[ActiveDir] Groups membership question

2006-10-11 Thread Aaron Steele

I have one for you guys. I have been puzzling over it for a
while. Seems simple, but I haven’t found a good solution.

Domain A one way trusts Domain B

Group in Domain A, contains members from Domain B.

Enumerate groups in Domain A, include membership for all
members in Domain B.

Or for the real answer. Find user in Domain B, and
tell me all group memberships from Domain A and Domain B.

Any ideas? I’ve tried adfind queries, I’ve
visited the windows scripting center and am at a loss.

Thanks for your help.

/aaron

Aaron Steele
Mobile: 773.580.8099
[EMAIL PROTECTED]
Main: 312.334.1900    Fax: 312.224.4789
pointbridge.com
- Microsoft’s 2005 Advanced Infrastructure Partner of the Year
- Microsoft’s 2005 Exchange Solution of the Year Winner

RE: [ActiveDir] Groups membership question

2006-10-12 Thread Aaron Steele

Joe, you are a god among
men. Thank you a ton for explaining this to me in such a clear and concise way.

/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Groups membership question

The users from Domain B in the Domain A groups will be represented
as FSPs (remember you are outside of your forest). So there will be no direct
linkage capability to do this in any single query.

In order to find the memberships of a Domain B
user (userDomB) in Domain A, you will need to find the FSP
for userDomB in Domain A and then look at the memberships of that FSP.
This you can either do by looking at the memberof attribute of the FSP or doing
a query against Domain B.

So you could do something like

adfind -b DN_FOR_DOM_A -f name=userDomB_SID memberof

You always hear that SIDs go into groups and that is what is
stored, yes, except for AD groups, those store DNs, that is why you can add
OUs or Contacts or printers or any kind of object you want to an AD group but
can't do the same on a machine that uses a registry based SAM DB and why you
have to use FSPs for references to objects outside of the local forest.

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Wednesday, October 11, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Groups membership question

I have one for you guys. I have been puzzling over it for a
while. Seems simple, but I haven’t found a good solution.

Domain A one way trusts Domain B

Group in Domain A, contains members from Domain B.

Enumerate groups in Domain A, include membership for all
members in Domain B.

Or for the real answer. Find user in Domain B, and
tell me all group memberships from Domain A and Domain B.

Any ideas? I’ve tried adfind queries, I’ve
visited the windows scripting center and am at a loss.

Thanks for your help.

/aaron

Aaron Steele
Mobile: 773.580.8099
[EMAIL PROTECTED]
Main: 312.334.1900    Fax: 312.224.4789
pointbridge.com
- Microsoft’s 2005 Advanced Infrastructure Partner of the Year
- Microsoft’s 2005 Exchange Solution of the Year Winner
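
Added example, not part of the original thread and not joe's code: joe's reply above explains that a Domain B user appears in Domain A as an FSP named after the user's SID, and that the FSP's memberof gives the Domain A groups. The Python below decodes a binary objectSid, fills in joe's adfind query, and merges the memberships from both domains; it goes one step further than the reply by following nested groups. Assumptions: plain dictionaries stand in for LDAP results, the FSP sits at the standard CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN> location, and every name and the SID are constructed.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def adfind_args(sid: str, dom_a_dn: str) -> list:
    """joe's query from the thread with its two placeholders filled in."""
    return ["adfind", "-b", dom_a_dn, "-f", "name=" + sid, "memberof"]

def expand(start_dns, directory) -> list:
    """Follow memberOf transitively so nested groups are included."""
    seen, stack = {}, list(start_dns)
    while stack:
        dn = stack.pop()
        if dn.lower() not in seen:
            seen[dn.lower()] = dn
            stack.extend(directory.get(dn.lower(), {}).get("memberOf", []))
    return sorted(seen.values())

def memberships(user_b, dir_b, dom_a_dn, dir_a) -> dict:
    """Groups of a Domain B user in B (own memberOf) and in A (via its FSP)."""
    sid = sid_to_str(user_b["objectSid"])
    fsp = "CN=%s,CN=ForeignSecurityPrincipals,%s" % (sid, dom_a_dn)
    in_a = dir_a.get(fsp.lower(), {}).get("memberOf", [])  # no FSP: no groups in A
    return {"sid": sid, "domain_b": expand(user_b.get("memberOf", []), dir_b),
            "domain_a": expand(in_a, dir_a)}

# Constructed sample data (hypothetical names and SID), keyed by lowercased DN.
DOM_A = "DC=doma,DC=example"
SID_RAW = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
USER_B = {"objectSid": SID_RAW, "memberOf": ["CN=B-Staff,DC=domb,DC=example"]}
DIR_B = {"cn=b-staff,dc=domb,dc=example": {"memberOf": []}}
DIR_A = {
    "cn=s-1-5-21-1111111111-2222222222-3333333333-1105,"
    "cn=foreignsecurityprincipals,dc=doma,dc=example":
        {"memberOf": ["CN=A-FileShare,DC=doma,DC=example"]},
    "cn=a-fileshare,dc=doma,dc=example":
        {"memberOf": ["CN=A-AllResources,DC=doma,DC=example"]},
    "cn=a-allresources,dc=doma,dc=example": {"memberOf": []},
}

if __name__ == "__main__":
    print(memberships(USER_B, DIR_B, DOM_A, DIR_A))
    print(" ".join(adfind_args(sid_to_str(SID_RAW), DOM_A)))
```

The memberOf attribute does not list a user's primary group, so an access review built this way should account for it separately.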

RE: [ActiveDir] sharepoint access log

2006-10-19 Thread Aaron Steele

Likely HTTP Access logs.  Should show the auth’d users,
where they auth’d from and when.

/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 19, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sharepoint access log

Hi,

What is the best or easiest way to find out if a user logged into
the SharePoint server (wss2)?

We have a SharePoint service server that is accessible from outside
the company. We use AD mode for the users

thanks

RE: [ActiveDir] OT: IE7 and OWA on Exchange

2006-10-23 Thread Aaron Steele
Mike,
If you read a bit on the KB or the msexchangeteam.com blog site, it is a
F/E only thing, and really only applies if your IE7 users install the MIME
tools when logged into OWA. If your users don't install the MIME
control, then there is nothing to update.
If they do, then, the update needs to be applied to the OWA server, and
all clients need to re-add the MIME control.

/aaron

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 23, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: IE7 and OWA on Exchange

Does anyone know if this needs to only be installed on your Front End
Exchange servers or both Front End and Back End servers?

Mike Celone
Lead LAN Administrator
Radio Frequency Systems
v. 203-630-3311 x1031
f. 203-634-2027
m. 203-537-2406
[EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 23, 2006 3:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: IE7 and OWA on Exchange

The Compose Message form stops responding after you install Internet
Explorer 7.0 and the S/MIME control on an Outlook Web Access client in
Exchange Server 2003:
http://support.microsoft.com/?kbid=924334

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Exchange Log files --Disk Full--

2006-10-26 Thread Aaron Steele

Take a look at the section titled “The path less traveled-
Remove unneeded log files manually” in the article http://www.msexchange.org/articles/Exchange-log-disk-full.html

It shows how to checkpoint the logs, so you can remove them
manually without fear they will be required in the event of disaster recovery.

/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Thursday, October 26, 2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Log files --Disk Full--

Hi All,

Kindly suggest, what I can do about my Exchange Log files?

I have about 120 GB Log files for past 4 months. I have a few doubts:-

Do I really need all those log files?

If yes, Then how is it possible to manage with this as I have a very limited space
left.

Can I delete these log files?

Backup doesn't remove these log files?

I am really running out of space on my Exchange log storage drive.

Thanks!!!

Ravi

RE: [ActiveDir] AD with mixed DC

2006-12-06 Thread Aaron Steele
I believe this KB will guide you in the correct direction.

http://support.microsoft.com/kb/278875

/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Wednesday, December 06, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD with mixed DC

I have an AD domain with 2 2k domain controllers.  I want to add a
third domain controller that has a 2k3 os.  I know there is something
that needs to be enabled or disabled before having an AD with mixed DC.
What do I need to do before adding the third DC?

Thanks

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413


RE: [ActiveDir] Lockdown CD-ROM access for some

2006-12-13 Thread Aaron Steele
A quick google search turned up this reference to a custom .ADM template
that is available.

http://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!293.entry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

I have been given a task for our secured environments (by secured, I
mean government clearances required) to develop a means to lock down
access to the CDROM drive at a user based level.  They want most users
to be restricted from using the CDROM drives in any way, but allow a
certain security group the ability to have full use of their CDROM
drives.

As far as I can tell, there is not a group policy that allows for this
type of granular lockdown of the devices.  Any suggestions on how to
best tackle this?

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The
drive letter of the CD drives may not always be the same, in fact some
machine's drive letters may vary wildly.

Thanks,

~Ben



RE: [ActiveDir] OT: Exchange 2003 Copy Outgoing Messages

2007-01-03 Thread Aaron Steele
Dan,

I did some quick searching and found a white-paper from MS on Outbound 
Journaling and how one might set that up.
That might be your best course for further research.
http://www.microsoft.com/downloads/details.aspx?FamilyID=d357e733-0e22-477c-b884-0c38fbb51533&displaylang=en


/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, January 03, 2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Copy Outgoing Messages

Is there a way built into Exchange 2003 running on Server 2003 that a user can 
be copied on all messages sent by another user? We have a manager that wants to 
monitor all outgoing messages sent by certain users regardless of the 
recipient. Is this possible?

Thank you in advance for any help.


Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888





Re: [ActiveDir] GPO to Control Local Administrators Group on Workstations

2005-05-26 Thread Aaron Steele
You have read it correctly, as I understand it as well.
With restricted groups, even if you do not include "Administrator" in
the list of members of "Administrators" in your GPO, the local account
"Administrator" on the workstation will still have full admin access to
the machine.

/aaron


Salandra, Justin A. wrote:
> If I was to modify a GPO and put in a Restricted Group on my workstation
> GPO to control the Administrators Local Group would it remove all that
> is in the group currently including the Administrator of the Local PC?
> I read somewhere that Restricted Groups will not remove the
> Administrator no matter what even if you don't include it in the group.
> 
> If I was to just show Administrator with no domain affiliation then this
> would be translated to the local Administrator account, correct?
> 
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]

-- 
Aaron Steele
Enterprise Systems Administrator
e:[EMAIL PROTECTED]
p:773.834.9099


[ActiveDir] GPO problem - Network card disappearing

2006-01-11 Thread Aaron Steele [BSD] - ADM

Hi all,

I was wondering if anyone here had experienced something, and if so, had
any advice.

On a few systems, mostly servers, but a couple desktops as well, we set up
a version of the Microsoft "High Security" policy, at an OU level that
applied to some machines.  Upon application and first reboot, all seems to
work perfectly.  If we reboot the machine again, while booting, the machine
begins to process the GPO and then loses its network connectivity.  The
network cards no longer appear inside the "Network Connections" folder.
If one were to run "ipconfig /all" the network connections appear, and have
IP address information associated to them.  The machine can not ping out,
nor respond to ping from outside.

Thanks for any help that can be given.

/aaron

Aaron Steele
University of Chicago
Enterprise Systems Administrator
P: 773.834.9099
E: [EMAIL PROTECTED]