RE: [ActiveDir] Adfind + Admod help

[Coleman, Hunter]

I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.
 
The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.
 
The outline of your script would look something like this:
-query AD for all user objects that have apsgDepartment and/or
apsgSection populated
-loop through the returned set to build unique lists of Department
numbers and Section numbers
-loop through the Department number list and create a group for each one
-loop through the Section number list and create a group for each one,
and nest it in the corresponding Department group
 
None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.
 
Hunter
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thank you for the response Al.

 

To answer your ultimate question, which was Does that help, or ??,
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, Do
you already have the department names in a list? Or is that something
that you have to gather first?, the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind +
Admod could meet this challenge.  I'm certainly hoping so.  J

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something
that you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group
for every single unique instance of department value. After those are
created, you'd then create the section sg's and make them members of the
relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a
challenge to joe. He likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the
unique instances for you and correlates that information to the sections
and then creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the
scope of course. 

 

Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can
ensure that the department group is created when it comes time to add an
object to it.  It's helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and 

RE: [ActiveDir] Adfind + Admod help

[Coleman, Hunter]

Powershell is the latest-greatest command shell for Windows.
http://www.microsoft.com/technet/scriptcenter/webcasts/ps.mspx has some
webcasts on it, and
http://www.microsoft.com/windowsserver2003/technologies/management/power
shell/faq.mspx is the FAQ. I don't see VBScript going away anytime soon,
but I suspect that PS is going to be the way of the future in many
respects, especially for sys admin types. The downside, for now, is that
there isn't the depth and breadth of resources available yet for PS that
exist for VBScript. That's slowly changing, but will take some time. The
script center is a good spot to poke through sample code for either one:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Hunter

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thanks for the response Hunter.  Yeah, that's pretty much the logic that
I had come down to.  By the way, what is the real difference between
Powershell and VBScript anyway?  I've been hearing more and more about
Powershell lately, and since I'm going to take the time to learn a
scripting language, I will want to make sure I learn the one that will
have the most value to me from an administration perspective.

 

Let me go talk to my local software dev here in our department.  I'm
sure we'll be able to come to a solution no problem.  It just bugs me
that I don't know how to do scripting like this yet.

 

And I'll certainly holler if I run out of options.

 

Thanks again,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.

 

The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.

 

The outline of your script would look something like this:

-query AD for all user objects that have apsgDepartment and/or
apsgSection populated

-loop through the returned set to build unique lists of Department
numbers and Section numbers

-loop through the Department number list and create a group for each one

-loop through the Section number list and create a group for each one,
and nest it in the corresponding Department group

 

None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.

 

Hunter

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al.

 

To answer your ultimate question, which was Does that help, or ??,
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, Do
you already have the department names in a list? Or is that something
that you have to gather first?, the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure

RE: [ActiveDir] Remote DC's on Virtual Server

[Coleman, Hunter]

IMHO, ESX/VM Infrastructure and Virtual Server are like apples and
oranges. Yes, they are both virtualization environments, but have vastly
different capabilities. VM Infrastructure has a much broader and deeper
feature set that does come with added cost and complexity.
 
Regardless, in the context of the original question I'd be concerned
about the load Exchange is going to place on the host hardware. How many
Exchange users are in the 8 domains, and how many of these would
potentially be connecting to the alternate site? Are you going to have
GC availability to support Exchange? What other resources at the hotsite
might be looking for DC/GC services?
 
I would also be careful about having a configuration at my hotsite that
is significantly different from my normal production environment. When
things have melted down to the point of failing over to the hotsite,
it's not a good time to be pulling out the manuals for your
infrastructure because you don't work with it day in and day out.

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


ESX (VMWare) is good - and pricey. And very strict as to hardware specs.
And complex to setup and administer. And, I could be wrong on this, NOT
(MS)-supported for virtualizing DCs.
 
Virtual Server, on the other hand, is good, not pricey, less picky, more
supported (I believe it's actually validated) for DCs virtualization.
Plus, the liberal OS licensing scheme is very attractive to me.
 
Yes, I know, VMWare rules the market. Yes, I am biased.
 
  
Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com  -
we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server



What would you recommend for the following situation.

 

We are thinking of having a hot site where Exchange will be replicated
to a remote location.  Since Exchange will be remote over the Internet,
we will need to have DC's for each domain available in that remote site.
(This would all be going across a VPN)

 

I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server
Enterprise edition.  These DC's would really only be used in the event
of a disaster and people started connecting to Exchange up in the remote
site.

 

Is VMWare Infrastructure 3 good?  What would you use?

 

Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

RE: [ActiveDir] Remote DC's on Virtual Server

[Coleman, Hunter]

On the Virtual Infrastructure side: Moving running guests across hosts
(vmotion), the network configuration options, lower host overhead,
grouping hosts into resource pools and allowing guests to automatically
migrate based on allocation guarantees, 4-way SMP guests, 64-bit guests
:-
 
Nothing wrong with Virtual Server, but I see it more on par with VMware
Server than ESX/Virtual Infrastructure.

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


Interesting points, Hunter.
 
Not to engage in a holy war or something, but would you mind mentioning
what makes one of these Orange and the other Apple (the fruit)? No,
don't mention 64-bit Guest, thank you very much :)[1]
 
 
[1]Grumbling I wish MS will hurry up on this front already.
/grumbling

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com  -
we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: Coleman, Hunter
Sent: Thu 1/18/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


IMHO, ESX/VM Infrastructure and Virtual Server are like apples and
oranges. Yes, they are both virtualization environments, but have vastly
different capabilities. VM Infrastructure has a much broader and deeper
feature set that does come with added cost and complexity.
 
Regardless, in the context of the original question I'd be concerned
about the load Exchange is going to place on the host hardware. How many
Exchange users are in the 8 domains, and how many of these would
potentially be connecting to the alternate site? Are you going to have
GC availability to support Exchange? What other resources at the hotsite
might be looking for DC/GC services?
 
I would also be careful about having a configuration at my hotsite that
is significantly different from my normal production environment. When
things have melted down to the point of failing over to the hotsite,
it's not a good time to be pulling out the manuals for your
infrastructure because you don't work with it day in and day out.

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


ESX (VMWare) is good - and pricey. And very strict as to hardware specs.
And complex to setup and administer. And, I could be wrong on this, NOT
(MS)-supported for virtualizing DCs.
 
Virtual Server, on the other hand, is good, not pricey, less picky, more
supported (I believe it's actually validated) for DCs virtualization.
Plus, the liberal OS licensing scheme is very attractive to me.
 
Yes, I know, VMWare rules the market. Yes, I am biased.
 
  
Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com  -
we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

  _  

From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server



What would you recommend for the following situation.

 

We are thinking of having a hot site where Exchange will be replicated
to a remote location.  Since Exchange will be remote over the Internet,
we will need to have DC's for each domain available in that remote site.
(This would all be going across a VPN)

 

I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server
Enterprise edition.  These DC's would really only be used in the event
of a disaster and people started connecting to Exchange up in the remote
site.

 

Is VMWare Infrastructure 3 good?  What would you use?

 

Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

RE: [ActiveDir] R2 Schema

[Coleman, Hunter]

No, you will still need to extend the schema to support DFS:
http://technet2.microsoft.com/WindowsServer/en/library/84445c1b-a418-4a0
9-a50c-5f3258cfc5b51033.mspx?mfr=true
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, January 12, 2007 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting.  I have a similar situation.  But in my case they want me
to roll out R2 on 10 of my W2K3sp1 file and print servers to take
advantage of DFS.  After reading the installation docs from the CD it
appears to me that I don't have to extend the schema because the servers
I will be upgrading are not DCs...would like a reassurance that this is
indeed the case with the community...

-many thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

RE: [ActiveDir] quota issues

[Coleman, Hunter]

http://www.google.com/search?sourceid=navclientie=UTF-8rls=GGLD,GGLD:2004-22,GGLD:enq=windows+alternate+data+stream

http://support.microsoft.com/kb/814594/en-us


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio 
ArandaSent: Wednesday, October 25, 2006 10:17 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota 
issues


Im sorry but I dont 
know what you mean by files having streams. Can you explain that 
attribute to me?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Mike 
GuestSent: Wednesday, October 
25, 2006 10:06 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota 
issues

Just a couple of 
thoughts

Have you tried 
searching the disk for other files marked with him as owner  perhaps from a 
legacy share which no longer exists?

Alternatively, is it 
possible that one of the files hes copying has streams? I understand the space 
used by a stream does not get added to the disk space that windows reports, but 
perhaps it affects the quota?



Mike GuestIT 
SolutionsHMLPadiham 
DDI: +44 (0)1282 682550 Internal Extension: (61) 2550




From: 
Antonio Aranda 
[mailto:[EMAIL PROTECTED] Sent: 25 October 2006 15:33To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota 
issues

There seems to be 
mostly small files; 5 to 7 K.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Parag 
NagwekarSent: Tuesday, October 
24, 2006 11:26 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] quota 
issues

I guess he is probably 
trying to write or copy file which is quite big, may be more than 200Mb in size. 
Please tell him to write smaller file on the file system where he already using 
300MB. 






From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Antonio ArandaSent: Tuesday, October 24, 2006 12:55 
PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] quota 
issues

Im having weird quota issues. 
I have a partition that has the default quota set to a 500 MB. There 
are a good hundred users that wring to that partition but only one is having 
this issue; he keeps running out of quota even though he has only written about 
300 MB to his subdirectory. He can only write to that subdirectory so why 
is he running out of space?

Antonio 
Aranda
Network 
Analyst
UT-Permian 
Basin
432-552-2413 


*This 
email is intended only for the addressee named above. As this email may contain 
confidential or privileged information, if you are not the named addressee or 
receive this message in error, please notify us immediately, delete it and do 
not make use of or copy it.This message is protected by copyright. HML 
accepts no responsibility for viruses found in this message or any file 
attachment.Homeloan Management LimitedRegistered in 
England No. 22148391 Providence Place, 
Skipton, North Yorkshire BD23 
2HL**

RE: [ActiveDir] Switching distibution lists to security groups

[Coleman, Hunter]

Rob-

This came up just the other day. Check http://www.mail-archive.com/activedir@mail.activedir.org/msg47273.htmland 
see if the responses there help.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI 
Corp)Sent: Tuesday, October 24, 2006 8:10 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Switching 
distibution lists to security groups


Hello,

This may be an easy answer, but I 
want to get feedback anyway. What are the potential 
problems/issues/concerns with switching distribution groups to security 
groups? Our Sharepoint group has rolled out Sharepoint site permissions 
based on DLs. I believe that DLs should be used for DLs and security 
groups should be used for security (or permissions in this case) and have 
encouraged them to set the permissions accordingly. Their counter is that 
the site owners do not know the membership of the security groups, but know the 
membership of their respective groups DLs and therefore it is easier to 
administrate the permissions that way. A simple fix would be to switch the 
DLs to security groups, however that seams a bit too 
simple.

RE: [ActiveDir] nslookup. AD beginer question

[Coleman, Hunter]

You may be running into this: http://support.microsoft.com/kb/825675/en-us


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon 
LinanSent: Monday, August 28, 2006 12:15 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] nslookup. AD beginer 
question


Hi 
Everyone,

When I do a nslookup 
domain.com, being domain.com my AD domain, what should I see? A list of the dns 
server in my domain? A list of the DC? 

The fact is that I am 
doing nslookup and I am getting, domain controllers but also a users 
computer

Thanks

RE: [ActiveDir] Replication from ASP

[Coleman, Hunter]

Can't you code your ASP so that it points to the same DC 
when it creates the user account that PeopleSoft is using for 
authentication?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas, 
BryanSent: Friday, August 04, 2006 12:05 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Replication from 
ASP


Anyone have any 
thoughts on this?

Thanks,


Bryan 
Lucas
Server 
Administrator
Texas Christian University




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Lucas, BryanSent: Monday, July 31, 2006 4:12 
PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Replication from 
ASP

Does anyone know how I force 
replication through ASP 2.0? 

My DCs are all local (no WANs) and 
2003 SP1.

I have a web page that does account 
creation and then points the user to a portal which attempts to authenticate 
against AD. The portal software (Peoplesoft) can only attempt against a 
single DC, so if that user didnt create his account there it doesnt work right 
away. 

Bryan 
Lucas
Server 
Administrator
Texas 
Christian University

RE: [ActiveDir] Granting Exchange Mailbox Access

[Coleman, Hunter]

A different approach is for the Exch Full Admin to simply 
grant him/herself Full Mailbox Access-Allow on an individual,as-needed 
basis. I prefer this because it requires a conscious effort on the admin's part 
to access someone else's mailbox, regardless of what your corporate use policies 
state about email being the company's property.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, 
ScottSent: Wednesday, August 02, 2006 5:20 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting 
Exchange Mailbox Access


The perm youre looking 
for is Receive As on the Mailbox store. The problem is that delegating 
Exchange Full Administrator adds an explicit Deny ACE to CN=First 
Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com 
for Receive As and that gets replicated all the way down to the mailboxes. 
So even if you grant your group the required perms, if theyve been delegated 
EFA, the Deny will override it.

Id imagine you can 
remove the Deny ACE manually, but we just skipped the delegation wizard and 
added the ACE for Receive As for our Mailbox 
Admins.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of WATSON, 
BENSent: Wednesday, August 02, 
2006 5:46 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Granting Exchange 
Mailbox Access

In an effort to cut down on service 
account abuse, Ive been removing and reducing privileges left and right. 
I have delegated Exchange Full Administrator rights to a few users who had 
previously been using the service account we originally installed Exchange 
2003.

Sometimes, the Exchange 
Administrators will need to access a users mailbox to assist with various 
issues, and Im having trouble delegating that right to the members of the 
Exchange Full Administrators group.

I have created a domain security 
group named simply Exchange Full Administrators, and I delegated Exchange Full 
Administrator rights to that security group at the organizational level. 
So anyone in that security group should have full administration rights. 
Ive had to delegate a few other rights in Active Directory for some other 
reasons to this new security group (for instance to give this security group 
rights to modify the dynamic mailing list OU); however Im having trouble 
finding exactly where to delegate rights to give this security group full access 
to everyones mailbox.

Any 
thoughts?

Thanks,
~Ben

RE: [ActiveDir] Granting Exchange Mailbox Access

[Coleman, Hunter]

Check to see if someone removed the explicit Deny for the 
individual account on Send-As/Receive-As at the Exchange Org level, and if not 
whether it's getting overridden by an explicit Allow further down the 
hierarchy.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, 
BENSent: Thursday, August 03, 2006 11:17 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting 
Exchange Mailbox Access


Thats actually a very 
good idea, and I may enforce that on them. I suppose if anything, my 
curiosity is getting the best of me and Im really wondering what is different 
between that delegated security group and the individual account that installed 
Exchange which is granting full mailbox access across the 
board.

I just cant find 
anything that actually is different between the 
two.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Coleman, 
HunterSent: Thursday, August 
03, 2006 9:20 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange 
Mailbox Access

A different approach is 
for the Exch Full Admin to simply grant him/herself Full Mailbox 
Access-Allow on an individual,as-needed basis. I prefer this because 
it requires a conscious effort on the admin's part to access someone else's 
mailbox, regardless of what your corporate use policies state about email being 
the company's property.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Crawford, 
ScottSent: Wednesday, August 
02, 2006 5:20 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Granting Exchange 
Mailbox Access
The perm youre looking 
for is Receive As on the Mailbox store. The problem is that delegating 
Exchange Full Administrator adds an explicit Deny ACE to CN=First 
Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com 
for Receive As and that gets replicated all the way down to the mailboxes. 
So even if you grant your group the required perms, if theyve been delegated 
EFA, the Deny will override it.

Id imagine you can 
remove the Deny ACE manually, but we just skipped the delegation wizard and 
added the ACE for Receive As for our Mailbox 
Admins.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of WATSON, 
BENSent: Wednesday, August 02, 
2006 5:46 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Granting Exchange 
Mailbox Access

In an effort to cut down on service 
account abuse, Ive been removing and reducing privileges left and right. 
I have delegated Exchange Full Administrator rights to a few users who had 
previously been using the service account we originally installed Exchange 
2003.

Sometimes, the Exchange 
Administrators will need to access a users mailbox to assist with various 
issues, and Im having trouble delegating that right to the members of the 
Exchange Full Administrators group.

I have created a domain security 
group named simply Exchange Full Administrators, and I delegated Exchange Full 
Administrator rights to that security group at the organizational level. 
So anyone in that security group should have full administration rights. 
Ive had to delegate a few other rights in Active Directory for some other 
reasons to this new security group (for instance to give this security group 
rights to modify the dynamic mailing list OU); however Im having trouble 
finding exactly where to delegate rights to give this security group full access 
to everyones mailbox.

Any 
thoughts?

Thanks,
~Ben

RE: [ActiveDir] Types of network Card in AD forest like Intel, 3-COM..

[Coleman, Hunter]

You can start with this http://www.microsoft.com/technet/scriptcenter/scripts/network/client/list/nwlsvb05.mspx?mfr=trueand 
add in some logic to query AD for DCs and Exchange servers and then run the 
scriptcenter code against those particular servers.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet 
SinghSent: Monday, July 31, 2006 10:51 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Types of network 
Card in AD forest like Intel, 3-COM..


Hi,

Setup: Windows 2003 
+ exchange 2003.

My AD + Ex setup is 
running on different hardware. Now what is the best way to find what types of 
Network (and also how many on one 
server) cards are installed on my all DCs and Exchange. I need to write a script 
or a wmi query. 


Thanks,
Manjeet

RE: [ActiveDir] Schema Question

[Coleman, Hunter]

I'm wondering why you would want to do that. You can tell 
if a person is using the defaults by checking mDBUseDefaults, and if she is not 
you can pull actual limits from mDBStorageQuota, mDBOverQuotaLimit, and 
mDBOverHardQuotaLimit.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin 
(ITS)Sent: Friday, June 30, 2006 11:38 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Schema 
Question


All,

Let me start with, Im a total newb 
when it comes to Schema and Schema modifications.

Is it possible to modify the schema 
that so every time a new user is created (via ADUC) an extension attribute is 
populated with a default value? Our Exchange guys would like extensionAttribute5 
to be populated automatically with 100, which is the default mailbox size. Is 
this possible? It seems like it would be, but as I warned, Im a 
newb.

Thanks,

Justin 
ClayITS 
Enterprise Services 
Metropolitan 
Government of Nashville and Davidson County Howard School 
Building 
Phone: 
(615) 880-2573


  
  
ITS ENTERPRISE SERVICES 
  EMAIL NOTICEThe information contained in this email and any 
  attachments is confidential and may be subject to copyright or other 
  intellectual property protection. If you are not the intended recipient, 
  you are not authorized to use or disclose this information, and we request 
  that you notify us by reply mail or telephone and delete the original 
  message from your mail 
system.

RE: [ActiveDir] Question regarding compacting AD DB.

[Coleman, Hunter]

If each 2k3DC is newly promoted, as opposed to an in-place 
upgrade, then the .dit on those DCs will essentially be compacted with minimal 
whitespace. Were you planning on rebuilding your DCs as part of the migration, 
or doing in-place upgrades?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
YannSent: Tuesday, June 27, 2006 10:29 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Question regarding 
compacting AD DB.

Hello,

It may be a silly question, but when u perform a migration from winNT/w2k 
to a w2k3 domain, do i have next to compact+defrag the ntds.diton 
*EACH* DC2k3that have been migrated ? or may i do the operation on only 
one DC and this DC will replicate the state (compactdefrag) on all other 
DCs ?
I have at least 60 DCs :(
I think the answer will be "compact  defrag each DC that have been 
upgraded", but just to be 100 % sure.

Thanks for answer.
Yann




Yahoo! Mail réinvente le mail ! Découvrez le nouveau 
Yahoo! Mail et son interface révolutionnaire. 

RE: [ActiveDir] Domain gets Blacklisted

[Coleman, Hunter]

You'll probably have better luck if you post this in one of 
the Exchange newsgroups (microsoft.public.exchange*) or lists (http://groups.yahoo.com/group/exchange-2003/)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay 
KumarSent: Tuesday, June 13, 2006 11:43 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain gets 
Blacklisted

Hi all,

Can u help me on this prob. Problem is that my exchange 2003 which 
installed on win 2003 dc agets blacklisted (Means my static ip is blacklisted). 
I searched how to stop this
and on net i found solutions pointing towards open relay and spam 
protection. They r saying that ur exchange is spaming so tell me how to control 
and stop spamming.

Thanx
Ajay

RE: [ActiveDir] OT:Exchange mailnickname

[Coleman, Hunter]

Empirical evidence suggests that he shouldn't be insisting 
so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and 
we have no problems getting to subfolders via OWA. I'm sure you could take a 
test user account in your environment and duplicate 
this.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, June 09, 2006 7:41 AMTo: 
activedirectorySubject: [ActiveDir] OT:Exchange 
mailnickname

My company wants to use a mail stubing app called "Mailbox Manager" from 
CA.

I've been going back and forth with the tech there.
He claims that, according to him, due to a limitation in WebDAV, one of the 
user's proxy addresses needs to be in the format of [EMAIL PROTECTED], for 
users to be able to see subfolders underneath their inbox in OWA. 
I've never heard of such a limitation and think he may be talking about 
"mailnickname"(alias), but he inisits I'm wrong.

Can anyone shed some light on this?

Thanks

RE: [ActiveDir] OT:Exchange mailnickname

[Coleman, Hunter]

Not that I've run into, as far as accessing subfolders via 
OWA. Again, this would be very easy for you to confirm in your environment and 
throw back at the CA tech, though you might consider this a good indicator of 
what you're in for support-wise from them.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, June 09, 2006 8:53 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] OT:Exchange 
mailnickname

Thanks.
What about mailNickname?
Arethere any issues if mailNickname is different than sAMAccountName 
in re: to WebDAV?

