[ActiveDir] Server Printer Permissions
Everyone, I am not sure if I have already asked this before, if I have I apologize. I have about 200 printers throughout our domain that have the default permissions that occur when a printer is set up. Recently we decided to allow our Help Desk to clear print queues on all printers in the domain. I have searched and searched, Google, Groups, etc. in finding a solution to add our Help Desk group with manage document permissions on these printers but I have come up empty. Short of hitting every printer queue in the domain is there a way I can automate adding this group with the appropriate permissions to these printer queues whether it be a tool, a script creation by me, etc. Two is there a way in Active Directory to configure through Group Policy or other means the ability to add this group when a printer is created? Lastly, Printer Operators built-in group is not acceptable as this gives too many permissions, this must be custom. Thanks in Advance (TIA). Jeremy -- Jeremy Burkes System Analyst/MIS SPHQ [EMAIL PROTECTED] PH: 703-601-9584 Fax: 703-601-9179
RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method
Never mind, just found the answer to my own question, and it is no, must use the person's CN, no other attributes are accepted, good to know. Thanks for the potential help. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Wednesday, November 30, 2005 3:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] VBSCRIPT ADSI IADs Get Method Everyone, I am trying to write a VBScript to connect to a user account using the samaccountname attribute to update some info. Is this even possible and if so can someone provide a code sample, I would think it would look something like this for Test in the Microsoft domain: LDAP://sAMAccountName=Test, OU=Users,DC=Microsoft,DC=COM or LDAP://sAMAccountName=Test,CN=Users,DC=Microsoft,DC=COM Then again, maybe this is not even possible. If not should I use ADO instead even though I am returning 1 record with each query, seems inefficient way to me when I can just use an ADSI pointer. Jeremy -- Jeremy Burkes System Analyst/MIS SPHQ [EMAIL PROTECTED] PH: 202-764-1270 Fax: 202-764-1503
RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method
Yeah I was trying to avoid ADO (Recordsets). I can still use GetObject but must pull the OU, then search the OU for the matching username (pain). So I am using the GetObject("WinNT://"). Thank you everyone for the help. Jeremy

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, November 30, 2005 3:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

It is possible... you only have to do it another way... query AD for the object that matches a certain sAMAccountName
---
' Domain to search and the account name to look up
sDomainDNSW2Kx = "ADCORP.LAN"
ssAMAccountName = "JORGE"
' Open an ADO connection through the ADSI OLE DB provider
Set oConnection = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "ADs Provider"
Set oCommand.ActiveConnection = oConnection
' ssAMAccountName is concatenated into the query text, so it must be a trusted or validated value
sQuery = "SELECT DistinguishedName FROM 'LDAP://" & sDomainDNSW2Kx & "' WHERE sAMAccountName = '" & ssAMAccountName & "'"
oCommand.CommandText = sQuery
Set oResults = oCommand.Execute
' Distinguished name of the matching object
sObjDN = oResults.Fields("DistinguishedName")
---
cheers, Jorge

From: [EMAIL PROTECTED] on behalf of Burkes, Jeremy [Contractor] Sent: Wed 11/30/2005 9:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Never mind, just found the answer to my own question, and it is no, must use the person's CN, no other attributes are accepted, good to know. Thanks for the potential help. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Wednesday, November 30, 2005 3:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Everyone, I am trying to write a VBScript to connect to a user account using the samaccountname attribute to update some info.
Is this even possible and if so can someone provide a code sample, I would think it would look something like this for Test in the Microsoft domain: LDAP://sAMAccountName=Test, OU=Users,DC=Microsoft,DC=COM or LDAP://sAMAccountName=Test,CN=Users,DC=Microsoft,DC=COM Then again, maybe this is not even possible. If not should I use ADO instead even though I am returning 1 record with each query, seems inefficient way to me when I can just use an ADSI pointer. Jeremy -- Jeremy Burkes System Analyst/MIS SPHQ [EMAIL PROTECTED] PH: 202-764-1270 Fax: 202-764-1503
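A hardened variant of the lookup Jorge posted in the thread above, added here as an example and not code from any list member: it rejects characters a sAMAccountName cannot contain, escapes the rest per RFC 4515 before the value enters the LDAP filter, and then binds to the returned DN with GetObject. The function names are hypothetical; ADCORP.LAN and JORGE are the sample values from his post.

```vbscript
' Added example, not code from the thread. Function names are hypothetical.
Option Explicit

' Characters that are not allowed in a sAMAccountName.
Const ILLEGAL_SAM_CHARS = """/\[]:;|=,+*?<>"

' True when sName is non-empty and holds no illegal or control characters.
Function IsPlausibleSam(sName)
    Dim i, ch, code
    IsPlausibleSam = False
    If Len(sName) = 0 Then Exit Function
    For i = 1 To Len(sName)
        ch = Mid(sName, i, 1)
        code = AscW(ch)            ' AscW is signed, so test the range explicitly
        If code >= 0 And code < 32 Then Exit Function
        If InStr(ILLEGAL_SAM_CHARS, ch) > 0 Then Exit Function
    Next
    IsPlausibleSam = True
End Function

' Escape the characters RFC 4515 reserves inside an LDAP filter value.
Function EscapeLdapFilterValue(sValue)
    Dim i, ch, sOut
    sOut = ""
    For i = 1 To Len(sValue)
        ch = Mid(sValue, i, 1)
        Select Case ch
            Case "\"
                sOut = sOut & "\5c"
            Case "*"
                sOut = sOut & "\2a"
            Case "("
                sOut = sOut & "\28"
            Case ")"
                sOut = sOut & "\29"
            Case Chr(0)
                sOut = sOut & "\00"
            Case Else
                sOut = sOut & ch
        End Select
    Next
    EscapeLdapFilterValue = sOut
End Function

' Return the distinguishedName for sSam in sDomainDNS, or "" when the name
' is rejected or no user matches.
Function FindUserDN(sDomainDNS, sSam)
    Dim oConn, oCmd, oRS, sFilter
    FindUserDN = ""
    If Not IsPlausibleSam(sSam) Then Exit Function

    sFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
              EscapeLdapFilterValue(sSam) & "))"

    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Open "ADs Provider"
    Set oCmd = CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    ' LDAP dialect: <base>;filter;attributes;scope
    oCmd.CommandText = "<LDAP://" & sDomainDNS & ">;" & sFilter & _
                       ";distinguishedName;subtree"
    Set oRS = oCmd.Execute
    If Not oRS.EOF Then FindUserDN = oRS.Fields("distinguishedName").Value
    oRS.Close
    oConn.Close
End Function

Dim sDN, oUser
sDN = FindUserDN("ADCORP.LAN", "JORGE")    ' sample values from the thread
If sDN = "" Then
    WScript.Echo "No matching user, or the name was rejected"
Else
    ' A "/" inside a DN must be escaped before it is used in an ADsPath.
    Set oUser = GetObject("LDAP://" & Replace(sDN, "/", "\/"))
    WScript.Echo "Bound to: " & oUser.Get("distinguishedName")
End If
```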
[ActiveDir] Printer Permissions
Everyone, I want to give our help desk the ability to manage print queues in our Active Directory environment. Is there a way to give them permissions to the printers without having to touch each one? Print Operators gives them too many permissions. Thanks. Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED]
RE: [ActiveDir] GC availability issue?
Tony, Thanks for the response. All subnets are configured correctly in Active Directory and all workstations are correctly identifying what site they are supposed to be in. DNS settings are also correct. In sniffing the traffic I forgot to mention that even though the machine knows what site it is in (based on the registry entry) it will still occasionally contact another site for information. I asked my boss the very same question why not more GCs at our site and while he agrees maybe more would be fine he also does not believe that is the problem. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, July 18, 2005 4:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC availability issue? Hi Jeremy The problem with machines contacting DCs in other sites could be related to your subnet definitions in AD. Check to see that all subnets are registered in AD and are associated with the appropriate site. Also check your DNS settings, especially on the machines displaying the problem. While your problems don't sound like they could be related to the number of GCs, you should perhaps consider why you only have 2 out of a possible 5. Is there any reason why you could not make all of your DCs GCs? Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, 19 July 2005 6:34 a.m. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GC availability issue? Everyone, We have an empty root domain and a child domain with approximately 9 or so sites in the forest. The root domain has 2 DCs (1 GC) and the child domain has 3 DCs (1GC) both of which are located in our main site. At our main site where I am located we have approximately 500 users. The best scenario I can give you is we do PC rollouts where we take a large number of PCs 30-50 at a time and rename them with an old extension in the host name then we bring a new machine onto the network with the same name. 
Sometimes we get an error saying the computer account already exists in the organization when we try to name the new machine with the same name, but the issue is inconsistent. I did some traffic sniffing with a PC and found that approximately 50% of the time machines in our site are contacting servers in other site for directory service information instead of our site DCs. Even machines that have been on the network are not using local site DCs for information all the time but using other site DCs instead. I am wondering what could be causing this. This configuration has been static for sometime nothing new has been introduced except for Windows 2003 schema (could this be the cause?). I think it is because we do not have enough GCs in our site (2), but my boss disagrees. What does everyone think? Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED]
RE: [ActiveDir] GC availability issue?
Aric, Thank you for the response. Yes all 9 sites are configured correctly with the correct subnets in Active Directory. This network topology has not changed in years and these are physically separate sites. The clients in question definitely are in the correct subnet associated with our site because I have checked the registry entry for site association and it is correct, yet these machines will contact a remote site server for directory services. DNS looks correct with respect to what servers are registering in what sites. Workstation access of remote DCs is both during the joining of the domain as well as afterwards. We believe the renaming error as I have proved it out relates to the old system contacting a remote domain controller for the name change and the new system contacting a local domain controller for its name, since the local domain controller does not have the old system name change it errors out. I am going to sniff more traffic and provide some more information here. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Monday, July 18, 2005 5:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC availability issue? Under normal (whatever that means) circumstances 2 GCs should certainly be able to handle 500 users. Have you defined subnets for each of your 9 sites? Are you certain that the clients in question belong to one of the defined subnets? Are your DCs registering all appropriate site coverage records in DNS? Is this usage of remote DCs occurring typically on the workstation's first access during/after joining the domain or does it continue after subsequent reboots? Introducing Windows Server 2003 schema extensions should not cause this problem. As for the rename error this could certainly be the result of the system believing that its name is a duplicate in the organization due to replication latency based on your site topology. 
This of course could be exacerbated by the fact that local systems (the new machines) might be accessing DCs in remote sites. Aric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Monday, July 18, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GC availability issue? Everyone, We have an empty root domain and a child domain with approximately 9 or so sites in the forest. The root domain has 2 DCs (1 GC) and the child domain has 3 DCs (1GC) both of which are located in our main site. At our main site where I am located we have approximately 500 users. The best scenario I can give you is we do PC rollouts where we take a large number of PCs 30-50 at a time and rename them with an old extension in the host name then we bring a new machine onto the network with the same name. Sometimes we get an error saying the computer account already exists in the organization when we try to name the new machine with the same name, but the issue is inconsistent. I did some traffic sniffing with a PC and found that approximately 50% of the time machines in our site are contacting servers in other site for directory service information instead of our site DCs. Even machines that have been on the network are not using local site DCs for information all the time but using other site DCs instead. I am wondering what could be causing this. This configuration has been static for sometime nothing new has been introduced except for Windows 2003 schema (could this be the cause?). I think it is because we do not have enough GCs in our site (2), but my boss disagrees. What does everyone think? Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED]
RE: [ActiveDir] GC availability issue?
Sakari, I am not sure what non-DC-related reasons we could necessarily have. We have 9 sites across the continental US with some having slow links (fractional T-1s). We put in site configuration because we wanted to make sure clients used the local DCs for directory services unless those were unavailable. I don't think my boss would like this configuration change, but if you can explain in further detail why it would be better to have 2 sites instead of the 9. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday, July 18, 2005 5:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC availability issue? Hi Jeremy, If you have 5 DCs and 9 sites, do you have non-DC-related reasons to have sites? If not, you could remove all sites that don't have a DC, and link their subnet objects to some remaining sites. For example, if your DCs are on two AD sites, and then you have seven DC-less locations, you could add the subnets of those seven locations to either one of your AD sites. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Monday, July 18, 2005 9:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GC availability issue? Everyone, We have an empty root domain and a child domain with approximately 9 or so sites in the forest. The root domain has 2 DCs (1 GC) and the child domain has 3 DCs (1GC) both of which are located in our main site. At our main site where I am located we have approximately 500 users. The best scenario I can give you is we do PC rollouts where we take a large number of PCs 30-50 at a time and rename them with an old extension in the host name then we bring a new machine onto the network with the same name. Sometimes we get an error saying the computer account already exists in the organization when we try to name the new machine with the same name, but the issue is inconsistent. 
I did some traffic sniffing with a PC and found that approximately 50% of the time machines in our site are contacting servers in other site for directory service information instead of our site DCs. Even machines that have been on the network are not using local site DCs for information all the time but using other site DCs instead. I am wondering what could be causing this. This configuration has been static for sometime nothing new has been introduced except for Windows 2003 schema (could this be the cause?). I think it is because we do not have enough GCs in our site (2), but my boss disagrees. What does everyone think? Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED]
[ActiveDir] OT: Exchange Email Deletion Policy
Everyone, We are setting up an email deletion policy at my organization. I have tested and understand how the recipient policy works and the entire email deletion process works. One thing that is a little confusing is the fact that the email deletion policy works off a hidden field for each item in a user's mailbox that I will call modified date field. Meaning if I copy a message into my mailbox that has a received time of over 30 days and the email deletion policy deletes anything over 30 days the message does not get deleted. I know this is because of the modified date field. What I want to know is when does Exchange decide to change this date from the time it was created to a later date. Is this based on a user moving a message to a new folder, replying, and forwarding? I want to educate our help desk, users, etc. on what will be deleted and when and I cannot find any documentation on the internet that explains when and how the modified date is changed/updated. TIA. Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED]
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
I would have thought the answer would be A. %Username%. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, June 27, 2005 8:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S) Ladies and Gentlemen; In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced training Kit training manual, I have come upon a question in the Chapter 3 lesson review on page 3-55: What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders? a. %Username% b. $Username$ c. CN=Username d. Username The correct answer is b Is this true? Thanks in advance. _ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company Old Town, Maine Voice: 207.827.4456 Ext. 387 Email: [EMAIL PROTECTED] www.jws.com _ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S)
Learn something new every day, did not know that. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy Sent: Monday, June 27, 2005 9:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S) From dsmod user /? : The special token $username$ (case insensitive) may be used to place the SAM account name in the value of -webpg, -profile, -hmdir, and -email parameter. For example, if the target user DN is CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name attribute is janed, the -hmdir parameter can have the following substitution: -hmdir \users\$username$\home Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Monday, June 27, 2005 3:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ? on MCSE Exam 70-290 (W2K3S) Ladies and Gentlemen; In reading Dan Holme's and Orin Thomas' fine MCSE Self Paced training Kit training manual, I have come upon a question in the Chapter 3 lesson review on page 3-55: What variable can be used with the DSMOD and DSADD commands to create user-specific home folders and profile folders? a. %Username% b. $Username$ c. CN=Username d. Username The correct answer is b Is this true? Thanks in advance. _ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company Old Town, Maine Voice: 207.827.4456 Ext. 387 Email: [EMAIL PROTECTED] www.jws.com _ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DL Expansion Troubleshooting
Do you have two domains in the same physical site with Exchange servers in both domains? If so read on as we had a very similar issue. Hope this helps. We had your 1st problem here which possibly could be related to your 2nd problem. We have two domains in the same physical site 3 Exchange servers in one domain and 1 Exchange server in the other domain. Whenever we sent out email particularly to our ALL HANDS DL it would sometimes fail and no one would get it, other times people would get it on the first try. It took me the longest time to figure out why. When a DL is expanded any server within the organization can technically expand the message unless you set the expansion server usually an Exchange server within the site does the expansion. We found that our 1 Exchange server in the other domain was getting the expansion responsibilities sometimes (25% chance) for our Domain level Distribution List. This server knows nothing about Domain specifics so it would fail. As soon as we put that domain in a separate site and reduced the site replication time to 5 minutes we no longer had any problems. One of our 3 Exchange servers in the same domain would always be responsible for the expansion of any DL we had in our domain. I believe I eventually found a technet article on this, let me see if I can find it. I hope this helps. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, June 16, 2005 1:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DL Expansion Troubleshooting did you compare the members of the respective groups in AD on your 3 GCs? You could potentially have an inconsistency between the DCs. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Donnerstag, 16. 
Juni 2005 02:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DL Expansion Troubleshooting Apparently we have had for the past three months a persistent but not predictable issue with large and nested DL expansion. These are always DLs that are nested usually three to four levels deep and ultimately expand to tens of thousands of mailboxes. There are three global catalogs in the Exchange site, and they sit all day around 3%. No load issues, all 2k3 SP1, have been built to spec by yours truly in December I believe. Nothing weird going on with them that I can see. There are two issues that crop up, one newer than the other. Issue #1 (original) is that quite simply it will take a couple tries of sending a message to a DL to get everybody to get it - some folks get it twice, some get it once. When you do a message tracking it just sort of falls off the face of the Earth as far as delivery to the folks that don't get it twice. Now issue #2 is that as of late some DLs just hang up in the submission to categorizer if you look in message tracking. Takes a couple tries to get the categorizer to categorize. Everything but the OWAs is 2000 SP3 w/ the rollup. I just started looking at this today, and quite frankly I've gotten to the end of my short list of things to check. I cranked up diagnostic logging for DSAccess and SMTP on the gateways and the mailbox server hosting the mailbox that blasts these DLs. Haven't found anything useful. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Exchange Mailbox Limits
Don't get me started on attachments. Since I am a contractor for the government we have to do what they say even though it goes against good IT practices and even when we try to tell them why it is not smart they want to do it anyway. Email attachments in excess of 20MB are not uncommon in my environment. We still set that limit but email was never meant to handle that size of an attachment. I think you guys are bringing this up just to raise my blood pressure, thanks, LOL! Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, June 10, 2005 2:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Mailbox Limits Now do your users spell shit right in these messages? Every last one of them had a typo today. One of them they even botched the subject - Pruchasing Newsletter. Yesterday or two days ago I forget the Pruchasing department had to send two blast messages, you see they forgot the time date in message #1. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, June 10, 2005 12:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Mailbox Limits ROTLMAO! I share your pain, Brian. Yeah Gotta love those 'Send to ALL' DLs - and the obvious misuse of same. Black bronco in the north parking lot, second level - your lights are on Ummm, which city/site? I only have 50 of them. And, I'm guessing the sender knows where he/she is. So, why send to the ENTIRE COMPANY? I could almost understand using the ALL DL for that site. And (I'm really kinda heartless, so excuse this, please) people who leave their lights on need to be reminded that it's their problem - so who cares? 
OK - apparently I'm cranky at 1AM :oD Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, June 09, 2005 11:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Mailbox Limits And then I have this problem. We have CO All (2500 mailboxes) and CPS ALL (60K mailboxes). Today the dumbasses with access to these DLs sent: 1x5K - CPS ALL 1x15K - CO ALL 1x270K - CO ALL (two fricken attachments) 1x9K - CO ALL Now times all that out assuming SIS works perfectly by oh I think 260ish mailstores. Our quotas for teachers (like 50K of them): 60/70/80 and central office employees - 250/400/450. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 09, 2005 11:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Mailbox Limits LOL, a major customer you and I have both worked with currently has mailbox limits of 20MB for most of their 200k or so mailboxes and as a whole, it works fine. I think execs get 50-80MB. I had heard a few people complain that some HTML messages are several MB so it doesn't take but an hour or so for 20MB to get filled up. The response from the folks doing the mailbox quota support was... Stop using HTML for messages. Unless you knew someone who could yell at someone, chances are slim you will get an increase from 20MB. Once Exchange quotas got stored in my AD my quota mysteriously went to 80MB, we could never figure out what the misfire was in the system... I told them I would look into it and get back to them. Seriously though, if you think about it, 20MB for 200K users is a lot of space, no matter how cheap the disk and you have to consider deleted items retention and backup space to go back say 30,60,90 or even more days on top of all of that. You can go quite a ways with 20MB of plain text messages. 
You don't really often needs graphics and pretty fonts to communicate with folks. I can see companies making judgements along those lines. Especially as more and more reports come out about how email and instant messaging is probably starting to hurt productivity more than help. I have heard of a couple of companies backing away from the email world and seeing tremendous productivity gains and better customer service. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, June 09, 2005 11:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Exchange Mailbox Limits This is NOT personal, but let me say that your limits are overly restrictive and counter-productive as far as fostering good relationship with your end-users is concerned. In this day and age (html email and all), 25MB is nothing, especially when you consider the fact that hard drive costs are exponentially less than what they used to be 2-3 years ago. That is all my opinion and, again, it's not meant to knock you in a personal way. Sincerely, Dèjì Akómöláfé, MCSE+M
[ActiveDir] Active Directory Permission for Exchange DL
I have an Exchange Distribution List that I would like to give users (actually a security group) permission to modify the members of the group. I gave the users read and also gave them write permissions on the property tab for the write Members attribute of the object. However, it does not work I put myself in the group and gave it plenty of time for replication. The only information I could find is that the user or group must be an owner to be able to modify members of a Distribution List. I find that hard to believe. What rights am I missing, is there some other attribute they need permission to be able to modify members? Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing." - Edmund Burke "It is not how many times you get knocked down, it is how many times you get back up." - Vince Lombardi
RE: [ActiveDir] DHCP client(OT)
Try this: Every experienced network guru knows that quite often the problem with a faulty network connection is due to the TCP/IP stack being corrupted or not properly bound. Starting with WinXP Microsoft has disabled the ability to uninstall TCP/IP. So what are you to do if you suspect that all that is needed is a clean install of the TCP/IP stack? Luckily it is fairly easy to rebuild the stack to the pristine conditions that it was in on a clean install using the NetShell utility. Here is how: Go to your command prompt and type the following:
netsh int ip reset [ log_file_name ]
A log file name must be specified in order to successfully execute the netsh command. This file will log all the actions taken by netsh. Sample:
netsh int ip reset resetlog.txt
netsh int ip reset c:\resetlog.txt
The only difference between these two is that the first will create the log in the current directory while the second specifies where the log is to be created. After creating the log you can use notepad or any other text editor to see exactly what changes were made. I got this from this website: http://www.mikeshardware.com/howtos/tips_xp/#anchor12531 Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, May 06, 2005 1:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DHCP client(OT) Sorry, I screwed up I did reinstall the drivers(twice) and installed another nic pc card and got the same error. thanks Medeiros, Jose wrote: Yes.. I would try that first, and make sure that you have the latest driver from your vendor's web site. Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom Sent: Friday, May 06, 2005 10:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DHCP client(OT) It's a laptop. The nic is on board. I disabled and re-enabled it. Should I uninstall the drivers? I haven't tried that yet... 
Medeiros, Jose wrote: Have you tried removing the Nic restarting XP and re-adding so it rebinds to the TCP/IP stack? Jose - -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom Sent: Friday, May 06, 2005 9:59 AM To: ActiveDir (E-mail) Subject: [ActiveDir] DHCP client(OT) I have a windows xp box that can't start the dhcp client service. I get an event id 1004 -The DHCP client is shutting down. The following error occured: The system cannot find the file specified. I went thru the steps in this MS kb- http://support.microsoft.com/default.aspx?scid=kb;en-us;822123 Also, i ran netsh int ip reset reset.log to reset the tcp/ip stack. Still no go. When i run ipconfig, i get An internal error occured: The system cannot find the file specified Even if I give the box a static address, i still get the same error. The dhcp client services is stuck in starting in services.msc. Anything else I can do to troubleshoot further? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Windows 2000 Whitepaper DNS Clients
Everyone, I am looking for a whitepaper that explains in detail how Windows 2000 clients use DNS to resolve what DC/GCs are in their site and processes are taken if those servers are unavailable. I found a KB article but it is written poorly and has a lot of contradictions in it. I believe a whitepaper existed at one point but I cannot find it. TIA. Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] Windows 2000 Whitepaper DNS Clients
This is exactly what I was looking for. Thanks to all for the help. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Thursday, April 21, 2005 10:04 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Windows 2000 Whitepaper DNS Clients There is a section in the distributed systems guide on this. Here is the link http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url= - Original Message - From: Burkes, Jeremy [Contractor] To: ActiveDir@mail.activedir.org Sent: Thursday, April 21, 2005 7:09 AM Subject: [ActiveDir] Windows 2000 Whitepaper DNS Clients Everyone, I am looking for a whitepaper that explains in detail how Windows 2000 clients use DNS to resolve what DC/GCs are in their site and processes are taken if those servers are unavailable. I found a KB article but it is written poorly and has a lot of contradictions in it. I believe a whitepaper existed at one point but I cannot find it. TIA. Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing." - Edmund Burke "It is not how many times you get knocked down, it is how many times you get back up." - Vince Lombardi
RE: [ActiveDir] Policies:
If he has a router ACL or firewall(s) between the two networks he is going to need port 445 opened for tcp and udp for SMB traffic. Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Wednesday, April 20, 2005 8:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies: In the end both NetBIOS and FQDN are resolved to IPs. Although you can ping the machines does not mean you can access the same machines on other ports. Are you using firewalls in between or do those target systems have firewalls installed, enabled and configured? If yes, check which ports are allowed Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: woensdag 20 april 2005 14:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies: All do not work...IP, Netbios FQDN James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, 20 April 2005 10:28 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Policies: Are they Netbios UNC or fqdn DNS UNC paths, does one work and not the other ? -Original Message- From: Blair, James [EMAIL PROTECTED] Date: Wed, 20 Apr 2005 21:19:15 To:ActiveDir@mail.activedir.org Subject: [ActiveDir] Policies: Hope someone can help. There seems to be a strange policy on our Workstation or Global User baseline that is effecting users on client workstations to not be able to: Access UNC paths outside their subnet even though they are able to ping and resolve these names through DNS. Utilise remote connection software to different subnets. I am going through all the settings and comparing RSOP data but as you are all able to appreciate it is a fairly long and arduous process. One thing I am able to rule out is that is not service related. Any help would be be appreciated. 
James
RE: [ActiveDir] OT: Exchange Transaction logs
Once you get a backup of the Exchange information store completed successfully you can get rid of your old transaction logs from the other server. You should also see any transaction logs that are currently on the Exchange server automatically disappear once the backup is completed if it is done right and successfully completes. What backup software are you using and what components of the backup software have you installed on either the backup server and/or the exchange server? Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, April 12, 2005 11:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Transaction logs I have the exchange agent, but the error I was getting said that the file could not be backed up because it was in use. I believe the exchange agent requires that I use the open file option (which, in this case is just using VSS). Yes, I know it would make sense that the agent knows that it needs to use VSS to backup exchange properly, but it doesn't look like that is the case. Or I could be wrong, and something else is going on. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thijssen, Andries (Cognizant) Sent: Tuesday, April 12, 2005 11:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Transaction logs Using the 'open file option' in your backup product will not result in a a good exchange backup. Either buy the exchange option, or use NT-backup to create a normal Exchange backup. You can use NT backup to backup the Exchange store to file and then include this file in your regular backup. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. 
Long Sent: 12 April 2005 16:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Transaction logs So lets say I get the backup software working correctly (Duh, I forgot to turn on the open file option)...will I ever need the transaction logs from say January of this year? The reason I ask is because for now I have just moved all logs older than February to another machine to free space. If I don't need to ever backup those transaction logs, then I will just delete them once I have verified that the backups are working correctly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Tuesday, April 05, 2005 11:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Transaction logs Not to be nit picky but it means you are not backing it up _correctly_ As Doug mentions, a correct on-line exchange backup will purge the logs on completion of the backup process. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas Sent: Tuesday, April 05, 2005 8:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange Transaction logs Transaction logs are automatically deleted upon successful backup of exchange. If your getting a large collection of transaction logs, that means you are not backing up Exchange. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, April 05, 2005 11:11 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Exchange Transaction logs Just had a couple of questions about a couple things I can't seem to get a straight answer for. Is there a recommended length of time to hold on to Exchange transaction logs? Is there any reason to keep transaction logs around any further back than specified in the checkpoint file? Is it typical to enable circular logging, or does this somehow get you into some issues if a disaster does happen? 
As always, THANKS for your advice/comments
RE: [ActiveDir] raid failure
Stupid question Tom but are you sure that when the first hard drive failed that the array was able to rebuild completely using the hot spare before the second drive failed? Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, April 11, 2005 10:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] raid failure http://support.microsoft.com/default.aspx?scid=kb;en-us;269075 Looks like the ced means nothing really... John Kern, Tom [EMAIL PROTECTED] M To Sent by: Bruyere, Michel [EMAIL PROTECTED] [EMAIL PROTECTED], ail.activedir.org ActiveDir (E-mail) ActiveDir@mail.activedir.org cc 04/11/2005 09:10 AMSubject RE: [ActiveDir] raid failure Please respond to [EMAIL PROTECTED] tivedir.org 3 disks and 1 spare. i don't have a ghost image. i don't understand how recovery console can find the winnt folder but repair or booting the OS can't. boot.ini is pointing to the correct arc path. and what the heck is SYSTEMced? does anyone know of something that can be done to get out of this? anything i can edit? thanks alot -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Monday, April 11, 2005 9:47 AM To: Kern, Tom Subject: RE: [ActiveDir] raid failure Hi, It depends on you actual configuration though, did you have 3 disks in RAID5 and 1 hotspare? Or 4disks in RAID5 straight? Last time something like that happened to me I had to recreate the whole raid (there was no hot spare drive). And then use the recovery plan I had (in this case I had a ghost of the system drive and tapes for the data). -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Kern, Tom Envoyé : Monday, April 11, 2005 9:34 AM À : ActiveDir (E-mail) Objet : [ActiveDir] raid failure i had 2 drives fail on a 4 disk raid 5 array. i rebuilt the drives and now when i boot into win200, i get cannot find file \winnt\system32\config\systemced. 
also, when i try to run a repair, i get windows200 could not be found. i can however boot into recovery console. anyway i can get out of this while waiting for backups to arrive. thanks
RE: [ActiveDir] raid failure
Well if the first failure was not able to completely rebuild before the second drive failure you are going to have to start over and recover from a backup. RAID 5 can only handle one hard drive failure in an array it cannot recover from 2 drive failures at the same time. Based on the information you have provided it sounds like maybe the second hard drive failure probably occurred when the first failure was almost completely rebuilt to the hot spare. That is why the system will boot but you have major problems. I don't think you can recover but I very well could be wrong you are beyond my area of expertise at this point. Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Monday, April 11, 2005 11:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] raid failure i wasn't there so i'm not sure i installed another copy of windows into a diff dir. i can boot fine off that. when i try to boot off the failed installation i get a 7b stop error- inaccessible_boot_device. is there anyway i can fix that installtion from this point? thanks -Original Message- From: Burkes, Jeremy [Contractor] [mailto:[EMAIL PROTECTED] Sent: Monday, April 11, 2005 10:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] raid failure Stupid question Tom but are you sure that when the first hard drive failed that the array was able to rebuild completely using the hot spare before the second drive failed? Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, April 11, 2005 10:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] raid failure http://support.microsoft.com/default.aspx?scid=kb;en-us;269075 Looks like the ced means nothing really... 
John Kern, Tom [EMAIL PROTECTED] M To Sent by: Bruyere, Michel [EMAIL PROTECTED] [EMAIL PROTECTED], ail.activedir.org ActiveDir (E-mail) ActiveDir@mail.activedir.org cc 04/11/2005 09:10 AMSubject RE: [ActiveDir] raid failure Please respond to [EMAIL PROTECTED] tivedir.org 3 disks and 1 spare. i don't have a ghost image. i don't understand how recovery console can find the winnt folder but repair or booting the OS can't. boot.ini is pointing to the correct arc path. and what the heck is SYSTEMced? does anyone know of something that can be done to get out of this? anything i can edit? thanks alot -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: Monday, April 11, 2005 9:47 AM To: Kern, Tom Subject: RE: [ActiveDir] raid failure Hi, It depends on you actual configuration though, did you have 3 disks in RAID5 and 1 hotspare? Or 4disks in RAID5 straight? Last time something like that happened to me I had to recreate the whole raid (there was no hot spare drive). And then use the recovery plan I had (in this case I had a ghost of the system drive and tapes for the data). -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de Kern, Tom Envoyé : Monday, April 11, 2005 9:34 AM À : ActiveDir (E-mail) Objet : [ActiveDir] raid failure i had 2 drives fail on a 4 disk raid 5 array. i rebuilt the drives and now when i boot into win200, i get cannot find file \winnt\system32\config\systemced. also, when i try to run a repair, i get windows200 could not be found. i can however boot into recovery console. anyway i can get out of this while waiting for backups to arrive. thanks
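A simplified model of the situation discussed in this thread, added here as an example and not taken from the list: three RAID 5 members plus a hot spare, with a second disk failing partway through the rebuild. Disk contents, sizes and function names are constructed, and real controllers differ in layout and in how they mark a failed array.

```python
"""Simplified RAID 5 model: 3 member disks plus a hot spare (constructed data)."""
from functools import reduce

STRIPES = 8   # stripes in the toy array
CHUNK = 4     # bytes per chunk


def xor(*chunks):
    """XOR equal-length byte strings together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def build_array(stripes=STRIPES):
    """Return disks[d][s]: per stripe, two data chunks and one rotating parity chunk."""
    disks = [[None] * stripes for _ in range(3)]
    for s in range(stripes):
        data = [bytes([s * 16 + i] * CHUNK) for i in range(2)]
        parity_disk = s % 3
        members = iter(data)
        for d in range(3):
            disks[d][s] = xor(*data) if d == parity_disk else next(members)
    return disks


def rebuild_to_spare(disks, failed, stripes_done):
    """Rebuild the first `stripes_done` stripes of the failed disk onto a spare."""
    survivors = [d for d in range(3) if d != failed]
    spare = [None] * len(disks[0])
    for s in range(stripes_done):
        # Any one chunk of a stripe is the XOR of the other two.
        spare[s] = xor(*(disks[d][s] for d in survivors))
    return spare


def stripe_status(disks, first_failed, second_failed, spare):
    """Classify each stripe after a second disk fails during the rebuild."""
    status = []
    for s in range(len(spare)):
        readable = [disks[d][s] for d in range(3)
                    if d not in (first_failed, second_failed)]
        if spare[s] is not None:
            readable.append(spare[s])
        # Two of the three chunks are needed to recompute the missing one.
        status.append("recoverable" if len(readable) >= 2 else "lost")
    return status


def simulate(stripes_done, first_failed=0, second_failed=1):
    """Fail one disk, rebuild `stripes_done` stripes, then fail a second disk."""
    disks = build_array()
    spare = rebuild_to_spare(disks, first_failed, stripes_done)
    return stripe_status(disks, first_failed, second_failed, spare)


if __name__ == "__main__":
    for done in (STRIPES, 6, 0):
        result = simulate(done)
        print(f"rebuilt {done}/{STRIPES} stripes before second failure: "
              f"{result.count('lost')} stripes lost")
```

Stripes rebuilt before the second failure are still missing only one member, so they stay readable; every stripe behind the rebuild pointer is missing two and has to come from backup.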
RE: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses
Try this: ldifde -f smtpaddress.ldf -s myserver -r (objectClass=user) -l ProxyAddresses=SMTP:* Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Sent: Wednesday, April 06, 2005 10:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses ldifde -f smtpaddress.ldf -s myserver -r (objectClass=user) -l ProxyAddress Which did not return users ProxyAddresses; I am looking for their SMTP addresses. Any suggestions? This is what is returned:
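Post-processing an LDIF export for the goal in this thread, as an added example that is not code from the list: it unfolds wrapped LDIF lines (continuations start with a single space), decodes base64 (`::`) values, and pulls the SMTP entries out of proxyAddresses, skipping entries that carry no such attribute. The sample LDIF, the user names and the function names are constructed, and the export is assumed to already contain proxyAddresses values.

```python
"""Extract SMTP addresses from an LDIF export (sample data is constructed)."""
import base64

# Constructed sample: one folded DN, one base64 ("::") value, and one
# container entry that has no proxyAddresses at all.
_B64 = base64.b64encode(b"SMTP:folded@testing.local").decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: CN=Test User,CN=Users,DC=testing,DC=local",
    "changetype: add",
    "proxyAddresses: SMTP:test.user@testing.local",
    "proxyAddresses: smtp:tuser@testing.local",
    "proxyAddresses: X400:c=US;a= ;p=Testing;o=Exchange;s=User;g=Test;",
    "",
    "dn: CN=Long Name,OU=Staff,DC=testi",
    " ng,DC=local",
    "changetype: add",
    "proxyAddresses:: " + _B64,
    "",
    "dn: CN=Users,DC=testing,DC=local",
    "changetype: add",
    "",
])


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Return a list of records, each a list of (lowercased attribute, value)."""
    records, current = [], []
    for line in unfold(text) + [""]:
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.append((attr.strip().lower(), value))
    return records


def smtp_addresses(text):
    """Map DN -> primary and alias SMTP addresses for entries that have any."""
    result = {}
    for record in parse_records(text):
        dn = next((v for a, v in record if a == "dn"), None)
        entry = {"primary": None, "aliases": []}
        for attr, value in record:
            if attr != "proxyaddresses":
                continue
            prefix, _, address = value.partition(":")
            if prefix == "SMTP":      # upper-case prefix marks the primary address
                entry["primary"] = address
            elif prefix == "smtp":    # lower-case prefix marks a secondary address
                entry["aliases"].append(address)
        if dn and (entry["primary"] or entry["aliases"]):
            result[dn] = entry
    return result


if __name__ == "__main__":
    for dn, entry in smtp_addresses(SAMPLE_LDIF).items():
        print(dn, entry["primary"], entry["aliases"])
```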
RE: [ActiveDir] Change Password Policy
It is domain specific so it is all or nothing with respect to the domain you apply it to. You can however set on individual users under the account tab, password never expires option which effectively keeps you from having to change the password, this is usually used for user created service accounts for applications, etc. See article for more information. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen Sent: Wednesday, April 06, 2005 2:58 PM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Change Password Policy Hello, We are looking to implement a gpo to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide. Thanks
RE: [ActiveDir] time sync script
I believe that Windows time uses the system's BIOS clock in some way. If your system was old and the BIOS battery had weakened or quit then the next time you boot the clock would be off by minutes and Windows would have to update itself again against the domain. At least I think the above is true I could be wrong. Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, April 05, 2005 2:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] time sync script Matt, I did this once with a batch file that ran through a computer list - something like this: For %%i in (computers.txt) do net time \\%%i /DOMAIN:yourdomain /SET I got the computers.txt with a net view computers.txt I think there is a /y that causes it to not ask for confirmation. As I just saw someone else pointed out, no, you shouldn't have to do this. For some reason we did though, some were out of sync by over 15 minutes. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 --- I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Tuesday, April 05, 2005 1:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] time sync script If you're talking about a script that runs on the client machines, then just use the 'net time' command in a logon script. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, April 05, 2005 2:20 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] time sync script Anybody have a script that can check the time on client machines and auto sync them with the Domain Controller? 
Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System Specialist Eastern Washington University
[ActiveDir] OT (sort of) ADC entry in Active Directory
Everyone, We recently switched over to Exchange 2000 Native mode (successfully) making sure to remove config_ca, srs databases, and then uninstalling the Active Directory Connector from all the servers within our organization. Switched to Exchange 2000 Native mode and waited for replication and all of the features of Exchange 2000 Native mode are present ie everything is running smoothly. I was using ADSI Edit to check some things in the configuration container and noticed we still have a container called Active Directory Connections under Services\Microsoft Exchange. In the container there is one object called Default ADC Policy. I figured when we switched over it would be removed, nope. Anyone have any ideas as to what I should do? Delete it? Leave it? It does not seem to be bother anything within our Exchange organization just bother me :^) Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] OT (sort of) ADC entry in Active Directory
Thanks everyone. I did not know that a raw installation with no ADC installation would have that container. Interesting. Thanks for the information, good thing I did nothing. Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, March 25, 2005 1:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (sort of) ADC entry in Active Directory There's no point in deleting it either. You could, but why mess with it? In native mode, it won't matter. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 25, 2005 11:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (sort of) ADC entry in Active Directory Not sure if you can delete it or not, however a raw forest with Exchange loaded without ever using ADC will have the Active Directory Connections container. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Friday, March 25, 2005 8:22 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT (sort of) ADC entry in Active Directory Everyone, We recently switched over to Exchange 2000 Native mode (successfully) making sure to remove config_ca, srs databases, and then uninstalling the Active Directory Connector from all the servers within our organization. Switched to Exchange 2000 Native mode and waited for replication and all of the features of Exchange 2000 Native mode are present ie everything is running smoothly. I was using ADSI Edit to check some things in the configuration container and noticed we still have a container called Active Directory Connections under Services\Microsoft Exchange. In the container there is one object called Default ADC Policy. I figured when we switched over it would be removed, nope. Anyone have any ideas as to what I should do? Delete it? Leave it? 
It does not seem to be bother anything within our Exchange organization just bother me :^) Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] OT: VBScript Question
The issues that I am referring to are security violations which are instances where someone has violated the proper handling of data. The Navy, Department of Defense requires that we defrag the exchange information store. Moving user mailboxes is not an option. The reason I am creating this script is I have been all the departments in separate information stores. I am hoping that when one of these violations occurs I can just dismount that department's store, defrag, then mount again. This will allow me to keep every other department up and running. Currently we stop all Exchange services, defrag the one store, then start the Exchange services effectively bringing everyone on that server down. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 10:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Figured the Navy was still part of the government :) I asked the question because the only time I would *ever* want to defrag a db in Exchange 200x is because I was forced to. Otherwise, I would prefer to move the user mailstores to an alternate db on the same server instead. It would be a) safer and b) faster and c) just generally a better idea than defragging a db in place and taking those kinds of chances. It's not like 5.5 when you had only one store instance. You can move the user mail stores around almost at will (as long as they're not logged on of course) and clients don't even have to update at this point. They'll get the new (by default defragged) db, and you'll have made the problem that drove you there go away. I'm interested in "issues" that would cause you to want to defrag as I just plain don't understand at this point and hate to offer advice without full understanding of the possible ramifications and issues that may be present.
I think Marcus posted some useful coding techniques that should help you recapture the command line information. From there you should be able to push it to a log file, which I think is what you were after in the first place (vs. piping it from the command line to the text file). Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]Sent: Thursday, March 03, 2005 6:53 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: VBScript Question I work for the government and we have to run offline defrags after hours for issues that arise. In the past we just had a batch file that stopped all exchange services on a machine and then ran the offline defrag then restarted the services. We want to streamline the process. Jeremy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, March 03, 2005 5:51 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: VBScript Question Before getting to a better idea to automate, I have to ask is this something to automate? What drives you to want to automate the off-line defragmentation in Exchange 2000 and what makes you want to do that in the first place? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]Sent: Thursday, March 03, 2005 5:43 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: VBScript Question Everyone, I am creating a VB script that is dismounting, defraging, then mounting exchange information stores on an exchange server. My script is complete but I want to improve it. The problem I am having is that I build a command line to run eseutil and call it using WshShell Object Run Method which is appended to a file using the sign(s) with the bWaitOnReturn set to True (see link for more info). Unfortunately, this causes my script to wait as it should but I have no idea what is going on since the log file is not written to until eseutil completes its pass. 
So the commandline just sits there while my script and eseutil run in the background. Is there anyway to output to both the command line and the output file the progress of eseutil? Better ideas for providing more information on the script running to the user? TIA. http://msdn.microsoft.com/library/default.asp?url=""> Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing." - Edmund Burke "It is not how many times you get knocked down, it is how many times you get back up." - Vince Lombardi
RE: [ActiveDir] OT: VBScript Question
Joe is correct. If a message is removed from an information store and a defrag is performed that message is permanently deleted from the information store shrinking the information store database and returning the free space to the OS. Most security violations involve email, i.e. someone sending information in the body of a message and/or as an attachment to a message. Obviously I know Microsoft recommends not defragging unless you moved a lot of users out of an information store plus other reasons (don't have the article in front of me). However, since the Navy says we have to do it, I do it :^) Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 04, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question My expectation is to scramble the layout of the info on the disk for the store after the removal of the messages with the info that shouldn't be there. Deleting and then defragging is a fairly common generic practice to try and remove all traces of information on a disk. I am not sure if this will work well with the istore, but I expect it might. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 04, 2005 10:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question I am not trying to imply that there is something wrong with your practice, so don't take offence. But, what is the correlation between violations and defrag? I am trying to understand what the defrag is supposed to do, post-violation. Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Friday, March 04, 2005 3:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question The issues that I am referring to are security violations, which are instances where someone has violated the proper handling of data. The Navy, Department of Defense requires that we defrag the exchange information store. Moving user mailboxes is not an option. The reason I am creating this script is I have been all the departments in separate information stores. I am hoping that when one of these violations occurs I can just dismount that department's store, defrag, then mount again. This will allow me to keep every other department up and running. Currently we stop all Exchange services, defrag the one store, then start the Exchange services effectively bringing everyone on that server down. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 10:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Figured the Navy was still part of the government :) I asked the question because the only time I would *ever* want to defrag a db in Exchange 200x is because I was forced to. Otherwise, I would prefer to move the user mailstores to an alternate db on the same server instead. It would be a) safer and b) faster and c) just generally a better idea than defragging a db in place and taking those kinds of chances. It's not like 5.5 when you had only one store instance. You can move the user mail stores around almost at will (as long as they're not logged on of course) and clients don't even have to update at this point. They'll get the new (by default defragged) db, and you'll have made the problem that drove you there go away. I'm interested in "issues" that would cause you to want to defrag as I just plain don't understand at this point and hate to offer advice without full understanding of the possible ramifications and issues that may be present. I think Marcus posted some useful coding techniques that should help you recapture the command line information. From there you should be able to push it to a log file, which I think is what you were after in the first place (vs. piping it from the command line to the text file). Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, March 03, 2005 6:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question I work for the government and we have to run offline defrags after hours for issues that arise. In the past we just had a batch file that stopped all exchange services on a machine and then ran the offline defrag then restarted the services. We want to streamline the process. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 5:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Before getting to a better idea to automate, I have to ask is this something to automate? What drives you to want to automate the off-line defragmentation in Exchange 2000 and what makes you want to do that in the f
RE: [ActiveDir] OT: VBScript Question
Sorry Al I have looked at what Marcus provided and it shows promise. I will post back after I get a chance to integrate it into my code. Thanks for the help everyone. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Friday, March 04, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Joe is correct. If a message is removed from an information store and a defrag is performed that message is permanently deleted from the information store shrinking the information store database and returning the free space to the OS. Most security violations involve email, i.e. someone sending information in the body of a message and/or as an attachment to a message. Obviously I know Microsoft recommends not defragging unless you moved a lot of users out of an information store plus other reasons (don't have the article in front of me). However, since the Navy says we have to do it, I do it :^) Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 04, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question My expectation is to scramble the layout of the info on the disk for the store after the removal of the messages with the info that shouldn't be there. Deleting and then defragging is a fairly common generic practice to try and remove all traces of information on a disk. I am not sure if this will work well with the istore, but I expect it might. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 04, 2005 10:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question I am not trying to imply that there is something wrong with your practice, so don't take offence. But, what is the correlation between violations and defrag? I am trying to understand what the defrag is supposed to do, post-violation. Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Friday, March 04, 2005 3:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question The issues that I am referring to are security violations, which are instances where someone has violated the proper handling of data. The Navy, Department of Defense requires that we defrag the exchange information store. Moving user mailboxes is not an option. The reason I am creating this script is I have been all the departments in separate information stores. I am hoping that when one of these violations occurs I can just dismount that department's store, defrag, then mount again. This will allow me to keep every other department up and running. Currently we stop all Exchange services, defrag the one store, then start the Exchange services effectively bringing everyone on that server down. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 10:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Figured the Navy was still part of the government :) I asked the question because the only time I would *ever* want to defrag a db in Exchange 200x is because I was forced to. Otherwise, I would prefer to move the user mailstores to an alternate db on the same server instead. It would be a) safer and b) faster and c) just generally a better idea than defragging a db in place and taking those kinds of chances. It's not like 5.5 when you had only one store instance. You can move the user mail stores around almost at will (as long as they're not logged on of course) and clients don't even have to update at this point. They'll get the new (by default defragged) db, and you'll have made the problem that drove you there go away. I'm interested in "issues" that would cause you to want to defrag as I just plain don't understand at this point and hate to offer advice without full understanding of the possible ramifications and issues that may be present. I think Marcus posted some useful coding techniques that should help you recapture the command line information. From there you should be able to push it to a log file, which I think is what you were after in the first place (vs. piping it from the command line to the text file). Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, March 03, 2005 6:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question I work for the government and we have to run offline defrags after hours for issues that arise. In the past we just had a batch file that stopped all exchange services on a machine and then ran the offline defrag then restarted the services. We want to streamline the process. Jeremy

From: [EMAIL PROTECTED] [mai
RE: [ActiveDir] OT: VBScript Question
We never got a straight answer from Microsoft. As you know with most OSs when you delete a file you are not physically removing it from the hard drive, you are just removing the pointer to it in the address table and marking the space that the file takes up as being free to be written to. The maintenance interval that Exchange runs nightly effectively does what a defrag does without shrinking the database and we believe marks sections of the database free to be written to without actually zeroing out the data, it just removes the pointers to the data. So if someone happened to get access to the Exchange database before the A manual defrag forces the exchange database to free up the empty space returning it to the OS. Since the data is no longer a part of the database the data values are no longer valid and are garbage since there are no database pointers to reference the data. I hope this answers your question and makes sense. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, March 04, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Doesn't zeroing out the db do that? I'm not sure, just asking... thanks

-Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, March 04, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question My expectation is to scramble the layout of the info on the disk for the store after the removal of the messages with the info that shouldn't be there. Deleting and then defragging is a fairly common generic practice to try and remove all traces of information on a disk. I am not sure if this will work well with the istore, but I expect it might. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 04, 2005 10:37 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question I am not trying to imply that there is something wrong with your practice, so don't take offence. But, what is the correlation between violations and defrag? I am trying to understand what the defrag is supposed to do, post-violation. Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Friday, March 04, 2005 3:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question The issues that I am referring to are security violations, which are instances where someone has violated the proper handling of data. The Navy, Department of Defense requires that we defrag the exchange information store. Moving user mailboxes is not an option. The reason I am creating this script is I have been all the departments in separate information stores. I am hoping that when one of these violations occurs I can just dismount that department's store, defrag, then mount again. This will allow me to keep every other department up and running. Currently we stop all Exchange services, defrag the one store, then start the Exchange services effectively bringing everyone on that server down. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 10:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Figured the Navy was still part of the government :) I asked the question because the only time I would *ever* want to defrag a db in Exchange 200x is because I was forced to. Otherwise, I would prefer to move the user mailstores to an alternate db on the same server instead. It would be a) safer and b) faster and c) just generally a better idea than defragging a db in place and taking those kinds of chances. It's not like 5.5 when you had only one store instance. You can move the user mail stores around almost at will (as long as they're not logged on of course) and clients don't even have to update at this point. They'll get the new (by default defragged) db, and you'll have made the problem that drove you there go away. I'm interested in "issues" that would cause you to want to defrag as I just plain don't understand at this point and hate to offer advice without full understanding of the possible ramifications and issues that may be present. I think Marcus posted some useful coding techniques that should help you recapture the command line information. From there you should be able to push it to a log file, which I think is what you were after in the first place (vs. piping it from the command line to the text file). Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, March 03,
[ActiveDir] OT: VBScript Question
Everyone, I am creating a VB script that is dismounting, defragging, then mounting exchange information stores on an exchange server. My script is complete but I want to improve it. The problem I am having is that I build a command line to run eseutil and call it using WshShell Object Run Method which is appended to a file using the sign(s) with the bWaitOnReturn set to True (see link for more info). Unfortunately, this causes my script to wait as it should but I have no idea what is going on since the log file is not written to until eseutil completes its pass. So the command line just sits there while my script and eseutil run in the background. Is there any way to output to both the command line and the output file the progress of eseutil? Better ideas for providing more information on the script running to the user? TIA. http://msdn.microsoft.com/library/default.asp?url= Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
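The question above asks how to watch eseutil's progress on the console while also logging it. One way, shown here as an added example that is not the poster's script or code posted to the list, is to call WshShell.Exec instead of Run and copy the child's output to both places as it arrives. The database and log paths are placeholders, and the helper name RunAndTee is hypothetical.

```vbscript
' Added example: stream a console tool's output to the screen and to a log.
' Run with cscript.exe; WScript.StdOut is not available under wscript.exe.
Option Explicit

Const FOR_APPENDING = 8
Const WSH_RUNNING = 0

' Placeholder paths (assumptions, not taken from the original post).
Const DB_PATH = "D:\Exchsrvr\mdbdata\dept1.edb"
Const LOG_PATH = "C:\Logs\defrag.log"

Dim exitCode
exitCode = RunAndTee("eseutil /d """ & DB_PATH & """", LOG_PATH)
If exitCode <> 0 Then
    WScript.StdErr.WriteLine "eseutil returned exit code " & exitCode
End If
WScript.Quit exitCode

' Runs cmdLine, echoing its output to the console and appending it to logFile.
' Returns the exit code of the command.
Function RunAndTee(cmdLine, logFile)
    Dim shell, fso, logStream, proc, ch
    Set shell = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set logStream = fso.OpenTextFile(logFile, FOR_APPENDING, True)
    logStream.WriteLine Now & " START " & cmdLine

    ' "cmd /c ... 2>&1" folds stderr into stdout so only one pipe has to be
    ' drained; reading one pipe while the other fills up can hang the child.
    Set proc = shell.Exec(shell.ExpandEnvironmentStrings("%COMSPEC%") & _
                          " /c " & cmdLine & " 2>&1")

    ' Read one character at a time: a progress bar drawn on a single line
    ' without a newline would leave ReadLine blocked until the pass ends.
    Do While Not proc.StdOut.AtEndOfStream
        ch = proc.StdOut.Read(1)
        WScript.StdOut.Write ch
        logStream.Write ch
    Loop

    ' End of stream does not guarantee the process has exited yet.
    Do While proc.Status = WSH_RUNNING
        WScript.Sleep 100
    Loop

    logStream.WriteLine
    logStream.WriteLine Now & " EXIT " & proc.ExitCode
    logStream.Close
    RunAndTee = proc.ExitCode
End Function
```

Because the exit code is returned to the caller, the surrounding script can decide whether to remount the store or stop and alert an operator.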
RE: [ActiveDir] OT: VBScript Question
I work for the government and we have to run offline defrags after hours for issues that arise. In the past we just had a batch file that stopped all exchange services on a machine and then ran the offline defrag then restarted the services. We want to streamline the process. Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, March 03, 2005 5:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: VBScript Question Before getting to a better idea to automate, I have to ask is this something to automate? What drives you to want to automate the off-line defragmentation in Exchange 2000 and what makes you want to do that in the first place? Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, March 03, 2005 5:43 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: VBScript Question Everyone, I am creating a VB script that is dismounting, defragging, then mounting exchange information stores on an exchange server. My script is complete but I want to improve it. The problem I am having is that I build a command line to run eseutil and call it using WshShell Object Run Method which is appended to a file using the sign(s) with the bWaitOnReturn set to True (see link for more info). Unfortunately, this causes my script to wait as it should but I have no idea what is going on since the log file is not written to until eseutil completes its pass. So the command line just sits there while my script and eseutil run in the background. Is there any way to output to both the command line and the output file the progress of eseutil? Better ideas for providing more information on the script running to the user? TIA. http://msdn.microsoft.com/library/default.asp?url= Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing." - Edmund Burke "It is not how many times you get knocked down, it is how many times you get back up." - Vince Lombardi
[ActiveDir] OT Sort of: Exchange 2000 ADC Problem
We are moving to Exchange 2000 native mode. We have a problem where we deleted two SRS databases that did not delete the Config CA from the ADC. Now there are two options. In doing some searching I found where someone had a similar problem and they deleted the ADC service in Sites in Services under the Exchange settings. I did some searching in ADSI Edit and found where the Config CAs are held. I am able to delete them if needed. So what are the recommendations? Delete from Active Directory directly or remove the ADC service all together using Sites Services? I have my own idea as to which one I would do but I wanted to see what you guys thought. - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] OT Sort of: Exchange 2000 ADC Problem
Al, Yes that is what I am saying, for whatever reason after deleting the SRS databases the Config_CAs for those sites remain. The KB article you mention is what our procedure is directly based off of. We have 10 sites; this happened at two of them. Jeremy

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, March 02, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT Sort of: Exchange 2000 ADC Problem Are you saying that you removed the SRS db's but the config_CA didn't go away? Why? As for which tool, sites and services would be preferred vs. ADSIEDIT method in most cases. There's not enough information to know for this one however. I'm also assuming you've seen http://support.microsoft.com/kb/272314 and been following it. Al

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Wednesday, March 02, 2005 1:26 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT Sort of: Exchange 2000 ADC Problem We are moving to Exchange 2000 native mode. We have a problem where we deleted two SRS databases that did not delete the Config CA from the ADC. Now there are two options. In doing some searching I found where someone had a similar problem and they deleted the ADC service in Sites in Services under the Exchange settings. I did some searching in ADSI Edit and found where the Config CAs are held. I am able to delete them if needed. So what are the recommendations? Delete from Active Directory directly or remove the ADC service all together using Sites Services? I have my own idea as to which one I would do but I wanted to see what you guys thought. - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] OT: Exchange 2003 Forestprep
Are you running the forestprep directly on the server that holds the schema master role? Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst Sent: Wednesday, February 16, 2005 11:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Exchange 2003 Forestprep Pre-requisites all in place and all DC's are GC's so I guess it can't be that. I feel a PSS call coming :-)

[EMAIL PROTECTED] wrote: Assuming that the necessary components (SMTP, NNTP, ASP, etc) are already in place on the Exchange server, the only thing I have seen that causes that error is where there is no GC at the site where the Exchange server is located. I have no explanation for why it is so, but I ran into this twice already. In both situations, there were already E2K in place and functional and installing a new E2K at the site does not present the same problem. The problem only manifested itself when installing E2K3. Putting up a GC at the site and allowing time for replication was the only way I was able to get E2K3 installed. YMMV Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacqui Hurst Sent: Wed 2/16/2005 6:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Exchange 2003 Forestprep This is a shot in the dark but has anyone experienced (and solved) this before. Forestprep was run quite sometime ago on a clean Windows 2003 AD environment. In addition to this a couple of other schema extensions have been applied (ILO and Novadigm extensions). I am now in the process of installing Exchange 2003 after completing the setup and sync with ADC. When I run the setup I receive the following error: Setup failed while installing sub component Microsoft Exchange Organization-Level Container chilren with error code 0xc1037ae6. I have looked at the LDIF.err file and found it to be failing when trying to modify an object in the CN=Address-Templates container (within Exchange part of configuration container). I have looked in here and found that there are no template objects. I uninstalled Exchange (fully) and rerun forestprep but this still hasn't created them. The account being used to install Exchange has Schema, Enterprise, Exchange delegation, local machine admin rights but I didn't think it really needed all this once the forestprep had been run. I have looked at article 870829 but unless I'm doing something wrong this doesn't appear to help (I did change the paths while the setup was halfway through (at the error) and tried a retry instead of cancel and rerunning the setup process as it takes an age to complete the installation and then remove it to start again). Hope all this makes sense, after all it is 2am. Cheers Jacqui
RE: [ActiveDir] setting robocopy to skip inaccessible files
/R:n : number of Retries on failed copies - default is 1 million. http://www.ss64.com/nt/robocopy.html Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya Sent: Monday, January 31, 2005 7:58 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] setting robocopy to skip inaccessible files Colleagues, I need to set robocopy to skip those files that are inaccessible. So far if robocopy comes across an inaccessible file it will keep on retrying. I would like to skip it and carry on copying. I am using the /MIR switch. Your help will be greatly appreciated. Thank you in advance. Regards, Lucia Washaya Tel: 5497 The cobra will bite whether you call it Cobra or Mr. Cobra.
[ActiveDir] OT: Service Recovery
I am setting up a batch file that will do the following: - Send notification to IT admins - Attempt to restart the service I have completed my batch file and want to test it in our test environment. Anyone have any idea how to get Windows 2000 to actually fail a service to test my batch file? I can't seem to find a way to get Windows 2000 service to actually fail (maybe a good thing) to test the batch file any ideas? Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi
RE: [ActiveDir] OT: Service Recovery
Tried that already, both in the services mmc and from the task manager. I believe Windows 2000 Server sees it as a graceful shutdown, hence does not try to run the file. Jeremy

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Thursday, December 02, 2004 11:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Service Recovery How about stopping the service manually? Phil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Thursday, December 02, 2004 11:28 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Service Recovery I am setting up a batch file that will do the following: - Send notification to IT admins - Attempt to restart the service I have completed my batch file and want to test it in our test environment. Anyone have any idea how to get Windows 2000 to actually fail a service to test my batch file? I can't seem to find a way to get Windows 2000 service to actually fail (maybe a good thing) to test the batch file any ideas? Jeremy - Jeremy Burkes Strategic Systems Program MIS Department [EMAIL PROTECTED] PH: 202-764-1270 All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Service Recovery
Tried that as well. Disabled Print Spooler, which the Fax Service depends on and tried starting the Fax Service, got the dependency error but no batch file. I have echo on and a pause at the end to keep the batch window open when it runs for testing purposes. Jeremy

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler Sent: Thursday, December 02, 2004 11:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] OT: Service Recovery maybe disable a dependent service then reboot? or if you can't afford a reboot maybe stop your service, stop and disable a dependent service, then restart your service which should fail. hth, john

Burkes, Jeremy [Contractor] wrote: I am setting up a batch file that will do the following: - Send notification to IT admins - Attempt to restart the service I have completed my batch file and want to test it in our test environment. Anyone have any idea how to get Windows 2000 to actually fail a service to test my batch file? I can't seem to find a way to get Windows 2000 service to actually fail (maybe a good thing) to test the batch file any ideas? Jeremy
RE: [ActiveDir] WAN outage caused issues...
I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example, if you give hostname and the workstation's domain name is domain.com, it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is:

1. DNS Cache
2. Local Hosts File (host file)
3. DNS Server
4. LMHost File
5. WINS

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding.

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on and resolve the DC?

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because of the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...

Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...

What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in a Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks
RE: [ActiveDir] Quasi DC Administrator Service Issue
Just to let everyone know, after analyzing what was going on, I found this Microsoft article to be the most likely culprit. http://support.microsoft.com/default.aspx?scid=kb;EN-US;257247

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Burkes, Jeremy [Contractor]
Sent: Monday, August 02, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Quasi DC Administrator Service Issue

We have some network administrators that do not have full domain administrative access (not in the domain admins group). We have given their accounts, through the default domain controller group policy, the ability to manage some domain controller services, mainly the print spooler and the tcp/ip print service, with full control access. When they try to stop or start the service they get error code 5: access is denied. These users are also in server and print operators group(s). Any ideas?

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270
[ActiveDir] Quasi DC Administrator Service Issue
We have some network administrators that do not have full domain administrative access (not in the domain admins group). We have given their accounts, through the default domain controller group policy, the ability to manage some domain controller services, mainly the print spooler and the tcp/ip print service, with full control access. When they try to stop or start the service they get error code 5: access is denied. These users are also in server and print operators group(s). Any ideas?

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270
RE: [ActiveDir] AD and Exchange - Slightly OT
Do you have any custom recipient policies or did you modify the default recipient policy?

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270

-Original Message-
From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

Hello! Please assist, sorry for the slightly OT post:

Situation: We have a security root domain (root) and below it our primary child domain (Domain A). We recently created a second domain underneath the root domain (domain B) with a two way trust between the two child domains (A and B). Our DNS for Domain A and B both forward up to the root. Our Exchange 2003 server is sitting in Domain A. I recently created a user (with a mailbox) on Domain B from the Exchange server in Domain A: TestUser1.

Problem(s): Exchange never stamped an email address onto TestUser1. I created an SMTP address for the user manually. Now I want to create an Outlook profile and Outlook does not see the new user. The Outlook client is installed on a machine that is connected to Domain B as is TestUser1's account. The machine has a static IP, DNS, and WINS. DNS and WINS are both pointing to the new Domain (B). Do I have a DNS problem? I can resolve other names that are already in the GAL via the Outlook client, but not TestUser1.

Any advice you can give would be greatly appreciated! Thanks!

Joe Pelle Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 [EMAIL PROTECTED] http://www.valassis.com/
RE: [ActiveDir] AD and Exchange - Slightly OT
Sorry, I meant to say: do you have any custom recipient policies above the default recipient policy and/or do you have a RUS for your second domain, domain B?

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270

-Original Message-
From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:26 PM
To: ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] AD and Exchange - Slightly OT

Hello! Please assist, sorry for the slightly OT post:

Situation: We have a security root domain (root) and below it our primary child domain (Domain A). We recently created a second domain underneath the root domain (domain B) with a two way trust between the two child domains (A and B). Our DNS for Domain A and B both forward up to the root. Our Exchange 2003 server is sitting in Domain A. I recently created a user (with a mailbox) on Domain B from the Exchange server in Domain A: TestUser1.

Problem(s): Exchange never stamped an email address onto TestUser1. I created an SMTP address for the user manually. Now I want to create an Outlook profile and Outlook does not see the new user. The Outlook client is installed on a machine that is connected to Domain B as is TestUser1's account. The machine has a static IP, DNS, and WINS. DNS and WINS are both pointing to the new Domain (B). Do I have a DNS problem? I can resolve other names that are already in the GAL via the Outlook client, but not TestUser1.

Any advice you can give would be greatly appreciated! Thanks!

Joe Pelle Infrastructure Architect Information Technology Valassis / IT 19975 Victor Parkway Livonia, MI 48152 Tel 734.591.7324 Fax 734.632.6151 [EMAIL PROTECTED] http://www.valassis.com/
[ActiveDir] OT: Exchange 2000 SPAM Filtering
Our organization is running Exchange 2000. We recently put up an SMTP Gateway between our firewall and Exchange 2000 Email Gateway to fend off SPAM and viruses giving us a good choke point for both. We are using Symantec Mail Security for SMTP which does not require Exchange 2000 to run on. It is a very good product by Symantec but we remain unimpressed as it gives no automated reporting or performance monitoring.

Does anyone have a product that combats viruses and SPAM while providing automated reporting and performance monitoring, preferably one that does not require Exchange 2000 to run? We want to stay away from having to maintain another Exchange server if we can help it as we would not put any user mailboxes on it.

Thanks in advance and sorry for the OT discussion if it offends anyone.

Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270
[ActiveDir] OT: Exchange SMTP Relay Precedence
Here is the scenario: I have two Exchange servers in different routing groups called ServerA and ServerB. ServerA has an SMTP Connector to an external domain (externaldomainA.com) using a smart host with a Connector Scope of Entire Organization and "Allow messages to be relayed to these domains" checked. ServerB's SMTP virtual server does not allow relay ("Only the list below" is checked).

We want to allow another external domain (externaldomainB.com) the ability to relay through ServerB to ServerA instead of using the internet to send mail to externaldomainA.com. We figured that an SMTP connector scoped to the Entire Organization with "Allow messages to be relayed to these domains" checked would let externaldomainB relay through ServerB to ServerA to externaldomainA, but that does not seem to be true as we get the 550 error (5.7.1 Cannot Relay).

Do the settings in the SMTP Virtual Server take precedence over an SMTP connector in another routing group? Do we have to open up ServerB's virtual server to externaldomainB.com to allow it to relay? TIA.

Jeremy
[ActiveDir] Windows 2000 Security Log Rights
Okay everyone, probably a stupid question, but here it goes. We have a user who has some rights to domain controllers but not full administrative rights. We want this user to be able to view only the security log. Is there a way to provide just view only rights to the security log? I am assuming this is not possible since it would be in the same section where you find managing auditing and security log in group policy under computer configuration\windows settings\security settings\local policies\user right assignments. But I just wanted to check to see if you guys knew anything different. TIA.

Jeremy
RE: [ActiveDir]
If someone already suggested this I apologize. You can set him up as a local admin using group policy in AD if the boxes are all 2K or XP. Under Computer Configuration\Windows Settings\Security Settings\Restricted Groups. Create a group like desktop admins and put the user in that group. Add the group to the restricted groups container with local admin rights; any workstations that fall under the group policy will add the user as a local admin. Hope this helps.

Jeremy

-Original Message-
From: Bruce Clingaman [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

You could add him to the local administrators group using the computer management tool | connect to another computer. The addusers.exe can add users to local groups using the cmd or batch file.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

I guess it is kinda funny now that I think about it. I would not mind if the domain user in question was a member of all the clients' local admin group but I do not know of a way to accomplish this without visiting each desktop.

Jerry Scicom Data Services Minnetonka,Mn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, December 04, 2003 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

I hope that last comment was a joke...as I wouldn't want a "user" to have domain admin rights. If you find a good solution for this, I would be surprised, as I have looked for a better solution than just adding the user's domain account to the local admin group and can't find anything. I have been living with all "domain users" being members of their local machine admin group, and just hoping that they don't change the local admin user password. If all you are worried about is keeping the admin password so that you can get into the machine if you need...don't worry, there are always local machine administrator reset programs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Jerry Johnson
Sent: Thursday, December 04, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Hi, I have a user that needs to be able to install software on 2k and xp clients by visiting each desktop. All of our clients are set up with the same local admin password and we do not want him to know that password. Is this possible? He is currently just a domain user. Thank you

Jerry Scicom Data Services Minnetonka,Mn
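Added example, not part of the original thread: a check over the [Group Membership] section that a Restricted Groups policy like the one suggested in the first reply writes to the GPO's security template. It separates the authoritative "Members" form (which replaces a group's membership) from the additive "Member Of" form. The sample template, the domain SID, RID 1105 for a "Desktop Admins" group and the function names are all constructed for illustration.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "-512"        # well-known RID of Domain Admins

# Constructed sample: both forms side by side; the domain SID is a placeholder.
SAMPLE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}}."""
    groups, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"(.+?)__(members|memberof)\s*=\s*(.*)$", line, re.I)
        if section == "group membership" and m:
            group = m.group(1).strip().lstrip("*")
            values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
            entry = groups.setdefault(group, {"members": [], "memberof": []})
            entry[m.group(2).lower()] = values
    return groups

def audit(groups):
    """Flag authoritative entries and ones that would drop Domain Admins."""
    findings = []
    for group, entry in groups.items():
        if entry["members"]:
            # "Members" resets the group to exactly this list at policy refresh.
            findings.append(("authoritative", group, entry["members"]))
            if group == ADMINISTRATORS and not any(
                    sid.endswith(DOMAIN_ADMINS_RID) for sid in entry["members"]):
                findings.append(("drops-domain-admins", group, entry["members"]))
        for parent in entry["memberof"]:
            # "Member Of" only adds this group to the parent group.
            findings.append(("additive", group, [parent]))
    return findings
```
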