RE: [ActiveDir] Password Expiration

2006-06-26 Thread Cace, Andrew



Christine,
  They get prompted 120 days after their last password 
change.  If you haven't done so already, get a hold of acctinfo.dll from 
the Windows Resource Kit.  After registering this DLL, a new tab will be 
available to you in ADUC, which shows some password information for each 
user.  You'll be able to see when they last changed their password and when 
they will have to change it again.
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, June 26, 2006 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration

 


We have a 120 day password expiration GPO.  What happens if a user changes
their password in the 120 day time period?  Do they still get prompted when
the whole domain does, or do they get prompted 120 days after they reset their
password?
Thanks.
 

-Christine
 
 
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place 
Boston, MA 02216
 
617-748-6034
617-293-4407


smime.p7s
Description: S/MIME cryptographic signature
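The arithmetic behind the acctinfo.dll tab, as an added PowerShell example (not code from the thread). A password expires at pwdLastSet plus the maximum age in force, unless the account is flagged "Password never expires" or pwdLastSet is 0, which means "must change at next logon". The function is pure and the sample values are constructed, so the first part needs no domain; the commented live query assumes the ActiveDirectory module (Windows Server 2008 R2 and later).

```powershell
# Added example: compute password expiry from the raw AD values.
function Get-PasswordExpiry {
    param(
        [Parameter(Mandatory)] [long]     $PwdLastSet,        # raw FILETIME from AD
        [Parameter(Mandatory)] [timespan] $MaxPwdAge,         # domain or FGPP maximum age
        [bool] $PasswordNeverExpires = $false                  # userAccountControl bit 0x10000
    )
    # A MaxPasswordAge of 0 means the policy never expires passwords.
    if ($PasswordNeverExpires -or $MaxPwdAge -eq [timespan]::Zero) {
        return [pscustomobject]@{ State = 'NeverExpires'; ExpiresUtc = $null; DaysLeft = $null }
    }
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{ State = 'MustChangeAtLogon'; ExpiresUtc = $null; DaysLeft = 0 }
    }
    $lastSet  = [datetime]::FromFileTimeUtc($PwdLastSet)
    $expires  = $lastSet + $MaxPwdAge
    $daysLeft = [math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)
    $state    = if ($daysLeft -lt 0) { 'Expired' } else { 'Valid' }
    [pscustomobject]@{ State = $state; ExpiresUtc = $expires; DaysLeft = $daysLeft }
}

# Constructed sample values (no real accounts) against a 120-day policy.
$maxAge  = [timespan]::FromDays(120)
$now     = (Get-Date).ToUniversalTime()
$samples = @(
    @{ Name = 'jdoe';    PwdLastSet = $now.AddDays(-30).ToFileTimeUtc();  NeverExpires = $false }  # changed 30 days ago
    @{ Name = 'stale';   PwdLastSet = $now.AddDays(-200).ToFileTimeUtc(); NeverExpires = $false }  # changed 200 days ago
    @{ Name = 'svc_app'; PwdLastSet = $now.AddDays(-900).ToFileTimeUtc(); NeverExpires = $true  }  # flag set on the account
    @{ Name = 'newhire'; PwdLastSet = 0;                                  NeverExpires = $false }  # forced change at logon
)
foreach ($s in $samples) {
    $r = Get-PasswordExpiry -PwdLastSet $s.PwdLastSet -MaxPwdAge $maxAge -PasswordNeverExpires $s.NeverExpires
    '{0,-8} {1,-18} {2,5} {3}' -f $s.Name, $r.State, $r.DaysLeft, $r.ExpiresUtc
}

# Live version. Fine-grained password policies (2008+) can override the domain
# value, so resolve the policy per user instead of reading the domain once.
# Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
#     ForEach-Object {
#         $pol = Get-ADUserResultantPasswordPolicy $_
#         if (-not $pol) { $pol = Get-ADDefaultDomainPasswordPolicy }
#         Get-PasswordExpiry -PwdLastSet $_.pwdLastSet -MaxPwdAge $pol.MaxPasswordAge `
#                            -PasswordNeverExpires $_.PasswordNeverExpires |
#             Add-Member -NotePropertyName User -NotePropertyValue $_.SamAccountName -PassThru
#     }
```

On a 2008-level domain the constructed attribute msDS-UserPasswordExpiryTimeComputed gives the same answer directly; the function above is useful where that attribute is not available or when you want to see the inputs.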


RE: [ActiveDir] Address List based on OU

2006-06-06 Thread Cace, Andrew



Devon,
  I don't think it is possible to do an ldap 
query based on the parent OU.  In our environment, we have a script that 
runs nightly, which stamps some of the extensionAttribute values with something 
representative of their location.  We then base our queries off of that 
value.
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, June 06, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Address List based on OU


I have several sites that are sitting on one mailbox store but are located in
different OUs.  What LDAP query can I use to create an Exchange 2003 address
list, based on users that are in a particular OU?
 
-Devon


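A version of the nightly stamping job Andrew describes, as an added PowerShell example (not the script from the thread). An LDAP filter cannot match on a parent OU, so the job copies the site OU name into extensionAttribute15 and the Exchange address list filters on (extensionAttribute15=Boston). The assumed layout is CN=user,OU=Users,OU=<Site>,DC=...; the DN-to-site function is pure and is shown first on constructed DNs, and the commented live part assumes the ActiveDirectory module.

```powershell
# Added example: derive a site tag from a user's DN and stamp it into an attribute.
function Get-SiteFromDN {
    param([Parameter(Mandatory)][string] $DistinguishedName, [int] $Depth = 2)
    # Split on unescaped commas only, so "CN=Doe\, Jane,..." keeps its name intact.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    $ous  = @($rdns | Where-Object { $_ -match '^OU=' } | ForEach-Object { $_.Substring(3) })
    if ($ous.Count -lt $Depth) { return $null }      # user is not under a site OU
    return $ous[$Depth - 1]                          # e.g. Users, Boston -> Boston
}

# Constructed sample DNs (no directory is queried here).
$samples = @(
    'CN=Doe\, Jane,OU=Users,OU=Boston,DC=corp,DC=example',
    'CN=svc-backup,OU=Service Accounts,OU=Chicago,DC=corp,DC=example',
    'CN=Guest,CN=Users,DC=corp,DC=example'           # a container, not an OU: no site
)
foreach ($dn in $samples) { '{0,-8} <- {1}' -f (Get-SiteFromDN $dn), $dn }

# Nightly run. Only rewrite the attribute when it is wrong, so replication
# traffic and the directory-modify audit trail stay small.
# $changed = 0
# Get-ADUser -Filter * -Properties extensionAttribute15 |
#     ForEach-Object {
#         $site = Get-SiteFromDN $_.DistinguishedName
#         if ($site -and $_.extensionAttribute15 -ne $site) {
#             Set-ADUser $_ -Replace @{ extensionAttribute15 = $site }
#             $changed++
#         }
#     }
# "Updated $changed users"
```

Run the job under an account that has write access to that one attribute on the user OUs rather than as a Domain Admin; it touches every user object and needs nothing more.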


RE: [ActiveDir] LAG and LDAP queries

2006-06-06 Thread Cace, Andrew
 
Jason,
  You shouldn't have any problems with your ldap query if you use the
LDAPSERVERS.mydomain.mycompany.com DNS record that you proposed below.
Using that record is the same thing as using mydomain.mycompany.com.  Both
are records which point to another server.

Always glad to lend a hand to CCIT West.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAG and LDAP queries 

I have a group of applications (i.e. Siebel etc.) running from Unix boxes
using AD for LDAP.   I'm wanting to put in a lag infrastructure.

The queries from these apps basically look at mydomain.mycompany.com 389.
That's about as smart as they get.  So, I know this isn't an AD problem but
if I want my lag I have to figure this out for them.  I don't want one of
the lag servers to return their query (stale info). I have read through a
couple of LAG threads here and not really found anything referring to my
exact problem. I know I can kill all the SRV records and keep the Windows
boxes out but I have to keep the CNAME to let this replicate on schedule.

Anyone tried something like putting in a DNS record with just the DC's they
want to return queries?

LDAPSERVERS.mydomain.mycompany.com

Am I way off base(DN) sorry bad j/k




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




RE: [ActiveDir] Help with VB script to map printers

2005-12-07 Thread Cace, Andrew



You shouldn't need the extra quotes in the printer 
name/path.  The value of the variable is passed in its entirety, it doesn't 
get truncated because it contains spaces.  Someone else already recommended 
trying to connect to the printer from the Run line, I'll second 
that.
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, December 07, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Help with VB script to map printers

This should work:

UNCpath1 = "\\server.abc.private\""HP Color LaserJet 3500"""

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, December 07, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Help with VB script to map printers


Try using Chr(34) instead of quotes for your paths, i.e.

UNCpath1 = "\\server.abc.private\" & Chr(34) & "HP Color LaserJet 3500" & Chr(34)

Chr(34) is how you get quotes into a string - at least it's the only way I've
ever gotten to work... my WSH doesn't seem to like the double quotes I see some
people use sometimes (i.e. MsgBox "I said, ""Hello."" would always give me an
error.  MsgBox "I said, " & Chr(34) & "Hello." & Chr(34) works)
 
Rich
 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, December 07, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help with VB script to map printers
 
Hi -

I am trying to modify a VBS found on the Internet to map multiple printers.
This will be run for every user in an OU. I keep getting the following error
for line 8: 8007007B - The filename, directory name or volume syntax is
incorrect

I have played around with the syntax but think I am missing something very
basic here. Any thoughts?

I got this from:
http://www.computerperformance.co.uk/ezine/ezine16.htm#Example%203:%20Mapping%20Multiple%20Printers
 
'  Poached from Guy Thomas February 2004.
'  **
Dim multiPrinter, UNCpath1, UNCpath2, UNCpath3
UNCpath1 = "\\server.abc.private\HP Color LaserJet 3500"
UNCpath2 = "\\server.abc.private\HP LaserJet 3300"
' The posted script assigned UNCpath2 twice here and never set UNCpath3,
' so the third AddWindowsPrinterConnection call ran with an empty path.
UNCpath3 = "\\server.abc.private\HP LaserJet 5000"
Set multiPrinter = CreateObject("WScript.Network")
' The share name is passed whole; spaces in it need no extra quoting.
multiPrinter.AddWindowsPrinterConnection UNCpath1
multiPrinter.AddWindowsPrinterConnection UNCpath2
multiPrinter.AddWindowsPrinterConnection UNCpath3

'  WScript.Echo "Your printer is mapped from : " & UNCpath1 _
'    & "and from : " & UNCpath2
WScript.Quit
' End of VBScript












RE: [ActiveDir] remove logon script?

2005-12-06 Thread Cace, Andrew



Try putting the LDAP filter in 
double-quotes.
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 06, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?





I get the following 
error:
 
(objectClass was 
unexpected at this time.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?
 
It works 
against the current default domain which is the domain of the default domain 
controller. You can determine what that is with 
 
adfind -default -s base -dn
 
 
If you 
want it to work against another domain, remove -default and add -b domain_dn 
(i.e. change the search base of the adfind query).
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 06, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?
This will 
work for the currently logged in domain right?
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?
 
One tiny 
correction :)
 
adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 05, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?
Adfind 
and admod from joeware.net
 
adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath-
 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?
 
How can I remove the logon.bat from all my user (2000+) accounts at one time
in my domain?  I've switched to GPO for the logon scripts.
 
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
 










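The same bulk change with the ActiveDirectory module, as an added PowerShell example (not the adfind/admod pipeline from the thread). The filter is the one joe posted. Two things are added that a 2000-object change deserves: a backup of the old values, so the change can be reversed, and a -WhatIf dry run before anything is written. The quoting matters for the same reason Devon's command failed: cmd.exe treats an unquoted & as a command separator, whereas inside a PowerShell single-quoted string it is just a character. The ActiveDirectory module and write access to scriptPath on the user objects are assumed; the backup path is a placeholder.

```powershell
# Added example: clear scriptPath=logon.bat from every user, reversibly.
Import-Module ActiveDirectory

$filter = '(&(objectCategory=person)(objectClass=user)(scriptPath=logon.bat))'
$backup = Join-Path $env:TEMP ('scriptPath-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

function Get-LogonBatUsers {
    # Everything the filter matches, with the attribute we are about to clear.
    Get-ADUser -LDAPFilter $filter -Properties scriptPath
}

$targets = @(Get-LogonBatUsers)
"$($targets.Count) users still have scriptPath=logon.bat"

# Keep enough to restore: DN plus the old value.
$targets | Select-Object DistinguishedName, SamAccountName, scriptPath |
    Export-Csv -NoTypeInformation -Path $backup
"Backup written to $backup"

# Dry run: -WhatIf lists each object that would change without touching it.
$targets | Set-ADUser -Clear scriptPath -WhatIf

# Real run, once the dry run looks right:
# $targets | Set-ADUser -Clear scriptPath
# Verify nothing is left:
# @(Get-LogonBatUsers).Count    # expect 0

# Roll back from the backup if needed:
# Import-Csv $backup | ForEach-Object {
#     Set-ADUser -Identity $_.DistinguishedName -Replace @{ scriptPath = $_.scriptPath }
# }
```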


RE: [ActiveDir] FSMO role transfer

2005-11-30 Thread Cace, Andrew
It is available in the AD snap-ins.  In AD Domains & Trusts, you can
transfer the Domain Naming master by right-clicking the name of the snap-in
in tree-view and choosing Operations Master.  In ADUC, right-click the name
of the domain and choose Operations Master to transfer the RID, PDC, and
Infrastructure masters.  In the Schema Management snapin, you can transfer
the Schema master by right-clicking Active Directory Schema and choosing
Operations Master.

Next question...Why isn't there a single place to click all of these?

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer



If the task is that trivial
If the benefit is so great
Why isn't it part of the AD snap ins as a one button task?



David Adner wrote:
> I'm not debating the effort it takes to make the change.  I'm saying I 
> don't see the point in devoting whatever amount of effort it takes for 
> something that's going to provide benefit only, IMO, an extremely rare 
> case.  And if that case happened, the corrective action is also a 
> trivial process.  And again, I'm not saying I don't see your point; I just
don't agree with it.
>
>   
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Bahta 
>> Nathaniel V Contractor NASIC/SCNA
>> Sent: Wednesday, November 30, 2005 12:32 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] FSMO role transfer
>>
>> That process is trivial in itself.  It does not take much to transfer 
>> the roles before you conduct maintenance on a server.  Why not do it?  
>> It will save you cleaning up metadata after you seize a role of a 
>> failed operations master.  Sounds like a stitch in nine saves time 
>> concept to me.  I do not intend on taking every proactive measure 
>> either, but when it comes to the small and quickly implemented 
>> measures that could save plenty of time, I try to utilize all of them 
>> available.
>>
>> Is that agreeable?
>>
>> Nathaniel Vincent Bahta
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
>> Sent: Wednesday, November 30, 2005 1:24 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] FSMO role transfer
>>
>> Any proper maintenance plan has a backout plan and a recovery plan, 
>> so I am preparing for the possibility of an unexpected problem.  If 
>> I'm pulled into a dark room because something goes wrong then I 
>> should feel confident I'll leave that room with my hide mostly 
>> intact; it may be slightly singed, but I can live with that.  If 
>> management isn't the reasonable type then that's a different issue.
>>
>> If your philosophy is to take every proactive measure ahead of time 
>> possible, then that's fine.  I just don't see the point with regards 
>> to FSMO roles when the recovery action is a relatively trivial 
>> process.  This is obviously a matter of personal preference so I'm 
>> not trying to convince others to change.  I just found the concept 
>> unusual so I thought I'd share.
>>
>> 
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of 
>>> [EMAIL PROTECTED]
>>> Sent: Wednesday, November 30, 2005 10:16 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] FSMO role transfer
>>>
>>> I would rather, as stated earlier, assess the risk and then act 
>>> appropriately. The original poster never defined 'maintenance' in 
>>> detail.
>>>
>>> The original post did state that the box would be down for ~2 hours 
>>> for maintenance. This is clearly more than a patch and a
>>>   
>> reboot. We've
>> 
>>> been over that scenario and concluded that it carries a lesser risk.
>>>
>>> As joe said, if the maintenance all goes badly wrong, do
>>>   
>> you want to
>> 
>>> be pulled into a dark room and questioned as to why you did not 
>>> prepare for that eventuality?
>>>
>>>
>>> neil
>>>
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>> Sent: 30 November 2005 15:29
>>> To: ActiveDir@mail.activedir.org
>>> Subject: Re: [ActiveDir] FSMO role transfer
>>>
>>> Okay define maintenance please?
>>>
>>> Patching?
>>> Service Pack?
>>> Applying QFEs?
>>> Performance tuning?
>>> What?
>>>
>>> Is there a level of maintenance that would cause you to move FSMO's 
>>> and not?
>>>
>>> Like for example, if I'm patching, I've tested the patch, I'm 
>>> reasonably expecting a favorable outcome otherwise I wouldn't be 
>>> deploying, I have a backup.
>>>
>>> [EMAIL PROTECTED] wrote:
>>>
>>>   
 I think we've missed the essence of the original post :)
 
>>> The DCs are
>>>   
 not just being rebooted, they are being 'ma
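The "single place" Andrew asks for exists in the ActiveDirectory module that ships with Windows Server 2008 R2 and later; here it is as an added PowerShell example (not part of the thread). The assumed names are DC02 as the target and a single-domain forest. Transferring the Schema master needs Schema Admins and the Domain Naming master needs Enterprise Admins; the other three need Domain Admins.

```powershell
# Added example: transfer all five operations master roles in one call and verify.
Import-Module ActiveDirectory

$target = 'DC02'
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles are on the forest object, domain roles on the domain object.
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-Table -AutoSize

# This is a transfer, not a seizure: the current holder must be online and agree.
# Adding -Force turns it into a seizure, which is only for a holder that is gone
# for good and must be followed by metadata cleanup of the old DC.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

'After:'
Get-FsmoHolders | Format-Table -AutoSize

# Independent check that does not go through the module:
netdom query fsmo
```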

RE: [ActiveDir] AD Question for your peers-GPO

2005-10-04 Thread Cace, Andrew
I agree with Deji.  The separate OU method is much easier.  If you choose to
use security group filtering, you will have to reboot the servers after
adding them to the security group in order to force them to update their
Kerberos ticket.  If you can't reboot the servers, then you will have to
wait up to a week for them to update on their own.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 04, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO

Easiest way: put the servers in one OU and the non-servers in another OU.
Then create one policy for each OU.
 
There are other ways, like adding the servers to a security group and
filtering your policy by group membership. The separate OU formula is easier
- IMO.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


What would I do in this situation
 
One OU which all Computers join when they are added to the domain

I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups do not
contain the same users.
 
Now, I want to ensure that when I set a Restricted Policy, only the WSAdmins
are listed in the Local Admins group on the Workstations and SVRAdmins is
only a member of the local Administrators group on the Servers in the
default OU
 
Is this possible? From how I see it, if a restricted group is set on an OU,
then any computer which is a member of this OU receives this setting.
 
Sorry, this has always confused me, which is why I went for the scripted
option on startup.
 
thanks
 
Frank

[EMAIL PROTECTED] wrote:

Correct.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Tue 10/4/2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Question for your peers-GPO


Deji,

I may sound real stupid asking this, but if I add Administrators to the
Member Of attribute, how can I make sure this is only "local Administrators"
(e.g. local workstations or local member servers) and not the builtin
Administrators group (the one with Domain Admin permissions)?

Is this because the restricted groups GPO is only applied to the ClientsOU
and not at DDP level?

thanks

frank





[EMAIL PROTECTED] wrote:

Brian,

the "wipe and load" behavior is a thing of the past with the introduction of
the new "MemberOf" attribute. Here's a short reply I posted on another list a
while back.

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.
Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and apply
a group policy to ClientsOU. In that policy, you will create a restricted
group object, by adding GrpA. Then in the properties, you will choose the
"this group is a member of:" and type in "administrators".

By doing the above, the existing members of the "administrators" group are
not removed. The process will simply append GrpA to the membership list on
"administrators".
HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 10/3/2005 4:14 PM
To: ActiveDir@mail.activedir.org
Cc: '# Jose Medeiros-IBM (E-mail)'
Subject: RE: [ActiveDir] AD Question for your peers-GPO



Yes. You want to use the Restricted Groups function in the computer
config
area. Be aware it is a replacement not a merge, so, things already
in
there
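When a server has just been added to a GPO filtering group, the question is whether its own Kerberos ticket already carries that group. The following is an added PowerShell example (not from the thread) that checks this from the server's point of view and, if the ticket is stale, refreshes it without a reboot. It assumes Windows Vista/2008 or later, where klist is in the box and supports -li, an elevated session on the server, and a filtering group called GPO-ServerPolicy. gpresult is used rather than whoami because whoami reports the logged-on user's token, not the computer's.

```powershell
# Added example: does the computer's own ticket carry the GPO filtering group?
$group = 'GPO-ServerPolicy'    # assumed group name; gpresult lists domain groups without a domain prefix

function Test-ComputerTokenGroup {
    param([Parameter(Mandatory)][string] $GroupName)
    # gpresult evaluates the computer's own logon session, so the groups it prints are
    # the ones the DC put into the ticket, not what the directory says right now.
    $report = gpresult /r /scope computer 2>$null
    $hit = $report | Where-Object {
        $t = $_.Trim()
        $t -eq $GroupName -or $t -like "*\$GroupName"
    }
    return [bool]$hit
}

if (Test-ComputerTokenGroup $group) {
    "Ticket already carries $group; a policy refresh is enough."
    gpupdate /target:computer /force
} else {
    "Ticket is stale: purging the SYSTEM logon session (LUID 0x3e7) tickets."
    # The next policy refresh has to authenticate again and gets a TGT with the new SID.
    klist -li 0x3e7 purge
    gpupdate /target:computer /force
    if (Test-ComputerTokenGroup $group) {
        "Group is now in the ticket; the filtered policy applied without a reboot."
    } else {
        "Still missing: check that the group change has replicated to this site's DC, then reboot."
    }
}
```

The reboot Andrew recommends remains the simplest option; the purge is for the case where a reboot window is not available.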

RE: [ActiveDir] Domain controllers not replicating

2005-09-28 Thread Cace, Andrew
Have you verified that the IP address that the FQDN resolves to is correct?
Have you tried pinging DC1 from DC2 by IP and by name, and vice-versa?  Run
repadmin /showrepl locally on each DC and get the GUID from the top of the
output.  Are there any errors in repadmin?  Try to nslookup the GUID from
the other DC.  Other people have already recommended running dcdiag, also
run netdiag /v /fix.  Let us know of any pertinent errors.  Good luck.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig
Sent: Wednesday, September 28, 2005 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain controllers not replicating

I have a strange one.
  I have two sites in different cities, that are in one domain.  Both sites
are set up to replicate through a domain controller at each site.  Both
servers were talking and performing replication a week ago.  Now both sites
are not replicating.  I can ping both domain controllers from any
workstation in both sites.  I can also ping from the domain controller to
any workstation at any site.  I can also ping the other servers at both
sites, except for the domain controller at the other site that it is set up
to replicate with.
  Both of these domain controllers cannot ping each other, but they can ping
all other computers in both sites.  These two servers will talk to everyone
else except to each other.  When I ping the FQDN of the opposing domain
controller, it does resolve the IP address, but I get a request timed out.



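Andrew's checks scripted for every DC in the forest, as an added PowerShell example (not from the thread). For each DC it looks up the CNAME that replication actually uses (<NTDS Settings objectGUID>._msdcs.<forest root>), confirms the A record matches what AD has for the DC, and tests the two ports replication cannot do without (RPC endpoint mapper 135 and LDAP 389) from the machine running the script. Run it on each DC so the test is made from both sides. A ping that fails only between the two DCs while everything else answers usually points at a filter in the path (host firewall, router ACL, IPsec policy) rather than at DNS; the port test separates name resolution from reachability. The ActiveDirectory module and the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8/2012 and later) are assumed.

```powershell
# Added example: per-DC name resolution and port reachability report.
Import-Module ActiveDirectory
$forest = (Get-ADForest).RootDomain

function Test-DcReplicationPath {
    param([Parameter(Mandatory)] $Dc)   # an object from Get-ADDomainController
    # The _msdcs CNAME is keyed on the objectGUID of the NTDS Settings object,
    # not on the DC's InvocationId, so fetch that object explicitly.
    $ntds  = Get-ADObject -Identity $Dc.NTDSSettingsObjectDN -Properties objectGUID
    $cname = '{0}._msdcs.{1}' -f $ntds.objectGUID, $forest
    $rec   = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
    $a     = Resolve-DnsName -Name $Dc.HostName -Type A -ErrorAction SilentlyContinue
    $addrs = @(($a | Where-Object Type -eq 'A').IPAddress)
    [pscustomobject]@{
        DC            = $Dc.HostName
        Site          = $Dc.Site
        GuidCname     = $cname
        CnameResolves = [bool]$rec
        CnameTarget   = ($rec | Where-Object Type -eq 'CNAME').NameHost
        ARecord       = $addrs -join ','
        AddrMatchesAD = $addrs -contains $Dc.IPv4Address
        Rpc135        = (Test-NetConnection $Dc.HostName -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
        Ldap389       = (Test-NetConnection $Dc.HostName -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Test-DcReplicationPath $_ } |
    Format-Table -AutoSize

# Then compare with what the DC itself believes:
repadmin /showrepl /errorsonly
repadmin /replsummary
dcdiag /test:dns /v
```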


RE: [ActiveDir] Domain Controller Security

2005-09-23 Thread Cace, Andrew
We have a great TAM.  The guy is extremely knowledgeable on a wide variety
of MS products.  What he doesn't know, he knows who to get in touch with in
Las Colinas to get the right answers fast.  That's why I was shocked when I
went to some MS training on MIIS in San Jose, and heard the technical people
in the class bagging on TAMs and how non-technical they tend to be. 

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Which on the whole you may find to be far more helpful than most TAM's you
might have gotten...

Not trying to be mean, but I haven't had the greatest luck with TAMs. There
have been two in ten years that I can think of off the top of my head that I
liked (hey Efrem, hey Michelle) and I still beat the crap out of them when I
had them available. Generally, IMO, a TAM is a person who tells you what you
can't have even if they don't know what you are asking for. 
 
I once talked about looking into a TAM position and a high level MCS manager
who had been trying to get me to join MS for I don't know how long told me
(he was drunk at the time), hell no, you are far too technically gifted to
be a TAM... 


Just a thought though mom, you guys in SBS land seem to stick together
pretty well. I wonder if you could form a union with all of the SBS crazies
(and I say that lovingly) and have dues and such and then get a joint
Premier Support Account for all of you together and funnel issues up through
it. 

   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, September 23, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Us in SBSland have newsgroups and MVPs.



Brian Desmond wrote:

> Technical Account Manager. When you spend ample money with MS, you
> get one of these. I think a PSS contract is enough to have one.
> They're sort of your MS/Customer bridge.
>
> Thanks,
> Brian Desmond
>
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
> Sent: Friday, September 23, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Controller Security
>
> Excuse my ignorance, but what is a TAM?
>
> Dan
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ASB
> Sent: Friday, September 23, 2005 5:46 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Controller Security
>
>>>And knowing it, I can always take extra precautions.
>
> The knowing it consists of "don't do it, because you can't secure it"
>
> There are no extra precautions to take. Certainly, you can increase 
> your auditing, but you could do that now without knowing anything else.
>
>>>basically, 25% more prepared and secure against this type of attack
> is better than 0%.
>
> The more people that know, the higher the potential of attack. And, as 
> folks have pointed out, since there are no viable workarounds, it 
> doesn't help anyone to have the number of potential attackers increased.
>
> Call your TAM and see if he or she will provide enough details for you 
> to feel comfortable.
>
> -ASB
>
> FAST, CHEAP, SECURE: Pick Any TWO
>
> http://www.ultratech-llc.com/KB/
>
>
> On 9/23/05, *Kamlesh Parmar* <[EMAIL PROTECTED] 
> > wrote:
>
> I have to disagree a bit here...
>
> Certainly, obscuring of information is not the way to feel secure.
>
> If I don't know, how it is done, then how do I know, that I will be 
> able to detect it, and trace it.
> And knowing it, I can always take extra precautions. Which I think, 
> better than not knowing it at all.
>
> basically, 25% more prepared and secure against this type of attack is 
> better than 0%. and certainly it helps calibrate how much paranoid I 
> have to be. :-)
>
> I would like to know, how it is done, as our team is currently 
> migrating some good number of domains to single domain. And we are 
> going to give local guys rights to logon to DC for some system 
> maintenance purposes, till final single domain is cleaned up and we 
> revert back to core team for day-to-day maintenance.
>
> So I am very much interested in knowing it.
>
> On 9/23/05, *joe* <[EMAIL PROTECTED] >
> wrote:
>
> The docs are wrong. Many of us have been hounding MS on this for 
> years. They really started straightening out docs with K3. Some of the 
> older 2K docs still suggest this security boundary at the domain. It 
> really came to a head when Lucent put out a paper on this

RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Cace, Andrew
Tom,
  The article is incorrect.  It is possible to programmatically push a DNS 
suffix search list to remote PCs.  The following code will do it for you.

' Suffixes to push; strComputer must already hold the target's name or address.
arrDNSSuffixes = Array("suffix1.com", "suffix2.com", "suffix3.com", "suffix4.com")

Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' SetDNSSuffixSearchOrder is a static method (the list is system-wide, not per
' adapter), so the class object returned by Get is enough; no instance is needed.
Set objNetworkSettings = objWMIService.Get("Win32_NetworkAdapterConfiguration")

' Return value 0 = success; 1 = success but a reboot is required.
intReturn = objNetworkSettings.SetDNSSuffixSearchOrder(arrDNSSuffixes)
WScript.Echo strComputer & ": SetDNSSuffixSearchOrder returned " & intReturn

This code should work as is, provided you find a way to populate the 
strComputer value.  In my experience, it takes about 6 seconds to connect to a 
remote computer and make the changes.

-Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier(can't seem to find it), but is 
this article correct and are these the only ways to programmatically alter the 
dns suffix search list?
http://support.microsoft.com/kb/q275553/
 
 
Is there an easy way to do this for many computers, say from a text file?
 
Thanks
[EMAIL PROTECTED]


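Tom's second question, pushing the list to many computers from a text file, as an added PowerShell example (not the VBScript from the thread). It calls the same WMI method, but records the return code per host instead of assuming success and writes the failures out for a second pass. It assumes CIM over WinRM (Windows 2012 era and later; for older hosts create a CimSession with the DCOM protocol option and pass it instead of -ComputerName), local admin on each target, and a placeholder file path and suffix list. One caveat worth stating: the suffix search list decides where unqualified names get resolved, so it is a name-spoofing lever; for a standing configuration prefer the DNS Client "DNS Suffix Search List" group policy, and keep ad-hoc pushes like this one for remediation.

```powershell
# Added example: push a DNS suffix search list to every host in a file and report.
$suffixes = 'corp.example', 'hq.corp.example', 'lab.corp.example'      # placeholder list
$hosts    = Get-Content -Path 'C:\work\hosts.txt' | Where-Object { $_.Trim() -ne '' }

function Set-RemoteDnsSuffixList {
    param([Parameter(Mandatory)][string] $ComputerName, [Parameter(Mandatory)][string[]] $Suffixes)
    $result = [ordered]@{ Computer = $ComputerName; ReturnValue = $null; Error = $null }
    try {
        # SetDNSSuffixSearchOrder is a static method on the class: the list is
        # system-wide, not per adapter, so no adapter instance is selected.
        $r = Invoke-CimMethod -ComputerName $ComputerName `
                -ClassName  Win32_NetworkAdapterConfiguration `
                -MethodName SetDNSSuffixSearchOrder `
                -Arguments  @{ DNSDomainSuffixSearchOrder = $Suffixes } `
                -ErrorAction Stop
        $result.ReturnValue = $r.ReturnValue    # 0 = applied, 1 = applied but reboot required
    } catch {
        $result.Error = $_.Exception.Message    # unreachable, access denied, WinRM off, ...
    }
    [pscustomobject]$result
}

$report = foreach ($h in $hosts) { Set-RemoteDnsSuffixList -ComputerName $h.Trim() -Suffixes $suffixes }
$report | Format-Table -AutoSize

# Hosts that did not return 0 go into a file for a retry or a manual look.
$report | Where-Object { $_.ReturnValue -ne 0 } |
    Export-Csv -NoTypeInformation -Path 'C:\work\dns-suffix-failures.csv'
```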


RE: [ActiveDir] DC authentication

2005-09-06 Thread Cace, Andrew
nltest /sc_reset:domain\DC /server:computername will do the trick nicely.

Nltest.exe is part of the Windows Support Tools.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of vex
Sent: Tuesday, September 06, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC authentication

Thommes, Michael M. wrote:
> SET LOGONSERVER at the command line should be enough.


And on a similar note, if I'm having trouble with a user logging on to a
specific DC, is there a way to force their workstation to log on to a
different one?




  --Brett



RE: [ActiveDir] DC authentication

2005-08-31 Thread Cace, Andrew
 
Our TAM has been beating using nltest instead of "set l" into our heads for
almost two years now.  The set command echoes a variable that is set at
startup and doesn't change when your authenticating server changes.  

The only problem with using nltest with the /sc_query option is that it also
checks a cached value.  If you truly want to determine which DC is currently
authenticating a PC, you should use the /sc_reset option of nltest.  This
will reset the secure channel between the workstation and the DC and report
the status of the secure channel.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 31, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC authentication

Hi Christine

This will show you the secure channel for given machine:

nltest /sc_query:<domain> /server:<computer>

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Thursday, 1 September 2005 8:58 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication

Sorry, I'm having a brain hiccup.  Does anyone know the command line utility
that tells you which DC authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-293-4407
[EMAIL PROTECTED]




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Cace, Andrew



Robert,
  I can't replicate your situation.  I created a GPO, configured folder redirection in the user portion of the GPO and loopback processing in Replace mode in the computer portion of the GPO.  When I ran the modeling wizard, the Summary tab shows the policy applying and the Settings tab shows the folder redirection under the computer portion of the GPO.
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with folder redirection not applying against machines OU


Dear Andrew,
 
Thanks.
 
I tried this, and although it shows the loopback policy option in the modeling report once rerun, it does not show the folder redirection. Could this be a weakness in the modeler, and it will simply show up when the users log in?
 
 
Robert Dale




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: 16 August 2005 15:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO with folder redirection not applying against machines OU
 
Robert,
  Check out Loopback Processing.  This will allow user policies to be applied based upon the AD location of the computer.  See the following link for details:  http://support.microsoft.com/?kbid=231287
 
-Andrew

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with folder redirection not applying against machines OU

I've set up an OU for my Citrix farm and one for my users, then created a GPO called FR that only contains the folder redirection information and linked it to the OU that all my Citrix servers are in. However, when I run the modeling wizard the GPO is never shown unless I place a link for it in the users' OU, and I only want the folder redirection to apply when the users log into the Citrix server, not for their local desktops. If I add any entries in the machine part of the GPO, none of them are applied; only the user parts are applied as the winning GPO.
 
I don't have folder redirection enabled in any other GPOs.
 
It's not just folder redirection: any change I make that is machine related doesn't show up, in spite of the fact that I have the GPO enabled for both user and computer configuration.
 
Any ideas or workarounds so that I can have folder redirection only for users logging into specific machines?




RE: [ActiveDir] GPO with folder redirection not applying against machines OU

2005-08-16 Thread Cace, Andrew



Robert,
  Check out Loopback Processing.  This will allow user policies to be applied based upon the AD location of the computer.  See the following link for details:  http://support.microsoft.com/?kbid=231287
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Dale
Sent: Tuesday, August 16, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO with folder redirection not applying against machines OU


I've set up an OU for my Citrix farm and one for my users, then created a GPO called FR that only contains the folder redirection information and linked it to the OU that all my Citrix servers are in. However, when I run the modeling wizard the GPO is never shown unless I place a link for it in the users' OU, and I only want the folder redirection to apply when the users log into the Citrix server, not for their local desktops. If I add any entries in the machine part of the GPO, none of them are applied; only the user parts are applied as the winning GPO.
 
I don't have folder redirection enabled in any other GPOs.
 
It's not just folder redirection: any change I make that is machine related doesn't show up, in spite of the fact that I have the GPO enabled for both user and computer configuration.
 
Any ideas or workarounds so that I can have folder redirection only for users logging into specific machines?




RE: [ActiveDir] csvde issue

2005-08-15 Thread Cace, Andrew
Tom,
  You're missing a closing parenthesis ')' at the end.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, August 15, 2005 9:01 AM
To: activedirectory
Subject: [ActiveDir] csvde issue

I'm having a hard time exporting computer objects based on the operating system
attribute using csvde.

This is what I use:

C:\>csvde -f servers.txt -r
"(&(objectCategory=computer)(operatingSystem=Windows 2000 server)"

This is the error I get:
Search Failed
An error has occurred in the program

Thanks
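Tom's filter is missing the outer closing parenthesis, and csvde reports only "Search Failed" for any malformed -r filter. The following Python is an added example (not code from the thread) that syntax-checks an RFC 4515 filter locally and names the position of the problem; the function names are the example's own.

```python
"""Syntax-check an LDAP search filter (RFC 4515) before passing it to csvde.

Added example, not part of the original thread.  The parser is a small
recursive descent over the RFC 4515 grammar: every filter is wrapped in
parentheses, '&' and '|' take one or more sub-filters, '!' takes exactly one,
and a simple item is attr=value (also >=, <=, ~=, and :rule:= extensible
matches such as the AD bitwise rule OIDs).
"""
import re

# attribute description (or dotted OID), comparison operator, value
_ITEM = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9.;-]*|[0-9]+(?:\.[0-9]+)*)"
    r"(?P<op>>=|<=|~=|:[A-Za-z0-9.:]*:=|=)"
    r"(?P<value>.*)$",
    re.S,
)
# a backslash in a value must introduce a two-hex-digit escape, e.g. \28 for '('
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


class FilterSyntaxError(ValueError):
    """Message names the character position of the problem."""


def _parse(text: str, pos: int) -> int:
    """Parse one parenthesised filter starting at text[pos]; return the index after its ')'."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at position {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterSyntaxError(f"filter ends after '(' at position {pos - 1}")
    op = text[pos]
    if op in "&|":
        pos += 1
        count = 0
        while pos < len(text) and text[pos] == "(":
            pos = _parse(text, pos)
            count += 1
        if count == 0:  # RFC 4526 allows an empty (&)/(|), but it is almost never intended
            raise FilterSyntaxError(f"'{op}' has no sub-filter at position {pos}")
    elif op == "!":
        pos = _parse(text, pos + 1)
    else:
        # A simple item ends at the first ')': an unescaped ')' cannot be part of a value.
        end = text.find(")", pos)
        if end == -1:
            raise FilterSyntaxError(f"item starting at position {pos} has no closing ')'")
        item = text[pos:end]
        m = _ITEM.match(item)
        if m is None:
            raise FilterSyntaxError(f"malformed item {item!r} at position {pos}")
        value = m.group("value")
        if "(" in value or _BAD_ESCAPE.search(value):
            raise FilterSyntaxError(
                f"value {value!r} at position {pos} must escape '(' ')' '\\' as \\28 \\29 \\5c"
            )
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"expected ')' at position {pos}")
    return pos + 1


def validate_filter(text: str) -> tuple[bool, str]:
    """Return (True, 'ok') for a well-formed filter, else (False, reason)."""
    try:
        end = _parse(text, 0)
    except FilterSyntaxError as exc:
        return False, str(exc)
    if end != len(text):
        return False, f"unexpected text after the filter at position {end}"
    return True, "ok"


if __name__ == "__main__":
    # The filter from the post (missing its outer ')'), the corrected one, and two more cases.
    for f in (
        "(&(objectCategory=computer)(operatingSystem=Windows 2000 server)",
        "(&(objectCategory=computer)(operatingSystem=Windows 2000 server))",
        "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
        "(cn=Smith (Bob))",  # literal parentheses must be written as \28 and \29
    ):
        print(validate_filter(f), f)
```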




RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-05 Thread Cace, Andrew



Just a guess, but are you trying to sync an Exchange server that is part of a domain with the Active Directory for that domain?  In that case, wouldn't the user object that you are trying to create a mailbox for already be created in the AD?  Isn't the metadirectory trying to create a new user with the same distinguished name (and all other properties) as an already existing user?
 
-Andrew
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred


Hi
 
I am trying to use a metadirectory to add an Exchange user. An agent sitting on the Exchange server machine will add the mailbox for the user.
 
But when I try to add the user, I am getting the following error: "An operations error occurred"
 
10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...)
 
Pasted only part of the trace, just in an attempt to give more information. The entry I am trying to add is as follows:
 
dn: cn=ZZZGGG\, ANGUS,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGGtest
homeMDB: CN=Mailbox Store (RLGMFUMX01),CN=First Storage Group,CN=Information Store,CN=RLGMFUMX01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=RBSG Retail Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=gepurbsres01,DC=net
mailNickname: ZZZGGG, ANGUS
 
The homeMDB value is correct and the metadirectory connects to the Exchange server machine and the AD machine using the Admin user.
 
Can you please help me debug this?
Thanks,
 
Mayuresh.




RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

2005-08-04 Thread Cace, Andrew
 
Your samAccountName has a comma in it.  I don't think that's allowed.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 04, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem
22 (Invalid argument), data 0.

Hi All,

I am using a meta directory to push mailbox users into active directory. I
am stuck with the following:

The adding of user entries to AD fails with the above error. The kind of
entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how can I solve this problem?

Thanks and Regards,
Mayuresh.





RE: [ActiveDir] AD Training

2005-06-07 Thread Cace, Andrew
If you have any good contacts with Microsoft, see if you can get a seat in
one of their "Troubleshooting Windows Server 2003 Directory Services"
classes.  Great class for someone who already knows the book theory and is
looking for instruction on how to fix some of the problems that you will
encounter.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, June 07, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Training

Anybody have any recommended training on Active Directory?  I've already taken
the "Microsoft Windows 2003 Configuring Active Directory Services" from
Global Knowledge, but am looking for the next step, I guess. 

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System
Specialist Eastern Washington University







RE: [ActiveDir] OT-Data ACLing

2005-06-01 Thread Cace, Andrew
Subinacl.exe from Microsoft will do what you are looking for.  You can
download subinacl.exe from
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en.
The version of subinacl.exe that is included in the Windows 2003 Resource Kit
is bugged.  

Syntax: 
subinacl /file c:\*.* /accountmigration=domain\currentuser=domain\newuser

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

Cacls does not appear to perform this function either.

Many thanks.

Mark
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 13:18:39
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT-Data ACLing

I did not know cacls did this; I've been looking at xcacls and scacls but no joy.
Will try, many thanks.

Mark
-Original Message-
From: "Adams, Kenneth W \(Ken\)" <[EMAIL PROTECTED]>
Date: Wed, 1 Jun 2005 08:59:24
To:
Subject: RE: [ActiveDir] OT-Data ACLing

There is a built-in utility called cacls that can do this for you.
Another utility is a commercial product called Security Explorer by Small
Wonders Software.

Ken Adams



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, June 01, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Data ACLing


All,

Does anyone know of a utility that can look at a directory and identify
where data is permissioned by a certain group and then append another group
to that location to enable the new group to be permissioned on that data
too. 

Example: D: is permissioned with Domain users in multiple directories but
Not in every directory, I wish to search the directories and where Domain
Users appears and append another group to that location.

I hope this is clear.

Regards

Mark




RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Cace, Andrew
This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PC's on your network.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication if
your network hardware supports it. As Al mentioned, quarantine networks are
becoming a more realistic solution, but don't address the basics of DHCP.
Using IPSec to ensure only trusted computers can get access to resources is
a decent solution as well; the rogue PC can get an address, but cannot
connect to anything except perhaps the internet. Not simple to set up,
though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the laptop
gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning 
> leases to PCs that are not authorized on the domain. I imagine that 
> this is not possible since, in order to authenticate, a PC needs an IP 
> address.
> 
> The problem is that the other day we had a rogue PC plug into our 
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?
> 
> _
> 
> Daniel DeStefano
> PC Support Specialist
> 
> IAG Research
> 345 Park Avenue South, 12th Floor
> New York, NY 10010
> T. 212.871.5262
> F. 212.871.5300
> 
> www.iagr.net 
> Measuring Ad Effectiveness on Television
> 




RE: [ActiveDir] joining station to the domain and GPO...

2005-04-13 Thread Cace, Andrew
Instead of giving your techs the permission to add unlimited computers to
the domain, give them the ability to create computer objects in the OU where
they are going to end up.  Then, when they create the computer object, they
can assign themselves permissions to add it to the domain.  That way, no
computers get added to the Computers OU.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, April 13, 2005 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] joining station to the domain and GPO...

Hi, 
I have a little question as to how you guys would handle this
situation...

I have 2 techs that are adding stations to the domain from time to time.
When they join the stations to the domain, the computer account is created
in the COMPUTERS built-in OU. 
I have many OUs that are used to deploy the GPOs depending on the type of
computers, let's say desktops and laptops.

The problem actually occurs because they "forget" to tell me that they added
a new laptop to the domain and this newly added machine ends up on the network
w/o the proper GPOs applied.

I actually check the OU manually but I would like to have an automated way
to check for new computer accounts added in the OU. For control purposes,
they don't have access to move the computer account from one OU to another
and it has to stay that way. 

Any ideas or 3rd party programs that can help are appreciated...




Thanks







RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Cace, Andrew
 
dsquery can also find the information.  The syntax is: 
dsquery * -filter (samAccountName=name) -attr displayName

I would use the Joeware tool, because I'm frustrated with some of the
limitations of dsquery.  I just haven't had the need yet to learn to use
the Joeware tool.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] script to convert userID to first and lastname
of users

I'm assuming by "convert" you mean associate? (i.e. given a user ID,
show me the Full Name?) 

You could use adfind (www.joeware.net)

>adfind -b dc=mydomain,dc=com -gc -f "objectCategory=person" sAMAccountName Name

That returns something like: 

dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
>name: Robert Smith
>sAMAccountName: SmithR




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese
Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of
users

I need a script to search for userID for users and give me their full
name. 
We have Active Directory 2003.

Thanks,
Marie 



RE: [ActiveDir] suggestions for tombstoned DC recovery?

2005-02-14 Thread Cace, Andrew
 
If DCPROMO won't work, even with the /FORCEREMOVAL flag, the following
MS KB Article has a reghack that will allow you to remove the domain
controller.  We had to do this at a remote site in Europe, where the
technical guys had "gone home for the day".

http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

It's not that DCPROMO was not an option, it just didn't work - also
"access denied".

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] suggestions for tombstoned DC recovery?

Why is DCPROMO not an option? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?

One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies.  Replication is not working - "Access
denied".  Also, the restored DC cannot be dcpromo'd out.  Rebuilding the
computer from scratch is not an option.  Repadmin and nltest operations
are unsuccessful.  Does anyone have any tricks up their sleeve for
getting this once-working DC to "play nice again"?  I keep thinking that
an nltest with a secure channel reset option, followed by a repadmin
operation with a force option using the one good DC as an authoritative
source - should be the answer.  But it doesn't seem to work.  Any help
is appreciated!  Thanks.

Mike Thommes


RE: [ActiveDir] DSget Contacts in AD

2004-12-10 Thread Cace, Andrew
Are you sure that it is choking on the amount?  The first time that I
used dsquery | dsget, dsget user was choking because dsquery group
returned a group and dsget user wasn't able to handle having a group
piped to it.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, December 10, 2004 12:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

One thing that bothers me is that DSQUERY should have brought back all the
entries and you should have been able to use it as expected.  I'm trying to
figure out why DSQUERY chokes on the amount.  


Can you verify that it's the amount that's causing it to choke?  Can you run
it without piping the results to dsget and see if you get the same results?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 10, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

How about

Command | grep ">"

Or do you mean the dn: string prefixing the dn being returned? 

If the latter, you can have it return distinguishedname as one of the
attributes and then use the command above, but you will still get the
attribute labels. If you just want DN strings, you can use the -dsq option,
but you won't get attributes output at all then.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
Sent: Friday, December 10, 2004 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DSget Contacts in AD

Any way to exclude the DN from the output?

At 15:44 12/10/2004, you wrote:
>C:\>adfind -b ou=companies,dc=domain,dc=com -f "(&(objectcategory=Person)(objectClass=contact))" cn createTimeStamp
>
>AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004
>
>Using server: wil-dc01.bbtnet.com
>
>dn:CN=Test User,CN=Users,DC=bbtnet,DC=com
> >createTimeStamp: 20041210144136.0Z
> >cn: Test User
>
>
>1 Objects returned
>
>
>
>Specifying the attribute list tells ADFIND to return those attributes only.
>In your case, you'd use displayname, mail, and 
>physicaldeliveryofficename for the attributes you want.
>
>
>Al
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
>Sent: Friday, December 10, 2004 9:27 AM
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DSget Contacts in AD
>
>I had it set to 500 because for any limit size above that (0, or 1500,
>etc.) it fails with that error.
>
>I've read through the ADfind docs and must not be alert enough to see 
>how to spec the attribs I want. How is it done?
>
>At 15:17 12/10/2004, you wrote:
> >You may misunderstand ADFIND.  It will allow you to specify the 
> >attribs you want vs. which ones you don't want, last I checked.
> >
> >As for your DSQUERY command, why are you limiting to 1000 on the one 
> >that doesn't work?  Why not leave it at 0 ?
> >
> >Al
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Dan HINCKLEY
> >Sent: Friday, December 10, 2004 8:16 AM
> >To: [EMAIL PROTECTED]
> >Subject: [ActiveDir] DSget Contacts in AD
> >
> >I find DSget works like a charm retrieving user info like this:
> >
> >dsquery user ou=companies,dc=domain,dc=com -limit 0 | dsget user 
> >-display -email -office -acctexpires > d:\temp\dsquery.txt
> >
> >But when I try to retrieve more than about 500 contacts like this:
> >
> >dsquery contact ou=companies,dc=domain,dc=com -limit 1000 | dsget 
> >contact -display -email -office > d:\temp\dsquerycontacts.txt
> >
> >I get this error:
> >
> >dsget failed:Value for `Target object for this command' has incorrect format
> >
> >The Contacts folder has a series of subfolders and a few distribution
> >groups mixed in; might they cause this?
> >
> >ADfind doesn't seem to give me the option to specify which fields I 
> >want to retrieve, only to exclude fields, and there are too many to do that.
> >
> >
> >
> >Dan Hinckley                          t: (41 22) 999 0183
> >Information Management Group          f: (41 22) 999 0010
> >IUCN, The World Conservation Union    e: [EMAIL PROTECTED]
> >1196 Gland, Switzerland               w: http://iucn.org/
> >