Thanks again
On 6/9/06, Coleman, 
Hunter [EMAIL PROTECTED] 
wrote: 

  
  
  Empirical 
  evidence suggests that he shouldn't be insisting so much. Very few of our 
  users have a proxy address of [EMAIL PROTECTED], and we have no problems getting 
  to subfolders via OWA. I'm sure you could take a test user account in your 
  environment and duplicate this.
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Tom 
  KernSent: Friday, June 09, 2006 7:41 AMTo: 
  activedirectorySubject: [ActiveDir] OT:Exchange 
  mailnickname
  
  
  My company wants to use a mail stubing app called "Mailbox Manager" from 
  CA.
  
  I've been going back and forth with the tech there.
  He claims that, according to him, due to a limitation in WebDAV, one of 
  the user's proxy addresses needs to be in the format of [EMAIL PROTECTED], for users to be able to see 
  subfolders underneath their inbox in OWA. 
  I've never heard of such a limitation and think he may be talking about 
  "mailnickname"(alias), but he inisits I'm wrong.
  
  Can anyone shed some light on this?
  
  Thanks
  

RE: [ActiveDir] AD lag sites and replication

[Coleman, Hunter]

Title: AD lag sites and replication



This may be further out on the unsupported limb than you 
want to crawl, but IIRC Deanreferenced an alternative to lag sites in his 
part of the joe and Dean show at DEC. You could schedule a script that toggles 
the replication epoch value and during "off-hours", nothing (and 
nobody)will be able to force replication without setting the epoch back 
first.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Tuesday, May 30, 2006 2:33 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
AD lag sites and replication

Thanks Ulf.

I was 
hoping to avoid NIC disabling and such like. I was looking for a solution which 
would enforce the replication schedule between sites, such that an admin could 
not 'over ride' it.

I'd 
rather handle the situation with procedures and policies than use scripts to 
disable NICs (or connection objects) at scheduled times :)

neil



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-WeidnerSent: 30 May 2006 09:01To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] AD lag sites and 
replication

You are able to 
disable the network interfaces, pretty easy with VMWare or Virtual Server since 
you are able to do it from the host via scripting, bit more painfull if you have 
to do it from the DC itself since you don't have any remote access when the nic 
is disabled (you could use a scheduled task which runs netsh to activate / 
deactivate the interface).

Also putting a 
firewall with scheduled rules in between would work very well, especially since 
you can block everything but RDP at the no-sync times.

As long as you 
don't exceed the tombstone-lifetime I don't see any reasons why this should not 
be supported since we are just talking about lag-sites without any memberservers 
/ clients / users who log onto those DCs.
Gruesse - 
Sincerely, 
Ulf B. 
Simon-Weidner 
 Profile 
 Publications:http://mvp.support.microsoft.com/profile=""> Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]Sent: Tuesday, May 30, 2006 9:49 
  AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
  AD lag sites and replication
  
  I'm looking to implement one or more lag sites, 
  with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 
  2-4 am; LON lag replicates mon, wed and fri 2-4 am).
  We're concerned that admins can still force 
  replication outside of these hours using repadmin or replmon etc. 
  Is there a (supported) way to ensure that 
  replication can ONLY occur within the hours described above? 
  Thanks, neil 
  PLEASE READ: The 
  information contained in this email is confidential and 
  intended for the 
  named recipient(s) only. If you are not an intended 
  recipient of this 
  email please notify the sender immediately and delete your 

  copy from your 
  system. You must not copy, distribute or take any further 
  action in reliance 
  on it. Email is not a secure method of communication and 
  Nomura 
  International plc ('NIplc') will not, to the extent permitted by law, 
  
  accept 
  responsibility or liability for (a) the accuracy or completeness of, 
  
  or (b) the 
  presence of any virus, worm or similar malicious or disabling 
  
  code in, this 
  message or any attachment(s) to it. If verification of this 
  
  email is sought 
  then please request a hard copy. Unless otherwise stated 
  this email: (1) is 
  not, and should not be treated or relied upon as, 
  investment 
  research; (2) contains views or opinions that are solely those of 
  
  the author and do 
  not necessarily represent those of NIplc; (3) is intended 
  for informational 
  purposes only and is not a recommendation, solicitation or 

  offer to buy or 
  sell securities or related financial instruments. NIplc 
  does not provide 
  investment services to private customers. Authorised and 
  regulated by the 
  Financial Services Authority. Registered in England 
  no. 1550505 VAT 
  No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
  
  London, EC1A 4NP. 
  A member of the Nomura group of companies. 
PLEASE READ: The 
information contained in this email is confidential and 
intended for the 
named recipient(s) only. If you are not an intended 
recipient of this 
email please notify the sender immediately and delete your 
copy from your 
system. You must not copy, distribute or take any further 
action in reliance 
on it. Email is not a secure method of communication and 
Nomura International 
plc ('NIplc') will not, to the extent permitted by law, 
accept 
responsibility or liability for (a) the accuracy or completeness of, 

or (b) the presence 
of any virus, worm or similar malicious or disabling 
code in, this 
message or any attachment(s) to it. If verification of this 
email is sought then 
please request a 

RE: [ActiveDir] Permission to modify description

[Coleman, Hunter]

What happens when you run the script interactively, as opposed to within
the login script?

You can (should?) tighten the security on this...granting Self allow on
Write Description should be sufficient. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, April 19, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permission to modify description

I have a logon script which changes the description of the current user
when they logon, or rather it should do. Whenever I pop that script in
to a logon script it fails with a general access denied error.

The line it fails on it the last of these two;

objUser.Description = strMessage
objUser.SetInfo

objUser is pointing to the correct user, and it can set the local cached
description setting, it only fails when it trys to set that info on the
server.

I have tried giving Authenticated Users the Write General
Information permission, but that doesn't help.

Any ideas what permission I need to assign so that people are able to
edit the description properties ? Is there an associated permission for
using the setinfo method ?


If it helps, this is win2k servers with xp desktops.

Olly
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] automatic account disable

[Coleman, Hunter]

What criteria are you using to determine that a user is inactive? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable

hi guys,

it's possible to make a automatic lockout in user accounts by
inactivity, or I need a third party tool?

thanks

Myke
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Lingering Objects

[Coleman, Hunter]

Have you looked at http://support.microsoft.com/kb/314282and 
http://technet2.microsoft.com/WindowsServer/en/Library/4a1f420d-25d6-417c-9d8b-6e22f472ef3c1033.mspx? 
And are you sure that the lingering objects are the root cause of the 
replication problems, and not vice-versa?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Thursday, March 30, 2006 12:15 
PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
Lingering Objects
I have many problems with lingering 
objects. I would like to solve them. I Recive this message when I use 
repadmin /showreps: 

  
  
HQSite\DC1 via RPC 
  objectGuid: 2521a874-d379-4281-8744-4bd34c792026Last attempt @ 
  2002-01-21 16:10.54 failed, result 8240:There is no such object on the 
  server.Last success @ (never). I have read this Ms article (http://support.microsoft.com/?id=317097 - Lingering objects 
prevent Active Directory replication from occurring) How can I discover with object 
is that and how to delete it? CAN I find a server that does not have the Object 
to rehost from? Does anyone have 
anything else about this problem? I have many (about 165) dc´s with about 80 
GC´s. I have many problems with replication  The Strict replication 
Consistency 0 is making things better . but tin some of them the problems 
remains. I wait for your 
help... Adrião Ferreira Ramos 
Superintendência de Tecnologia da Informação Depto. de Operações e Infra-estrutura - CII * [EMAIL PROTECTED] ( 11 - 3388-8193 
 
 

  
  
"matheesha weerasinghe" 
  [EMAIL PROTECTED] Enviado Por: [EMAIL PROTECTED] 
  30/03/2006 07:26 
  


  
Favor responder 
aActiveDir@mail.activedir.org

  


  
Para
  ActiveDir@mail.activedir.org 


  
cc
  

  
Assunto
  Re: [ActiveDir] DC Demotion  
AD Site Configuration
  


  
  The 
whole point of a site is to have a DC in it isn't it? Therefore you should 
cleanup the unnecessary sites and associate subnets with sites you want them to 
be a part of. The DC locator will only do its job correctly if DNS is right. DNS 
will be correct if you maintain a nice sites and services plan and clean up all 
other unnecessary records in DNS.  
In my opinion "a" is the way to go.  M@On 
30/03/06, James Carter [EMAIL PROTECTED] wrote: 
Hey guys, Single Windows 2003 
Domain. I have 5 core sites and 70 branch offices. Each 
of the core sites host 2 x dc's and each branch office has a DC. 
The design is legacy from NT4 whereby we had a BDC at 
each of the branch offices as they had slow WAN links at the time. During the 
upgrade, each of the BDC's were made dc's. Each dc is located in it's own AD 
Site  IP Subnet defined. Our concerns are that some 
of these remote dc's are located in insecure environments, i.e the are just a 
server sat in an unlocked closet in a business office environment. 
We've just completed an WAN upgrade and our links are minimum 
of 1mb to each of the remote offices. This is good news 
for us, as we can now demote most of the remote dc's (about 60 of them) 
My question is regarding the cleanup process. We have 75 AD 
Sites created with a subnet assigned to each site. Once the demotion process 
takes place, will I need to a) add the IP subnet to the 
core site so that the branch office is serviced by the dc's located there and 
then delete the old AD Site which no longer holds a dc. b) leave the AD site in existance with the IP Subnet assigned and let the 
DC locator service find a DC for the client to authenticate to? (this means I am 
left with a load of un-needed Sites in AD..I assume) We 
also use DFS but moving to DFS-R shortly. Thoughts 
anyone? Jim 
__Do You 
Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

RE: [ActiveDir] Disaster Recovery

[Coleman, Hunter]

Using virtual disk file backups or images for AD disaster 
recovery has USN-rollback perils that have been discussed several times here. 
It's worth a visit to the archives to check those out before staking your 
disaster recovery abilities on this strategy.

On the other hand, using AD-aware backups in conjunction 
with virtual servers *does* greatly simplify the hardware issues during a 
restore, and may be worth considering for that benefit 
alone.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ken 
CornetetSent: Tuesday, March 21, 2006 9:04 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Disaster 
Recovery

I do a backup of the C: drive and system state using 
NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and 
system state) using Legato Networker. Why the NTBACKUP? Just in 
case...

I've done a couple of hotsite test recoveries of our DCs 
(HP DL380G2) to various other HP server models, and even to Dells. I've never 
had a major problem doing this with server 2003 (windows 2000, on the other 
hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs 
running on virtual servers. I'd create a perl script to nightly shut down the 
DCs, copy thevirtual diskfiles, then bring the DCs back up. I want 
to do this not so much for the hardware independence, but rather for the speed 
of recovery. 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Amy HunterSent: Tuesday, March 21, 2006 10:34 
AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just 
curious as to what steps you all take to protect your forest.


An example is I back up my System State nightly and these tapes go off to a 
offsite location. If my building and computer suite was to burn down, I would 
need to rebuild my forest. 

In this scenario I am assuming it would be easier to have identical 
hardware to carry out a restore, I know you can restore to alternate hardware 
but I hear bad things about this.

The other thought is to haveDC built using virtual server and start 
this DC one per month to replicate the latest copy of AD, then shutting it down, 
saving a copy of the VHD and sending to a offsite location,

That way it's not hardware dependant and just need to do a metadata 
cleanup

what do you all do?

amy 



Yahoo! 
Cars NEW - sell your car and browse thousands of new 
and used cars online search 
now 

RE: [ActiveDir] Export AD user list in hirerarchy

[Coleman, Hunter]

http://support.microsoft.com/kb/237677/en-ushasinstructionsonexportingtheOUstructure



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard Michael 
TyersSent: Tuesday, March 21, 2006 10:13 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Export AD user list 
in hirerarchy
Hi all,I have a DC running W2K server, with a number of 
OUs.I want to export the hirerarchy out, possibly to a CSV, or at worst 
excel (xls) file.Can anyone point me in the direction of where I would 
find out how to do that? thanks in advance,b

RE: [ActiveDir] Monitoring DC's

[Coleman, Hunter]

Never used Tivoli. From an RFP that an IBM vendor presented 
usa couple of years ago, I thought it was excessively complex, at least 
for our environment.

Regardless of the product, if it installs an agent on your 
DCs and you don't control the monitoring framework, then you're creating an 
opportunity for a non-domain admin to become one.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, March 10, 2006 2:19 PMTo: 
activedirectorySubject: [ActiveDir] Monitoring 
DC's

We currently run Tivoli for monitoring and software distribution here(No, 
SMS and MOM are not an option).
Right now there are talks about installing Tivoli endpoints on our Win2k3 
DC's for monitoring those as well.

How do people on this list feel about Tivoli for monitoring, specifically, 
and installing 3rd party software on a DC for monitoring things like FRS,DNS,DC 
availability,etc, in general?


Thanks

RE: [ActiveDir] R2 and W2K3 SP1

[Coleman, Hunter]

You're just upset that ADAM has gone Mormon :-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 17, 2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 and W2K3 SP1

A couple of reasons

1. As people keep buying the product they will buy the SP1 version of it
which has significant updates for security, etc. Best to get the old
stuff out of the channels.

2. Gets several feature packs out there with the media so people 
a. Know about it at all, lots of folks don't know about the RTW
stuff
b. Feel that it is fully supported (this was an issue with
acceptance of ADAM)

Even if you don't want any of the feature packs, you want R2 or at least
ADAM SP1 for the AD Tool updates. This and more is discussed in the book
in the signature below[1]. ;o)

Don't upgrade to R2 because you think it is a new OS. Upgrade if you
need the feature packs (or tools as mentioned above). I do recommend
slapping the schema in when you can, at some point, you will most likely
need to apply it so this gives you good head start for getting it in
there if you don't need it right away.


   joe 

[1] BTW, anyone who has had a chance to go through the book I wouldn't
mind hearing reviews (or better reading them on Amazon) and/or thoughts
on it. I am getting very positive feedback so far on the updates and
folks are really enjoying it. Worst comment is that ADAM deserves more
room and I completely agree, ADAM is a book unto itself that I am making
up notes on now for including a whole section on Microsoft dorking with
the name. If you know an MS Marketing person, please kick them in the
knee for me. Tell them they can respond to me at my email address. ADAM
was a great name, you could say, this is a case for ADAM madam! Oh no,
now you have to say something stupid like we need MSADLDS or ADLDS or
even LDS. At least they could have something fun and called it
Lightweight Service Directory. ADLDS and LDS are not fun. ADAM is fun.
Microsoft, stop being a stick in the mud you boobs.
Ah, back to work. Maybe post more over the weekend but probably not, too
busy.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 17, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 and W2K3 SP1

So Windows 2003 R2 is nothing more then Windows 2003 SP1???  Then why
release R2 at all?

Justin A. Salandra
MCSE Windows 2000  2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, February 17, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 and W2K3 SP1

R2 CD1 == w2k3 SP1.
R2 CD2 == addon components.

Does that help?
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta,
Nathaniel V Contractor NASIC/SCNA
Sent: 17 February 2006 15:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 and W2K3 SP1

Hey list,

Do you guys/gals know whether it is true that R2 disk 1 is the same as
Windows 2003 SP1?  I loaded the first disk and it loads exactly and
looks exactly like Windows 2003 SP1, except when the license agreement
screen comes up, it lists the OS as 2003 R2.  In the R2 FAQ page on the
Microsoft site, it says that you do not need to upgrade your 2003
servers to R2, you need to only upgrade them to SP1
http://www.microsoft.com/windowsserver2003/R2/R2FAQ.mspx.  Is there not
a distinct difference in the Kernel of R2 and the Kernel of 2003 SP1?
If not, then for the 2003 servers that I already have online, they need
only
SP1 to be up to standards.  R2 Disk 2 seems like the NT4 Option Pack,
not another OS release or kernel, but another set of features on a
separate disk.  Correct me if I am wrong.


Nathaniel Bahta
GD-NS
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete
your copy from your system. You must not copy, distribute or take any
further action in reliance on it. Email is not a secure method of
communication and Nomura International plc ('NIplc') will not, to the
extent permitted by law, accept responsibility or liability for (a) the
accuracy or completeness of, or (b) the presence of any virus, worm or
similar malicious or disabling code in, this message or any
attachment(s) to it. If verification of this email is sought then please
request a hard copy. 

RE: [ActiveDir] Replication traffic monitoring accounting

[Coleman, Hunter]

Title: Replication traffic monitoring & accounting



You can look at the NTDS perfmon counters, which include 
some replication traffic metrics. You might also want to look at your SYSVOL for 
recent large (relatively speaking) files that someone may have inserted via 
group policy objects. Possibly software distribution?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
HARTONOSent: Wednesday, February 15, 2006 4:56 AMTo: 
activedir@mail.activedir.orgSubject: [ActiveDir] Replication traffic 
monitoring  accounting

Hi all, 
Our network guys posted an interesting stats today, 
one of the DC in the remote site was using 40MByte of bandwidth over 3 hours in 
total. The dcs are plain dc with wins service installed (but the wins arent 
replicating to that particular dc) - the only thing is that one of the dc is 
running msmq with public queues on it.
Since the two DCs are rather standard, im wondering 
how do I do accounting on my end if possible to find out what could possibly be 
wrong - 40Mbyte of data over 3 hours is rather huge and choking up one of our 
slow 128k lines (sucky I know)
Without doing sniffing or on the network end etc, is 
there a way I could count replication traffic over to particular DC (perfmon 
maybe?) - not sure if inbound dra etc counters are related...
Anyone went down similar track before? 
Thank you and have a splendid day!  Kind Regards, 
 Freddy 
Hartono Group Support Engineer 
InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785  

RE: [ActiveDir] permon access

[Coleman, Hunter]

Are you wanting them to run perfmon against your domain 
controllers, or against member servers/workstations? Locally, or 
remotely?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Monday, February 13, 2006 8:14 AMTo: 
activedirectorySubject: [ActiveDir] permon 
access

In windows 2000 Forest, what are the bare minium rights needed for a user 
to run perfmon?

I'd like to delegate this to someone without making them alocal admin 
on the box.
Is this possible?

I can't seem to find a gpo adm template that allows this for win2k.

Thanks

RE: [ActiveDir] permon access

[Coleman, Hunter]

http://support.microsoft.com/?kbid=300702if you have 2k3 
members


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Monday, February 13, 2006 9:04 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon 
access

Sorry,

member servers.
remotely.

Thanks
On 2/13/06, Tom Kern 
[EMAIL PROTECTED] wrote: 

  Thank you very much!!
  
  Thats exactly what I was looking for...
  
  On 2/13/06, Olivarez, 
  Sergio J Mr ANOSC/FCBS  
  [EMAIL PROTECTED] wrote: 
  

Yeah sorry bout 
that! I realized that after I had already sent it. Check out the 
links below maybe they will help! 
http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;164018



Thanks... ... 
... ...
Sergio J. 
Olivarez - Contractor
GD-NS 





From: Tom 
Kern [mailto: [EMAIL PROTECTED]] 
Sent: Monday, February 13, 
2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon 
access



Thats 
why i stated I was on a windows 2000 Forest.



That 
group is only available on Wink23 dc's.



Thanks

On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS  
[EMAIL PROTECTED] wrote: 

How about utilizing 
the "Performance Monitor Users" built-in security group!


Thanks... ... ... 
...
Sergio J. 
Olivarez - Contractor
GD-NS 





From: Tom 
Kern [mailto: [EMAIL PROTECTED]] 
Sent: Monday, February 13, 
2006 8:14 AMTo: 
activedirectorySubject: 
[ActiveDir] permon access



In 
windows 2000 Forest, what are the bare minium rights needed for a user to 
run perfmon?



I'd 
like to delegate this to someone without making them alocal admin on 
the box.

Is this 
possible?



I can't 
seem to find a gpo adm template that allows this for 
win2k.



Thanks

RE: [ActiveDir] permon access

[Coleman, Hunter]

What account is the Performance Logs and Alerts running 
under, and what account did you give permissions to on the remote server's 
registry keys?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Monday, February 13, 2006 2:59 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon 
access

That works except when the user tries to create a counter log.
The log doesn't start and when an attempt is made to start it, the user 
gets an event id 2046.

The soultion here-
http://eventid.net/display.asp?eventid=2046eventno=2556source=SysmonLogphase=1

says to allow the Performance Logs and Alerts service on the local 
boxto use an account that has the "logon as service" right on the remote 
server.

Is this my only solution?
Thanks
On 2/13/06, Coleman, 
Hunter [EMAIL PROTECTED] 
wrote: 

  http://support.microsoft.com/?kbid=300702 if you have 2k3 
  members
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Tom 
  KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: 
  [ActiveDir] permon access
  
  Sorry,
  
  member servers.
  remotely.
  
  Thanks
  On 2/13/06, Tom Kern [EMAIL PROTECTED]  
  wrote: 
  
Thank you very much!!

Thats exactly what I was looking for...


On 2/13/06, Olivarez, 
Sergio J Mr ANOSC/FCBS  
[EMAIL PROTECTED] wrote: 

  
  Yeah sorry 
  bout that! I realized that after I had already sent it. Check 
  out the links below maybe they will help! 
  http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html
  http://support.microsoft.com/default.aspx?scid=kb;en-us;164018
  
  
  
  Thanks... ... 
  ... ...
  Sergio J. 
  Olivarez - Contractor
  GD-NS 
  
  
  
  
  
  From: Tom 
  Kern [mailto: [EMAIL PROTECTED]] 
  Sent: Monday, February 
  13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon 
  access
  
  
  
  Thats 
  why i stated I was on a windows 2000 Forest.
  
  
  
  That 
  group is only available on Wink23 dc's.
  
  
  
  Thanks
  
  On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS 
   
  [EMAIL PROTECTED] wrote: 
  
  How about 
  utilizing the "Performance Monitor Users" built-in security 
  group!
  
  
  Thanks... ... 
  ... ...
  Sergio J. 
  Olivarez - Contractor
  GD-NS 
  
  
  
  
  
  From: Tom 
  Kern [mailto: [EMAIL PROTECTED]] 
  Sent: Monday, February 
  13, 2006 8:14 AMTo: 
  activedirectorySubject: 
  [ActiveDir] permon access
  
  
  
  In 
  windows 2000 Forest, what are the bare minium rights needed for a user to 
  run perfmon?
  
