RE: [ActiveDir] DirectoryServices vb.net is broken.
Thanks for the explanation Joe. I am currently on chapter three of your book. Can't read it fast enough. Do you know if 'deUser.commitchanges' is smart enough not to send an update request to AD if the collection is not dirty? Thanks Y From: [EMAIL PROTECTED] on behalf of Joe Kaplan Sent: Thu 28/12/2006 4:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DirectoryServices vb.net is broken. I'm not sure if it is a bug or not. Generally, I always use .Value to set a value and only use Add if I'm explicitly trying to add an additional value to a multi-valued attribute that already has values. Same basic approach for Remove. That helps keep me out of trouble. :) It is interesting, because there have been MANY problems with the various techniques used to modify the property cache in S.DS over the years. I think the current design is the least problematic. The issue really stems from the way S.DS tries to represent the property cache as a stateful collection of collections on the DirectoryEntry, but ADSI does this in a non-stateful way using Put and PutEx to modify. The other issue has to do with the fact that each ADSI provider does stuff slighly differently under the hood when it talks to the actual API doing the work (LDAP for LDAP, Net* for WinNT, ABO for IIS provider, etc.). The alternative is to just switch over to using System.DirectoryServices.Protocols. That basically talks directly to LDAP via wldap32.dll (like the www.joeware.net tools do, but going through .NET first). However, you tend to have to write more code to do the same thing and learn a lot more about LDAP that you might want to, so it is a two-edged sword. The most difficult things are learning how to use the advanced LDAP controls to do things like paged searches and security descriptor read/modify operations. ADSI tries to make that stuff easy for you. Note also that there is nothing really new and exciting in DS programming in .NET 3.0. The next wave of stuff for DS will be in the next .NET rev that ships with the next Visual Studio. .NET 3.0 is actually the .NET 2.0 runtime with additional assemblies that support WCF, WPF, WWF and CardSpace. Many of the assemblies are unchanged and actually run straight from the .NET 2.0 install directory. The good news is that our book is not out of date for at least another year. :) The next version is supposed to have strongly typed support for users and groups, kind of like S.DS.ActiveDirectory adds strongly typed support for concepts like Forests, Domains, Trusts, Schema, Replication etc. There are a few minor tweaks to ADSI in Windows Vista (remember that ADSI comes with Windows, so it is on a different release cycle than S.DS, which comes with .NET and usually cycles with Visual Studio but sometimes cycles with Windows). However, these are pretty low key. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 1:40 PM Subject: RE: [ActiveDir] DirectoryServices vb.net is broken. One last comment Joe, Do you think that is a bug with DSS? That now means depending of the attribute, you have to use different method? Kinda makes it complicated don't you think?. Now I have to hard code attribute names in my program. if attribute=description do this else do it this way. That sucks Microsoft. Y From: [EMAIL PROTECTED] on behalf of Joe Kaplan Sent: Thu 28/12/2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DirectoryServices vb.net is broken. I'm saying that those two are not equivalent functions under the hood. Add typically does a PutEx with the append flag, while Put just does a put, which is essentially an LDAP update operation. I think you would have the same problem if you invoked PutEx and used the Append flag. .Value uses PutEx, but with the ADSI replace flag, which boils down to an LDAP update operation. Aren't all of the layers fun? :) You can dig into the details a little more by using Reflector to reverse compile System.DirectoryServices into your language of choice. That is how Ryan and I learned most of what we know. Figuring out how ADSI calls LDAP is pretty hard unless you have access to the Microsoft source code. Sorry if the example in 3.13 was at all misleading or inconsistent, but I'll stand by the more detailed stuff on attribute modification in Ch 6. Thanks for buying it and I hope it helps more than hurts. There is an inevitable amount of hair loss that must occur with any new LDAP programming project, but hopefully it won't require prescription drugs or surgery to replace. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 12:06 PM Subject: RE: [ActiveDir] DirectoryServices vb.net is broken. It worked. Thanks a million. Hopefully my hair won't take to long to grow back
[ActiveDir] DirectoryServices vb.net is broken.
I have a user with no description attribute. Anyone know why this works? User.Invoke(put, New Object() {description, txtBxNewDescription.Text}) User.commitChanges but this doesn't User.Properties(Description).Add(txtBxNewDescription.Text) User.commitChanges I get the following error message. ComError {A constraint violation occurred. (Exception from HRESULT: 0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] DirectoryServices vb.net is broken.
It worked. Thanks a million. Hopefully my hair won't take to long to grow back. I bought your book last week from amazon. I currently reading chapter 3. Actually took your example code. See 3.13.vb. Isn't that funny? I thought DirectoryServices was a wrapper to ADSI? Why do you say they are not equivalent? Y They aren't equivalent. Try using the .Value property instead: user.Properties(description).Value = Description is a funny property in AD in that the schema says that it allows multiple values, but the DS itself will only allow it to contain a single value for backward compatibility with previous DS APIs. That might be part of the problem here. In any event, it is generally always good practice to use the .Value property to set a single value. There is more info on this in ch 6 of our book (www.directoryprogramming.net). Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 10:13 AM Subject: [ActiveDir] DirectoryServices vb.net is broken. I have a user with no description attribute. Anyone know why this works? User.Invoke(put, New Object() {description, txtBxNewDescription.Text}) User.commitChanges but this doesn't User.Properties(Description).Add(txtBxNewDescription.Text) User.commitChanges I get the following error message. ComError {A constraint violation occurred. (Exception from HRESULT: 0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx winmail.dat
RE: [ActiveDir] DirectoryServices vb.net is broken.
Thanks for the info, I actually understand, and please don't take my comments as a complaint. So far I love the book, there isn't anything out there that comes close to have so much information on directory services. I have been programming with DSS for about 1 year now and let me tell ya, google does not have much when it comes to directory programming. This book will definitely be my first resource. I still have allot to learn and I think Microsoft is also learning because DSS 2.0 has improved 2 fold over 1.1. Can't wait to see framework 3.0. Y From: [EMAIL PROTECTED] on behalf of Joe Kaplan Sent: Thu 28/12/2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DirectoryServices vb.net is broken. I'm saying that those two are not equivalent functions under the hood. Add typically does a PutEx with the append flag, while Put just does a put, which is essentially an LDAP update operation. I think you would have the same problem if you invoked PutEx and used the Append flag. .Value uses PutEx, but with the ADSI replace flag, which boils down to an LDAP update operation. Aren't all of the layers fun? :) You can dig into the details a little more by using Reflector to reverse compile System.DirectoryServices into your language of choice. That is how Ryan and I learned most of what we know. Figuring out how ADSI calls LDAP is pretty hard unless you have access to the Microsoft source code. Sorry if the example in 3.13 was at all misleading or inconsistent, but I'll stand by the more detailed stuff on attribute modification in Ch 6. Thanks for buying it and I hope it helps more than hurts. There is an inevitable amount of hair loss that must occur with any new LDAP programming project, but hopefully it won't require prescription drugs or surgery to replace. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 12:06 PM Subject: RE: [ActiveDir] DirectoryServices vb.net is broken. It worked. Thanks a million. Hopefully my hair won't take to long to grow back. I bought your book last week from amazon. I currently reading chapter 3. Actually took your example code. See 3.13.vb. Isn't that funny? I thought DirectoryServices was a wrapper to ADSI? Why do you say they are not equivalent? Y They aren't equivalent. Try using the .Value property instead: user.Properties(description).Value = Description is a funny property in AD in that the schema says that it allows multiple values, but the DS itself will only allow it to contain a single value for backward compatibility with previous DS APIs. That might be part of the problem here. In any event, it is generally always good practice to use the .Value property to set a single value. There is more info on this in ch 6 of our book (www.directoryprogramming.net). Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 10:13 AM Subject: [ActiveDir] DirectoryServices vb.net is broken. I have a user with no description attribute. Anyone know why this works? User.Invoke(put, New Object() {description, txtBxNewDescription.Text}) User.commitChanges but this doesn't User.Properties(Description).Add(txtBxNewDescription.Text) User.commitChanges I get the following error message. ComError {A constraint violation occurred. (Exception from HRESULT: 0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx winmail.dat
RE: [ActiveDir] DirectoryServices vb.net is broken.
