Control Panel\Add or Remove 
Programs). This GPO is linked to a specific OU where those users reside.



But now I have even with admin accounts to which the GPO doesn't apply (totally 
different OU location and so on...) problems with opening the interface, it 
refers to security that is not correct on C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart



[ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



Re: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Bart Van den Wyngaert

I did, but the local administrators group has full control on the file. And
of course, my AD admin account is part of the local administrators group on
the workstations (naturally).

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...


On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:


 So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The
error message could naturally be a false hint, but might as well check it
out.



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Donnerstag, 25. Januar 2007 12:00
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] "Add or Remove Programs" GPO



No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no
messenger, ... stuff.



These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).



My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...



Thanks,

Bart



On 1/25/07, *Grillenmeier, Guido* <[EMAIL PROTECTED]> wrote:

What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



/Guido



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Bart Van den Wyngaert
*Sent:* Mittwoch, 24. Januar 2007 17:38
*To:* ActiveDir
*Subject:* [ActiveDir] "Add or Remove Programs" GPO



Hi,



I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.



But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe



Is this normal?! Did I miss something before setting this GPO?



Thanks,

Bart





RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the "modified date" and the "creation date" are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Paul Williams
You can register records like this by messing up a reverse lookup record 
addition using DNSCMD.

--Paul


  - Original Message - 
  From: EIS Lists 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, January 24, 2007 9:28 PM
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone


  Thanks, all. Ulf, your explanation was great! I am sure it was someone 
(probably me!) who just typed a .1 in some setting on the printer and allowed it to 
register in DNS. 

   

  Many thanks.

   

  -- nme

   

  Noah Eiger

   


--

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
  Sent: Wednesday, January 24, 2007 12:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  Just 9:30 pm here, so not really late.

   

  Many are mixing up the zones with the "DNS-Subdomains" or whatever they are 
actually called. But in this case he even had it right, he said that under the 
domain zone he has the "_*"-folders as well as a folder "1". I had to reread 
too ;-)

   

  How are things? See you in March?

   

  Gruesse - Sincerely, 

  Ulf B. Simon-Weidner 

Profile & Publications:   
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Mittwoch, 24. Januar 2007 21:17
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  That's what I would expect.  But since the original poster called it a "zone" 
I figured I'd ask. What are you doing up so late? :)

  On 1/24/07, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:

  No Zone - no properties ;-)

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Mittwoch, 24. Januar 2007 20:24
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  What are properties of the 1 zone? 

  On 1/24/07, EIS Lists <[EMAIL PROTECTED]> wrote:

  Hi -



  Under one of our forward lookup zones (AD-integrated), we have the usual
  folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
  as a single folder just named: "1" (without the quotes). There is a single 
  A-record  under it for one of our printers.



  Any idea what this folder is?



  Thanks.



  -- nme





   

   


RE: [ActiveDir] "Add or Remove Programs" GPO

2007-01-25 Thread Darren Mar-Elia
You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is its something else. What
happens, as administrator, when you run "appwiz.cpl" from a command prompt?

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Thursday, January 25, 2007 4:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

I did, but the local administrators group has full control on the file. And
of course, my AD admin account is part of the local administrators group on
the workstations (naturally).

 

That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either... 

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

So what is the NTFS security on C:\WINNT\System32\rundll32.exe?  The error
message could naturally be a false hint, but might as well check it out.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Donnerstag, 25. Januar 2007 12:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "Add or Remove Programs" GPO

 

No NTFS or other restrictions set in that GPO or the PC GPO.

Only some other restrictions like no access to control panel, no messenger,
... stuff.

 

These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PC's + Users (certain department).

 

My admin account is totally somewhere else in the directory without those
GPO's applied to. The restrictions in the Computer GPO are also not set to
block the admin. I can drilldown the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want... 

 

Thanks,

Bart

 

On 1/25/07, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote: 

What other things did you change in the same or other GPOs that apply to the
machine you're logging on as admin?  If you've applied some lockdown GPOs
for file-system permissions, those will also apply for your admins 

 

/Guido

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bart Van den
Wyngaert
Sent: Mittwoch, 24. Januar 2007 17:38
To: ActiveDir
Subject: [ActiveDir] "Add or Remove Programs" GPO

 

Hi,

 

I've set a GPO for some users that restricts usage of "Add or Remove
Programs" (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside. 

 

But now I have even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...) problems with opening the
interface, it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe 

 

Is this normal?! Did I miss something before setting this GPO?

 

Thanks,

Bart

 

 



[ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it lists my tickets, etc... 

Twice during the day yesterday it turned red and said there was no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



Re: [ActiveDir] Kerberos Question

2007-01-25 Thread Al Mulnick

It could also mean you have a problem with the tool, right?

Are you seeing some other symptoms that caused you to look at this tool?
Time? you can check that pretty easily by checking the time on your machine
and comparing to a DC in your environment.

What do you see in your system event log?

On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote:


 Just curious –



I have the resource kit tool *Kerbtray *running on my taskbar – When I
double click it; it list my tickets, etc…

Twice during the day yesterday it turned red and said there was no tickets
available. It's already done this once today –



When it was showing information it had a ticket renewal until time up to 8
days and a start and end time offset of 10 minutes



Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc.



Thanks in advance for any insight on this.



Mike





RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
The Time is the same on the PDC emulator as my PC – no event logs I could find 
– I guess it might be a problem with the tool – I don’t have any firewalls 
between my PC and the DC. The loss of the ticket information is what raised the 
flag for me. 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 25, 2007 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Question

 

It could also mean you have a problem with the tool, right? 

Are you seeing some other symptoms that caused you to look at this tool? 
Time? you can check that pretty easily by checking the time on your machine and 
comparing to a DC in your environment. 

What do you see in your system event log? 

On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote: 

Just curious – 

 

I have the resource kit tool Kerbtray running on my taskbar – When I double 
click it; it list my tickets, etc… 

Twice during the day yesterday it turned red and said there was no tickets 
available. It's already done this once today – 

 

When it was showing information it had a ticket renewal until time up to 8 days 
and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time 
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Thommes, Michael M.
I think you are seeing your Kerberos tickets start to reach their
expiration time.  The kerbtray icon will go from green to red.  I think
the last 5 or 15 minutes the default configuration will also issue an
audible (and very distinctive) sound.  The tickets will renew
automatically (and the icon will go from red back to green).  This will
happen until you reach the default "renew tickets until..." date.  At
that time you will need to manually renew your ticket unless you do
something like logoff and then logon to automatically get new tickets.

 

Hth,

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question 

 

Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it list my tickets, etc... 

Twice during the day yesterday it turned red and said there was no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 
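
The lifecycle described in the reply above (a ticket nears its end time, is renewed, and renewals stop at the "renew until" limit), together with the clock comparison suggested earlier in the thread, as an added example that is not part of the original messages. The 10-hour lifetime, 7-day renewal limit, 15-minute warning window, 5-minute skew tolerance and all timestamps are assumptions chosen for the illustration, not values read from this environment.

```python
from datetime import datetime, timedelta

# Assumed policy values and constructed timestamps for the illustration.
START = datetime(2007, 1, 25, 8, 0)
LIFETIME = timedelta(hours=10)
RENEW_UNTIL = START + timedelta(days=7)
RENEW_MARGIN = timedelta(minutes=15)
WARN_WINDOW = timedelta(minutes=15)
MAX_SKEW = timedelta(minutes=5)


def renewal_timeline(start, lifetime, renew_until, renew_margin):
    """Return [(issued_at, end_time), ...] for the first ticket and each renewal.

    Every renewal is requested `renew_margin` before the current ticket ends.
    The new end time is capped at `renew_until`; once that cap is reached no
    further renewal is possible and a fresh ticket has to be requested.
    """
    if renew_margin >= lifetime:
        raise ValueError("renew_margin must be shorter than the ticket lifetime")
    issued, end = start, min(start + lifetime, renew_until)
    timeline = [(issued, end)]
    while end < renew_until:
        issued = end - renew_margin
        end = min(issued + lifetime, renew_until)
        timeline.append((issued, end))
    return timeline


def ticket_state(now, end, renew_until, warn_window):
    """Classify one cached ticket at time `now`."""
    if now >= renew_until:
        return "renew-until passed: fresh logon needed"
    if now >= end:
        return "expired"
    if end - now <= warn_window:
        return "expiring: renewal due"
    return "valid"


def clock_skew_ok(client_time, dc_time, max_skew):
    """True when client and DC clocks agree within the tolerated skew."""
    return abs(client_time - dc_time) <= max_skew


if __name__ == "__main__":
    timeline = renewal_timeline(START, LIFETIME, RENEW_UNTIL, RENEW_MARGIN)
    for issued, end in timeline[:3] + timeline[-1:]:
        print(f"issued {issued:%a %H:%M}  ends {end:%a %H:%M}")
    probe = START + timedelta(hours=9, minutes=50)
    print(ticket_state(probe, timeline[0][1], RENEW_UNTIL, WARN_WINDOW))
```

A tray icon that turns red for a short time and then recovers matches the "expiring: renewal due" state; one that stays red after the last entry of the timeline matches the "fresh logon needed" state.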

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Mike Hogenauer
Cool - sounds good to me! 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 25, 2007 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Question 

 

I think you are seeing your Kerberos tickets start to reach their
expiration time.  The kerbtray icon will go from green to red.  I think
the last 5 or 15 minutes the default configuration will also issue an
audible (and very distinctive) sound.  The tickets will renew
automatically (and the icon will go from red back to green).  This will
happen until you reach the default "renew tickets until..." date.  At
that time you will need to manually renew your ticket unless you do
something like logoff and then logon to automatically get new tickets.

 

Hth,

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question 

 

Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it; it list my tickets, etc... 

Twice during the day yesterday it turned red and said there was no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Ryan A. Conrad
If you suspect it's the KerbTray tool, you may wish to use KList (part of the 
Reskit) to verify that both are showing the same output.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Question

The Time is the same on the PDC emulator as my PC - no event logs I could find 
- I guess it might be a problem with the tool - I don't have any firewalls 
between my PC and the DC. The loss of the ticket information is what raised the 
flag for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 25, 2007 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Question

It could also mean you have a problem with the tool, right?

Are you seeing some other symptoms that caused you to look at this tool?
Time? you can check that pretty easily by checking the time on your machine and 
comparing to a DC in your environment.

What do you see in your system event log?
On 1/25/07, Mike Hogenauer <[EMAIL PROTECTED]> wrote:

Just curious -



I have the resource kit tool Kerbtray running on my taskbar - When I double 
click it; it list my tickets, etc...

Twice during the day yesterday it turned red and said there was no tickets 
available. It's already done this once today -



When it was showing information it had a ticket renewal until time up to 8 days 
and a start and end time offset of 10 minutes



Does this mean my ticket is getting renewed or that I could have a time 
problem, connecting to the PDC emulator problem, etc.



Thanks in advance for any insight on this.



Mike





RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Ulf B. Simon-Weidner
A Hostname underneath a folder "1"? I'd agree if just the number would be
there, but not with a name (<> other number) underneath.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Donnerstag, 25. Januar 2007 15:14
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

You can register records like this by messing up a reverse lookup record
addition using DNSCMD.

 

--Paul

 

- Original Message - 

From: EIS Lists   

To: ActiveDir@mail.activedir.org 

Sent: Wednesday, January 24, 2007 9:28 PM

Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Thanks, all. Ulf, your explanation was great! I am sure it was someone
(probably me!) who just typed a .1 in some setting on the printer and allowed it
to register in DNS. 

 

Many thanks.

 

-- nme

 

Noah Eiger

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

Just 9:30 pm here, so not really late.

 

Many are mixing up the zones with the "DNS-Subdomains" or whatever they are
actually called. But in this case he even had it right, he said that under
the domain zone he has the "_*"-folders as well as a folder "1". I had to
reread too ;-)

 

How are things? See you in March?

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

That's what I would expect.  But since the original poster called it a
"zone" I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:

No Zone - no properties ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Mittwoch, 24. Januar 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

 

What are properties of the 1 zone? 

On 1/24/07, EIS Lists <[EMAIL PROTECTED]> wrote:

Hi -



Under one of our forward lookup zones (AD-integrated), we have the usual
folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
as a single folder just named: "1" (without the quotes). There is a single 
A-record  under it for one of our printers.



Any idea what this folder is?



Thanks.



-- nme




 

 



RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the "modified date" and the "creation date" are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes

 



Re: [ActiveDir] AD Security Auditing

2007-01-25 Thread AFidel
AdFind.exe -sddc++  -b DC=example,DC=com -resolvesids -f "|(objectcategory=container)(objectcategory=organizationalUnit)" >OU_ACL.txt

Thanks,
Andrew Fidel




"Casey Robertson" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing

We are embarking on a project to clean up our OUs structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and 
individual object types (users, computers, etc) so that we can determine 
who has rights to what.  The prospect of doing this manually is daunting 
at best and for the most part I have only seen 3rd party tools (read: 
expensive) that do this in an easy to use fashion.
 
Any suggestions for tools, scripts etc would be appreciated.  Either that 
or we can rebuild our OU structure :)
 
Casey Robertson
 


[ActiveDir] remove orphan DC from the domain

2007-01-25 Thread senthil Kumar
Hi,

 

We already had 3 DCs in our network. Suddenly one DC has gone down permanently.
That won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article 

 


1.  Click Start, point to Programs, point to Accessories, and then click
    Command Prompt.

2.  At the command prompt, type ntdsutil, and then press ENTER.

3.  Type metadata cleanup, and then press ENTER. Based on the options given,
    the administrator can perform the removal, but additional configuration
    parameters must be specified before the removal can occur.

4.  Type connections and press ENTER. This menu is used to connect to the
    specific server where the changes occur. If the currently logged on user
    does not have administrative permissions, different credentials can be
    supplied by specifying the credentials to use before making the
    connection. To do this, type set creds DomainName UserName Password, and
    then press ENTER. For a null password, type null for the password
    parameter.

5.  Type connect to server servername, and then press ENTER. You should
    receive confirmation that the connection is successfully established. If
    an error occurs, verify that the domain controller being used in the
    connection is available and the credentials you supplied have
    administrative permissions on the server.

    Note If you try to connect to the same server that you want to delete,
    when you try to delete the server that step 15 refers to, you may receive
    the following error message:

    Error 2094. The DSA Object cannot be deleted0x2094

6.  Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7.  Type select operation target and press ENTER.

8.  Type list domains and press ENTER. A list of domains in the forest is
    displayed, each with an associated number.

9.  Type select domain number and press ENTER, where number is the number
    associated with the domain the server you are removing is a member of.
    The domain you select is used to determine whether the server being
    removed is the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated
    number, appears.

11. Type select site number and press ENTER, where number is the number
    associated with the site the server you are removing is a member of. You
    should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site,
    each with an associated number, is displayed.

13. Type select server number, where number is the number associated with the
    server you want to remove. You receive a confirmation listing the
    selected server, its Domain Name System (DNS) host name, and the location
    of the server's computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu appears.

15. Type remove selected server and press ENTER. You should receive
    confirmation that the removal completed successfully. If you receive the
    following error message, the NTDS Settings object may already be removed
    from Active Directory as the result of another administrator removing the
    NTDS Settings object or replication of the successful removal of the
    object after running the DCPROMO utility.

    Error 8419 (0x20E3)
    The DSA object could not be found

    Note You may also see this error when you try to bind to the domain
    controller that will be removed. Ntdsutil has to bind to a domain
    controller other than the one that will be removed with metadata cleanup.

16. Type quit, and then press ENTER at each menu to quit the Ntdsutil
    utility. You should receive confirmation that the connection disconnected
    successfully.

17. Remove the cname record in the _msdcs.root domain of forest zone in DNS.
    Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings
    object is created with a new GUID and a matching cname record in DNS. You
    do not want the DCs that exist to use the old cname record.

    As best practice, you should delete the host name and other DNS records.
    If the lease time that remains on Dynamic Host Configuration Protocol
    (DHCP) address assigned to offline server is exceeded then another client
    can obtain the IP address of the problem DC.

18. In the DNS console, use the DNS MMC to delete the A record in DNS. The A
    record is also known as the Host record. To delete the A record,
    right-click the A record, and then click Delete. Also, delete the cname
    record in the _msdcs container. To do this, expand the _msdcs container,
    right-click cname, and then click Delete.

    Important If this is a DNS server, remove the reference to this DC under
    the Name Servers tab. To do this, in the DNS console, click the domain
    name under Forward Lookup Zones, and then remove this server from the
    Name Servers tab.

    Note If you have reverse lookup zones, also remove the server from these
    zones.

19. If the deleted computer is the last domain controller in a child domain,
    and the child domain was also deleted, use AD

Re: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Matt . Duguid
It should be removed. We had the same situation on our site in the past
and used the same article. We did a search on the AD later and found the
odd piece of data hanging around in AD which we tidied up.

Which domain controllers held which FSMO roles? Were any on the DC that you
have lost? Have you managed to transfer these to another DC?

Cheers,

Matt Duguid
Microsoft Systems Engineer
Information and Technology Group - Identity Services
The Department of Internal Affairs Te Tari Taiwhenua

Direct Dial: +64 4 4748028 x8028
Fax: +64 4 4748894
Mobile: +64 21 1713290
Address: Level 4, 47 Boulcott Street, Wellington, New Zealand
Internet: http://www.dia.govt.nz/



"senthil Kumar" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
26/01/2007 12:14 p.m.
Please respond to ActiveDir

To:
cc:
Subject: [ActiveDir] remove orphan DC from the domain


Hi,

We already had 3 DCs in our network. Suddenly one DC has gone down permanently.
That won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article




   
 1.  Click Start, point to Programs, point to Accessories, and then click 
Command Prompt.  

   
 2.  At the command prompt, type ntdsutil, and then press ENTER.
   

   
 3.  Type metadata cleanup, and then press ENTER. Based on the options given, 
the administrator can perform the removal, but   
 additional configuration parameters must be specified before the removal 
can occur.   

   
 4.  Type connections and press ENTER. This menu is used to connect to the 
specific server where the changes occur. If the currently   
 logged on user does not have administrative permissions, different 
credentials can be supplied by specifying the credentials to   
 use before making the connection. To do this, type set creds 
DomainName UserName Password, and then press ENTER. For a null 
 password, type null for the password parameter.
   

   
 5.  Type connect to server servername, and then press ENTER. You should 
receive confirmation that the connection is successfully  
 established. If an error occurs, verify that the domain controller being 
used in the connection is available and the credentials  
 you supplied have administrative permissions on the server.
   

   
 Note If you try to connect to the same server that you want to delete, 
when you try to delete the server that step 15 refers to,  
 you may receive the following error message:   
   
 Error 2094. The DSA Object cannot be deleted0x2094 

RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
The AD metadata cleanup is nothing more than removal/deletion of objects that 
belong to a DC that is not live anymore. Just like other object deletions 
(user, group, etc.) the deletions will replicate to other DCs (assuming 
replication is working fine) that host the same partitions from which the 
objects were removed. Because of that you only need to target ONE live DC in 
the same domain when using NTDSUTIL.
 
Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain



Hi,

 

We already had 3 DCs in our network. Suddenly one DC has gone down permanently. 
That won't come back live. Right now we want to remove that orphan DC 
completely. I have seen the Microsoft article 

 

1.

Click Start, point to Programs, point to Accessories, and then click Command 
Prompt.

2.

At the command prompt, type ntdsutil, and then press ENTER.

3.

Type metadata cleanup, and then press ENTER. Based on the options given, the 
administrator can perform the removal, but additional configuration parameters 
must be specified before the removal can occur.

4.

Type connections and press ENTER. This menu is used to connect to the specific 
server where the changes occur. If the currently logged on user does not have 
administrative permissions, different credentials can be supplied by specifying 
the credentials to use before making the connection. To do this, type set creds 
DomainName UserName Password, and then press ENTER. For a null password, type 
null for the password parameter.

5.

Type connect to server servername, and then press ENTER. You should receive 
confirmation that the connection is successfully established. If an error 
occurs, verify that the domain controller being used in the connection is 
available and the credentials you supplied have administrative permissions on 
the server.

Note If you try to connect to the same server that you want to delete, when you 
try to delete the server that step 15 refers to, you may receive the following 
error message: 

Error 2094. The DSA Object cannot be deleted0x2094 

6.

Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7.

Type select operation target and press ENTER.

8.

Type list domains and press ENTER. A list of domains in the forest is 
displayed, each with an associated number.

9.

Type select domain number and press ENTER, where number is the number 
associated with the domain the server you are removing is a member of. The 
domain you select is used to determine whether the server being removed is the 
last domain controller of that domain.

10.

Type list sites and press ENTER. A list of sites, each with an associated 
number, appears.

11.

Type select site number and press ENTER, where number is the number associated 
with the site the server you are removing is a member of. You should receive a 
confirmation listing the site and domain you chose.

12.

Type list servers in site and press ENTER. A list of servers in the site, each 
with an associated number, is displayed. 

13.

Type select server number, where number is the number associated with the 
server you want to remove. You receive a confirmation listing the selected 
server, its Domain Name System (DNS) host name, and the location of the 
server's computer account you want to remove.

14.

Type quit and press ENTER. The Metadata Cleanup menu appears.

15.

Type remove selected server and press ENTER. You should receive confirmation 
that the removal completed successfully. If you receive the following error 
message, the NTDS Settings object may already be removed from Active Directory 
as the result of another administrator removing the NTDS Settings object or 
replication of the successful removal of the object after running the DCPROMO 
utility. 

Error 8419 (0x20E3)
The DSA object could not be found 



Note You may also see this error when you try to bind to the domain controller 
that will be removed. Ntdsutil has to bind to a domain controller other than 
the one that will be removed with metadata cleanup.

16.

Type quit, and then press ENTER at each menu quit the Ntdsutil utility. You 
should receive confirmation that the connection disconnected successfully.

17.

Remove the cname record in the _msdcs.root domain of forest zone in DNS. 
Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings 
object is created with a new GUID and a matching cname record in DNS. You do 
not want the DCs that exist to use the o

[ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Stu Packett

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.


RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Ulf B. Simon-Weidner
Hi Stu,

 

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

 

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again. 



RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread senthil Kumar
Thanks for your logic. I hope so in the remaining Dc it will do
automatically.

 

Regards,

 

Senthil

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

 

The AD metadata cleanup is nothing more than removal/deletion of objects
that belong to a DC that is not live anymore. Just like other object
deletions (user, group, etc.) the deletions will replicate to other DCs
(assuming replication is working fine) that host the same partitions from
which the objects were removed. Because of that you only need to target ONE
live DC in the same domain when using NTDSUTIL.

 

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD
metadata of one of the DCs on the other 999 DCs... ;-))

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 

 

  _  

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

 

We already had 3 DCs in our network. Suddenly one DC has gone down permanently.
That won't come back live. Right now we want to remove that orphan DC
completely. I have seen the Microsoft article 

 


1.

Click Start, point to Programs, point to Accessories, and then click Command
Prompt.


2.

At the command prompt, type ntdsutil, and then press ENTER.


3.

Type metadata cleanup, and then press ENTER. Based on the options given, the
administrator can perform the removal, but additional configuration
parameters must be specified before the removal can occur.


4.

Type connections and press ENTER. This menu is used to connect to the
specific server where the changes occur. If the currently logged on user
does not have administrative permissions, different credentials can be
supplied by specifying the credentials to use before making the connection.
To do this, type set creds DomainName UserName Password, and then press ENTER.
For a null password, type null for the password parameter.


5.

Type connect to server servername, and then press ENTER. You should receive
confirmation that the connection is successfully established. If an error
occurs, verify that the domain controller being used in the connection is
available and the credentials you supplied have administrative permissions
on the server.

Note If you try to connect to the same server that you want to delete, when
you try to delete the server that step 15 refers to, you may receive the
following error message: 

Error 2094. The DSA Object cannot be deleted0x2094 


6.

Type quit, and then press ENTER. The Metadata Cleanup menu appears.


7.

Type select operation target and press ENTER.


8.

Type list domains and press ENTER. A list of domains in the forest is
displayed, each with an associated number.


9.

Type select domain number and press ENTER, where number is the number
associated with the domain the server you are removing is a member of. The
domain you select is used to determine whether the server being removed is
the last domain controller of that domain.


10.

Type list sites and press ENTER. A list of sites, each with an associated
number, appears.


11.

Type select site number and press ENTER, where number is the number
associated with the site the server you are removing is a member of. You
should receive a confirmation listing the site and domain you chose.


12.

Type list servers in site and press ENTER. A list of servers in the site,
each with an associated number, is displayed. 


13.

Type select server number, where number is the number associated with the
server you want to remove. You receive a confirmation listing the selected
server, its Domain Name System (DNS) host name, and the location of the
server's computer account you want to remove.


14.

Type quit and press ENTER. The Metadata Cleanup menu appears.


15.

Type remove selected server and press ENTER. You should receive confirmation
that the removal completed successfully. If you receive the following error
message, the NTDS Settings object may already be removed from Active
Directory as the result of another administrator removing the NTDS Settings
object or replication of the successful removal of the object after running
the DCPROMO utility. 

Error 8419 (0x20E3)
The DSA object could not be found 



Note You may also see this error when you try to bind to the domain
controller that will be removed. Ntdsutil has to bind to a domain controller
other than the one that will be removed with metadata cleanup.


16.

Type quit, and then press ENTER at each menu quit the Ntdsutil utility. You
should receive confirmation

Re: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Joe Kaplan
In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then 
check for the values that are prefixed with lower case "smtp".


Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.


Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all 
values of those attributes.


Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett

Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing 
something wrong.  Thanks again. 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
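
The approach described in the message above (pull every proxyAddresses value, then keep the ones with the lower-case "smtp" prefix), applied to an LDIF export such as the one LDIFDE produces. This is an added example, not code from the thread; the sample data, DNs and function names are constructed for illustration.

```python
import base64


def _b64(text):
    """Base64-encode text the way LDIF does for values that are not plain ASCII."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample export: a folded line, an X400 address, an object with
# only a primary address, and base64 ("::") values for non-ASCII data.
SAMPLE_LDIF = "\n".join([
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=com",
    "proxyAddresses: SMTP:alice@example.com",
    "proxyAddresses: smtp:alice.example@example.com",
    "proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;",
    "proxyAddresses: smtp:a.long.alias.that.the.exporter.folded.onto.a.second",
    " .line@example.com",
    "",
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=com",
    "proxyAddresses: SMTP:bob@example.com",
    "",
    "dn:: " + _b64("CN=J\u00fcrgen Example,OU=Staff,DC=example,DC=com"),
    "proxyAddresses:: " + _b64("SMTP:j.example@example.com"),
    "proxyAddresses: smtp:juergen@example.com",
    "proxyAddresses:: " + _b64("smtp:j\u00fcrgen@example.com"),
    "",
])


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_line(line):
    """Return (lower-cased attribute name, decoded value), or None if not 'attr: value'."""
    name, sep, rest = line.partition(":")
    if not sep:
        return None
    if rest.startswith(":"):
        # "attr:: <base64>" carries a base64-encoded UTF-8 value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def split_smtp(ldif_text):
    """Map each DN to its primary (SMTP:) and secondary (smtp:) addresses."""
    entries = {}
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current record
            continue
        if line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, value = parsed
        if name == "dn":
            dn = value
            entries[dn] = {"primary": [], "secondary": []}
        elif name == "proxyaddresses" and dn is not None:
            # The prefix comparison is deliberately case-sensitive: an LDAP
            # filter cannot make this distinction, so it is made client-side.
            prefix, _, address = value.partition(":")
            if prefix == "SMTP":
                entries[dn]["primary"].append(address)
            elif prefix == "smtp":
                entries[dn]["secondary"].append(address)
    return entries


def secondary_smtp(ldif_text):
    """Return {dn: [secondary addresses]} for objects that have at least one."""
    return {dn: found["secondary"]
            for dn, found in split_smtp(ldif_text).items()
            if found["secondary"]}


if __name__ == "__main__":
    for dn, addresses in secondary_smtp(SAMPLE_LDIF).items():
        print(dn)
        for address in addresses:
            print("    " + address)
```
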


RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Michael B. Smith
I'm guessing you didn't like the answers you got on the exchange list?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?


How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm
doing something wrong.  Thanks again. 


RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

I don't have any problems with the "creation date" on files.  It's
the "creation date" on the directory folders that is not right.  Could
you try robocopy again, this time trying to copy some tree structure
that has branches (subdirectories) and see what "creation date" is on
the subdirectory folders?  Thanks much!

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the "modified date" and the "creation date" are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the "creation date" as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the "modified date" is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



Re: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Alex Fontana
LMAO...I thought my Outlook rule was broken for a second...


On 1/25/07 5:12 PM, "Michael B. Smith" <[EMAIL PROTECTED]> wrote:

> I'm guessing you didn't like the answers you got on the exchange list?
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
> Sent: Thursday, January 25, 2007 6:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] How to find non-primary SMTP addresses?
> 
> How does one go about getting the non-primary SMTP addresses for every
> Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
> something wrong.  Thanks again.




RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Akomolafe, Deji
Were the answers along the lines of "it can't be done"?

http://www.akomolafe.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

YMWV


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Michael B. Smith
Sent: Thu 1/25/2007 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?


I'm guessing you didn't like the answers you got on the exchange list?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?


How does one go about getting the non-primary SMTP addresses for every Exchange 
user?  I can't seem to find a way via csvde, but maybe I'm doing something 
wrong.  Thanks again. 


RE: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread joe
 
Yeah JoeK is right on, nothing in LDAP will help you with this. The
proxyAddresses attribute is case insensitive so there is no way to query to
just get addresses that are secondary. 

AdFind can help with this in a small perl script. You use the CSV capability
of AdFind combined with its ability to only display the multivalue
attributes that have a string match to smtp (AdFind isn't case sensitive
either for this query). That simply outputs just smtp addresses so it is
nice and clean. The perl script would look something like


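use strict;
use warnings;

# CSV dump of the proxyAddresses values that match "smtp", one object per line
my @out=`adfind -sc exchaddresses:smtp -csv -nocsvheader`;

foreach my $thisline (@out)
 {
  next unless $thisline=~/smtp:.+/; # skip objects with no secondary (lower case) address
  $thisline=~s/SMTP:[^\";]+([\";])/$1/; # strip out primary, stopping at its own delimiter
  $thisline=~s/;{2,}/;/; # cleanup multiple semicolons
  $thisline=~s/\";/\"/; # cleanup quote/semicolon left when the primary was listed first
  $thisline=~s/;\"/\"/; # cleanup semicolon/quote
  print $thisline;
 }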



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, January 25, 2007 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then

check for the values that are prefixed with lower case "smtp".

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all 
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Freitag, 26. Januar 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing 
something wrong.  Thanks again. 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx



RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
I forgot to mention:
 
* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with --> NETDOM QUERY FSMO)
* DNS records are NOT removed by NTDSUTIL. That must be done manually, or wait 
if you have aging/scavenging enabled
 
Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope so in the remaining Dc it will do automatically.

 

Regards,

 

Senthil

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

 

The AD metadata cleanup is nothing more than removal/deletion of objects that 
belong to a DC that is not live anymore. Just like other object deletions 
(user, group, etc.) the deletions will replicate to other DCs (assuming 
replication is working fine) that host the same partitions from which the 
objects were removed. Because of that you only need to target ONE live DC in 
the same domain when using NTDSUTIL.

 

Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

* Tel : +31-(0)40-29.57.777

*Mobile : +31-(0)6-26.26.62.80

*   E-mail  : 

 



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

 

We already had 3 DCs in our network. Suddenly one DC went down permanently. 
It won't come back live. Right now we want to remove that orphan DC 
completely. I have seen the Microsoft article:

 

1. Click Start, point to Programs, point to Accessories, and then click Command 
Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, the 
administrator can perform the removal, but additional configuration parameters 
must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the specific 
server where the changes occur. If the currently logged on user does not have 
administrative permissions, different credentials can be supplied by specifying 
the credentials to use before making the connection. To do this, type set creds 
DomainName UserName Password, and then press ENTER. For a null password, type 
null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should receive 
confirmation that the connection is successfully established. If an error 
occurs, verify that the domain controller being used in the connection is 
available and the credentials you supplied have administrative permissions on 
the server.

Note: If you try to connect to the same server that you want to delete, when you 
try to delete the server that step 15 refers to, you may receive the following 
error message: 

Error 2094. The DSA Object cannot be deleted0x2094 

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is 
displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number 
associated with the domain the server you are removing is a member of. The 
domain you select is used to determine whether the server being removed is the 
last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated 
number, appears.

11. Type select site number and press ENTER, where number is the number associated 
with the site the server you are removing is a member of. You should receive a 
confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site, each 
with an associated number, is displayed. 

13. Type select server number, where number is the number associated with the 
server you want to remove. You receive a confirmation listing the selected 
server, its Domain Name System (DNS) host name, and the location of the 
ser

RE: [ActiveDir] OT: maintaining "creation date" when copying directories?

2007-01-25 Thread Ulf B. Simon-Weidner
Sorry - I've missed that point.

 

Yes - you're right, I got the same results.

 

However, if you use robocopy which is now included in Vista in System32
(XP027, 5.1.10.1027) you can use a new switch to accomplish this:

robocopy /dcopy:t /E /B /copyall . .

 

The /dcopy:t does the trick.

 

Thanks for bringing this up so I had to look into it - I'll blog this since
it's a very interesting change.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Freitag, 26. Januar 2007 02:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

I don't have any problems with the "creation date" on files.  It's the
"creation date" on the directory folders that is not right.  Could you try
robocopy again, this time trying to copy some tree structure that has
branches (subdirectories) and see what "creation date" is on the
subdirectory folders?  Thanks much!

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

Maintain the Create and Modified date. My Robocopy-Version is the same
(XP010, 5.1.1.1010)

 

Weird.

 

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog:  http://msmvps.org/UlfBSimonWeidner
  Website:  http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the /E
/B /COPYALL switches.  It does not seem to have the desired effect (ie, both
the "modified date" and the "creation date" are still the current date).
Any other thoughts?

 

Mike Thommes

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Donnerstag, 25. Januar 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining "creation date" when copying
directories?

 

What "move/copy" tools can be used to copy directories/files to another
location and still retain the "creation date" value?  Robocopy seems to keep
creation date on files but directories are given the current date.  Am I
missing a switch in Robocopy to do this?  A backup/restore operation (with
ntbackup.exe) retains the "creation date" as one would expect.  I am just
looking for other possible tools.  I should mention that with all of the
tools I've tried, the "modified date" is always the current date for
directories.  Any help is appreciated!

 

Mike Thommes
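
The thread above turns on whether directory "creation date" and "modified date" survive a copy. As an added example (not part of the thread and not any poster's script), the PowerShell below checks a finished copy by comparing the timestamps of every directory in the source tree with its counterpart in the destination. The two root paths and the function name are placeholders chosen for illustration.

```powershell
# Added example: verify that directory timestamps survived a copy such as
#   robocopy <src> <dst> /E /B /COPYALL /DCOPY:T   (switches quoted in the thread)
# $Source / $Destination are hypothetical paths; adjust before running.
param(
    [string]$Source      = 'D:\data',
    [string]$Destination = 'E:\data'
)

function Get-DirectoryTimestampDrift {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$DestinationRoot,
        [int]$ToleranceSeconds = 2   # assumed allowance for coarse timestamp resolution
    )
    $src = (Get-Item -LiteralPath $SourceRoot).FullName
    $dst = (Get-Item -LiteralPath $DestinationRoot).FullName

    Get-ChildItem -LiteralPath $src -Recurse -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            # Path of this directory relative to the source root
            $relative = $_.FullName.Substring($src.Length).TrimStart('\')
            $target   = Join-Path $dst $relative

            if (-not (Test-Path -LiteralPath $target -PathType Container)) {
                [pscustomobject]@{ Directory = $relative; Problem = 'MissingInDestination'
                                   SourceUtc = $_.CreationTimeUtc; DestinationUtc = $null }
                return   # next directory
            }
            $copy = Get-Item -LiteralPath $target -Force

            # Compare both values discussed in the thread: creation and modified date
            foreach ($prop in 'CreationTimeUtc', 'LastWriteTimeUtc') {
                $delta = [math]::Abs(($_.$prop - $copy.$prop).TotalSeconds)
                if ($delta -gt $ToleranceSeconds) {
                    [pscustomobject]@{ Directory = $relative; Problem = "$prop differs"
                                       SourceUtc = $_.$prop; DestinationUtc = $copy.$prop }
                }
            }
        }
}

# Empty output means every directory kept both timestamps.
Get-DirectoryTimestampDrift -SourceRoot $Source -DestinationRoot $Destination |
    Sort-Object Directory | Format-Table -AutoSize
```

Run it once after a copy made without /dcopy:t and once after a copy made with it to see the difference the switch makes on the subdirectory folders.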