  
  
  I'd 
  like to delegate this to someone without making them alocal admin on 
  the box.
  
  Is 
  this possible?
  
  
  
  I 
  can't seem to find a gpo adm template that allows this for 
  win2k.
  
  
  
  Thanks
  

RE: [ActiveDir] ldap error during search. Paging related?

[Coleman, Hunter]

Try it with a capital "Z"
adfind -b 
dc=mydomain,dc=com -f 
"((objectcategory=computer)(whencreated=2005111200.0Z))"


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, February 10, 2006 1:53 PMTo: 
activedirectorySubject: [ActiveDir] ldap error during search. Paging 
related?

I'm running this query -

C:\WinAdminToolsadfind -b dc=mydomain,dc=com -f 
"((objectcategory=computer)(whencreated=2005111200.0z))"


I get this error-

ldap_get_next_page_s: [myDC.mydomain.com] Error 0x35 (53) - 
Unwilling To Perform

Is this related to paging?
Am i going over the 1000 object limit or am i screwing up the query?

Thanks

RE: [ActiveDir] ds* or joeware to get DN from email address

[Coleman, Hunter]

adfind -default -f 
"(objectCategory=person)([EMAIL PROTECTED])" dn

You can change your search base as necessary. This also 
assumes that you want to check the primary SMTP address, and not match on a 
secondary address.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las 
HerasSent: Friday, February 10, 2006 2:50 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] ds* or joeware to 
get DN from email address

Are there any tools out there that can get me the DN from an email 
address?

I canwrite a script for this pretty easily, but I want to hand the 
task off to another admin that does not know scripting. Having him use 
pre-existing tools will simplify things.

Teo

RE: [ActiveDir] DSQUERY filter for space character only

[Coleman, Hunter]

(objectCategory=user)(displayName=\20))


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Sitton Glen 
ESent: Tuesday, February 07, 2006 10:17 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] DSQUERY filter for 
space character only

I need to run an obscure DSQUERY with a filter that 
finds displayNames with a value of a single space character. I'm 
stumped. I've tried every escape character possibility that I'm aware 
of. I know how to find null values, but can't seem to query on a space 
character alone. It hoses the ldap syntax.

When ADUC builds the ldap query itself, it 
fails:

 ((objectCategory=user)(displayName= 
))

 The query filter ... is not a valid 
query string.

I've tried:
" "
 ' '
 %20
 +
and escaping it with a \ or a 
^

Any ideas?

Thanks in advance,
- Glen

RE: [ActiveDir] Automagic Security groups.

[Coleman, Hunter]

Two options come to mind, I'm sure there are 
others...

1) Build a set of scripts and put a web front-end on them, 
which would allow others to move the user account and as part of the move, the 
OUone groups would get stripped and the OUtwo groups would get 
added.

2) Directly delegate the object move (or like above, stick 
it in a web page). Then have a scheduled task that periodically runs and looks 
at all user objects in OUone and sets the group membership correctly, same for 
OUtwo.

Option 1 has a more immediate effect, and that may be an 
important point. Option 2 has the advantage of consistently enforcing group 
membership, so even if someone makes an inadvertant change it will get corrected 
on the next pass of the script. It also makes it easier to change the groups and 
have all users get updated.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, 
JimSent: Tuesday, February 07, 2006 12:47 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Automagic Security 
groups.

I am almost looking for a 
query based Security Group, similar to Distribution 
Groups.

It would save me a ton of 
time if when I moved a user from OUone to OUtwo if it would/could strip that 
user of all their old groups and drop them into the new groups, based upon what 
OU the user account currently resides in.

15 schools, students moving 
from school to school all year longit would save us a ton of time. In fact I 
could delegate the move and have others do it. It would be the last part of the 
puzzle to making these moves near zero administrative 
overhead.

Any 
ideas?

Jim 
Kennedy

RE: [ActiveDir] Script to determine a machine's site

[Coleman, Hunter]

You can pull it with WMI (not sure about the PE scenario)
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp
 (watch the wrap) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 7:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

Thanks for the feedback, Deji, Guido, joe et al.

The one piece of code I'm missing now is one that can determine a machine's IP 
address. Any suggestions how that may be done (again, assume the machine is not 
joined to a domain and is running PE).

I can then feed that address into the logic that I do have (similar to that 
outlined below).


neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 03 February 2006 23:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site

I don't have the script I wrote for this handy, but the logic I used is this:
 
Get host's IP Address
Split it into whatever subnet mask use in your subnet/site configurations.
Do a CaseCase Else looking for a match.
If you get a match, that computer is in that site.
 
e.g. 
IP is 192.168.100.201
Subnet Mask is /16
192.168.100 = SiteA
192.168.101 = SiteB
192.168.102 = SiteC
192.168.103 = SiteC
 
So, you go
Select Case IPAddy
 Case 192.168.100 : strSiteName = SiteA
 Case 192.168.101 : strSiteName = SiteB
 Case 192.168.102, 192.168.103 : strSiteName = SiteC
.
 
Works in PE
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2/3/2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


Actually DsAddressToSiteNames will only take socket addresses (PSOCKET_ADDRESS, 
type AF_INET) to translate, the parameter that takes the dnshostname is the one 
to specify what DC you want to resolve the addresses to subnet/sites on. 
 
Actually the previously mentioned ATSN[1] utiltity is a light wrapper over this 
call.
 
  joe
 
 
 
 
[1]  Note the initials - I am not great with tool names. The best tool name I 
have isn't even a name I thought up and I haven't made the tool yet. I just 
know what I want it to do and what its name will be.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greene, Adam S
Sent: Friday, February 03, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to determine a machine's site


The function call DsAddressToSiteNames will take a dnsHostName and give you the 
site it belongs to. If you cannot implement that call, there are scripts out 
there that do a brute force query of AD for sites and subnets to get you the 
site name. Search for the function call and DsAddressToSiteNames vbscript to 
find them on google. With a lot of sites and subnets, that approach could get 
unwieldy though. If you can call a remote web service from your vbscript or 
write a win32 implementation of the call, that would be a better way to go. 
There is code out there on doing a C# version.
 
-Adam
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to determine a machine's site



Does anyone have a script which can: 

 - Interrogate the local machine for its IP address and mask
 - Determine the subnet which the machine resides in
 - Determine the site that corresponds to the that subnet 

And all this must be possible on a machine which is not joined to a domain. 
Ideally, the script should work when WinPE is running, too, as the machine is 
being built. 


Any ideas? 

neil 

PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended recipient 
of this email please notify the sender immediately and delete your copy from 
your system. You must not copy, distribute or take any further action in 
reliance on it. Email is not a secure method of communication and Nomura 
International plc ('NIplc') will not, to the extent permitted by law, accept 
responsibility or liability for (a) the accuracy or completeness of, or (b) the 
presence of any virus, worm or similar malicious or disabling code in, this 
message or any attachment(s) to it. If verification of this email is sought 
then please request a hard copy. Unless otherwise stated this email: (1) is 
not, and should not be treated or relied upon 

RE: [ActiveDir] OT: Roaming Profiles

[Coleman, Hunter]

"can't" and "unsupported" are two different 
things


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Navroz 
ShariffSent: Monday, February 06, 2006 2:12 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
Profiles

That's interesting...I have been doing exactly what 
the article states one can't.



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark 
ParrisSent: Monday, February 06, 2006 3:56 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
Profiles


Dont you just love 
Microsoft..

Personal 
folder files are unsupported over a LAN or over a WAN link 


http://support.microsoft.com/?kbid=297019 






From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Navroz 
ShariffSent: 06 February 2006 
19:28To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
Profiles

Frank,
Below is a link to MS 
Outlook plugin that when configured, will automatically archive folders to a 
network share at regular intervals, making it easy to keep all of you Outlook 
folders safely backed up.
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B081F3A-B7D0-4B16-B8AF-5A6322F4FD01displaylang=en

-Nav





From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Frank 
AbagnaleSent: Monday, February 
06, 2006 1:22 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
Profiles

No need to apologise, I blame spielberg 
anyway.



frank

"Ulf B. Simon-Weidner" 
[EMAIL PROTECTED] 
wrote:

  Sorry - wasn't sure 
  if it's your real name. If I'd choose a fake name for a community yours is in 
  the top10 ;-)
  
  
  
  Hope you don't 
  mind.
  
  
  
  Ulf
  
  



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Frank 
AbagnaleSent: Friday, 
February 03, 2006 11:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Roaming 
Profiles

Ulf  
everyone,



thanks for your responses, roaming profilesare 
mandatory here, if we were to take this away, all hell would break 
loose.



I guess educating them to store files elsewhere 
would be a good start.



thanks



Frank



Ulf - you are not the first to mention Carl 
Hanratty, youwon't be the last!"Ulf B. Simon-Weidner" 
[EMAIL PROTECTED] 
wrote:

  Hi 
  Frank,
  
  with those large 
  roaming profiles you need to
  1. educate your 
  users
  2. question the 
  use of roaming profiles
  
  In fact I've 
  seen a lot of companies who tend to stick to local only profiles in the 
  recent past. Roaming profiles are great - however I see them in 
  infrastructures where people are moving around on multiple computers a 
  lot, and where they don't have that much individual applications. I would 
  use roaming profiles for the production workers who are spending not a lot 
  of time on the computer and might share a pool of computers, however for 
  the regular office worker and the board of directors I'd use local 
  profiles since they tend to work on the same computer a lot and also 
  travel a lot.
  Educate them not 
  to store their critical data within the profile, and maybe a desktop 
  backup software which is taking care of their profile and data when 
  connected comes in handy too.
  
  
  Carl 
  Hanratty
  
  
  




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Frank 
AbagnaleSent: Friday, 
February 03, 2006 10:51 AMTo: ActiveSubject: [ActiveDir] OT: Roaming 
Profiles

Hi all,

I have a question regarding Roaming Profiles. 
Our environment currently have 3500 users which are all roaming profile 
enabled. Their profiles are stored on the local site server. We have 
approx 56 sites which are all linked by 256-1mb 
lines.

I like the concept of roaming profiles, however 
some of our users have profiles ranging from 5mb - 200mb, some even with 
1GB profiles. 

Because alot of our users log on to different 
computers at different sites, we are finding issues with corrupted 
profiles and logon speeds. On a few occasions, where a user has been 
added to a group, the permissions assign to this group are not shown 
when the users is logged back on. Deleting the profile and recreating 
fixes this issue but it's quite a time consuming 
effort.

How does everyone deal with roaming profiles if 
used? sometimes there are instances where users just want to logon to 
the PC without their roaming profile so they can remote desktop to their 
PC. In this situation 

RE: [ActiveDir] Script to change owner?

[Coleman, Hunter]

You can only take ownership of an object, not push it onto 
another security principal. Look at dsacls and the "wo" flag, running in the 
security context of the 3rd party.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, 
ScottSent: Wednesday, February 01, 2006 3:46 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Script to change 
owner?


Is there anyway in script 
(preferred) or through the GUI to change the owner of an object? I realize 
I can seize ownership in ADUC, but Id like to be able to assign ownership to a 
3rd party. If need be, I can login as that 3rd party 
to seize ownership, but Id like to be able to do it on a whole tree of objects, 
hence the desire to do it in script.

Thanks
Scotte

RE: [ActiveDir] ADAM msds-UserPasswordExpired

[Coleman, Hunter]

IIRC, some of the userAccountControl flags got pulled 
out into discrete attributes in ADAM. I think that UF_DONT_EXPIRE_PASSWD is now 
represented by ms-DS-User-Dont-Expire-Password. However, even with 
ms-DS-User-Dont-Expire-Password set to False and pwdLastSet set to 0, I'm still 
not seeing msds-UserPasswordExpired flip to 
True.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: Tuesday, January 31, 2006 11:17 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] ADAM 
msds-UserPasswordExpired

The only thing that comes to mind as to why this might be the case is that 
your useraccountcontrol value is incorrect for what you're trying to do. 
In order for the user to be required to reset their password, 
UF_DONT_EXPIRE_PASSWD must not be set as well as I understand it. Can you 
check the user account control and make sure that the user object is not 
configured to never expire the password? 


If this value is set to 0 and the User-Account-Control 
attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must 
set the password at the next logon 
On 1/30/06, Mr Oteece 
[EMAIL PROTECTED] 
wrote: 
I 
  am using ADAM R2. I am setting the password and pwdLastSetattributes via 
  the ADAM ADSI Edit program. msDS-UserPasswordExpired does become TRUE if 
  you backdate the password (to backdate thepwdLastSet, I set the system 
  time back a year, set the pwd, thenreturn it to current time). It just 
  doesn't become TRUE if pwdLastSetis 0.On 1/30/06, Al 
  Mulnick [EMAIL PROTECTED] 
  wrote: Just so we're on the same page, which version of ADAM are you 
  testing this against?Also, what are you using to set and 
  test the test conditions?  Al On 
  1/27/06, Mr Oteece [EMAIL PROTECTED] 
  wrote:   I am looking at ADAM to store bindable users 
  for authentication. I am   seeing some unexpected behavior when it 
  comes to the various  attributes that ADAM is using instead of 
  userAccountControl. I would  expect that setting pwdLastSet to 0 
  would cause  msds-UserPasswordExpired to become TRUE. Attempting 
  to bind with a  user with pwdLastSet = 0 does indeed fail. Yet 
  looking at the  attributes in ADSIEDIT or LDP shows 
  msds-UserPasswordExpired to still   be false.  
   Is that as expected? Is the logic to check both attributes to 
   determine if a pwd is expired? Or just check pwdLastSet and ignore 
  the  msds-UserPasswordExpired attribute?   List 
  info : http://www.activedir.org/List.aspx34 
   List FAQ: http://www.activedir.org/ListFAQ.aspx 
  35  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/36 
  List info : http://www.activedir.org/List.aspxList 
  FAQ: http://www.activedir.org/ListFAQ.aspxList 
  archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] ADAM msds-UserPasswordExpired

[Coleman, Hunter]

What is strange, though, is that a bind attempt using an account with
pwdLastSet of 0 fails, and a subsequent query (using a different
account) of msds-UserPasswordExpired on the original account still
doesn't show it as true. I would have expected the construction to occur
on the later query.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, January 31, 2006 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM msds-UserPasswordExpired

The attribute msds-UserPasswordExpired is constructed. It depends
entirely on how that construction is occurring. It sounds like it is
only checking pwdLastset against policy and isn't acknowledging a value
of 0 in pwdLastSet. 

That source hasn't been posted yet for us to view so I sent an email to
someone inside of MS to see if I can get clarification.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Tuesday, January 31, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM msds-UserPasswordExpired

The users are not set to not expire password.

On 1/31/06, Al Mulnick [EMAIL PROTECTED] wrote:
 The only thing that comes to mind as to why this might be the case is 
 that your useraccountcontrol value is incorrect for what you're trying

 to do.  In order for the user to be required to reset their password, 
 UF_DONT_EXPIRE_PASSWD must not be set as well as I understand it.  Can

 you check the user account control and make sure that the user object 
 is not configured to never expire the password?


 If this value is set to 0 and the User-Account-Control attribute does 
 not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the

 password at the next logon


 On 1/30/06, Mr Oteece [EMAIL PROTECTED] wrote:
 
  I am using ADAM R2. I am setting the password and pwdLastSet 
  attributes via the ADAM ADSI Edit program. msDS-UserPasswordExpired 
  does become TRUE if you backdate the password (to backdate the 
  pwdLastSet, I set the system time back a year, set the pwd, then 
  return it to current time). It just doesn't become TRUE if 
  pwdLastSet is 0.
 
 
 
  On 1/30/06, Al Mulnick [EMAIL PROTECTED] wrote:
   Just so we're on the same page, which version of ADAM are you 
   testing
 this
   against?  Also, what are you using to set and test the test
conditions?
  
   Al
  
  
   On 1/27/06, Mr Oteece [EMAIL PROTECTED] wrote:
   
I am looking at ADAM to store bindable users for authentication.

I am seeing some unexpected behavior when it comes to the 
various attributes that ADAM is using instead of 
userAccountControl. I would expect that setting pwdLastSet to 0 
would cause msds-UserPasswordExpired to become TRUE. Attempting 
to bind with a user with pwdLastSet = 0 does indeed fail. Yet 
looking at the attributes in ADSIEDIT or LDP shows 
msds-UserPasswordExpired to still be false.
   
Is that as expected? Is the logic to check both attributes to 
determine if a pwd is expired? Or just check pwdLastSet and 
ignore the msds-UserPasswordExpired attribute?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] CPU/Memory usage .vbs?

[Coleman, Hunter]

The error message is pretty accurate 
:-)

Try it this way


oFileName = 
Inputbox("c:\cpuuse.txt","CPU Usage","CPUuse.txt")
Set FSO = 
CreateObject("Scripting.FileSystemObject")
Set oFile = 
FSO.CreateTextFile(oFileName, 
True)

strComputer = "." 

Set objWMIService = 
GetObject("winmgmts:\\"  strComputer  "\root\CIMV2") 

Set colItems = 
objWMIService.ExecQuery( _
 
"SELECT * FROM Win32_PerfRawData_PerfOS_Processor",,48) 

For Each objItem in 
colItems 
 
Wscript.Echo "PercentProcessorTime: "  
objItem.PercentProcessorTime
oFile.WriteLineobjItem.PercentProcessorTime
Next




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Tuesday, January 24, 2006 8:25 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage 
 .vbs?





This is what I have. 
But I get an Object Required on intProcessoeUse

strComputer = "." 

Set objWMIService = 
GetObject("winmgmts:\\"  strComputer  "\root\CIMV2") 

Set colItems = 
objWMIService.ExecQuery( _
 
"SELECT * FROM Win32_PerfRawData_PerfOS_Processor",,48) 

For Each objItem in 
colItems 
 
Wscript.Echo "PercentProcessorTime: "  
objItem.PercentProcessorTime
Next

oFileName = 
Inputbox("c:\cpuuse.txt","CPU Usage","CPUuse.txt")
Set FSO = 
CreateObject("Scripting.FileSystemObject")
Set oFile = 
FSO.CreateTextFile(oFileName, True)

oFile.WriteLine 
intProcessorUse.PercentProcessorTime





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Derek 
HarrisSent: Monday, January 
23, 2006 3:49 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage 
 .vbs?

Very 
easily; just put the following lines near the top:

oFileName 
= Inputbox("Enter the path and filename to save the info.","CPU 
Usage","CPUuse.txt")Set FSO = 
CreateObject("Scripting.FileSystemObject")Set oFile = 
FSO.CreateTextFile(oFileName, True)



and put an 
oFile.WriteLine, with whatever data you want, wherever you 
want.

eg.

oFile.WriteLine 
intProcessorUse.PercentProcessorTime



Of course, 
it's usually better to put the values into a variable, and then do what you want 
with the variable...





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Harding, DevonSent: Monday, January 23, 2006 12:47 
PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] CPU/Memory usage 
 .vbs?
This is 
great! What I need is to use this code to output the current usage 
percentage to a text file. Can this be done?
strComputer = "."Set objWMIService = GetObject("winmgmts:" _  "{impersonationLevel=impersonate}!\\"  strComputer  "\root\cimv2")set objRefresher = CreateObject("WbemScripting.Swbemrefresher")Set objProcessor = objRefresher.AddEnum _ (objWMIService, "Win32_PerfFormattedData_PerfOS_Processor").objectSetintThresholdViolations = 0objRefresher.RefreshDo For each intProcessorUse in objProcessor If intProcessorUse.PercentProcessorTime  90 Then intThresholdViolations = intThresholdViolations + 1 If intThresholdViolations = 10 Then intThresholdViolations = 0 Wscript.Echo "Processor usage threshold exceeded." End If Else intThresholdViolations = 0 End If Next Wscript.Sleep 6000 objRefresher.RefreshLoop







From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Al 
MulnickSent: Sunday, January 
22, 2006 11:52 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] CPU/Memory usage 
 .vbs?


WMI is a pretty easy way to get this 
done. What's your comfort level with scripting? 




Have you seen this? 




http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/monitoring/performance/

On 1/22/06, 
Harding, Devon [EMAIL PROTECTED] 
wrote: 
That being said.I'm looking for 
a script that will output the current memory usage (in percentage)  the top 
cpu processes.Is this possible?wmi? 
From: [EMAIL PROTECTED] 
on behalf of Michael B. SmithSent: Sat 1/21/2006 6:14 PMTo: ActiveDir@mail.activedir.orgSubject: 
RE: [ActiveDir] OT: .vbs mailing list?Although my most useful 
information about tough _vbscript_ questions hascome from here and from Robbie 
Allen's various books, there is [EMAIL PROTECTED].-Original 
Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
On Behalf Of Harding, DevonSent: Saturday, January 21, 2006 
12:17 PMTo: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] OT: .vbs mailing list?Is there a VBSript mailing list out 
there?-Devon-__ 
This message and any attachments are solely for the intendedrecipient 
and may contain confidential or privileged information.If you are not the 
intended recipient, any disclosure, copying, useor distribution of the 
information included in the message and any attachments is 
prohibited.If you have received this communicationin error, 
please notify us by reply e-mail and immediately andpermanently delete this 
message and any attachments.Thank You.List info 
: http://www.activedir.org/List..aspxList 
FAQ: 

RE: [ActiveDir] OT: speaking of AD books...

[Coleman, Hunter]

http://www.joeware.net/win/ad3e.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Monday, January 23, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: speaking of AD books...

I lost track of which book Joe was writing about below. Can someone
refresh my memory?

As for Joe writing a book about how he does things - what would be cool.

al

Rich Milburn wrote:
 Joe I have one question for you on this book before mine arrives... am

 I going to read it, and then start bugging you again about compiling a

 book of AD and server best practices based off of all the good novels 
 you have posted on this list??
 