One last comment Joe, Do you think that is a bug with DSS? That now means depending of the attribute, you have to use different method? Kinda makes it complicated don't you think?. Now I have to hard code attribute names in my program. if attribute=description do this else do it this way. That sucks Microsoft. Y From: [EMAIL PROTECTED] on behalf of Joe Kaplan Sent: Thu 28/12/2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DirectoryServices vb.net is broken. I'm saying that those two are not equivalent functions under the hood. Add typically does a PutEx with the append flag, while Put just does a put, which is essentially an LDAP update operation. I think you would have the same problem if you invoked PutEx and used the Append flag. .Value uses PutEx, but with the ADSI replace flag, which boils down to an LDAP update operation. Aren't all of the layers fun? :) You can dig into the details a little more by using Reflector to reverse compile System.DirectoryServices into your language of choice. That is how Ryan and I learned most of what we know. Figuring out how ADSI calls LDAP is pretty hard unless you have access to the Microsoft source code. Sorry if the example in 3.13 was at all misleading or inconsistent, but I'll stand by the more detailed stuff on attribute modification in Ch 6. Thanks for buying it and I hope it helps more than hurts. There is an inevitable amount of hair loss that must occur with any new LDAP programming project, but hopefully it won't require prescription drugs or surgery to replace. Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 12:06 PM Subject: RE: [ActiveDir] DirectoryServices vb.net is broken. It worked. Thanks a million. Hopefully my hair won't take to long to grow back. I bought your book last week from amazon. I currently reading chapter 3. Actually took your example code. See 3.13.vb. Isn't that funny? I thought DirectoryServices was a wrapper to ADSI? Why do you say they are not equivalent? Y They aren't equivalent. Try using the .Value property instead: user.Properties(description).Value = Description is a funny property in AD in that the schema says that it allows multiple values, but the DS itself will only allow it to contain a single value for backward compatibility with previous DS APIs. That might be part of the problem here. In any event, it is generally always good practice to use the .Value property to set a single value. There is more info on this in ch 6 of our book (www.directoryprogramming.net). Joe K. - Original Message - From: AD [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 28, 2006 10:13 AM Subject: [ActiveDir] DirectoryServices vb.net is broken. I have a user with no description attribute. Anyone know why this works? User.Invoke(put, New Object() {description, txtBxNewDescription.Text}) User.commitChanges but this doesn't User.Properties(Description).Add(txtBxNewDescription.Text) User.commitChanges I get the following error message. ComError {A constraint violation occurred. (Exception from HRESULT: 0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx winmail.dat
RE: [ActiveDir] DHCP Problem
Do you have a reservation for your old DC? From: [EMAIL PROTECTED] on behalf of Bob Anderson Sent: Mon 16/10/2006 11:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DHCP Problem Neil, When I add a new Authorization record it ads it with the old server name. I think my problem is that I have given my new server the same IP address as the old one that died Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, October 16, 2006 10:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DHCP Problem If I understand this post correctly, you may need to add a new DHCP authorisation record for the new server, with the correct name and IP address. You may also need to re-configure routers so that BOOTP packets are forwarded to the correct IP address and/or MAC address. You didn't state what was not working after the change so it's hard to know what to suggest :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: 16 October 2006 15:12 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DHCP Problem Good Morning, I have a bad DHCP problem. I have replaced our Primary Domain Computer and I think I have messed DHCP up badly. The new Domain Controller has been given the same IP address as the old on and when I go into DHCP console the old server name shows up for the DHCP computer. This was an emergency switch as the old DC has died. Thanks in advance for all your help. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx winmail.dat
[ActiveDir] Seperating Database and logs on seperate disks
Is there any other reason other then performance to have the Active Directory log files and database on separate disks? Opinions are welcome. Thanks Yves List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Finding best way to list servers in AD.
Ok ladies and gentlemen, Once again I need your help. What would be the best query to list all servers in Active Directory knowing that no additional indexes have been added from the default install? 1. ((|(operatingSystem=Windows 2000 Server)(operatingSystem=Windows Server 20003)) 2. ((ObjectCategory=Computer)(OperationSystem=*Server*)) I do not know of any other attribute to use other then operationSystem which limits your options. Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] How to make EmployeeNumber unique?
Hey, Can anyone tell me how I can force uniqueness on the EmployeeNumber attribute? I researched it for about 30 minutes but could not find an answer. I usually would take more time but I am in a hurry. Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] How to make EmployeeNumber unique?
I was hoping I can flick a switch to enforce uniqueness. Kinda like samaccount name or DN. From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Mon 13/03/2006 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to make EmployeeNumber unique? I suspect you will need an external process to do this. There is no built-in capability for enforcing this kind of uniqueness. So you will need some centralized script or application that all changes to this attribute go through for validation. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Monday, March 13, 2006 8:12 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How to make EmployeeNumber unique? Hey, Can anyone tell me how I can force uniqueness on the EmployeeNumber attribute? I researched it for about 30 minutes but could not find an answer. I usually would take more time but I am in a hurry. Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
RE: [ActiveDir] How to make EmployeeNumber unique?
You are all right. Thanks for the quick response guys. Once again, this group came through. I should have gave a little more background of my problem. We would like to connect Remedy to AD. Remedy's requirements are unique alpha numeric number and a maximum of 15 characters. I got it to work using 5 users but know I have to build a script that will 'stamp' 4 users with a unique number. The script will then run every 4 hours are so looking for any new user and then stamp then with a unique number. I have to make sure that new users do not get an already used number. Scanning 4 accounts every time I find a new user is not very effective. Thanks again. Y From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Mon 13/03/2006 12:05 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to make EmployeeNumber unique? In the end, it really does come down to ensuring that your source value is unique. Not having your global repository ensuring it's uniuqe for you. Subtle yet distinct difference that you'll find has it's own set of tradeoffs. If you want employeeID to be unique across your forest, ensure it's indexed and in your global catalogs. Add a step into your creation process that checks for that value prior to commit. Al On 3/13/06, joe [EMAIL PROTECTED] wrote: Hope away, won't help. :o) Even sAMAccountName uniqueness can be sidestepped, it is a distributed system, the only way to get true enforced uniqueness is to singlehome/singlemaster the updates that you want to be unique. I have asked for triggers and business rules in AD but was told by Stuart Kwan of the Ottawa Kwan Clan that they have already implemented those for us in MIIS. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Monday, March 13, 2006 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to make EmployeeNumber unique? I was hoping I can flick a switch to enforce uniqueness. Kinda like samaccount name or DN. _ From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Mon 13/03/2006 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to make EmployeeNumber unique? I suspect you will need an external process to do this. There is no built-in capability for enforcing this kind of uniqueness. So you will need some centralized script or application that all changes to this attribute go through for validation. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Monday, March 13, 2006 8:12 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How to make EmployeeNumber unique? Hey, Can anyone tell me how I can force uniqueness on the EmployeeNumber attribute? I researched it for about 30 minutes but could not find an answer. I usually would take more time but I am in a hurry. Thanks Yves St-Cyr List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
[ActiveDir] Found bug in Active Directory DNS (integrated)
Ok, this is the scenario.I needed to create 123 DNS entries really quick so I decided to use DNSCMD. It ended it being a big mistake. The mandatory parameters for DNSCMD /RECORDADD are the following: servername /RecordAdd Zone NodeName RRType RRData [command parameters] So I typed in the following: (entered it on different lines for easy readibiltiy). ncdc01 /RecordAdd myDomain.com hostA.myDomain.com A 192.168.1.2 The command completes with a "Command Completed Successfuly". Great. Only one problem. It does not show up in the DNS management console. I can see it in the directory but not in the DNS snapin. When I do a NsLookup on that record it comes up as hostA.myDomain.com.myDomain.com. Ok so I figured out that you do not need to specify the domain name for the NodeName parameter of the command. I go ahead and delete the entry in ADUC because I can't see it in DNS console, clear the DNS cache on the server and clear the cache on my client. When I run NsLookup on the host again it shows up as hostA.myDomain.com.myDomain.com. That is impossible right? The only way I was able to clear this entry from the server cache was to restart DNS on the DC. Not a feasible solution when you have 20 DC across the country. Has anyone seen this before? Thanks Yves
RE: [ActiveDir] Found bug in Active Directory DNS (integrated)