 :)
 
 In fact... come to think of it... maybe there is still an unwritten 
 book... one that takes topics that tend to come up on this list and 
 deals with each on a discussion basis.  It might be more useful for 
 consultants and architects though, but still... two examples:
 
 1) empty root domain issue - pros and cons
 2) remotely managing DCs - joe you once had a long spiel on how you 
 used to manage all those DCs remotely, and rather than give someone DA

 rights to work on it, you'd demote it, then rebuild it from bare 
 metal.  A decent percentage of us probably knows how to do these
things remotely.
 But what if someone wanted to set something like this up, and it was a

 new concept to them.  Is there a guide out there anywhere that could 
 show how to do it?  From setting up the imaging software, to 
 configuring a DC image to come up without someone clicking any buttons
locally, etc?
 
 
 A book like that would probably want a lot of input from a lot of 
 people, because the answers to a lot of best practices questions are 
 it depends.  But I bet there's a need...
 
 Rich
 --
 -
 Rich Milburn
 MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field 
 Platform Development Applebee's International, Inc.
 4551 W. 107th St
 Overland Park, KS 66207
 913-967-2819
 --
 I love the smell of red herrings in the morning - anonymous
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Sunday, January 22, 2006 10:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: speaking of AD books...
 
 Yeah there is a chapter on migration from 2K to K3 as well as a small 
 chapter on upgrading to K3R2.
 
 The big wins in this version of the book if anyone asks me though are
 
 1. A real live chapter on ADAM. First in existence that I am aware of.

 I like this chapter, if anyone reads it and has issues with it, please

 email me directly. I really like ADAM, I want to make sure my info is 
 all correct and that it fits people's experiences with it. Heck I 
 wouldn't mind just hearing about people's experiences so if I write 
 anything else concerning ADAM, I can comment on it so others may not 
 hit the same issues/pitfalls.
 
 2. Significant updates to the Schema Chapters.
 
 3. Significant updates to the Security Chapters.
 
 4. A chapter on basic Exchange (AD-Related) tasks and how to script 
 them.
 
 5. The Site Topology and Replication chapter got a pretty serious 
 update as well.
 
 6. A lot of the scripts were reworked. 
 
 Do not buy the book for the VB.NET and Directory Services chapter. I 
 am not a NET person, I fully admit it, it is pretty much the same as 
 it was in 2E.
 If you want a book in that realm, you want the book Joe Kaplan has 
 been working on, I was a technical reviewer for that book and it looks

 like it is going to be pretty good.
 
 
 The TR folks can comment if they like on what they liked about it or 
 anything they think that is in it that makes it worthwhile. I had, 
 what I considered unusual, a two way street with feedback with the 
 TRs. They sent me their comments, I sent back responses for many of 
 the comments and asked for more detail or asked questions or what not 
 as needed. I know most everything I have ever TR'ed has been sort of a

 black hole where I don't know if the feedback is being used or not 
 which I never liked. At least one reviewer mentioned to me that the 
 feedback was unusual and well accepted.
 
 I don't expect this to be the be all end all book on AD but I did try 
 to make it so I would be happy my name was on it which if anyone knows

 me is not a low achievement bar, I am a bit picky. But at the same 
 time, I know I didn't get everything perfect, there wasn't time for 
 perfect, it had to be released this decade. It isn't a book that is in

 my voice/tone; it is a refresh so I attempted to follow the voice/tone

 that was there as much as possible as it wasn't mine to change. Some 
 people will not like that and some people are probably thankful for 
 it. :o)
 
 
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 

RE: [ActiveDir] OT: Script Request - Restart Remote Service

[Coleman, Hunter]

Here is part of a script that I poached from somewhere. It's only set to
stop a list of services, but you could include a second step in the
For...Next loop that calls the oInstance.ExecMethod_(StartService)
after you've stopped the service.

Watch for line wraps and such...


sComputer = 'enter the target computer name here
' In 'services_list', add your sevices in the order you want them to
stop. 
' If some of the services have comma in their names, 
' you must choose another delimiter 
services_list =
IMAP4Svc,POP3Svc,MSExchangeES,MSExchangeIS,MSExchangeMTA,MSExchangeSA,M
SExchangeMGMT,MSExchangeSRS,RESvc 
services_array = Split(services_list,,) 


For i = 0 to UBound(services_array) 
  sService = Trim(services_array(i))
  'fileTxt.WriteLine(ServiceName =   sService)
  Set oInstance =
GetObject(winmgmts:{impersonationLevel=impersonate}//  sComputer  _
/root/cimv2:Win32_Service=  Chr(34)  sService  Chr(34))
  'fileTxt.WriteLine(ServiceState =  
oInstance.Properties_(State).Value)
  fileTxt.WriteLine(oInstance.Name  :  
oInstance.Properties_(State).Value)
  If (oInstance.Properties_(State).Value = Running) Then
   Set oOutParam = oInstance.ExecMethod_(StopService)

   If oOutParam.ReturnValue = 0 Then
fileTxt.WriteLine(oInstance.Name   stopped successfully)
   Else
fileTxt.WriteLine(oInstance.Name   failed to stop)
Select Case oOutParam.ReturnValue
Case 1  fileTxt.WriteLine(The request is not
supported.)
Case 2  fileTxt.WriteLine(The user did not have the
necessary access.)
Case 3  fileTxt.WriteLine(The service cannot be stopped
because other   _
services that are running are
dependent on it.)
Case 4  fileTxt.WriteLine(The requested control code is
not valid, or   _
it is unacceptable to the
service.)
Case 5  fileTxt.WriteLine(The requested control code
cannot be sent to   _
the service because the state
of the service.)
Case 6  fileTxt.WriteLine(The service has not been
started.)
Case 7  fileTxt.WriteLine(The service did not respond
to the stop request   _
in a timely fashion.)
Case 8  fileTxt.WriteLine(Unknown failure when stopping
the service.)
Case 9  fileTxt.WriteLine(The directory path to the
service executable was not found.)
Case 10 fileTxt.WriteLine(The service is already
stopped)
Case 11 fileTxt.WriteLine(The service database is
locked.)
Case 12 fileTxt.WriteLine(A dependency which this
service relies on   _
has been removed from the
system.)
Case 13 fileTxt.WriteLine(The service failed to find
the service needed   _
from a dependent service.)
Case 14 fileTxt.WriteLine(The service has been disabled
from the system.)
Case 15 fileTxt.WriteLine(The service does not have the
correct authentication   _
to run on the system.)
Case 16 fileTxt.WriteLine(This service is being removed
from the system.)
Case 17 fileTxt.WriteLine(There is no execution thread
for the service.)
Case 18 fileTxt.WriteLine(There are circular
dependencies when stopping the service.)
Case 19 fileTxt.WriteLine(There is a service running
under the same name.)
Case 20 fileTxt.WriteLine(There are invalid characters
in the name of the service.)
Case 21 fileTxt.WriteLine(Invalid parameters have been
passed to the service.)
Case 22 fileTxt.WriteLine(The account, which this
service is to run under is   _
either invalid or lacks the
permissions to run the service.)
Case 23 fileTxt.WriteLine(The service exists in the
database of services   _
available from the system.)
Case 24 fileTxt.WriteLine(The service is currently
paused in the system.)
End Select
   End If


  Do 
' state will be Stop Pending until Stopped. 
' Adjust sleep as necessary, but do *not* remove it! 
WScript.Sleep 1000 
   Set oInstance =
GetObject(winmgmts:{impersonationLevel=impersonate}//  sComputer  _
/root/cimv2:Win32_Service=  Chr(34)  sService  Chr(34))
   'fileTxt.WriteLine( ServiceState =  
oInstance.Properties_(State).Value
 Stopped = False
  if oInstance.Properties_(State) = Stopped Then 
'fileTxt.WriteLine( sService  :  
oInstance.Properties_(State).Value 
Stopped = True 
  end if 
  Loop until Stopped 

 End If
Next  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL 

RE: [ActiveDir] AD computer accounts being removed

[Coleman, Hunter]

Look at netdom.exe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 18, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/18/06, Crawford, Scott [EMAIL PROTECTED] wrote:

 For example, if the
 domain box shows MICROSOFT, change it to Microsoft.com or vice-versa.

 This seems to trigger a domain rejoin without having to join the
workgroup.

 snip

On a side-note - is there a command line utility which will allow a
workstation to be renamed/joined to a domain?

I'm aware of a way of creating a computer account using the NET command,
but this has to be done from the server, and ideally, I'm hoping there's
a way of joining from the NT4/2kpro/XP workstations.

--
AdamT
Maidenhead is *not* in Kent
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] adfind question

[Coleman, Hunter]

Try it as
adfind -h DC1 -b 
"cn=schema,cn=configuration,dc=myco,dc=private" -s base 
objectVersion


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah 
EigerSent: Wednesday, January 18, 2006 3:27 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] adfind 
question


Hi 


I am 
trying to write a little batch file that will report various version numbers to 
me on each DC to help monitor the W2k3 upgrade process. I am having trouble 
getting adfind to report the objectVersion of the Schema. When I 
run:
adfind DC1 b 
CN=Schema,CN=Configuration,DC=myco,DC=private 
I get a 
torrent of stuff including the attribute that I want. (That is an attribute 
right?) When I try to filter or limit the output, I dont get what I want. For 
example,
adfind DC1 b 
CN=Schema,CN=Configuration,DC=myco,DC=private 
objectVersion
Gives 
me a list of all of the objects under Schema.

How can 
I limit this? (Or, does anyone have a script that already checks all this 
stuff?)

Thanks.

-- 
nme
--No virus found in this outgoing message.Checked by AVG 
Free Edition.Version: 7.1.375 / Virus Database: 267.14.20/233 - Release 
Date: 1/18/2006

RE: [ActiveDir] ADUC updates - Was Expired Accounts

[Coleman, Hunter]

Maybe the ability to change the security context for certain operations
within a session? Like a task-specific run-as. I haven't thought this
all the way through in terms of security implications, but usually when
I fire up ADUC it's with a non-privileged account, and then I have to go
back with a different account or different tool in a privileged context
if I need to make a change.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks
describe accurately everyone's pain? 

I am asking because I will summarize and wrap this up after it is done,
I pinged the developer and he is looking forward to seeing the email
with the details. This isn't going through multiple layers of PSS like
you may be used to putting requests through, this is going into the MVP
feedback system and being sent separately to one of the guys writing the
source code for it.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items. 

Let's have an expert's mode where we don't change the names of the
attributes things that are user-friendly like calling samAccountName
User logon name (pre-Windows 2000), Kind of a cross between ADUC and
ADSIedit or like that E55 admin utility in RAW mode.

Allow ADUC to handle larger numbers of objects in a container without
running like a snail.

I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.

I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.

I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to
find out how/why that principal has that right.

I'd like an easy way to search by managedBy that didn't require full
DNs.
I'd like to be able to specify the canonical name and have it figure out
the DN for me. That's because canonical name is copy-able from the UI.

Use the disabled account icon for disabled accounts that show up in the
find object dialog results pane.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box: 
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, lets do this.

Everyone who has an idea for a change to ADUC post to the ideas to this
thread. Don't be shy, you may have thought of something no one else
would think of that once seeing it would go this is very cool. Then when
the thread seems to die (or some point after that when I catch up :oP )
I will summarize to make sure I understand and then post to LadyBug as
improvements that could be made. Also, you may or may not be shocked to
hear that many of the folks working on the stuff in Redmond actually
watch this list on a regular basis too so they may see it directly. I
know the conversation we had previously about suggested improvements to
AD was watched pretty closely and generated several DCRs without me even
arguing with anyone.

So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently
live.
This includes disabled, locked, expired passwords, expired accounts?
Would this be better to add maybe as additional columns that you could
tell the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailywick now isn't it? I think I recall us
having this conversation at BB.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for
disabled accounts, expired account, expired password, etc.  

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical 

RE: [ActiveDir] Find date Computer object was deleted and created

[Coleman, Hunter]

Turn up auditing and then parse the Security event logs on your domain
controllers. There are a variety of ways to partially or fully automate
this, including EventComb and scripting. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nigel Glasgow
Sent: Friday, January 13, 2006 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Find date Computer object was deleted and created

Hi all,


I am trying to determine if and when a Sysadmin with domain admin pass
deleted and recreated a computer object in the domain. This info will
useful to any IT manager or SysAdmin who is having doubts about what is
being reported when computer objects are suddenly absent, then they
reappear in the domain computer listing next day.

 Any help out there?

Thanks.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] NT and AD Permissions

[Coleman, Hunter]

Where are the C$/D$ shares? On the PDC, BDC, member 
server?

What happens when you put the migrated account directly in 
the NT4 Local Administrators group and bypass the nested group 
config?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra 
BurraSent: Wednesday, January 11, 2006 10:41 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] NT and AD 
Permissions

Hi,

we have a NT domain and a new 2003 AD domainMigrated a domain admin 
account, but after migration, that account can not connect to admin shares like 
C$ or D$.. is there any quick fix..

I have the Domain Admins group on AD as a member of Local Administrators 
group on the NT Domain...is there something i am missing??


Thanks in advance...


Regards,
Chandra 

RE: [ActiveDir] Strange deleted object issue

[Coleman, Hunter]

Try adfind with the -showdel flag


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Tuesday, January 10, 2006 8:11 AMTo: 
activedirectorySubject: [ActiveDir] Strange deleted object 
issue

I have this weird issue-

A user object is missing from my win2k native mode domain.
I know because this user has complained that he can't log in and i can't 
find the object anywhere in AD.

I've checked the deleted objects container in AD with ldp and he is not in 
there as well.
He's not in the Lost and Found container either.

His exchange mailbox is oprhaned in ESM.

Sometime last nite this user was deleted but i have no way of finding 
him. we don't have auditing turned on for that but i figured if an object 
was deleted it would definetely be in the deleted objects container.
is there anyway to bypass that?
where else can i look?

Any help would be great because this is just plain bizzare.

Thanks

RE: [ActiveDir] Strange deleted object issue

[Coleman, Hunter]

Create a user account, then delete it. Note which DC you're 
connected to for the delete, then check the security log on that DC. Look at all 
of the events around the time you deleted the account so that you'll know what 
is actually getting logged.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Tuesday, January 10, 2006 1:23 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Strange deleted 
object issue

Yes.
Thanks.
I just have 2 issues.

1. I don't understand why i get that error in ldp when i enter the oid 
control for deleted objects

2. Most importantly, i had "audit account management" enabled for sucess 
and failure on my domain controllers ou and auditing enabled for "everyone" for 
everything on the entire domain object, yet when i use evencombMT to scan for an 
event id 630 in the security log, i get nothing. 

this account was deleted last nite so something should show up with this 
auditing enabled, no?

do i have to set some other security policy like "audit directory service 
access" as well?

I figured account management should cover deleting a user object.

Thanks
On 1/10/06, Al 
Mulnick [EMAIL PROTECTED] 
wrote: 

  I've deleted the rest of the thread already, but did you not already say 
  you found him in the deleted items using ADFIND -showdel? 
  
  Or did I misread that and you're still looking for him? 
  
  
  On 1/10/06, Tom 
  Kern [EMAIL PROTECTED] wrote: 
  
  
I'm just using ADUC and searching by sAMAccountName.
With LDP, i'm looking in Deleted Objects container but this company 
never deletes users accounts, just disables them indefinetly so all i see in 
that container are linkTrackOMTEntry objects.

How can i see if the user was renamed?

I got a call from help desk that this user couldn't log in and they 
couldn't find him in AD using ADUC which i confirmed.
he's been witht the corp for 5 years and i was assured he always had an 
account.

Thanks
On 1/10/06, Al 
Mulnick [EMAIL PROTECTED] 
wrote: 

  how do you know he's missing exactly? I mean, are you sure the 
  account wasn't changed for example? Maybe renamed somehow? 
  
  When you search, how are you searching exactly? 
  
  
  
  On 1/10/06, Tom 
  Kern [EMAIL PROTECTED] 
  wrote: 
  
I have this weird issue-

A user object is missing from my win2k native mode domain.
I know because this user has complained that he can't log in and i 
can't find the object anywhere in AD.

I've checked the deleted objects container in AD with ldp and he is 
not in there as well.
He's not in the Lost and Found container either.

His exchange mailbox is oprhaned in ESM.

Sometime last nite this user was deleted but i have no way of 
finding him. we don't have auditing turned on for that but i 
figured if an object was deleted it would definetely be in the deleted 
objects container.
is there anyway to bypass that?
where else can i look?

Any help would be great because this is just plain bizzare.

Thanks

RE: [ActiveDir] OT: DEC 2006

[Coleman, Hunter]

Oh no, there was no mention of civility anywhere 
:-)


From: Brian Desmond 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
DesmondSent: Friday, January 06, 2006 7:39 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 
2006


Oh you mean you 
witnessed them being civil to each other? That doesn't happen too 
often,especially after hours.


Thanks,
Brian 
Desmond
[EMAIL PROTECTED]

c - 
312.731.3132


From: [EMAIL PROTECTED] on 
behalf of Fuller, StuartSent: Fri 1/6/2006 5:30 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 
2006

Aimed at both Hunter and I are "average" AD admins and 
have found it very useful. The best part is sitting aroundat night 
talking with Joe and Dean.:-)

_Stuart Fuller





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of mike klineSent: Friday, January 06, 2006 1:34 
PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
OT: DEC 2006


Looks like DEC is a great event and a lot of the 
heavy hitters and MVP's from this list will be there. Just wondering 
about it, is this a good conference for the average AD 
admin/designer or is this aimed at the advanced experts. I think my 
company will send some of us so I'm trying to get a feelfor the target 
audience. 

Thanks
Mike
On 1/6/06, Lee, Wook 
[EMAIL PROTECTED] wrote: 

  
  I'm doing my regular 
  lounge act at DEC. I don't know if I'll be able to make it to DEC 07 if I have 
  to pay to play (the DEC that will live in Infamy if they make us pay, haha). 
  Maybe they'll let me come if I volunteer to help set up or maybe do janitorial 
  work on the side. I know Stella and Christine are always looking for 
  "volunteers". :-P ;-) 
  
  Wook
  
  P.S. Haikus and 
  Jingles have been done. Do we dare do Limericks? "The 7 Limericks of Identity 
  Management" does have a certain ring to it. Higgledy-Piggledy? Sonnets would 
  be too high-brow for this crowd. 
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge 
  deSent: Friday, January 06, 
  2006 2:05 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
  OT: DEC 2006
  
  
  
  damn I knew 
  there was a catch! ;-))
  
  
  
  jorge
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Gil 
  KirkpatrickSent: Fri 
  2006-01-06 00:48To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
  OT: DEC 2006
  
  Jorge, you're speaking at DEC. You already get a free 
  pass.We're not going to make speakers pay for their tickets, at least 
  not until after 2007. :) -g-Original 
  Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
  Almeida Pinto, Jorge deSent: Thursday, January 05, 2006 3:51 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: 
  DEC 2006can I get a free 
  pass?jorgeFrom: [EMAIL PROTECTED] on behalf of Gil 
  KirkpatrickSent: Thu 2006-01-05 23:36To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: DEC 2006Well, I'm going. But I get a free pass... 
  :)-gil 
  From: [EMAIL PROTECTED] [ 
  mailto:[EMAIL PROTECTED]] On Behalf Of Mark 
  ParrisSent: Thursday, January 05, 2006 3:17 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: DEC 2006Of the list 
  how many people are going to DEC this year? www.directoryexpertsconference.com http://www.directoryexpertsconference.com/Tomorrow 
  is the last day for the early bird registrations if anyone wants to day some 
  $£EUR's.MarkThis e-mail and any 
  attachments may contain confidential and privileged information. If you 
  are not the intended recipient, please notify thesender immediately by 
  return e-mail, delete this e-mail and destroy anycopies. Any dissemination 
  or use of this information by a person other than the intended recipient 
  is unauthorized and may be illegal.This e-mail and any attachment is for authorised use by the intended 
  recipient(s) only. It may contain proprietary material, confidential 
  information and/or be subject to legal privilege. It should not be copied, 
  disclosed to, retained or used by, any other party. If you are not an intended 
  recipient then please promptly delete this e-mail and any attachment and all 
  copies and inform the sender. Thank you. List 
  info : http://www.activedir.org/List.aspxList 
  FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
  List info : http://www.activedir.org/List.aspxList 
  FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
  

RE: [ActiveDir] Exchange store size

[Coleman, Hunter]

Check the application event logs on the exchange servers 
for ESE 220. Text of those should show the size of each store as the backup of 
the store begins. Given a list of your Exchange servers, you could script that 
up to check them all and dump out the results to a file.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, January 06, 2006 12:29 PMTo: 
activedirectorySubject: [ActiveDir] Exchange store 
size

Is there any quick easy way to get the size of all your Exchange 2k 
mailbox/public stores in your Org?

Thanks

RE: [ActiveDir] OT: DEC 2006

[Coleman, Hunter]

You're saying you don't take your laptop bag to the gym? :-)

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Mark Parris 
Sent: Thu 1/5/2006 3:56 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] OT: DEC 2006



Just a thought: 

 

As most people already have a laptop bag – can we have a bag that we 
can say use for the gym this year or is it too late?

 

I always get laptop bags (average 6 a year) and they sit in cupboard 
(closet) until I have too many or my wife goes ape (mad) and I have to dispose 
of them.

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
Kirkpatrick
Sent: 05 January 2006 22:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

 

Well, I'm going. But I get a free pass... :)

 

-gil

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark 
Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year? 
www.directoryexpertsconference.com http://www.directoryexpertsconference.com/ 
 

 

Tomorrow is the last day for the early bird registrations if anyone 
wants to day some $£€’s.

 

Mark

 

This e-mail and any attachments may contain confidential and privileged
information. If you are not the intended recipient, please notify the
sender immediately by return e-mail, delete this e-mail and destroy any
copies. Any dissemination or use of this information by a person other
than the intended recipient is unauthorized and may be illegal.

winmail.dat

RE: [ActiveDir] DHCP(ot)

[Coleman, Hunter]

Ask your company what problem they hope to solve, or what 
added functionality they hope to get, by going with a 3rd party product. Then 
ask them if that problem/functionality is worth the purchase and implementation 
cost.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Monday, December 19, 2005 8:08 AMTo: 
activedirectorySubject: [ActiveDir] DHCP(ot)

My company wants to use 3rd party dhcp product like Bluecat's Adonis 500 or 
1000 instead of Windows DHCP.

Is there really any compelling reason to dump or not dump Windows 
DHCP?

We are running a Win2k3 Forest FFL Win2k3 with all our clients Win2k pro at 
the moment and Exchange 2k3.

We do have a lot of Solaris servers running Sybase and other 
backendnetwork services as well.

I'm just wondering why the pros or cons are of moving away from Windows 
DHCP in this area.

I think the pros of WIN DHCP is its free and the abilty to prevent rouge 
DHCP servers(if they're running win2k and above, of course).

I think most DHCP servers can do DDNS these days on behalf of the client so 
that's probably not an issue.
Most can also give clients additionally info in the scope options like dns 
ip,domain name,etc.

So, i was wondering if i'm missing anything.

Also, has anyone used Bluecat's DHCP product in their network?

Thanks alot

RE: [ActiveDir] Fully Own a User

[Coleman, Hunter]

You've hit the masterAccountSID problem that crops up when 
a mailbox-enabled account gets disabled. http://support.microsoft.com/default.aspx?scid=kb;en-us;278966


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah 
EigerSent: Wednesday, December 14, 2005 5:45 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Fully Own a 
User


Hi 


I have 
about 10 users that left the company. Their AD accounts are disabled. I would 
like to use Exmerge to archive their email to PST and then delete them. However, 
Exmerge kicks back an error: Error opening message store (MSEMS). These accounts 
have the same permissions as the users for whom Exmerge worked fine. I tried 
enabling one of the accounts, logged in as that user, and then tried to 
configure Outlook to use the account. This last step (Outlook) got rejected 
saying the user did not have permission to access the 
mailbox.

So, how 
can I completely own this account and give my admin account full 
control?

Thanks.
--No virus found in this outgoing message.Checked by AVG 
Free Edition.Version: 7.1.371 / Virus Database: 267.13.13/199 - Release 
Date: 12/13/2005

RE: [ActiveDir] ADMT Request

[Coleman, Hunter]

It's been ages since we ran our migration, but at the time we scripted
it using the sample scripts that accompanied ADMT. If you go that route,
you can have multiple log files that are uniquely named and not run into
the session confusion. You'll also get much more consistent results from
the scripts, as you won't have mischecked options or typos that seem
inevitable in lots of point/click scenarios.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 12, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT Request

Hi All

I am not sure anybody that can do anything with this listens on this
list but we have been using ADMT v.3 with great success for a very large
scale migration.  The multi session ability has been a huge benefit to
us.  We are running into a problem keeping multiple sessions straight.

How hard would it be to include a description field that you can fill in
when you start the session that would then show up in the title bar for
the session (something like Session DENVER, California, etc)

Just a wish.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Found bug in Active Directory DNS (integrated)

[Coleman, Hunter]

You're sure that it wasn't your client cache returning the 
value after the initial query?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
ADSent: Wednesday, December 07, 2005 7:36 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Found bug in Active 
Directory DNS (integrated)

Ok, this is the scenario.I 
needed to create 123 DNS entries really quick so I decided to use DNSCMD. It 
ended it being a big mistake.

The mandatory parameters for DNSCMD /RECORDADD are the following:

servername
/RecordAdd
Zone
NodeName
RRType
RRData
[command parameters]

So I typed in the following: (entered it on different lines for easy 
readibiltiy).

ncdc01 
/RecordAdd 
myDomain.com 
hostA.myDomain.com
A
192.168.1.2

The command completes with a "Command Completed Successfuly". Great. Only 
one problem. It does not show up in the DNS management console. I can see it in 
the directory but not in the DNS snapin. When I do a NsLookup on that record it 
comes up as hostA.myDomain.com.myDomain.com. Ok so I figured out that you do not 
need to specify the domain name for the NodeName parameter of the 
command. I go ahead and delete the entry in ADUC because I can't see it in DNS 
console, clear the DNS cache on the server and clear the cache on my client. 
When I run NsLookup on the host again it shows up as 
hostA.myDomain.com.myDomain.com. That is impossible right? The only way I was 
able to clear this entry from the server cache was to restart DNS on the DC. Not 
a feasible solution when you have 20 DC across the country.

Has anyone seen this before?

Thanks

Yves 

RE: [ActiveDir] Exporting Mailbox rights

[Coleman, Hunter]

The reference is on line 155 of the script. Go to Alain's 
site (www.lissware.net) and scroll down to 
the link for "Script Kit of Volume 2". Download that and extract the whole 
thing...you should get a directory structure, and themain script is in 
\Volume_2_ScriptKits\Chapter_04\Sample 4.02 to 4.13. You should also see a 
\Functions directory, which is where the SecurityInclude.vbs script (and others) 
reside.

To run it against all of the mailboxes in an OU, you'll 
need to wrap Alain's script with code that queries the OU for all mailboxes, and 
then pipes the CN for each mailbox to the WMIManageSD.Wsf 
code.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Amy 
HunterSent: Monday, December 05, 2005 5:41 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Exporting 
Mailbox rights

Hi Alain,

thanks for your response, it all looks very clever.

I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group 
mailboxes,OU=,DC=spinnaker,DC=org" /adsi 
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group 
mailboxes,OU=,DC=spinnaker,DC=org" /decipher


I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: 
Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs"

when I open this script, i can't see any reference to this 

Also, How can I run this against all group mailboxes in an OU

any ideas?

Amy ;-)

Ps...sorry if I sound lame, scripting is not an area I spent too much time 
with Yet. /DIV 



Alain Lissoir [EMAIL PROTECTED] 
wrote:

  
  You can 
  look at http://www.lissware.net, volume 
  2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the 
  Functions folder).
  
  Syntax to 
  use in red below (the script supports Filesystem, Share, ADObject with 
  Extended Rights, Exchange Mailbox, Registry Key, WMI 
  namespace).
  
  Microsoft (R) Windows Script Host Version 5.6Copyright (C) 
  Microsoft Corporation 1996-2001. All rights reserved.
  
  Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] 
  [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] 
  [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] 
  [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] 
  [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] 
  [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] 
  [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] 
  [/Password:value]
  
  Options:
  
  FileSystem : Get 
  the security descriptor of the specified file or directory 
  path.Share 
  : Get the security descriptor of the specified share 
  name.ADObject 
  : Get the security descriptor of the specified distinguished name AD 
  object.E2KMailbox 
  : Get the security descriptor of the Exchange 2000 mailbox specified by AD 
  user distinguished 
  name.E2KStore 
  : Specify if th e security descriptor must come from the Exchange 2000 
  store.RegistryKey : Get 
  the security descriptor of the specified registry 
  key.WMINameSpace : Get the 
  security descriptor of the specified WMI Name 
  space.ViewSD 
  : Decipher the security 
  descriptor.Owner 
  : Set the security descriptor 
  owner.Group 
  : Set the security descriptor 
  group.SDControls : 
  Set the security descriptor control 
  flags.AddAce 
  : Add a new ACE to the 
  ACL.DelAce 
  : Remove an existing ACE from the 
  ACL.Trustee 
  : Specify the ACE mask (granted user, group or machine 
  account).ACEMask 
  : Specify the ACE mask (granted 
  rights).ACEType 
  : Specify the ACE type (allow or deny the ACE 
  mask).ACEFlags 
  : Specify the ACE flags (ACE mask 
  inheritance).ObjectType 
  : Specify which object type, property set, or property an ACE refers 
  to.InheritedObjectType : Specify the GUID of an object that will inherit 
  the 
  ACE.SACL 
  : Manage the System ACL (auditing) (default=Discretionary 
  ACL).Decipher 
  : Decipher the security 
  descriptor.ADSI 
  : Retrieve the security descriptor with 
  ADSI.SIDResolutionDC : Domain Controller to use 
  for SID 
  resolution.Machine 
  : Determine the WMI system to connect to. 
  (default=LocalHost)User 
  : Determine the UserID to perform the remote connection. 
  (default=none)Password 
  : Determine the password to perform the remote connection. 
  (default=none)Examples:
  
   Viewing Security descriptors 
  ... Files and Folders 
  --- 
  WMIManageSD.Wsf /FileSystem:C:\MyDirectory 
  /Decipher+ WMIManageSD.Wsf 
  /FileSystem:C:\MyDirectory /Decipher+ /ADSI+ 
   WMIManageSD.Wsf 
  /FileSystem:C:\MyDirectory\MyFile.Txt 
  /Decipher+ WMIManageSD.Wsf 
  /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+ 
  
   Share 
  --- 
  WMIManageSD.Wsf /Share:MyDirectory /Decipher+
  
   AD object 
  

RE: [ActiveDir] Exporting Mailbox rights

[Coleman, Hunter]

http://msdn.microsoft.com/library/default.asp?url="">(watch the URL 
wrap)

There's a section in there that covers the mailbox 
permissions.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Amy 
HunterSent: Friday, December 02, 2005 3:17 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Exporting Mailbox 
rights

Hi everyone,

Thankyou everyone for your responses to my other post, everything went 
smoothly.

I am looking for a way to export Exchange 2003Mailbox Permission 
access to a .csv or .txt for all mailboxes in active directory
Does anyone know of a script or tool which will give me the same 
information as the Exchange Advanced Tab  Mailbox Rights for all users and 
groups. 

I want to view the mailboxes to see who has access to what.

Kind Regards,

Amy ;-)


How much free photo storage do you get? Store your 
holiday snaps for FREE with Yahoo! Photos. Get 
Yahoo! Photos

RE: [ActiveDir] When is a domain Admin not a domain Admin?

[Coleman, Hunter]

Well, if they truly have full control over all objects, 
then they could add themselves into the Domain Admins group. Moot 
point...


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Morley, 
ScottSent: Monday, November 28, 2005 12:59 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] When is a domain 
Admin not a domain Admin?


All,

For reasons too long and boring to 
mention, I have been asked about the following 
scenario:

Create a regular normal everyday 
user
Give that user full control over all 
objects in the domain
The user is NOT part of the Domain 
Admins group


Does the membership of the domain 
Admins group provide some additional rights/functionality to a user? Or is 
full access to all objects equivalent to domain admin 
rights?




Scott 
Morley
Active Directory 
Manager
MSCE 2000, CCNA, CNE, 
CNI

"Human beings, who are 
almost unique in
having the ability to learn from the experience of 
others, 
are also remarkable for their apparent disinclination to 
do so. " - Douglas Adams (1952-2001)
This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged.
The information is intended only for the use of the individual(s) or entity named above.  If you are not the intended recipient, be
aware that any disclosure, copying or distribution or use of the contents of this information is prohibited.  If you have received
this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.

RE: [ActiveDir] Renaming AD accounts en masse

[Coleman, Hunter]

Probably the easiest thing to do is save the spreadsheet 
into a delimitted text file (tab-delimitted in the code below), then open the 
file and read each line:

Const ForReading = 1
strSourceFile = "yourFile.txt"
Set objFSO = 
CreateObject("Scripting.FileSystemObject")Set objSourceFile = 
objFSO.OpenTextfile(strSourceFile, ForReading)
Do Until objSourceFile.AtEndOfStreamstrLine = 
objSourceFile.ReadLinearrTemp = Split(strLine, 
VBTab)
rest of your code here
Loop


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
RussSent: Thursday, November 17, 2005 2:20 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse

Oh very cool that worked. Sorry, i'm not very 
_vbscript_ savvy. 

Now if I can figure out how to modify one of RLMuellers 
scripts to pull the info in from a spreadsheet I'll have it made. Any 
hints appreciated!

Thanks


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge deSent: Thursday, November 17, 2005 3:06 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse


the link to script I mailed 
you is to rename the common name attribute (CN) using the movehere 
method.

if you want to change the sAMAccountName 
attribute you can use the following code:

Set objADObject = GetObject("LDAP://DC-NAME/CN=JORGE,OU=IT-DEPARTMENT,DC=DOMAIN,DC=LOCAL")objADObject.Put 
"sAMAccountName", "new 
samaccountname"objADObject.SetInfo

Jorge


From: [EMAIL PROTECTED] on 
behalf of Rimmerman, RussSent: Thu 11/17/2005 9:44 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse

I don't see a username option in DSMOD. Every other 
blank appears to be modifyable except for the username 
(sAMAccountName)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, 
AricSent: Thursday, November 17, 2005 2:16 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse


Another command line 
option would DSMOD.





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Almeida Pinto, Jorge 
deSent: Thursday, November 17, 
2005 12:08 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse



you can use the 
example as explained at: http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1214.mspx

although a group is used as example 
you can do it with users also. Modifying the script to use an input file would 
to the "en masse" thing



cheers,

Jorge





From: [EMAIL PROTECTED] 
on behalf of Tony MurraySent: 
Thu 11/17/2005 8:28 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Renaming AD 
accounts en masse

You can create with 
CSVDE but not modify, so it wouldnt be suitable for 
renaming.

A script or LDIFDE 
would be the obvious alternatives.

Tony





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Phil 
RenoufSent: Friday, 18 
November 2005 6:17 a.m.To: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Renaming AD 
accounts en masse


CSVDE is probably a good bet since you have the 
information in Excel already:



http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1050686f-3464-41af-b7e4-016ab0c4db26.mspx 




Phil

On 11/17/05, Rimmerman, Russ [EMAIL PROTECTED] 
wrote: 

What's the easiest and 
quickest way to rename a large (1000+) number of AD user accounts? LDIFDE? 
AD.NET? Or is there something 
easier? I'm going to be importing 1000+ AD accounts that are first.last 
for the username and will want to rename them to a specific username listed in 
an excel spreadsheet. 

  
  

  ~~This 
  e-mail is confidential, may contain proprietary informationof the 
  Cooper Cameron Corporation and its operating Divisions and may be 
  confidential or privileged.This e-mail should be read, copied, 
  disseminated and/or used onlyby the addressee. If you have received 
  this message in error pleasedelete it, together with any attachments, 
  from your system. 
  ~~

This communication, including any attachments, is 
confidential. If you are not the intended recipient, you should not read it - 
please contact me immediately, destroy it, and do not copy or use any part of 
this communication or disclose anything about it. Thank you. Please note that 
this communication does not designate an information system for the purposes of 
the Electronic Transactions Act 2002.

  
  
~~This 
  e-mail is confidential, may contain proprietary informationof the 
  Cooper Cameron Corporation and its operating Divisionsand may be 
  confidential or privileged.This e-mail should be read, copied, 
  disseminated and/or used onlyby the addressee. If you have received 
  this message in error 

RE: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

[Coleman, Hunter]

We've used Boot and Nuke, which has several options for number of 0/1
write passes. http://dban.sourceforge.net/ 

I'm not sure what Joe's -safe option would be on something like this :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 16, 2005 7:03 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Jose, you might want to check with the Symantec support site to find
something that meets DoD spec.  If not, there are lots of inexpensive
options such as http://www.stompsoft.com/drivewasher2.html that claim to
meet that standard.  Pretty much, it means many passes of writing 1's
and 0's to all sectors on the media, so you *could* even do this
yourself if you really really wanted to.

I think there should be a joeware tool for it g

-ajm


From: Jose Medeiros [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recommendations for a DOD wipe of a RAID
Array?
Date: Wed, 16 Nov 2005 00:32:06 -0800

Thanks for the reply Brian, I suggested that as well. These servers are

being donated to a non profit and have had sensitive payroll data on
them.
The policy at the company now that they are Sarbanes Oxley compliant is

that we will do a DOD wipe of all discarded data.

Jose
- Original Message - From: Brian Desmond 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, November 15, 2005 7:14 PM
Subject: RE: [ActiveDir] Recommendations for a DOD wipe of a RAID
Array?


I don't work for HP, but, I usually find the System Erase utility on 
the SmartStart disk sufficient.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
Jose
Sent: Tuesday, November 15, 2005 9:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommendations for a DOD wipe of a RAID Array?

Greetings,

I am trying to use Symantecs Gdisk with a /DODWIPE option to do a 
security wipe of  a Compaq 7000's Raid Array, however using a dos boot

disk will not allow me to access the disk array. My work around on 
this was that I created a 32 bit bootable CD-Rom using Bart's PE and I

added the server's 32bit Raid controller driver which now allows me to

access the disk array. However since it is running a 32bit OS, gdisk 
will not work as it is only a 16bit program. When I try and use 
Symantec's Gdisk32 which will run, the /DODWIPE option is not 
available.

Does anyone know if Symantec has an updated version of GDISK32 that 
supports a DODWIPE? Does any one have any prefered tools other then 
GDISK that they can recommend that will work with my Raid Array?

Since there are some HP employees on this list, does HP have a 
recommended tool they provide there customers to use on Proliant 
servers before decommisioning them?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] strGrooup?

[Coleman, Hunter]

Your post got me to wondering where I had screwed up, and it turns out I
made two incorrect assumptions. First, I thought that VBScript was
consistent with other environments where False=0 and True=1. Not so, as
apparently they decided that True=-1. Second, I assumed that in the If
statement, if your check evaluated to True (or -1, as I see now) then
the code following Then would execute, and if the check evaluated to
False (or 0) then the code following Then would not execute. Turns out
that is the case from a logical standpoint, but in the implementation if
your check evaluates to anything other than 0, then the code following
Then will execute. Kind of subtle, but it could produce unexpected
results, at least for me :-)

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, November 14, 2005 7:03 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] strGrooup?

I found the problem.  It seems that my constants were not lower case,
thats why it was not mapping.  I also added 'On Error GoTo 0' after the
removal of the drives to show errors.  The drives mapped with the
original If,Then statements (without the 0).
 
Thanks All...



From: [EMAIL PROTECTED] on behalf of Coleman, Hunter
Sent: Mon 11/14/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] strGrooup?


OK, looking at this a bit closer than my first reply, if the user is in
Windows_Group and/or any of the other groups, what are the odds that
that group will happen to be first in the strGroup string? InStr will
return the position of the first occurrance, so unless it happens to be
the first group in strGroup you're going to get something greater than
1. Your If statements are looking for something that evaluates to 0 or 1
(False or True). So you need to change your evaluation to something like
If (InStr(strGroup, Windows_group)  0) Then 
End If
 
But that's not why you were getting the drives mapped. You have Option
Explicit set at the start, then you have On Error Resume Next. When you
try to use strGrooup (that isn't defined), the script errors but then
continues on to the next line. Get rid of the On Error Resume Next and
change your If statements, and you should be set. If you want to do some
error checking, you can put the On Error Resume Next back in but check
to see what Err.Number is after your If statements. As long as it is
zero, you can continue with the drive mapping.
 
Hunter



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, November 14, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] strGrooup?



I cannot figure this one out.  Why doesn't the following script work
when I use 'strGroup', instead, it works (maps drives) when I use
strGrooup.  strGrooup isn't even defined.

 

Option Explicit

Dim objNetwork, objUser, CurrentUser, objFSO

Dim strGroup

 

Const Windows_Group = BSG - IS Windows Systems

Const Pricing_Group = gs-ssd-pricing

Const IPCC_Group = IPCCGroup

Const IXOS_Group = IXOS_ScanPost_Common

 

Set objNetwork = CreateObject(WScript.Network)

' Forces script to skip errors (rem below line to see errors)

on error resume next

 

Dim WshNetwork

Set WshNetwork = WScript.CreateObject(WScript.Network)

' Set all drives to be removed here.

WshNetwork.RemoveNetworkDrive e:

WshNetwork.RemoveNetworkDrive f:

 

Set objUser = CreateObject(ADSystemInfo)

Set CurrentUser = GetObject(LDAP://  objUser.UserName)

strGroup = LCase(Join(CurrentUser.MemberOf))

 

if instr(strGrooup, Windows_Group) then

 objNetwork.MapNetworkDrive s:, \\gsfps2\siteshare

 objNetwork.MapNetworkDrive u:, \\gsfps2\users

end if

 

if instr(strGroup, IXOS_Group) then

 objNetwork.MapNetworkDrive e:, \\gsimage2\IXOS_ScanPost_Common\Late
Archive

 objNetwork.MapNetworkDrive f:,
\\gsimage2\IXOS_ScanPost_Common\Common Post

 objNetwork.MapNetworkDrive i:,
\\gsimage2\IXOS_ScanPost_Common\Normal

 objNetwork.MapNetworkDrive j:,
\\gsimage2\IXOS_ScanPost_Common\Demand

 objNetwork.MapNetworkDrive k:,
\\gsimage2\IXOS_ScanPost_Common\Emergency

end if

 

Devon Harding

Windows Systems Engineer

Southern Wine  Spirits - BSG

954-602-2469

 



__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You. 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com

RE: [ActiveDir] strGrooup?

[Coleman, Hunter]

Comment out your "on error resume next" line and run the 
script. What errors show up?

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Monday, November 14, 2005 4:05 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
strGrooup?





I cannot figure this one out. 
Why doesnt the following script work when I use strGroup, instead, it works 
(maps drives) when I use strGrooup. strGrooup isnt even 
defined.