I concur. I understand why it does not show up in the gui but I do not understand why the server is still caching it. Deleting the object, clearing the pc cache and the server DNS cache does not get rid of the A record. I was hoping someone can try it in their environment and see if they get the same results. Y From: Joe PochedleySent: Wed 07/12/2005 10:34 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Found bug in Active Directory DNS (integrated) Your NodeName is incorrect... NodeName -- name of node for which a record will be added - FQDN of a node (name with a '.' at the end) OR - node name relative to the ZoneName OR - "@" for zone root node OR - service name for SRV only (e.g. _ftp._tcp) The FQDN of the node in your example below should be "hostA." (note the . at the end of the name) not "hostA.myDomain.com" ... Essentially, you added a host to the sub-domain myDomain.com.myDomain.com instead, which is why it doesn't show up in the GUI where expected. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Wednesday, December 07, 2005 9:36 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Found bug in Active Directory DNS (integrated) Ok, this is the scenario.I needed to create 123 DNS entries really quick so I decided to use DNSCMD. It ended it being a big mistake. The mandatory parameters for DNSCMD /RECORDADD are the following: servername /RecordAdd Zone NodeName RRType RRData [command parameters] So I typed in the following: (entered it on different lines for easy readibiltiy). ncdc01 /RecordAdd myDomain.com hostA.myDomain.com A 192.168.1.2 The command completes with a "Command Completed Successfuly". Great. Only one problem. It does not show up in the DNS management console. I can see it in the directory but not in the DNS snapin. When I do a NsLookup on that record it comes up as hostA.myDomain.com.myDomain.com. Ok so I figured out that you do not need to specify the domain name for the NodeName parameter of the command. I go ahead and delete the entry in ADUC because I can't see it in DNS console, clear the DNS cache on the server and clear the cache on my client. When I run NsLookup on the host again it shows up as hostA.myDomain.com.myDomain.com. That is impossible right? The only way I was able to clear this entry from the server cache was to restart DNS on the DC. Not a feasible solution when you have 20 DC across the country. Has anyone seen this before? Thanks Yves
RE: [ActiveDir] Help with VB script to map printers
Actually both are valid. From: WILLIAMS, J.D.Sent: Wed 07/12/2005 2:31 PMTo: 'ActiveDir@mail.activedir.org'Cc: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Help with _vbscript_ to map printers My wsh book shows the command to be .AddPrinterConnection not .AddWindowsPrinterConnection HTH Thanks, JD Northrop Grumman Information Technology Commercial, State Local Solutions512-377-x235 Alphapage 866-521-6091 E-Page [EMAIL PROTECTED] From: Noah Eiger [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 07, 2005 1:10 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Help with _vbscript_ to map printers Hi - I am trying to modify a VBS found on the Internet to map multiple printers. This will be run for every user in an OU. I keep getting the following error for line 8: 8007007B - The filename, directory name or volume syntax is incorrect I have played around with the syntax but think I am missing something very basic here. Any thoughts? I got this from: http://www.computerperformance.co.uk/ezine/ezine16.htm#Example%203:%20Mapping%20Multiple%20Printers ' Poached from Guy Thomas February 2004. ' ** Dim multiPrinter, UNCpath1, UNCpath2, UNCpath3 UNCpath1 = "\\server.abc.private\HP Color LaserJet 3500" UNCpath2 = "\\server.abc.private\HP LaserJet 3300" UNCpath2 = "\\server.abc.private\HP LaserJet 5000" Set multiPrinter = CreateObject("WScript.Network") multiPrinter.AddWindowsPrinterConnection UNCpath1 multiPrinter.AddWindowsPrinterConnection UNCpath2 multiPrinter.AddWindowsPrinterConnection UNCpath3 ' WScript.Echo "Your printer is mapped from : " UNCpath1 _ ' "and from : " UNCpath2 WScript.Quit ' End of _vbscript_ --No virus found in this outgoing message.Checked by AVG Free Edition.Version: 7.1.371 / Virus Database: 267.13.12/194 - Release Date: 12/7/2005
[ActiveDir] AD related? not really...
We have workstation that are not added to the domainand are configured to autologin. The username and password are duplicated on our domain which allows the local accountto use network resources. We would like to join the workstation to the domain (to many advantages to explain why) and eliminate the local account and modify the autologin to use a domain username and password. This causes a problem as the username and password is stored in the registry as plain text. Asanyone everhad to deal withthis scenario? I have found the following articles (below) that describe that the Autologon password can either be plain text in the registry (Winlogon key) OR encrypted into a Local Security Authority (LSA) secret. Does anyone knowto use these functions to encrypt the username and passwordin the registry? http://www.microsoft.com/technet/security/tools/mbsa1/wp.mspx (Autologon section) http://msdn.microsoft.com/library/default.asp?url="">
RE: [ActiveDir] AD related? not really...
Thanks Mitch, Very interesting. The source code is different then the actual executable. I sending an email to the developer. Hopefully he will reply. You wouldn't know if it encrypts the password would you? Yves From: Mitch ReidSent: Thu 01/12/2005 10:57 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] AD related? not really... Sysinternals has a free utility that will automate the process: http://www.sysinternals.com/Utilities/Autologon.html On 12/1/05, AD [EMAIL PROTECTED] wrote: We have workstation that are not added to the domainand are configured to autologin. The username and password are duplicated on our domain which allows the local accountto use network resources. We would like to join the workstation to the domain (to many advantages to explain why) and eliminate the local account and modify the autologin to use a domain username and password. This causes a problem as the username and password is stored in the registry as plain text. Asanyone everhad to deal withthis scenario? I have found the following articles (below) that describe that the Autologon password can either be plain text in the registry (Winlogon key) OR encrypted into a Local Security Authority (LSA) secret. Does anyone knowto use these functions to encrypt the username and passwordin the registry? http://www.microsoft.com/technet/security/tools/mbsa1/wp.mspx (Autologon section) http://msdn.microsoft.com/library/default.asp?url="">
RE: [ActiveDir] FSMO role transfer
Sorry I had to express myself here. Love the analogy. Well said. From: joeSent: Tue 29/11/2005 9:12 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer Actually I make all DCs that have a possibility of being the forest root PDC synchronize from an external source. I haven't ever run DNS on DCs so I can't say anything to that, however if I did, I might consider it. There really is nothing to moving FSMO roles. Have you had a FSMO role move failure that makes you giddy about them? I was serious when I said that moving the roles was a 5 second operation. It doesn't take regular failures (hardware, software, or other)to have one just occur at any random time. It is just like house insurance, you don't buy it because you want to use it or even expect to use it, you buy it to cover you in the event something does happen. Everyone has to make a judgement call as to whether the insurance costs outweigh the impact of whatever it is the insurance protects against. Moving FSMO roles would be insurance, the thing it is protecting against is the possibility of some dorked up issue coming up when the server is going down or coming up or if it doesn't come up at all. If you use the manual steps, the overhead is minutes, if you use scripts the overhead is seconds. That is better than the pennies a day used to sell people on other insurance. I would be afraid if my customers were so weak on procedure that moving a FSMO role was considered hard or dangerous. Obviously this is something that everyone is going to have different feelings on. I certainly don't care what people do on their owns, my process and what I recommend is to move the roles. I much rather move roles than seize them. Seizing is when I get concerns such as RID pools and now you are locked into what you are doing with the offline DC. Overall I would say that a vast majority of the reboots and maintanence work I have done didn't appear after the fact to need the FSMO move. But I figure thefew minutes spent over the years wasn't an excessive administrative cost to do the FSMO moves. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David AdnerSent: Tuesday, November 29, 2005 6:26 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich MilburnSent: Tuesday, November 29, 2005 4:26 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption J ---Rich MilburnMCSE, Microsoft MVP - Directory ServicesSr Network Analyst, Field Platform DevelopmentApplebee's International, Inc.4551 W. 107th StOverland Park, KS 66207913-967-2819--I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, November 29, 2005 11:56 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] FSMO role transfer If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client
RE: [ActiveDir] FSMO role transfer
Amy, You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices: 1. install base os and do a full system restore from the tapes of the old server. or 2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment. Good Luck Y From: Amy HunterSent: Tue 29/11/2005 11:46 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FSMO role transfer So are these FSMO rolesstored in some sort of configuration partition in AD? if not, where are they stored? I plan to replacemy DC hardware next year, as long as I bring the new server up withthesame IP/Name etcconfiguration etc, I won't need to move the FSMO roles to another DC when Ireplace the hardware? Sorry if these seems junior questions, this is my first job in IT (i'm doing this for free for experience) thank you for your help, Amy ;o) "Almeida Pinto, Jorge de" [EMAIL PROTECTED] wrote: First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy HunterSent: Tuesday, November 29, 2005 16:43To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down atdifferent times so thatone of the two servers can provide authentication etc while the other getsmaintained. Initially, I was planning on moving the FSMO roles to the other DC while maintainance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when youperformmaintenance on a DC holding the roles.Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won! 't bother Is there any recommended practice? Amy To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre.
[ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers
As anyone found any issues in disabling the "distributed link tracking server" onwindows 2000 server domain controllers? I would like to take a two step approachin disabling this useless service. First on the DCs and them on all workstations. Iwas just wondering if there would be an impact on the clients seeing that cannot communicate with the server. Thanks Yves
RE: [ActiveDir] Disabling Distributed Link Tracking Server on domain Controllers
Thanks for info the joe and Guido, Because of our politics where I work, modifiying 4 workstations is not that easy. Changing 20 DCs on the other hand is a walk in the park. If I do not remove all of the filelinks manually, aren't they going to age out automatically after 60 days? Thanks Y From: Grillenmeier, GuidoSent: Mon 28/11/2005 11:46 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers nope, no known impact (unless you have specifically deployed an app that makes use of this service - none of the MS apps do, which is why the service is disabled by default in Win2003). however, if you want to make sure, why don't you just reverse your disabling process: first disable all clients, then disable the service on the DCs. Don't forget to cleanup the records underneath your domain's System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable containers as these will surely contain a lot of garbage. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Montag, 28. November 2005 17:40To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers As anyone found any issues in disabling the "distributed link tracking server" onwindows 2000 server domain controllers? I would like to take a two step approachin disabling this useless service. First on the DCs and them on all workstations. Iwas just wondering if there would be an impact on the clients seeing that cannot communicate with the server. Thanks Yves
RE: [ActiveDir] strGrooup?
Two words Option Explicit From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Monday, November 14, 2005 6:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] strGrooup? I cannot figure this one out. Why doesnt the following script work when I use strGroup, instead, it works (maps drives) when I use strGrooup. strGrooup isnt even defined. Option Explicit Dim objNetwork, objUser, CurrentUser, objFSO Dim strGroup Const Windows_Group = BSG - IS Windows Systems Const Pricing_Group = gs-ssd-pricing Const IPCC_Group = IPCCGroup Const IXOS_Group = IXOS_ScanPost_Common Set objNetwork = CreateObject(WScript.Network) ' Forces script to skip errors (rem below line to see errors) on error resume next Dim WshNetwork Set WshNetwork = WScript.CreateObject(WScript.Network) ' Set all drives to be removed here. WshNetwork.RemoveNetworkDrive e: WshNetwork.RemoveNetworkDrive f: Set objUser = CreateObject(ADSystemInfo) Set CurrentUser = GetObject(LDAP:// objUser.UserName) strGroup = LCase(Join(CurrentUser.MemberOf)) if instr(strGrooup, Windows_Group) then objNetwork.MapNetworkDrive s:, \\gsfps2\siteshare objNetwork.MapNetworkDrive u:, \\gsfps2\users end if if instr(strGroup, IXOS_Group) then objNetwork.MapNetworkDrive e:, \\gsimage2\IXOS_ScanPost_Common\Late Archive objNetwork.MapNetworkDrive f:, \\gsimage2\IXOS_ScanPost_Common\Common Post objNetwork.MapNetworkDrive i:, \\gsimage2\IXOS_ScanPost_Common\Normal objNetwork.MapNetworkDrive j:, \\gsimage2\IXOS_ScanPost_Common\Demand objNetwork.MapNetworkDrive k:, \\gsimage2\IXOS_ScanPost_Common\Emergency end if Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 __ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Need ADSI Scripting help.
Assuming file containing computer names is Computers.txt located in the same folder as vbs. This creates an outputfile called Computers Results.txt. You can add any attributes to your outputfile as needed. Start of Script Option Explicit ' Objects Dim oFS Dim oInputFile Dim oOutputFile Dim rootDSE Dim objConnection Dim objCommand Dim objRecordSet Dim rsComputers ' Arrays Dim aComputers ' Strings Dim sComputer Dim sDomain Dim sStatus Set oFS = CreateObject(Scripting.FileSystemObject) Set oInputFile = oFS.OpenTextFile(Computers.txt, 1) Set oOutputFile = oFS.CreateTextFile(Computers - Result.txt, True) ' Doing AD Stuff Set rootDSE = GetObject(LDAP://RootDSE) sDomain = rootDSE.Get(defaultNamingContext) Set objConnection = CreateObject(ADODB.Connection) Set objCommand = CreateObject(ADODB.Command) objConnection.Provider = ADsDSOObject objConnection.Open Active Directory Provider Set objCOmmand.ActiveConnection = objConnection objCommand.Properties(Page Size) = 1000 objCommand.properties(Cache Results) = True ' Reading Text File aComputers = Split(oInputFile.ReadAll, VbCrLf) ' looping every computer For Each sComputer In aComputers objCommand.CommandText = LDAP:// sDomain ;((objectcategory=computer)(cn= sComputer ));Name, userAccountControl;Subtree Set rsComputers = objCommand.Execute If rsComputers.EOF Then oOutputFile.WriteLine sComputer vbTab Can't find computer Else Do Until rsComputers.EOF If rsComputers.Fields(userAccountControl).value And 2 Then sStatus = Disabled Else sStatus = Enabled End if oOutputFile.WriteLine sComputer vbTab sStatus rsComputers.MoveNext Loop End if Next ' Closing Text file oInputFile.Close oOutputFile.Close objConnection.Close End of Script From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Friday, October 21, 2005 5:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Need ADSI Scripting help. I was hoping someone will direct him to dsquery :o) Assuming file containing computernames is Comps.txt put this in the batch file and keep it in same folder as comps.txt for /f %%A in (comps.txt) do ( dsquery computer -samid %%A$ | dsget computer -samid -disabled ) You should get the two column listing computername with YES or NO for disabled. - Kamlesh On 10/21/05, Jitendra Kalyankar [EMAIL PROTECTED] wrote: I know about the Oldcmp.exe, but the thing is the tool is really powerful and I don't want Jr. Sys. Admins doing something or deleting something that they are not suppose to. And again I will have to go through the security department route to use it. Too much hassel Hope that explains my situation. Sincerely, Jitendra Kalyankar On 10/20/05, Creamer, Mark [EMAIL PROTECTED] wrote: Before you do this, see oldcmp at www.joeware.net http://www.joeware.net/win/free/index.htm mc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jitendra Kalyankar Sent: Thursday, October 20, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Need ADSI Scripting help. I am looking for some example script and/or help for the script I am writing for my company. What I want to achieve is if I run the script against the machine list which will be in the text file, it should give me the output in the text file saying which machine account is enabled, disabled or not found. I know how to manipulate the text files using fso object but I am not sure what do I need to use to get the attributes of computer container in AD. Any help in this regard is highly appreciated and valued. Please let me know if you need more information abou this. -- Thanks, Jitendra Kalyankar List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail transmission contains information that is intended to be confidential and privileged.If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.Please reply to the message immediately by informing the sender that the message was misdirected.After replying, please delete and otherwise erase it and any attachments from your computer system.Your assistance in correcting this error is appreciated. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- Thanks, Jitendra Kalyankar List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org
[ActiveDir] VB.NET AD object picker?
Does anyone have vb.net code they would like to share? I am looking for an Active Directory object picker written in vb.net. I can find allot of C++ examples but I am more comfortable with visual basic. Thanks Yves List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] VB.NET AD object picker?
Already own it. Great book. Good idea about writing your name on it. Unfortunately the book does not show any gui examples or/and how to use the treeview object in vb.net. From: [EMAIL PROTECTED] on behalf of Lou Vega Sent: Thu 02/06/2005 10:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] VB.NET AD object picker? Robbie Allen's Active Directory Cookbook is full of great examples in VB. Check out the link to the code here: http://www.rallenhome.com/books/adcookbook/code.html I fully recommend purchasing it as well. This book as seen a lot of use while sitting on my desk! (Be sure to write your name on it using a big fat permanent marker so if it grows legs and walks you can find the culprit!) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Thursday, June 02, 2005 10:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] VB.NET AD object picker? Does anyone have vb.net code they would like to share? I am looking for an Active Directory object picker written in vb.net. I can find allot of C++ examples but I am more comfortable with visual basic. Thanks Yves List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ winmail.dat
RE: [ActiveDir] Joining workstation to domain over vpn(again)
Is netbios over tcpip disabled? You can find this setting on the WINS tab under the advanced setting of your network card. I remember seeing that error message for a different problem Network cannot be found and enabling netbios fixed it. You never know. Good luck Yves -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, May 26, 2005 6:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Joining workstation to domain over vpn(again) Hmmm... MTU setting maybe? You haven't been able to join successfully. Why would the machine name come up in an ldap search? :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, May 26, 2005 4:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Joining workstation to domain over vpn(again) I have no idea but I doubt it because it does an ldap search on my dc's looking for its name and comes up null. I'm not sure what to look for, i've never run a sniffer while joining a domain. I guess i'd expect some kerberos and smb... but i don't see that. just the ldap search(ethereal calls it cldap) and dns queries. even if it were blocked, i should see an attempt on the client side to connect on these ports but i don't. and as i said, no firewall of any kind and all other clients at that location can join via vpn with no issues. thanks [EMAIL PROTECTED] wrote: Does the LDAP ping imply that the client can't access port 389? m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, May 26, 2005 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Joining workstation to domain over vpn(again) No. There are about 5 other win xp clients in that office that have been able to join the domain via VPN. This is the only one with an issue and its not running any fw software. Some of the other's are running xp sp2 with the firewall on and they have no issues. thanks Medeiros, Jose wrote: Hi Tom, Do you have Zone Alarm or some other type of Software Based Firewall installed? Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom Sent: Thursday, May 26, 2005 12:03 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Joining workstation to domain over vpn(again) I'm still having problems joining a winxp sp1 MS PPTP vpn client to my domain. The client is connecting to a windows 2000 sp4 RRAS server via pptp. When i try to join the domain, I get the prompt to enter creditianls and then, network name could not be found error. I have all correct dns/wins settings. I made an #PRE and #DOM entry in lmhosts pointing to the PDCE. When i run ethereal, i see the client querying and getting the srv records from my dns for all dc's in the domain and doing an ldap search on a number of dc's sucessfully. Then the last thing i get is a failed ldap ping(port unreachable). I'm not sure if that's the issue. I'm not doing NAT or Port address transaltion for the RRAS server. It has a public ip. The only PAT/NAT is on the client side but I don't think that is really an issue as I can vpn and auth to AD thru the RRAS server and term service in app mode to other servers. I just can't join the domain. Any help would be great. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] LDP does not return modifyTimeStamp attribute...
Does anyone know why LDP does not return the modifyTimeStamp attribute?
RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...
Hmm, I am a little bit confused joe. I did not ask for msExchAlObjectVersion but it returns it anyways. Isn't LDP suppose to return every attribute that is set for a an object? Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmailSent: Tuesday, November 09, 2004 4:31 PMTo: [EMAIL PROTECTED]; [EMAIL PROTECTED]Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Because you didn't request it. That one needs to be specifically requested, you can instead use whenChanged which is returned in the default * set. joe From: [EMAIL PROTECTED] on behalf of ADSent: Tue 11/9/2004 4:24 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] LDP does not return modifyTimeStamp attribute... Does anyone know why LDP does not return the modifyTimeStamp attribute?
RE: [ActiveDir] Trust Computer for delegation
Thanks for the info. When you say any service could leverage tokens from other users are you referring to services that are running on that box or services running somewhere on the network? If the server is secure and limited people have access to it, wouldn't that make more secure? Thanks Y From: Grillenmeier, GuidoSent: Thu 07/10/2004 6:26 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Trust Computer for delegation if you have Win2000, you'll be opening security holes since basically any service could leverage tokens from other users connecting to it to do whatever it likes as the user that's why in 2003, constrained delegation was added, so you can configure it for just a specific service... /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Thursday, October 07, 2004 9:01 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Trust Computer for delegation Ladies and Gentlemen, Can someonetell mewhat exactly happens or what the ramifications are when you enable "Trust Computer for delegation"? I wrote an ASP.NET app that uses current credentials to authenticate. I know that the web app works when this "Feature" is on, and I know that it doesn't when it is off. I know that it allows for the forwarding of Kerberos tickets from a different computer but I do not know if this breaks or better yet opens the door for hackers. Any feedback on this matter would be appreciated. Thanks Yves
RE: [ActiveDir] GPO applying.
secedit /refreshpolicy machine_policy /enforce From: Cothern Jeff D. Team EITCSent: Thu 07/10/2004 5:33 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] GPO applying. A server we were working on was inadvertently moved into an OU that had a policy applied to it. That GPO had some settings that we are not sure which that broke some functionality of the server we are still in the process of developing fully. The Server was moved out of that ou back into the standard Computer ou but the Policy still appears to be affecting it. Is there a way to clear any policies that are applying to the machine? Jeff
[ActiveDir] Trust Computer for delegation
Ladies and Gentlemen, Can someonetell mewhat exactly happens or what the ramifications are when you enable "Trust Computer for delegation"? I wrote an ASP.NET app that uses current credentials to authenticate. I know that the web app works when this "Feature" is on, and I know that it doesn't when it is off. I know that it allows for the forwarding of Kerberos tickets from a different computer but I do not know if this breaks or better yet opens the door for hackers. Any feedback on this matter would be appreciated. Thanks Yves
RE: [ActiveDir] Tracking the machine from which user logs in
We are doing it using logon scripts. Using vbscript and WMI you can get anything you want. The captured data is then stored on a share and then processed by another application. We did it this way not to increase login times. Y -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mukul Joshi Sent: Sunday, June 06, 2004 2:55 AM To: ADList Subject: [ActiveDir] Tracking the machine from which user logs in Hi, I am writing an application that would track the login logoff activities of users. I can get lastlogin and lastlogoff information from AD, but I also need to know the machine/IP on which that particular login/logoff happened. How do I get this information? Thanks ~ Mukul List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. Al, You hit the nail on the head about my intentions. I did say vbscript or vb.net but I still appreciate that the fine folk in this forum are trying to help me. I read the code in the link provided. Looks great but the workstations I am adding to the domain are w2k Pro. Just my luck. :-) The problem with LDAP searching for DCs is your need to specify a DC name in your query. You cannot perform a serverless bind unless your workstation is a member of the domain. Hard coding a server name is not an option because as we all know, servers change. I am starting to think that capturing the output of NSLookup is the only solution. Not pretty but it will work. Y From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Friday, May 14, 2004 10:12 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain. I think the original request was that it be vbscript or vb.net. I suppose you could wrap the call, but I'm not sure it meets what he's looking for. Additionally, I think we overcomplicated the request. I think he just wants to be able to add to a workstation to a domain which is a script similar to http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm31.mspxwhich uses the netbios or shortname of the domain to join (as does the built in pieces). Otherwise, why do you want to find the members of a domain from a non-member workstation if not to join? Is there something else you're after? If so, you may want to investigate LDAP searching for DC's in a domain. You can pass the creds to the domain that are required for searching. DNS will do it, and the DNSGetHostbyname or sister method should be helpful there. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 6:39 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain. This should be what you want... http://msdn.microsoft.com/library/default.asp?url=""> From: AD [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 5:34 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain. The problem with name resolution is the fact that you have to HARD Code your server names. That is what I am trying to stay away from. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, May 13, 2004 4:42 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain. Huh? Wouldn't thename resolution calls work better then? http://msdn.microsoft.com/library/default.asp?url=""> Al From: AD [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 3:46 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parseit. Not the cleanest solution. I was hoping to find an object that will kinda do it all. From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.Sent: Thu 5/13/2004 10:10 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?Mike Thommes-Original Message-From: AD [mailto:[EMAIL PROTECTED]]Sent: Thursday, May 13, 2004 8:47 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Enumerating DCs from a workstation that is notmember of domain.Hey Guys,I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.Thank you in advance.Yves St-CyrList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Enumerating DCs from a workstation that is not member of domain.