Option 
Explicit
Dim objNetwork, objUser, 
CurrentUser, objFSO
Dim 
strGroup

Const Windows_Group = "BSG - IS 
Windows Systems"
Const Pricing_Group = 
"gs-ssd-pricing"
Const IPCC_Group = 
"IPCCGroup"
Const IXOS_Group = 
"IXOS_ScanPost_Common"

Set objNetwork = 
CreateObject("WScript.Network")
' Forces script to skip errors (rem 
below line to see errors)
on error resume 
next

Dim 
WshNetwork
Set WshNetwork = 
WScript.CreateObject("WScript.Network")
' Set all drives to be removed 
here.
WshNetwork.RemoveNetworkDrive 
"e:"
WshNetwork.RemoveNetworkDrive 
"f:"

Set objUser = 
CreateObject("ADSystemInfo")
Set CurrentUser = 
GetObject("LDAP://"  objUser.UserName)
strGroup = 
LCase(Join(CurrentUser.MemberOf))

if instr(strGrooup, Windows_Group) 
then
objNetwork.MapNetworkDrive 
"s:", "\\gsfps2\siteshare"
objNetwork.MapNetworkDrive 
"u:", "\\gsfps2\users"
end if

if instr(strGroup, IXOS_Group) 
then
objNetwork.MapNetworkDrive 
"e:", "\\gsimage2\IXOS_ScanPost_Common\Late 
Archive"
objNetwork.MapNetworkDrive 
"f:", "\\gsimage2\IXOS_ScanPost_Common\Common Post"
objNetwork.MapNetworkDrive 
"i:", "\\gsimage2\IXOS_ScanPost_Common\Normal"
objNetwork.MapNetworkDrive 
"j:", "\\gsimage2\IXOS_ScanPost_Common\Demand"
objNetwork.MapNetworkDrive 
"k:", "\\gsimage2\IXOS_ScanPost_Common\Emergency"
end if

Devon 
Harding
Windows Systems 
Engineer
Southern Wine  Spirits 
- BSG
954-602-2469





__This message and any 
attachments are solely for the intended recipientand may contain 
confidential or privileged information. If you are notthe intended 
recipient, any disclosure, copying, use or distribution ofthe information 
included in the message and any attachments isprohibited. If you have 
received this communication in error, pleasenotify us by reply e-mail and 
immediately and permanently delete thismessage and any attachments. Thank 
You. 

RE: [ActiveDir] strGrooup?

[Coleman, Hunter]

OK, looking at this a bit closer than my first reply, if 
the user is in Windows_Group and/or any of the other groups, what are the odds 
that that group will happen to be first in the strGroup string? InStr will 
return the position of the first occurrance, so unless it happens to be the 
first group in strGroup you're going to get something greater than 1. Your If 
statements are looking for something that evaluates to 0 or 1 (False or True). 
So you need to change your evaluation to something like
If (InStr(strGroup, Windows_group)  0) 
Then

End If

But that's not why you were getting the drives mapped. You 
have Option Explicit set at the start, then you have On Error Resume Next. When 
you try to use strGrooup (that isn't defined), the script errors but then 
continues on to the next line. Get rid of the On Error Resume Next and change 
your If statements, and you should be set. If you want to do some error 
checking, you can put the On Error Resume Next back in but check to see what 
Err.Number is after your If statements. As long as it is zero, you can continue 
with the drive mapping.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Monday, November 14, 2005 4:05 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] 
strGrooup?





I cannot figure this one out. 
Why doesnt the following script work when I use strGroup, instead, it works 
(maps drives) when I use strGrooup. strGrooup isnt even 
defined.

Option 
Explicit
Dim objNetwork, objUser, 
CurrentUser, objFSO
Dim 
strGroup

Const Windows_Group = "BSG - IS 
Windows Systems"
Const Pricing_Group = 
"gs-ssd-pricing"
Const IPCC_Group = 
"IPCCGroup"
Const IXOS_Group = 
"IXOS_ScanPost_Common"

Set objNetwork = 
CreateObject("WScript.Network")
' Forces script to skip errors (rem 
below line to see errors)
on error resume 
next

Dim 
WshNetwork
Set WshNetwork = 
WScript.CreateObject("WScript.Network")
' Set all drives to be removed 
here.
WshNetwork.RemoveNetworkDrive 
"e:"
WshNetwork.RemoveNetworkDrive 
"f:"

Set objUser = 
CreateObject("ADSystemInfo")
Set CurrentUser = 
GetObject("LDAP://"  objUser.UserName)
strGroup = 
LCase(Join(CurrentUser.MemberOf))

if instr(strGrooup, Windows_Group) 
then
objNetwork.MapNetworkDrive 
"s:", "\\gsfps2\siteshare"
objNetwork.MapNetworkDrive 
"u:", "\\gsfps2\users"
end if

if instr(strGroup, IXOS_Group) 
then
objNetwork.MapNetworkDrive 
"e:", "\\gsimage2\IXOS_ScanPost_Common\Late 
Archive"
objNetwork.MapNetworkDrive 
"f:", "\\gsimage2\IXOS_ScanPost_Common\Common Post"
objNetwork.MapNetworkDrive 
"i:", "\\gsimage2\IXOS_ScanPost_Common\Normal"
objNetwork.MapNetworkDrive 
"j:", "\\gsimage2\IXOS_ScanPost_Common\Demand"
objNetwork.MapNetworkDrive 
"k:", "\\gsimage2\IXOS_ScanPost_Common\Emergency"
end if

Devon 
Harding
Windows Systems 
Engineer
Southern Wine  Spirits 
- BSG
954-602-2469





__This message and any 
attachments are solely for the intended recipientand may contain 
confidential or privileged information. If you are notthe intended 
recipient, any disclosure, copying, use or distribution ofthe information 
included in the message and any attachments isprohibited. If you have 
received this communication in error, pleasenotify us by reply e-mail and 
immediately and permanently delete thismessage and any attachments. Thank 
You. 

RE: [ActiveDir] scripting file move issue(OT)

[Coleman, Hunter]

Yes, this is scriptable. Perl vs VBS? Either will work, so 
I'd go with whatever you are most comfortable with.

How quickly are your source directories going to refill, 
and how quickly are is your destination directory going to get cleaned up by the 
different process?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Wednesday, November 09, 2005 11:30 AMTo: 
activedirectorySubject: [ActiveDir] scripting file move 
issue(OT)

I'm having a problem trying to figure out how to script or batch file 
something.

I want to move N number of files from a series of sudirectories to another 
dir and then wait to make sure a different process that is running will remove 
the files i just moved from the other dir, before moving more N number of files 
from a series of subdirectories to that dir and continuing the process in this 
manner until the seires of subdirectories are empty. 

can i script something like this? 
would perl be better at this than _vbscript_?

can i do this with Robocopy? I read the docs and don't really think so but 
maybe someone else more familliar with it would know

thanks

RE: [ActiveDir] scripting file move issue(OT)

[Coleman, Hunter]

Rich has outlined what you'll need to do. I'd probably 
include an initial check of the destination folder to make sure it's empty 
before starting any of the copies/moves.

http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/default.mspxhas 
links to snippets that will show you how to list all files in a folder (and thus 
get a count), as well as how to move or copy files.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Wednesday, November 09, 2005 1:00 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] scripting file 
move issue(OT)

thanks

i think i might need a little more assistance here.
i'm a little out of my depth
On 11/9/05, Rich 
Milburn [EMAIL PROTECTED] 
wrote: 

  
  Tom, 
  
  Suggest you use 
  FSO.MoveFile or Folder.MoveHere in _vbscript_ to do the moving rather than 
  xcopy. You could enumerate files, have a for each loop with a counter, 
  and move files until the counter is divisible by 1000 (or = 1000 and reset), 
  sleep for 15-20 seconds, and continue. After your sleep you could check 
  that the destination folder is empty and if not then sleep again. 
  
  
  I'm assuming some 
  familiarity with the _vbscript_ I'm talking about, if you need more specifics 
  just ask. 
  Rich
  
  
  
  --- Rich Milburn 
  MCSE, Microsoft MVP 
  - Directory ServicesSr 
  Network Analyst, Field Platform Development Applebee's International, 
  Inc.4551 
  W. 107th StOverland 
  Park, 
  KS 66207 
  913-967-2819 
  -- 
  "I am always doing 
  that which I can not do, in order that I may learn how to do it." - Pablo 
  Picasso
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Wednesday, November 09, 2005 12:58 
  PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] scripting file 
  move issue(OT)
  
  
  
  the 
  source dirs take awhile to refill as they are being filled by xcopy. it copies 
  about 4gig a batch.
  
  The 
  destination dir empties in about 10-15secs.
  
  also the 
  destinantion dir can only handle 1000 files at a time before being 
  emptied.
  
  
  
  thanks
  
  
  
  On 
  11/9/05, Coleman, Hunter  [EMAIL PROTECTED] 
  wrote: 
  Yes, this is 
  scriptable. Perl vs VBS? Either will work, so I'd go with whatever you are 
  most comfortable with. 
  
  How quickly are your 
  source directories going to refill, and how quickly are is your destination 
  directory going to get cleaned up by the different process? 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On 
  Behalf Of Tom KernSent: Wednesday, November 09, 2005 11:30 
  AMTo: 
  activedirectorySubject: 
  [ActiveDir] scripting file move issue(OT)
  
  
  I'm 
  having a problem trying to figure out how to script or batch file 
  something.
  
  
  
  I want to 
  move N number of files from a series of sudirectories to another dir and then 
  wait to make sure a different process that is running will remove the files i 
  just moved from the other dir, before moving more N number of files from a 
  series of subdirectories to that dir and continuing the process in this manner 
  until the seires of subdirectories are empty. 
  
  
  
  can i 
  script something like this? 
  
  would 
  perl be better at this than _vbscript_?
  
  
  
  can i do 
  this with Robocopy? I read the docs and don't really think so but maybe 
  someone else more familliar with it would know
  
  
  
  thanks
  
  
  
  
  
  ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
  PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or 
  any attachments. This information is strictly confidential and may be subject 
  to attorney-client privilege. This message is intended only for the use of the 
  named addressee. If you are not the intended recipient of this message, 
  unauthorized forwarding, printing, copying, distribution, or using such 
  information is strictly prohibited and may be unlawful. If you have received 
  this in error, you should kindly notify the sender by reply e-mail and 
  immediately destroy this message. Unauthorized interception of this e-mail is 
  a violation of federal criminal law. Applebee's International, Inc. reserves 
  the right to monitor and review the content of all messages sent to and from 
  this e-mail address. Messages sent to or from this e-mail address may be 
  stored on the Applebee's International, Inc. e-mail system. 
  
  
  
  
  

RE: [ActiveDir] Exchange now supported on virtual hardware

[Coleman, Hunter]

"It depends..."

We're running some production Exchange front-end servers on 
ESX and they perform as well as others that we have on physical hardware. 
Connector servers are also good candidates. Heavily loaded mailbox servers...I 
agree with you there.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Friday, October 28, 2005 7:53 
AMTo: ActiveDir@mail.activedir.org; 
[EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: 
Re: [ActiveDir] Exchange now supported on virtual hardware


I couldn't agree more with Tony -- Exchange is a resource hog and should 
not be done on VMWare except for testing purposes. Just because you can 
doesn't mean you should

Chuck Gafford
Systems Architect
Unisys
Mobile: (405) 819-6766

-Original Message-From: Medeiros, Jose 
[EMAIL PROTECTED]To: ActiveDir@mail.activedir.org; 
[EMAIL PROTECTED]Cc: # Jose Medeiros-IBM (E-mail) 
[EMAIL PROTECTED]Sent: Thu, 27 Oct 2005 15:39:35 -0700Subject: 
[ActiveDir] Exchange now supported on virtual hardware


Hi Tony, 

I have to respond to this. Many IT managers think you can just virtualize any 
application because of all the marketing hype. Be very careful, I/O is critical 
to Exchange and any other database application which may make running it on 
VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very 
resource intensive and will take whatever it can. Now I am sure if you have a 
very small environment that it may make sense, but with Microsoft Small Business 
server why would you want to?

Any body else car to throw in there two cents?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Behalf Of Tony Murray
Sent: Thursday, October 27, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware


Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual 
Server 2005 R2.  This article has just been released.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;320220
 
I guess this means we can now run a DC and Exchange on the same physical 
hardware without any of the previous limitations.
 
Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Exchange now supported on virtual hardware

[Coleman, Hunter]

Typically 20GB and 800 users per store, with 3 stores per 
server.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Friday, October 28, 2005 10:17 
AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
Exchange now supported on virtual hardware



What's your sizing of mail stores and mailboxes there --

Chuck
-Original Message-From: Coleman, Hunter 
[EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSent: Fri, 28 Oct 
2005 08:35:27 -0600Subject: RE: [ActiveDir] Exchange now supported on 
virtual hardware



"It depends..."

We're running some production Exchange front-end servers on 
ESX and they perform as well as others that we have on physical hardware. 
Connector servers are also good candidates. Heavily loaded mailbox servers...I 
agree with you there.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
[EMAIL PROTECTED]Sent: Friday, October 28, 2005 7:53 
AMTo: ActiveDir@mail.activedir.org; 
[EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: 
Re: [ActiveDir] Exchange now supported on virtual hardware


I couldn't agree more with Tony -- Exchange is a resource hog and should 
not be done on VMWare except for testing purposes. Just because you can 
doesn't mean you should

Chuck Gafford
Systems Architect
Unisys
Mobile: (405) 819-6766

-Original Message-From: Medeiros, Jose 
[EMAIL PROTECTED]To: ActiveDir@mail.activedir.org; 
[EMAIL PROTECTED]Cc: # Jose Medeiros-IBM (E-mail) 
[EMAIL PROTECTED]Sent: Thu, 27 Oct 2005 15:39:35 -0700Subject: 
[ActiveDir] Exchange now supported on virtual hardware


Hi Tony, 

I have to respond to this. Many IT managers think you can just virtualize any 
application because of all the marketing hype. Be very careful, I/O is critical 
to Exchange and any other database application which may make running it on 
VMWARE or VIRTUAL SERVER unpractical not to mention Exchange is also very 
resource intensive and will take whatever it can. Now I am sure if you have a 
very small environment that it may make sense, but with Microsoft Small Business 
server why would you want to?

Any body else car to throw in there two cents?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Behalf Of Tony Murray
Sent: Thursday, October 27, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Exchange now supported on virtual hardware


Microsoft has introduced support for Exchange 2003 SP2 and later on Virtual 
Server 2005 R2.  This article has just been released.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;320220
 
I guess this means we can now run a DC and Exchange on the same physical 
hardware without any of the previous limitations.
 
Tony

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] exchange confusion(OT)

[Coleman, Hunter]

IIRC, you have a dedicated SMTP connector for 
servername.journaldomain.com or journaldomain.com. You can try going to the 
Advanced tab of this SMTP connector and checking the box to "Send HELO instead 
of EHLO," which should drop the extended verb attempts from your 
side.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Wednesday, October 12, 2005 8:29 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange 
confusion(OT)

no difference.
i get back all the esmtp verbs including the MS ones.

In a net trace all i see is "tcp retransmission" on port 25 to that 
server.
i'm sending them about 2,000 emails in my queue but i only see about 3 
connections in the trace.

in the protocol log, i see my server give a xexch50, then their servr 
responds with a "need to auth first", then my server issues a bdat, then 
nothing-
no quit or rset or anything.

thanks alot

On 10/12/05, Coleman, 
Hunter [EMAIL PROTECTED] 
wrote: 

  Network 
  trace is probably the way to go, but lacking that...if you telnet to port 25 
  on the remote corp's mail host, and issue an ehlo command, do you get back a 
  list of supported verbs? What are they, or if not, what do you get back? Do 
  that from your workstation and also from the Exchange server that's trying to 
  deliver the mail to see if there are any differences or firewall restrictions. 
  
  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom 
  KernSent: Wednesday, October 12, 2005 6:04 PM 
  To: ActiveDir@mail.activedir.orgSubject: Re: 
  [ActiveDir] exchange confusion(OT)
  
  
  its 2 seperate orgs.
  that seems to be about 2 servers in the same org.
  
  i think the issue rests with the xexch50 esmtp verb.
  everytime my exchange server issues it, things just hang.
  
  the remote corp is using a pix firewall with an smtp proxy but not 
  Mailguard.
  I know mailguard can cause issues.
  
  do you know of any problems with some MS specific esmtp verbs like 
  xexch50 and pix firewalls?
  
  thanks alot
  On 10/11/05, Al 
  Mulnick [EMAIL PROTECTED]  
  wrote: 
  
This was what I was 
thinking of http://support.microsoft.com/default.aspx?scid=kb;EN-US;288175

But it's possible you have 
another issue going on. Can you capture the trace via netmon? Do you 
have it available? 

Ethereal is fine as well, 
but... Whichever you use, filter the conversation to those two servers so 
you can see everything going on. 

Also, do you end up getting 
a NDR? If so, what is it? 

Unable to relay? You 
didn't set up any recip policies with journaldomain.com by any 
chancedid you? 






  
  -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
  Tom KernSent: Tuesday, October 11, 2005 2:41 
  PMTo: ActiveDir@mail.activedir.org 
  Subject: Re: [ActiveDir] exchange 
  confusion(OT)
  
  Both servers are exchange 2k
  
  The conversation goes something like this-
  ehlo
  mail from:
  rcpt to:
  
  on my mailserver's side.
  all these get 250 smtp response codes from the journal 
  server.
  
  then, my mail server tries to send a xexch50 which gets a "need to 
  auth first" response from their server.
  now i assume thats just normal exchange routing/mapi info stuff but 
  they're not in the same ORG so thats a normal response.
  then the last thing i see is a bdat from my server and thats all she 
  wrote.
  i never see a quit or the conversation end.
  this is in the smtp protocol logs on my bridgehead server.
  
  in ethereal i just get "tcp retransmission" everytime i see the ip of 
  the journal server.
  maybe this is the GRE tunnel and i should play with the PMTUD on the 
  bridgehead?
  
  
  
  The thing you say about contacts having an internal address is new to 
  me. i've never worked at a company that gave their contacts internal proxy 
  addys or ever seen it written that you should do that.
  every place i've worked just used contacts as an object to represent 
  external addys in the GAL.
  
  isn't this their point?
  why would you need an addy pointing back to you for an external 
  contact?
  i'm not disagreeing with you, mind you, i'd just like to know why and 
  I know you know :)
  
  also, can you elaborate as to the "weird results" from having a 
  recipient pol point to a FQDN that indicates itself(not sure if thats the 
  way they set it up).
  
  thanks. sorry for all the questions(and OT as they are).
  
  
  On 10/11/05, Al 
  Mulnick [EMAIL PROTECTED] 
   wrote: 
  
One thing Exchange 
2000x doesn't do well is deal with hosting a FQDN that indicates 
 

RE: [ActiveDir] Adding users to local Admin group

[Coleman, Hunter]

Title: Adding users to local Admin group



The restricted groups setting falls under the Computer 
Config section of the GPO, so it's not going to apply to all machines they log 
into. It's only going to apply to the computers that receive the 
GPO.

Put the computers that are going to be used in the Cisco 
class into a temporary OU, and apply the restricted groups GPO to that temporary 
OU.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jake 
StablSent: Thursday, October 13, 2005 8:16 AMTo: 
ActiveDir@mail.activedir.org; [EMAIL PROTECTED]; 
techcoords@listserv.osn.state.oh.usSubject: [ActiveDir] Adding users 
to local Admin group

I am using Active Directory and I need to know how to 
add certain people to the local admin group only on certain computers. I 
know I can do this under restricted groups but that makes thoses users local 
admin on all machines they log into. Specificly I have a cisco class I 
need to give admin rights to but only on those computers they use. Any one 
have a suggestion?
-- Jacob 
Stabl Network Engineer Plain Local School District http://www.plainlocal.org Office: 330.492.3500 Cell : 
330.704.1278 IP Phone: 4466 

RE: [ActiveDir] Adding Helpdesk Group to Local Admin Group

[Coleman, Hunter]

Title: Message



That won't work, since the restricted groups setting is 
under the Computer Config part of the GPO.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, 
DAVIDSent: Thursday, October 13, 2005 9:49 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Adding Helpdesk 
Group to Local Admin Group

Open 
up the GPO properties and in the security tab add the Helpdesk group. Give 
them read and apply group policy for that 
policy. remove apply group policy from any other group 
you do not want to get the policy, I.E. Authenticated 
Users.


Regards,


David 
Chianese


-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Salandra, Justin A.Sent: Thursday, October 13, 
2005 11:12 AMTo: ActiveDir@mail.activedir.orgSubject: 
[ActiveDir] Adding Helpdesk Group to Local Admin 
Group

  
  How would I utilize Restriced 
  Groups in a GPO to add in a Helpdesk Group that I have for my helpdesk staff 
  to have administrative rights on a local PC with out having to touch each PC 
  and without screwing up the local admin group?
  
  Justin A. 
  Salandra
  MCSE Windows 2000  
  2003
  Network and Technology Services 
  Manager
  Catholic Healthcare 
  System
  646.505.3681 - 
  office
  917.455.0110 - 
  cell
  [EMAIL PROTECTED]
  

RE: [ActiveDir] exchange confusion(OT)

[Coleman, Hunter]

What do the SMTP conversation and network traces look like 
from their side?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Thursday, October 13, 2005 10:03 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange 
confusion(OT)

I disabled ehlo on the smtp connector and i still get a full unreachable 
queue- "connection was dropped by remote host"

In ethereal, i get "tcp retransmission" and "tcp zero window" during the 
conversation between my mail server and theirs.

does this point to the IPsec tunnel and mtu?
My side?
Their side?

Thanks alot.
On 10/13/05, Tom Kern 
[EMAIL PROTECTED] wrote: 

  mismatched on my side or theirs?
  
  I was wrong, its an IPsec tunnel NOT a gre tunnel.
  
  The mtu size on my side is the default for a cisco 2600 router(i think 
  thats the setting of the media being used in the router- 
  etherenet=1500,etc).
  
  Thanks
  
  On 10/13/05, Michael B. 
  Smith [EMAIL PROTECTED]  
  wrote: 
  
Honestly, that looks like a mismatched MTU to me. It's worth 
checking. 

If you 
turn off EHLO, as someone else suggested, that should limit the maximum size 
of the TCP packet rather dramatically...