Hey Guys, I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain. When you add a computer to a domain (right click my computer, properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click ok the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality. Thank you in advance. Yves St-Cyr List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. The problem with name resolution is the fact that you have to HARD Code your server names. That is what I am trying to stay away from. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, May 13, 2004 4:42 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain. Huh? Wouldn't thename resolution calls work better then? http://msdn.microsoft.com/library/default.asp?url=""> Al From: AD [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 3:46 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parseit. Not the cleanest solution. I was hoping to find an object that will kinda do it all. From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.Sent: Thu 5/13/2004 10:10 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain. Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?Mike Thommes-Original Message-From: AD [mailto:[EMAIL PROTECTED]]Sent: Thursday, May 13, 2004 8:47 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Enumerating DCs from a workstation that is notmember of domain.Hey Guys,I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.Thank you in advance.Yves St-CyrList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Anyone ever convert dnsRecord attribute?
Help, We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunetaly the computer name in saved in a octectstring format attribute called dnsRecord. Lookup a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS, CN=System,DC=DomainName" container and you will see what I am talking about. As anyone ever written a function to convert this octetstring to something that is readable? Thanks Yves St-Cyr
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Hi Al, Can you elaborate how I can export the entire zone via DNS. Thanks Yves From: Mulnick, AlSent: Fri 26/03/2004 11:57 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Why do you want to enumerate via LDAP? Why not via DNS? From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Anyone ever convert dnsRecord attribute? Help, We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunetaly the computer name in saved in a octectstring format attribute called dnsRecord. Lookup a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS, CN=System,DC=DomainName" container and you will see what I am talking about. As anyone ever written a function to convert this octetstring to something that is readable? Thanks Yves St-Cyr
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to txt (4+ objects) file so I can parse using excel. I actually found the article you mention but the I have to install the WMI provider on the DC. I am hoping to avoid this if I can. Tha't why I am hoping to use LDAP with some sort of OctetString converter. Y From: Mulnick, AlSent: Fri 26/03/2004 1:04 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? You mean like a zone transfer? DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx(note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after. Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to. I'd opt for the script, but that's me. Al From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 1:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Hi Al, Can you elaborate how I can export the entire zone via DNS. Thanks Yves From: Mulnick, AlSent: Fri 26/03/2004 11:57 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Why do you want to enumerate via LDAP? Why not via DNS? From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Anyone ever convert dnsRecord attribute? Help, We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunetaly the computer name in saved in a octectstring format attribute called dnsRecord. Lookup a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS, CN=System,DC=DomainName" container and you will see what I am talking about. As anyone ever written a function to convert this octetstring to something that is readable? Thanks Yves St-Cyr
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
David, I am sure it will work but my DNS as over 45000+ objects and it is running on a production network. It scares me a little to do that. Y From: Chianese, David P.Sent: Fri 26/03/2004 2:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? As Al mentioned, why not convert the zone to Std. Primary and take a copy of the zone files that are written to disk. Then revert it back to ADI. I have done this before without incident to supply ourBIND unixservers copies (or pieces) of our zone files. I have done this in the past for stale PTR records as well. Regards, Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of ADSent: Friday, March 26, 2004 2:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to txt (4+ objects) file so I can parse using excel. I actually found the article you mention but the I have to install the WMI provider on the DC. I am hoping to avoid this if I can. Tha't why I am hoping to use LDAP with some sort of OctetString converter. Y From: Mulnick, AlSent: Fri 26/03/2004 1:04 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? You mean like a zone transfer? DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx(note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after. Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to. I'd opt for the script, but that's me. Al From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 1:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Hi Al, Can you elaborate how I can export the entire zone via DNS. Thanks Yves From: Mulnick, AlSent: Fri 26/03/2004 11:57 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Why do you want to enumerate via LDAP? Why not via DNS? From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 11:39 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Anyone ever convert dnsRecord attribute? Help, We have a DNS integrated zone and I have a need to enumerate all reverse lookup records. Unfortunetaly the computer name in saved in a octectstring format attribute called dnsRecord. Lookup a record in the DC=xx.in-addr.arpa,CN=MicrosoftDNS, CN=System,DC=DomainName" container and you will see what I am talking about. As anyone ever written a function to convert this octetstring to something that is readable? Thanks Yves St-Cyr
RE: [ActiveDir] Anyone ever convert dnsRecord attribute?
Yep, I'm looking for the hostname. The hostname is not stored in a separate attribute that I can see. You definitely found the right attribute. Is that funky or what? I agree with you, LDAPall the way baby. Can a non perl person understand the perl code and convert it VBScript easily? I'm a vbscript person myself. I was at the conference lastyear, the one hosted in Ottawa. I believe this year it's in Washington.Has it happened yet?Plenty of good information there for sure. Thanks Yves From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, March 26, 2004 5:22 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Interesting problem. What specifically do you need out of the octet string, just the host name? Anyone have a map of what exactly is in octet string or what data should be in it even if you don't know the format? I would assume probably serial number and some other info? It isn't in MSDN that I see. dn:DC=0,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=comdnsRecord: 0B00 0C00 05F0 0200 0E10 0901 0762 6F62 7465 7374 00 dn:DC=1,DC=20.10.169.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=joehome,DC=comdnsRecord: 0C00 0C00 05F0 0300 0E10 0A01 0862 6F62 7465 7374 3200 From this it appears that the hostname starts at about the 13th dword. So above would be 0A01 0862 6F62 7465 7374 3200 and 0A01 0862 6F62 7465 7374 3200 for the names which would resolve into bobtest and bobtest2. This could be done fairly painlessly with perl I think... As for Al's question about why enumerate via LDAP? Because its there baby, that is the beauty of using LDAP. If you aren't going to do LDAP queries, might as well be using a SQL Server or flat file or something. Let me see what I can do with this. I just put the Disturbed CD in, feeling like doing some hacking. BTW, if you didn't go to the Directory Experts Conference, you missed a good time. NetPro did a good job and there was a lot of good discussions. Plus some of the stuff Stuart was talking about was pretty darn cool. - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Friday, March 26, 2004 3:18 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? David, I am sure it will work but my DNS as over 45000+ objects and it is running on a production network. It scares me a little to do that. Y From: Chianese, David P.Sent: Fri 26/03/2004 2:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? As Al mentioned, why not convert the zone to Std. Primary and take a copy of the zone files that are written to disk. Then revert it back to ADI. I have done this before without incident to supply ourBIND unixservers copies (or pieces) of our zone files. I have done this in the past for stale PTR records as well. Regards, Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of ADSent: Friday, March 26, 2004 2:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? I am looking for duplicate registrations in the reverse lookup zone. I am hoping to export everything to txt (4+ objects) file so I can parse using excel. I actually found the article you mention but the I have to install the WMI provider on the DC. I am hoping to avoid this if I can. Tha't why I am hoping to use LDAP with some sort of OctetString converter. Y From: Mulnick, AlSent: Fri 26/03/2004 1:04 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? You mean like a zone transfer? DNS.CMD could be useful, scripting could be useful such as this one http://www.microsoft.com/technet/community/scriptcenter/network/scnet163.mspx(note the requirements). DNSLINT might have some value for you as well. Heck, Nslookup in a loop might be useful but you'd have to know what you're going after. Saying all of that, you could transfer the zone to a non-integrated instance and parse the zone file if you really wanted to. I'd opt for the script, but that's me. Al From: AD [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 1:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Hi Al, Can you elaborate how I can export the entire zone via DNS. Thanks Yves From: Mulnick, AlSent: Fri 26/03/2004 11:57 AMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Anyone ever convert dnsRecord attribute? Why do you want to enumerate via LDAP? Why not via DNS? From: AD [mailto