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of 
Tom KernSent: Thursday, October 13, 2005 10:29 AM 
To: ActiveDir@mail.activedir.orgSubject: Re: 
[ActiveDir] exchange confusion(OT) 


thanks.

i don't think they are running mailguard as when i telnet to the server 
and issue a ehlo, i get all the esmtp verbs including the MS ones.

when i try to issue an "xexch50", the server replies with a "need to 
authenticate first".
after which i can still happily issue a data or bdat


still in my sniffer, all i get is "tcp retransmission".
In the smtp logs on my bridgehead, i just get a bdat issued by my 
server and then nothing- no quit or rset.

in ESM, my queue to the journal server is backed up and says 
"connection dropped by remote host".
eventualy the mail in this queue gets put into the "messages with 
unreachable destination" queue.


strange..
On 10/13/05, Candee 
Vaglica [EMAIL PROTECTED]  
wrote: 

  Try searching for the SMTP fixup http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080265e37.html 
  
  
  
  On 10/13/05, Tom 
  Kern [EMAIL PROTECTED] 
  wrote: 
  
Thanks.

I know there were issues with Cisco's Mailguard feature on a PIX 
but i can't seem to find any articles on their website.

Thanks again

On 10/13/05, Al 
Mulnick [EMAIL PROTECTED] 
 wrote: 

  Actually, there are 
  some knownissues with pix and Exchange. You should check 
  the cisco support and kb articles to see if yours is a match, although 
  I would have thought your journaling company would have figured it out 
  by now.Similar symptoms.  
  
  The article I sent 
  you had to do with the configuration and you'll possibly see issues 
  regardless of the ORG you're in. 
  
  
  
  

-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
Of Tom Kern
Sent: Wednesday, October 12, 2005 10:29 
PMTo: ActiveDir@mail.activedir.org Subject: 
Re: [ActiveDir] exchange 
confusion(OT)

no difference.
i get back all the esmtp verbs including the MS ones.

In a net trace all i see is "tcp retransmission" on port 25 to 
that server.
i'm sending them about 2,000 emails in my queue but i only see 
about 3 connections in the trace.

in the protocol log, i see my server give a xexch50, then their 
servr responds with a "need to auth first", then my server issues a 
bdat, then nothing-
no quit or rset or anything.

thanks alot

On 10/12/05, Coleman, Hunter [EMAIL PROTECTED] 
wrote: 

  Network trace is probably the way to go, but lacking 
  that...if you telnet to port 25 on the remote corp's mail host, 
  and issue an ehlo command, do you get back a list of supported 
  verbs? What are they, or if not, what do you get back? Do that 
  from your workstation and also from the Exchange server that's 
  trying to deliver the mail to see if there are any differences or 
  firewall restrictions. 
  
  
  

RE: [ActiveDir] Design Question

[Coleman, Hunter]

Unless there are different requirements at various branches 
for domain-wide settings, like password policies, or there are political 
obstacles, I would go with as few domains as possible. Start with a single 
domain, and then increase that number only if you run into circumstances that 
require multiple domains (password stuff, kerberos policies, certificate stuff, 
etc).

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah 
EigerSent: Wednesday, October 12, 2005 11:47 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Design 
Question

Hi 
-

I am designing a new 
domain structure what will have a HQ and then roughly 10 branch offices, less 
than 200 users total. The Microsoft Branch Office Deployment guide shows a 
single forest with three domains: root, hq, and branches (and oodles of domain 
controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a 
single domain if possible. 

My inclination is to 
go with the latter (single domain) model. With this size organization is there a 
need for multiple domains? An empty root? 

Thanks.

-- 
nme

RE: [ActiveDir] exchange confusion(OT)

[Coleman, Hunter]

Network trace is probably the way to go, but lacking 
that...if you telnet to port 25 on the remote corp's mail host, and issue an 
ehlo command, do you get back a list of supported verbs? What are they, or if 
not, what do you get back? Do that from your workstation and also from the 
Exchange server that's trying to deliver the mail to see if there are any 
differences or firewall restrictions.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Wednesday, October 12, 2005 6:04 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange 
confusion(OT)

its 2 seperate orgs.
that seems to be about 2 servers in the same org.

i think the issue rests with the xexch50 esmtp verb.
everytime my exchange server issues it, things just hang.

the remote corp is using a pix firewall with an smtp proxy but not 
Mailguard.
I know mailguard can cause issues.

do you know of any problems with some MS specific esmtp verbs like xexch50 
and pix firewalls?

thanks alot
On 10/11/05, Al 
Mulnick [EMAIL PROTECTED] wrote: 

  This was what I was thinking 
  of http://support.microsoft.com/default.aspx?scid=kb;EN-US;288175
  
  But it's possible you have 
  another issue going on. Can you capture the trace via netmon? Do you 
  have it available? 
  
  Ethereal is fine as well, 
  but... Whichever you use, filter the conversation to those two servers so you 
  can see everything going on. 
  
  Also, do you end up getting a 
  NDR? If so, what is it? 
  
  Unable to relay? You 
  didn't set up any recip policies with journaldomain.com by any 
  chancedid you? 
  
  
  
  
  
  

-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Tom KernSent: Tuesday, October 11, 2005 
2:41 PMTo: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] 
exchange confusion(OT)

Both servers are exchange 2k

The conversation goes something like this-
ehlo
mail from:
rcpt to:

on my mailserver's side.
all these get 250 smtp response codes from the journal 
server.

then, my mail server tries to send a xexch50 which gets a "need to auth 
first" response from their server.
now i assume thats just normal exchange routing/mapi info stuff but 
they're not in the same ORG so thats a normal response.
then the last thing i see is a bdat from my server and thats all she 
wrote.
i never see a quit or the conversation end.
this is in the smtp protocol logs on my bridgehead server.

in ethereal i just get "tcp retransmission" everytime i see the ip of 
the journal server.
maybe this is the GRE tunnel and i should play with the PMTUD on the 
bridgehead?



The thing you say about contacts having an internal address is new to 
me. i've never worked at a company that gave their contacts internal proxy 
addys or ever seen it written that you should do that.
every place i've worked just used contacts as an object to represent 
external addys in the GAL.

isn't this their point?
why would you need an addy pointing back to you for an external 
contact?
i'm not disagreeing with you, mind you, i'd just like to know why and I 
know you know :)

also, can you elaborate as to the "weird results" from having a 
recipient pol point to a FQDN that indicates itself(not sure if thats the 
way they set it up).

thanks. sorry for all the questions(and OT as they are).


On 10/11/05, Al 
Mulnick [EMAIL PROTECTED] 
 wrote: 

  One thing Exchange 2000x 
  doesn't do well is deal with hosting a FQDN that indicates itself. 
  It causes weird results. So if their internal server primary dns 
  suffix is journaldomain.com and 
  they have a recip policy of servername.journaldomain.com then they'll have some 
  strange results over time.
  
  One thing you might want 
  to look for is the verbs being passed back and forth between the 
  servers. If Exchange 2K3 and Exchange 2K are trading messages, they 
  can talk ESMTP with Microsoft specific verbs assuming nothing is between 
  the two. 
  
  A network trace is the 
  easiest way to troubleshoot this. Look at the successful and failed 
  conversations to see what's going on. At least it's recreatable. 
  
  
  Oh. Your 
  mail-enabled contact should have an internal address as well. It's a good 
  idea to have it, vs. a requirement, but it's not really mail-enabled if 
  it's just a Windows contact and doesn't have both an internal and an 
  external address (primary of course). 
  
  -ajm
  
  
  

-Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Tom KernSent: Tuesday, October 11, 2005 
11:30 AMTo: activedirectorySubject: Re: 
[ActiveDir] 

RE: [ActiveDir] Forest prep/domain prep in a MT root Domain

[Coleman, Hunter]

Title: RE: [MVP-Directory Services] October MVP Awards



John-

Some more details please...

What do you have in place now, in terms of Active Directory 
and Exchange (versions, layout, etc)? Or is this a brand new install of 
everything?

Are you talking about Exchange forestprep/domainprep, or 
Win 2003 adprep forestprep/domainprep?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of ZAD Forum for 
Active DirectorySent: Tuesday, October 11, 2005 9:55 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Forest prep/domain 
prep in a MT root Domain

Hey 
everyone, long time reading hereI'm confused as I'm new to AD and doing my 
research for our conversion..so here is my question we are gong to have an 
MT root domain and a sub ( if that the correct term) domain where we are going 
to put exchange, let call the root domain "AD.sdccd" and the sub domain 
admin.

What 
is the proper procedure for running Forest prep and Domain Prep? From all my 
reading I don't think I run forest prep on the sub domain but do run domain prep 
on the MT root and on the sub domain. Am I correct


john

  

RE: [ActiveDir] Question about Delegation Object Owner.

[Coleman, Hunter]

If you create an object, you are the owner of the object 
and have full control over it. Seems like your options include removing their 
create/delete OU rights and making them go through you, or setting up a proxied 
system (e.g. web page) that will do the creation for them.

You could run a script that takes ownership of all OUs and 
resets permissions on them, but that will be reactive and you may still end up 
with user accounts or other things that the admins created manually inbetween 
runs of the script.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA 
YANNSent: Thursday, October 06, 2005 12:09 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Question about 
Delegation  Object Owner.


Hello,

In my university, I had succesfully 
delegated to each adminsresponsible oftheir OU the following 
tasks:
- Creste.delete groups.
- Create/delete computers
- Create/delete OUs..
- Only Modify Users properties: 
Adminshave no right tocreate/delete users because this task is done 
by our MIIS 2003.

BUT, i noiticed that in some OUs, users are 
still created manually, and after searching, it was due to the fact that admins 
have the rights to create child OUs, they become automaticallythe owner of 
theirOUso theycan easily modify the ACLs to have full control 
.. :(

So my question :is there a way to 
grant them create/delete OU without having themto be theowner of 
their OU ?

I did not find a set of properties in 
dssec.dat concerning my needs.

Thanks for input.

Cheers,



Yann

RE: [ActiveDir] Maximum distinguished name length?

[Coleman, Hunter]

From AD's perspective, the RDN is Some User (or cn=Some User). It
does not include anything beyond that, such as OU or container paths. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Thursday, September 29, 2005 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Maximum distinguished name length?

Steve Patrick wrote:

 There is no hardcoded limitation on DN  - there is a max 255 RDN
length.

And just to verify how the term RDN is defined w/respect to AD [as
opposed to how it's defined w.r.t. eDirectory], the RDN value is the
partial distinguished name of an object that is relative to the AD
domain in which it is located.  So, if the object's CN is Some User
and is located in an OU named Our Users located within the domain
DC=MyDomain,DC=MyCompany,DC=COM, then the RDN is CN=Some User,OU=Our
Users.  Or, to put it another way, the RDN is all components of the
name from the CN up to but not including the first occurrence of a
DC 
component in the DN.  This is correct, yes?


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Racing to save lives
The Leukemia  Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] 2 exchange public folder questions

[Coleman, Hunter]

If you have a folder and subfolders that need to maintain 
the same set of permissions, grant the permissions to a group at the top foler 
and propagate them down; then manage the group membership to grant/revoke 
permissions.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Friday, September 30, 2005 3:24 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 2 exchange 
public folder questions

thanks but i'm more interested in client perms not inheriting.
not admin perms.

if a user takes someone out of a PF in outlook, i'd like to propagate 
downward or be given the choice like ntfs...

thanks
On 9/30/05, Katherine 
Coombs [EMAIL PROTECTED] 
wrote: 
Hi 
  Tom,For question number two check out http://support.microsoft.com/?id=815916 
  Cheers,Katherine-Original Message-From: [EMAIL PROTECTED] 
  [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Coleman, HunterSent: 
  29 September 2005 21:47To: ActiveDir@mail.activedir.orgSubject: 
  RE: [ActiveDir] 2 exchange public folder questions Don't know on 1, 
  but for 2 get PFDavAdmin which is either in the Exchange Resource Kit or 
  downloadable from Microsoft. It will let you set permissions on a folder and 
  then propagate them down to subfolders.-Original 
  Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] 
  ] On Behalf Of Kern, TomSent: Thursday, September 29, 2005 7:38 
  AMTo: ActiveDir@mail.activedir.orgSubject: 
  [ActiveDir] 2 exchange public folder questions1. When I attach a 
  shortcut to a public folder item(word doc) as an attachment to an email, many 
  users cannot open the attachement but just click on the shortcut and nothing 
  happens.they all have appropriate rights to the folder. is this some 
  OLE issue on the client?by what mechanism does this occur?2. Is 
  there anyway to set inheritance on a public folder? There doesn't seem to be 
  an "inheritance" tab in Outlook or under "client permissions" tab in ESM. 
  How can i set a user to have say, reviewer role or create items right for 
  all folders and/or items underneath a public folder or future folders created 
  underneath said folder?or block that right?Thanks alot. 
  .Böv
rzÊryiList info : http://www.activedir.org/List.aspxList 
  FAQ: http://www.activedir.org/ListFAQ.aspx 
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List 
  info : http://www.activedir.org/List.aspx 
  List FAQ: http://www.activedir.org/ListFAQ.aspxList 
  archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
  

RE: [ActiveDir] OT: Microsoft MOM Mailing list?

[Coleman, Hunter]

http://www.listleague.com/

Go to "View Hosted Lists by Interest", then Microsoft 
Management, then MOM


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, 
DevonSent: Friday, September 30, 2005 8:46 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Microsoft MOM 
Mailing list?





Off Topic: Does anyone know if there 
is a MOM 2005 mailing list out there?

Devon 
Harding
Windows Systems 
Engineer
Southern Wine  Spirits 
- BSG
954-602-2469





__This message and any 
attachments are solely for the intended recipientand may contain 
confidential or privileged information. If you are notthe intended 
recipient, any disclosure, copying, use or distribution ofthe information 
included in the message and any attachments isprohibited. If you have 
received this communication in error, pleasenotify us by reply e-mail and 
immediately and permanently delete thismessage and any attachments. Thank 
You. 

RE: [ActiveDir] 2 exchange public folder questions

[Coleman, Hunter]

Don't know on 1, but for 2 get PFDavAdmin which is either in the Exchange 
Resource Kit or downloadable from Microsoft. It will let you set permissions on 
a folder and then propagate them down to subfolders. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 29, 2005 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2 exchange public folder questions

1. When I attach a shortcut to a public folder item(word doc) as an attachment 
to an email, many users cannot open the attachement but just click on the 
shortcut and nothing happens.
they all have appropriate rights to the folder.
is this some OLE issue on the client?
by what mechanism does this occur?
 
2. Is there anyway to set inheritance on a public folder? There doesn't seem to 
be an inheritance tab in Outlook or under client permissions tab in ESM.
How can i set a user to have say, reviewer role or create items right for all 
folders and/or items underneath a public folder or future folders created 
underneath said folder?
or block that right?
 
Thanks alot.
.Böv
rzÊryi
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO filtering by properties of User Object

[Coleman, Hunter]

I think the way I'd approach it is to build a script that 
checks users for roaming profiles, and puts them in a security group if they do. 
Schedule the script to run on a regular basis. Then use the security group for 
GPO filtering.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of nelson 
yongSent: Tuesday, September 27, 2005 2:04 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] GPO filtering by 
properties of User Object
Hi Gurus, I m trying to create some GPO that will filter only those 
users who have roaming profiles. How 
can I achieve this? Do I use WMI filters? Any resources on that? I have tried 
searching but out of all the hits, not useful enough. Thanks alot in advance for any help/input. 
CONFIDENTIALITY 
 DISCLAIMER CAUTION: This communication is confidential and is 
intended for use only by the addressee. If you are not the addressee, you 
should not disseminate, distribute or copy this communication. If you have 
received this communication in error, please notify us immediately by return 
email and delete the original message. Kindly note that email 
communications are not secured, and therefore are susceptible to alteration. 
Kuok (Singapore) Limited will not accept legal responsibility for the 
contents of this message. Thank 
you.

RE: [ActiveDir] exchange one more time(ot)

[Coleman, Hunter]

Why should Exchange not think that servername.domain.tld is 
a domain?

Can 
you resolve servername.domain.tld from the Exchange server? How about from the 
smarthost?



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Monday, September 26, 2005 5:32 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange one 
more time(ot)

when i had the smtp connector point to dns, it failed with "remote host did 
not respond".

when pointing to a smarthost it worked.

maybe exchange while sending to [EMAIL PROTECTED], 
thinks servername.domain.tld is a domain and when it gets a nxdomain from 
domain.tld, it fails?

no?

sillier things have been know to occur with exchange...

thanks
On 9/26/05, joe 
[EMAIL PROTECTED] 
wrote: 

  From my 
  experience it should work fine. It doesn't have to know if the right hand side 
  is a domain or host IP, it simply needs to try and look it up in DNS. I 
  believe it will try an MX lookup and failing that, fall back to a host record 
  lookup. 
  
  A simple 
  test would be to enable SMTP on some machine in your domain, make sure there 
  is a host record for the given name and then send a message to it, you should 
  see the message hit your configured drop folder. 
  
   joe
  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom 
  KernSent: Saturday, September 24, 2005 2:12 AM To: ActiveDir@mail.activedir.orgSubject: Re: 
  [ActiveDir] exchange one more time(ot) 
  
  
  how does it figure out its a literal addy and not a domain? how does it 
  know the RHS is not a domain name and fail trying to look it up?
  or does it fail and then go up the list to the other part of the 
  name?
  I'd like to know because i can't find any exchange docs on it.
  there's nothing in the app log.
  i'll turn up diag logging..
  
  mail didn't start flowing untill i changed the connector to point to a 
  smart host rather than dns.
  until then, it just sat in the queue. the error in the queue was "remote 
  destatination did not respond".
  
  Thanks
  
  
  On 9/23/05, Al 
  Mulnick [EMAIL PROTECTED]  
  wrote: 
  
Exchange 
should be able to deliver to a literal address as long as it is not its own. 
That's a valid and a common address in SMTP. 

Check 
the logs to see what the failure is. There's a lot of possibilities as to 
why it may not get to its destination.

Al


From: [EMAIL PROTECTED] [mailto: 
[EMAIL PROTECTED]] On Behalf Of Tom 
KernSent: Friday, September 23, 2005 3:07 PMTo: 
activedirectorySubject: [ActiveDir] exchange one more 
time(ot)


If i set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered 
or will exchange think " servername.domain.tld " is the domain name and 
throw an error?

Just a question i'm throwing out because an archive solution is giving 
me that kind of contact to send mail to and its not getting there.
I have a feeling its because of that and i should just create a 
connector to forward to that addy as a smarthost but i want to confirm with 
you guys that i can't write an address in that form and expect exchange(or 
any smtp server?) to deliver the mail. 
thanks

RE: [ActiveDir] exchange one more time(ot)

[Coleman, Hunter]

Does "servername.domain.tld" have MX and A records in DNS? 
Is this one of your servers, or does domain.tld belong to someone 
else?

What happens when you try to telnet on port 25 from your 
Exchange server to servername.domain.tld?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom 
KernSent: Saturday, September 24, 2005 12:12 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] exchange one 
more time(ot)

how does it figure out its a literal addy and not a domain? how does it 
know the RHS is not a domain name and fail trying to look it up?
or does it fail and then go up the list to the other part of the 
name?
I'd like to know because i can't find any exchange docs on it.
there's nothing in the app log.
i'll turn up diag logging..

mail didn't start flowing untill i changed the connector to point to a 
smart host rather than dns.
until then, it just sat in the queue. the error in the queue was "remote 
destatination did not respond".

Thanks


On 9/23/05, Al 
Mulnick [EMAIL PROTECTED] 
wrote: 

  Exchange 
  should be able to deliver to a literal address as long as it is not its own. 
  That's a valid and a common address in SMTP. 
  
  Check the 
  logs to see what the failure is. There's a lot of possibilities as to why it 
  may not get to its destination.
  
  Al
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Tom 
  KernSent: Friday, September 23, 2005 3:07 PMTo: 
  activedirectorySubject: [ActiveDir] exchange one more 
  time(ot)
  
  
  If i set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered 
  or will exchange think " servername.domain.tld " is the domain name and throw 
  an error?
  
  Just a question i'm throwing out because an archive solution is giving me 
  that kind of contact to send mail to and its not getting there.
  I have a feeling its because of that and i should just create a connector 
  to forward to that addy as a smarthost but i want to confirm with you guys 
  that i can't write an address in that form and expect exchange(or any smtp 
  server?) to deliver the mail. 
  thanks

RE: [ActiveDir] Applications that extend the schema...

[Coleman, Hunter]

My preference would be that the application vendor include a set of LDIF
files. That way all of the schema mods are in plain view and AD service
owners (domain admins, schema admins) can see what is getting changed.
Unless the schema mods were well documented by the vendor, I wouldn't
run an application that performed the mods. Even if they were well
documented, I still might not run that application...too much of a
black-box situation.

I wouldn't even consider running an app with a service account that had
schema admin rights, which is what you would need in the first scenario
you mention.

Those aren't really AD-specific concerns, but more directory operational
practices/preferences.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, September 23, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Applications that extend the schema...

Given the # of variations that may exist in AD deployments, anywhere
from a small business with a single forest/tree/domain all the way up to
a large enterprise with multiple forests each containing multiple trees
with each tree having numerous domains, there may be many differences of
opinion on the part of administrators regarding schema extensions and
applications the create them.

I'm interested in hearing those opinions in regards to an enterprise
type of resource provisioning application that will run primarily as a
service under a specific domain account, with the caveat that the
application does require some schema extensions in order to run
properly.  In particular, the question pertains to whether or not the
main application should attempt to perform the schema extension work
when it detects that they are not present, and if so, should it
want/need to do so under it's own set of credentials used to perform the
service logon by the service control manager when the service is
started, or should the application's UI request an elevated set of
credentials in order to perform the schema extension.  Alternatively,
should the schema extension be performed using an additional program
provided with the application so that it would be relatively easy for an
administrator to logon, run the schema extension tool, and then be done
with their part so that the application's owner could continue with
the installation  configuration of the application.

I'm familiar with many of the issues in terms of Novell's eDirectory,
but with AD there may be some other concerns due to differences in the
two directory services and how they are implmented.  It's the
AD-specific concerns that interest me.


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Racing to save lives
The Leukemia  Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Domain Controller Security

[Coleman, Hunter]

Fred-

This is not possible. While you can make it more difficult 
for the user to do things you don't want him to, if you give him either physical 
access to the DC or the ability to log on to the DC, he is in a position to 
elevate his permissions to the point of owning your forest.