RE: [ActiveDir] OU/Computer accounts reorganization
Title: RE: [ActiveDir] OU/Computer accounts reorganization I guess one would also have to ask why not just apply the policies to the sites and not worry about the ou's? Then you don't have to worry about it now or in the future. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Mulnick, AlPosted At: Friday, February 20, 2004 1:24 PMPosted To: ADConversation: [ActiveDir] OU/Computer accounts reorganizationSubject: RE: [ActiveDir] OU/Computer accounts reorganization Should have added this part to the last email: Some books that might help: http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330 From: Mulnick, Al Sent: Friday, February 20, 2004 1:10 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] OU/Computer accounts reorganization Nslookup FQDN_of_computer_name would do it. But now might be a good time to look into the scripting. It could save you a lot of time and you may have to do this again some time. -Original Message- From: J0mb [mailto:[EMAIL PROTECTED]] Sent: Friday, February 20, 2004 12:58 PM To: [EMAIL PROTECTED] Subject: R: [ActiveDir] OU/Computer accounts reorganization ok...thanks for all replies. Unfortunately i have a basic knowledge of scripting, so it looks like it's going to be a hard job. Anyway, what would be the best method to achieve this? Get the Ip addresses of the machines from a nslookup or ping, or is there a command/function or whatever to get the ip/site from the active directory? J List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU/Computer accounts reorganization
Title: RE: [ActiveDir] OU/Computer accounts reorganization I'm not saying to not use GPO but rather apply the GPO's at the site level - it's the same mechanism just at a different level. It wouldn't resolve the delegated administration issue but that's really just adding and removing object when talking aboutmachines. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of J0mbPosted At: Friday, February 20, 2004 2:16 PMPosted To: ADConversation: [ActiveDir] OU/Computer accounts reorganizationSubject: R: [ActiveDir] OU/Computer accounts reorganization Because each site needs different GPOs (SUS server at local site, different desktops, different logon scripts, certain OUs have delegated administration etc...I agree with the "make it simple, see it working better" statement, but i wouldn't certainly give up using key Win2000 AD features for that. Da: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Per conto di ADInviato: venerdì 20 febbraio 2004 19.42A: [EMAIL PROTECTED]Oggetto: RE: [ActiveDir] OU/Computer accounts reorganization I guess one would also have to ask why not just apply the policies to the sites and not worry about the ou's? Then you don't have to worry about it now or in the future. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Mulnick, AlPosted At: Friday, February 20, 2004 1:24 PMPosted To: ADConversation: [ActiveDir] OU/Computer accounts reorganizationSubject: RE: [ActiveDir] OU/Computer accounts reorganization Should have added this part to the last email: Some books that might help: http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330 From: Mulnick, Al Sent: Friday, February 20, 2004 1:10 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] OU/Computer accounts reorganization Nslookup FQDN_of_computer_name would do it. But now might be a good time to look into the scripting. It could save you a lot of time and you may have to do this again some time. -Original Message- From: J0mb [mailto:[EMAIL PROTECTED]] Sent: Friday, February 20, 2004 12:58 PM To: [EMAIL PROTECTED] Subject: R: [ActiveDir] OU/Computer accounts reorganization ok...thanks for all replies. Unfortunately i have a basic knowledge of scripting, so it looks like it's going to be a hard job. Anyway, what would be the best method to achieve this? Get the Ip addresses of the machines from a nslookup or ping, or is there a command/function or whatever to get the ip/site from the active directory? J List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Changing Hardware for DC
Thanks for all of the info and tips. I will be doing this in a few weeks and will let you know if I turn up anything that may be of interest to the group. AM2K4 - Original Message - From: Mark Caldwell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 10, 2003 12:19 PM Subject: RE: [ActiveDir] Changing Hardware for DC Rich, I sent a mail to you the other day (you're A-B's account). Give me a ping if you get a sec. :) Mark C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, December 09, 2003 6:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Changing Hardware for DC In early days, in a lab, I rebuilt a few DCs before I remembered about demoting (i.e. I blew them away) and learned ntdsutil the hard way. But since then I have demoted a number of them and not had a problem. However, while searching for something else last night, I ran across a couple of TechNet and JSI articles about using the /FORCEREMOVAL switch on DCPROMO for when a DC just doesn't cooperate... here maybe this will save you the trouble of searching (and keep you from actually needing them! :) http://support.microsoft.com/default.aspx?kbid=332199 http://www.jsiinc.com/SUBN/tip6700/rh6741.htm your DNS records should be taken care of if DNS is working correctly. Do transfer the FSMO roles off first as you mentioned. If you haven't done them before, they're pretty straight-forward except for the schema master role. You have to register a dll to use the graphical schema tool (you can use ntdsutil but it can be intimidating if you haven't used it much before). This article goes through all the roles, just in case. http://support.microsoft.com/?kbid=255690 good luck - Rich -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Monday, December 08, 2003 8:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Changing Hardware for DC Interesting on your demotion experience. I have been running AD and large numbers of domain controllers since the bloody oem days and can't say I have experienced what you have experienced. I have run into a couple of DCPROMO's into DC's before where the SPN didn't make it into the main part of AD but never a failed demotion. If the machine was functioning and had dns entries I could demote. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Wednesday, December 03, 2003 8:43 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Changing Hardware for DC This should work just fine. A couple of things to watch for, though: 1. Wait a while after the demotion of each DC before you rename it. Make sure your AD has replicated fully. 2. Back in the early days of AD, I did a lot of this sort of thing in the lab and found that demoting a DC to a member server was a crap-shoot. Many times the demotion would fail, and I'd be in for a long session with NTDSUtil to clean up. That was in the SP1 days, though - things may be better now. An alternate method of doing what you want would be to do a full backup, then a restore on the new hardware. I think I like your method better, though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Man Sent: Tuesday, December 02, 2003 11:47 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Changing Hardware for DC Hello, I need to replace a few DC's with new hardware. I MUST be able to use the same machine name and IP address for the new server so I will need to take the old server down and bring the new up in its place. These are the FSMO holders so I just want to make sure there are no unforeseen issues with doing this. A few additional notes: These DC's are the FSMO's and DNS is on Bind 8. Rough plan: Old server: -Transfer roles off to another DC -SystemState backup? -Demote old server -Change name -Change IP New server: -Assign 'old' Name -Assign 'old' IP -DCPromo New server -Transfer roles back -Etc, etc. What am I missing, do I need to do any kind of DNS cleanup first or this will happen dynamically? Any thoughts? Thanks, AM _ Shop online for kids' toys by age group, price range, and toy category at MSN Shopping. No waiting for a clerk to help you! http://shopping.msn.com List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED
RE: [ActiveDir] Article on SUS
I had a question on the automatic install feature for clients. If we were to set that at 3:00 AM, what happens if the user shuts their machine off (or takes it home) at night. I'm not seeing an answer in their deployment guide. Inquiring minds want to know -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Posted At: Thursday, September 18, 2003 11:50 AM Posted To: AD Conversation: [ActiveDir] Article on SUS Subject: [ActiveDir] Article on SUS http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci928356, 00.html http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci928356 ,00.html Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Article on SUS