If you can move the files and shares to another machine, 
then restricting him to only be able to change passwords within a particular OU 
is easy by either setting the OU security directly or going through the 
Delegation of Control Wizard.

Hunter


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of van Donk, 
FredSent: Tuesday, September 20, 2005 2:52 PMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Domain Controller 
Security

I have a contractor 
in a remote site. There is only 1 server in that site which is a 
DC.

He needs to 
administer that server. 
-Create 
shares
-Make file/share 
permissions
-Change user 
passwords in the User OU for that site.

He is not allowed to 
log on to any other server is the domain.

When I make him a 
"Server Operator" he can logon to any server in the domain.

Any idea on how to 
lock him down to that one server and then how to lock him down on that one OU 
where he should only be allowed to change the passwords of the 
users.

Thanks!
Fred

RE: [ActiveDir] disabling users

[Coleman, Hunter]

http://www.unix.org.ua/orelly/perl/sysadmin/ch06_05.htmwould be a good 
start


From: Kern, Tom 
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, 
TomSent: Wednesday, September 21, 2005 2:30 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] disabling 
users

I only have time to learn one scripting lang.
i figured perl is the better way to go as i have to work with linux and 
solaris as well.

know of any good docs,books,sites on perl and COM+ or adsi?
something that will teach you both like the _vbscript_ resources do?

i really think there is a market for perl and AD/win32 out there that is 
untapped.
O'reilly has let most of their win32 perl books become outdated and stop at 
Win NT as has Dave Roth.

I'm not a programmer and i don't have time to learn multipe scripting 
langs, so i always thought perl would be the best way to go.
I find it as approachable as _vbscript_ but unlike _vbscript_, I don't find 
many rescources for using it on win32 systems.
I'm afraid learning perl and working with windows might be an uphill 
battle.
are there resources for teaching you how to use perl with 
cdo,wmi,adsi,ado,etc?
i'm not a total newbie to perl, i've used it on linux but i've never really 
done much on windows with activestate.
and as i've said, i'm not a programmer and i didn''t major in comp sci, so 
a lot of this stuff is not second nature to me and hasn't been pounded in for 
years.
so jumping from lang to lang for me is not really an option.

thanks


  -Original Message- From: Brian Desmond 
  [mailto:[EMAIL PROTECTED] Sent: Wed 9/21/2005 2:46 PM 
  To: ActiveDir@mail.activedir.org Cc: Subject: 
  RE: [ActiveDir] disabling users
  

RE: [ActiveDir] OT: SAN Assessment

[Coleman, Hunter]

If you have the time, pick up a copy of Pierre Bijaoui's Scaling
Microsoft Exchange 2000. I don't think it's been updated for Exchange
2003, but most everything he covers in there carries forward. It's very
good information on building storage infrastructure for Exchange,
including SANs.

It may not replace a consulting engagement, but it will give you enough
background to understand (and question) any recommendations. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

Well we don't have a preferred vendor. We're looking at all the obvious
choices: HP, EMC, StorageTek (SUN) etc.

Right now its more important to just get an independent (non-vendor
specific) assessment carried out.

Thanks,



Firefox - Rediscover the web 




Original Message Follows
From: Bernard, Aric [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment
Date: Wed, 21 Sep 2005 14:25:57 -0400

Yep, lots of consulting firms do his sort of work.  Who is the SAN
vendor?  Typically they will be happy to come out and help with this
kind of activity as it usually means additional sales now or in the
future.

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 21, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

I work for a consulting firm that does these sorts of things, so, yes I
know people utilize consulting firms to do this stuff. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and
one the dependenices of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to

carry out a SAN assessment. Essentially, helping in the process of
determining requirements and laying out a path to successful deployment
with

considerations for high availability, scalability and future
considerations.

Thanks,


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] GPO on XP 2000 Pro

[Coleman, Hunter]

I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.

I'd also not leave new computer objects in the computers container. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP  2000 Pro

I have over 2000 machines in my computers containers.  Is there any
other way?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO on XP  2000 Pro

WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP  win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO on XP  2000 Pro

How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain?  WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.

Devon Harding
Windows Systems Engineer
Southern Wine  Spirits - BSG
954-602-2469


-
__
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.  Thank You.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Database Corruption

[Coleman, Hunter]

I'd also look at running hardware diagnostics, particularly on the disk 
subsystem and controller. No point in restoring or repromoting if there is an 
unresolved hardware problem.

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Steve Linehan 
Sent: Fri 8/19/2005 8:18 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Database Corruption



Well the first thing I always recommend is to try an offline defrag as 
it is possible that the corruption is in an index, i.e. metadata, that can be 
rebuilt.  If the offline defrag fails then restoring from backup or repromoting 
will be your next step.

 

Thanks,

 

-Steve

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, 
Diane
Sent: Friday, August 19, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Database Corruption

 

My preferred approach would be to demote the box to member server and 
re-promote to a domain controller to ensure a good fresh copy of the DIT.  YMMV 
as the specific requirements at your location may prevent this.  We have only 
run into this once early in our AD days and this was the approach we used with 
good success.

 

Diane

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex 
Fontana
Sent: Friday, August 19, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Database Corruption

Started getting the error below a few weeks ago on one of our DCs.  My 
first reaction is to run a non-auth restore from a day before this started 
happening and let replication take care of everything else.  Any reason NOT to 
do this?  I’m concerned that this may happen again and wasn’t able to find 
anything specific to the error below.  Besides calling PSS any thing else I 
should look into before restoring?  This box holds all FSMO roles, Win2k3, 
server for NIS.

 

TIA

 

-alex

 

Event Type:   Error

Event Source:NTDS ISAM

Event Category: Database Page Cache 

Event ID:   475

Date:8/19/2005

Time:2:00:24 PM

User:N/A

Computer: DC

Description:

NTDS (528) NTDSA: The database page read from the file 
C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for 8192 
(0x2000) bytes failed verification due to a page number mismatch.  The 
expected page number was 81184 (0x00013d20) and the actual page number was 
2349964126 (0x8c119b5e).  The read operation will fail with error -1018 
(0xfc06).  If this condition persists then please restore the database from 
a previous backup. This problem is likely due to faulty hardware. Please 
contact your hardware vendor for further assistance diagnosing the problem.

 

winmail.dat

RE: [ActiveDir] HP teaming

[Coleman, Hunter]

What problem do you have (or are trying to prevent) that makes you want
to set up teaming? I only ask because you will be adding complexity to
your environment that may not be justified by the perceived benefit. On
the other hand, maybe it will...

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] HP teaming

They are member servers right now with no teaming. About to become DC's.
Do you have anything against switch assisted load balancing?

Also, which model catalyst did you have an issue with?

Thanks a lot!


On 8/17/05, Francis Ouellet [EMAIL PROTECTED] wrote:
 I've had great success using nic teaming on all my DCs running on hp 
 Proliant hardware. They were all configured for FT. Make sure the 
 network side of things fully supports it though, we had to upgrade a 
 few catalyst switches for this to work correctly (I think it was an 
 ARP
 issue)
 
 I'd suggest trying it on a member server first to make sure your 
 networking hardware is capable of supporting it correctly.
 
 One last thing, are those DCs currently in place or you're considering

 nic teaming for future deployments?
 
 Thanks,
 Francis
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: August 17, 2005 9:24 AM
 To: activedirectory
 Subject: [ActiveDir] HP teaming
 
 Any for or against Hp nic teaming on DC's?
 Also which type would you use(if any)? Fault tolerence or load 
 balancing?
 
 thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] exchange weirdeness

[Coleman, Hunter]

No. You're running into the msExchMasterAccountSID problem.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has
information, and points to the NoMAS tool. You can also handle this by
setting the attributes manually or via script.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 12:48 PM
To: activedirectory
Subject: Re: [ActiveDir] exchange weirdeness

update- i enabled the user account about 30mins ago and updated the RUS.
stilll  i get denied trying to log on via outlook and an event id
9548 gets logged on the exchange server everytime i try logging on,
stating that the account is still disabled...

replication issue?

dns is up and running. the only known issue is no connectivity to the
root. but the root has no users or mailservers.

strange

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
 I have mailbox enabled users in AD that have been disabled. However in

 ESM, they are not marked as such. When i run the cleanup agent, they 
 are still not marked as disabled.
 
 When i try to Exmerge the box, I get an access denied error(i have 
 full exchange admin rights inherited from the org and full mailbox 
 right on the user).
 Also, i can't open their box via outlook as well.
 
 My situation at this firm is as such- we have no network connectivity 
 to the root(for about 2 wks. don't ask, long story..).
 The users are all in my child domain as are their mailboxes. the root
is empty.
 
 We are also running with netbios/tcp disabled forest wide.
 
 i know there are some issues with netbios being disabled and exmerge 
 and ESM and outlook. Could this be a cause? I don't know the exact 
 error you would get.
 
 I don't think having no connectivity to the root should be an issue.
 We have 4 dc's, 3 of which are gc's in the child domain.
 
 any advice would be great.
 thanks

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] exchange weirdeness

[Coleman, Hunter]

For folks who have already left, I'd go with granting Self full
mailbox access. I haven't tested it, but if the account has already been
disabled then I don't think that setting it to expire on a date in the
past will restore the necessary mailbox permissions for you to access
it.

For future departures, I think the ideal thing is to have some sort of
deprovisioning utility that handles disabling the account, possibly
moving it to a different OU, sets the Self mailbox access, and any other
rules that your business processes dictate. You could have that as a
script or front-end it with a web page. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange weirdeness

so, what is a good practice to deal with user's who have left and their
mailboxes?

Should you just expire the account to a date in the past and then you
can access their box?
or can you give Self full mailbox access to a disabled account and
then access the box?

which way works?
thanks alot

On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
 No. You're running into the msExchMasterAccountSID problem.
 http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has 
 information, and points to the NoMAS tool. You can also handle this by

 setting the attributes manually or via script.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Wednesday, August 17, 2005 12:48 PM
 To: activedirectory
 Subject: Re: [ActiveDir] exchange weirdeness
 
 update- i enabled the user account about 30mins ago and updated the
RUS.
 stilll  i get denied trying to log on via outlook and an event id
 9548 gets logged on the exchange server everytime i try logging on, 
 stating that the account is still disabled...
 
 replication issue?
 
 dns is up and running. the only known issue is no connectivity to the 
 root. but the root has no users or mailservers.
 
 strange
 
 On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
  I have mailbox enabled users in AD that have been disabled. However 
  in
 
  ESM, they are not marked as such. When i run the cleanup agent, they

  are still not marked as disabled.
 
  When i try to Exmerge the box, I get an access denied error(i have 
  full exchange admin rights inherited from the org and full mailbox 
  right on the user).
  Also, i can't open their box via outlook as well.
 
  My situation at this firm is as such- we have no network 
  connectivity to the root(for about 2 wks. don't ask, long story..).
  The users are all in my child domain as are their mailboxes. the 
  root
 is empty.
 
  We are also running with netbios/tcp disabled forest wide.
 
  i know there are some issues with netbios being disabled and exmerge

  and ESM and outlook. Could this be a cause? I don't know the exact 
  error you would get.
 
  I don't think having no connectivity to the root should be an issue.
  We have 4 dc's, 3 of which are gc's in the child domain.
 
  any advice would be great.
  thanks
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] exchange weirdeness

[Coleman, Hunter]

Inline... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange weirdeness

If self has FC and associate mbox with external account, i can then
access the box with an account that has FC on the mbox and run exmerge?
Yes, allowing for the mailbox permissions cache that Michael mentioned

Also, is nomas avaiable for download or do i have to go thru PSS?
PSS, but I think it's a no-charge call if that's all you are asking
for. If you have a support agreement your TAM should be able to get it
for you as well.

thanks a lot. you really helped me out here!

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
 so, what is a good practice to deal with user's who have left and 
 their mailboxes?
 
 Should you just expire the account to a date in the past and then you 
 can access their box?
 or can you give Self full mailbox access to a disabled account and 
 then access the box?
 
 which way works?
 thanks alot
 
 On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
  No. You're running into the msExchMasterAccountSID problem.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;555410 has 
  information, and points to the NoMAS tool. You can also handle this 
  by setting the attributes manually or via script.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Wednesday, August 17, 2005 12:48 PM
  To: activedirectory
  Subject: Re: [ActiveDir] exchange weirdeness
 
  update- i enabled the user account about 30mins ago and updated the
RUS.
  stilll  i get denied trying to log on via outlook and an event id
  9548 gets logged on the exchange server everytime i try logging on, 
  stating that the account is still disabled...
 
  replication issue?
 
  dns is up and running. the only known issue is no connectivity to 
  the root. but the root has no users or mailservers.
 
  strange
 
  On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
   I have mailbox enabled users in AD that have been disabled. 
   However in
 
   ESM, they are not marked as such. When i run the cleanup agent, 
   they are still not marked as disabled.
  
   When i try to Exmerge the box, I get an access denied error(i have

   full exchange admin rights inherited from the org and full mailbox

   right on the user).
   Also, i can't open their box via outlook as well.
  
   My situation at this firm is as such- we have no network 
   connectivity to the root(for about 2 wks. don't ask, long
story..).
   The users are all in my child domain as are their mailboxes. the 
   root
  is empty.
  
   We are also running with netbios/tcp disabled forest wide.
  
   i know there are some issues with netbios being disabled and 
   exmerge and ESM and outlook. Could this be a cause? I don't know 
   the exact error you would get.
  
   I don't think having no connectivity to the root should be an
issue.
   We have 4 dc's, 3 of which are gc's in the child domain.
  
   any advice would be great.
   thanks
  
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: 
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] ok, last one really

[Coleman, Hunter]

Watch for line wraps; you'll want to put your code between a While/Wend
loop.

Dim fso, ts
Const ForReading = 1
Set fso = CreateObject(Scripting. FileSystemObject)
Set ts = fso.OpenTextFile(c:\test.txt, ForReading, True)

While NOT ts.AtEndOfStream
strComputer = ts.ReadLine()
rest of your code goes here
Wend
ts.Close() 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ok, last one really

how would you write that to loop thru every line in a file?

thanks

On 8/12/05, Alain Lissoir [EMAIL PROTECTED] wrote:
 On MSDN, you can find some sample scripts to read from a file.
 See at
 http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFil
 es.asp
 
 For instance,
 
 Dim fso, ts
 Const ForReading = 1
 Set fso = CreateObject(Scripting. FileSystemObject) Set ts = 
 fso.OpenTextFile(c:\test.txt, ForReading, True) strComputer = 
 ts.ReadLine()
 ts.Close()
 
 Depending on the format of your file, you can read a single line and 
 split the comma separated computer names or You can loop and read 
 lines one-by-one if you have a computer name per line.
 Your call ...
 
 For a book on scripting and WMI, you can always have a look at my web 
 site
 ;) http://www.lissware.net
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Friday, August 12, 2005 7:46 AM
 To: activedirectory
 Subject: [ActiveDir] ok, last one really
 
 How can i change this script so i can just feed it a file of computer 
 names so i can automate the changing of dns servers in the client
properties?
 
 SCRIPT-
 
 On Error Resume Next
 
 strComputer = .
 arrNewDNSServerSearchOrder = Array(192.168.0.1, 192.168.0.2)
 
 Set objWMIService = GetObject(winmgmts: _   
 {impersonationLevel=impersonate}!\\  strComputer  \root\cimv2) 
 Set colNicConfigs = objWMIService.ExecQuery _  (SELECT * FROM 
 Win32_NetworkAdapterConfiguration WHERE IPEnabled = True)
 
 WScript.Echo VbCrLf  Computer:   strComputer
 
 For Each objNicConfig In colNicConfigs  WScript.Echo VbCrLf
 Network Adapter   objNicConfig.Index
  WScript.Echo DNS Server Search Order - Before:
  If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
For Each strDNSServer In objNicConfig.DNSServerSearchOrder
  WScript.Echo   strDNSServer
Next
  End If
  intSetDNSServers = _
   objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
  If intSetDNSServers = 0 Then
WScript.Echo Replaced DNS server search order list.
  Else
WScript.Echo Unable to replace DNS server search order list.
  End If
 Next
 
 WScript.Echo VbCrLf  String(80, -)
 
 Set colNicConfigs = objWMIService.ExecQuery _  (SELECT * FROM 
 Win32_NetworkAdapterConfiguration WHERE IPEnabled = True)
 
 For Each objNicConfig In colNicConfigs  WScript.Echo VbCrLf
 Network Adapter   objNicConfig.Index
  WScript.Echo DNS Server Search Order - After:
  If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
For Each strDNSServer In objNicConfig.DNSServerSearchOrder
  WScript.Echo   strDNSServer
Next
  End If
 Next
 
 END OF SCRIPT
 
 
 also, can anyone recommend a good VBscript book for Windows admining 
 so i can leave you guys alone?
 
 thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] user dump

[Coleman, Hunter]

Adfind will let you dump the profile location. Just include profilePath
in the list of attributes that you want returned:

Adfind -b dc=sub,dc=domain,dc=com -s subtree -f
(objectCategory=person) name profilePath 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
III
Sent: Wednesday, August 10, 2005 9:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] user dump

thanks, i need it to dump the profile locations also.  is this possible
w/ these tools?  know anything about add user?


 dsquery/dsget will do the trick as well.

 Phil

 On 8/10/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
 ADFind: http://www.joeware.net/win/free/tools/adfind.htm

 Example 6 from the command line help (adfind.exe /?) should be a good

 starting point for you.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Freddie 
 Coleman III
 Sent: Wednesday, August 10, 2005 8:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] user dump



 how can i dump a list of all of my ad users?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] account operators

[Coleman, Hunter]

I expect they lack Exchange View Only Admin permissions (or higher). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 8:27 AM
To: activedirectory
Subject: [ActiveDir] account operators

is there any reason an account operator could create a user but not a
mailbox for that user?

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] account operators

[Coleman, Hunter]

Yes. Regardless of the rights they have on the user object, they will
also need rights within Exchange (or proxied rights via a web page or
provisioning code). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I thought AO had complete rights to the user object which would include
exchange attribs.
i guess they still need rights to the store?
is that it?
thanks

On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
 I expect they lack Exchange View Only Admin permissions (or higher).
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, August 11, 2005 8:27 AM
 To: activedirectory
 Subject: [ActiveDir] account operators
 
 is there any reason an account operator could create a user but not a 
 mailbox for that user?
 
 thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] one more silly question(OT exchange)

[Coleman, Hunter]

Yes, but you will also need to grant Reviewer rights on your mailbox to
the user, and they will have to open it as a secondary mailbox or create
a shortcut to it instead of File-Open other user's folder-(Calendar
from drop-down list) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 2:37 PM
To: activedirectory
Subject: [ActiveDir] one more silly question(OT exchange)

Is it possible to create a new calender folder in your inbox and
delegate access to that?
Outlook lets me do it but when a user tries to open it, the only choices
they get is the default calender.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] one more silly question(OT exchange)

[Coleman, Hunter]

Yes, thanks Doug.

Note that by granting Reviewer permissions at the mailbox level, you
aren't necessarily giving out access to the contents of your inbox, sent
items, etc. It only lets someone view those folders. You'd need to
assign permissions on those folders, such as the created calendar
folder, so that the person could view appointments on that calendar. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, August 11, 2005 7:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] one more silly question(OT exchange)

http://support.microsoft.com/kb/195781/en-us


In order to share other than the five default Mailbox folders,
Contacts, Inbox, Journal, Notes, and Tasks, you must share the entire
Mailbox. This will give access to subfolders as well as the five primary
folders.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] one more silly question(OT exchange)

what i'm saying is the new calender is not listed as an option. it just
lists the default folders in your mailbox.
the user has reviewer rights on the new calender.

i don't think thats what Hunter meant. if it were just the basic open
other users folder, i wouldn't be so furstrated.
thanks

On 8/11/05, Douglas M. Long [EMAIL PROTECTED] wrote:
 I believe he means:
 
 Right click on the mailbox-- Open other folder-- Other user's 
 folder...
 
 With a user that you give review rights.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, August 11, 2005 6:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] one more silly question(OT exchange)
 
 for secondary mailbox, you mean give them full control to the user's

 inbox and have them login that way with a second profile?
 
 how do you create a shortcut to just the second calender? do you do it

 within outlook for the other user?
 how does that work?
 thanks
 On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
  Yes, but you will also need to grant Reviewer rights on your mailbox
 to
  the user, and they will have to open it as a secondary mailbox or
 create
  a shortcut to it instead of File-Open other user's
folder-(Calendar
  from drop-down list)
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Thursday, August 11, 2005 2:37 PM
  To: activedirectory
  Subject: [ActiveDir] one more silly question(OT exchange)
 
  Is it possible to create a new calender folder in your inbox and 
  delegate access to that?
  Outlook lets me do it but when a user tries to open it, the only
 choices
  they get is the default calender.
  thanks
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] user dump

[Coleman, Hunter]

ADFind: http://www.joeware.net/win/free/tools/adfind.htm

Example 6 from the command line help (adfind.exe /?) should be a good
starting point for you. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
III
Sent: Wednesday, August 10, 2005 8:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user dump



how can i dump a list of all of my ad users?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Adding custom fields to AD

[Coleman, Hunter]

...or ADAM. These kinds of requests have a tendency to creep beyond the
original scope, which can have unintended consequences if the upfront
planning falls short.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Certainly it is possible.  And, it's not overly difficult to DO, but the
upfront planning that SHOULD be done can be tedious.

Remember - this is the schema.

My opinion - and it seems to be free today (as if I've ever been afraid
to give it...) - This is a job that just screams SQL server.

I can't imagine WHY AD would be a better choice in this case.  As long
as the apps are all able to connect via a SQL provider in some method
(and goodness knows Microsoft has made a lot of them available),
this should be no pain at all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though, I don't think that it is
possible, but, I will present the question.  

He would like to add some custom fields, about 30, to AD.  He would like
to add bio information into AD to be pulled by Sharepoint and other
applications for people to read. I think that this is a waste of time,
space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/