In looking at the ADM for the SUS SP1 I found the answer. It is configurable to wait x minutes after startup if the scheduled time was missed. -Original Message- From: AD Posted At: Thursday, September 18, 2003 2:50 PM Posted To: AD Conversation: [ActiveDir] Article on SUS Subject: RE: [ActiveDir] Article on SUS I had a question on the automatic install feature for clients. If we were to set that at 3:00 AM, what happens if the user shuts their machine off (or takes it home) at night. I'm not seeing an answer in their deployment guide. Inquiring minds want to know -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Posted At: Thursday, September 18, 2003 11:50 AM Posted To: AD Conversation: [ActiveDir] Article on SUS Subject: [ActiveDir] Article on SUS http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci928356, 00.html http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci928356 ,00.html Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Article on SUS
Great site - thank you. -Original Message- From: Tom Meunier [mailto:[EMAIL PROTECTED] Posted At: Thursday, September 18, 2003 3:06 PM Posted To: AD Conversation: [ActiveDir] Article on SUS Subject: RE: [ActiveDir] Article on SUS http://www.susserver.com/FAQs/FAQ-AutoUpdateSettings.asp You can tell it to apply missed patches after startup, and then either auto-reboot or prompt for reboot. -Original Message- From: AD [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 1:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Article on SUS I had a question on the automatic install feature for clients. If we were to set that at 3:00 AM, what happens if the user shuts their machine off (or takes it home) at night. I'm not seeing an answer in their deployment guide. Inquiring minds want to know List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP query on ObjectSID attribute
Can anyone test the following instructions from Jimmy and let me know if it worked for you? I can't seem to get it to work. I am not searching on a deleted SID. I am searching on an existing sid that I cut and paste from an existing user. Thanks Y From: Jimmy AnderssonSent: Fri 22/08/2003 5:03 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Set it like this: Base DN SID=S-1-5-21-709049380-3306950797-3746505139 Filter ((ObjectCategory=*)(name=*)) Don't forget the '' and '' on the SID, you might also need to put in the '-' symbol within the SID itself. Also you might need to check in the control 'Return deleted objects' if the object exist in the Deleted Object container. You'll find the controls in Search - Options - Controls. You also might need to Regards, /Jimmy - Jimmy Andersson, Q Advice AB CEO Principal Advisor Microsoft MVP - Active Directory -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 9:58 PM To: [EMAIL PROTECTED] Tony, I clicked on Browse and then Search in LDP. The little window comes up. (I actually used bind first). In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69" In the Filter field I type in "((ObjectCategory=*))" My scope is set to Subtree. I clicked on Run. The ObjectSID was a cut and paste from my attribute. I does not return anything. What am I doing wrong here? I tried SID=, objectSID=, GUID=,objectGIUD=. Any help would be appreciated. Thanks Y From: Tony Murray Sent: Fri 22/08/2003 10:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute It's not really using an attribute as your Base DN. The starting point for a search can be SID, GUID or DN. It works as Jimmy describes below. Tony -- Original Message ------ From: AD [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 22 Aug 2003 09:26:36 -0400 I never heard of using an attribute as your BaseDN. If this worked for you I really would like to know how you did it. Thanks Y From: Jimmy Andersson Sent: Thu 21/08/2003 7:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Why not use LDP and set it like this: Base DN SID=S-1-5-21-709049380-3306950797-3746505139 Filter ((ObjectCategory=*)(name=*)) (I used a SID from my lab domain) You might need to load the control for deleted objects, if it's deleted. Regards, /Jimmy - Jimmy Andersson, Q Advice AB CEO Principal Advisor Microsoft MVP - Active Directory -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 12:35 AM To: [EMAIL PROTECTED] Anyone know how to query AD on the ObjectSID? My query looks like this: ((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124 32412344)) Doesn't return anything. I know the sid must converted but I am not sure what format it should be in. Thanks Y List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP query on ObjectSID attribute
Title: Message Would love to get is book. Not available from Chapters. ISBN #0672315874. Do you have an extra copy you would like to sell? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, August 25, 2003 1:03 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Hey Joe, Wow, thanks for the compliment dude. Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I haven't seen it before as part of ADSI. -g Gil Kirkpatrick CTO, NetPro -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Saturday, August 23, 2003 7:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute This is an adsi thing and is called a SID Bind, you can also do a GUID bind in a similar manner. If you are using LDAP API instead of ADSI you need to encode the sid back into an octet string and do the search with it. Check out Gil Kirkpatrick's Programming Active Directory as he has some good info on this type of schtuff. Actually if you are doing any AD programming, get that book. Gil rocks. :op joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 9:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute I never heard of using an attributeas your BaseDN. If this worked for you I really would like to know how you did it. Thanks Y From: Jimmy Andersson Sent: Thu 21/08/2003 7:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Why not use LDP and set it like this:Base DN SID=S-1-5-21-709049380-3306950797-3746505139Filter ((ObjectCategory=*)(name=*))(I used a SID from my lab domain)You might need to load the control for deleted objects, if it's deleted.Regards,/Jimmy- Jimmy Andersson, Q Advice AB CEO Principal Advisor Microsoft MVP - Active Directory-- www.qadvice.com -- -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of ADSent: Friday, August 22, 2003 12:35 AMTo: [EMAIL PROTECTED]Anyone know how to query AD on the ObjectSID? My query looks like this: ((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344)) Doesn't return anything. I know the sid must converted but I am not surewhat format it should be in. Thanks YList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP query on ObjectSID attribute
I never heard of using an attributeas your BaseDN. If this worked for you I really would like to know how you did it. Thanks Y From: Jimmy AnderssonSent: Thu 21/08/2003 7:34 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Why not use LDP and set it like this: Base DN SID=S-1-5-21-709049380-3306950797-3746505139 Filter ((ObjectCategory=*)(name=*)) (I used a SID from my lab domain) You might need to load the control for deleted objects, if it's deleted. Regards, /Jimmy - Jimmy Andersson, Q Advice AB CEO Principal Advisor Microsoft MVP - Active Directory -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 12:35 AM To: [EMAIL PROTECTED] Anyone know how to query AD on the ObjectSID? My query looks like this: ((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124 32412344)) Doesn't return anything. I know the sid must converted but I am not sure what format it should be in. Thanks Y List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP query on ObjectSID attribute
Tony, I clicked on Browse and thenSearch in LDP. The little window comes up. (I actually used bind first). Inthe base DN fieldI typed in "SID=S15A913838F5E5A9AABF22742D54F69" In the Filter field I type in "((ObjectCategory=*))" My scope is set to Subtree. I clicked on Run. The ObjectSID was a cut and paste from my attribute. I does not returnanything. What am I doing wrong here? I tried SID=, objectSID=, GUID=,objectGIUD=. Any help would be appreciated. Thanks Y From: Tony MurraySent: Fri 22/08/2003 10:02 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute It's not really using an attribute as your Base DN. The starting point for a search can be SID, GUID or DN. It works as Jimmy describes below. Tony -- Original Message ------ From: AD [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 22 Aug 2003 09:26:36 -0400 I never heard of using an attribute as your BaseDN. If this worked for you I really would like to know how you did it. Thanks Y From: Jimmy Andersson Sent: Thu 21/08/2003 7:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Why not use LDP and set it like this: Base DN SID=S-1-5-21-709049380-3306950797-3746505139 Filter ((ObjectCategory=*)(name=*)) (I used a SID from my lab domain) You might need to load the control for deleted objects, if it's deleted. Regards, /Jimmy - Jimmy Andersson, Q Advice AB CEO Principal Advisor Microsoft MVP - Active Directory -- www.qadvice.com -- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 12:35 AM To: [EMAIL PROTECTED] Anyone know how to query AD on the ObjectSID? My query looks like this: ((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124 32412344)) Doesn't return anything. I know the sid must converted but I am not sure what format it should be in. Thanks Y List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] LDAP query on ObjectSID attribute
Anyone know how to query AD on the ObjectSID? My query looks like this: ((ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344)) Doesnt return anything. I know the sid must converted but I am not sure what format it should be in. Thanks Y